Modernize Your SDLC

  • Buy Link or Shortcode: {j2store}148|cart{/j2store}
  • member rating overall impact (scale of 10): 9.5/10 Overall Impact
  • member rating average dollars saved: $30,263 Average $ Saved
  • member rating average days saved: 39 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
  • Many organizations lack the critical capabilities and resources needed to satisfy their growing backlog, jeopardizing product success.

Our Advice

Critical Insight

  • Delivery quality and throughput go hand in hand. Focus on meeting minimum process and product quality standards first. Improved throughput will eventually follow.
  • Business integration is not optional. The business must be involved in guiding delivery efforts, and ongoing validation and verification product changes.
  • The software development lifecycle (SDLC) must deliver more than software. Business value is generated through the products and services delivered by your SDLC. Teams must provide the required product support and stakeholders must be willing to participate in the product’s delivery.

Impact and Result

  • Standardize your definition of a successful product. Come to an organizational agreement of what defines a high-quality and successful product. Accommodate both business and IT perspectives in your definition.
  • Clarify the roles, processes, and tools to support business value delivery and satisfy stakeholder expectations. Indicate where and how key roles are involved throughout product delivery to validate and verify work items and artifacts. Describe how specific techniques and tools are employed to meet stakeholder requirements.
  • Focus optimization efforts on most affected stages. Reveal the health of your SDLC from the value delivery, business and technical practice quality standards, discipline, throughput, and governance perspectives with a diagnostic. Identify and roadmap the solutions to overcome the root causes of your diagnostic results.

Modernize Your SDLC Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should modernize your SDLC, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Set your SDLC context

State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.

  • Modernize Your SDLC – Phase 1: Set Your SDLC Context
  • SDLC Strategy Template

2. Diagnose your SDLC

Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.

  • Modernize Your SDLC – Phase 2: Diagnose Your SDLC
  • SDLC Diagnostic Tool

3. Modernize your SDLC

Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.

  • Modernize Your SDLC – Phase 3: Modernize Your SDLC
[infographic]

Workshop: Modernize Your SDLC

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Set Your SDLC Context

The Purpose

Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.

Review your case for strengthening your SDLC practice.

Review the current state of your roles, processes, and tools in your organization.

Key Benefits Achieved

Grounded understanding of products and quality that is accepted across the organization.

Clear business and IT objectives and metrics that dictate your SDLC practice’s success.

Defined SDLC current state people, process, and technologies.

Activities

1.1 Define your products and quality.

1.2 Define your SDLC objectives.

1.3 Measure your SDLC effectiveness.

1.4 Define your current SDLC state.

Outputs

Product and quality definitions.

SDLC business and technical objectives and vision.

SDLC metrics.

SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.

2 Diagnose Your SDLC

The Purpose

Discuss the components of your diagnostic framework.

Review the results of your SDLC diagnostic.

Key Benefits Achieved

SDLC diagnostic framework tied to your SDLC objectives and definitions.

Root causes to your SDLC issues and optimization opportunities.

Activities

2.1 Build your diagnostic framework.

2.2 Diagnose your SDLC.

Outputs

SDLC diagnostic framework.

Root causes to SDLC issues and optimization opportunities.

3 Modernize Your SDLC

The Purpose

Discuss the SDLC practices used in the industry.

Review the scope and achievability of your SDLC optimization initiatives.

Key Benefits Achieved

Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.

Realistic and achievable SDLC optimization roadmap.

Activities

3.1 Learn and adopt SDLC good practices.

3.2 Build your optimization roadmap.

Outputs

Optimization initiatives and target state SDLC practice.

SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.

Improve IT Team Effectiveness

  • Buy Link or Shortcode: {j2store}521|cart{/j2store}
  • member rating overall impact (scale of 10): 9.3/10 Overall Impact
  • member rating average dollars saved: $16,549 Average $ Saved
  • member rating average days saved: 5 Average Days Saved
  • Parent Category Name: Lead
  • Parent Category Link: /lead
  • Organizations rely on team-based work arrangements to provide organizational benefits and to help them better navigate the volatile, uncertain, complex, and ambiguous (VUCA) operating environment.
  • This is becoming more challenging in a hybrid model as interactions now rely less on casual encounters and now must become more intentional.
  • A high-performing team is more than productive. They are more resilient and able to recognize opportunities. They are proactive instead of reactive due to trust and a high level of communication and collaboration.
  • IT teams are more unique, which also provides unique challenges other teams don’t experience.

Our Advice

Critical Insight

IT teams have:

  • Multiple disciplines that tend to operate in parallel versus within a sequence of events.
  • Multiple incumbent roles where people operate in parallel versus needing to share information to produce an outcome.
  • Multiple stakeholders who create a tension with competing priorities.

Impact and Result

Use Info-Tech’s phased approach to diagnose your team and use the IDEA model to drive team effectiveness.

The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.

Improve IT Team Effectiveness Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Team Effectiveness Storyboard – A step-by-step document that walks you through how to properly assess your team’s effectiveness and activities that will identify solutions to overcome.

The storyboard will walk you through three critical steps to assess, analyze, and build solutions to improve your team’s effectiveness.

  • Having your team members complete an assessment.
  • Reviewing and sharing the results.
  • Building a list of activities to select from based on the assessment results to ensure you target the problem you are facing.
    • Improve IT Team Effectiveness Storyboard – Phases 1-3

    2. The Team Effectiveness Survey – A tool that will determine what areas you are doing well in and where you can improve team relations and increase productivity.

    Each stage has a deliverable that will support your journey on increasing effectiveness starting with how to communicate to the assessment which will accumulate into a team charter and action plan.

    • IT Team Effectiveness Survey
    • IT Team Effectiveness Survey Tool

    3. Facilitation Guide – A collection of activities to select from and use with your team.

    The Facilitation Guide contains instructions to facilitating several activities aligned to each area of the IDEA Model to target your approach directly to your team’s results.

  • Determining roles and responsibilities on the team.
  • Creating a decision-making model that outlines levels of authority and who makes the decisions.
  • Assessing the team communications flow, which highlights the communication flow on the team and any bottlenecks.
  • Building a communication poster that articulates methods used to share different information within the team.
    • Improve IT Team Effectiveness Facilitation Guide
    • Identity – Responsibilities and Dependencies
    • Decision Making Accountability Workbook
    • Exchanges – Team Communications Flow
    • Exchanges – Communications Guide Poster Template
    • Atmosphere – SCARF Worksheet

    4. Action Plan – A template to help build your team action plan.

    The Action Plan Template captures next steps for the team on what they are committing to in order to build a more effective team.

    • Action Plan Template

    5. Team Charter – A template to create a charter for a work group or project team.

    A Team Charter captures the agreements your team makes with each other in terms of accepted behaviors and how they will communicate, make decisions, and create an environment that everyone feels safe contributing in.

    • IT Team Charter Template

    Infographic

    Workshop: Improve IT Team Effectiveness

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Team

    The Purpose

    Determine if proceeding is valuable.

    Key Benefits Achieved

    Set context for team members.

    Activities

    1.1 Review the business context.

    1.2 Identify IT team members to be included.

    1.3 Determine goals and objectives.

    1.4 Build execution plan and determine messaging.

    1.5 Complete IDEA Model assessment.

    Outputs

    Execution and communication plan

    IDEA Model assessment distributed

    2 Review Results and Action Plan

    The Purpose

    Review results to identify areas of strength and opportunity.

    Key Benefits Achieved

    As a team, discuss results and determine actions.

    Activities

    2.1 Debrief results with leadership team.

    2.2 Share results with team.

    2.3 Identify areas of focus.

    2.4 Identify IDEA Model activities to support objectives and explore areas of focus.

    Outputs

    IDEA assessment results

    Selection of specific activities to be facilitated

    3 Document and Measure

    The Purpose

    Review results to identify areas of strength and opportunity.

    Key Benefits Achieved

    build an action plan of solutions to incorporate into team norms.

    Activities

    3.1 Create team charter.

    3.2 Determine action plan for improvement.

    3.3 Determine metrics.

    3.4 Determine frequency of check-ins.

    Outputs

    Team Charter

    Action Plan

    Further reading

    Improve IT Team Effectiveness

    Implement the four critical factors required for all high-performing teams.

    Analyst Perspective

    All teams need to operate effectively; however, IT teams experience unique challenges.

    IT often struggles to move from an effective to a high-performing team due to the very nature of their work. They work across multiple disciplines and with multiple stakeholders.

    When operating across many disciplines it can become more difficult to identify the connections or points of interactions that define effective teams and separate them from being a working group or focus on their individual performance.

    IT employees also work in close partnership with multiple teams outside their IT domain, which can create confusion as to what team are they a primary member of. The tendency is to advocate for or on behalf of the team they primarily work with instead of bringing the IT mindset and alignment to IT roadmap and goals to serve their stakeholders.

    A Picture of Amanda Mathieson

    Amanda Mathieson
    Research Director, People & Leadership Practice
    Info-Tech Research Group

    Executive Summary

    The Challenge

    Organizations rely on team-based work arrangements to provide organizational benefits and better navigate the volatile, uncertain, complex, and ambiguous (VUCA) operating environment.

    This is becoming more challenging in a hybrid environment as interactions now rely less on casual encounters and must become more intentional.

    A high-performing team is more than productive. They are more resilient and able to recognize opportunities. They are proactive instead of reactive due to the trust and high level of communication and collaboration.

    Common Obstacles

    IT teams are more unique, which also provides unique challenges other teams don't experience:

    • Multiple disciplines that tend to operate in parallel versus within a sequence of events
    • Multiple incumbent roles where people operate in parallel versus needing to share information to produce an outcome
    • Multiple stakeholders that create a tension with competing priorities

    Info-Tech's Approach

    Use Info-Tech's phased approach to diagnose your team and use the IDEA model to drive team effectiveness.

    The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.

    Info-Tech Insight

    IT teams often fail to reach their full potential because teamwork presents unique challenges and complexities due to the work they do across the organization and within their own group. Silos, not working together, and not sharing knowledge are all statements that indicate a problem. As a leader it's difficult to determine what to do first to navigate the different desires and personalities on a team.

    How this blueprint will help

    Assess, diagnose, and address issues to realize your team's full potential.

    This research helps IT support:

    • Work Teams: Operate under one organizational unit or function. Their membership is generally stable with well-defined roles.
    • Project Teams: Typically, are time-limited teams formed to produce a particular output or project. Their membership and expertise tend to vary over time.
    • Management or Leadership Teams: Provide direction and guidance to the organization and are accountable for overall performance. Membership is structured by the hierarchy of the organization and includes a diverse set of skills, experience, and expertise.

    Traditionally, organizations have tried to fix ineffective teams by focusing on these four issues: composition, leadership competencies, individual-level performance, and organizational barriers. While these factors are important, our research has shown it is beneficial to focus on the four factors of effective teams addressed in this blueprint first. Then, if additional improvement is needed, shift your focus to the traditional issue areas.

    Common obstacles

    These barriers make it difficult to address effectiveness for many IT teams:

    • Teams do not use one standard set of processes because they may have a wide variety of assignments requiring different sets of processes.
      Source: Freshworks
    • There are multiple disciplines within IT that require vastly different skill sets. Finding the connection points can be difficult when on the surface it seems like success doesn't require interconnectivity.
    • IT has many people in the same roles that act independently based on the stakeholder or internal customer they are serving. This can lead to duplication of effort if information and solutions aren't shared.
    • IT serves many parts of the organization that can bring competing priorities both across the groups they support and with the IT strategy and roadmap itself. Many IT leaders work directly in or for the business, which can see them associate with the internal client team more than their IT team – another layer of conflicting priorities.

    IT also experience challenges with maturity and data silos

    48%

    of IT respondents rate their team as low maturity.

    Maturity is defined by the value they provide the business, ranging from firefighting to innovative partner.

    Source: Info-Tech Research Group, Tech Trends, 2022

    20 Hours

    Data Silos: Teams waste more than 20 hours per month due to poor collaboration and communication.

    Source: Bloomfire, 2022

    Current realities require teams to operate effectively

    How High-Performing Teams Respond:

    Volatile: High degree of change happening at a rapid pace, making it difficult for organizations to respond effectively.

    Teams are more adaptable to change because they know how to take advantage of each others' diverse skills and experience.

    Uncertain: All possible outcomes are not known, and we cannot accurately assess the probability of outcomes that are known.

    Teams are better able to navigate uncertainty because they know how to work through complex challenges and feel trusted and empowered to change approach when needed.

    Complex: There are numerous risk factors, making it difficult to get a clear sense of what to do in any given situation.

    Teams can reduce complexity by working together to identify and plan to appropriately mitigate risk factors.

    Ambiguous: There is a lack of clarity with respect to the causes and consequences of events.

    Teams can reduce ambiguity through diverse situational knowledge, improving their ability to identify cause and effect.

    Teams struggle to realize their full potential

    Poor Communication

    To excel, teams must recognize and adapt to the unique communication styles and preferences of their members.

    To find the "just right" amount of communication for your team, communication and collaboration expectations should be set upfront.

    85% of tech workers don't feel comfortable speaking in meetings.
    Source: Hypercontext, 2022

    Decision Making

    Decision making is a key component of team effectiveness. Teams are often responsible for decisions without having proper authority.

    Establishing a team decision-making process becomes more complicated when appropriate decision-making processes vary according to the level of interdependency between team members and organizational culture.

    20% of respondents say their organization excels at decision making.
    Source: McKinsey, 2019

    Resolving Conflicts

    It is common for teams to avoid/ignore conflict – often out of fear. People fail to see how conflict can be healthy for teams if managed properly.

    Leaders assume mature adults will resolve conflicts on their own. This is not always the case as people involved in conflicts can lack an objective perspective due to charged emotions.

    56% of respondents prioritize restoring harmony in conflict and will push own needs aside.
    Source: Niagara Institute, 2022

    Teams with a shared purpose are more engaged and have higher performance

    Increased Engagement

    3.5x

    Having a shared team goal drives higher engagement. When individuals feel like part of a team working toward a shared goal, they are 3.5x more likely to be engaged.

    Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=5,427

    90%

    Engaged employees are stronger performers with 90% reporting they regularly accomplish more than what is expected.

    Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,363

    Effective and high-performing teams exchange information freely. They are clear on the purpose and goals of the organization, which enable empowerment.

    Info-Tech Insight

    Clear decision-making processes allow employees to focus on getting the work done versus navigating the system.

    Case Study

    Project Aristotle at Google – What makes a team effective at Google?

    INDUSTRY: Technology
    SOURCE: reWork

    Challenge

    Google wanted to clearly define what makes a team effective to drive a consistent meaning among its employees. The challenge was to determine more than quantitative measures, because more is not always better as it can just mean more mistakes to fix, and include the qualitative factors that bring some groups of people together better than others.

    Solution

    There was no pattern in the data it studied so Google stepped back and defined what a team is before embarking on defining effectiveness. There is a clear difference between a work group (a collection of people with little interdependence) and a team that is highly interdependent and relies on each other to share problems and learn from one another. Defining the different meanings took time and Google found that different levels of the organization were defining effectiveness differently.

    Results

    Google ended up with clear definitions that were co-created by all employees, which helped drive the meaning behind the behaviors. More importantly it was also able to define factors that had no bearing on effectiveness; one of which is very relevant in today's hybrid world – colocation.

    It was discovered that teams need to trust, have clarity around goals, have structure, and know the impact their work has.

    Overcoming barriers

    Teams often lack the skills or knowledge to increase effectiveness and performance.

    • Leaders struggle with team strife and ineffectiveness.
    • A leader's ability to connect with and engage team members is vital for driving desired outcomes. However, many team leads struggle to deal with low-performing or conflict-ridden teams.
    • Without adequate training on providing feedback, coaching, and managing difficult conversations, team leads often do not have the skills to positively affect team performance – and they do not appreciate the impact their actions have on desired outcomes.
    • Team leads often find it difficult to invest time and resources in addressing challenges when the team is working toward deadlines.
    • Team leads who are new to a management role within the organization often struggle to transition from independent contributor to leader – especially when they are tasked with managing team members who are former peers.
    • Some team leads believe that soliciting help will be viewed as a personal failure, so they are reluctant to seek support for team performance management from more-senior leaders.

    It's unrealistic to expect struggling teams to improve without outside help; if they were able to, they would have already done so.
    To improve, teams require:

    • A clearly defined team identity
    • A clearly defined decision-making paradigm
    • Consistently productive exchanges within the team
    • An atmosphere of psychological safety

    BUT these are the very things they are lacking when they're struggling.

    An image of Info-Tech's Insights for Improving IT Team Effectiveness.

    Improving team effectiveness

    Use the Info-Tech IDEA Model to assess and improve your team's effectiveness.

    Begin by assessing, recognizing, and addressing challenges in:

    • Identity – team goals, roles, responsibilities, and accountabilities
    • Decision-making paradigms and processes within the team.
    • Exchanges of information, motivation, and emotions between team members
    • Atmosphere of team psychological safety

    IDEA Model of Team Effectiveness

    Effective Team

    • Identity
    • Decisions
    • Exchanges
    • Atmosphere

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1: Assess the team Phase 2: Review results and action plan Phase 3: Document and measure

    Call #1: Scope requirements, objectives, and your specific challenges.
    Call #2: Prepare to assess your team(s) using the assessment tool.

    Call #3: Review the assessment results and plan next steps.
    Call #4: Review results with team and determine focus using IDEA model to identify activity based on results.
    Call #5: Complete activity to determine solutions to build your action plan.

    Call #6: Build out your team agreement.
    Call #7: Identify measures and frequency of check-ins to monitor progress.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1
    (Half Day)

    Day 2

    Day 3

    Day 4

    Determine objectives and assess

    Review survey results

    Determine and conduct activities to increase effectiveness

    Bridge the gap and
    create the strategy

    Activities

    With Leader – 1 hour
    1.1 Review the business context.
    1.2 Identify IT team members to be included.
    1.3 Determine goals and objectives.
    1.4 Build execution plan and determine messaging.
    With Team – 90 minutes
    1.5 Share messaging, set context.
    1.6 Complete Team Effectiveness Survey.

    2.1 Debrief results with leadership team.
    2.2 Share results with team.
    2.3 Identify areas of focus.
    2.4 Identify IDEA Model activities to support objectives and explore areas of focus.

    3.1 Conduct IDEA Model Activities:

    • Identify – Clarify goals, roles, and responsibilities.
    • Decisions – Determine levels of authority; decision-making process.
    • Exchanges – Review information shared with communication methods and preferred styles of each team member.
    • Atmosphere – Create a psychologically safe environment.

    3.2 Record outcomes and actions.

    4.1 Create team charter or agreement.
    4.2 Identify metrics to measure progress.
    4.3 Identify risks.
    4.4 Determine frequency of check-ins to review progress.
    4.5 Check-in with sponsor.

    Deliverables

    1. Execution and communication plan
    2. Team Effectiveness Survey
    1. Assessment results
    2. IDEA Model team-building activities
    1. List of solutions to incorporate into team norms
    2. Action Plan
    1. Team Charter

    Phase 1

    Assess the team

    Phase 1

    Phase 2

    Phase 3

    1.1 Identify team members
    and behaviors to improve using IDEA Model
    1.2 Determine messaging including follow-up plan
    1.3 Send survey

    1.1 Review results with team
    1.2 Determine IDEA focus area(s)
    1.3 Conduct activity to determine solutions

    1.1 Document outcomes and actions
    1.2 Create team charter
    1.3 Identify metrics to show success
    1.4 Schedule check-in

    Improving team effectiveness

    Use the Info-Tech IDEA Model to assess and improve your team's effectiveness

    Begin by assessing, recognizing, and addressing challenges in:

    • Identity – team goals, roles, responsibilities, and accountabilities.
    • Decision-making paradigms and processes within the team.
    • Exchanges of information, motivation, and emotions between team members.
    • Atmosphere of team psychological safety.

    Effective Team

    • Identity
    • Decisions
    • Exchanges
    • Atmosphere

    Assess the shared understanding of team identity

    In addition to having a clear understanding of the team's goals and objectives, team members must also:

    • Understand their own and each other's roles, responsibilities, and accountabilities.
    • Recognize and appreciate the value of each team member.
    • Realize how their actions impact each others' work and the overall goals and objectives.
    • Understand that working in silos is considered a work group whereas a team coordinates activities, shares information, and supports each other to achieve their goals.

    Clear goals enable employees to link their contributions to overall success of the team. Those who feel their contributions are important to the success of the department are two times more likely to feel they are part of a team working toward a shared goal compared to those who don't (McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,551).

    Goals matter in teamwork

    The goals and objectives of the team are the underlying reason for forming the team in the first place. Without a clear and agreed-upon goal, it is difficult for teams to understand the purpose of their work.

    Clear goals support creating clear roles and the contributions required for team success.

    Team Identity = Team goals and Objectives + Individual roles, responsibilities, and accountabilities

    Assess the shared understanding of decision making

    Decision making adds to the complexity of teamwork.
    Individual team members hold different information and opinions that need to be shared to make good decisions.
    Ambiguous decision-making processes can result in team members being unable to continue their work until they get clear direction.
    The most appropriate decision-making process depends on the type of team:

    • The higher the degree of interconnectivity in team members' work, the greater the need for a general consensus approach to decision making. However, if you opt for a general consensus approach, a backup decision-making method must be identified in the event consensus cannot be reached.
    • High-pressure and high-stakes environments tend to centralize decision making to make important decisions quickly.
    • Low-pressure and low-stakes environments are more likely to adopt consensus models.

    Spectrum of Decision Making

    General consensus between all team members.

    A single, final decision maker within the team.

    Ensure team members understand how decisions are made within the team. Ask:

    • Do team members recognize the importance of sharing information, opinions, and suggestions?
    • Do team members feel their voices are heard?
    • Must there be consensus between all team members?
    • Is there a single decision maker?

    Assess team exchanges by focusing on communication

    Evaluate exchanges within your team using two categories:

    These categories are related, but there is not always overlap. While some conflicts involve failures to successfully exchange information, conflict can also occur even when everyone is communicating successfully.

    Communication

    Managing Conflict

    Information, motivations, emotions

    Accepting and expressing diverse perspectives

    Resolving conflict (unified action through diverse perspectives)

    Transmission

    Reception
    (listening)

    Success is defined in terms of how well information, motivations, and emotions are transmitted and received as intended.

    Success is defined in terms of how well the team can move to united action through differences of opinion. Effective teams recognize that conflict can be healthy if managed effectively.

    Successful exchange behaviors

    • Shared understanding of how to motivate one another and how team members respond emotionally.
    • Team moving beyond conflict to united action.
    • Formalized processes used for resolving conflicts.
    • Platforms provided for expressing diverse or conflicting perspectives and opinions – and used in a constructive manner.
    • Use of agendas at meetings as well as clearly defined action items that reflect meeting outcomes.
    • Avoidance of language that is exclusive, such as jargon and inside jokes.

    Exchanges of information, emotion, and motivation

    When selecting a method of communication (for example, in-person versus email), consider how that method will impact the exchange of all three aspects – not just information.

    Downplaying the importance of emotional and motivational exchanges and focusing solely on information is very risky since emotional and motivational exchanges can impact human relationships and team psychological safety.

    • Information: data or opinions.
    • Emotions: feelings and evaluations about the data or opinions.
    • Motivations: what we feel like doing in response to the data or opinions.

    Communication affects the whole team

    Effects are not limited to the team members communicating directly:

    • How team members interact one on one transmits information and causes emotional and motivational responses in other group members not directly involved.
    • How the larger group receives information, emotions, and motivations will also impact how individuals relate to each other in group settings.

    Remember to watch the reactions and behavior of participants and observers when assessing how the team behaves.

    Managing conflict

    Identify how conflict management is embedded into team practices.

    • Resolving conflicts is difficult and uses up a lot of time and energy. This is especially true if the team needs to figure out what to do each and every time people disagree.
    • Teams that take the time to define conflict resolution processes upfront:
      • Demonstrate their commitment to resolving conflict in a healthy way.
      • Signal that diverse perspectives and opinions are valued, even if they spur disagreement sometimes.
      • Are ready for conflict when it arises – prepared to face it and thrive.

    Successfully communicating information, emotions, and motivations is not the same as managing conflict.

    Teams that are communicating well are more likely to uncover conflicting perspectives and opinions than teams that are not.

    Conflict is healthy and can be an important element of team success if it is managed.

    The team should have processes in place to resolve conflicts and move to united action.

    Assess the atmosphere

    Team psychological safety

    A team atmosphere that exists when all members feel confident that team members can do the following without suffering negative interpersonal consequences such as blame, shame, or exclusion:

    • Admit mistakes
    • Raise questions or concerns
    • Express dissenting views

    (Administrative Science Quarterly, 1999;
    The New York Times, 2016)

    What psychologically safe teams look like:

    • Open and learning-focused approach to error.
    • Effective conflict management within the team.
    • Emotional and relational awareness between team members.
    • Existence of work-appropriate interpersonal relationships between team members (i.e. beyond mere working relationships).

    (Administrative Science Quarterly, 1999;
    The New York Times, 2016)

    What "team psychological safety" is not:

    • A situation where all team members are friends.
      In some cases psychologically safe team atmospheres might be harder to create when team members are friends since they might be more reluctant to challenge or disagree with friends.
    • Merely trust. Being able to rely on people to honor their commitments is not the same as feeling comfortable admitting mistakes in front of them or disagreeing with them.

    "Psychological safety refers to an individual's perception of the consequences of taking an interpersonal risk or a belief that a team is safe for risk taking in the face of being seen as ignorant, incompetent, negative, or disruptive… They feel confident that no one on the team will embarrass or punish anyone else for admitting a mistake, asking a question, or offering a new idea."

    – re:Work

    Psychological safety

    The impact of psychological safety on team effectiveness

    Why does an atmosphere of team psychological safety matter?

    • Prevents groupthink.
      • People who do not feel safe to hold or express dissenting views gravitate to teams that think like they do, resulting in the well-known dangers of groupthink.
    • Encourages contribution and co-operation.
      • One study found that if team psychological safety is present, even people who tend to avoid teamwork will be more likely to contribute in team settings, thereby increasing the diversity of perspectives that can be drawn on (Journal of Organizational Culture, 2016).

    Creating psychological safety in a hybrid environment requires a deliberate approach to creating team connectedness.

    In the Info-Tech State of Hybrid Work in IT report autonomy and team connectedness present an interesting challenge in that higher levels of autonomy drove higher perceptions of lack of connectedness to the respondent's team. In a hybrid world, this means leaders need to be intentional in creating a safe team dynamic.

    47% of employees who experienced more control over their decisions related to where, when, and how they work than before the pandemic are feeling less connected to their teams.
    Source: Info-Tech, State of Hybrid Work in IT, 2022

    1.1 Prepare to launch the survey

    1-2 hours

    1. Review and record the objectives and outcomes that support your vision of a high-performing team:
      1. Why is this important to you?
      2. What reactions do you anticipate from the team?
    2. In your team meeting, share your vision of what a high-performing team looks like. Engage the team in a discussion:
      1. Ask how they work. Ask them to describe their best working team environment from a previous experience or an aspirational one.
      2. Option: Instruct them to write on sticky notes, one idea per note, and share. This approach will allow for theming of ideas.
    3. Introduce the survey as a way, together as a team, the current state can be assessed against the desired state discussed.
      1. Be clear that as the leader, you won't be completing the survey as you don't want to influence their perceptions of the team. As the leader, you hold authority, and therefore, experience the team differently. This is about them and their feedback.

    Input

    • Observations of team behavior
    • Clearly articulated goals for team cohesion

    Output

    • Speaking notes for introducing survey
    • Survey launch

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • IDEA Assessment

    Participants

    • Leader
    • Team Members

    Download the IT Team Effectiveness Survey

    1.2 Launch the survey

    1-2 hours

    1. Determine how the survey will be completed.
      1. Paper-based
        1. Email a copy of the Word document IT Team Effectiveness Survey for each person to complete individually.
        2. Identify one person to collect each survey and enter the results into the team effectiveness survey tool (tab 2. Data – Effectiveness Answers and tab 3. Data – Team Type Answers). This must be someone outside the team.
      2. Online direct input into Team Effectiveness Survey Tool
        1. Post the document in a shared folder.
        2. Instruct individuals to select one of the numbered columns and enter their information into tab 2. Data – Effectiveness Answers and tab 3. Data – Team Type Answers.
        3. To protect anonymity and keep results confidential, suggest each person opens document in "Cognito mode."
        4. Hide the Summary and Results tabs to avoid team members previewing them.

    Download the IT Team Effectiveness Survey Results Tool

    Paper-Based Cautions & Considerations

    • Heavily dependent on a trusted third party for genuine results
    • Can be time consuming to enter the results

    Online Direct Cautions & Considerations

    • Ensure that users keep to the same numbered column across both entry tabs
    • Seeing other team members' responses may influence others
    • Least amount of administration

    Phase 2

    Review Results and Action Plan

    Phase 1

    Phase 2

    Phase 3

    1.1 Identify team members
    and behaviors to improve using IDEA Model
    1.2 Determine messaging including follow-up plan
    1.3 Send survey

    1.1 Review results with team
    1.2 Determine IDEA focus area(s)
    1.3 Conduct activity to determine solutions

    1.1 Document outcomes and actions
    1.2 Create team charter
    1.3 Identify metrics to show success
    1.4 Schedule check-in

    This phase will walk you through the following activities:

    • Analyzing and debriefing the results to determine themes and patterns to come to a team consensus on what to focus on.
    • Facilitated activities to drive awareness, build co-created definitions of what an effective team looks like, and identify solutions the team can undertake to be more effective.

    This phase involves the following participants:

    • Leader of the team
    • All team members

    Deliverables:

    • A presentation that communicates the team assessment results
    • A plan for effectively delivering the assessment results

    Phase 2: Build a plan to review results and create an action plan

    Reviewing assessment results and creating an improvement action plan is best accomplished through a team meeting.

    Analyzing and preparing for the team meeting may be done by:

    • The person charged with team effectiveness (i.e. team coach).
    • For teams that are seriously struggling with team effectiveness, the coach should complete this step in its entirety.
    • The team coach and the team lead.
    • Truly effective teams are self-reliant. Begin upskilling team leads by involving team leads from the start.
    1. Analyze team assessment results
    2. Prepare to communicate results to the team
    3. Select team activities that will guide the identification of action items and next steps
    4. Facilitate the team meeting

    2.1 Analyze results

    Health Dials

    1. Once the results are final, review the Health Dials for each of the areas.
      1. For each area of the team's effectiveness
        • Red indicates a threat – this will derail the team and you will require an external person to help facilitate conversations.
          It would be recommended to contact us for additional guidance if this is one of your results.
        • Yellow is a growth opportunity.
        • Green is a strength and pay attention to where the dial is – deep into strength or just past the line?
      2. Think about these questions and record your initial reactions.
        1. What surprises you – either positively or negatively?
        2. What areas are as expected?
        3. What behaviors are demonstrated that support the results?

    Prioritize one to two factors for improvement by selecting those with:

    • The lowest overall score.
    • The highest variance in responses.
    • If psychological safety is low, be sure to prioritize this factor; it is the foundation of any effective team.

    An image of the Health dials for each area.

    2.2 Analyze results

    Alignment of Responses

    1. The alignment of responses area provides you with an overview of the range of responses from the team for each area.
      • The more variety in the bars indicates how differently each person is experiencing the team.
      • The more aligned the bars are the more shared the experiences.

    The flatter the bars are across the top, the more agreement there was. Factors that show significant differences in opinion should be discussed to diagnose what is causing the misalignment within your team.

    1. Recommendation is to look at high scores and the alignment and lower scores and the alignment to determine where you may want to focus.

    The alignment chart below shows varied responses; however, there are two distinct patterns. This will be an important area to review.
    Things to think about:

    • Are there new team members?
    • Has there been a leadership change?
    • Has there been a change that has impacted the team?
    An image showing the alignment of responses for Identity, Decisions; Exchange; and Atmosphere.

    2.3 Analyze results

    Team Characteristics and Stakes

    1. Team Characteristics. Use the Team Type Results tab in the IT Team Effectiveness Assessment Tool to identify how the team characterizes itself along the High-Low Scale. The closer the dark blue bar is to the right or left suggests to which degree the team views the characteristic.
      1. Interdependence highlights the team's view on how interconnected and dependent they are on each other to get work done. Think of examples where they should be sharing or collaborating, and they are not.
      2. Virtual describes the physicality of the team. This area has changed a lot since 2020; however, it's still important to note if the team shares the same understanding of work location. Are they thinking of team members in a different geography or referring to hybrid work?
      3. Decision making describes the scale of one decision maker or many. Where are most decisions made by on your team or who is making them?
      4. Stability refers to the degree to which the team stays the same – no membership change or turnover. It can be defined by length of time the group has been together. Looking at this will help understand alignment results. If alignment is varied, one might expect a less stable team.
    2. Stakes and Pressure
      1. Pressure refers to the conditions in which the team must work. How urgent are requests?
      2. Stakes refers to the degree of impact the work has. Will outputs impact safety, health, or a service?
      3. This category can be reviewed against decision making – high pressure, high stakes environments usually have a high concentration of authority. Low pressure, low stakes decisions can also be made either by one person as there is relatively no impact or with many as you have time to get many perspectives.
      4. This area informs what your decision-making protocols should look like.

    A bar graph for Team Characteristics, and a quadrant analysis for comparing Stakes and Pressure.

    2.4 Prepare for meeting

    1-2 hours

    1. Select a facilitator
      • The right person to facilitate the meeting and present the results is dependent upon the results themselves, the team lead's comfort level, and the root and degree of team dysfunction.
      • Typically, the team lead will facilitate and present the results. However, it will be more appropriate to have a member of the HR team or an external third party facilitate.
    2. Set the agenda (recommended sample to the right) that ensures:
      • Team members reflect on the results and discuss reaction to the results. (E.g. Are they surprised? Why/why not?)
      • Results are clearly understood and accepted by team members before moving on to activities.
      • The aim of the meeting is kept in mind. The purpose of the team meeting is to involve all team members in the creation of an effectiveness improvement plan.
    3. Customize the Facilitation Guide and activities in the Improve IT Team Effectiveness Facilitation Guide. (Activities are aligned with the four factors in the IDEA model.)
      • Identify a clear objective for each activity given the team assessment results. (E.g. What are the areas of improvement? What is the desired outcome of the activity?)
      • Review and select the activities that will best achieve the objectives.
      • Customize and prepare for chosen activities appropriately.
      • Obtain all necessary materials.
      • Practice by anticipating and preparing for questions, objectives, and what you will say and do.

    Facilitation Factors
    Select a third-party facilitator if:

    • The team lead is uncomfortable.
    • The leadership or organization is implicated in the team's dysfunction, a third party can be sought in place of HR.
    • Regardless of who facilitates, it is critical that the team lead understands the process and results and is comfortable answering any questions that arise.

    Agenda

    • Review the IDEA Model.
    • Discuss the assessment results.
    • Invite team members to reflect on the results and discuss reaction to the results.
    • Ensure results are clearly understood and accepted.
    • Examine team challenges and strengths through selected team activities.
    • Create a team charter and effectiveness improvement plan.

    Materials

    • IT Team Effectiveness Activities Facilitation Guide
    • IT Team Effectiveness Survey results

    Participants

    • Leader

    2.5 Run the meeting

    2-3 hours

    Facilitate the team meeting and agree on the team effectiveness improvement plan.

    Work with the team to brainstorm and agree on an action plan of continuous improvements.

    By creating an action plan together with the team, there is greater buy-in and commitment to the activities identified within the action plan.

    Don't forget to include timelines and task owners in the action plan – it isn't complete without them.

    Document final decisions in Info-Tech's Improve IT Team Effectiveness Action Plan Tool.

    Review activity Develop Team Charter in the Improve IT Team Effectiveness Facilitation Guide and conclude the team meeting by creating a team charter. With a team charter, teams can better understand:

    • Team objectives
    • Team membership and roles
    • Team ground rules

    Facilitation Factors

    Encourage and support participation from everyone.

    Be sure no one on the team dismisses anyone's thoughts or opinions – they present the opportunity for further discussion and deeper insight.

    Watch out for anything said or done during the activities that should be discussed in the activity debrief.

    Debrief after each activity, outlining any lessons learned, action items, and next steps.

    Agenda

    • Review the IDEA Model.
    • Discuss the assessment results.
    • Invite team members to reflect on the results and discuss reaction to the results.
    • Ensure results are clearly understood and accepted.
    • Examine team challenges and strengths through selected team activities.
    • Create a team charter and effectiveness improvement plan.

    Materials

    • IT Team Effectiveness Activities Facilitation Guide
    • Whiteboard/flip charts
    • Sticky notes
    • IT Team Effectiveness Survey results

    Participants

    • Leader
    • Team Members
    • Optional – External Facilitator

    Phase 3

    Document and measure

    Phase 1

    Phase 2

    Phase 3

    1.1 Identify team members
    and behaviors to improve using IDEA Model
    1.2 Determine messaging including follow-up plan
    1.3 Send survey

    1.1 Review results with team
    1.2 Determine IDEA focus area(s)
    1.3 Conduct activity to determine solutions

    1.1 Document outcomes and actions
    1.2 Create team charter
    1.3 Identify metrics to show success
    1.4 Schedule check-in

    This phase will walk you through the following activities:
    Building your team charter that will include:

    • Team vision, mission, and goals
    • Roles and responsibilities of each member
    • Decision-making responsibilities and process
    • How information will be shared and by whom
    • Ways to build psychological safety on the team

    This phase involves the following participants:

    • Leader of the team
    • All team members

    Document and agree to regular check-ins to reassess.

    As a team it will be important to drive your brainstormed solutions into an output that is co-created.

    • Agree to what actions can be implemented.
    • Capture agreed-to team goals, roles, responsibilities, and decision process into a team charter. Also include your communication protocol that articulates how information will be shared in future.
    1. Review suggestions and actions
    2. Capture in team charter
    3. Assign metrics to measure success and determine when to review
    4. Complete ongoing check-ins with team through team meeting and plan to reassess if agreed to

    Team Charter

    Never assume everyone "just knows."

    Set clear expectations for the team's interactions and behaviors.

    • Some teams call this a team agreement, team protocol, or ways of working. Determine the naming convention that works best for your team and culture.
    • This type of document saw a renewed popularity during COVID-19 as face-to-face interactions were more difficult, and as teams, news ways to work needed to be discovered, shared, and documented.
    • A co-created team charter is a critical component to onboarding new employees in the hybrid world.

    Info-Tech Insight – State of Hybrid Work in IT

    One contributor to the report shared the effort and intention around maintaining their culture during the pandemic. The team agreement created became a critical tool to enable conversations between leaders and their team – it was not a policy document.

    Team effectiveness is driven through thoughtful planned conversations. And it's a continued conversation.

    A screenshot of the IT Team Charter Template page

    Download the IT Team Charter Template

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    Identify the impact that improved team effectiveness will have on the organization.
    Determine your baseline metrics to assess the success of your team interventions and demonstrate the impact to the rest of the organization using pre-determined goals and metrics.
    Share success stories through:

    • Newsletters or email announcements
    • Team meetings
    • Presentations to business partners or the organization

    Sample effectiveness improvement goal

    Sample Metric

    Increase employee engagement
    Increase overall employee engagement scores in the Employee Engagement survey by 5% by December 31, 2023.

    • Overall employee engagement

    Strengthen manager/employee relationships
    Increase manager driver scores in the Employee Engagement survey by 5% by December 31, 2023.

    • Employee engagement – manager driver
    • Employee engagement – senior leadership driver

    Reduce employee turnover (i.e. increase retention)
    Reduce voluntary turnover by 5% by December 31, 2023.

    • Voluntary turnover rate
    • Turnover by department or manager
    • Cost of turnover

    Increase organizational productivity
    Increase the value added by human capital by 5% by December 31, 2023.

    • Value added by human capital
    • Employee productivity
    • Human capital return on investment
    • Employee engagement

    Reassess team effectiveness

    Reassess and identify trends after they have worked on key focus areas for improvement.

    Track the team's progress by reassessing their effectiveness six to twelve months after the initial assessment.
    Identify if:

    • Team characteristics have changed.
    • Areas of team strengths are still a source of strength.
    • Areas for improvement have, in fact, improved.
    • There are opportunities for further improvement.

    As the team matures, priorities and areas of concern may shift; it is important to regularly reassess team effectiveness to ensure ongoing alignment and suitability.
    Note: It is not always necessary to conduct a full formal assessment; once teams become more effective and self-sufficient, informal check-ins by team leads will be sufficient.

    If you assess team effectiveness for multiple teams, you have the opportunity to identify trends:

    • Are there common challenges within teams?
    • If so, what are they?
    • How comfortable are teams with intervention?
    • How often is outside help required?

    Identifying these trends, initiatives, training, or tactics may be used to improve team effectiveness across the department – or even the organization.

    Teams are ultimately accountable for their own effectiveness.

    As teams mature, the team lead should become less involved in action planning. However, enabling truly effective teams takes significant time and resources from the team lead.

    Use the action plan created and agreed upon during the team meeting to hold teams accountable:

    • Ensure teams follow through on action items.
    • Ensure you are continuously assessing team effectiveness (formally or informally).

    The team coach should have a plan to transition into a supportive role by:

    • Providing teams with the knowledge, resources, and tools required to improve and sustain high effectiveness.
    • Providing team members and leads with a safe, open, and honest environment.
    • Stepping in as an objective third party when required.

    If the team continues to face barriers

    Other important information: If team effectiveness has not significantly improved, other interventions may be required that are beyond the scope of this project.

    The four factors outlined in the IDEA Model of team effectiveness are very important, but they are not the only things that have a positive or negative impact on teams. If attempts to improve the four factors have not resulted in the desired level of team effectiveness, evaluate other barriers:

    For organizational culture, ask if performance and reward programs do the following:

    • Value teamwork alongside individual achievement and competition
    • Provide incentives that promote a focus on individual performance over team performance
    • Reward or promote those who sabotage their teams

    For learning and development, ask:

    • Is team effectiveness included in our manager or leadership training?
    • Do we offer resources to employees seeking to improve their teamwork competencies?

    If an individual team member's or leader's performance is not meeting expectations, potential remedies include a performance improvement plan, reassignment, and termination of employment.

    These kinds of interventions are beyond the control of the team itself. In these cases, we recommend you consult with your HR department; HR professionals can be important advocates because they possess the knowledge, influence, and authority in the company to promote changes that support teamwork.

    Related Info-Tech Research

    Redesign Your IT Department

    • You could have the best IT employees in the world, but if they aren't structured well your organization will still fail in reaching its vision.
    • Increase the effectiveness of IT as a function.
    • Provide employees with clarity in their roles and responsibilities.

    Build an IT Employee Engagement Program

    • With the growing IT job market, turnover is a serious threat to IT's ability to deliver seamless value and continuously drive innovation.
    • Engagement initiatives are often seen as being HR's responsibility; however, IT leadership needs to take accountability for the retention and productivity of their employees in order to drive business value.

    Info-Tech Leadership Programs

    • Development of the leadership mind should never stop. This program will help IT leaders continue to craft their leadership competencies to navigate the ever-changing world in which we operate.
    • Actively delegate responsibilities and opportunities that engage and develop team members to build on current skills and prepare for the future.

    Research Contributors and Experts

    A picture of Carlene McCubbin

    Carlene McCubbin
    Practice Lead
    Info-Tech Research Group

    A picture of Nick Kozlo

    Nick Kozlo
    Senior Research Analyst
    Info-Tech Research Group

    A picture of Heather Leier-Murray

    Heather Leier-Murray
    Senior Research Analyst
    Info-Tech Research Group

    A picture of Stephen O'Conner

    Stephen O'Conner
    Executive Counselor
    Info-Tech Research Group

    A picture of Jane Kouptsova

    Jane Kouptsova
    Research Director
    Info-Tech Research Group

    Dr. Julie D. Judd, Ed.D.
    Chief Technology Officer
    Ventura County Office of Education

    Works Cited

    Aminov, I., A. DeSmet, and G. Jost. "Decision making in the age of urgency." McKinsey. April 2019. Accessed January 2023.
    Duhigg, Charles. "What Google Learned From Its Quest to Build the Perfect Team." The New York Times, 25 Feb. 2016. Accessed January 2023.
    Edmondson, Amy. "Psychological Safety and Learning Behavior in Work Teams." Administrative Science Quarterly, vol. 44, no. 2, June 1999, pp. 350-383.
    Gardner, Kate. "Julie Judd – Ventura County Office of Education." Toggle, 12 Sept. 2022. Accessed January 2023.
    Google People Operations. "Guide: Understand Team Effectiveness." reWork, n.d. Accessed February 2023.
    Harkins, Phil. "10 Leadership Techniques for Building High-Performing Teams." Linkage Inc., 2014. Accessed 10 April 2017.
    Heath, C. and D. Heath. Decision: How to make better choices in life and work. Random House, 2013, ISBN 9780307361141.
    Hill, Jon. "What is an Information Silo and How Can You Avoid It." Bloomfire, 23 March 2022. Accessed January 2023.
    "IT Team Management Software for Enhanced Productivity." Freshworks, n.d. Accessed January 2023.
    Jackson, Brian. "2022 Tech Trends." Info-Tech Research Group, 2022. Accessed December 2022.
    Kahneman, Daniel. Thinking fast and slow. Farrar, Straus and Giroux. 2011.
    Kouptsova, J., and A. Mathieson. "State of Hybrid Work in IT." Info-Tech Research Group, 2023. Accessed January 2023.
    Mayfield, Clifton, et al. "Psychological Collectivism and Team Effectiveness: Moderating Effects of Trust and Psychological Safety." Journal of Organizational Culture, Communications and Conflict, vol. 20, no. 1, Jan. 2016, pp. 78-94.
    Rock, David. "SCARF: A Brain-Based Model for Collaborating With and Influencing Others." NeuroLeadership Journal, 2008. Web.
    "The State of High Performing Teams in Tech Hypercontext." Hypercontext. 2022. Accessed November 2022.
    Weick, Carl, and Kathleen Sutcliff. Managing the unexpected. John Wiley & Sons, 2007.
    "Workplace Conflict Statistics: How we approach conflict at work." The Niagara Institute, August 2022. Accessed December 2022.

    Build a Cloud Security Strategy

    • Buy Link or Shortcode: {j2store}169|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $38,592 Average $ Saved
    • member rating average days saved: 44 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Leveraging the cloud introduces IT professionals to a new world that they are tasked with securing.
    • With many cloud vendors proposing to share the security responsibility, it can be a challenge for organizations to develop a clear understanding of how they can best secure their data off premises.

    Our Advice

    Critical Insight

    • Cloud security is not fundamentally different from security on premises.
    • While some of the mechanics are different, the underlying principles are the same. Accountability doesn’t disappear.
    • By virtue of its broad network accessibility, the cloud does expose decisions to extreme scrutiny, however.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Build a Cloud Security Strategy Research & Tools

    Start Here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a cloud security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Explore security considerations for the cloud

    Explore how the cloud changes the required controls and implementation strategies for a variety of different security domains.

    • Build a Cloud Security Strategy – Phase 1: Explore Security Considerations for the Cloud
    • Cloud Security Information Security Gap Analysis Tool
    • Cloud Security Strategy Template

    2. Prioritize initiatives and construct a roadmap

    Develop your organizational approach to various domains of security in the cloud, considering the cloud’s unique risks and challenges.

    • Build a Cloud Security Strategy – Phase 2: Prioritize Initiatives and Construct a Roadmap
    [infographic]

    Workshop: Build a Cloud Security Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Approach

    The Purpose

    Define your unique approach to improving security in the cloud.

    Key Benefits Achieved

    An understanding of the organization’s requirements for cloud security.

    Activities

    1.1 Define your approach to cloud security.

    1.2 Define your governance requirements.

    1.3 Define your cloud security management requirements.

    Outputs

    Defined cloud security approach

    Defined governance requirements

    2 Respond to Cloud Security Challenges

    The Purpose

    Explore challenges posed by the cloud in various areas of security.

    Key Benefits Achieved

    An understanding of how the organization needs to evolve to combat the unique security challenges of the cloud.

    Activities

    2.1 Explore cloud asset management.

    2.2 Explore cloud network security.

    2.3 Explore cloud application security.

    2.4 Explore log and event management.

    2.5 Explore cloud incident response.

    2.6 Explore cloud eDiscovery and forensics.

    2.7 Explore cloud backup and recovery.

    Outputs

    Understanding of cloud security strategy components (cont.).

    3 Build Cloud Security Roadmap

    The Purpose

    Identify initiatives to mitigate challenges posed by the cloud in various areas of security.

    Key Benefits Achieved

    A roadmap for improving security in the cloud.

    Activities

    3.1 Define tasks and initiatives.

    3.2 Finalize your task list

    3.3 Consolidate gap closure actions into initiatives.

    3.4 Finalize initiative list.

    3.5 Conduct a cost-benefit analysis.

    3.6 Prioritize initiatives and construct a roadmap.

    3.7 Create effort map.

    3.8 Assign initiative execution waves.

    3.9 Finalize prioritization.

    3.10 Incorporate initiatives into a roadmap.

    3.11 Schedule initiatives.

    3.12 Review your results.

    Outputs

    Defined task list.

    Cost-benefit analysis

    Roadmap

    Effort map

    Initiative schedule

    The First 100 Days As CIO

    • Buy Link or Shortcode: {j2store}540|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $54,525 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: High Impact Leadership
    • Parent Category Link: /lead
    • You’ve been promoted from within to the role of CIO.
    • You’ve been hired externally to take on the role of CIO.

    Our Advice

    Critical Insight

    • Foundational understanding must be achieved before you start. Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
    • Listen before you act (usually). In most situations, executives benefit from listening to peers and staff before taking action.
    • Identify quick wins early and often. Fix problems as soon as you recognize them to set the tone for your tenure.

    Impact and Result

    • Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
    • Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

    The First 100 Days As CIO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why the first 100 days of being a new executive is a crucial time that requires the right balance of listening with taking action. See how seven calls with an executive advisor will guide you through this period.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Check in with your executive advisor over seven calls

    Organize your first 100 days as CIO into activities completed within two-week periods, aided by the guidance of an executive advisor.

    • The First 100 Days As CIO – Storyboard
    • Organizational Catalog
    • Cultural Archetype Calculator
    • IT Capability Assessment

    2. Communicate your plan to your manager

    Communicate your strategy with a presentation deck that you will complete in collaboration with Info-Tech advisors.

    • The First 100 Days As CIO – Presentation Deck

    3. View an example of the final presentation

    See an example of a completed presentation deck, from the new CIO of Gotham City.

    • The First 100 Days As CIO – Presentation Deck Example

    4. Listen to our podcast

    Check out The Business Leadership podcast in Info-Tech's special series, The First 100 Days.

    • "The First 100 Days" Podcast – Alan Fong, CTO, DealerFX
    • "The First 100 Days" Podcast – Denis Gaudreault, country manager for Intel’s Canada and Latin America region
    • "The First 100 Days" Podcast – Dave Penny & Andrew Wertkin, BlueCat
    • "The First 100 Days" Podcast – Susan Bowen, CEO, Aptum
    • "The First 100 Days" Podcast – Wayne Berger, CEO IWG Plc Canada and Latin America
    • "The First 100 Days" Podcast – Eric Wright, CEO, LexisNexis Canada
    • "The First 100 Days" Podcast – Erin Bury, CEO, Willful
    [infographic]

    Further reading

    The First 100 Days As CIO

    Partner with Info-Tech for success in this crucial period of transition.

    Analyst Perspective

    The first 100 days refers to the 10 days before you start and the first three months on the job.

    “The original concept of ‘the first 100 days’ was popularized by Franklin Delano Roosevelt, who passed a battery of new legislation after taking office as US president during the Great Depression. Now commonly extended to the business world, the first 100 days of any executive role is a critically important period for both the executive and the organization.

    But not every new leader should follow FDR’s example of an action-first approach. Instead, finding the right balance of listening and taking action is the key to success during this transitional period. The type of the organization and the mode that it’s in serves as the fulcrum that determines where the point of perfect balance lies. An executive facing a turnaround situation will want to focus on more action more quickly. One facing a sustaining success situation or a realignment situation will want to spend more time listening before taking action.” (Brian Jackson, Research Director, CIO, Info-Tech Research Group)

    Executive summary

    Situation

    • You’ve been promoted from within to the role of CIO.
    • You’ve been hired externally to take on the role of CIO.

    Complication

    Studies show that two years after a new executive transition, as many as half are regarded as failures or disappointments (McKinsey). First impressions are hard to overcome, and a CIO’s first 100 days are heavily weighted in terms of how others will assess their overall success. The best way to approach this period is determined by both the size and the mode of an organization.

    Resolution

    • Work with Info-Tech to prepare a 100-day plan that will position you for success.
    • Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
    • Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

    Info-Tech Insight

    1. Foundational understanding must be achieved before you start.
      Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
    2. Listen before you act (usually).
      In most situations, executives benefit from listening to peers and staff before taking action.
    3. Identify quick wins early and often.
      Fix problems as soon as you recognize them to set the tone for your tenure.

    The First 100 Days: Roadmap

    A roadmap timeline of 'The 100-Day Plan' for your first 100 days as CIO and related Info-Tech Diagnostics. Step A: 'Foundational Preparation' begins 10 days prior to your first day. Step B: 'Management's Expectations' is Days 0 to 30, with the diagnostic 'CIO-CEO Alignment'. Step C: 'Assessing the IT Team' is Days 10 to 75, with the diagnostics 'IT M&G Diagnostic' at Day 30 and 'IT Staffing Assessment' at Day 60. Step D: 'Assess the Key Stakeholders' is Days 40 to 85 with the diagnostic 'CIO Business Vision Survey'. Step E: 'Deliver First-Year Plan' is Days 80 to 100.

    Concierge service overview

    Organize a call with your executive advisor every two weeks during your first 100 days. Info-Tech recommends completing our diagnostics during this period. If you’re not able to do so, instead complete the alternative activities marked with (a).

    Call 1 Call 2 Call 3 Call 4 Call 5 Call 6 Call 7
    Activities
    Before you start: Day -10 to Day 1
    • 1.1 Interview your predecessor.
    • 1.2 Learn the corporate structure.
    • 1.3 Determine STARS mode.
    • 1.4 Create a one-page intro sheet.
    • 1.5 Update your boss.
    Day 0 to 15
    • 2.1 Introduce yourself to your team.
    • 2.2 Document your sphere of influence.
    • 2.3 Complete a competitor array.
    • 2.4 Complete the CEO-CIO Alignment Program.
    • 2.4(a) Agree on what success looks like with the boss.
    • 2.5 Inform team of IT M&G Framework.
    Day 16 to 30
    • 3.1 Determine the team’s cultural archetype.
    • 3.2 Create a cultural adjustment plan.
    • 3.3 Initiate IT M&G Diagnostic.
    • 3.4 Conduct a high-level analysis of current IT capabilities.
    • 3.4 Update your boss.
    Day 31 to 45
    • 4.1 Inform stakeholders about CIO Business Vision survey.
    • 4.2 Get feedback on initial assessments from your team.
    • 4.3 Initiate CIO Business Vision survey.
    • 4.3(a) Meet stakeholders and catalog details.
    Day 46 to 60
    • 5.1 Inform the team that you plan to conduct an IT staffing assessment.
    • 5.2 Initiate the IT Staffing Assessment.
    • 5.3 Quick wins: Make recommend-ations based on CIO Business Vision Diagnostic/IT M&G Framework.
    • 5.4 Update your boss.
    Day 61 to 75
    • 6.1 Run a start, stop, continue exercise with IT staff.
    • 6.2 Make a categorized vendor list.
    • 6.3 Determine the alignment of IT commitments with business objectives.
    Day 76 to 90
    • 7.1 Finalize your vision – mission – values statement.
    • 7.2 Quick Wins: Make recommend-ations based on IT Staffing Assessment.
    • 7.3 Create and communicate a post-100-day plan.
    • 7.4 Update your boss.
    Deliverables Presentation Deck Section A: Foundational Preparation Presentation Deck slides 9, 11-13, 19-20, 29 Presentation Deck slides 16, 17, 21 Presentation Deck slides 30, 34 Presentation Deck slides 24, 25, 2 Presentation Deck slides 27, 42

    Call 1

    Before you start: Day -10 to Day 1

    Interview your predecessor

    Interviewing your predecessor can help identify the organization’s mode and type.

    Before reaching out to your predecessor, get a sense of whether they were viewed as successful or not. Ask your manager. If the predecessor remains within the organization in a different role, understand your relationship with them and how you'll be working together.

    During the interview, make notes about follow-up questions you'll ask others at the organization.

    Ask these open-ended questions in the interview:

    • Tell me about the team.
    • Tell me about your challenges.
    • Tell me about a major project your team worked on. How did it go?
    • Who/what has been helpful during your tenure?
    • Who/what created barriers for you?
    • What do your engagement surveys reveal?
    • Tell me about your performance management programs and issues.
    • What mistakes would you avoid if you could lead again?
    • Why are you leaving?
    • Could I reach out to you again in the future?

    Learn the corporate structure

    Identify the organization’s corporate structure type based on your initial conversations with company leadership. The type of structure will dictate how much control you'll have as a functional head and help you understand which stakeholders you'll need to collaborate with.

    To Do:

    • Review the organization’s structure list and identify whether the structure is functional, prioritized, or a matrix. If it's a matrix organization, determine if it's a strong matrix (project manager holds more authority), weak matrix (functional manager holds more authority), or balanced matrix (managers hold equal authority).

    Functional

    • Most common structure.
    • Traditional departments such as sales, marketing, finance, etc.
    • Functional managers hold most authority.

    Projectized

    • Most programs are implemented through projects with focused outcomes.
    • Teams are cross-functional.
    • Project managers hold the most authority.

    Matrix

    • Combination of projectized and functional.
    • Organization is a dynamic environment.
    • Authority of functional manager flows down through division, while authority of project manager flows sideways through teams.

    This organization is a ___________________ type.

    (Source: Simplilearn)

    Presentation Deck, slide 6

    Determine the mode of the organization: STARS

    Based on your interview process and discussions with company leadership, and using Michael Watkins’ STARS assessment, determine which mode your organization is in: startup, turnaround, accelerated growth, realignment, or sustaining success.

    Knowing the mode of your organization will determine how you approach your 100-day plan. Depending on the mode, you'll rebalance your activities around the three categories of assess, listen, and deliver.

    To Do:

    • Review the STARS table on the right.

    Based on your situation, prioritize activities in this way:

    • Startup: assess, listen, deliver
    • Turnaround: deliver, listen, assess
    • Accelerated Growth: assess, listen, deliver
    • Realignment: listen, assess, deliver
    • Sustaining success: listen, assess, deliver

    This organization is a ___________________ type.

    (Source: Watkins, 2013.)

    Presentation Deck, slide 6

    Determine the mode of the organization: STARS

    STARS Startup Turnaround Accelerated Growth Realignment Sustaining Success
    Definition Assembling capabilities to start a project. Project is widely seen as being in serious trouble. Managing a rapidly expanding business. A previously successful organization is now facing problems. A vital organization is going to the next level.
    Challenges Must build strategy, structures, and systems from scratch. Must recruit and make do with limited resources. Stakeholders are demoralized; slash and burn required. Requires structure and systems to scale; hiring and onboarding. Employees need to be convinced change is needed; restructure at the top required. Risk of living in shadow of a successful former leader.
    Advantages No rigid preconceptions. High-energy environment and easy to pivot. A little change goes a long way when people recognize the need. Motivated employee base willing to stretch. Organization has clear strengths; people desire success. Likely a strong team; foundation for success likely in place.

    Satya Nadella's listen, lead, and launch approach

    CASE STUDY

    Industry Software
    Source Gregg Keizer, Computerworld, 2014

    When Satya Nadella was promoted to the CEO role at Microsoft in 2014, he received a Glassdoor approval rating of 85% and was given an "A" grade by industry analysts after his first 100 days. What did he do right?

    • Created a sense of urgency by shaking up the senior leadership team.
    • Already understood the culture as an insider.
    • Listened a lot and did many one-on-one meetings.
    • Established a vision communicated with a mantra that Microsoft would be "mobile-first, cloud-first."
    • Met his words with actions. He launched Office for iPad and made many announcements for cloud platform Azure.
    Photo of Satya Nadella, CEO, Microsoft Corp.
    Satya Nadella, CEO, Microsoft Corp. (Image source: Microsoft)

    Listen to 'The First 100 Days' podcast – Alan Fong

    Create a one-page introduction sheet to use in communications

    As a new CIO, you'll have to introduce yourself to many people in the organization. To save time on communicating who you are as a person outside of the office, create a brief one-pager that includes a photo of you, where you were born and raised, and what your hobbies are. This helps make a connection more quickly so your conversations can focus on the business at hand rather than personal topics.

    For your presentation deck, remove the personal details and just keep it professional. The personal aspects can be used as a one-pager for other communications. (Source: Personal interview with Denis Gaudreault, Country Lead, Intel.)

    Presentation Deck, slide 5

    Call 2

    Day 1 to Day 15

    Introduce yourself to your team

    Prepare a 20-second pitch about yourself that goes beyond your name and title. Touch on your experience that's relevant to your new role or the industry you're in. Be straightforward about your own perceived strengths and weaknesses so that people know what to expect from you. Focus on the value you believe you'll offer the group and use humor and humility where you're comfortable. For example:

    “Hi everyone, my name is John Miller. I have 15 years of experience marketing conferences like this one to vendors, colleges, and HR departments. What I’m good at, and the reason I'm here, is getting the right people, businesses, and great ideas in a room together. I'm not good on details; that's why I work with Tim. I promise that I'll get people excited about the conference, and the gifts and talents of everyone else in this room will take over from there. I'm looking forward to working with all of you.”

    Have a structured set of questions ready that you can ask everyone.

    For example:
    • How well is the company performing based on expectations?
    • What must the company do to sustain its financial performance and market competitiveness?
    • How do you foresee the CIO contributing to the team?
    • How have past CIOs performed from the perspective of the team?
    • What would successful performance of this role look like to you? To your peers?
    • What challenges and obstacles to success am I likely to encounter? What were the common challenges of my predecessor?
    • How do you view the culture here and how do successful projects tend to get approved?
    • What are your greatest challenges? How could I help you?

    Get to know your sphere of influence: prepare to connect with a variety of people before you get down to work

    Your ability to learn from others is critical at every stage in your first 100 days. Keep your sphere of influence in the loop as you progress through this period.

    A diagram of circles within circles representing your spheres of influence. The smallest circle is 'IT Leaders' and is noted as your 'Immediate circle'. The next largest circle is 'IT Team', then 'Peers - Business Leads', then 'Internal Clients' which is noted as you 'Extended circle'. The largest circle is 'External clients'.

    Write down the names, or at least the key people, in each segment of this diagram. This will serve as a quick reference when you're planning communications with others and will help you remember everyone as you're meeting lots of new people in your early days on the job.

    • Everyone knows their networks are important.
    • However, busy schedules can cause leaders to overlook their many audiences.
    • Plan to meet and learn from all people in your sphere to gain a full spectrum of insights.

    Presentation Deck, slide 29

    Identify how your competitors are leveraging technology for competitive advantage

    Competitor identification and analysis are critical steps for any new leader to assess the relative strengths and weaknesses of their organization and develop a sense of strategic opportunity and environmental awareness.

    Today’s CIO is accountable for driving innovation through technology. A competitive analysis will provide the foundation for understanding the current industry structure, rivalry within it, and possible competitive advantages for the organization.

    Surveying your competitive landscape prior to the first day will allow you to come to the table prepared with insights on how to support the organization and ensure that you are not vulnerable to any competitive blind spots that may exist in the evaluations conducted by the organization already.

    You will not be able to gain a nuanced understanding of the internal strengths and weaknesses until you are in the role, so focus on the external opportunities and how competitors are using technology to their advantage.

    Info-Tech Best Practice

    For a more in-depth approach to identifying and understanding relevant industry trends and turning them into insights, leverage the following Info-Tech blueprints:

    Presentation Deck, slide 9

    Assess the external competitive environment

    Associated Activity icon

    INPUT: External research

    OUTPUT: Competitor array

    1. Conduct a broad analysis of the industry as a whole. Seek to answer the following questions:
      1. Are there market developments or new markets?
      2. Are there industry or lifestyle trends, e.g. move to mobile?
      3. Are there geographic changes in the market?
      4. Are there demographic changes that are shaping decision making?
      5. Are there changes in market demand?
    2. Create a competitor array by identifying and listing key competitors. Try to be as broad as possible here and consider not only entrenched close competitors but also distant/future competitors that may disrupt the industry.
    3. Identify the strengths, weaknesses, and key brand differentiators that each competitor brings to the table. For each strength and differentiator, brainstorm ways that IT-based innovation enables each. These will provide a toolkit for deeper conversations with your peers and your business stakeholders as you move further into your first 100 days.
    Competitor Strengths Weaknesses Key Differentiators IT Enablers
    Competitor 1
    Competitor 2
    Competitor 3

    Complete the CEO-CIO Alignment Program

    Associated Activity icon Run the diagnostic program or use the alternative activities to complete your presentation

    INPUT: CEO-CEO Alignment Program (recommended)

    OUTPUT: Desired and target state of IT maturity, Innovation goals, Top priorities

    Materials: Presentation Deck, slides 11-13

    Participants: CEO, CIO

    Introduce the concept of the CEO-CIO Alignment Program using slide 10 of your presentation deck and the brief email text below.

    Talk to your advisory contact at Info-Tech about launching the program. More information is available on Info-Tech’s website.

    Once the report is complete, import the results into your presentation:

    • Slide 11, the CEO’s current and desired states
    • Slide 12, IT innovation goals
    • Slide 13, top projects and top departments from the CEO and the CIO

    Include any immediate recommendations you have.

    Hello CEO NAME,

    I’m excited to get started in my role as CIO, and to hit the ground running, I’d like to make sure that the IT department is aligned with the business leadership. We will accomplish this using Info-Tech Research Group’s CEO-CIO Alignment Program. It’s a simple survey of 20 questions to be completed by the CEO and the CIO.

    This survey will help me understand your perception and vision as I get my footing as CIO. I’ll be able to identify and build core IT processes that will automate IT-business alignment going forward and create an effective IT strategy that helps eliminate impediments to business growth.

    Research shows that IT departments that are effectively aligned to business goals achieve more success, and I’m determined to make our IT department as successful as possible. I look forward to further detailing the benefits of this program to you and answering any questions you may have the next time we speak.

    Regards,
    CIO NAME

    New KPIs for CEO-CIO Alignment — Recommended

    Info-Tech CEO-CIO Alignment Program

    Info-Tech's CEO-CIO Alignment Program is set up to build IT-business alignment in any organization. It helps the CIO understand CEO perspectives and priorities. The exercise leads to useful IT performance indicators, clarifies IT’s mandate and which new technologies it should invest in, and maps business goals to IT priorities.

    Benefits

    Master the Basics
    Cut through the jargon.
    Take a comprehensive look at the CEO perspective.
    Target Alignment
    Identify how IT can support top business priorities. Address CEO-CIO differences.
    Start on the Right Path
    Get on track with the CIO vision. Use correct indicators and metrics to evaluate IT from day one.

    Supporting Tool or Template icon Additional materials are available on Info-Tech’s website.

    The desired maturity level of IT — Alternative

    Associated Activity icon Use only if you can’t complete the CEO-CIO Alignment Program

    Step 1: Where are we today?

    Determine where the CEO sees the current overall maturity level of the IT organization.

    Step 2: Where do we want to be as an organization?

    Determine where the CEO wants the IT organization to be in order to effectively support the strategic direction of the business.

    A colorful visual representation of the different IT maturity levels. At the bottom is 'STRUGGLE, Unable to Provide Reliable Business Services', then moving upwards are 'SUPPORT, Reliable Infrastructure and IT Service Desk', 'OPTIMIZE, Effective Fulfillment of Work Orders, Functional Business Applications, and Reliable Service Management', 'EXPAND, Effective Execution on Business Projects, Strategic Use of Analytics and Customer Technology', and at the top is 'TRANSFORM, Reliable Technology Innovation'.

    Presentation Deck, slide 11

    Tim Cook's powerful use of language

    CASE STUDY

    Industry Consumer technology
    Source Carmine Gallo, Inc., 2019

    Apple CEO Tim Cook, an internal hire, had big shoes to fill after taking over from the late Steve Jobs. Cook's ability to control how the company is perceived is a big credit to his success. How does he do it? His favorite five words are “The way I see it..." These words allow him to take a line of questioning and reframe it into another perspective that he wants to get across. Similarly, he'll often say, "Let me tell you the way I look at it” or "To put it in perspective" or "To put it in context."

    In your first two weeks on the job, try using these phrases in your conversations with peers and direct reports. It demonstrates that you value their point of view but are independently coming to conclusions about the situation at hand.

    Photo of Tim Cook, CEO, Apple Inc.
    Tim Cook, CEO, Apple Inc. (Image source: Apple)

    Listen to 'The First 100 Days' podcast – Denis Gaudreault

    Inform your team that you plan to do an IT Management & Governance Diagnostic survey

    Associated Activity icon Run the diagnostic program or use the alternative activities to complete your presentation

    INPUT: IT Management & Governance Diagnostic (recommended)

    OUTPUT: Process to improve first, Processes important to the business

    Materials: Presentation Deck, slides 19-20

    Participants: CIO, IT staff

    Introduce the IT Management & Governance Diagnostic survey that will help you form your IT strategy.

    Explain that you want to understand current IT capabilities and you feel a formal approach is best. You’ll also be using this approach as an important metric to track your department’s success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take action on the email when it’s sent to them.

    Example email:

    Hello TEAM,

    I appreciate meeting each of you, and so far I’m excited about the talents and energy on the team. Now I need to understand the processes and capabilities of our department in a deeper way. I’d like to map our process landscape against an industry-wide standard, then dive deeper into those processes to understand if our team is aligned. This will help us be accountable to the business and plan the year ahead. Advisory firm Info-Tech Research Group will be reaching out to you with a simple survey that shouldn’t take too long to complete. It’s important to me that you pay attention to that message and complete the survey as soon as possible.

    Regards,
    CIO NAME

    Call 3

    Day 16 to Day 30

    Leverage team interviews as a source of determining organizational culture

    Info-Tech recommends that you hold group conversations with your team to uncover their opinions of the current organizational culture. This not only helps build transparency between you and your team but also gives you another means of observing behavior and reactions as you listen to team members’ characterizations of the current culture.

    A visualization of the organizational culture of a company asks the question 'What is culture?' Five boxes are stacked, the bottom two are noted as 'The invisible causes' and the top two are noted as 'The visible signs'. From the bottom, 'Fundamental assumptions and beliefs', 'Values and attitudes', 'The way we do things around here', 'Behaviors', and at the top, 'Environment'. (Source: Hope College Blog Network)

    Note: It is inherently difficult for people to verbalize what constitutes a culture – your strategy for extracting this information will require you to ask indirect questions to solicit the highest value information.

    Questions for Discussion:

    • What about the current organizational environment do you think most contributes to your success?
    • What barriers do you experience as you try to accomplish your work?
    • What is your favorite quality that is present in our organization?
    • What is the one thing you would most like to change about this organization?
    • Do the organization's policies and procedures support your efforts to accomplish work or do they impede your progress?
    • How effective do you think IT’s interactions are with the larger organization?
    • What would you consider to be IT’s top three guiding principles?
    • What kinds of people fail in this organization?

    Supporting Tool or Template icon See Info-Tech’s Cultural Archetype Calculator.

    Use the Competing Values Framework to define your organization’s cultural archetype

    THE COMPETING VALUES FRAMEWORK (CVF):

    CVF represents the synthesis of academic study of 39 indicators of effectiveness for organizations. Using a statistical analysis, two polarities that are highly predictive of differences in organizational effectiveness were isolated:

    1. Internal focus and integration vs. external focus and differentiation.
    2. Stability and control vs. flexibility and discretion.

    By plotting these dimensions on a matrix of competing values, four main cultural archetypes are identified with their own value drivers and theories of effectiveness.

    A map of cultural archetypes with 'Internal control and integration' on the left, 'External focus and differentiation' on the right, 'Flexibility and discretion' on top, and 'Stability and control' on the bottom. Top left is 'Clan Archetype', internal and flexible. Top right is 'Adhocracy Archetype', external and flexible. Bottom left is 'Hierarchy Archetype', internal and controlled. Bottom right is 'Market Archetype', external and controlled.

    Presentation Deck, slide 16

    Create a cultural adjustment plan

    Now that you've assessed the cultural archetype, you can plan an appropriate approach to shape the culture in a positive way. When new executives want to change culture, there are a few main options at hand:

    Autonomous evolution: Encourage teams to learn from each other. Empower hybrid teams to collaborate and reward teams that perform well.

    Planned and managed change: Create steering committee and project-oriented taskforces to work in parallel. Appoint employees that have cultural traits you'd like to replicate to hold responsibility for these bodies.

    Cultural destruction: When a toxic culture needs to be eliminated, get rid of its carriers. Putting new managers or directors in place with the right cultural traits can be a swift and effective way to realign.

    Each option boils down to creating the right set of incentives and deterrents. What behaviors will you reward and which ones will you penalize? What do those consequences look like? Sometimes, but not always, some structural changes to the team will be necessary. If you feel these changes should be made, it's important to do it sooner rather than later. (Source: “Enlarging Your Sphere of Influence in Your Organization,” MindTools Corporate, 2014.)

    As you're thinking about shaping a desired culture, it's helpful to have an easy way to remember the top qualities you want to espouse. Try creating an acronym that makes it easy for staff to remember. For example: RISE could remind your staff to be Responsive, Innovative, Sustainable, and Engaging (RISE). Draw upon your business direction from your manager to help produce desired qualities (Source: Jennifer Schaeffer).

    Presentation Deck, slide 17

    Gary Davenport’s welcome “surprise”

    CASE STUDY

    Industry Telecom
    Source Interview with Gary Davenport

    After Gary Davenport was hired on as VP of IT at MTS Allstream, his first weekend on the job was spent at an all-executive offsite meeting. There, he learned from the CEO that the IT department had a budget reduction target of 25%, like other departments in the company. “That takes your breath away,” Davenport says.

    He decided to meet the CEO monthly to communicate his plans to reduce spending while trying to satisfy business stakeholders. His top priorities were:

    1. Stabilize IT after seven different leaders in a five-year period.
    2. Get the IT department to be respected. To act like business owners instead of like servants.
    3. Better manage finances and deliver on projects.

    During Davenport’s 7.5-year tenure, the IT department became one of the top performers at MTS Allstream.

    Photo of Gary Davenport.
    Gary Davenport’s first weekend on the job at MTS Allstream included learning about a 25% reduction target. (Image source: Ryerson University)

    Listen to 'The First 100 Days' podcast – David Penny & Andrew Wertkin

    Initiate IT Management & Governance Diagnostic — Recommended

    Info-Tech Management & Governance Diagnostic

    Talk to your Info-Tech executive advisor about launching the survey shortly after informing your team to expect it. You'll just have to provide the names and email addresses of the staff you want to be involved. Once the survey is complete, you'll harvest materials from it for your presentation deck. See slides 19 and 20 of your deck and follow the instructions on what to include.

    Benefits

    A sample of the 'High Level Process Landscape' materials available from Info-Tech. A sample of the 'Strategy and Governance In Depth Results' materials available from Info-Tech. A sample of the 'Process Accountability' materials available from Info-Tech.
    Explore IT Processes
    Dive deeper into performance. Highlight problem areas.
    Align IT Team
    Build consensus by identifying opposing views.
    Ownership & Accountability
    Identify process owners and hold team members accountable.

    Supporting Tool or Template icon Additional materials available on Info-Tech’s website.

    Conduct a high-level analysis of current IT capabilities — Alternative

    Associated Activity icon

    INPUT: Interviews with IT leadership team, Capabilities graphic on next slide

    OUTPUT: High-level understanding of current IT capabilities

    Run this activity if you're not able to conduct the IT Management & Governance Diagnostic.

    Schedule meetings with your IT leadership team. (In smaller organizations, interviewing everyone may be acceptable.) Provide them a list of the core capabilities that IT delivers upon and ask them to rate them on an effectiveness scale of 1-5, with a short rationale for their score.

    • 1. Not effective (NE)
    • 2. Somewhat Effective (SE)
    • 3. Effective (E)
    • 4. Very Effective (VE)
    • 5. Extremely Effective (EE)

    Presentation Deck, slide 21

    Use the following set of IT capabilities for your assessment

    Strategy & Governance

    IT Governance Strategy Performance Measurement Policies Quality Management Innovation

    People & Resources

    Stakeholder Management Resource Management Financial Management Vendor Selection & Contract Management Vendor Portfolio Management Workforce Strategy Strategic Comm. Organizational Change Enablement

    Service Management & Operations

    Operations Management Service Portfolio Management Release Management Service Desk Incident & Problem Management Change Management Demand Management

    Infrastructure

    Asset Management Infrastructure Portfolio Management Availability & Capacity Management Infrastructure Management Configuration Management

    Information Security & Risk

    Security Strategy Risk Management Compliance, Audit & Review Security Detection Response & Recovery Security Prevention

    Applications

    Application Lifecycle Management Systems Integration Application Development User Testing Quality Assurance Application Maintenance

    PPM & Projects

    Portfolio Management Requirements Gathering Project Management

    Data & BI

    Data Architecture BI & Reporting Data Quality & Governance Database Operations Enterprise Content Management

    Enterprise Architecture

    Enterprise Architecture Solution Architecture

    Quick wins: CEO-CIO Alignment Program

    Complete this while waiting on the IT M&G survey results. Based on your completed CEO-CIO Alignment Report, identify the initiatives you can tackle immediately.

    If you are here... And want to be here... Drive toward... Innovate around...
    Business Partner Innovator Leading business transformation
    • Emerging technologies
    • Analytical capabilities
    • Risk management
    • Customer-facing tech
    • Enterprise architecture
    Trusted Operator Business Partner Optimizing business process and supporting business transformation
    • IT strategy and governance
    • Business architecture
    • Projects
    • Resource management
    • Data quality
    Firefighter Trusted Operator Optimize IT processes and services
    • Business applications
    • Service management
    • Stakeholder management
    • Work orders
    Unstable Firefighter Reduce use disruption and adequately support the business
    • Network and infrastructure
    • Service desk
    • Security
    • User devices

    Call 4

    Day 31 to Day 45

    Inform your peers that you plan to do a CIO Business Vision survey to gauge your stakeholders’ satisfaction

    Associated Activity icon Run the diagnostic program or use the alternative activities to complete your presentation

    INPUT: CIO Business Vision survey (recommended)

    OUTPUT: True measure of business satisfaction with IT

    Materials: Presentation Deck, slide 30

    Participants: CIO, IT staff

    Meet the business leaders at your organization face-to-face if possible. If you can't meet in person, try a video conference to establish some rapport. At the end of your introduction and after listening to what your colleague has to say, introduce the CIO Business Vision Diagnostic.

    Explain that you want to understand how to meet their business needs and you feel a formal approach is best. You'll also be using this approach as an important metric to track your department's success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take the survey when the email is sent to them.

    Example email:

    Hello PEER NAMES,

    I'm arranging for Info-Tech Research Group to invite you to take a survey that will be important to me. The CIO Business Vision survey will help me understand how to meet your business needs. It will only take about 15 minutes of your time, and the top-line results will be shared with the organization. We will use the results to plan initiatives for the future that will improve your satisfaction with IT.

    Regards,
    CIO NAME

    Gain feedback on your initial assessments from your IT team

    There are two strategies for gaining feedback on your initial assessments of the organization from the IT team:

    1. Review your personal assessments with the relevant members of your IT organization as a group. This strategy can help to build trust and an open channel for communication between yourself and your team; however, it also runs the risk of being impacted by groupthink.
    2. Ask for your team to complete their own assessments for you to compare and contrast. This strategy can help extract more candor from your team, as they are not expected to communicate what may be nuanced perceptions of organizational weaknesses or criticisms of the way certain capabilities function.

    Who you involve in this process will be impacted by the size of your organization. For larger organizations, involve everyone down to the manager level. In smaller organizations, you may want to involve everyone on the IT team to get an accurate lay of the land.

    Areas for Review:

    • Strategic Document Review: Are there any major themes or areas of interest that were not covered in my initial assessment?
    • Competitor Array: Are there any initiatives in flight to leverage new technologies?
    • Current State of IT Maturity: Does IT’s perception align with the CEO’s? Where do you believe IT has been most effective? Least effective?
    • IT’s Key Priorities: Does IT’s perception align with the CEO’s?
    • Key Performance Indicators: How has IT been measured in the past?

    Info-Tech Best Practice

    You need your team’s hearts and minds or you risk a short tenure. Overemphasizing business commitment by neglecting to address your IT team until after you meet your business stakeholders will result in a disenfranchised group. Show your team their importance.

    Susan Bowen's talent maximization

    CASE STUDY

    Industry Infrastructure Services
    Source Interview with Susan Bowen

    Susan Bowen was promoted to be the president of Cogeco Peer 1, an infrastructure services firm, when it was still a part of Cogeco Communications. Part of her mandate was to help spin out the business to a new owner, which occurred when it was acquired by Digital Colony. The firm was renamed Aptum and Bowen was put in place as CEO, which was not a certainty despite her position as president at Cogeco Peer 1. She credits her ability to put the right talent in the right place as part of the reason she succeeded. After becoming president, she sought a strong commitment from her directors. She gave them a choice about whether they'd deliver on a new set of expectations – or not. She also asks her leadership on a regular basis if they are using their talent in the right way. While it's tempting for directors to want to hold on to their best employees, those people might be able to enable many more people if they can be put in another place.

    Bowen fully rounded out her leadership team after Aptum was formed. She created a chief operating officer and a chief infrastructure officer. This helped put in place more clarity around roles at the firm and put an emphasis on client-facing services.

    Photo of Susan Bowen, CEO, Aptum.
    Susan Bowen, CEO, Aptum (Image source: Aptum)

    Listen to 'The First 100 Days' podcast – Susan Bowen

    Initiate CIO Business Vision survey – new KPIs for stakeholder management — Recommended

    Info-Tech CIO Business Vision

    Be sure to effectively communicate the context of this survey to your business stakeholders before you launch it. Plan to talk about your plans to introduce it in your first meetings with stakeholders. When ready, let your executive advisor know you want to launch the tool and provide the names and email addresses of the stakeholders you want involved. After you have the results, harvest the materials required for your presentation deck. See slide 30 and follow the instructions on what to include.

    Benefits

    Icon for Key Stakeholders. Icon for Credibility. Icon for Improve. Icon for Focus.
    Key Stakeholders
    Clarify the needs of the business.
    Credibility
    Create transparency.
    Improve
    Measure IT’s progress.
    Focus
    Find what’s important.

    Supporting Tool or Template icon Additional materials are available on Info-Tech’s website.

    Create a catalog of key stakeholder details to reference prior to future conversations — Alternative

    Only conduct this activity if you’re not able to run the CIO Business Vision diagnostic.

    Use the Organizational Catalog as a personal cheat sheet to document the key details around each of your stakeholders, including your CEO when possible.

    The catalog will be an invaluable tool to keep the competing needs of your different stakeholders in line, while ensuring you are retaining the information to build the political capital needed to excel in the C-suite.

    Note: It is important to keep this document private. While you may want to communicate components of this information, ensure your catalog remains under lock and (encryption) key.

    Screenshot of the Organizational Catalog for Stakeholders. At the top are spaces for 'Name', 'Job Title', etc. Boxes include 'Key Personal Details', 'Satisfaction Levels With IT', 'Preferred Communications', 'Key Activities', 'In-Flight and Scheduled Projects', 'Key Performance Indicators', and 'Additional Details'.

    Info-Tech Insight

    While profiling your stakeholders is important, do not be afraid to profile yourself as well. Visualizing how your interests overlap with those of your stakeholders can provide critical information on how to manage your communications so that those on the receiving end are hearing exactly what they need.

    Activity: Conduct interviews with your key business stakeholders — Alternative

    Associated Activity icon

    1. Once you have identified your key stakeholders through your interviews with your boss and your IT team, schedule a set of meetings with those individuals.
    2. Use the meetings to get to know your stakeholders, their key priorities and initiatives, and their perceptions of the effectiveness of IT.
      1. Use the probative questions to the right to elicit key pieces of information.
      2. Refer to the Organizational Catalog tool for more questions to dig deeper in each category. Ensure that you are taking notes separate from the tool and are keeping the tool itself secure, as it will contain private information specific to your interests.
    3. Following each meeting, record the results of your conversation and any key insights in the Organizational Catalog. Refer to the following slide for more details.

    Questions for Discussion:

    • Be indirect about your personal questions – share stories that will elicit details about their interests, kids, etc.
    • What are your most critical/important initiatives for the year?
    • What are your key revenue streams, products, and services?
    • What are the most important ways that IT supports your success? What is your satisfaction level with those services?
    • Are there any current in-flight projects or initiatives that are a current pain point? How can IT assist to alleviate challenges?
    • How is your success measured? What are your targets for the year on those metrics?

    Presentation Deck, slide 34

    Call 5

    Day 46 to Day 60

    Inform your team that you plan to do an IT staffing assessment

    Associated Activity icon Introduce the IT Staffing Assessment that will help you get the most out of your team

    INPUT: Email template

    OUTPUT: Ready to launch diagnostic

    Materials: Email template, List of staff, Sample of diagnostic

    Participants: CIO, IT staff

    Explain that you want to understand how the IT staff is currently spending its time by function and by activity. You want to take a formal approach to this task and also assess the team’s feelings about its effectiveness across different processes. The results of the assessment will serve as the foundation that helps you improve your team’s effectiveness within the organization.

    Example email:

    Hello PEER NAMES,

    The feedback I've heard from the team since joining the company has been incredibly useful in beginning to formulate my IT strategy. Now I want to get a clear picture of how everyone is spending their time, especially across different IT functions and activities. This will be an opportunity for you to share feedback on what we're doing well, what we need to do more of, and what we're missing. Expect to receive an email invitation to take this survey from Info-Tech Research Group. It's important to me that you complete the survey as soon as you're can. Attached you’ll find an example of the report this will generate. Thank you again for providing your time and feedback.

    Regards,
    CIO NAME

    Wayne Berger's shortcut to solve staffing woes

    CASE STUDY

    Industry Office leasing
    Source Interview with Wayne Berger

    Wayne Berger was hired to be the International Workplace Group (IWG) CEO for Canada and Latin America in 2014.

    Wayne approached his early days with the office space leasing firm as a tour of sorts, visiting nearly every one of the 48 office locations across Canada to host town hall meetings. He heard from staff at every location that they felt understaffed. But instead of simply hiring more staff, Berger actually reduced the workforce by 33%.

    He created a more flexible approach to staffing:

    • Employees no longer just reported to work at one office; instead, they were ready to go to wherever they were most needed in a specific geographic area.
    • He centralized all back-office functions for the company so that not every office had to do its own bookkeeping.
    • Finally, he changed the labor profile to consist of full-time staff, part-time staff, and time-on-demand workers.
    Photo of Wayne Berger, CEO, IWG Plc.
    Wayne Berger, CEO, IWG Plc (Image source: IWG)

    Listen to 'The First 100 Days' podcast – Wayne Berger

    Initiate IT Staffing Assessment – new KPIs to track IT performance — Recommended

    Info-Tech IT Staffing Assessment

    Info-Tech’s IT Staffing Assessment provides benchmarking of key metrics against 4,000 other organizations. Dashboard-style reports provide key metrics at a glance, including a time breakdown by IT function and by activity compared against business priorities. Run this survey at about the 45-day mark of your first 90 days. Its insights will be used to inform your long-term IT strategy.

    Benefits

    Icon for Right-Size IT Headcount. Icon for Allocate Staff Correctly. Icon for Maximize Teams.
    Right-Size IT Headcount
    Find the right level for stakeholder satisfaction.
    Allocate Staff Correctly
    Identify staff misalignments with priorities.
    Maximize Teams
    Identify how to drive staff.

    Supporting Tool or Template icon Additional materials are available on Info-Tech’s website.

    Quick wins: Make recommendations based on IT Management & Governance Framework

    Complete this exercise while waiting on the IT Staffing Assessment results. Based on your completed IT Management & Governance report, identify the initiatives you can tackle immediately. You can conduct this as a team exercise by following these steps:

    1. Create a shortlist of initiatives based on the processes that were identified as high need but scored low in effectiveness. Think as broadly as possible during this initial brainstorming.
    2. Write each initiative on a sticky note and conduct a high-level analysis of the amount of effort that would be required to complete it, as well as its alignment with the achievement of business objectives.
    3. Draw the matrix below on a whiteboard and place each sticky note onto the matrix based on its potential impact and difficulty to address.
    A matrix of initiative categories based on effort to achieve and alignment with business objectives. It is split into quadrants: the vertical axis is 'Potential Impact' with 'High, Fully supports achievement of business objectives' at the top and 'Low, Limited support of business objectives' at the bottom; the horizontal axis is 'Effort' with 'Low' on the left and 'High' on the right. Low impact, low effort is 'Low Current Value, No immediate attention required, but may become a priority in the future if business objectives change'. Low impact, high effort is 'Future Reassessment, No immediate attention required, but may become a priority in the future if business objectives change'. High impact, high effort is 'Long-Term Initiatives, High impact on business outcomes but will take more effort to implement. Schedule these in your long-term roadmap'. High impact, low effort is 'Quick Wins, High impact on business objectives with relatively small effort. Some combination of these will form your early wins'.

    Call 6

    Day 61 to Day 75

    Run a start, stop, continue exercise with your IT staff — Alternative

    This is an alternative activity to running an IT Staffing Assessment, which contains a start/stop/continue assessment. This activity can be facilitated with a flip chart or a whiteboard. Create three pages or three columns and label them Start, Stop, and Continue.

    Hand out sticky notes to each team member and then allow time for individual brainstorming. Instruct them to write down their contributions for each category on the sticky notes. After a few minutes, have everyone stick their notes in the appropriate category on the board. Discuss as a group and see what themes emerge. Record the results that you want to share in your presentation deck (GroupMap).

    Gather your team and explain the meaning of these categories:

    Start: Activities you're not currently doing but should start doing very soon.

    Stop: Activities you're currently doing but aren’t working and should cease.

    Continue: Things you're currently doing and are working well.

    Presentation Deck, slide 24

    Determine the alignment of IT commitments with business objectives

    Associated Activity icon

    INPUT: Interviews with IT leadership team

    OUTPUT: High-level understanding of in-flight commitments and investments

    Run this only as an alternative to the IT Management & Governance Diagnostic.

    1. Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.
    2. Determine the following about IT’s current investment mix:
      1. What are the current IT investments and assets? How do they align to business goals?
      2. What investments in flight are related to which information assets?
      3. Are there any immediate risks identified for these key investments?
      4. What are the primary business issues that demand attention from IT consistently?
      5. What choices remain undecided in terms of strategic direction of the IT organization?
    3. Document your key investments and commitments as well as any points of misalignment between objectives and current commitments as action items to address in your long-term plans. If they are small fixes, consider them during your quick-win identification.

    Presentation Deck, slide 25

    Determine the alignment of IT commitments with business objectives

    Run this only as an alternative to the IT Staffing Assessment diagnostic.

    Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.

    Determine the following about IT’s current investment mix:

    • What are the current IT investments and assets?
    • How do they align to business goals?
    • What in-flight investments are related to which information assets?
    • Are there any immediate risks identified for these key investments?
    • What are the primary business issues that demand attention from IT consistently?
    • What remains undecided in terms of strategic direction of the IT organization?

    Document your key investments and commitments, as well as any points of misalignment between objectives and current commitments, as action items to address in your long-term plans. If they are small-effort fixes, consider them during your quick-win identification.

    Presentation Deck, slide 25

    Make a categorized vendor list by IT process

    As part of learning the IT team, you should also create a comprehensive list of vendors under contract. Collaborate with the finance department to get a clear view of how much of the IT budget is spent on specific vendors. Try to match vendors to the IT processes they serve from the IT M&G framework.

    You should also organize your vendors based on their budget allocation. Go beyond just listing how much money you’re spending with each vendor and categorize them into either “transactional” relationships or “strategic relationships.” Use the grid below to organize them. Ideally, you’ll want most relationships to be high spend and strategic (Source: Gary Davenport).

    A matrix of vendor categories with the vertical axis 'Spend' increasing upward, and the horizontal axis 'Type of relationship' with values 'Transactional' or 'Strategic'. The bottom left corner is 'Low Spend Transactional', the top right corner is 'High Spend Strategic'.

    Where to source your vendor list:

    • Finance department
    • Infrastructure managers
    • Vendor manager in IT

    Further reading: Manage Your Vendors Before They Manage You

    Presentation Deck, slide 26

    Jennifer Schaeffer’s short-timeline turnaround

    CASE STUDY

    Industry Education
    Source Interview with Jennifer Schaeffer

    Jennifer Schaeffer joined Athabasca University as CIO in November 2017. She was entering a turnaround situation as the all-online university lacked an IT strategy and had built up significant technical debt. Armed with the mandate of a third-party consultant that was supported by the president, Schaeffer used a people-first approach to construct her strategy. She met with all her staff, listening to them carefully regardless of role, and consulted with the administrative council and faculty members. She reflected that feedback in her plan or explained to staff why it wasn’t relevant for the strategy. She implemented a “strategic calendaring” approach for the organization, making sure that her team members were participating in meetings where their work was assessed and valued. Drawing on Spotify as an inspiration, she designed her teams in a way that everyone was connected to the customer experience. Given her short timeline to execute, she put off a deep skills analysis of her team for a later time, as well as creating a full architectural map of her technology stack. The outcome is that 2.5 years later, the IT department is unified in using the same tooling and optimization standards. It’s more flexible and ready to incorporate government changes, such as offering more accessibility options.

    Photo of Jennifer Schaeffer.
    Jennifer Schaeffer took on the CIO role at Athabasca University in 2017 and was asked to create a five-year strategic plan in just six weeks.
    (Image source: Athabasca University)

    Listen to 'The First 100 Days' podcast – Eric Wright

    Call 7

    Day 76 to Day 90

    Finalize your vision – mission – values statement

    A clear statement for your values, vision, and mission will help crystallize your IT strategy and communicate what you're trying to accomplish to the entire organization.

    Mission: This statement describes the needs that IT was created to meet and answers the basic question of why IT exists.

    Vision: Write a statement that captures your values. Remember that the vision statement sets out what the IT organization wants to be known for now and into the future.

    Values: IT core values represent the standard axioms by which the IT department operates. Similar to the core values of the organization as a whole, IT’s core values are the set of beliefs or philosophies that guide its strategic actions.

    Further reading: IT Vision and Mission Statements Template

    Presentation Deck, slide 42

    John Chen's new strategic vision

    CASE STUDY

    Industry Mobile Services
    Source Sean Silcoff, The Globe and Mail

    John Chen, known in the industry as a successful turnaround executive, was appointed BlackBerry CEO in 2014 following the unsuccessful launch of the BlackBerry 10 mobile operating system and a new tablet.

    He spent his first three months travelling, talking to customers and suppliers, and understanding the company's situation. He assessed that it had a problem generating cash and had made some strategic errors, but there were many assets that could benefit from more investment.

    He was blunt about the state of BlackBerry, making cutting observations of the past mistakes of leadership. He also settled a key question about whether BlackBerry would focus on consumer or enterprise customers. He pointed to a base of 80,000 enterprise customers that accounted for 80% of revenue and chose to focus on that.

    His new mission for BlackBerry: to transform it from being a "mobile technology company" that pushes handset sales to "a mobile solutions company" that serves the mobile computing needs of its customers.

    Photo of John Chen, CEO of BlackBerry.
    John Chen, CEO of BlackBerry, presents at BlackBerry Security Summit 2018 in New York City (Image source: Brian Jackson)

    Listen to 'The First 100 Days' podcast – Erin Bury

    Quick wins: Make recommendations based on the CIO Business Vision survey

    Based on your completed CIO Business Vision survey, use the IT Satisfaction Scorecard to determine some initiatives. Focus on areas that are ranked as high importance to the business but low satisfaction. While all of the initiatives may be achievable given enough time, use the matrix below to identify the quick wins that you can focus on immediately. It’s important to not fail in your quick-win initiative.

    • High Visibility, Low Risk: Best bet for demonstrating your ability to deliver value.
    • Low Visibility, Low Risk: Worth consideration, depending on the level of effort required and the relative importance to the stakeholder.
    • High Visibility, High Risk: Limit higher-risk initiatives until you feel you have gained trust from your stakeholders, demonstrating your ability to deliver.
    • Low Visibility, High Risk: These will be your lowest value, quick-win initiatives. Keep them in a backlog for future consideration in case business objectives change.
    A matrix of initiative categories based on organizational visibility and risk of failure. It is split into quadrants: the vertical axis is 'Organizational Visibility' with 'High' at the top and 'Low' at the bottom; the horizontal axis is 'Risk of Failure' with 'Low' on the left and 'High' on the right. 'Low Visibility, Low Risk, Few stakeholders will benefit from the initiative’s implementation.' 'Low Visibility, High Risk, No immediate attention is required, but it may become a priority in the future if business objectives change.' 'High Visibility, Low Risk, Multiple stakeholders will benefit from the initiative’s implementation, and it has a low risk of failure.' 'High Visibility, High Risk, Multiple stakeholders will benefit from the initiative’s implementation, but it has a higher risk of failure.'

    Presentation Deck, slide 27

    Create and communicate a post-100 plan

    The last few slides of your presentation deck represent a roundup of all the assessments you’ve done and communicate your plan for the months ahead.

    Slide 38. Based on the information on the previous slide and now knowing which IT capabilities need improvement and which business priorities are important to support, estimate where you'd like to see IT staff spend their time in the near future. Will you be looking to shift staff from one area to another? Will you be looking to hire staff?

    Slide 39. Take your IT M&G initiatives from slide 19 and list them here. If you've already achieved a quick win, list it and mark it as completed to show what you've accomplished. Briefly outline the objectives, how you plan to achieve the result, and what measurement will indicate success.

    Slide 40. Reflect your CIO Business Vision initiatives from slide 31 here.

    Slide 41. Use this roadmap template to list your initiatives by roughly when they’ll be worked on and completed. Plan for when you’ll update your diagnostics.

    Expert Contributors

    Photo of Alan Fong, Chief Technology Officer, Dealer-FX Alan Fong, Chief Technology Officer, Dealer-FX
    Photo of Andrew Wertkin, Chief Strategy Officer, BlueCat NetworksPhoto of David Penny, Chief Technology Officer, BlueCat Networks Andrew Wertkin, Chief Strategy Officer, BlueCat Networks
    David Penny, Chief Technology Officer, BlueCat Networks
    Photo of Susan Bowen, CEO, Aptum Susan Bowen, CEO, Aptum
    Photo of Erin Bury, CEO, Willful Erin Bury, CEO, Willful
    Photo of Denis Gaudreault, Country Manager, Intel Canada and Latin America Denis Gaudreault, Country Manager, Intel Canada and Latin America
    Photo of Wayne Berger, CEO, IWG Plc Wayne Berger, CEO, IWG Plc
    Photo of Eric Wright, CEO, LexisNexis Canada Eric Wright, CEO, LexisNexis Canada
    Photo of Gary Davenport Gary Davenport, past president of CIO Association” of Canada, former VP of IT, Enterprise Solutions Division, MTS AllStream
    Photo of Jennifer Schaeffer, VP of IT and CIO, Athabasca University Jennifer Schaeffer, VP of IT and CIO, Athabasca University

    Bibliography

    Beaudan, Eric. “Do you have what it takes to be an executive?” The Globe and Mail, 9 July 2018. Web.

    Bersohn, Diana. “Go Live on Day One: The Path to Success for a New CIO.” PDF document. Accenture, 2015. Web.

    Bradt, George. “Executive Onboarding When Promoted From Within To Follow A Successful Leader.” Forbes, 15 Nov. 2018. Web.

    “CIO Stats: Length of CIO Tenure Varies By Industry.” CIO Journal, The Wall Street Journal. 15 Feb. 2017. Web.

    “Enlarging Your Sphere of Influence in Your Organization: Your Learning and Development Guide to Getting People on Side.” MindTools Corporate, 2014.

    “Executive Summary.” The CIO's First 100 Days: A Toolkit. PDF document. Gartner, 2012. Web.

    Forbes, Jeff. “Are You Ready for the C-Suite?” KBRS, n.d. Web.

    Gallo, Carmine. “Tim Cook Uses These 5 Words to Take Control of Any Conversation.” Inc., 9 Aug. 2019. Web.

    Giles, Sunnie. “The Most Important Leadership Competencies, According to Leaders Around the World.” Harvard Business Review, 15 March 2016. Web.

    Godin, Seth. “Ode: How to tell a great story.” Seth's Blog. 27 April 2006. Web.

    Green, Charles W. “The horizontal dimension of race: Social culture.” Hope College Blog Network, 19 Oct. 2014. Web.

    Hakobyan, Hayk. “On Louis Gerstner And IBM.” Hayk Hakobyan, n.d. Web.

    Bibliography

    Hargrove, Robert. Your First 100 Days in a New Executive Job, edited by Susan Youngquist. Kindle Edition. Masterful Coaching Press, 2011.

    Heathfield, Susan M. “Why ‘Blink’ Matters: The Power of Your First Impressions." The Balance Careers, 25 June 2019. Web.

    Hillis, Rowan, and Mark O'Donnell. “How to get off to a flying start in your new job.” Odgers Berndtson, 29 Nov. 2018. Web.

    Karaevli, Ayse, and Edward J. Zajac. “When Is an Outsider CEO a Good Choice?” MIT Sloan Management Review, 19 June 2012. Web.

    Keizer, Gregg. “Microsoft CEO Nadella Aces First-100-Day Test.” Computerworld, 15 May 2014. Web.

    Keller, Scott, and Mary Meaney. “Successfully transitioning to new leadership roles.” McKinsey & Company, May 2018. Web.

    Kress, R. “Director vs. Manager: What You Need to Know to Advance to the Next Step.” Ivy Exec, 2016. Web.

    Levine, Seth. “What does it mean to be an ‘executive’.” VC Adventure, 1 Feb. 2018. Web.

    Lichtenwalner, Benjamin. “CIO First 90 Days.” PDF document. Modern Servant Leader, 2008. Web.

    Nawaz, Sabina. “The Biggest Mistakes New Executives Make.” Harvard Business Review, 15 May 2017. Web.

    Pruitt, Sarah. “Fast Facts on the 'First 100 Days.‘” History.com, 22 Aug. 2018. Web.

    Rao, M.S. “An Action Plan for New CEOs During the First 100 Days.” Training, 4 Oct. 2014. Web.

    Reddy, Kendra. “It turns out being a VP isn't for everyone.” Financial Post, 17 July 2012. Web.

    Silcoff, Sean. “Exclusive: John Chen’s simple plan to save BlackBerry.” The Globe & Mail, 24 Feb. 2014. Web.

    Bibliography

    “Start Stop Continue Retrospective.” GroupMap, n.d. Web.

    Surrette, Mark. “Lack of Rapport: Why Smart Leaders Fail.” KBRS, n.d. Web.

    “Understanding Types of Organization – PMP Study.” Simplilearn, 4 Sept. 2019. Web.

    Wahler, Cindy. “Six Behavioral Traits That Define Executive Presence.” Forbes, 2 July 2015. Web.

    Watkins, Michael D. The First 90 Days, Updated and Expanded. Harvard Business Review Press, 2013.

    Watkins, Michael D. “7 Ways to Set Up a New Hire for Success.” Harvard Business Review, 10 May 2019. Web.

    “What does it mean to be a business executive?” Daniels College of Business, University of Denver, 12 Aug. 2014. Web.

    Yeung, Ken. “Turnaround: Marissa Mayer’s first 300 days as Yahoo’s CEO.” The Next Web, 19 May 2013. Web.

    Adding the Right Value: Building Cloud Brokerages That Enable

    • Buy Link or Shortcode: {j2store}110|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    In many cases, the answer is to develop a cloud brokerage to manage the complexity. But what should your cloud broker be delivering, and how?

    Our Advice

    Critical Insight

    • To avoid failure, you need to provide security and compliance, but basic user satisfaction means becoming a frictionless intermediary.
    • Enabling brokers provide knowledge and guidance for the best usage of cloud.
    • While GCBs fill a critical role as a control point for IT consumption, they can easily turn into a friction point for IT projects. It’s important to find the right balance between enabling compliance and providing frictionless usability.

    Impact and Result

    • Avoid disintermediation.
    • Maintain compliance.
    • Leverage economies of scale.
    • Ensure architecture discipline.

    Adding the Right Value: Building Cloud Brokerages That Enable Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Cloud Brokerage Deck – A guide to help you start designing a cloud brokerage that delivers value beyond gatekeeping.

    Define the value, ecosystem, and metrics required to add value as a brokerage. Develop a brokerage value proposition that aligns with your audience and capabilities. Define and rationalize the ecosystem of partners and value-add activities for your brokerage. Define KPIs that allow you to maximize and balance both usability and compliance.

    • Adding the Right Value: Building Cloud Brokerages That Enable Storyboard
    [infographic]

    Further reading

    Adding the Right Value: Building Cloud Brokerages That Enable

    Considerations for implementing an institutional-focused cloud brokerage.

    Your Challenge

    Increasingly, large institutions and governments are adopting cloud-first postures for delivering IT resources. Combined with the growth of cloud offerings that are able to meet the certifications and requirements of this segment that has been driven by federal initiatives like Cloud-First in Canada and Cloud Smart in the United States, these two factors have left institutions (and the businesses that serve them) with the challenge of delivering cloud services to their users while maintaining compliance, control, and IT sanity.

    In many cases, the answer is to develop a cloud brokerage to manage the complexity. But what should your cloud broker be delivering and how?

    Navigating the Problem

    Not all cloud brokerages are the same. And while they can be an answer to cloud complexity, an ineffective brokerage can drain value and complicate operations even further. Cloud brokerages need to be designed:

    1. To deliver the right type of value to its users.
    2. To strike the balance between effective governance & security and flexibility & ease of use.

    Info-Tech’s Approach

    By defining your end goals, framing solutions based on the type of value and rigor your brokerage needs to deliver, and focusing on the right balance of security and flexibility, you can deliver a brokerage that delivers the best of all worlds.

    1. Define the brokerage value you want to deliver.
    2. Build the catalog and partner ecosystem.
    3. Understand how to maximize adoption and minimize disintermediation while maintaining architectural discipline and compliance.

    Info-Tech Insight

    Sometimes a brokerage delivery model makes sense, sometimes it doesn’t! Understanding the value addition you want your brokerage to provide before creating it allows you to not only avoid pitfalls and maximize benefits but also understand when a brokerage model does and doesn’t make sense in the first place.

    Project Overview

    Understand what value you want your brokerage to deliver

    Different institutions want brokerage delivery for different reasons. It’s important to define up front why your users need to work through a brokerage and what value that brokerage needs to deliver.

    What’s in the catalog? Is it there to consolidate and simplify billing and consumption? Or does it add value further up the technology stack or value chain? If so, how does that change the capabilities you need internally and from partners?

    Security and compliance are usually the highest priority

    Among institutions adopting cloud, a broker that can help deliver their defined security and compliance standards is an almost universal requirement. Especially in government institutions, this can mean the need to meet a high standard in both implementation and validation.

    The good news is that even if you lack the complete set of skills in-house, the high certification levels available from hyperscale providers combined with a growing ecosystem of service providers working on these platforms means you can usually find the right partner(s) to make it possible.

    The real goal: frictionless intermediation and enablement

    Ultimately, if end users can’t get what they need from you, they will go around you to get it. This challenge, which has always existed in IT, is further amplified in a cloud service world that offers users a cornucopia of options outside the brokerage. Furthermore, cloud users expect to be able to consume IT seamlessly. Without frictionless satisfaction of user demand your brokerage will become disintermediated, which risks your highest priorities of security and compliance.

    Understand the evolution: Info-Tech thought model

    While initial adoption of cloud brokerages in institutions was focused on ensuring the ability of IT to extend its traditional role as gatekeeper to the realm of cloud services, the focus has now shifted upstream to enabling ease of use and smart adoption of cloud services. This is evidenced clearly in examples like the US government’s renaming of its digital strategy from “Cloud First” to “Cloud Smart” and has been mirrored in other regions and institutions.

    Info-Tech Insights

    To avoid failure, you need to provide security and compliance.

    Basic user satisfaction means becoming a frictionless intermediary.

    Exceed expectations! Enabling brokers provide knowledge and guidance for the best usage of cloud.

    • Security & Compliance
    • Frictionless Intermediation
    • Cloud-Enabling Brokerage

    Define the role of a cloud broker

    Where do brokers fit in the cloud model?

    • NIST Definition: An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.
    • Similar to a telecom master agent, a cloud broker acts as the middle-person and end-user point of contact, consolidating the management of underlying providers.
    • A government or institutional cloud broker (GCB) is responsible for the delivery of all cloud services consumed by the departments or agencies it supports or that are mandated to use it.

    Balancing governance and agility

    Info-Tech Insight

    While GCBs fill a critical role as a control point for IT consumption, they can easily turn into a friction point for IT projects. It’s important to find the right balance between enabling compliance and providing frictionless usability.

    Model brokerage drivers and benefits

    Reduced costs: Security through standardization: Frictionless consumption: Avoid disinter-mediation; Maintain compliance; Leverage economies of scale; Ensure architecture discipline

    Maintain compliance and ensure architecture discipline: Brokerages can be an effective gating point for ensuring properly governed and managed IT consumption that meets the specific regulations and compliances required for an institution. It can also be a strong catalyst and enabler for moving to even more effective cloud consumption through automation.

    Avoid disintermediation: Especially in institutions, cloud brokers are a key tool in the fight against disintermediation – that is, end users circumventing your IT department’s procurement and governance by consuming an ad hoc cloud service.

    Leverage economies of scale: Simply put, consolidation of your cloud consumption drives effectiveness by making the most of your buying power.

    Info-Tech Insights

    Understanding the importance of each benefit type to your brokerage audience will help you define the type of brokerage you need to build and what skills and partners will be required to deliver the right value.

    The brokerage landscape

    The past ten years have seen governments and institutions evolve from basic acceptance of cloud services to the usage of cloud as the core of most IT initiatives.

    • As part of this evolution, many organizations now have well-defined standards and guidance for the implementation, procurement, and regulation of cloud services for their use.
    • Both Canada (Strategic Plan for Information Management and Information Technology) and the United States (Cloud Smart – formerly known as Cloud First) have recently updated their guidance on adoption of cloud services. The Australian Government has also recently updated its Cloud Computing Policy.
    • AWS and Azure both now claim Full FedRAMP (Federal Risk and Authorization Management Program) certification.
    • This has not only enabled easy adoption of these core hyperscale cloud service by government but also driven the proliferation of a large ecosystem of FedRAMP-authorized cloud service providers.
    • This trend started with government at the federal level but has cascaded downstream to provincial and municipal governments globally, and the same model seems likely to be adopted by other governments and other institution types over time.

    Info-Tech Insight

    The ecosystem of platforms and tools has grown significantly and examples of best practices, especially in government, are readily available. Once you’ve defined your brokerage’s value stance, the building blocks you need to deliver often don’t need to be built from scratch.

    Address the unique challenges of business-led IT in institutions

    With the business taking more accountability and management of their own technology, brokers must learn how to evolve from being gatekeepers to enablers.

    This image This lists the Cons of IT acting as a gatekeeper providing oversight, and the Pros of IT acting as an Enabler in an IT Partnership.  the Cons are: Restrict System Access; Deliver & Monitor Applications; Own Organizational Risk; Train the Business.  The Pros are: Manage Role-Based Access; Deliver & Monitor Platforms; Share Organizational Risk; Coach & Mentor the Business

    Turn brokerage pitfalls into opportunities

    The greatest risks in using a cloud broker come from its nature as a single point of distribution for service and support. Without resources (or automation) to enable scale, as well as responsive processes for supporting users in finding the right services and making those services available through the brokerage, you will lose alignment with your users’ needs, which inevitably leads to disintermediation, loss of IT control, and broken compliance

    Info-Tech Insights

    Standardization and automation are your friend when building a cloud brokerage! Sometimes this means having a flexible catalog of options and configurations, but great brokerages can deliver value by helping their users redefine and evolve their workloads to work more effectively in the cloud. This means providing guidance and facilitating the landing/transformation of users’ workloads in the cloud, the right way.

    Challenges Impact
    • Single point of failure
    • Managing capacity
    • Alignment of brokerage with underlying agencies
    • Additional layer of complexity
    • Inability to deliver service
    • Disintermediation
    • Broken security/compliance
    • Loss of cost control/purchasing power

    Validate your cloud brokerage strategy using Info-Tech’s approach

    Value Definition

    • Define your brokerage type and value addition

    Capabilities Mapping

    • Understand the partners and capabilities you need to be able to deliver

    Measuring Value

    • Define KPIs for both compliant delivery and frictionless intermediation

    Provide Cloud Excellence

    • Move from intermediation to enablement and help users land on the cloud the right way

    Define the categories for your brokerage’s benefit and value

    Depending on the type of brokerage, the value delivered may be as simple as billing consolidation, but many brokerages go much deeper in their value proposition.

    This image depicts a funnel, where the following inputs make up the Broker Value: Integration, Interface and Management Enhancement; User Identity and Risk Management/ Security & Compliance; Cost & Workload Efficiency, Service Aggregation

    Define the categories of brokerage value to add

    • Purchasing Agents save the purchaser time by researching services from different vendors and providing the customer with information about how to use cloud computing to support business goals.
    • Contract Managers may also be assigned power to negotiate contracts with cloud providers on behalf of the customer. In this scenario, the broker may distribute services across multiple vendors to achieve cost-effectiveness, while managing the technical and procurement complexity of dealing with multiple vendors.
      • The broker may provide users with an application program interface (API) and user interface (UI) that hides any complexity and allows the customer to work with their cloud services as if they were being purchased from a single vendor. This type of broker is sometimes referred to as a cloud aggregator.
    • Cloud Enablers can also provide the customer with additional services, such as managing the deduplication, encryption, and cloud data transfer and assisting with data lifecycle management and other activities.
    • Cloud Customizers integrate various underlying cloud services for customers to provide a custom offering under a white label or its own brand.
    • Cloud Agents are essentially the software version of a Contract Manager and act by automating and facilitating the distribution of work between different cloud service providers.

    Info-Tech Insights

    Remember that these categories are general guidelines! Depending on the requirements and value a brokerage needs to deliver, it may fit more than one category of broker type.

    Brokerage types and value addition

    Info-Tech Insights

    Each value addition your brokerage invests in delivering should tie to reinforcing efficiency, compliance, frictionlessness, or enablement.

    Value Addition Purchasing Agent Contract Manager Cloud Enabler Cloud Customizer Cloud Agent
    Underlying service selection

    Standard Activity

    Standard Activity Standard Activity Standard Activity Common Activity
    Support and info Standard Activity

    Common Activity

    Standard Activity Standard Activity Common Activity
    Contract lifecycle (pricing/negotiation) Standard Activity Common Activity Standard Activity
    Workload distribution (to underlying services) (aggregation) Common Activity Standard Activity Standard Activity Standard Activity
    Value-add or layered on services Standard Activity Common Activity
    Customization/integration of underlying services Standard Activity
    Automated workload distribution (i.e. software) Standard Activity

    Start by delivering value in these common brokerage service categories

    Security & Compliance

    • Reporting & Auditing
    • SIEM & SOC Services
    • Patching & Monitoring

    Cost Management

    • Right-Sizing
    • Billing Analysis
    • Anomaly Detection & Change Recommendations

    Data Management

    • Data Tiering
    • Localization Management
    • Data Warehouse/Lake Services

    Resilience & Reliability

    • Backup & Archive
    • Replication & Sync
    • DR & HA Management
    • Ransomware Prevention/Mitigation

    Cloud-Native & DevOps Enablement

    • Infrastructure as Code (IaC)
    • DevOps Tools & Processes
    • SDLC Automation Tools

    Design, Transformation, and Integration

    • CDN Integration
    • AI Tools Integration
    • SaaS Customizations

    Activity: Brokerage value design

    Who are you and who are you building this for?

    • Internal brokerage (i.e. you are a department in an organization that is tasked with providing IT resources to other internal groups)
      • No profit motivation
      • Primary goal is to maintain compliance and avoid disintermediation
    • Third-party brokerage (i.e. you are an MSP that needs to build a brokerage to provide a variety of downstream services and act as the single point of consumption for an organization)
      • Focus on value-addition to the downstream services you facilitate for your client
      • Increased requirement to quickly add new partners/services from downstream as required by your client

    What requirements and pains do you need to address?

    • Remember that in the world of cloud, users ultimately can go around IT to find the resources and tools they want to use. In short, if you don’t provide ease and value, they will get it somewhere else.
    • Assess the different types of cloud brokerages out there as a guide to what sort of value you want to deliver.

    Why are you creating a brokerage? There are several categories of driver and more than one may apply.

    • Compliance and security gating/validation
    • Cost consolidation and governance
    • Value-add or feature enhancement of raw/downstream services being consumed

    It’s important to clearly understand how best you can deliver unique value to ensure that they want to consume from you.

    This is an image of a Venn diagram between the following: Who are you trying to serve?; Why and how are you uniquely positioned to deliver?; What requirements do they have and what pain points can you help solve?.  Where all three circles overlap is the Brokerage Value Proposition.

    Understand the ecosystem you’ll require to deliver value

    GCB

    • Enabling Effectiveness
    • Cost Governance
    • Adoption and User Satisfaction
    • Security & Compliance

    Whatever value proposition and associated services your brokerage has defined, either internal resources or additional partners will be required to run the platform and processes you want to offer on top of the defined base cloud platforms.

    Info-Tech Insights

    Remember to always align your value adds and activities to the four key themes:

    • Efficiency
    • Compliance
    • Frictionlessness
    • Cloud Enablement

    Delivering value may require an ecosystem

    The additional value your broker delivers will depend on the tools and services you can layer on top of the base cloud platform(s) you support.

    In many cases, you may require different partners to fulfil similar functions across different base platforms. Although this increases complexity for the brokerage, it’s also a place where additional value can be delivered to end users by your role as a frictionless intermediary.

    Base Partner/Platform

    • Third-party software & platforms
    • Third-party automations & integrations
    • Third-party service partners
    • Internal value-add functions

    Build the ecosystem you need for your value proposition

    Leverage partners and automation to bake compliance in.

    Different value-add types (based on the category/categories of broker you’re targeting) require different additional platforms and partners to augment the base cloud service you’re brokering.

    Security & Config

    • IaC Tools
    • Cloud Resource Configuration Validation
    • Templating Tools
    • Security Platforms
    • SDN and Networking Platforms
    • Resilience (Backup/Replication/DR/HA) Platforms
    • Data & Storage Management
    • Compliance and Validation Platforms & Partners

    Cost Management

    • Subscription Hierarchy Management
    • Showback and Chargeback Logic
    • Cost Dashboarding and Thresholding
    • Governance and Intervention

    Adoption & User Satisfaction

    • Service Delivery SLAs
    • Support Process & Tools
    • Capacity/Availability Management
    • Portal Usability/UX

    Speed of Evolution

    • Partner and Catalog/Service Additions
    • Broker Catalog Roadmapping
    • User Request Capture (new services)
    • User Request Capture (exceptions)

    Build your features and services lists

    Incorporate your end user, business, and IT perspectives in defining the list of mandatory and desired features of your target solution.

    See our Implement a Proactive and Consistent Vendor Selection Process blueprint for information on procurement practices, including RFP templates.

    End User

    • Visual, drag-and-drop models to define data models, business logic, and user interfaces
    • One-click deployment
    • Self-healing application
    • Vendor-managed infrastructure
    • Active community and marketplace
    • Prebuilt templates and libraries
    • Optical character recognition and natural language processing

    Business

    • Audit and change logs
    • Theme and template builder
    • Template management
    • Knowledgebase and document management
    • Role-based access
    • Business value, operational costs, and other KPI monitoring
    • Regulatory compliance
    • Consistent design and user experience across applications
    • Business workflow automation

    IT

    • Application and system performance monitoring
    • Versioning and code management
    • Automatic application and system refactoring and recovery
    • Exception and error handling
    • Scalability (e.g. load balancing) and infrastructure management
    • Real-time debugging
    • Testing capabilities
    • Security management
    • Application integration management

    Understand the stakeholders

    Hyperscale Platform/Base Platform: Security; Compliance and Validation;Portal/Front-End; Cost Governance; Broker Value Add(s)

    Depending on the value-add(s) you are trying to deliver, as well as the requirements from your institution(s), you will have a different delineation of responsibilities for each of the value-add dimensions. Typically, there will be at least three stakeholders whose role needs to be considered for each dimension:

    • Base Cloud Provider
    • Third-Party Platforms/Service Providers
    • Internal Resources

    Info-Tech Insights

    It’s important to remember that the ecosystem of third-party options available to you in each case will likely be dependent on if a given partner operates or supports your chosen base provider.

    Define the value added by each stakeholder in your value chain

    Value Addition Cost Governance Security & Compliance Adoption and User Satisfaction New Service Addition Speed End-User Cloud Effectiveness
    Base platform(s)
    Third party
    Internal

    A basic table of the stakeholders and platforms involved in your value stream is a critical tool for aligning activities and partners with brokerage value.

    Remember to tie each value-add category you’re embarking on to at least one of the key themes!

    Cost Governance → Efficiency

    Security & Compliance → Compliance

    Adoption & User Satisfaction → Frictionlessness

    New Service Addition Responsiveness → Frictionlessness, Enablement

    End-User Cloud Effectiveness → Enablement

    Info-Tech Insights

    The expectations for how applications are consumed and what a user experience should look like is increasingly being guided by the business and by the disintermediating power of the cloud-app ecosystem.

    “Enabling brokers” help embrace business-led IT

    In environments where compliance and security are a must, the challenges of handing off application management to the business are even more complex. Great brokers learn to act not just as a gatekeeper but an enabler of business-led IT.

    Business Empowerment

    Organizations are looking to enhance their Agile and BizDevOps practices by shifting traditional IT practices left and toward the business.

    Changing Business Needs

    Organizational priorities are constantly changing. Cost reduction opportunities and competitive advantages are lost because of delayed delivery of features.

    Low Barrier to Entry

    Low- and no-code development tools, full-stack solutions, and plug-and-play architectures allow non-technical users to easily build and implement applications without significant internal technical support or expertise.

    Democratization of IT

    A wide range of digital applications, services, and information are readily available and continuously updated through vendor and public marketplaces and open-source communities.

    Technology-Savvy Business

    The business is motivated to learn more about the technology they use so that they can better integrate it into their processes.

    Balance usability and compliance: accelerate cloud effectiveness

    Move to being an accelerator and an enabler! Rather than creating an additional layer of complexity, we can use the abstraction of a cloud brokerage to bring a wide variety of value-adds and partners into the ecosystem without increasing complexity for end users.

    Manage the user experience

    • Your portal is a great source of data for optimizing user adoption and satisfaction.
    • Understand the KPIs that matter to your clients or client groups from both a technical and a service perspective.

    Be proactive and responsive in meeting changing needs

    • Determine dashboard consumption by partner view.
    • Regularly review and address the gaps in your catalog.
    • Provide an easy mechanism for adding user-demanded services.

    Think like a service provider

    • You do need to be able to communicate and even market internally new services and capabilities as you add them or people won't know to come to you to use them.
    • It's also critical in helping people move along the path to enablement and knowing what might be possible that they hadn't considered.

    Provide cloud excellence functions

    Enablement Broker

    • Mentorship & Training
      • Build the skills, knowledge, and experiences of application owners and managers with internal and external expertise.
    • Organizational Change Leadership
      • Facilitate cultural, governance, and other organizational changes through strong relationships with business and IT leadership.
    • Good Delivery Practices & Thinking
      • Develop, share, and maintain a toolkit of good software development lifecycle (SDLC) practices and techniques.
    • Knowledge Sharing
      • Centralize a knowledgebase of up-to-date and accurate documentation and develop community forums to facilitate knowledge transfer.
    • Technology Governance & Leadership
      • Implement the organizational standards, policies, and rules for all applications and platforms and coordinate growth and sprawl.
    • Shared Services & Integrations
      • Provide critical services and integrations to support end users with internal resources or approved third-party providers and partners.

    Gauge value with the right metrics

    Focus your effort on measuring key metrics.

    Category

    Purpose

    Examples

    Business Value – The amount of value and benefits delivered. Justify the investment and impact of the brokerage and its optimization to business operations. ROI, user productivity, end-user satisfaction, business operational costs, error rate
    Application Quality – Satisfaction of application quality standards. Evaluate organizational effort to address and maximize user satisfaction and adoption rates. Adoption rate, usage friction metrics, user satisfaction metrics
    Delivery Effectiveness – The delivery efficiency of changes. Enable members to increase their speed to effective deployment, operation, and innovation on cloud platforms. Speed of deployment, landing/migration success metrics

    Determine measures that demonstrate the value of your brokerage by aligning it with your quality definition, value drivers, and users’ goals and objectives. Recognize that your journey will require constant monitoring and refinement to adjust to situations that may arise as you adopt new products, standards, strategies, tactics, processes, and tools.

    Activity Output

    Ultimately, the goal is designing a brokerage that can evolve from gatekeeping to frictionless intermediation to cloud enablement.

    Maintain focus on the value proposition, your brokerage ecosystem, and the metrics that represent enablement for your users and avoid pitfalls and challenges from the beginning.

    Activity: Define your brokerage type and value addition; Understand the partners and capabilities you need to be able to deliver; Define KPIs for both delivery (compliance) and adoption (frictionlessness); Output: GCB Strategy Plan; Addresses: Why and when you should build a GCB; How to avoid pitfalls; How to maximize benefits; How to maximize responsiveness and user satisfaction; How to roadmap and add services with agility.

    Appendix

    Related blueprints and tools

    Document Your Cloud Strategy

    This blueprint covers aligning your value proposition with general cloud requirements.

    Define Your Digital Business Strategy

    Phase 1 of this research covers identifying value chains to be transformed.

    Embrace Business-Managed Applications

    Phase 1 of this research covers understanding the business-managed applications as a factor in developing a frictionless intermediary model.

    Implement a Proactive and Consistent Vendor Selection Process

    This blueprint provides information on partner selection and procurement practices, including RFP templates.

    Bibliography

    “3 Types of Cloud Brokers That Can Save the Cloud.” Cloud Computing Topics, n.d. Web.

    Australian Government Cloud Computing Policy. Government of Australia, October 2014. Web.

    “Cloud Smart Policy Overview.” CIO.gov, n.d. Web.

    “From Cloud First to Cloud Smart.” CIO.gov, n.d. Web.

    Gardner, Dana. “Cloud brokering: Building a cloud of clouds.” ZDNet, 22 April 2011. Web.

    Narcisi, Gina. “Cloud, Next-Gen Services Help Master Agents Grow Quickly And Beat 'The Squeeze' “As Connectivity Commissions Decline.” CRN, 14 June 2017. Web.

    Smith, Spencer. “Asigra calls out the perils of cloud brokerage model.” TechTarget, 28 June 2019. Web.

    Tan, Aaron. “Australia issues new cloud computing guidelines.” TechTarget, 27 July 2020. Web.

    The European Commission Cloud Strategy. ec.europa.eu, 16 May 2019. Web.

    “TrustRadius Review: Cloud Brokers 2022.” TrustRadius, 2022. Web.

    Yedlin, Debbie. “Pros and Cons of Using a Cloud Broker.” Technology & Business Integrators, 17 April 2015. Web.

    Prepare to Successfully Deploy PPM Software

    • Buy Link or Shortcode: {j2store}437|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • PPM suite deployments are complicated and challenging. Vendors and consultants can provide much needed expertise and assistance to organizations deploying new PPM suites.
    • While functional requirements are often defined during the procurement stage (for example, in an RFP), the level of detail during this stage is likely insufficient for actually configuring the solution to your specific PPM needs. Too many organizations fail to further develop these functional requirements between signing their contracts and the official start of their professional implementation engagement.
    • Many organizations fail to organize and record the PPM data they will need to populate the new PPM suite. In almost all cases, customers have the expertise and are in the best position to collect and organize their own data. Leaving this until the vendor or consultant arrives to help with the deployment can result in using your professional services in a suboptimal way.
    • Vendors and consultants want you to prepare for their implementation engagements so that you can make the best use of their expertise and assistance. They want you to deploy a PPM suite that can be sustainably adopted in the long term. All too often, however, they arrive onsite to find customers that are disorganized and underprepared.

    Our Advice

    Critical Insight

    • Preparing for a professional implementation engagement allows you to make the best use of your professional services, as well as helping to ensure that the PPM suite is deployed according to your specific PPM needs.
    • Involving your internal resources in the preparation of data and in fully defining functional requirements for the PPM suite helps to establish stakeholder buy-in early on, helping to build internal ownership of the solution from the beginning. This avoids the solution being perceived as something the vendor/consultant “forced upon us.”
    • Vendors and consultants are happy when organizations are organized and prepared for their professional implementation engagements. Preparation ensures these engagements are positive experiences for everyone involved.

    Impact and Result

    • Ensure that the data necessary to deploy the new PPM suite is recorded and organized.
    • Make your functional requirements detailed enough to ensure that the new PPM suite can be configured/customized during the deployment engagement in a way that best fits the organization’s actual PPM needs.
    • Through carefully preparing data and fully defining functional requirements, you help the solution become sustainably adopted in the long term.

    Prepare to Successfully Deploy PPM Software Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why preparing for PPM deployment will ensure that organizations get the most value out of the implementation professional services they purchased and will help drive long-term sustainable adoption of the new PPM suite.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a preparation team and plan

    Engage in purposeful and effective PPM deployment planning by clearly defining what to prepare and when exactly it is time to move from planning to execution.

    • Prepare to Successfully Deploy PPM Software – Phase 1: Create a Preparation Team and Plan
    • Prepare to Deploy PPM Suite Project Charter Template
    • PPM Suite Functional Requirements Document Template
    • PPM Suite Deployment Timeline Template (Excel)
    • PPM Suite Deployment Timeline Template (Project)
    • PPM Suite Deployment Communication Plan Template

    2. Prepare project-related requirements and deliverables

    Provide clearer definition to specific project-related functional requirements and collect the appropriate PPM data needed for an effective PPM suite deployment facilitated by vendors/consultants.

    • Prepare to Successfully Deploy PPM Software – Phase 2: Prepare Project-Related Requirements and Deliverables
    • PPM Deployment Data Workbook
    • PPM Deployment Dashboard and Report Requirements Workbook

    3. Prepare PPM resource requirements and deliverables

    Provide clearer definition to specific resource management functional requirements and data and create a communication and training plan.

    • Prepare to Successfully Deploy PPM Software – Phase 3: Prepare PPM Resource Requirements and Deliverables
    • PPM Suite Transition Plan Template
    • PPM Suite Training Plan Template
    • PPM Suite Training Management Tool

    4. Provide preparation materials to the vendor and implementation professionals

    Plan how to engage vendors/consultants by communicating functional requirements to them and evaluating changes to those requirements proposed by them.

    • Prepare to Successfully Deploy PPM Software – Phase 4: Provide Preparation Materials to the Vendor and Implementation Professionals
    [infographic]

    Workshop: Prepare to Successfully Deploy PPM Software

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan the Preparation Project

    The Purpose

    Select a preparation team and establish clear assignments and accountabilities.

    Establish clear deliverables, milestones, and metrics to ensure it is clear when the preparation phase is complete.

    Key Benefits Achieved

    Preparation activities will be organized and purposeful, ensuring that you do not threaten deployment success by being underprepared or waste resources by overpreparing.

    Activities

    1.1 Overview: Determine appropriate functional requirements to define and data to record in preparation for the deployment.

    1.2 Create a timeline.

    1.3 Create a charter for the PPM deployment preparation project: record lessons learned, establish metrics, etc.

    Outputs

    PPM Suite Deployment Timeline

    Charter for the PPM Suite Preparation Project Team

    2 Prepare Project-Related Requirements and Deliverables

    The Purpose

    Collect and organize relevant project-related data so that you are ready to populate the new PPM suite when the vendor/consultant begins their professional implementation engagement with you.

    Clearly define project-related functional requirements to aid in the configuration/customization of the tool.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data.

    Avoidance of scrambling to find data at the last minute, risking importing out-of-date or irrelevant information into the new software.

    Clearly defined functional requirements that will ensure the suite is configured in a way that can be adoption in the long term.

    Activities

    2.1 Define project phases and categories.

    2.2 Create a list of all projects in progress.

    2.3 Record functional requirements for project requests, project charters, and business cases.

    2.4 Create a list of all existing project requests.

    2.5 Record the current project intake processes.

    2.6 Define PPM dashboard and reporting requirements.

    Outputs

    Project List (basic)

    Project Request Form Requirements (basic)

    Scoring/Requirements (basic)

    Business Case Requirements (advanced)

    Project Request List (basic)

    Project Intake Workflows (advanced)

    PPM Reporting Requirements (basic)

    3 Prepare PPM Resource Requirements and Deliverables

    The Purpose

    Collect and organize relevant resource-related data.

    Clearly define resource-related functional requirements.

    Create a purposeful transition, communication, and training plan for the deployment period.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data that allows your vendor/consultant to get right to work at the start of the implementation engagement.

    Improved buy-in and adoption through transition, training, and communication activities that are tailored to the actual needs of your specific organization and users.

    Activities

    3.1 Create a portfolio-wide roster of project resources (and record their competencies and skills, if appropriate).

    3.2 Record resource management processes and workflows.

    3.3 Create a transition plan from existing PPM tools and processes to the new PPM suite.

    3.4 Identify training needs and resources to be leveraged during the deployment.

    3.5 Define training requirements.

    3.6 Create a PPM deployment training plan.

    Outputs

    Resource Roster and Competency Profile (basic)

    User Roles and Permissions (basic)

    Resource Management Workflows (advanced)

    Transition Approach and Plan (basic)

    Data Archiving Requirements (advanced)

    List of Training Modules and Attendees (basic)

    Internal Training Capabilities (advanced)

    Training Milestones and Deadlines (basic)

    4 Provide Preparation Materials to the Vendor and Implementation Professionals

    The Purpose

    Compile the data collected and the functional requirements defined so that they can be provided to the vendor and/or consultant before the implementation engagement.

    Key Benefits Achieved

    Deliverables that record the outputs of your preparation and can be provided to vendors/consultants before the implementation engagement.

    Ensures that the customer is an active and equal partner during the deployment by having the customer prepare their material and initiate communication.

    Vendors and/or consultants have a clear understanding of the customer’s needs and expectations from the beginning.

    Activities

    4.1 Collect, review, and finalize the functional requirements.

    4.2 Compile a functional requirements and data package to provide to the vendor and/or consultants.

    4.3 Discuss how proposed changes to the functional requirements will be reviewed and decided.

    Outputs

    PPM Suite Functional Requirements Documents

    PPM Deployment Data Workbook

    Re-Envision Enterprise Printing

    • Buy Link or Shortcode: {j2store}165|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $9,000 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Enterprises may be overspending on printing, but this spend is often unknown and untracked.
    • You are locked into a traditional printer lease and outdated document management practices, hampering digital transformation.

    Our Advice

    Critical Insight

    Don’t just settle for printer consolidation: Seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Impact and Result

    • Identify reduction opportunities via a thorough inventory and requirements-gathering process, and educate others on the financial and non-financial benefits. Enforce reduced printing through policies.
    • Change your printing financial model to print as a service by building an RFP and scoring tool for managed print services that makes the vendor a partner in continuous innovation.
    • Leverage durable print management software to achieve vendor-agnostic governance and visibility.

    Re-Envision Enterprise Printing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Re-Envision Enterprise Printing – A step-by-step document to help plan and execute a printer reduction project.

    This storyboard will help you plan the project, assess your current state and requirements, build a managed print services RFP and scoring process, and build continuous improvement of business processes into your operations.

    • Re-Envision Enterprise Printing – Phases 1-3

    2. Planning tools

    Use these templates and tools to plan the printer reduction project, document your inventory, assess current printer usage, and gather information on current and future requirements.

    • Enterprise Printing Project Charter
    • Enterprise Printing Roles and Responsibilities RACI Guide
    • Printer Reduction Tool
    • End-User Print Requirements Survey

    3. RFP tools

    Use these templates and tools to create an RFP for managed print services that can easily score and compare vendors.

    • Managed Print Services Vendor Assessment Questions
    • Managed Print Services RFP Vendor Proposal Scoring Tool
    • Managed Print Services RFP Template

    4. Printer policy

    Update the printer policy to express the new focus on reducing unsupported printer use.

    • Printer Policy Template

    Infographic

    Further reading

    Re-Envision Enterprise Printing

    Don't settle for printer consolidation; seek the elimination of print

    Analystperspective

    You're likely not in the printing business.
    Prepare your organization for the future by reducing print.

    Initiatives to reduce printers are often met with end-user resistance. Don't focus on the idea of taking something away from end users. Instead, focus on how print reduction fits into larger goals of business process improvement, and on opportunities to turn the vendor into a partner who drives business process improvement through ongoing innovation and print reduction.

    What are your true print use cases? Except in some legitimate use cases, printing often introduces friction and does not lead to efficiencies. Companies investing in digital transformation and document management initiatives must take a hard look at business processes still reliant on hard copies. Assess your current state to identify what the current print volume and costs are and where there are opportunities to consolidate and reduce.

    Change your financial model. The managed print services industry allows you to use a pay-as-you-go approach and right-size your print spend to the organization's needs. However, in order to do printing-as-a-service right, you will need to develop a good RFP and RFP evaluation process to make sure your needs are covered by the vendor, while also baking in assurances the vendor will partner with you for continuous print reduction.

    This is a picture of Emily Sugerman

    Emily Sugerman
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Darin Stahl
    Principal Research Advisor, Infrastructure & Operations
    Info-Tech Research Group

    Executive summary

    Your Challenge

    IT directors and business operations managers face several challenges:

    • Too many known unknowns: Enterprises may be overspending on printing, but this spend is often unknown and untracked.
    • Opportunity costs: By locking into conventional printer leases and outdated document management, you are locking yourself out of the opportunity to improve business processes.

    Common Obstacles

    Printer reduction initiatives are stymied by:

    • End-user resistance: Though sometimes the use of paper remains necessary, end users often cling to paper processes out of concern about change.
    • Lack of governance: You lack insight into legitimate print use cases and lack full control over procurement of devices and consumables.
    • Overly generic RFP: Print requirements are not tailored to your organization, and your managed print services RFP does not ask enough of the vendor.

    Info-Tech's Approach

    Follow these steps to excise superfluous, costly printing:

    • Identify reduction opportunities via a thorough inventory and requirements-gathering process, and educate others on the financial and non-financial benefits. Enforce reduced printing through policies.
    • Change your printing financial model to print-as-a-service by building an RFP and scoring tool for managed print services that makes the vendor a partner in continuous innovation.
    • Leverage durable print management software to achieve vendor-agnostic governance and visibility.

    Info-Tech Insight

    Don't settle for printer consolidation: seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Your challenge

    This research is designed to help organizations that aim to reduce printing long term

    • Finally understand aggregate printing costs: Not surprisingly, printing has become a large hidden expense in IT. Enterprises may be overspending on printing, but this spend is often unknown and untracked. Printer consumables are purchased independently by each department, non-networked desktop printers are everywhere, and everyone seems to be printing in color.
    • Walk the walk when it comes to digital transformation: Outdated document management practices that rely on unnecessary printing are not the foundation upon which the organization can improve business processes.
    • Get out of the printing business: Hire a managed print provider and manage that vendor well.

    "There will be neither a V-shaped nor U-shaped recovery in demand for printing paper . . . We are braced for a long L-shaped decline."
    –Toru Nozawa, President, Nippon Paper Industries (qtd. in Nikkei Asia, 2020).

    Weight of paper and paperboard generated in the U.S.*

    This is an image of a graph plotting the total weight of paper and paperboard generated in the US, bu thousands of US tons.

    *Comprises nondurable goods (including office paper), containers, and packaging.

    **2020 data not available.

    Source: EPA, 2020.

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Cost-saving opportunities are unclear: In most cases, nobody is accountable for controlling printing costs, so there's a lack of incentive to do so.
    • End-user attachment to paper-based processes: For end users who have been relying on paper processes, switching to a new way of working can feel like a big ask, particularly if an optimized alternative has not been provided and socialized.
    • Legitimate print use cases are undefined: Print does still have a role in some business processes (e.g. for regulatory reasons). However, these business processes have not been analyzed to determine which print use cases are still legitimate. The WFH experience during the COVID-19 pandemic demonstrated that many workflows that previously incorporated printing could be digitized. Indeed, the overall attachment to office paper is declining (see chart).
    • Immature RFP and RFP scoring methods: Outsourcing print to a managed service provider necessitates careful attention to RFP building and scoring. If your print requirements are not properly tailored to your organization and your managed print services RFP does not ask enough of the vendor, it will be harder to hold your vendor to account.

    How important is paper in your office?

    87% 77%

    Quocirca, a printer industry market research firm, found that the number of organizations for whom paper is "fairly or very important to their business" has dropped 10 percentage points between 2019 and 2021.

    Source: Quocirca, 2021.

    Info-Tech's approach

    Permanently change your company's print culture

    1. Plan your Project
    • Create your project charter, investigate end user printer behavior and reduction opportunities, gather requirements and calculate printer costs
  • Find the right managed print vendor
    • Protect yourself by building the right requirements into your RFP, evaluating candidates and negotiating from a strong position
  • Implement the new printer strategy
    • Identify printers to consolidate and eliminate, install them, and communicate updated printer policy
  • Operate
    • Track the usage metrics, service requests, and printing trends, support the printers and educate users to print wisely and sparingly
  • The Info-Tech difference:

    1. Use Info-Tech's tracking tools to finally track data on printer inventory and usage.
    2. Get to an RFP for managed print services faster through Info-Tech's requirement selection activity, and use Info-Tech's scoring tool template to more quickly compare candidates and identify frontrunners and knockouts.
    3. Use Info-Tech's guidance on print management software to decouple your need to govern the fleet from any specific vendor.

    Info-Tech's methodology for Re-Envision Enterprise Printing

    1. Strategy & planning 2. Vendor selection, evaluation, acquisition 3. Implementation & operation
    Phase steps
    1. Create project charter and assign roles
    2. Assess current state of enterprise print environments
    3. Gather current and future printer requirements
    1. Understand managed print services model
    2. Create RFP documents and score vendors
    3. Understand continuous innovation & print management software
    1. Modify printer policies
    2. Measure project success
    3. Training & adoption
    4. Plan persuasive communication
    5. Prepare for continuous improvement
    Phase outcomes
    • Documentation of project roles, scope, objectives, success metrics
    • Accurate printer inventory
    • Documentation of requirements based on end-user feedback, existing usage, and future goals
    • Finalized requirements
    • Completed RFP and vendor scoring tool
    • Managed print vendor selected, if necessary
    • Updated printer policies that reinforce print reduction focus
    • Assessment of project success

    Insight summary

    Keep an eye on the long-term goal of eliminating print

    Don't settle for printer consolidation: seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Persuading leaders is key

    Good metrics and visible improvement are important to strengthen executive support for a long-term printer reduction strategy.

    Tie printer reduction into business process improvement

    Achieve long-lasting reductions in print through document management and improved workflow processes.

    Maintain clarity on what types of printer use are and aren't supported by IT

    Modifying and enforcing printing policies can help reduce use of printers.

    Print management software allows for vendor-agnostic continuity

    Print management software should be vendor-agnostic and allow you to manage devices even if you change vendors or print services.

    Secure a better financial model from the provider

    Simply changing your managed print services pay model to "pay-per-click" can result in large cost savings.

    Blueprint deliverables

    Key deliverable:

    Managed Print Services RFP

    This blueprint's key deliverable is a completed RFP for enterprise managed print services, which feeds into a scoring tool that accelerates the requirements selection and vendor evaluation process.

    Managed Print Services Vendor Assessment Questions

    This is a screenshot from the Managed Print Services Vendor Assessment Questions

    Managed Print Services RFP Template

    This is a screenshot from the Managed Print Services RFP Template

    Managed Print Services RFP Vendor Proposal Scoring Tool

    This is a screenshot from the Managed Print Services RFP Vendor Proposal Scoring Tool

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Enterprise Printing Project Charter

    This is a screenshot from the Enterprise Printing Project Charter

    Document the parameters of the print reduction project, your goals, desired business benefits, metrics.

    Enterprise Printing Roles and Responsibilities RACI Guide

    This is a screenshot from the Enterprise Printing Project Charter

    Assign key tasks for the project across strategy & planning, vendor selection, implementation, and operation.

    Printer Policy

    This is a screenshot from the Printer Policy

    Start with a policy template that emphasizes reduction in print usage and adjust as needed for your organization.

    Printer Reduction Tool

    This is a screenshot from the Printer Reduction Tool

    Track the printer inventory and calculate total printing costs.

    End-User Print Requirements Survey

    This is a screenshot from the End-User Print Requirements Survey

    Base your requirements in end user needs and feedback.

    Blueprint benefits

    IT benefits

    • Make the project charter for printer reduction and estimate cost savings
    • Determine your organization's current printing costs, usage, and capabilities
    • Define your organization's printing requirements and select a solution
    • Develop a printer policy and implement the policy

    Business benefits

    • Understand the challenges involved in reducing printers
    • Understand the potential of this initiative to reduce costs
    • Accelerate existing plans for modernization of paper-based business processes by reducing printer usage
    • Contribute to organizational environmental sustainability targets

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #4: Review requirements.
    Weigh the benefits of managed print services.

    Call #6: Measure project success.

    Call #2: Review your printer inventory.
    Understand your current printing costs and usage.

    Call #5: Review completed scoring tool and RFP.

    Call #5: Review vendor responses to RFP.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    Strategy and Planning

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    • This phase will walk you through the following activities:
    • Create a list of enterprise print roles and responsibilities
    • Create project charter
    • Inventory printer fleet and calculate printing costs
    • Examine current printing behavior and identify candidates for device elimination
    • Gather requirements, including through end user survey

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Step 1.1

    Create project charter and assign roles

    Outcomes of this step

    Completed Project Charter with RACI chart

    Phase 1: Strategy and Planning

    • Step 1.1 Create project charter and assign roles
    • Step 1.2 Assess current state
    • Step 1.3 Gather requirements

    This step involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Activities in this step

    • Create a list of enterprise print roles and responsibilities
    • Create project charter

    1.1 Create project charter

    Use the project charter to clearly define the scope and avoid scope creep

    Identify project purpose

    • Why is the organization taking on this project? What are you trying to achieve?
    • What is the important background you need to document? How old is the fleet? What kinds of printer complaints do you get? What percentage of the IT budget does printing occupy?
    • What specific goals should this project achieve? What measurable financial and non-financial benefits do these goals achieve?

    Identify project scope

    • What functional requirements do you have?
    • What outputs are expected?
    • What constraints will affect this project?
    • What is out of scope for this project?

    What are the main roles and responsibilities?

    • Who is doing what for this project?

    How will you measure success?

    • What are the project's success metrics and KPIs?

    Enterprise Printing Project Charter

    This is a screenshot from the Enterprise Printing Project Charter

    Anticipate stakeholder resistance

    Getting management buy-in for printer reduction is often one of the biggest challenges of the project.

    Challenge Resolution
    Printer reduction is not typically high on the priority list of strategic IT initiatives. It is often a project that regularly gets deferred. The lack of an aggregate view of the total cost of printing in the environment could be one root cause, and what can't be measured usually isn't being managed. Educate and communicate the benefits of printer reduction to executives. In particular, spend time getting buy-in from the COO and/or CFO. Use Info-Tech's Printer Reduction Tool to show executives the waste that is currently being generated.
    Printers are a sensitive and therefore unpopular topic of discussion. Executives often see a trade-off: cost savings versus end-user satisfaction. Make a strong financial and non-financial case for the project. Show examples of other organizations that have successfully consolidated their printers.

    Info-Tech Insight

    If printer reduction is not driven and enforced from the top down, employees will find ways to work around your policies and changes. Do not attempt to undertake printer reduction initiatives without alerting executives. Ensure visible executive support to achieve higher cost savings.

    Align the printer reduction project to org goals to achieve buy-in

    A successful IT project demonstrates clear connections to business goals

    Which business and organizational goals and drivers are supported by IT's intention to transform its printing ecosystem? For example,

    Legislation: In 2009, the Washington House of Representatives passed a bill requiring state agencies to implement a plan to reduce paper consumption by 30% (State of Washington, 2009). The University of Washington cites this directive as one of the drivers for their plans to switch fully to electronic records by 2022 (University of Washington, n.d.).

    Health care modernization: Implementing electronic health records; reducing paper charts.

    Supply chain risk reduction: In 2021, an Ontario district school board experienced photocopier toner shortages and were forced to request schools to reduce printing and photocopying: "We have recommended to all locations that the use of printing be minimized as much as possible and priority given to the printing of sensitive and confidential documentation" (CBC, 2021).

    Identify overall organizational goals in the following places:

    • Company mission statements
    • Corporate website
    • Business strategy documents
    • Other IT strategy documents
    • Executives

    Document financial and non-financial benefits

    Financial benefits: Printer reduction can reduce your printing costs and improve printing capabilities.

    • Printer reduction creates a controlled print environment; poorly controlled print environments breed unnecessary costs.
    • Cost savings can be realized through:
      • Elimination of cost-efficient inkjet desktop printers.
      • Elimination of high-cost, inefficient, or underutilized printers.
      • Sharing of workshop printers between an optimal number of end users.
      • Replacing separate printers, scanners, copiers, and fax machines with. multi-function devices.
    • Cost savings can be achieved through a move to managed print services, if you negotiate the contract well and manage the vendor properly. The University of Washington estimated a 20-25% cost reduction under a managed print services model compared to the existing lease (University of Washington, "What is MPS").

    Non-financial benefits: Although the main motivation behind printer reduction is usually cost savings, there are also non-financial benefits to the project.

    • Printer reduction decreases physical space required for printers
    • Printer reduction meets employee and client environmental demands
      • Printer reduction can reduce the electricity and consumables used
      • Reduction in consumables means reduced hazardous waste from consumables and devices
    • Printer reduction can result in better printing capabilities
      • Moving to a managed print services model can provide you with better printing capabilities with higher availability

    Assign responsibility to track print device costs to IT

    Problem:
    Managers in many organizations wrongly assume that since IT manages the printer devices, they also already manage costs.

    However, end users typically order printer devices and supplies through the supplies/facilities department, bypassing any budget approval process, or through IT, which does not have any authority or incentive to restrict requests (when they're not measured against the controlling of printer costs).

    Organization-wide printer usage policies are rarely enforced with any strictness.

    Without systematic policy enforcement, end-user print behavior becomes frivolous and generates massive printing costs.

    Solution:
    Recommend all print device costs be allocated to IT.

    • Aggregate responsibility: Recommend that all printer costs be aggregated under IT's budget and tracked by IT staff.
    • Assign accountability: Although supplies may continually be procured by the organization's supplies/facilities department, IT should track monthly usage and costs by department.
    • Enforce policy: Empower IT with the ability to enforce a strict procurement policy that ensures all devices in the print environment are approved models under IT's control. This eliminates having unknown devices in the printer fleet and allows for economies of scale to be realized from purchasing standardized printing supplies.
    • Track metrics: IT should establish metrics to measure and control each department's printer usage and flat departments that exceed their acceptable usage amounts.

    Assign accountability for the initiative

    Someone needs to have accountability for both the printer reduction tasks and the ongoing operation tasks, or the initiative will quickly lose momentum.

    Customize Info-Tech's Enterprise Printing Roles and Responsibilities RACI Guide RACI chart to designate project roles and responsibilities to participants both inside and outside IT.

    These tasks fall under the categories of:

    • Strategy and planning
    • Vendor selection, evaluation, and acquisition
    • Implementation
    • Operate

    Assign a RACI: Remember the meaning of the different roles

    • Responsible (does the work on a day-to-day basis)
    • Accountable (reviews, signs off on, and is held accountable for outcomes)
    • Consulted (input is sought to feed into decision making)
    • Informed (is given notification of outcomes)

    As a best practice, no more than one person should be responsible or accountable for any given process. The same person can be both responsible and accountable for a given process, or it could be two different people.

    Avoid making someone accountable for a process if they do not have full visibility into the process for appropriate oversight, or do not have time to give the process sufficient attention.

    The Enterprise Printing Roles and Responsibilities RACI Guide can be used to organize and manage these tasks.

    This is a screenshot from the Enterprise Printing Roles and Responsibilities RACI Guide

    Define metrics to measure success

    Track your project success by developing and tracking success metrics

    Ensure your metrics relate both to business value and customer satisfaction. "Reduction of print" is a business metric, not an experience metric.

    Frame metrics around experience level agreements (XLAs) and experience level objectives (XLOs): What are the outcomes the customer wants to achieve and the benefits they want to achieve? Tie the net promoter score into the reporting from the IT service management system, since SLAs are still needed to tactically manage the achievement of the XLOs.

    Use the Metrics Development Workbook from Info-Tech's Develop Meaningful Service Metrics to define:

    • Relevant stakeholders
    • Their goals and pain points
    • The success criteria that must be met to achieve these goals
    • The key indicators that must be measured to achieve these goals from an IT perspective
    • What the appropriate IT metrics are, based on all of the above

    Metrics could include

    • User satisfaction
    • Print services net promoter model
    • Total printing costs
    • Printer availability (uptime)
    • Printer reliability (mean time between failures)
    • Total number of reported incidents
    • Mean time for vendor to respond and repair

    Info-Tech Insight:

    Good metrics and visible improvement are important to strengthen executive support for a long-term printer reduction strategy.

    Step 1.2

    Assess current state

    Outcomes of this step

    • Aggregate view of your printer usage and costs

    Strategy and Planning

    This step involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Activities in this step

    • 1.2. Inventory your printer fleet: Office walk-around
    • 1.2 Inventory your printer fleet: Collect purchase receipts/statements/service records
    • 1.3 Calculate printing costs

    Create an aggregate view of your printer usage and costs

    Problem: Lack of visibility

    • Most organizations are unaware of the savings potential in reducing print due to a lack of data.
    • Additionally, organizations may have inappropriately sized devices for their workloads.
    • Often, nobody is responsible for managing the printers collectively, resulting in a lack of visibility into printing activity. Without this visibility, it is difficult to muster executive commitment and support for printer reduction efforts.
    • The first step to eliminating your printers is to inventory all the printers in the organization and look at an aggregate view of the costs. Without understanding the cost saving potential, management will likely continue to avoid printer changes due to the idea's unpopularity with end users.
    • Valid use cases for printers will likely still remain, but these use cases should be based on a requirements analysis.
    This is a screenshot from the Printer Reduction Tool. It includes the Printer Inventory, and a table with the following column headings: Device Type; Specific Device; Networked; Manufacturer; Model; Serial #; Office Location; Device Owner; # users Supported; Monthly Duty; Page Count to; Device Age; Remaining Useful; # Pages printer/month; % Utilization

    Create visibility through by following these steps:

    1. Office walk-around: Most organizations have no idea how many printers they have until they walk around the office and physically count them. This is especially true in cases where management is allowed to purchase personal printers and keep them at their desks. An office walk-around is often necessary to accurately capture all the printers in your inventory.
    2. Collect purchase receipts/statements/service records: Double-check your printer inventory by referring to purchase receipts, statements, and service records.
    3. Identify other sources of costs: Printer purchases only make up a small fraction of total printing costs. Operating costs typically account for 95% of total printer costs. Make sure to factor in paper, ink/toner, electricity, and maintenance costs.

    1.2.1 Inventory your printer fleet: part 1

    Office walk-around

    1. Methodically walk around the office and determine the following for each printer:
      • Device type
      • Make, model, serial number
      • Location
      • Number of users supported
      • Device owner
      • Type of users supported (department, employee position)
    2. Record printer details in Tab 1 of Info-Tech's Printer Reduction Tool. Collaborate with the accounting or purchasing department to determine the following for each printer recorded:
      • Purchase price/date
      • Monthly duty cycle
      • Estimated remaining useful life
      • Page count to date

    Input

    Output
    • Existing inventory lists
    • Visual observation
    • Inventory of office printers, including their printer details

    Materials

    Participants

    • Notepad
    • Pen
    • Printer Reduction Tool
    • IT director
    • IT staff

    Download the Printer Reduction Tool

    1.2.2 Inventory your printer fleet:
    part 2

    Collect purchase receipts/statements/service records

    1. Ask your purchasing manager for purchase receipts, statements, and service records relating to printing.
    2. For documents found, match the printer with your physical inventory. Add any printers found that were not captured in the physical inventory count. Record the following:
      1. Device type
      2. Make, model, serial number
      3. Location
      4. Number of users supported
      5. Device owner
      6. Type of users supported (department, employee position)
    3. 3. Collaborate with the accounting or purchasing department to determine the following for each printer recorded:
      1. Purchase price/date
      2. Monthly duty cycle
      3. Estimated remaining useful life
      4. Page count to date
    4. Enter the data in Tab 1 of the Printer Reduction Tool

    Input

    Output
    • Purchase receipts
    • Statements
    • Service records
    • Printer inventory cross-checked with paperwork

    Materials

    Participants

    • Printer inventory from previous activity
    • IT director
    • IT staff
    • Purchasing manager

    Download the Printer Reduction Tool

    1.2.3 Calculate your printing costs

    Collect purchase receipts/statements/service records

    • Collect invoices, receipts, and service records to sum up the costs of paper, ink or toner, and maintenance for each machine. Estimate electricity costs.
    • Record your costs in Tab 2 of the Printer Reduction Tool.
    • Review the costs per page and per user to look for particularly expensive printers and understand the main drivers of the cost.
    • Review your average monthly cost and annual cost per user. Do these costs surprise you?

    Input

    Output
    • Invoices, receipts, service records for
    • Cost per page and user
    • Average monthly and annual cost

    Materials

    Participants

    • Printer Reduction Tool
    • IT director
    • IT staff

    Step 1.3

    Gather printing requirements

    Outcomes of this step

    • Understanding of the organization's current printing behavior and habits
    • Identification of how industry context and digitization of business processes have impacted current and future requirements

    This step involves the following participants:

    • IT director
    • IT staff
    • Rest of organization

    Activities in this step

    • Examine current printing behavior and habits
    • Administer end-user survey
    • Identify current requirements
    • Identify future requirements

    Requirements Gathering Overview

    1. Identify opportunities to go paperless
      • Determine where business process automation is occurring
      • Align with environmental and sustainability campaigns
    2. Identify current requirements
      • Review the types of document being printed and the corresponding features needed
      • Administer end-user survey to understand user needs and current printer performance
    3. Identify future requirements
    • Identify future requirements to avoid prematurely refreshing your printer fleet
  • Examine industry-specific/ workflow printing
    • Some industries have specific printing requirements such as barcode printing accuracy. Examine your industry-specific printing requirements
  • Stop: Do not click "Print"

    The most effective way to achieve durable printing cost reduction is simply to print less.

    • Consolidating devices and removing cost-inefficient individual printers is a good first step to yielding savings.
    • However, more sustainable success is achieved by working with the printer vendor(s) and the business on continuous innovation via proposals and initiatives that combine hardware, software, and services.
    • Sustained print reduction depends on separate but related business process automation and digital innovation initiatives.

    Info-Tech Insight:

    Achieve long-lasting reductions in print through document management and improved workflow processes.

    Leverage Info-Tech research to support your business' digital transformation

    This is an image of the title page from Info-Tech's Define your Digital Business Strategy blueprint.

    Define how changes to enterprise printing fit into digital transformation plans

    Identify opportunities to go paperless

    The "paperless office" has been discussed since the 1970s. The IT director alone does not have authority to change business processes. Ensure the print reduction effort is tied to other strategies and initiatives around digital transformation. Working on analog pieces of paper is not digital and may be eroding digital transformation process.

    Leverage Info-Tech's Assert IT's Relevance During Digital Transformations to remind others that modernization of the enterprise print environment belongs to the discussion around increasing digitized support capabilities.

    1. Digital Marketing

    2. Digital Channels

    3. Digitized Support Capabilities

    4. Digitally Enabled Products

    5. Business Model Innovation

    Manage Websites

    E-Channel Operations

    Workforce Management

    Product Design

    Innovation Lab Management

    Brand Management

    Product Inventory Management

    Digital Workplace Management

    Portfolio Product Administration

    Data Sandbox Management

    SEO

    Interactive Help

    Document Management

    Product Performance Measurement

    Innovation Compensation Management

    Campaign Execution

    Party Authentication

    Eliminate business process friction caused by print

    Analyze workflows for where they are still using paper. Ask probing questions about where paper still adds value and where the business process is a candidate for paperless digital transformation

    • Is this piece of paper only being used to transfer information from one application to another?
    • What kind of digitalization efforts have happened in the business as a result of the COVID-19 pandemic? Which workflows have digitized on their own?
    • Where has e-signature been adopted?
    • Is this use of paper non-negotiable (e.g. an ER triage that requires a small printer for forms; the need for bank tellers to provide receipts to customers)?
    • Do we have compliance obligations that require us to retain a paper process?
    • What is getting printed? Who is printing the most? Identify if there are recurring system-generated reports being printed daily/weekly/quarterly that are adding to the volume. Are reports going directly from staff mailboxes to a recycling bin?
    • Does our print financial model incentivize the transformation of business processes, or does it reinforce old habits?
    • What services, software, and solutions for document management and business process analysis does our managed print services vendor offer? Can we involve the vendor in the business transformation conversation by including an innovation clause in the next contract (re)negotiation to push the vendor to offer proposals for projects that reduce print?

    Develop short-term and long-term print reduction strategies

    Short-term strategies

    • Consolidate the number of printers you have.
    • Determine whether to outsource printing to a managed services provider and make the move.
    • Enable print roaming and IT verification.
    • Require user-queued print jobs to be authenticated at a printer to prevent print jobs that are lost or not picked up.
    • Set up user quotas.
    • Provide usage records to business managers so they can understand the true cost of printing.
    • User quotas may create initial pushback, but they lead users to ask themselves whether a particular print job is necessary.
    • Renegotiate print service contracts.
    • Revisit contracts and shop around to ensure pricing is competitive.
    • Leverage size and centralization by consolidating to a single vendor, and use the printing needs of the entire enterprise to decrease pricing and limit future contractual obligations.
    • Train users on self-support.
    • Train users to remedy paper jams and move paper in and out of paper trays.

    Long-term strategies

    • Promote a paperless culture by convincing employees of its benefits (greater cost savings, better security, easier access, centralized repository, greener).
    • Educate users to use print area wisely.
    • Develop campaigns to promote black and white printing or a paperless culture.

    Info-Tech Insight:

    One-time consolidation initiatives leave money on the table. The extra savings results from changes in printing culture and end-user behavior.

    Examine current printing behavior and habits

    It's natural for printer usage and printing costs to vary based on office, department, and type of employee. Certain jobs simply require more printing than others.

    However, the printing culture within your organization likely also varies based on

    • office
    • department
    • type of employee

    Examine the printing behaviors of your employees based on these factors and determine whether their printing behavior aligns with the nature of their job.

    Excessive printing costs attributed to departments or groups of employees that don't require much printing for their jobs could indicate poor printing culture and potentially more employee pushback.

    Examine current printing behavior and habits, and identify candidates for elimination

    1. Go to Tab 3 of your Printer Reduction Tool ("Usage Dashboard Refresh"). Right-click each table and press "Refresh."
    2. Go to Tab 4 of your Printer Reduction Tool ("Usage Dashboard") to understand the following:
      1. Average printer utilization by department
      2. Pages printed per month by department
      3. Cost per user by department
    3. Take note of the outliers and expensive departments.
    4. Review printer inventory and printer use rates on Tab 5.
    5. Decide which printers are candidates for elimination and which require more research.
    6. If already working in a managed print services model, review the vendor's recommendations for printer elimination and consolidation.
    7. Mark printers that could be eliminated or consolidated.

    Input

    Output
    • Discussion
    • Understanding of expensive departments and other outliers

    Materials

    Participants

    • Printer Reduction Tool
    • IT director/ business operations
    • Business managers

    Administer end-user survey

    Understand end-user printing requirements and current printer performance through an end-user survey

    1. Customize Info-Tech's End-User Print Requirements Survey to help you understand your users' needs and the current performance of your printer fleet.
    2. Send the survey to all printer users in the organization.
    3. Collect the surveys and aggregate the requirements of users in each department.
    4. Record the survey results in the "Survey Results" tab.

    Input

    Output
    • End-user feedback
    • Identification of outliers and expensive departments

    Materials

    Participants

    • End-User Print Requirements Survey template
    • IT director
    • IT staff
    • Rest of organization

    Download the End-User Print Requirements Survey

    Info-Tech Insight:

    Use an end-user printer satisfaction survey before and after any reduction efforts or vendor implementation, both as a requirement-gathering user input and to measure/manage the vendor.

    Identify your current requirements

    Collect all the surveys and aggregate user requirements. Input the requirements into your Printer Reduction Tool.

    Discussion activity:

    • Review the requirements for each department and discuss:
    • What is this device being used for (e.g. internal documents, external documents, high-quality graphics/color)?
    • Based on its use case, what kinds of features are needed (e.g. color printing, scanning to email, stapling)?
    • Is this the right type of device for its purpose? Do we need this device, or can it be eliminated?
    • Based on its use case, what kinds of security features are needed (e.g. secure print release)?
    • Are there any compliance requirements that need to be satisfied (e.g. PCI, ITAR, HIPAA)?
    • Based on its use case, what's the criticality of uptime?
    • What is this device's place in the organization's workflow? What are its dependencies?
    • With which systems is the device compatible? Is it compatible with the newer operating system versions? If not, determine whether the device is a refresh candidate.

    Input

    Output
    • Survey results and department requirements
    • List of current requirements

    Materials

    Participants

    • N/A
    • IT director
    • IT staff

    Identify your future requirements

    Prepare your printer fleet for future needs to avoid premature printer refreshes.

    Discussion activity:

    • Review the current requirements for each department's printers and discuss whether the requirements will meet the department's printing needs over the next 10 years.
    • What is this device going to be used for in the next 10 years?
    • Will use of this device be reduced by plans to increase workflow digitization?
    • Based on its use case, what kinds of features are needed?
    • Is this the right type of device for its purpose?
    • Based on its use case, what kinds of security features are needed?
    • Based on its use case, what is the criticality of uptime?
    • Is this device's place in the organization's workflow going to change? What are its dependencies?
    • Reassess your current requirements and make any changes necessary to accommodate for future requirements.

    Input

    Output
    • Discussion
    • List of future requirements

    Materials

    Participants

    • N/A
    • IT director
    • IT staff

    Examine requirements specific to your industry and workflow

    Some common examples of industries with specific printing requirements:

    • Healthcare
      • Ability to comply with HIPAA requirements
      • High availability and reliability with on-demand support and quick response times
      • Built-in accounting software for billing purposes
      • Barcode printing for hospital wristbands
      • Fax requirements
    • Manufacturing
      • Barcoding technology
      • Ability to meet regulations such as FDA requirements for the pharmaceutical industry
      • Ability to integrate with ERP systems
    • Education
      • Password protection for sensitive student information
      • Test grading solutions
      • Paper tests for accessibility needs

    Phase 2

    Vendor Selection, Evaluation, Acquisition

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    • This phase will walk you through the following activities:
    • Define managed print services RFP requirement questions
    • Create managed print services RFP and scoring tool
    • Score the RFP responses

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Change your financial model

    The managed print services industry allows you to use a pay-as-you-go approach and right-size your print spend to the organization's needs.

    Avoid being locked into a long lease where the organization pays a fixed monthly fee whether the printer runs or not.

    Instead, treat enterprise printing as a service, like the soda pop machine in the break room, where the vendor is paid when the device is used. If the vending machine is broken, the vendor is not paid until the technician restores it to operability. Printers can work the same way.

    By moving to a per click/page financial model, the vendor installs and supports the devices and is paid whenever a user prints. Though the organization pays more on a per-click/page basis compared to a lease, the vendor is incentivized to right-size the printer footprint to the organization, and the organization saves on monthly recurring lease costs and maintenance costs.

    Right-size commitments: If the organization remains on a lease instead of pay-per-click model, it should right-size the commitment if printing drops below a certain volume. In the agreement, include a business downturn clause that allows the organization to right-size and protect itself in the event of negative growth.

    Understand the managed print services model and its cost savings

    Outsourcing print services can monitor and balance your printers and optimize your fleet for efficiency. Managed print services are most appropriate for:

    • Organizations engaging in high-volume, high-quality print jobs with growing levels of output.
    • Organizations with many customer-facing print jobs.

    There are three main managed printing service models. Sometimes, an easy switch from a level pay model to a pay-per-click model can result in substantial savings:

    Level Pay

    • Flat rate per month based on estimates.
    • Attempts to flatten IT's budgeting so printing costs are consistent every month or every year (for budgeting purposes). At the end of the year, the amount of supplies used is added up and compared with the initial estimates and adjusted accordingly.
    • The customer pays the same predictable fee each month every year, even if you don't meet the maximum print quantity for the pay. Increased upcharge for quantities exceeding maximum print quantity.

    Base Plus Click

    • Fixed base payment (lease or rental) + pay-per-sheet for services.
    • In addition to the monthly recurring base cost, you pay for what you use. This contract may be executed with or without a minimum monthly page commitment. Page count through remote monitoring technologies is typically required.

    Pay Per Click

    • Payment is solely based on printing usage.
    • Printing costs will likely be the lowest with this option, but also the most variable.
    • This option requires a minimum monthly page commitment and/or minimum term.

    Info-Tech Insight:

    Vendors typically do not like the pay-per-click option and will steer businesses away from it. However, this option holds the vendor accountable for the availability and reliability of your printers, and Info-Tech generally recommends this option.

    Compare financials of each managed print services option

    Your printing costs with a pay-per-click model are most reflective of your actual printer usage. Level pay tends to be more expensive, where you need to pay for overages but don't benefit from printing less than the maximum allocated.

    See the below cost comparison example with level pay set at a maximum of 120,000 impressions per month. In the level pay model, the organization was paying for 120,000 sheets in the month it only used 60,000 impressions, whereas it would have been able to pay just for the 60,000 sheets in the pay-per-click model.

    This image contains tables with the column headings: Impressions per month; Total Cost; Average Cost per Impression; for each of the following categories: Level Pay; Base Plus Click; Pay Per Click

    Financial comparison case study

    This organization compared estimated costs over a 36-month period for the base-plus-click and pay-per-page models for Toshiba E Studio 3515 AC Digital Color Systems.

    Base-plus-click model

    Monthly recurring cost

    Avg. impressions per month

    Monthly cost

    Monthly cost

    "Net pay per click"

    Cost over 36-month period

    A fixed lease cost each month, with an additional per click/page charge

    $924.00

    12,000 (B&W)

    $0.02 (B&W)

    $1,164.00 (B&W)

    $0.097 (B&W)

    $41,904 (B&W)

    5,500 (Color)

    $0.09 (Color)

    $495.00 (Color)

    $0.090 (Color)

    $17,820 (Color)

    Base-plus-click model

    Monthly recurring cost

    Avg. impressions per month

    Monthly cost

    Monthly cost

    "Net pay per click"

    Cost over 36-month period

    No monthly lease cost, only per-image charges

    0.00

    12,000 (B&W)

    $0.06 (B&W)

    $720.00 (B&W)

    $0.060 (B&W)

    $25,920 (B&W)

    5,500 (Color)

    $0.12 (Color)

    $660.00 (Color)

    $0.120 (Color)

    $23,760 (Color)

    Results

    Though the per-image cost for each image is lower in the base-plus-click model, the added monthly recurring costs for the lease means the "net pay per click" is higher.

    Overall, the pay-per-page estimate saved $10,044 over a 36-month period for this device.

    Bake continuing innovation into your requirements

    Once you are in the operation phase, you will need to monitor and analyze trends in company printing in order to make recommendations for the future and to identify areas for possible savings and/or asset optimization.

    Avoid a scenario where the vendor drops the printer in your environment and returns only for repairs. Engage the vendor in this continuous innovation work:

    In the managed services agreement, include a proviso for continuous innovation where the vendor has a contractual obligation to continually look at the business process flow and bring yearly proposals to show innovation (e.g. cost reductions; opportunities to reduce print, which allows the vendor to propose document management services and record keeping services). Leverage vendors who are building up capabilities to transform business processes to help with the heavy lifting.

    Establish a vision for the relationship that goes beyond devices and toner. The vendor can make a commitment to continuous management and constant improvement, instead of installing the devices and leaving. Ideally, this produces a mutually beneficial situation: The client asks the vendor to sell them ways to mature and innovate the business processes, while the vendor retains the business and potentially sells new services. In order to retain your business, the vendor must continue to learn and know about your business.

    The metric of success for your organization is the simple reduction in printed copies overall. The vendor success metric would be proposals that may combine hardware, software, and services that provide cost-effective reductions in print through document management and workflow processes. The vendors should be keen to build this into the relationship since the services delivery has a higher margin for them.

    Sample requirement wording:

    "Continuing innovation: The contractor initiates at least one (1) project each year of the contract that shows leadership and innovation in solutions and services for print, document management, and electronic recordkeeping. Bidders must describe a sample project in their response, planning for an annual investment of approximately 50 consulting hours and $10,000 in hardware and/or software."

    Reward the vendor for performance instead of "punishing" them for service failures

    Problem: Printer downtime and poor service is causing friction with your managed service provider (MSP).

    MSPs often offer clients credit requests (service credits) for their service failures, which are applied to the previous month's monthly recurring charge. They are applied to the last month's MRC (monthly reoccurring charges) at the end of term and then the vendor pays out the residual.

    However, while common, service credits are not always perceived to be a strong incentive for the provider to continually focus on improvement of mean time to respond or mean time to repair.

    Solution: Turn your vendor into a true partner by including an "earn back" condition in the contract.

    • Engage the vendor as a true partner within a relationship based upon service credits.
    • Suggest that the vendor include a minor change to the non-performance processes within the final agreement: the vendor implements an "earn back" condition in the agreement.
    • Where a bank of service credits exists because of non-performance, if the provider exceeds the SLA performance metrics for a number of consecutive months (two is common), then a given number of prior credits received by the client are returned to the provider as a reward for improved performance.
    • This can be a useful mechanism to drive improved performance.

    Leverage enterprise print management software

    Printers are commoditized and can come and go, but print management software enables the governance, compliance, savings and visibility necessary for the transformation

    • Printer management solutions range from tools bundled with ink-jet printers that track consumables' status, to software suites that track data for thousands of print devices.
    • Typically, these solutions arrive in enterprises as part of larger managed services printing engagements, bundled with hardware, financing, maintenance, and "services."
    • Bundling print management software means that customers very rarely seek to acquire printing management software alone.
    • Owing to the level of customization (billing, reporting, quotas, accounts, etc.) switching print management software solutions is also rare. The work you put into this software will remain with IT regardless of your hardware.
    • Durability of print management software is also influenced by the hardware- and technology-agnostic nature of the solutions (e.g. swapping one vendor's devices for another does not trigger anything more than a configuration change in print management software.)

    Include enterprise print management requirements in the RFP

    Ask respondents to describe their managed services capabilities and an optional on-premises, financed solution with these high-level capabilities.

    Select the appropriate type of print management software

    Vendor-provided solutions are adequate control for small organizations with simple print environments

    • Suitable for small organizations (<100 users).
    • Software included with print devices can pool print jobs, secure access, and centralize job administration.
    • Dealing with complex sales channels for third-party vendors is likely a waste of resources.

    SMBs with greater print control needs can leverage mid-level solutions to manage behavior

    • Suitable for mid-size organizations (<500 users).
    • Mid-level software can track costs, generate reports, and centralize management.
    • Solutions start at $500 but require additional per-device costs.

    Full control solutions will only attract large organizations with a mature print strategy

    • Full control solutions tend to be suitable for large organizations (>500 users) with complex print environments and advanced needs.
    • Full control software allows for absolute enforcement of printing policies and full control of printing.
    • Expect to spend thousands for a tailored solution that will save time and guide cost savings.

    Enterprise print management software features

    The feature set for these tools is long and comprehensive. The feature list below is not exhaustive, as specific tools may have additional product capabilities.

    Print Management Software Features

    Hardware-neutral support of all major printer types and operating systems (e.g. direct IP to any IPP-enabled printer along with typical endpoint devices) Tracking of all printing activity by user, client account, printer, and document metadata
    Secure print on demand (Secure print controls: User Authenticated Print Release, Pull Printing) Granular print cost/charging, allowing costs to be assigned on a per-printer basis with advanced options to charge different amounts based on document type (e.g. color, grayscale or duplex), page size, user or group
    Managed and secured mobile printing (iOS/Android), BYOD, and guest printing DaaS/VDI print support
    Printer installation discovery/enablement, device inventory/management Auditing/reporting, print audit trail using document attributes to manage costs/savings, enforce security and compliance with regulations and policies
    Monitoring print devices, print queues, provide notification of conditions Watermarking and/or timestamping to ensure integrity and confidentially/classification of printed documents some solutions support micro font adding print date, time, user id and other metadata values discreetly to a page preventing data leakage
    Active Directory integration or synchronization with LDAP user accounts Per-user quotas or group account budgets
    Ability to govern default print settings policies (B&W, double-sided, no color, etc.)

    Get to the managed print services RFP quicker

    Jumpstart your requirements process using these tools and exercises

    Vendor Assessment Questions

    Use Info-Tech's catalog of commonly used questions and requirements in successful acquisition processes for managed print services. Ask the right questions to secure an agreement that meets your needs. If you are already in a contract with managed print services, take the opportunity of contract renewal to improve the contract and service.

    RFP Template and "Schedule 1" Attachment

    Add your finalized assessment questions into this table, which you will attach to your RFP. The vendor answers questions in this "Schedule 1" attachment and returns it to you.

    RFP Scoring Tool

    Aggregate the RFP responses into this scoring tool to identify the frontrunners and candidates for elimination. Since the vendors are asked to respond in a standard format, it is easier to bring together all the responses to create a complete view of your options.

    Define RFP requirement questions

    Include the right requirements for your organization, and avoid leaving out important requirements that might have been overlooked.

    1. Download the Managed Print Services Vendor Assessment Questions tool. Use this document as a "shopping list" to jumpstart an initial draft of the RFP and, more importantly, scoring requirements.
    2. Review the questions in the context of your near- and long-term printer outsourcing needs. Consider your environment, your requirements, and goals. Include other viewpoints from the RACI chart from Phase 1.
    3. Place an 'X' in the first column to retain the question. Edit the wording of the question if required, based on your organizational needs.
    4. Use the second column to indicate which section of the RFP to include the question in.

    Input

    Output
    • Requirements from Phase 1.3
    • Completed list of requirement questions

    Materials

    Participants

    • Managed Print Services Vendor Assessment Questions tool
    • IT director/business operations
    • Other roles from the RACI chart completed in Phase 1

    Download the Managed Print Services Vendor Assessment Questions tool

    Create RFP scoring tool and RFP

    1. Enter the requirements questions into the scoring tool on Tabs 2 and 4.
    2. Tab 2: Create scoring column for each vendor. You will paste in their responses here.
    3. Edit Tabs 3 and 4 so they align with what you want the vendor to see. Copy and paste Tab 3 and Tab 4 into a new document, which will serve as a "Schedule 1" attachment to the RFP package the vendor receives.
    4. Complete the RFP template. Describe your current state and current printer hardware (documented in the earlier current-state assessment). Explain the rules of how to respond and how to fill out the Schedule 1 document. Instruct each vendor to fill in their responses to each question along with any notes, and to reply with a zip file that includes the completed RFP package along with any marketing material needed to support their response.
    5. Send a copy of the RFP and Schedule 1 to each vendor under consideration.

    Input

    Output
    • Completed list of requirement questions from previous activity
    • RFP Scoring tool
    • Completed RFP and schedule 1 attachment

    Materials

    Participants

    • Managed Print Services RFP Vendor Proposal Scoring Tool
    • Managed Print Services RFP
    • IT director/business operations

    Download the Managed Print Services RFP Vendor Proposal Scoring Tool

    Download the Managed Print Services RFP template

    Score RFP responses

    1. When the responses are returned, copy and paste each vendor's results from Schedule 1 into Tab 2 of the main scoring tool.
    2. Evaluate each RFP response against the RFP criteria based on the scoring scale.
    3. Send the completed scoring tool to the CIO.
    4. Set up a meeting to discuss the scores and generate shortlist of vendors.
    5. Conduct further interviews with shortlisted vendors for due diligence, pricing, and negotiation discussions.
    6. Once a vendor is selected, review the SLAs and contract and develop a transition plan.

    Input

    Output
    • Completed Managed Print Services RFP Vendor Proposal Scoring Tool
    • Shortlist or final decision on vendor

    Materials

    Participants

    • N/A
    • IT director/business operations

    Info-Tech Insight:

    The responses from the low-scoring vendors still have value: these providers will likely provide ideas that you can then leverage with your frontrunner, even if their overall proposal did not score highly.

    Phase 3

    Implementation & Operation

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    This phase will walk you through the following activities:

    • Update your enterprise printer policies
    • Readminister end-user survey to measure project success

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Modify your printer policies

    Review and modify Info-Tech's Printer Policy Template to support your print reduction goals

    Consider that your goal is to achieve printer reduction. Discuss with your team how strict it needs to be to truly reset behavior with printers. Many organizations struggle with policy enforcement. Firm language in the policy may be required to achieve this goal. For example,

    • IT only supports the printers acquired through the managed print service. Personal desktop printers are not supported by IT. Expense statements will not be accepted for non-supported printers.
    • Create a procurement policy where all device requests need justification and approval by department managers and IT. Have a debate over what the extreme exceptions would be. Legitimate exceptions must go through a review and approval process.
    • Restrict color printing to external or customer-facing use cases.
    • Encourage digital or electronic solutions in lieu of hard copies (e.g. e-signatures and approval workflows; scanning; use of integrated enterprise applications like SharePoint).
    This is a screenshot of the Printer Policy Page Template

    Download the Printer Policy template

    Readminister the end-user survey

    You have already run this survey during the requirements-gathering phase. Run it again to measure success.

    The survey was run once prior to the changes being implemented to establish a baseline of user satisfaction and to gain insights into additional requirements.

    Several months after the initial rollout (90 days is typical to let the dust settle), resurvey the end users and publish or report to the administration success metrics (the current costs vs. the actual costs prior to the change).

    User satisfaction survey can be used to manage the vendor, especially if the users are less happy after the vendor touched their environment. Use this feedback to hold the provider to account for improvement.

    Input

    Output
    • Previous survey results
    • Changes to baseline satisfaction metrics

    Materials

    Participants

    • End-user survey from Phase 1
    • IT director
    • IT staff
    • Rest of organization

    Measure project success

    Revisit the pre-project metrics and goals and compare with your current metrics

    • Identify printers to consolidate or eliminate.
    • Update asset management system (enter software and hardware serial numbers or identification tags into configuration management system).
    • Reallocate/install printers across the organization.
    • Develop ongoing printer usage and cost reports for each department.
    • Review the end-user survey and compare against baseline.
    • Operate, validate, and distribute usage metrics/chargeback to stakeholders.
    • Audit and report on environmental performance and sustainability performance to internal and external bodies, as required.
    • Write and manage knowledgebase articles.
    • Monitor and analyze trends in company printing in order to make recommendations for the future and to identify areas for possible savings and/or asset optimization.

    Metrics could include

    • User satisfaction
    • Print services net promoter model
    • Total printing costs
    • Printer availability (uptime)
    • Printer reliability (mean time between failures)
    • Total number of reported incidents
    • Mean time for vendor to respond and repair

    Support training and adoption

    Train users on self-support

    Prepare troubleshooting guides and step-by-step visual aid posters for the print areas that guide users to print, release, and find their print jobs and fix common incidents on their own. These may include:

    • The name of this printer location and the names of the others on that floor.
    • How to enter a PIN to release a print job.
    • How to fix a paper jam.
    • How to empty the paper tray.
    • How to log a service ticket if all other steps are exhausted.

    Educate users to use print area wisely

    • Inform users what to do if other print jobs appear to be left behind in the printer area.
    • Display guidelines on printer location alternatives in case of a long line.
    • Display suggestions on maximum recommended time to spend on a job in the event other users are waiting.

    Develop campaign to promote paperless culture

    Ensure business leadership and end users remain committed to thinking before they print.

    • Help your users avoid backsliding by soliciting feedback on the new printer areas.
    • Ensure timely escalation of service tickets to the vendor.
    • Support efforts by the business to seek out business process modernization opportunities whenever possible.

    Plan persuasive communication strategies

    Identify cost-saving opportunities and minimize complaints through persuasive communication

    Solicit the input of end users through surveys and review comments.

    Common complaints Response

    Consider the input of end users when making elimination and consolidation decisions and communicate IT's justification for each end user's argument to keep their desktop printers.

    "I don't trust network storage. I want physical copies." Explain the security and benefits of content management systems.
    "I use my desktop a lot. I need it." Explain the cost benefits of printing on cheaper network MFPs, especially if they print in large quantities.
    "I don't use it a lot, so it's not costly." It's a waste of money to maintain and power underused devices.
    "I need security and confidentiality." MFPs have biometric and password-release functions, which add an increased layer of security.
    "I need to be able to print from home." Print drivers and networked home printers can be insecure devices and attack vectors.
    "I don't have time to wait." Print jobs in queue can be released when users are at the device.
    "I don't want to walk that far." Tell the end user how many feet the device will be within (e.g. 50 feet). It is not usually very far.

    Implement a continual improvement plan to achieve long-term enterprise print goals

    Implement a continual improvement plan for enterprise printing:

    • Develop a vendor management plan:
      • In order to govern SLAs and manage the vendor, ensure that you can track printer-related tickets even if the device is now supported by managed print services.
      • Ensure that printer service tickets sent from the device to the vendor are also reconciled in your ITSM tool. Require the MSP to e-bond the ticket created within their own device and ticketing system back to you so you can track it in your own ITSM tool.
      • Every two months, validate service credits that can be returned to the vendor for exceeding SLA performance metrics.
      • Monitor the impact of their digital transformation strategies. Develop a cadence to review the vendor's suggestions for innovation opportunities.
    • Operate, validate, and distribute usage and experience metrics/chargeback to stakeholders.
    • Monitor and analyze trends in company printing.
    This is a graph which demonstrates the process of continual improvement through Standardization. It depicts a graph with Time as the X axis, and Quality Management as the Y axis. A grey circle with the words: ACT; PLAN; CHECK; DO, moving from the lower left part of the graph to the upper right, showing that standardization improves Quality Management.

    Summary of Accomplishment

    Problem Solved

    You have now re-envisioned your enterprise print environment by documenting your current printer inventory and current cost and usage. You also have hard inventory and usage data benchmarks that you can use to measure the success of future initiatives around digitalization, going paperless, and reducing print cost.

    You have also developed a plan to go to market and become a consumer of managed print services, rather than a provider yourself. You have established a reusable RFP and requirements framework to engage a managed print services vendor who will work with you to support your continuous improvement plans.

    Return to the deliverables and advice in this blueprint to reinforce the organization's message to end users on when, where, and how to print. Ideally, this project has helped you go beyond a printer refresh – but rather served as a means to change the printing culture at your organization.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Bibliography

    Fernandes, Louella. "Quocirca Managed Services Print Market, 2021." Quocirca, 25 Mar. 2021. Accessed 12 Oct. 2021.

    McInnes, Angela. "No More Photocopies, No More Ink: Thames Valley Schools Run Out of Toner." CBC, 21 Oct. 2021. Web.

    "Paper and Paperboard: Material-Specific Data." EPA, 15 Dec. 2020. Accessed 15 Oct. 2021.

    State of Washington, House of Representatives. "State Agencies – Paper Conservation and Recycling." 61st Legislature, Substitute House Bill 2287, Passed 20 April 2009.

    Sugihara, Azusa. "Pandemic Shreds Office Paper Demand as Global Telework Unfolds." Nikkei Asia, 18 July 2020. Accessed 29 Sept. 2021.

    "Paper Reduction." University of Washington, n.d. Accessed 28 Oct. 2021.

    "What is MPS?" University of Washington, n.d. Accessed 16 Mar. 2022.

    Research contributors

    Jarrod Brumm
    Senior Digital Transformation Consultant

    Jacques Lirette
    President, Ditech Testing

    3 anonymous contributors

    Info-Tech Research Group Experts

    Allison Kinnaird, Research Director & Research Lead
    Frank Trovato, Research Director

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    • Buy Link or Shortcode: {j2store}593|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Managers are responsible for driving the best performance out of their staff while still developing individuals professionally.
    • Micromanaging tasks is an ineffective, inefficient way to get things done and keep employees engaged at the same time.
    • Both managers and employees view goal setting as a cumbersome process that never materializes in day-to-day work.
    • Without a consistent and agile goal-setting environment that pervades every day, managers risk low productivity and disengaged employees.

    Our Advice

    Critical Insight

    • Effective performance management occurs throughout the year, on a daily and weekly basis, not just at annual performance review time. Managers must embrace this reality and get into the habit of setting agile short-term goals to drive productivity.
    • Employee empowerment is one of the most significant contributors to employee engagement, which is a proven performance driver. Short-term goal setting, which is ultimately employee-owned, develops and nurtures a strong sense of employee empowerment.
    • Micromanaging employee tasks will get managers nowhere quickly. Putting in the effort to collaboratively define goals that benefit both the organization and the employee will pay off in the long run.
    • Goal setting should not be a cumbersome activity, but an agile, rolling habit that ensures employees are focused, supported, and given appropriate feedback to continue to drive performance.

    Impact and Result

    • Managers who have daily meetings to set goals are 17% more successful in terms of employee performance than managers who set goals annually.
    • Managers must be agile goal-setting role models, or risk over a third of their staff being confused about productivity expectations.
    • Managers that allow tracking of goals to be an inhibitor to goal setting are most likely to have a negative effect on employee performance success. In fact, tracking goals should not be a priority in the short-term.

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn the agile, short-term goal-setting process

    Implement agile goal setting with your team right away and drive performance.

    • Storyboard: Leverage Agile Goal Setting for Improved Employee Engagement & Performance
    [infographic]

    Security Priorities 2022

    • Buy Link or Shortcode: {j2store}244|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Ransomware activities and the cost of breaches are on the rise.
    • Cybersecurity talent is hard to find, and an increasing number of cybersecurity professionals are considering leaving their jobs.
    • Moving to the digital world increases the risk of a breach.

    Our Advice

    Critical Insight

    • The pandemic has fundamentally changed the technology landscape. Security programs must understand how their threat surface is now different and adapt their controls to meet the challenge.
    • The upside to the upheaval in 2021 is new opportunities to modernize your security program.

    Impact and Result

    • Use the report to ensure your plan in 2022 addresses what’s important in cybersecurity.
    • Understand the current situation in the cybersecurity space.

    Security Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2022 – A report that describes priorities and recommendations for CISOs in 2022.

    Use this report to understand the current situation in the cybersecurity space and inform your plan for 2022. This report includes sections on protecting against and responding to ransomware, acquiring and retaining talent, securing a remote workforce, securing digital transformation, and adopting zero trust.

    • Security Priorities for 2022 Report

    Infographic

    Further reading

    Security Priorities 2022

    The pandemic has changed how we work

    disruptions to the way we work caused by the pandemic are here to stay.

    The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.

    People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.

    Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)

    The cost of a security breach is rising steeply

    The shift to remote work exposes organizations to more costly cyber incidents than ever before.

    $4.24 million

    Average cost of a data breach in 2021
    The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.

    $1.07 million

    More costly when remote work involved in the breach

    The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved.

    The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events. (Source: IBM, 2021)

    Remote work is here to stay, and the cost of a breach is higher when remote work is involved.

    The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)

    Security teams can participate in the solution

    The numbers are clear: in 2022, when we face a threat environment like WE’VE never EXPERIENCED before, good security is worth the investment

    $1.76 million

    Saved when zero trust is deployed facing a breach

    Zero trust controls are realistic and effective controls.

    Organizations that implement zero trust dramatically reduce the cost of an adverse security event.

    35%

    More costly if it takes more than 200 days to identify and contain a breach

    With increased BYOD and remote work, detection and response is more challenging than ever before – but it is also highly effective.

    Organizations that detect and respond to incidents quickly will significantly reduce the impact. (Source: IBM, 2021)

    Breaches are 34% less costly when mature zero trust is implemented.

    A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)

    Top security priorities and constraints in 2022

    Survey results

    As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:

    Top Priorities
    A list of the top three priorities identified in the survey with their respective percentages, 'Acquiring and retaining talent, 30%', 'Protecting against and responding to ransomware, 23%', and 'Securing a remote workforce, 23%'.

    Survey respondents were asked to force-rank their security priorities.

    Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

    Top Obstacles
    A list of the top three obstacles identified in the survey with their respective percentages, 'Staffing constraints, 31%', 'Demand of ever-changing business environment, 23%', and 'Budget constraints, 15%'.

    Talent management is both the #1 priority and the top obstacle facing security leaders in 2022.

    Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.

    We know the priorities…

    But what are security leaders actually working on?

    This report details what we see the world demanding of security leaders in the coming year.

    Setting aside the demands – what are security leaders actually working on?

    A list of 'Top security topics among Info-Tech members' with accompanying bars, 'Security Strategy', 'Security Policies', 'Security Operations', 'Security Governance', and 'Security Incident Response'.

    Many organizations are still mastering the foundations of a mature cybersecurity program.

    This is a good idea!

    Most breaches are still due to gaps in foundational security, not lack of advanced controls.

    We know the priorities…

    But what are security leaders actually working on?

    A list of industries with accompanying bars representing their demand for security. The only industry with a significant positive percentage is 'Government'. Security projects included in annual plan relative to industry.

    One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets.

    Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.

    5 Security Priorities for 2022 Logo for Info-Tech. Logo for ITRG.

    People

    1. Acquiring and Retaining Talent
      Create a good working environment for existing and potential employees. Invest time and effort into talent issues to avoid being understaffed.
    2. Securing a Remote Workforce
      Create a secure environment for users and help your people build safe habits while working remotely.

    Process

    1. Securing Digital Transformation
      Build in security from the start and check in frequently to create agile and secure user experiences.

    Technology

    1. Adopting Zero Trust
      Manage access of sensitive information based on the principle of least privilege.
    2. Protecting Against and Responding to Ransomware
      Put in your best effort to build defenses but also prepare for a breach and know how to recover.

    Main Influencing Factors

    COVID-19 Pandemic
    The pandemic has changed the way we interact with technology. Organizations are universally adapting their business and technology processes to fit the post-pandemic paradigm.
    Rampant Cybercrime Activity
    By nearly every conceivable metric, cybercrime is way up in the past two years. Cybercriminals smell blood and pose a more salient threat than before. Higher standards of cybersecurity capability are required to respond to this higher level of threat.
    Remote Work and Workforce Reallocation
    Talented IT staff across the globe enabled an extraordinarily fast shift to remote and distance work. We must now reckon with the security and human resourcing implications of this huge shift.

    Acquire and Retain Talent

    Priority 01

    Security talent was in short supply before the pandemic, and it's even worse now.

    Executive summary

    Background

    Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.

    The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.

    The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.

    Current situation

    • A 2021 survey by ESG shows that 76% of security professional agree it’s difficult to recruit talent, and 57% said their organization is affected by this talent shortage.
    • (ISC)2 reports there are 2.72 million unfilled job openings and an increasing workforce gap (2021).

    2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)

    IT leaders must do more to attract and retain talent in 2022

    • Over 70% of IT professionals are considering quitting their jobs (TalentLMS, 2021). Meanwhile, 51% of surveyed cybersecurity professionals report extreme burnout during the last 12 months and many of them have considered quitting because of it (VMWare, 2021).
    • Working remotely makes it easier for people to look elsewhere, lowering the barrier to leaving.
    • This is a big problem for security leaders, as cybersecurity talent is in very short supply. The cost of acquiring and retaining quality cybersecurity staff in 2022 is significant, and many organizations are unwilling or unable to pay the premium.
    • Top talent will demand flexible working conditions – even though remote work comes with security risk.
    • Most smart, talented new hires in 2022 are demanding to work remotely most of the time.
    Top reasons for resignations in 2021
    Burnout 30%
    Other remote opportunities 20%
    Lack of growth opportunities 20%
    Poor culture 20%
    Acquisition concerns 10%
    (Source: Survey of West Coast US cybersecurity professionals; TechBeacon, 2021)

    Talent will be 2022’s #1 strength and #1 weakness

    Staffing obstacles in 2022:

    “Attracting and retaining talent is always challenging. We don’t pay as well and my org wants staff in the office at least half of the time. Most young, smart, talented new hires want to work remotely 100 percent of the time.“

    “Trying to grow internal resources into security roles.”

    “Remote work expectations by employees and refusal by business to accommodate.”

    “Biggest obstacle: payscales that are out of touch with cybersecurity market.”

    “Request additional staff. Obtaining funding for additional position is most significant obstacle.”

    (Info-Tech Tech Security Priorities Survey 2022)
    Top obstacles in 2022:

    As you can see, respondents to our security priorities survey have strong feelings on the challenges of staffing a cybersecurity team.

    The growth of remote work means local talent can now be hired by anybody, vastly increasing your competition as an employer.

    Hiring local will get tougher – but so will hiring abroad. People who don’t want to relocate for a new job now have plenty of alternatives. Without a compelling remote work option, you will find non-local prospects unwilling to move for a new job.

    Lastly, many organizations are still reeling at the cost of experienced cybersecurity talent. Focused internal training and development will be the answer for many organizations.

    Recommended Actions

    Provide career development opportunities

    Many security professionals are dissatisfied with their unclear career development paths. To improve retention, organizations should provide their staff with opportunities and clear paths for career and skills advancement.

    Be open-minded when hiring

    To broaden the candidate pool, organizations should be open-minded when considering who to hire.

    • Enable remote work.
    • Do not fixate on certificates and years of experience; rather, be open to developing those who have the right interest and ability.
    • Consider using freelance workers.
    Facilitate work-life balance

    Many security professionals say they experience burnout. Promoting work-life balance in your organization can help retain critical skills.

    Create inclusive environment

    Hire a diverse team and create an inclusive environment where they can thrive.

    Talent acquisition and retention plan

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Address a top priority and a top obstacle with a plan to attract and retain top organizational and cybersecurity talent.

    Initiative Description:

    • Provide secure remote work capabilities for staff.
    • Work with HR to refine a hiring plan that addresses geographical and compensation gaps with cybersecurity and general staff.
    • Survey staff engagement to identify points of friction and remediate where needed.
    • Define a career path and growth plan for staff.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.
    Reduction in costs due to turnover and talent loss

    Other Expected Business Benefits:

    Arrow pointing up.
    Productivity due to good morale/ engagement
    Arrow pointing up.
    Improved corporate culture
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Big organizational and cultural changes
    • Increased attack surface of remote/hybrid workforce

    Related Info-Tech Research:

    Secure a Remote Workforce

    Priority 02

    Trends suggest remote work is here to stay. Addressing the risk of insecure endpoints can no longer be deferred.

    Executive summary

    Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.

    In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.

    Current situation

    • 70% of workers in technical services work from home.
    • Employees of larger firms and highly paid individuals are more likely to be working outside the office.
    • 80% of security and business leaders find that remote work has increased the risk of a breach.
    • (Source: StatCan, 2021)

    70% of tech workers work from home (Source: Statcan, 2021)

    Remote work demands new security solutions

    The security perimeter is finally gone

    The data is outside the datacenter.
    The users are outside the office.
    The endpoints are … anywhere and everywhere.

    Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021).

    In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce.

    Security
    • Distributed denial of service
    • DNS hijacking
    • Weak VPN protocols
    Identity
    • One-time verification allowing lateral movement
    Colorful tiles representing the surrounding security solutions. Network
    • Risk perimeter stops at corporate network edge
    • Split tunneling
    Authentication
    • Weak authentication
    • Weak password
    Access
    • Man-in-the-middle attack
    • Cross-site scripting
    • Session hijacking

    Recommended Actions

    Mature your identity management

    Compromised identity is the main vector to breaches in recent years. Stale accounts, contractor accounts, misalignment between HR and IT – the lack of foundational practices leads to headline-making breaches every week.
    Tighten up identity control to keep your organization out of the newspaper.

    Get a handle on your endpoints

    Work-from-home (WFH) often means unknown endpoints on unknown networks full of other unknown devices…and others in the home potentially using the workstation for non-work purposes. Gaining visibility into your endpoints can help to keep detection and resolution times short.

    Educate users

    Educate everyone on security best practices when working remotely:

    • Apply secure settings (not just defaults) to the home network.
    • Use strong passwords.
    • Identify suspicious email.
    Ease of use

    Many workers complain that the corporate technology solution makes it difficult to get their work done.

    Employees will take productivity over security if we force them to choose, so IT needs to listen to end users’ needs and provide a solution that is nimble and secure.

    Roadmap to securing remote/hybrid workforce

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    The corporate network now extends to the internet – ensure your security plan has you covered.

    Initiative Description:

    • Reassess enterprise security strategy to include the WFH attack surface (especially endpoint visibility).
    • Ensure authentication requirements for remote workers are sufficient (e.g. MFA, strong passwords, hardware tokens for high-risk users/connections).
    • Assess the value of zero trust networking to minimize the blast radius in the case of a breach.
    • Perform penetration testing annually.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.


    Reduced cost of security incidents/reputational damage

    Other Expected Business Benefits:

    Arrow pointing up.
    Improved ability to attract and retain talent
    Arrow pointing up.
    Increased business adaptability
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential disruption to traditional working patterns
    • Cost of investing in WFH versus risk of BYOD

    Related Info-Tech Research:

    Secure Digital Transformation

    Priority 03

    Digital transformation could be a competitive advantage…or the cause of your next data breach.

    Executive summary

    Background

    Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”

    We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.

    Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.

    Insight

    There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.

    $1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)

    An ounce of security prevention versus a pound of cure

    The journey of digital transformation is a risky one.

    Digital transformations often rely heavily on third-party cloud service providers, which increases exposure of corporate data.

    Further, adoption of new technology creates a new threat surface that must be assessed, mitigations implemented, and visibility established to measure performance.

    However, digital transformations are often run on slim budgets and without expert guidance.

    Survey respondents report as much: rushed deployments, increased cloud migration, and shadow IT are the top vulnerabilities reported by security leaders and executives.

    In a 2020 Ponemon survey, 82% of IT security and C-level executives reported experiencing at least one data breach directly resulting from a digital transformation they had undergone.

    Scope creep is inevitable on any large project like a digital transformation. A small security shortcut early in the project can have dire consequences when it grows to affect personal data and critical systems down the road.

    Recommended Actions

    Engage the business early and often

    Despite the risks, organizations engage in digital transformations because they also have huge business value.

    Security leaders should not be seeking to slow or stop digital transformations; rather, we should be engaging with the business early to get ahead of risks and enable successful transformation.

    Establish a vendor security program

    Data is moving out of datacenters and onto third-party environments. Without security requirements built into agreements, and clear visibility into vendor security capabilities, that data is a major source of risk.

    A robust vendor security program will create assurance early in the process and help to reinforce the responsibility of securing data with other parts of the organization.

    Build/revisit your security strategy

    The threat surface has changed since before your transformation. This is the right time to revisit or rebuild your security strategy to ensure that your control set is present throughout the new environment – and also a great opportunity to show how your current security investments are helping secure your new digital lines of business!

    Educate your key players

    Only 16% of security leaders and executives report alignment between security and business processes during digital transformation.

    If security is too low a priority, then key players in your transformation efforts are likely unaware of how security risks impact their own success. It will be incumbent upon the CISO to start that conversation.

    Securing digital transformation

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Ensure your investment in digital transformation is appropriately secured.

    Initiative Description:

    • Engage security with digital transformation and relevant governance structures (steering committees) to ensure security considerations are built into digital transformation planning.
    • Incorporate security stage gates in project management procedures.
    • Establish a vendor security assessment program.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased likelihood of digital transformation success

    Other Expected Business Benefits:

    Arrow pointing up.
    Ability to make informed decisions for the field rep strategy
    Arrow pointing down.
    Reduced long-term cost of digital transformation
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential increased up front cost (reduced long-term cost)
    • Potential slowed implementation with security stage gates in project management

    Related Info-Tech Research:

    Adopt Zero Trust

    Priority 04

    Governments are recognizing the importance of zero trust strategies. So should your organization.

    Why now for zero trust?

    John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).

    Why such little action on a revolutionary and compelling model?

    Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:

    • Securing technology has become very hard! The size, complexity, and attack surface of IT environments has grown significantly – especially since the pandemic.
    • Cyberattacks have become rampant as the cost to deploy harmful ransomware has become lower and the impact has become higher.
    • The shift away from on-premises datacenters and offices created an opening for zero trust investment, and zero trust technology is more mature than ever before.

    The time has come for zero trust adoption to begin in earnest.

    97% will maintain or increase zero trust budget (Source: Statista, 2022)

    Traditional perimeter security is not working

    Zero trust directly addresses the most prevalent attack vectors today

    A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.

    What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).

    Top reasons for building a zero trust program in 2022

    (Source: iSMG, 2022)

    44%

    Enforce least privilege access to critical resources

    44%

    Reduce attacker ability to move laterally

    41%

    Reduce enterprise attack surface

    The business case for zero trust is clearer than ever

    Prior obstacles to Zero Trust are disappearing

    A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:

    The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.

    In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.

    Bar chart titled 'Cost to remediate a Ransomware attack' with bars representing the years '2021' and '2020'. 2021's cost sits around $1.8M while 2020's was only $750K The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)

    The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.

    That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)

    Recommended Actions

    Start small

    Don’t put all your eggs in one basket by deploying zero trust in a wide swath. Rather, start as small as possible to allow for growing pains without creating business friction (or sinking your project altogether).

    Build a sensible roadmap

    Zero trust principles can be applied in a myriad of ways, so where should you start? Between identities, devices, networking, and data, decide on a use case to do pilot testing and then refine your approach.

    Beware too-good-to-be-true products

    Zero trust is a powerful buzzword, and vendors know it.

    Be skeptical and do your due diligence to ensure your new security partners in zero trust are delivering what you need.

    Zero trust roadmap

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Develop a practical roadmap that shows the business value of security investment.

    Initiative Description:

    • Define desired business and security outcomes from zero trust adoption.
    • Assess zero trust readiness.
    • Build roadmaps for zero trust:
      1. Identity
      2. Networking
      3. Devices
      4. Data
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased security posture and business agility

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced impact of security events
    Arrow pointing down.
    Reduced cost of managing complex control set
    Arrow pointing up.
    More secure business transformation (i.e. cloud/digital)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Learning curve of implementation (start small and slow)
    • Transition from current control set to zero trust model

    Related Info-Tech Research:

    Protect Against and Respond to Ransomware

    Priority 05

    Ransomware is still the #1 threat to the safety of your data.

    Executive summary

    Background

    • Ransomware attacks have transformed in 2021 and show no sign of slowing in 2022. There is a new major security breach every week, despite organizations spending over $150 billion in a year on cybersecurity (Nasdaq, 2021).
    • Ransomware as a service (RaaS) is commonplace, and attackers are doubling down by holding encrypted data ransom and also demanding payment under threat to disclose exfiltrated data – and they are making good on their threats.
    • The global cost of ransomware is expected to rise to $265 billion by 2031 (Cybersecurity Ventures, 2021).
    • We expect to see an increase in ransomware incidents in 2022, both in severity and volume – multiple attacks and double extortion are now the norm.
    • High staff turnover increases risk because new employees are unfamiliar with security protocols.

    150% increase ransomware attacks in 2020 (Source: ENISA)

    This is a new golden age of ransomware

    What is the same in 2022

    Unbridled ransomware attacks make it seem like attackers must be using complex new techniques, but prevalent ransomware attack vectors are actually well understood.

    Nearly all modern variants are breaching victim systems in one of three ways:

    • Email phishing
    • Software vulnerabilities
    • RDP/Remote access compromise
    What is new in 2022
    The sophistication of victim targeting

    Victims often find themselves asking, “How did the attackers know to phish the most security-oblivious person in my staff?” Bad actors have refined their social engineering and phishing to exploit high-risk individuals, meaning your chain is only as strong as the weakest link.

    Ability of malware to evade detection

    Modern ransomware is getting better at bypassing anti-malware technology, for example, through creative techniques such as those seen in the MedusaLocker variant and in Ghost Control attacks.

    Effective anti-malware is still a must-have control, but a single layer of defense is no longer enough. Any organization that hopes to avoid paying a ransom must prepare to detect, respond, and recover from an attack.

    Many leaders still don’t know what a ransomware recovery would look like

    Do you know what it would take to recover from a ransomware incident?

    …and does your executive leadership know what it would take to recover?

    The organizations that are most likely to pay a ransom are unprepared for the reality of recovering their systems.

    If you have not done a tabletop or live exercise to simulate a true recovery effort, you may be exposed to more risk than you realize.

    Are your defenses sufficiently hardened against ransomware?

    Organizations with effective security prevention are often breached by ransomware – but they are prepared to contain, detect, and eradicate the infection.

    Ask yourself whether you have identified potential points of entry for ransomware. Assume that your security controls will fail.

    How well are your security controls layered, and how difficult would it be for an attacker to move east/west within your systems?

    Recommended Actions

    Be prepared for a breach

    There is no guarantee that an organization will not fall victim to ransomware, so instead of putting all their effort into prevention, organizations should also put effort into planning to respond to a breach.

    Security awareness training/phishing detection

    Phishing continues to be the main point of entry for ransomware. Investing in phishing awareness and detection among your end users may be the most impactful countermeasure you can implement.

    Zero trust adoption

    Always verify at every step of interaction, even when access is requested by internal users. Manage access of sensitive information based on the principle of least privilege access.

    Encrypt and back up your data

    Encrypt your data so that even if there is a breach, the attackers don’t have a copy of your data. Also, keep regular backups of data at a separate location so that you still have data to work with after a breach occurs.

    You never want to pay a ransom. Being prepared to deal with an incident is your best chance to avoid paying!

    Prevent and respond to ransomware

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Determine your current readiness, response plan, and projects to close gaps.

    Initiative Description:

    • Execute a systematic assessment of your current security and ransomware recovery capabilities.
    • Perform tabletop activities and live recoveries to test data recovery capabilities.
    • Train staff to detect suspicious communications and protect their identities.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Improved productivity and brand protection

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced downtime and disruption
    Arrow pointing down.
    Reduced cost due to incidents (ransom payments, remediation)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Friction with existing staff

    Related Info-Tech Research:

    Deepfakes: Dark-horse threat for 2022

    Deepfake video

    How long has it been since you’ve gone a full workday without having a videoconference with someone?

    We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.

    Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.

    Deepfake audio

    Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.

    However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.

    Bibliography

    “2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.

    Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.

    Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.

    Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021.Web.

    “Cost of a Data Breach Report 2021.” IBM, 2021. Web.

    Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.

    “Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.

    “Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.

    Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.

    “Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.

    “(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.

    Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.

    Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.

    Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.

    Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.

    Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.

    Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.

    Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.

    Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.

    “Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.

    Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.

    Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.“ World Economic Forum, 15 Sept. 2021. Web.

    Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at black hat USA 2018.

    Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.

    “The State of Ransomware 2021.” Sophos, April 2021. Web.

    Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.

    “TD VoicePrint.” TD Bank, n.d. Web.

    “Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.

    “Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.

    Manage the Active Directory in the Service Desk

    • Buy Link or Shortcode: {j2store}489|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.
    • Adding permissions without removing them in lateral transfers creates access issues, especially when regulatory requirements like HIPAA require tight controls.
    • With the importance of maintaining and granting permissions within the Active Directory, organizations are hesitant to grant domain admin access to Tier 1 of the service desk. However, inundating Tier 2 analysts with requests to grant permissions takes away project time.

    Our Advice

    Critical Insight

    • Do not treat the Active Directory like a black box. Strive for accurate data and be proactive by managing your monitoring and audit schedules.
    • Catch outage problems before they happen by splitting monitoring tasks between daily, weekly, and monthly routines.
    • Shift left to save resourcing by employing workflow automation or scripted authorization for Tier 1 technicians.
    • Design actionable metrics to monitor and manage your Active Directory.

    Impact and Result

    • Consistent and right-sized monitoring and updating of the Active Directory is key to clean data.
    • Split monitoring activities between daily, weekly, and monthly checklists to raise efficiency.
    • If need be, shift-left strategies can be implemented for identity and access management by scripting the process so that it can be done by Tier 1 technicians.

    Manage the Active Directory in the Service Desk Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should manage your Active Directory in the service desk, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Maintain your Active Directory with clean data

    Building and maintaining your Active Directory does not have to be difficult. Standardized organization and monitoring with the proper metrics help you keep your data accurate and up to date.

    • Active Directory Standard Operating Procedure
    • Active Directory Metrics Tool

    2. Structure your service desk Active Directory processes

    Build a comprehensive Active Directory workflow library for service desk technicians to follow.

    • Active Directory Process Workflows (Visio)
    • Active Directory Process Workflows (PDF)
    [infographic]

    In Case Of Emergency...

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    1. Get people to safety efficiently by following the floor warden's information and get out if needed
      If there are no floor wardens, YOU take the initiative and alert people. Vacate the premises if you suspect danger.
      Err on the side of caution. Nobody ever got fired over keeping people safe.
    2. Get people to safety (yes! double check this)
    3. Check what is happening
    4. Stop the bleeding
    5. Check what you broke while stopping the bleeding
    6. Check if you need to go into DR mode
    7. Go into DR mode if that is the fastest way to restore the service
    8. Only now start to look deeper

    Notice what is missing in this list?

    • WHY did this happen?
    • WHO did what

    During the first reactions to an event, stick to the facts of what is happening and the symptoms. If the symptoms are bad, attend to people first, no matter the financial losses occurring.
    Remember that financial losses are typically insured. Human life is not. Only loss of income and ability to pay is insured! Not the person's life.

    The WHY, HOW, WHO and other root cause questions are asked in the aftermath of the incident and after you have stabilized the situation.
    In ITIL terms, those are Problem Management and Root Cause Analysis stage questions.

     

     

     

    Management, incident, reaction, emergency

    Develop an Availability and Capacity Management Plan

    • Buy Link or Shortcode: {j2store}500|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $2,840 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Availability & Capacity Management
    • Parent Category Link: /availability-and-capacity-management
    • It is crucial for capacity managers to provide capacity in advance of need to maximize availability.
    • In an effort to ensure maximum uptime, organizations are overprovisioning (an average of 59% for compute, and 48% for storage). With budget pressure mounting (especially on the capital side), the cost of this approach can’t be ignored.
    • Half of organizations have experienced capacity-related downtime, and almost 60% wait more than three months for additional capacity.

    Our Advice

    Critical Insight

    • All too often capacity management is left as an afterthought. The best capacity managers bake capacity management into their organization’s business processes, becoming drivers of value.
    • Communication is key. Build bridges between your organization’s silos, and involve business stakeholders in a dialog about capacity requirements.

    Impact and Result

    • Map business metrics to infrastructure component usage, and use your organization’s own data to forecast demand.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.
    • Establish infrastructure as a driver of business value, not a “black hole” cost center.

    Develop an Availability and Capacity Management Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a capacity management plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop an Availability and Capacity Management Plan – Phases 1-4

    1. Conduct a business impact analysis

    Determine the most critical business services to ensure availability.

    • Develop an Availability and Capacity Management Plan – Phase 1: Conduct a Business Impact Analysis
    • Business Impact Analysis Tool

    2. Establish visibility into core systems

    Craft a monitoring strategy to gather usage data.

    • Develop an Availability and Capacity Management Plan – Phase 2: Establish Visibility into Core Systems
    • Capacity Snapshot Tool

    3. Solicit and incorporate business needs

    Integrate business stakeholders into the capacity management process.

    • Develop an Availability and Capacity Management Plan – Phase 3: Solicit and Incorporate Business Needs
    • Capacity Plan Template

    4. Identify and mitigate risks

    Identify and mitigate risks to your capacity and availability.

    • Develop an Availability and Capacity Management Plan – Phase 4: Identify and Mitigate Risks

    [infographic]

    Workshop: Develop an Availability and Capacity Management Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct a Business Impact Analysis

    The Purpose

    Determine the most important IT services for the business.

    Key Benefits Achieved

    Understand which services to prioritize for ensuring availability.

    Activities

    1.1 Create a scale to measure different levels of impact.

    1.2 Evaluate each service by its potential impact.

    1.3 Assign a criticality rating based on the costs of downtime.

    Outputs

    RTOs/RPOs

    List of gold systems

    Criticality matrix

    2 Establish Visibility Into Core Systems

    The Purpose

    Monitor and measure usage metrics of key systems.

    Key Benefits Achieved

    Capture and correlate data on business activity with infrastructure capacity usage.

    Activities

    2.1 Define your monitoring strategy.

    2.2 Implement your monitoring tool/aggregator.

    Outputs

    RACI chart

    Capacity/availability monitoring strategy

    3 Develop a Plan to Project Future Needs

    The Purpose

    Determine how to project future capacity usage needs for your organization.

    Key Benefits Achieved

    Data-based, systematic projection of future capacity usage needs.

    Activities

    3.1 Analyze historical usage trends.

    3.2 Interface with the business to determine needs.

    3.3 Develop a plan to combine these two sources of truth.

    Outputs

    Plan for soliciting future needs

    Future needs

    4 Identify and Mitigate Risks

    The Purpose

    Identify potential risks to capacity and availability.

    Develop strategies to ameliorate potential risks.

    Key Benefits Achieved

    Proactive approach to capacity that addresses potential risks before they impact availability.

    Activities

    4.1 Identify capacity and availability risks.

    4.2 Determine strategies to address risks.

    4.3 Populate and review completed capacity plan.

    Outputs

    List of risks

    List of strategies to address risks

    Completed capacity plan

    Further reading

    Develop an Availability and Capacity Management Plan

    Manage capacity to increase uptime and reduce costs.

    ANALYST PERSPECTIVE

    The cloud changes the capacity manager’s job, but it doesn’t eliminate it.

    "Nobody doubts the cloud’s transformative power. But will its ascent render “capacity manager” an archaic term to be carved into the walls of datacenters everywhere for future archaeologists to puzzle over? No. While it is true that the cloud has fundamentally changed how capacity managers do their jobs , the process is more important than ever. Managing capacity – and, by extent, availability – means minimizing costs while maximizing uptime. The cloud era is the era of unlimited capacity – and of infinite potential costs. If you put the infinity symbol on a purchase order… well, it’s probably not a good idea. Manage demand. Manage your capacity. Manage your availability. And, most importantly, keep your stakeholders happy. You won’t regret it."

    Jeremy Roberts,

    Consulting Analyst, Infrastructure Practice

    Info-Tech Research Group

    Availability and capacity management transcend IT

    This Research Is Designed For:

    ✓ CIOs who want to increase uptime and reduce costs

    ✓ Infrastructure managers who want to deliver increased value to the business

    ✓ Enterprise architects who want to ensure stability of core IT services

    ✓ Dedicated capacity managers

    This Research Will Help You:

    ✓ Develop a list of core services

    ✓ Establish visibility into your system

    ✓ Solicit business needs

    ✓ Project future demand

    ✓ Set SLAs

    ✓ Increase uptime

    ✓ Optimize spend

    This Research Will Also Assist:

    ✓ Project managers

    ✓ Service desk staff

    This Research Will Help Them:

    ✓ Plan IT projects

    ✓ Better manage availability incidents caused by lack of capacity

    Executive summary

    Situation

    • IT infrastructure leaders are responsible for ensuring that the business has access to the technology needed to keep the organization humming along. This requires managing capacity and availability.
    • Dependencies go undocumented. Services are provided on an ad hoc basis, and capacity/availability are managed reactively.

    Complication

    • Organizations are overprovisioning an average of 59% for compute, and 48% for storage. This is expensive. With budget pressure mounting, the cost of this approach can’t be ignored.
    • Lead time to respond to demand is long. Half of organizations have experienced capacity-related downtime, and almost 60% wait 3+ months for additional capacity. (451 Research, 3)

    Resolution

    • Conduct a business impact analysis to determine which of your services are most critical, and require active capacity management that will reap more in benefits than it produces in costs.
    • Establish visibility into your system. You can’t track what you can’t see, and you can’t see when you don’t have proper monitoring tools in place.
    • Develop an understanding of business needs. Use a combination of historical trend analyses and consultation with line of business and project managers to separate wants from needs. Overprovisioning used to be necessary, but is no longer required.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.

    Info-Tech Insight

    1. Components are critical. The business doesn’t care about components. You, however, are not so lucky…
    2. Ask what the business is working on, not what they need. If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs.
    3. Cloud shmoud. The role of the capacity manager is changing with the cloud, but capacity management is as important as ever.

    Save money and drive efficiency with an effective availability and capacity management plan

    Overprovisioning happens because of the old style of infrastructure provisioning (hardware refresh cycles) and because capacity managers don’t know how much they need (either as a result of inaccurate or nonexistent information).

    According to 451 Research, 59% of enterprises have had to wait 3+ months for new capacity. It is little wonder, then, that so many opt to overprovision. Capacity management is about ensuring that IT services are available, and with lead times like that, overprovisioning can be more attractive than the alternative. Fortunately there is hope. An effective availability and capacity management plan can help you:

    • Identify your gold systems
    • Establish visibility into them
    • Project your future capacity needs

    Balancing overprovisioning and spending is the capacity manager’s struggle.

    Availability and capacity management go together like boots and feet

    Availability and capacity are not the same, but they are related and can be effectively managed together as part of a single process.

    If an IT department is unable to meet demand due to insufficient capacity, users will experience downtime or a degradation in service. To be clear, capacity is not the only factor in availability – reliability, serviceability, etc. are significant as well. But no organization can effectively manage availability without paying sufficient attention to capacity.

    "Availability Management is concerned with the design, implementation, measurement and management of IT services to ensure that the stated business requirements for availability are consistently met."

    – OGC, Best Practice for Service Delivery, 12

    "Capacity management aims to balance supply and demand [of IT storage and computing services] cost-effectively…"

    – OGC, Business Perspective, 90

    Integrate the three levels of capacity management

    Successful capacity management involves a holistic approach that incorporates all three levels.

    Business The highest level of capacity management, business capacity management, involves predicting changes in the business’ needs and developing requirements in order to make it possible for IT to adapt to those needs. Influx of new clients from a failed competitor.
    Service Service capacity management focuses on ensuring that IT services are monitored to determine if they are meeting pre-determined SLAs. The data gathered here can be used for incident and problem management. Increased website traffic.
    Component Component capacity management involves tracking the functionality of specific components (servers, hard drives, etc.), and effectively tracking their utilization and performance, and making predictions about future concerns. Insufficient web server compute.

    The C-suite cares about business capacity as part of the organization’s strategic planning. Service leads care about their assigned services. IT infrastructure is concerned with components, but not for their own sake. Components mean services that are ultimately designed to facilitate business.

    A healthcare organization practiced poor capacity management and suffered availability issues as a result

    CASE STUDY

    Industry: Healthcare

    Source: Interview

    New functionalities require new infrastructure

    There was a project to implement an elastic search feature. This had to correlate all the organization’s member data from an Oracle data source and their own data warehouse, and pool them all into an elastic search index so that it could be used by the provider portal search function. In estimating the amount of space needed, the infrastructure team assumed that all the data would be shared in a single place. They didn’t account for the architecture of elastic search in which indexes are shared across multiple nodes and shards are often split up separately.

    Beware underestimating demand and hardware sourcing lead times

    As a result, they vastly underestimated the amount of space that was needed and ended up short by a terabyte. The infrastructure team frantically sourced more hardware, but the rush hardware order arrived physically damaged and had to be returned to the vendor.

    Sufficient budget won’t ensure success without capacity planning

    The project’s budget had been more than sufficient to pay for the extra necessary capacity, but because a lack of understanding of the infrastructure impact resulted in improper forecasting, the project ended up stuck in a standstill.

    Manage availability and keep your stakeholders happy

    If you run out of capacity, you will inevitably encounter availability issues like downtime and performance degradation . End users do not like downtime, and neither do their managers.

    There are three variables that are monitored, measured, and analyzed as part of availability management more generally (Valentic).

      1. Uptime:

    The availability of a system is the percentage of time the system is “up,” (and not degraded) which can be calculated using the following formula: uptime/(uptime + downtime) x 100%. The more components there are in a system, the lower the availability, as a rule.

      1. Reliability:

    The length of time a component/service can go before there is an outage that brings it down, typically measured in hours.

      1. Maintainability:

    The amount of time it takes for a component/service to be restored in the event of an outage, also typically measured in hours.

    Enter the cloud: changes in the capacity manager role

    There can be no doubt – the rise of the public cloud has fundamentally changed the nature of capacity management.

    Features of the public cloudImplications for capacity management
    Instant, or near-instant, instantiation Lead times drop; capacity management is less about ensuring equipment arrives on time.
    Pay-as-you go services Capacity no longer needs to be purchased in bulk. Pay only for what you use and shut down instances that are no longer necessary.
    Essentially unlimited scalability Potential capacity is infinite, but so are potential costs.
    Offsite hosting Redundancy, but at the price of the increasing importance of your internet connection.

    Vendors will sell you the cloud as a solution to your capacity/availability problems

    The image contains two graphs. The first graph on the left is titled: Reactive Management, and shows the struggling relationship between capacity and demand. The second graph on the right is titled: Cloud future (ideal), which demonstrates a manageable relationship between capacity and demand over time.

    Traditionally, increases in capacity have come in bursts as a reaction to availability issues. This model inevitably results in overprovisioning, driving up costs. Access to the cloud changes the equation. On-demand capacity means that, ideally, nobody should pay for unused capacity.

    Reality check: even in the cloud era, capacity management is necessary

    You will likely find vendors to nurture the growth of a gap between your expectations and reality. That can be damaging.

    The cloud reality does not look like the cloud ideal. Even with the ostensibly elastic cloud, vendors like the consistency that longer-term contracts offer. Enter reserved instances: in exchange for lower hourly rates, vendors offer the option to pay a fee for a reserved instance. Usage beyond the reserved will be billed at a higher hourly rate. In order to determine where that line should be drawn, you should engage in detailed capacity planning. Unfortunately, even when done right, this process will result in some overprovisioning, though it does provide convenience from an accounting perspective. The key is to use spot instances where demand is exceptional and bounded. Example: A university registration server that experiences exceptional demand at the start of term but at no other time.

    The image contains an example of cloud reality not matching with the cloud ideal in the form of a graph. The graph is split horizontally, the top half is red, and there is a dotted line splitting it from the lower half. The line is labelled: Reserved instance ceiling. In the bottom half, it is the colour green and has a curving line.

    Use best practices to optimize your cloud resources

    The image contains two graphs. The graph on the left is labelled: Ineffective reserve capacity. At the top of the graph is a dotted line labelled: Reserved Instance ceiling. The graph is measuring capacity requirements over time. There is a curved line on the graph that suddenly spikes and comes back down. The spike is labelled unused capacity. The graph on the right is labelled: Effective reserve capacity. The reserved instance ceiling is about halfway down this graph, and it is comparing capacity requirements over time. This graph has a curved line on it, also has a spike and is labelled: spot instance.

    Even in the era of elasticity, capacity planning is crucial. Spot instances – the spikes in the graph above – are more expensive, but if your capacity needs vary substantially, reserving instances for all of the space you need can cost even more money. Efficiently planning capacity will help you draw this line.

    Evaluate business impact; not all systems are created equal

    Limited resources are a reality. Detailed visibility into every single system is often not feasible and could be too much information.

    Simple and effective. Sometimes a simple display can convey all of the information necessary to manage critical systems. In cars it is important to know your speed, how much fuel is in the tank, and whether or not you need to change your oil/check your engine.

    Where to begin?! Specialized information is sometimes necessary, but it can be difficult to navigate.

    Take advantage of a business impact analysis to define and understand your critical services

    Ideally, downtime would be minimal. In reality, though, downtime is a part of IT life. It is important to have realistic expectations about its nature and likelihood.

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    According to end users, every system is critical and downtime is intolerable. Of course, once they see how much totally eliminating downtime can cost, they might change their tune. It is important to have this discussion to separate the critical from the less critical – but still important – services.

    Establish visibility into critical systems

    You may have seen “If you can’t measure it, you can’t manage it” or a variation thereof floating around the internet. This adage is consumable and makes sense…doesn’t it?

    "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth."

    – W. Edwards Deming, statistician and management consultant, author of The New Economics

    While it is true that total monitoring is not absolutely necessary for management, when it comes to availability and capacity – objectively quantifiable service characteristics – a monitoring strategy is unavoidable. Capturing fluctuations in demand, and adjusting for those fluctuations, is among the most important functions of a capacity manager, even if hovering over employees with a stopwatch is poor management.

    Solicit needs from line of business managers

    Unless you head the world’s most involved IT department (kudos if you do) you’re going to have to determine your needs from the business.

    Do

    Do not

    ✓ Develop a positive relationship with business leaders responsible for making decisions.

    ✓ Make yourself aware of ongoing and upcoming projects.

    ✓ Develop expertise in organization-specific technology.

    ✓ Make the business aware of your expenses through chargebacks or showbacks.

    ✓ Use your understanding of business projects to predict business needs; do not rely on business leaders’ technical requests alone.

    X Be reactive.

    X Accept capacity/availability demands uncritically.

    X Ask line of business managers for specific computing requirements unless they have the technical expertise to make informed judgments.

    X Treat IT as an opaque entity where requests go in and services come out (this can lead to irresponsible requests).

    Demand: manage or be managed

    You might think you can get away with uncritically accepting your users’ demands, but this is not best practice. If you provide it, they will use it.

    The company meeting

    “I don’t need this much RAM,” the application developer said, implausibly. Titters wafted above the assembled crowd as her IT colleagues muttered their surprise. Heads shook, eyes widened. In fact, as she sat pondering her utterance, the developer wasn’t so sure she believed it herself. Noticing her consternation, the infrastructure manager cut in and offered the RAM anyway, forestalling the inevitable crisis that occurs when seismic internal shifts rock fragile self-conceptions. Until next time, he thought.

    "Work expands as to fill the resources available for its completion…"

    – C. Northcote Parkinson, quoted in Klimek et al.

    Combine historical data with the needs you’ve solicited to holistically project your future needs

    Predicting the future is difficult, but when it comes to capacity management, foresight is necessary.

    Critical inputs

    In order to project your future needs, the following inputs are necessary.

    1. Usage trends: While it is true that past performance is no indication of future demand, trends are still a good way to validate requests from the business.
    2. Line of business requests: An understanding of the projects the business has in the pipes is important for projecting future demand.
    3. Institutional knowledge: Read between the lines. As experts on information technology, the IT department is well-equipped to translate needs into requirements.
    The image contains a graph that is labelled: Projected demand, and graphs demand over time. There is a curved line that passes through a vertical line labelled present. There is a box on top of the graph that contains the text: Note: confidence in demand estimates will very by service and by stakeholder.

    Follow best practice guidelines to maximize the efficiency of your availability and capacity management process

    The image contains Info-Tech's IT Management & Governance Framework. The framework displays many of Info-Tech's research to help optimize and improve core IT processes. The name of this blueprint is under the Infrastructure & Operations section, and has been circled to point out where it is in the framework.

    Understand how the key frameworks relate and interact

    The image contains a picture of the COBIT 5 logo.

    BA104: Manage availability and capacity

    • Current state assessment
    • Forecasting based on business requirements
    • Risk assessment of planning and implementation of requirements
    The image contains a picture of the ITIL logo

    Availability management

    • Determine business requirements
    • Match requirements to capabilities
    • Address any mismatch between requirements and capabilities in a cost-effective manner

    Capacity management

    • Monitoring services and components
    • Tuning for efficiency
    • Forecasting future requirements
    • Influencing demand
    • Producing a capacity plan
    The image contains a picture of Info-Tech Research Group logo.

    Availability and capacity management

    • Conduct a business impact analysis
    • Establish visibility into critical systems
    • Solicit and incorporate business needs
    • Identify and mitigate risks

    Disaster recovery and business continuity planning are forms of availability management

    The scope of this project is managing day-to-day availability, largely but not exclusively, in the context of capacity. For additional important information on availability, see the following Info-Tech projects.

      • Develop a Business Continuity Plan

    If your focus is on ensuring process continuity in the event of a disaster.

      • Establish a Program to Enable Effective Performance Monitoring

    If your focus is on flow mapping and transaction monitoring as part of a plan to engage APM vendors.

      • Create a Right-Sized Disaster Recovery Plan

    If your focus is on hardening your IT systems against major events.

    Info-Tech’s approach to availability and capacity management is stakeholder-centered and cloud ready

    Phase 1:

    Conduct a business impact analysis

    Phase 2:

    Establish visibility into core systems

    Phase 3:

    Solicit and incorporate business needs

    Phase 4:

    Identify and mitigate risks

    1.1 Conduct a business impact analysis

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement monitoring tool/aggregator

    3.1 Solicit business needs

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Deliverables

    • Business impact analysis
    • Gold systems
    • Monitoring strategy
    • List of stakeholders
    • Business needs
    • Projected capacity needs
    • Risks and mitigations
    • Capacity management summary cards

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Availability & capacity management – project overview

     

    Conduct a business impact analysis

    Establish visibility into core systems

    Solicit and incorporate business needs

    Identify and
    mitigate risks

    Best-Practice Toolkit

    1.1 Create a scale to measure different levels of impact

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement your monitoring tool/aggregator

    3.1 Solicit business needs and gather data

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Guided Implementations

    Call 1: Conduct a business impact analysis Call 1: Discuss your monitoring strategy

    Call 1: Develop a plan to gather historical data; set up plan to solicit business needs

    Call 2: Evaluate data sources

    Call 1: Discuss possible risks and strategies for risk mitigation

    Call 2: Review your capacity management plan

    Onsite Workshop

    Module 1:

    Conduct a business impact analysis

    Module 2:

    Establish visibility into core systems

    Module 3:

    Develop a plan to project future needs

    Module 4:

    Identify and mitigate risks

     

    Phase 1 Results:

    • RTOs/RPOs
    • List of gold systems
    • Criticality matrix

    Phase 2 Results:

    • Capacity/availability monitoring strategy

    Phase 3 Results:

    • Plan for soliciting future needs
    • Future needs

    Phase 4 Results:

    • Strategies for reducing risks
    • Capacity management plan

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

     

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

     

    Conduct a business
    impact analysis

    Establish visibility into
    core systems

    Solicit and incorporate business needs

    Identify and mitigate risks

    Activities

    1.1 Conduct a business impact analysis

    1.2 Create a list of critical dependencies

    1.3 Identify critical sub-components

    1.4 Develop best practices to negotiate SLAs

    2.1 Determine indicators for sub-components

    2.2 Establish visibility into components

    2.3 Develop strategies to ameliorate visibility issues

    3.1 Gather relevant business-level data

    3.2 Gather relevant service-level data

    3.3 Analyze historical trends

    3.4 Build a list of business stakeholders

    3.5 Directly solicit requirements from the business

    3.6 Map business needs to technical requirements

    3.7 Identify inefficiencies and compare historical data

    • 4.1 Brainstorm potential causes of availability and capacity risk
    • 4.2 Identify and mitigate capacity risks
    • 4.3 Identify and mitigate availability risks

    Deliverables

    1. Business impact analysis
    2. List of gold systems
    3. SLA best practices
    1. Sub-component metrics
    2. Strategy to establish visibility into critical sub-components
    1. List of stakeholders
    2. Business requirements
    3. Technical requirements
    4. Inefficiencies
    1. Strategies for mitigating risks
    2. Completed capacity management plan template

    PHASE 1

    Conduct a Business Impact Analysis

    Step 1.1: Conduct a business impact analysis

    This step will walk you through the following activities:

    • Record applications and dependencies in the Business Impact Analysis Tool.
    • Define a scale to estimate the impact of various applications’ downtime.
    • Estimate the impact of applications’ downtime.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • Estimated impact of downtime for various applications

    Execute a business impact analysis (BIA) as part of a broader availability plan

    1.1a Business Impact Analysis Tool

    Business impact analyses are an invaluable part of a broader IT strategy. Conducting a BIA benefits a variety of processes, including disaster recovery, business continuity, and availability and capacity management

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    Engaging in detailed capacity planning for an insignificant service draws time and resources away from more critical capacity planning exercises. Time spent tracking and planning use of the ancient fax machine in the basement is time you’ll never get back.

    Control the scope of your availability and capacity management planning project with a business impact analysis

    Don’t avoid conducting a BIA because of a perception that it’s too onerous or not necessary. If properly managed, as described in this blueprint, the BIA does not need to be onerous and the benefits are tangible.

    A BIA enables you to identify appropriate spend levels, continue to drive executive support, and prioritize disaster recovery planning for a more successful outcome. For example, an Info-Tech survey found that a BIA has a significant impact on setting appropriate recovery time objectives (RTOs) and appropriate spending.

    The image contains a graph that is labelled: BIA Impact on Appropriate RTOS. With no BIA, there is 59% RTOs are appropriate. With BIA, there is 93% RTOS being appropriate. The image contains a graph that is labelled: BIA Impact on Appropriate Spending. No BIA has 59% indication that BCP is cost effective. With a BIA there is 86% indication that BCP is cost effective.

    Terms

    No BIA: lack of a BIA, or a BIA bases solely on the perceived importance of IT services.

    BIA: based on a detailed evaluation or estimated dollar impact of downtime.

    Source: Info-Tech Research Group; N=70

    Select the services you wish to evaluate with the Business Impact Analysis Tool

    1.1b 1 hour

    In large organizations especially, collating an exhaustive list of applications and services is going to be onerous. For the purposes of this project, a subset should suffice.

    Instructions

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. Solicit feedback from the group. Questions to ask:
    • What services do you regularly use? What do you see others using? (End users)
    • Which service inspires the greatest number of service calls? (IT)
    • What services are you most excited about? (Management)
    • What services are the most critical for business operations? (Everybody)
  • Record these applications in the Business Impact Analysis Tool.
  • Input

    • Applications/services

    Output

    • Candidate applications for the business impact analysis

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect
    • Application owners
    • End users

    Info-Tech Insight

    Include a variety of services in your analysis. While it might be tempting to jump ahead and preselect important applications, don’t. The process is inherently valuable, and besides, it might surprise you.

    Record the applications and dependencies in the BIA tool

    1.1c Use tab 1 of the Business Impact Analysis Tool

    1. In the Application/System column, list the applications identified for this pilot as well as the Core Infrastructure category. Also indicate the Impact on the Business and Business Owner.
    2. List the dependencies for each application in the appropriate columns:
    • Hosted On-Premises (In-House) – If the physical equipment is in a facility you own, record it here, even if it is managed by a vendor.
    • Hosted by a Co-Lo/MSP – List any dependencies hosted by a co-lo/MSP vendor.
    • Cloud (includes "as a Service”) – List any dependencies hosted by a cloud vendor.

    Note: If there are no dependencies for a particular category, leave it blank.

  • If you wish to highlight specific dependencies, put an asterisk in front of them (e.g. *SAN). This will cause the dependency to be highlighted in the remaining tabs in this tool.
  • Add comments as needed in the Notes columns. For example, for equipment that you host in-house but is remotely managed by an MSP, specify this in the notes. Similarly, note any DR support services.
  • Example

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool specifically tab 1.

    ID is optional. It is a sequential number by default.

    In-House, Co-Lo/MSP, and Cloud dependencies; leave blank if not applicable.

    Add notes as applicable – e.g. critical support services.

    Define a scoring scale to estimate different levels of impact

    1.1d Use tab 2 of the Business Impact Analysis Tool

    Modify the Business Impact Scales headings and Overall Criticality Rating terminology to suit your organization. For example, if you don’t have business partners, use that column to measure a different goodwill impact or just ignore that column in this tool (i.e. leave it blank). Estimate the different levels of potential impact (where four is the highest impact and zero is no impact) and record these in the Business Impact Scales columns.

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool, specifically tab 2.

    Estimate the impact of downtime for each application

    1.1e Use tab 3 of the Business Impact Analysis Tool

    In the BIA tab columns for Direct Costs of Downtime, Impact on Goodwill, and Additional Criticality Factors, use the drop-down menu to assign a score of zero to four based on levels of impact defined in the Scoring Criteria tab. For example, if an organization’s ERP is down, and that affects call center sales operations (e.g. ability to access customer records and process orders), the impact might be as described below:

      • Loss of Revenue might score a two or three depending on the proportion of overall sales lost due to the downtime.
      • The Impact on Customers might be a one or two depending on the extent that existing customers might be using the call center to purchase new products or services, and are frustrated by the inability to process orders.
      • The Legal/Regulatory Compliance and Health or Safety Risk might be a zero.

    On the other hand, if payroll processing is down, this may not impact revenue, but it certainly impacts internal goodwill and productivity.

    Rank service criticality: gold, silver, and bronze

    Gold

    Mission critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.

    Silver

    Important to daily operations, but not mission critical. Example: email services at any large organization.

    Bronze

    Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.

    Info-Tech Best Practice

    Info-Tech recommends gold, silver, and bronze because of this typology’s near universal recognition. If you would prefer a particular designation (it might help with internal comprehension), don’t hesitate to use that one instead.

    Use the results of the business impact analysis to sort systems based on their criticality

    1.1f 1 hour

    Every organization has its own rules about how to categorize service importance. For some (consumer-facing businesses, perhaps) reputational damage may trump immediate costs.

    Instructions

    1. Gather a group of key stakeholders and project the completed Business Impact Analysis Tool onto a screen for them.
    2. Share the definitions of gold, silver, and bronze services with them (if they are not familiar), and begin sorting the services by category,
    • How long would it take to notice if a particular service went out?
    • How important are the non-quantifiable damages that could come with an outage?
  • Sort the services into gold, silver, and bronze on a whiteboard, with sticky notes, or with chart paper.
  • Verify your findings and record them in section 2.1 of the Capacity Plan Template.
  • Input

    • Results of the business impact analysis exercise

    Output

    • List of gold, silver, and bronze systems

    Materials

    • Projector
    • Business Impact Analysis Tool
    • Capacity Plan Template

    Participants

    • Infrastructure manager
    • Enterprise architect

    Leverage the rest of the BIA tool as part of your disaster recovery planning

    Disaster recovery planning is a critical activity, and while it is a sort of availability management, it is beyond this project’s scope. You can complete the business impact analysis (including RTOs and RPOs) for the complete disaster recovery package.

    See Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint for instructions on how to complete your business impact analysis.

    Step 1.2: Assign criticality ratings to services

    This step will walk you through the following activities:

    • Create a list of dependencies for your most important applications.
    • Identify important sub-components.
    • Use best practices to develop and negotiate SLAs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of dependencies of most important applications
    • List of important sub-components
    • SLAs based on best practices

    Determine the base unit of the capacity you’re looking to purchase

    Not every IT organization should approach capacity the same way. Needs scale, and larger organizations will inevitably deal in larger quantities.

    Large cloud provider

    Local traditional business

    • Thousands of servers housed in a number of datacenters around the world.
    • Dedicated capacity manager.
    • Purchases components from OEMs in bulk as part of bespoke contracts that are worth many millions of dollars over time.
    • May deal with components at a massive scale (dozens of servers at once, for example).
    • A small server room that runs non-specialized services (email, for example).
    • Barely even a dedicated IT person, let alone an IT capacity manager.
    • Purchases new components from resellers or even retail stores.
    • Deals with components at a small scale (a single switch here, a server upgrade there).

    "Cloud capacity management is not exactly the same as the ITIL version because ITIL has a focus on the component level. I actually don’t do that, because if I did I’d go crazy. There’s too many components in a cloud environment."

    – Richie Mendoza, IT Consultant, SMITS Inc.

    Consider the relationship between component capacity and service capacity

    End users’ thoughts about IT are based on what they see. They are, in other words, concerned with service availability: does the organization have the ability to provide access to needed services?

    Service

    • Email
    • CRM
    • ERP

    Component

    • Switch
    • SMTP server
    • Archive database
    • Storage

    "You don’t ask the CEO or the guy in charge ‘What kind of response time is your requirement?’ He doesn’t really care. He just wants to make sure that all his customers are happy."

    – Todd Evans, Capacity and Performance Management SME, IBM.

    One telco solved its availability issues by addressing component capacity issues

    CASE STUDY

    Industry: Telecommunications

    Source: Interview

    Coffee and Wi-Fi – a match made in heaven

    In tens of thousands of coffee shops around the world, patrons make ample use of complimentary Wi-Fi. Wi-Fi is an important part of customers’ coffee shop experience, whether they’re online to check their email, do a YouTube, or update their Googles. So when one telco that provided Wi-Fi access for thousands of coffee shops started encountering availability issues, the situation was serious.

    Wi-Fi, whack-a-mole, and web woes

    The team responsible for resolving the issue took an ad hoc approach to resolving complaints, fixing issues as they came up instead of taking a systematic approach.

    Resolution

    Looking at the network as a whole, the capacity manager took a proactive approach by using data to identify and rank the worst service areas, and then directing the team responsible to fix those areas in order of the worst first, then the next worst, and so on. Soon the availability of Wi-Fi service was restored across the network.

    Create a list of dependencies for your most important applications

    1.2a 1.5 hours

    Instructions

    1. Work your way down the list of services outlined in step 1, starting with your gold systems. During the first iteration of this exercise select only 3-5 of your most important systems.
    2. Write the name of each application on a sticky note or at the top of a whiteboard (leaving ample space below for dependency mapping).
    3. In the first tier below the application, include the specific services that the general service provides.
    • This will vary based on the service in question, but an example for email is sending, retrieving, retrieving online, etc.
  • For each of the categories identified in step 3, identify the infrastructure components that are relevant to that system. Be broad and sweeping; if the component is involved in the service, include it here. The goal is to be exhaustive.
  • Leave the final version of the map intact. Photographing or making a digital copy for posterity. It will be useful in later activities.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    The image contains a sample dependency map on ride sharing. Ride Sharing has been split between two categories: Application and Drivers. Under drivers it branches out to: Availability, Car, and Pay. Under Application, it branches out to: Compute, Network, Edge devices, Q/A maintenance, and Storage. Compute branches out to Cloud Services. Network branches out to Cellular network and Local. Edge Devices branch out to Drivers and Users. Q/A maintenance does not have a following branch. Storage branches out to Storage (Enterprise) and Storage (local).

    Ride sharing cannot work, at least not at maximum effectiveness, without these constituent components. When one or more of these components are absent or degraded, the service will become unavailable. This example illustrates some challenges of capacity management; some of these components are necessary, but beyond the ride-sharing company’s control.

    Leverage a sample dependency tree for a common service

    The image contains a sample dependency tree for the Email service. Email branches out to: Filtering, Archiving, Retrieval, and Send/receive. Filtering branches out to security appliance which then branches out to CPU, Storage, and Network. Archiving branches to Archive server, which branches out to CPU, Storage, and Network. Retrieval branches out to IMAP/PoP which branches out to CPU, Storage, and Network. Send/receive branches out to IMAP/PoP and SMTP. SMTP branches out to CPU, Storage and Network.

    Info-Tech Best Practice

    Email is an example here not because it is necessarily a “gold system,” but because it is common across industries. This is a useful exercise for any service, but it can be quite onerous, so it should be conducted on the most important systems first.

    Separate the wheat from the chaff; identify important sub-components and separate them from unimportant ones

    1.2b 1.5 hours

    Use the bottom layer of the pyramid drawn in step 1.2a for a list of important sub-components.

    Instructions

    1. Record a list of the gold services identified in the previous activity. Leave space next to each service for sub-components.
    2. Go through each relevant sub-component. Highlight those that are critical and could reasonably be expected to cause problems.
    • Has this sub-component caused a problem in the past?
    • Is this sub-component a bottleneck?
    • What could cause this component to fail? Is it such an occurrence feasible?
  • Record the results of the exercise (and the service each sub-component is tied to) in tab 2 (columns B &C) of the Capacity Snapshot Tool.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Understand availability commitments with SLAs

    With the rise of SaaS, cloud computing, and managed services, critical services and their components are increasingly external to IT.

    • IT’s lack of access to the internal working of services does not let them off the hook for performance issues (as much as that might be the dream).
    • Vendor management is availability management. Use the dependency map drawn earlier in this phase to highlight the components of critical services that rely on capacity that cannot be managed internally.
    • For each of these services ensure that an appropriate SLA is in place. When acquiring new services, ensure that the vendor SLA meets business requirements.

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    In terms of service provision, capacity management is a form of availability management. Not all availability issues are capacity issues, but the inverse is true.

    Info-Tech Insight

    Capacity issues will always cause availability issues, but availability issues are not inherently capacity issues. Availability problems can stem from outages unrelated to capacity (e.g. power or vendor outages).

    Use best practices to develop and negotiate SLAs

    1.2c 20 minutes per service

    When signing contracts with vendors, you will be presented with an SLA. Ensure that it meets your requirements.

    1. Use the business impact analysis conducted in this project’s first step to determine your requirements. How much downtime can you tolerate for your critical services?
    2. Once you have been presented with an SLA, be sure to scour it for tricks. Remember, just because a vendor offers “five nines” of availability doesn’t mean that you’ll actually get that much uptime. It could be that the vendor is comfortable eating the cost of downtime or that the contract includes provisions for planned maintenance. Whether or not the vendor anticipated your outage does little to mitigate the damage an outage can cause to your business, so be careful of these provisions.
    3. Ensure that the person ultimately responsible for the SLA (the approver) understands the limitations of the agreement and the implications for availability.

    Input

    • List of external component dependencies

    Output

    • SLA requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Vendors are sometimes willing to eat the cost of violating SLAs if they think it will get them a contract. Be careful with negotiation. Just because the vendor says they can do something doesn’t make it true.

    Negotiate internal SLAs using Info-Tech’s rigorous process

    Talking past each other can drive misalignment between IT and the business, inconveniencing all involved. Quantify your needs through an internal SLA as part of a comprehensive availability management plan.

    See Info-Tech’s Improve IT-Business Alignment Through an Internal SLA blueprint for instructions on why you should develop internal SLAs and the potential benefits they bring.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2

    The image contains a screenshot of activity 1.2 as previously described above.

    Create a list of dependencies for your most important applications

    Using the results of the business impact analysis, the analyst will guide workshop participants through a dependency mapping exercise that will eventually populate the Capacity Plan Template.

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Conduct a business impact analysis

    Proposed Time to Completion: 1 week

    Step 1.1: Create a scale to measure different levels of impact

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Use the results of the business impact analysis to sort systems based on their criticality

    With these tools & templates:

    Business Impact Analysis Tool

    Step 1.2: Assign criticality ratings to services

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Create a list of dependencies for your most important applications
    • Identify important sub-components
    • Use best practices to develop and negotiate SLAs

    With these tools & templates:

    Capacity Snapshot Tool

    Phase 1 Results & Insights:

    • Engaging in detailed capacity planning for an insignificant service is a waste of resources. Focus on ensuring availability for your most critical systems.
    • Carefully evaluate vendors’ service offerings. Make sure the SLA works for you, and approach pie-in-the-sky promises with skepticism.

    PHASE 2

    Establish Visibility Into Core Systems

    Step 2.1: Define your monitoring strategy

    This step will walk you through the following activities:

    • Determine the indicators you should be tracking for each sub-component.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of indicators to track for each sub-component

    Data has its significance—but also its limitations

    The rise of big data can be a boon for capacity managers, but be warned: not all data is created equal. Bad data can lead to bad decisions – and unemployed capacity managers.

    Your findings are only as good as your data. Remember: garbage in, garbage out. There are three characteristics of good data:*

    1. Accuracy: is the data exact and correct? More detail and confidence is better.
    2. Reliability: is the data consistent? In other words, if you run the same test twice will you get the same results?
    3. Validity: is the information gleaned believable and relevant?

    *National College of Teaching & Leadership, “Reliability and Validity”

    "Data is king. Good data is absolutely essential to [the capacity manager] role."

    – Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Info-Tech Best Practice

    Every organization’s data needs are different; your data needs are going to be dictated by your services, delivery model, and business requirements. Make sure you don’t confuse volume with quality, even if others in your organization make that mistake.

    Take advantage of technology to establish visibility into your systems

    Managing your availability and capacity involves important decisions about what to monitor and how thresholds should be set.

    • Use the list of critical applications developed through the business impact analysis and the list of components identified in the dependency mapping exercise to produce a plan for effectively monitoring component availability and capacity.
    • The nature of IT service provision – the multitude of vendors providing hardware and services necessary for even simple IT services to work effectively – means that it is unlikely that capacity management will be visible through a single pane of glass. In other words, “email” and “CRM” don’t have a defined capacity. It always depends.
    • Establishing visibility into systems involves identifying what needs to be tracked for each component.

    Too much monitoring can be as bad as the inverse

    In 2013, a security breach at US retailer Target compromised more than 70 million customers’ data. The company received an alert, but it was thought to be a false positive because the monitoring system produced so many false and redundant alerts. As a result of the daily deluge, staff did not respond to the breach in time.

    Info-Tech Insight

    Don’t confuse monitoring with management. While establishing visibility is a crucial step, it is only part of the battle. Move on to this project’s next phase to explore opportunities to improve your capacity/availability management process.

    Determine the indicators you should be tracking for each sub-component

    2.1a Tab 3 of the Capacity Snapshot Tool

    It is nearly impossible to overstate the importance of data to the process of availability and capacity management. But the wrong data will do you no good.

    Instructions

    1. Open the Capacity Snapshot Tool to tab 2. The tool should have been populated in step 1.2 as part of the component mapping exercise.
    2. For each service, determine which metric(s) would most accurately tell the component’s story. Consider the following questions when completing this activity (you may end up with more than one metric):
    • How would the component’s capacity be measured (storage space, RAM, bandwidth, vCPUs)?
    • Is the metric in question actionable?
  • Record each metric in the Metric column (D) of the Capacity Snapshot Tool. Use the adjacent column for any additional information on metrics.
  • Info-Tech Insight

    Bottlenecks are bad. Use the Capacity Snapshot Tool (or another tool like it) to ensure that when the capacity manager leaves (on vacation, to another role, for good) the knowledge that they have accumulated does not leave as well.

    Understand the limitations of this approach

    Although we’ve striven to make it as easy as possible, this process will inevitably be cumbersome for organizations with a complicated set of software, hardware, and cloud services.

    Tracking every single component in significant detail will produce a lot of noise for each bit of signal. The approach outlined here addresses that concern in two ways:

    • A focus on gold services
    • A focus on sub-components that have a reasonable likelihood of being problematic in the future.

    Despite this effort, however, managing capacity at the component level is a daunting task. Ultimately, tools provided by vendors like SolarWinds and AppDynamics will fill in some of the gaps. Nevertheless, an understanding of the conceptual framework underlying availability and capacity management is valuable.

    Step 2.2: Implement your monitoring tool/aggregator

    This step will walk you through the following activities:

    • Clarify visibility.
    • Determine whether or not you have sufficiently granular visibility.
    • Develop strategies to .any visibility issues.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team
    • Applications personnel

    Outcomes of this step

    • Method for measuring and monitoring critical sub-components

    Companies struggle with performance monitoring because 95% of IT shops don’t have full visibility into their environments

    CASE STUDY

    Industry: Financial Services

    Source: AppDynamics

    Challenge

    • Users are quick to provide feedback when there is downtime or application performance degradation.
    • The challenge for IT teams is that while they can feel the pain, they don’t have visibility into the production environment and thus cannot identify where the pain is coming from.
    • The most common solution that organizations rely on is leveraging the log files for issue diagnosis. However, this method is slow and often unable to pinpoint the problem areas, leading to delays in problem resolution.

    Solution

    • Application and infrastructure teams need to work together to develop infrastructure flow maps and transaction profiles.
    • These diagrams will highlight the path that each transaction travels across your infrastructure.
    • Ideally at this point, teams will also capture latency breakdowns across every tier that the business transaction flows through.
      • This will ultimately kick start the baselining process.

    Results

    • Ninety-five percent of IT departments don’t have full visibility into their production environment. As a result, a slow business transaction will often require a war-room approach where SMEs from across the organization gather to troubleshoot.
    • Having visibility into the production environment through infrastructure flow mapping and transaction profiling will help IT teams pinpoint problems.
      • At the very least, teams will be able to identify common problem areas and expedite the root-cause analysis process.

    Source: “Just how complex can a Login Transaction be? Answer: Very!,” AppDynamics

    Monitor your critical sub-components

    Establishing a monitoring plan for your capacity involves answering two questions: can I see what I need to see, and can I see it with sufficient granularity?

    • Having the right tool for the job is an important step towards effective capacity and availability management.
    • Application performance management tools (APMs) are essential to the process, but they tend to be highly specific and vertically oriented, like using a microscope.
    • Some product families can cover a wider range of capacity monitoring functions (SolarWinds, for example). It is still important, however, to codify your monitoring needs.

    "You don’t use a microscope to monitor an entire ant farm, but you might use many microscopes to monitor specific ants."

    – Fred Chagnon, Research Director, Infrastructure Practice, Info-Tech Research Group

    Monitor your sub-components: clarify visibility

    2.2a Tab 2 of the Capacity Snapshot Tool

    The next step in capacity management is establishing whether or not visibility (in the broad sense) is available into critical sub-components.

    Instructions

    1. Open the Capacity Snapshot Tool and record the list of sub-components identified in the previous step.
    2. For each sub-component answer the following question:
    • Do I have easy access to the information I need to monitor to ensure this component remains available?
  • Select “Yes” or “No” from the drop-down menus as appropriate. In the adjacent column record details about visibility into the component.
    • What tool provides the information? Where can it be found?

    The image contains a screenshot of Info-Tech's Capacity Snapshot Tool, Tab 2.

    Monitor your sub-components; determine whether or not you have sufficient granular visibility

    2.2b Tab 2 of the Capacity Snapshot Tool

    Like ideas and watches, not all types of visibility are created equal. Ensure that you have access to the right information to make capacity decisions.

    Instructions

    1. For each of the sub-components clarify the appropriate level of granularity for the visibility gained to be useful. In the case of storage, for example, is raw usage (in gigabytes) sufficient, or do you need a breakdown of what exactly is taking up the space? The network might be more complicated.
    2. Record the details of this ideation in the adjacent column.
    3. Select “Yes” or “No” from the drop-down menu to track the status of each sub-component.

    The image contains a picture of an iPhone storage screen where it breaks down the storage into the following categories: apps, media, photos, and other.

    For most mobile phone users, this breakdown is sufficient. For some, more granularity might be necessary.

    Info-Tech Insight

    Make note of monitoring tools and strategies. If anything changes, be sure to re-evaluate the visibility status. An outdated spreadsheet can lead to availability issues if management is unaware of looming problems.

    Develop strategies to ameliorate any visibility issues

    2.2c 1 hour

    The Capacity Snapshot Tool color-codes your components by status. Green – visibility and granularity are both sufficient; yellow – visibility exists, though not at sufficient granularity; and red – visibility does not exist at all.

    Instructions

    1. Write each of the yellow and red sub-components on a whiteboard or piece of chart paper.
    2. Brainstorm amelioration strategies for each of the problematic sub-components.
    • Does the current monitoring tool have sufficient functionality?
    • Does it need to be further configured/customized?
    • Do we need a whole new tool?
  • Record these strategies in the Amelioration Strategy column on tab 4 of the tool.
  • Input

    • Sub-components
    • Capacity Snapshot Tool

    Output

    • Amelioration strategies

    Materials

    • Whiteboard
    • Markers
    • Capacity Snapshot Tool

    Participants

    • Infrastructure manager

    Info-Tech Best Practice

    It might be that there is no amelioration strategy. Make note of this difficulty and highlight it as part of the risk section of the Capacity Plan Template.

    See Info-Tech’s projects on storage and network modernization for additional details

    Leverage other products for additional details on how to modernize your network and storage services.

    The process of modernizing the network is fraught with vestigial limitations. Develop a program to gather requirements and plan.

    As part of the blueprint, Modernize Enterprise Storage, the Modernize Enterprise Storage Workbook includes a section on storage capacity planning.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2

    The image contains a screenshot of activity 2.2.

    Develop strategies to ameliorate visibility issues

    The analyst will guide workshop participants in brainstorming potential solutions to visibility issues and record them in the Capacity Snapshot Tool.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Establish visibility into core systems

    Proposed Time to Completion: 3 weeks

    Step 2.1: Define your monitoring strategy

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Determine the indicators you should be tracking for each sub-component

    With these tools & templates:

    • Capacity Snapshot Tool

    Step 2.2: Implement your monitoring tool/aggregator

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Clarify visibility
    • Determine whether or not you have sufficiently granular visibility
    • Develop strategies to ameliorate any visibility issues

    With these tools & templates:

    • Capacity Snapshot Tool

    Phase 2 Results & Insights:

    • Every organization’s data needs are different. Adapt data gathering, reporting, and analysis according to your services, delivery model, and business requirements.
    • Don’t confuse monitoring with management. Build a system to turn reported data into useful information that feeds into the capacity management process.

    PHASE 3

    Solicit and Incorporate Business Needs

    Step 3.1: Solicit business needs and gather data

    This step will walk you through the following activities:

    • Build relationships with business stakeholders.
    • Analyze usage data and identify trends.
    • Correlate usage trends with business needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • System for involving business stakeholders in the capacity planning process
    • Correlated data on business level, service level, and infrastructure level capacity usage

    Summarize your capacity planning activities in the Capacity Plan Template

    The availability and capacity management summary card pictured here is a handy way to capture the results of the activities undertaken in the following phases. Note its contents carefully, and be sure to record specific outputs where appropriate. One such card should be completed for each of the gold services identified in the project’s first phase. Make note of the results of the activities in the coming phase, and populate the Capacity Snapshot Tool. These will help you populate the tool.

    The image contains a screenshot of Info-Tech's Capacity Plan Template.

    Info-Tech Best Practice

    The Capacity Plan Template is designed to be a part of a broader mapping strategy. It is not a replacement for a dedicated monitoring tool.

    Analyze historical trends as a crucial source of data

    The first place to look for information about your organization is not industry benchmarks or your gut (though those might both prove useful).

    • Where better to look than internally? Use the data you’ve gathered from your APM tool or other sources to understand your historical capacity needs and to highlight any periods of unavailability.
    • Consider monitoring the status of the capacity of each of your crucial components. The nature of this monitoring will vary based on the component in question. It can range from a rough Excel sheet all the way to a dedicated application performance monitoring tool.

    "In all cases the very first thing to do is to look at trending…The old adage is ‘you don’t steer a boat by its wake,’ however it’s also true that if something is growing at, say, three percent a month and it has been growing at three percent a month for the last twelve months, there’s a fairly good possibility that it’s going to carry on going in that direction."

    – Mike Lynch, Consultant, CapacityIQ

    Gather relevant data at the business level

    3.1a 2 hours per service

    A holistic approach to capacity management involves peering beyond the beaded curtain partitioning IT from the rest of the organization and tracking business metrics.

    Instructions

    1. Your service/application owners know how changes in business activities impact their systems. Business level capacity management involves responding to those changes. Ask service/application owners what changes will impact their capacity. Examples include:
    • Business volume (net new customers, number of transactions)
    • Staff changes (new hires, exits, etc.)
  • For each gold service, brainstorm relevant metrics. How can you capture that change in business volume?
  • Record these metrics in the summary card of the Capacity Plan Template.
  • In the notes section of the summary card record whether or not you have access to the required business metric.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Business level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Gather relevant data at the service level

    3.1b 2 hours per service

    One level of abstraction down is the service level. Service level capacity management, recall that service level capacity management is about ensuring that IT is meeting SLAs in its service provision.

    Instructions

    1. There should be internal SLAs for each service IT offers. (If not, that’s a good place to start. See Info-Tech’s research on the subject.) Prod each of your service owners for information on the metrics that are relevant for their SLAs. Consider the following:
    • Peak hours, requests per second, etc.
    • This will usually include some APM data.
  • Record these metrics in the summary card of the Capacity Plan Template.
  • Include any visibility issues in the notes in a similar section of the Capacity Plan Template.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Service level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Leverage the visibility into your infrastructure components and compare all of your data over time

    You established visibility into your components in the second phase of this project. Use this data, and that gathered at the business and service levels, to begin analyzing your demand over time.

    • Different organizations will approach this issue differently. Those with a complicated service catalog and a dedicated capacity manager might employ a tool like TeamQuest. If your operation is small, or you need to get your availability and capacity management activities underway as quickly as possible, you might consider using a simple spreadsheet software like Excel.
    • If you choose the latter option, select a level of granularity (monthly, weekly, etc.) and produce a line graph in Excel.
    • Example: Employee count (business metric)

    Jan

    Feb

    Mar

    Apr

    May

    June

    July

    74

    80

    79

    83

    84

    100

    102

    The image contains a graph using the example of employee count described above.

    Note: the strength of this approach is that it is easy to visualize. Use the same timescale to facilitate simple comparison.

    Manage, don’t just monitor; mountains of data need to be turned into information

    Information lets you make a decision. Understand the questions you don’t need to ask, and ask the right ones.

    "Often what is really being offered by many analytics solutions is just more data or information – not insights."

    – Brent Dykes, Director of Data Strategy, Domo

    Info-Tech Best Practice

    You can have all the data in the world and absolutely nothing valuable to add. Don’t fall for this trap. Use the activities in this phase to structure your data collection operation and ensure that your organization’s availability and capacity management plan is data driven.

    Analyze historical trends and track your services’ status

    3.1c Tab 3 of the Capacity Snapshot Tool

    At-a-glance – it’s how most executives consume all but the most important information. Create a dashboard that tracks the status of your most important systems.

    Instructions

    1. Consult infrastructure leaders for information about lead times for new capacity for relevant sub-components and include that information in the tool.
    • Look to historical lead times. (How long does it traditionally take to get more storage?)
    • If you’re not sure, contact an in-house expert, or speak to your vendor
  • Use tab 3 of the tool to record whether your existing capacity will be exceeded before you can stand more hardware up (red), you have a plan to ameliorate capacity issues but new capacity is not yet in place (yellow), or if you are not slated to run out of capacity any time soon (green).
  • Repeat the activity regularly. Include notes about spikes that might present capacity challenges, and information about when capacity may run out.
  • This tool collates and presents information gathered from other sources. It is not a substitute for a performance monitoring tool.

    Build a list of key business stakeholders

    3.1d 10 minutes

    Stakeholder analysis is crucial. Lines of authority can be diffuse. Understand who needs to be involved in the capacity management process early on.

    Instructions

    1. With the infrastructure team, brainstorm a group of departments, roles, and people who may impact demand on capacity.
    2. Go through the list with your team and identify stakeholders from two groups:
    • Line of business: who in the business makes use of the service?
    • Application owner: who in IT is responsible for ensuring the service is up?
  • Insert the list into section 3 of the Capacity Plan Template, and update as needed.
  • Input

    • Gold systems
    • Personnel Information

    Output

    • List of key business stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    Consider which departments are most closely aligned with the business processes that fuel demand. Prioritize those that have the greatest impact. Consider the stakeholders who will make purchasing decisions for increasing infrastructure capacity.

    Organize stakeholder meetings

    3.1e 10 hours

    Establishing a relationship with your stakeholders is a necessary step in managing your capacity and availability.

    Instructions

    1. Gather as many of the stakeholders identified in the previous activity as you can and present information on availability and capacity management
    • If you can’t get everyone in the same room, a virtual meeting or even an email blast could get the job done.
  • Explain the importance of capacity and availability management
    • Consider highlighting the trade-offs between cost and availability.
  • Field any questions the stakeholders might have about the process. Be honest. The goal of this meeting is to build trust. This will come in handy when you’re gathering business requirements.
  • Propose a schedule and seek approval from all present. Include the results in section 3 of the Capacity Plan Template.
  • Input

    • List of business stakeholders
    • Hard work

    Output

    • Working relationship, trust
    • Regular meetings

    Materials

    • Work ethic
    • Executive brief

    Participants

    • Capacity manager
    • Business stakeholders

    Info-Tech Insight

    The best capacity managers develop new business processes that more closely align their role with business stakeholders. Building these relationships takes hard work, and you must first earn the trust of the business.

    Bake stakeholders into the planning process

    3.1f Ongoing

    Convince, don’t coerce. Stakeholders want the same thing you do. Bake them into the planning process as a step towards this goal.

    1. Develop a system to involve stakeholders regularly in the capacity planning process.
    • Your system will vary depending on the structure and culture of your organization.
    • See the case study on the following slide for ideas.
    • It may be as simple as setting a recurring reminder in your own calendar to touch base with stakeholders.
  • Liaise with stakeholders regularly to keep abreast of new developments.
    • Ensure stakeholders have reasonable expectations about IT’s available resources, the costs of providing capacity, and the lead times required to source additional needed capacity.
  • Draw on these stakeholders for the step “Gather information on business requirements” later in this phase.
  • Input

    • List of business stakeholders
    • Ideas

    Output

    • Capacity planning process that involves stakeholders

    Materials

    • Meeting rooms

    Participants

    • Capacity manager
    • Business stakeholders
    • Infrastructure team

    A capacity manager in financial services wrangled stakeholders and produced results

    CASE STUDY

    Industry: Financial Services

    Source: Interview

    In financial services, availability is king

    In the world of financial services, availability is absolutely crucial. High-value trades occur at all hours, and any institution that suffers outages runs the risk of losing tens of thousands of dollars, not to mention reputational damage.

    People know what they want, but sometimes they have to be herded

    While line of business managers and application owners understand the value of capacity management, it can be difficult to establish the working relationship necessary for a fruitful partnership.

    Proactively building relationships keeps services available

    He built relationships with all the department heads on the business side, and all the application owners.

    • He met with department heads quarterly.
    • He met with application owners and business liaisons monthly.

    He established a steering committee for capacity.

    He invited stakeholders to regular capacity planning meetings.

    • The first half of each meeting was high-level outlook, such as business volume and IT capacity utilization, and included stakeholders from other departments.
    • The second half of the meeting was more technical, serving the purpose for the infrastructure team.

    He scheduled lunch and learn sessions with business analysts and project managers.

    • These are the gatekeepers of information, and should know that IT needs to be involved when things come down the pipeline.

    Step 3.2: Analyze data and project future needs

    This step will walk you through the following activities:

    • Solicit needs from the business.
    • Map business needs to technical requirements, and technical requirements to infrastructure requirements.
    • Identify inefficiencies in order to remedy them.
    • Compare the data across business, component, and service levels, and project your capacity needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Model of how business processes relate to technical requirements and their demand on infrastructure
    • Method for projecting future demand for your organization’s infrastructure
    • Comparison of current capacity usage to projected demand

    “Nobody tells me anything!” – the capacity manager’s lament

    Sometimes “need to know” doesn’t register with sales or marketing. Nearly every infrastructure manager can share a story about a time when someone has made a decision that has critically impacted IT infrastructure without letting anyone in IT in on the “secret.”

    In brief

    The image contains a picture of a man appearing to be overwhelmed.

    Imagine working for a media company as an infrastructure capacity manager. Now imagine that the powers that be have decided to launch a content-focused web service. Seems like something they would do, right? Now imagine you find out about it the same way the company’s subscribers do. This actually happened – and it shouldn’t have. But a similar lack of alignment makes this a real possibility for any organization. If you don’t establish a systematic plan for soliciting and incorporating business requirements, prepare to lose a chunk of your free time. The business should never be able to say, in response to “nobody tells me anything,” “nobody asked.”

    Pictured: an artist’s rendering of the capacity manager in question.

    Directly solicit requirements from the business

    3.2a 30 minutes per stakeholder

    Once you’ve established, firmly, that everyone’s on the same team, meet individually with the stakeholders to assess capacity.

    Instructions

    1. Schedule a one-on-one meeting with each line of business manager (stakeholders identified in 3.1). Ideally this will be recurring.
    • Experienced capacity managers suggest doing this monthly.
  • In the meeting address the following questions:
    • What are some upcoming major initiatives?
    • Is the department going to expand or contract in a noticeable way?
    • Have customers taken to a particular product more than others?
  • Include the schedule in the Capacity Plan Template, and consider including details of the discussion in the notes section in tab 3 of the Capacity Snapshot Tool.
  • Input

    • Stakeholder opinions

    Output

    • Business requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Sometimes line of business managers will evade or ignore you when you come knocking. They do this because they don’t know and they don’t want to give you the wrong information. Explain that a best guess is all you can ask for and allay their fears.

    Below, you will find more details about what to look for when soliciting information from the line of business manager you’ve roped into your scheme.

    1. Consider the following:
    • Projected sales pipeline
    • Business growth
    • Seasonal cycles
    • Marketing campaigns
    • New applications and features
    • New products and services
  • Encourage business stakeholders to give you their best guess for elements such as projected sales or business growth.
  • Estimate variance and provide a range. What can you expect at the low end? The high end? Record your historical projections for an idea of how accurate you are.
  • Consider carefully the infrastructure impact of new features (and record this in the notes section of the Capacity Snapshot Tool).
  • Directly solicit requirements from the business (optional)

    3.2a 1 hour

    IT staff and line of business staff come with different skillsets. This can lead to confusion, but it doesn’t have to. Develop effective information solicitation techniques.

    Instructions

    1. Gather your IT staff in a room with a whiteboard. As a group, select a gold service/line of business manager you would like to use as a “practice dummy.”
    2. Have everyone write down a question they would ask of the line of business representative in a hypothetical business/service capacity discussion.
    3. As a group discuss the merits of the questions posed:
    • Are they likely to yield productive information?
    • Are they too vague or specific?
    • Is the person in question likely to know the answer?
    • Is the information requested a guarded trade secret?
  • Discuss the findings and include any notes in section 3 of the Capacity Plan Template.
  • Input

    • Workshop participants’ ideas

    Output

    • Interview skills

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Capacity manager
    • Infrastructure staff

    Map business needs to technical requirements, and technical requirements to infrastructure requirements

    3.2b 5 hours

    When it comes to mapping technical requirements, IT alone has the ability to effectively translate business needs.

    Instructions

    1. Use your notes from stakeholder meetings to assess the impact of any changes on gold systems.
    2. For each system brainstorm with infrastructure staff (and any technical experts as necessary) about what the information gleaned from stakeholder discussions. Consider the following discussion points:
    • How has demand for the service been trending? Does it match what the business is telling us?
    • Have we had availability issues in the past?
    • Has the business been right with their estimates in the past?
  • Estimate what a change in business/service metrics means for capacity.
    • E.g. how much RAM does a new email user require?
  • Record the output in the summary card of the Capacity Plan Template.
  • Input

    • Business needs

    Output

    • Technical and infrastructure requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Adapt the analysis to the needs of your organization. One capacity manager called the one-to-one mapping of business process to infrastructure demand the Holy Grail of capacity management. If this level of precision isn’t attainable, develop your own working estimates using the higher-level data

    Avoid putting too much faith in the cloud as a solution to your problem

    Has the rise of on-demand, functionally unlimited services eliminated the need for capacity and availability management?

    Capacity management

    The role of the capacity manager is changing, but it still has a purpose. Consider this:

    • Not everything can move to the cloud. For security/functionality reasons, on-premises infrastructure will continue to exist.
    • Cost management is more relevant than ever in the cloud age. Manage your instances.
    • While a cloud migration might render some component capacity management functions irrelevant, it could increase the relevance of others (the network, perhaps).

    Availability management

    Ensuring services are available is still IT’s wheelhouse, even if that means a shift to a brokerage model:

    • Business availability requirements (as part of the business impact analysis, potentially) are important; internal SLAs and contracts with vendors need to be managed.
    • Even in the cloud environment, availability is not guaranteed. Cloud providers have outages (unplanned, maintenance related, etc.) and someone will have to understand the limitations of cloud services and the impact on availability.

    Info-Tech Insight

    The cloud comes at the cost of detailed performance data. Sourcing a service through an SLA with a third party increases the need to perform your own performance testing of gold level applications. See performance monitoring.

    Beware Parkinson’s law

    A consequence of our infinite capacity for creativity, people have the enviable skill of making work. In 1955, C. Northcote Parkinson pointed out this fact in The Economist . What are the implications for capacity management?

    "It is a commonplace observation that work expands so as to fill the time available for its completion. Thus, an elderly lady of leisure can spend the entire day in writing and despatching a postcard to her niece at Bognor Regis. An hour will be spent in finding the postcard, another in hunting for spectacles, half-an-hour in a search for the address, an hour and a quarter in composition, and twenty minutes in deciding whether or not to take an umbrella when going to the pillar-box in the next street."

    C. Northcote Parkinson, The Economist, 1955

    Info-Tech Insight

    If you give people lots of capacity, they will use it. Most shops are overprovisioned, and in some cases that’s throwing perfectly good money away. Don’t be afraid to prod if someone requests something that doesn’t seem right.

    Optimally align demand and capacity

    When it comes to managing your capacity, look for any additional efficiencies.

    Questions to ask:

    • Are there any infrastructure services that are not being used to their full potential, sitting idle, or allocated to non-critical or zombie functions?
      • Are you managing your virtual servers? If, for example, you experience a seasonal spike in demand, are you leaving virtual machines running after the fact?
    • Do your organization’s policies and your infrastructure setup allow for the use of development resources for production during periods of peak demand?
    • Can you make organizational or process changes in order to satisfy demand more efficiently?

    In brief

    Who isn’t a sports fan? Big games mean big stakes for pool participants and armchair quarterbacks—along with pressure on the network as fans stream games from their work computers. One organization suffered from this problem, and, instead of taking a hardline and banning all streams, opted to stream the game on a large screen in a conference room where those interested could work for its duration. This alleviated strain on the network and kept staff happy.

    Shutting off an idle cloud to cut costs

    CASE STUDY

    Industry:Professional Services

    Source:Interview

    24/7 AWS = round-the-clock costs

    A senior developer realized that his development team had been leaving AWS instances running without any specific reason.

    Why?

    The development team appreciated the convenience of an always-on instance and, because the people spinning them up did not handle costs, the problem wasn’t immediately apparent.

    Resolution

    In his spare time over the course of a month, the senior developer wrote a program to manage the servers, including shutting them down during times when they were not in use and providing remote-access start-up when required. His team alone saved $30,000 in costs over the next six months, and his team lead reported that it would have been more than worth paying the team to implement such a project on company time.

    Identify inefficiencies in order to remediate them

    3.2c 20 minutes per service

    Instructions

    1. Gather the infrastructure team together and discuss existing capacity and demand. Use the inputs from your data analysis and stakeholder meetings to set the stage for your discussion.
    2. Solicit ideas about potential inefficiencies from your participants:
    • Are VMs effectively allocated? If you need 7 VMs to address a spike, are those VMs being reallocated post-spike?
    • Are developers leaving instances running in the cloud?
    • Are particular services massively overprovisioned?
    • What are the biggest infrastructure line items? Are there obvious opportunities for cost reduction there?
  • Record any potential opportunities in the summary of the Capacity Plan Template.
  • Input

    • Gold systems
    • Data inputs

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    The most effective capacity management takes a holistic approach and looks at the big picture in order to find ways to eliminate unnecessary infrastructure usage, or to find alternate or more efficient sources of required capacity.

    Dodging the toll troll by rerouting traffic

    CASE STUDY

    Industry:Telecommunications

    Source: Interview

    High-cost lines

    The capacity manager at a telecommunications provider mapped out his firm’s network traffic and discovered they were using a number of VP circuits (inter building cross connects) that were very expensive on the scale of their network.

    Paying the toll troll

    These VP circuits were supplying needed network services to the telecom provider’s clients, so there was no way to reduce this demand.

    Resolution

    The capacity manager analyzed where the traffic was going and compared this to the cost of the lines they were using. After performing the analysis, he found he could re-route much of the traffic away from the VP circuits and save on costs while delivering the same level of service to their users.

    Compare the data across business, component, and service levels, and project your capacity needs

    3.2d 2 hour session/meeting

    Make informed decisions about capacity. Remember: retain all documentation. It might come in handy for the justification of purchases.

    Instructions

    1. Using either a dedicated tool or generic spreadsheet software like Excel or Sheets, evaluate capacity trends. Ask the following questions:
    • Are there times when application performance degraded, and the service level was disrupted?
    • Are there times when certain components or systems neared, reached, or exceeded available capacity?
    • Are there seasonal variations in demand?
    • Are there clear trends, such as ongoing growth of business activity or the usage of certain applications?
    • What are the ramifications of trends or patterns in relation to infrastructure capacity?
  • Use the insight gathered from stakeholders during the stakeholder meetings, project required capacity for the critical components of each gold service.
  • Record the results of this activity in the summary card of the Capacity Plan Template.
  • Compare current capacity to your projections

    3.2e Section 5 of the Capacity Plan Template

    Capacity management (and, by extension, availability management) is a combination of two balancing acts: cost against capacity and supply and demand.*

    Instructions

    1. Compare your projections with your reality. You already know whether or not you have enough capacity given your lead times. But do you have too much? Compare your sub-component capacity projections to your current state.
    2. Highlight any outliers. Is there a particular service that is massively overprovisioned?
    3. Evaluate the reasons for the overprovisioning.
    • Is the component critically important?
    • Did you get a great deal on hardware?
    • Is it an oversight?
  • Record the results in the notes section of the summary card of the Capacity Plan Template.
  • *Office of Government Commerce 2001, 119.

    In brief

    The fractured nature of the capacity management space means that every organization is going to have a slightly different tooling strategy. No vendor has dominated, and every solution requires some level of customization. One capacity manager (a cloud provider, no less!) relayed a tale about a capacity management Excel sheet programmed with 5,000+ lines of code. As much work as that is, a bespoke solution is probably unavoidable.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2

    The image contains a screenshot of activity 3.2.

    Map business needs to technical requirements and technical requirements to infrastructure requirements

    The analyst will guide workshop participants in using their organization’s data to map out the relationships between applications, technical requirements, and the underlying infrastructure usage.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Solicit and incorporate business needs

    Proposed Time to Completion: 2 weeks

    Step 3.1: Solicit business needs and gather data

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Analyze historical trends and track your services’ status
    • Build a list of key business stakeholders
    • Bake stakeholders into the planning process

    With these tools & templates:

    Capacity Plan Template

    Step 3.2: Analyze data and project future needs

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Map business needs to technical requirements and technical requirements to infrastructure requirements
    • Compare the data across business, component, and service levels, and project your capacity needs
    • Compare current capacity to your projections

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 3 Results & Insights:

    • Develop new business processes that more closely align your role with business stakeholders. Building these relationships takes hard work, and won’t happen overnight.
    • Take a holistic approach to eliminate unnecessary infrastructure usage or source capacity more efficiently.

    PHASE 4

    Identify and Mitigate Risks

    Step 4.1: Identify and mitigate risks

    This step will walk you through the following activities:

    • Identify potential risks.
    • Determine strategies to mitigate risks.
    • Complete your capacity management plan.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Strategies for reducing risks
    • Capacity management plan

    Understand what happens when capacity/availability management fails

    1. Services become unavailable. If availability and capacity management are not constantly practiced, an inevitable consequence is downtime or a reduction in the quality of that service. Critical sub-component failures can knock out important systems on their own.
    2. Money is wasted. In response to fears about availability, it’s entirely possible to massively overprovision or switch entirely to a pay-as-you-go model. This, unfortunately, brings with it a whole host of other problems, including overspending. Remember: infinite capacity means infinite potential cost.
    3. IT remains reactive and is unable to contribute more meaningfully to the organization. If IT is constantly putting out capacity/availability-related fires, there is no room for optimization and activities to increase organizational maturity. Effective availability and capacity management will allow IT to focus on other work.

    Mitigate availability and capacity risks

    Availability: how often a service is usable (that is to say up and not too degraded to be effective). Consequences of reduced availability can include financial losses, impacted customer goodwill, and reduced faith in IT more generally.

    Causes of availability issues:

    • Poor capacity management – a service becomes unavailable when there is insufficient supply to meet demand. This is the result of poor capacity management.
    • Scheduled maintenance – services go down for maintenance with some regularity. This needs to be baked into service-level negotiations with vendors.
    • Vendor outages – sometimes vendors experience unplanned outages. There is typically a contract provision that covers unplanned outages, but that doesn’t change the fact that your service will be interrupted.

    Capacity: a particular component’s/service’s/business’ wiggle room. In other words, its usage ceiling.

    Causes of capacity issues:

    • Poor demand management – allowing users to run amok without any regard for how capacity is sourced and paid for.
    • Massive changes in legitimate demand – more usage means more demand.
    • Poor capacity planning – predictable changes in demand that go unaddressed can lead to capacity issues.

    Add additional potential causes of availability and capacity risks as needed

    4.1a 30 minutes

    Availability and capacity issues can stem from a number of different causes. Include a list in your availability and capacity management plan.

    Instructions

    1. Gather the group together. Go around the room and have participants provide examples of incidents and problems that have been the result of availability and capacity issues.
    2. Pose questions to the group about the source of those availability and capacity issues.
    • What could have been done differently to avoid these issues?
    • Was the availability/capacity issue a result of a faulty internal/external SLA?
  • Record the results of the exercise in sections 4.1 and 4.2 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Additional sources of availability and capacity risks

    Materials

    • Capacity Plan Template

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Availability and capacity problems result in incidents, critical incidents, and problems. These are addressed in a separate project (incident and problem management), but information about common causes can streamline that process.

    Identify capacity risks and mitigate them

    4.1b 30 minutes

    Based on your understanding of your capacity needs (through written SLAs and informal but regular meetings with the business) highlight major risks you foresee.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Record risks to capacity you have identified in earlier activities.
    • Refer to the Capacity Snapshot Tool for components that are highlighted in red and yellow. These are specific components that present special challenges. Identify the risk(s) in as much detail as possible. Include service and business risks as well.
    • Examples: a marketing push will put pressure on the web server; a hiring push will require more Office 365 licenses; a downturn in registration will mean that fewer VMs will be required to run the service.

    Input

    • Capacity Snapshot Tool results

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify capacity risks and mitigate them (cont.)

    4.1b 1.5 hours

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance: responding to the risk is costlier than acknowledging its existence without taking any action. For gold systems, acceptance is typically not acceptable.
    • Mitigation: limiting/reducing, eliminating, or transferring risk (Herrera) comprise the sort of mitigation discussed here.
      • Limiting/reducing: taking steps to improve the capacity situation, but accepting some level of risk (spinning up a new VM, pushing back on demands from the business, promoting efficiency).
      • Eliminating: the most comprehensive (and most expensive) mitigation strategy, elimination could involve purchasing a new server or, at the extreme end, building a new datacenter.
      • Transfer: “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Capacity risk mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify availability risks and mitigate them

    4.1c 30 minutes

    While capacity management is a form of availability management, it is not the only form. In this activity, outline the specific nature of threats to availability.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Begin brainstorming general availability risks based on the following sources of information/categories:
    • Vendor outages
    • Disaster recovery
    • Historical availability issues

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    A dynamic central repository is a good way to ensure that availability issues stemming from a variety of causes are captured and mitigated.

    Identify availability risks and mitigate them (cont.)

    4.1c 1.5 hours

    Although it is easier said than done, identifying potential mitigations is a crucial part of availability management as an activity.

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance – responding to the risk is costlier than taking it on. Some unavailability is inevitable, between maintenance and unscheduled downtime. Record this, though it may not require immediate action.
    • Mitigation strategies:
      • Limiting/reducing – taking steps to increase availability of critical systems. This could include hot spares for unreliable systems or engaging a new vendor.
      • Eliminating – the most comprehensive (and most expensive) mitigation strategy. It could include selling.
      • Transfer – “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Iterate on the process and present your completed availability and capacity management plan

    The stakeholders consulted as part of the process will be interested in its results. Share them, either in person or through a collaboration tool.

    The current status of your availability and capacity management plan should be on the agenda for every stakeholder meeting. Direct the stakeholders’ attention to the parts of the document that are relevant to them, and solicit their thoughts on the document’s accuracy. Over time you should get a pretty good idea of who among your stakeholder group is skilled at projecting demand, and who over- or underestimates, and by how much. This information will improve your projections and, therefore, your management over time.

    Info-Tech Insight

    Use the experience gained and the artifacts generated to build trust with the business. The meetings should be regular, and demonstrating that you’re actually using the information for good is likely to make hesitant participants in the process more likely to open up.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    The image contains a screenshot of activity 4.1.

    Identify capacity risks and mitigate them

    The analyst will guide workshop participants in identifying potential risks to capacity and determining strategies for mitigating them.

    Phase 4 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Identify and mitigate risks

    Proposed Time to Completion: 1 week

    Step 4.1: Identify and mitigate risks

    Review your findings with an analyst

    • Discuss your potential risks and your strategies for mitigating those risks.

    Then complete these activities…

    • Identify capacity risks and mitigate them
    • Identify availability risks and mitigate them
    • Complete your capacity management plan

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 4 Results & Insights:

    • Be a problem solver and prove IT’s value to the organization. Capacity management allows infrastructure to drive business value.
    • Iterate and share results. Reinforce your relationships with stakeholders and continue to refine how capacity management transforms your organization’s business processes.

    Insight breakdown

    Insight 1

    Components are critical to availability and capacity management.

    The CEO doesn’t care about the SMTP server. She cares about meeting customer needs and producing profit. For IT capacity and availability managers, though, the devil is in the details. It only takes one faulty component to knock out a service. Keep track and keep the lights on.

    Insight 2

    Ask what the business is working on, not what they need.

    If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs. Use your IT experience to estimate the impact of business and service level changes on the components that secure the availability you need.

    Insight 3

    Cloud shmoud.

    The role of the capacity manager might be changing with the advent of the public cloud, but it has not disappeared. Capacity managers in the age of the cloud are responsible for managing vendor relationships, negotiating external SLAs, projecting costs and securing budgets, reining in prodigal divisions, and so on.

    Summary of accomplishment

    Knowledge Gained

    • Impact of downtime on the organization
    • Gold systems
    • Key dependencies and sub-components
    • Strategy for monitoring components
    • Strategy for soliciting business needs
    • Projected capacity needs
    • Availability and capacity risks and mitigations

    Processes Optimized

    • Availability management
    • Capacity management

    Deliverables Completed

    • Business Impact Analysis
    • Capacity Plan Template

    Project step summary

    Client Project: Develop an Availability and Capacity Management Plan

    1. Conduct a business impact analysis
    2. Assign criticality ratings to services
    3. Define your monitoring strategy
    4. Implement your monitoring tool/aggregator
    5. Solicit business needs and gather data
    6. Analyze data and project future needs
    7. Identify and mitigate risks

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery via Info-Tech Guided Implementation.

    Research contributors and experts

    The image contains a picture of Adrian Blant.

    Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Adrian has over 15 years' experience in IT infrastructure. He has built capacity management business processes from the ground up, and focused on ensuring a productive dialogue between IT and the business.

    The image contains a picture of James Zhang.

    James Zhang, Senior Manager Disaster Recovery, AIG Technology

    James has over 20 years' experience in IT and 10 years' experience in capacity management. Throughout his career, he has focused on creating new business processes to deliver value and increase efficiency over the long term.

    The image contains a picture of Mayank Banerjee.

    Mayank Banerjee, CTO, Global Supply Chain Management, HelloFresh

    Mayank has over 15 years' experience across a wide range of technologies and industries. He has implemented highly automated capacity management processes as part of his role of owning and solving end-to-end business problems.

    The image contains a picture of Mike Lynch

    Mike Lynch, Consultant, CapacityIQ

    Mike has over 20 years' experience in IT infrastructure. He takes a holistic approach to capacity management to identify and solve key problems, and has developed automated processes for mapping performance data to information that can inform business decisions.

    The image contains a picture of Paul Waguespack.

    Paul Waguespack, Manager of Application Systems Engineering, Tufts Health Plan

    Paul has over 10 years' experience in IT. He has specialized in implementing new applications and functionalities throughout their entire lifecycle, and integrating with all aspects of IT operations.

    The image contains a picture of Richie Mendoza.

    Richie Mendoza, IT Consultant, SMITS Inc.

    Richie has over 10 years' experience in IT infrastructure. He has specialized in using demand forecasting to guide infrastructure capacity purchasing decisions, to provide availability while avoiding costly overprovisioning.

    The image contains a picture of Rob Thompson.

    Rob Thompson, President, IT Tools & Process

    Rob has over 30 years’ IT experience. Throughout his career he has focused on making IT a generator of business value. He now runs a boutique consulting firm.

    Todd Evans, Capacity and Performance Management SME, IBM

    Todd has over 20 years' experience in capacity and performance management. At Kaiser Permanente, he established a well-defined mapping of the businesses workflow processes to technical requirements for applications and infrastructure.

    Bibliography

    451 Research. “Best of both worlds: Can enterprises achieve both scalability and control when it comes to cloud?” 451 Research, November 2016. Web.

    Allen, Katie. “Work Also Shrinks to Fit the Time Available: And We Can Prove It.” The Guardian. 25 Oct. 2017.

    Amazon. “Amazon Elastic Compute Cloud.” Amazon Web Services. N.d. Web.

    Armandpour, Tim. “Lies Vendors Tell about Service Level Agreements and How to Negotiate for Something Better.” Network World. 12 Jan 2016.

    “Availability Management.” ITIL and ITSM World. 2001. Web.

    Availability Management Plan Template. Purple Griffon. 30 Nov. 2012. Web.

    Bairi, Jayachandra, B., Murali Manohar, and Goutam Kumar Kundu. “Capacity and Availability Management by Quantitative Project Management in the IT Service Industry.” Asian Journal on Quality 13.2 (2012): 163-76. Web.

    BMC Capacity Optimization. BMC. 24 Oct 2017. Web.

    Brooks, Peter, and Christa Landsberg. Capacity Management in Today’s IT Environment. MentPro. 16 Aug 2017. Web.

    "Capacity and Availability Management." CMMI Institute. April 2017. Web.

    Capacity and Availability Management. IT Quality Group Switzerland. 24 Oct. 2017. Web.

    Capacity and Performance Management: Best Practices White Paper. Cisco. 4 Oct. 2005. Web.

    "Capacity Management." Techopedia.

    “Capacity Management Forecasting Best Practices and Recommendations.” STG. 26 Jan 2015. Web.

    Capacity Management from the Ground up. Metron. 24 Oct. 2017. Web.

    Capacity Management in the Modern Datacenter. Turbonomic. 25 Oct. 2017. Web.

    Capacity Management Maturity Assessing and Improving the Effectiveness. Metron. 24 Oct. 2017. Web.

    “Capacity Management Software.” TeamQuest. 24 Oct 2017. Web,

    Capacity Plan Template. Purainfo. 11 Oct 2012. Web.

    “Capacity Planner—Job Description.” Automotive Industrial Partnership. 24 Oct. 2017. Web.

    Capacity Planning. CDC. Web. Aug. 2017.

    "Capacity Planning." TechTarget. 24 Oct 2017. Web.

    “Capacity Planning and Management.” BMC. 24 Oct 2017. Web.

    "Checklist Capacity Plan." IT Process Wiki. 24 Oct. 2017. Web.

    Dykes, Brent. “Actionable Insights: The Missing Link Between Data and Business Value.” Forbes. April 26, 2016. Web.

    Evolved Capacity Management. CA Technologies. Oct. 2013. Web.

    Francis, Ryan. “False positives still cause threat alert fatigue.” CSO. May 3, 2017. Web.

    Frymire, Scott. "Capacity Planning vs. Capacity Analytics." ScienceLogic. 24 Oct. 2017. Web.

    Glossary. Exin. Aug. 2017. Web.

    Herrera, Michael. “Four Types of Risk Mitigation and BCM Governance, Risk and Compliance.” MHA Consulting. May 17, 2013.

    Hill, Jon. How to Do Capacity Planning. TeamQuest. 24 Oct. 2017. Web.

    “How to Create an SLA in 7 Easy Steps.” ITSM Perfection. 25 Oct. 2017. Web.

    Hunter, John. “Myth: If You Can’t Measure It: You Can’t Manage It.” W. Edwards Deming Institute Blog. 13 Aug 2015. Web.

    IT Service Criticality. U of Bristol. 24 Oct. 2017. Web.

    "ITIL Capacity Management." BMC's Complete Guide to ITIL. BMC Software. 22 Dec. 2016. Web.

    “Just-in-time.” The Economist. 6 Jul 2009. Web.

    Kalm, Denise P., and Marv Waschke. Capacity Management: A CA Service Management Process Map. CA. 24 Oct. 2017. Web.

    Klimek, Peter, Rudolf Hanel, and Stefan Thurner. “Parkinson’s Law Quantified: Three Investigations in Bureaucratic Inefficiency.” Journal of Statistical Mechanics: Theory and Experiment 3 (2009): 1-13. Aug. 2017. Web.

    Landgrave, Tim. "Plan for Effective Capacity and Availability Management in New Systems." TechRepublic. 10 Oct. 2002. Web.

    Longoria, Gina. “Hewlett Packard Enterprise Goes After Amazon Public Cloud in Enterprise Storage.” Forbes. 2 Dec. 2016. Web.

    Maheshwari, Umesh. “Understanding Storage Capacity.” NimbleStorage. 7 Jan. 2016. Web.

    Mappic, Sandy. “Just how complex can a Login Transaction be? Answer: Very!” Appdynamics. Dec. 11 2011. Web.

    Miller, Ron. “AWS Fires Back at Larry Ellison’s Claims, Saying It’s Just Larry Being Larry.” Tech Crunch. 2 Oct. 2017. Web.

    National College for Teaching & Leadership. “The role of data in measuring school performance.” National College for Teaching & Leadership. N.d. Web,

    Newland, Chris, et al. Enterprise Capacity Management. CETI, Ohio State U. 24 Oct. 2017. Web.

    Office of Government Commerce . Best Practice for Service Delivery. London: Her Majesty’s Stationery Office, 2001.

    Office of Government Commerce. Best Practice for Business Perspective: The IS View on Delivering Services to the Business. London: Her Majesty’s Stationery Office, 2004.

    Parkinson, C. Northcote. “Parkinson’s Law.” The Economist. 19 Nov. 1955. Web.

    “Parkinson’s Law Is Proven Again.” Financial Times. 25 Oct. 2017. Web.

    Paul, John, and Chris Hayes. Performance Monitoring and Capacity Planning. VM Ware. 2006. Web.

    “Reliability and Validity.” UC Davis. N.d. Web.

    "Role: Capacity Manager." IBM. 2008. Web.

    Ryan, Liz. “‘If You Can’t Measure It, You Can’t Manage It’: Not True.” Forbes. 10 Feb. 2014. Web.

    S, Lalit. “Using Flexible Capacity to Lower and Manage On-Premises TCO.” HPE. 23 Nov. 2016. Web.

    Snedeker, Ben. “The Pros and Cons of Public and Private Clouds for Small Business.” Infusionsoft. September 6, 2017. Web.

    Statement of Work: IBM Enterprise Availability Management Service. IBM. Jan 2016. Web.

    “The Road to Perfect AWS Reserved Instance Planning & Management in a Nutshell.” Botmetric. 25 Oct. 2017. Web.

    Transforming the Information Infrastructure: Build, Manage, Optimize. Asigra. Aug. 2017. Web.

    Valentic, Branimir. "Three Faces of Capacity Management." ITIL/ISO 20000 Knowledge Base. Advisera. 24 Oct. 2017. Web.

    "Unify IT Performance Monitoring and Optimization." IDERA. 24 Oct. 2017. Web.

    "What is IT Capacity Management?" Villanova U. Aug. 2017. Web.

    Wolstenholme, Andrew. Final internal Audit Report: IT Availability and Capacity (IA 13 519/F). Transport For London. 23 Feb. 2015. Web.

    Embed Security Into the DevOps Pipeline

    • Buy Link or Shortcode: {j2store}265|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $31,515 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Your organization is starting its DevOps journey and is looking to you for guidance on how to ensure that the outcomes are secure.
    • Or, your organization may have already embraced DevOps but left the security team behind. Now you need to play catch-up.

    Our Advice

    Critical Insight

    • Shift security left. Identify opportunities to embed security earlier in the development pipeline.
    • Start with minimum viable security. Use agile methodologies to further your goals of secure DevOps.
    • Treat “No” as a finite resource. The role of security must transition from that of naysayer to a partner in finding the way to “Yes.”

    Impact and Result

    • Leverage the CLAIM (Culture, Learning, Automation, Integration, Measurement) Framework to identify opportunities to close the gaps.
    • Collaborate to find new ways to shift security left so that it becomes part of development rather than an afterthought.
    • Start with creating minimum viable security by developing a DevSecOps implementation strategy that focuses initially on quick wins.

    Embed Security Into the DevOps Pipeline Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should secure the DevOps pipeline, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify opportunities

    Brainstorm opportunities to secure the DevOps pipeline using the CLAIM Framework.

    • Embed Security Into the DevOps Pipeline – Phase 1: Identify Opportunities

    2. Develop strategy

    Assess opportunities and formulate a strategy based on a cost/benefit analysis.

    • Embed Security Into the DevOps Pipeline – Phase 2: Develop Strategy
    • DevSecOps Implementation Strategy Template
    [infographic]

    External Compliance

    • Buy Link or Shortcode: {j2store}39|cart{/j2store}
    • Related Products: {j2store}39|crosssells{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk
    Take Control of Compliance Improvement to Conquer Every Audit

    Mitigate the Risk of Cloud Downtime and Data Loss

    • Buy Link or Shortcode: {j2store}412|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
    • IT leaders have limited control over third-party incidents and that includes cloud services. Yet they are on the hot seat when cloud services go down.
    • While vendors have swooped in to provide resilience options for the more-common SaaS solutions, it is not the case for all cloud services.

    Our Advice

    Critical Insight

    • No control over the software does not mean no recovery options. Solutions range from designing an IT workaround using alternate technologies to pre-defined third-party service continuity options (e.g. see options for O365) to business workarounds.
    • Even where there is limited control, you can at least define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.
    • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA issues and overall resilience gaps.

    Impact and Result

    • Follow a structured process to assess cloud resilience risk.
    • Identify opportunities to mitigate risk – at the very least, ensure critical data is protected.
    • Summarize cloud services risk, mitigation options, and incident response for senior leadership.

    Mitigate the Risk of Cloud Downtime and Data Loss Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Mitigate the Risk of Cloud Downtime and Data Loss – Step-by-step guide to assess risk, identify risk mitigation options, and create an incident response plan.

    Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds.

    • Mitigate the Risk of Cloud Downtime and Data Loss Storyboard

    2. Cloud Services Incident Risk and Mitigation Review – Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy.

    At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.

    • Cloud Services Incident Risk and Mitigation Review Tool

    3. SaaS Incident Response Workflows – Use these examples to guide your efforts to create cloud incident response workflows.

    The examples illustrate different approaches to incident response depending on the criticality of the service and options available.

    • SaaS Incident Response Workflows (Visio)
    • SaaS Incident Response Workflows (PDF)

    4. Cloud Services Resilience Summary – Use this template to capture your results.

    Summarize cloud services risk, mitigation options, and incident response for senior leadership.

    • Cloud Services Resilience Summary
    [infographic]

    Further reading

    Mitigate the Risk of Cloud Downtime and Data Loss

    Resilience and disaster recovery in an increasingly Cloudy and SaaSy world.

    Analyst Perspective

    If you think cloud means you don’t need a response plan, then get your resume ready.

    Frank Trovato

    Most organizations are now recognizing that they can’t ignore the risk of a cloud outage or data loss, and the challenge is “what can I do about it?” since there is limited control.

    If you still think “it’s in the cloud, so I don’t need to worry about it,” then get your resume ready. When O365 goes down, your executives are calling IT, not Microsoft, for an answer of what’s being done and what can they do in the meantime to get the business up and running again.

    The key is to recognize what you can control and what actions you can take to evaluate and mitigate risk. At a minimum, you can ensure senior leadership is aware of the risk and define a plan for how you will respond to an incident, even if that is limited to monitoring and communicating status.

    Often you can do more, including defining IT workarounds, backing up your SaaS data for additional protection, and using business process workarounds to bridge the gap, as illustrated in the case studies in this blueprint.

    Frank Trovato
    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Use this blueprint to expand your DRP and BCP to account for cloud services

    As more applications are migrated to cloud-based services, disaster recovery (DR) and business continuity plans (BCP) must include an understanding of cloud risks and actions to mitigate those risks. This includes evaluating vendor and service reliability and resilience, security measures, data protection capabilities, and technology and business workarounds if there is a cloud outage or incident.

    Use the risk assessments and cloud service incident response plans developed through this blueprint to supplement your DRP and BCP as well as further inform your crisis management plans (e.g. account for cloud risks in your crisis communication planning).

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT application and infrastructure services following a disruption.

    Info-Tech’s Disaster Recovery Planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit.

    Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
    • Migrating to cloud services transfers much of the responsibility for day-to-day platform maintenance but not accountability for resilience.
    • IT leaders are often responsible for not just the organization’s IT DRP but also BCP and other elements of overall resilience. Cloud risk adds another element IT leaders need to consider.
    • IT leaders have limited control over third-party incidents and that includes cloud services. With SaaS services in particular, recovery or continuity options may be limited.
    • While vendors have swooped in to provide resilience options for the more common SaaS solutions, that is not the case for all cloud services.
    • Part of the solution is defining business process workarounds and that depends on cooperation from business leaders.
    • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.
    • Adapt how you approach downtime and data loss risk, particularly for SaaS solutions where there is limited or no control over the system.
    • Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.

    Info-Tech Insight

    Asking vendors about their DRP, BCP, and overall resilience has become commonplace. Expect your vendors to provide answers so you can assess risk. Furthermore, your vendor may have additional offerings to increase resilience or recommendations for third parties who can further assist your goals of improving cloud service resilience.

    Key deliverable

    Cloud Services Resilience Summary

    Provide leadership with a summary of cloud risk, downtime workarounds implemented, and additional data protection.

    The image contains a screenshot of the Cloud Services Resilience Summary.

    Additional tools and templates in this blueprint

    Cloud Services Incident Risk and Mitigation Review Tool

    Use this tool to gather vendor input, evaluate vendor SLAs and overall resilience, and track your own risk mitigation efforts.

    The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

    SaaS Incident Response Workflows

    Use the examples in this document as a model to develop your own incident response workflows for cloud outages or data loss.

    The image contains a screenshot of the SaaS Incident Response Workflows.

    This blueprint will step you through the following actions to evaluate and mitigate cloud services risk

    1. Assess your cloud risk
    • Review your cloud services to determine potential impact of downtime/data loss, vendor SLA gaps, and vendor’s current resilience.
  • Identify options to mitigate risk
    • Explore your cloud vendor’s resilience offerings, third-party solutions, DIY recovery options, and business workarounds.
  • Create an incident response plan
    • Document your cloud risk mitigation strategy and incident response plan, which might include a failover strategy, data protection, and/or business continuity.

    Cloud Risk Mitigation

    Identify options to mitigate risk

    Create an incident response plan

    Assess risk

    Phase 1: Assess your cloud risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Cloud does not guarantee uptime

    Public cloud services (e.g. Azure, GCP, AWS) and popular SaaS solutions experience downtime every year.

    A few cloud outage examples:

    • Microsoft Azure AD outage, March 15, 2022:
      Many users could not log into O365, Dynamics, or the Azure Portal.
      Cause: software change.
    • Three AWS outages in December 2021: December 7 (Netflix and others impacted), December 15 (Duo, Zoom, Slack, others), December 20 (Slack, Epic Games, others). Cause: network issues, power outage.
    • Salesforce outage, May 12, 2022: Users could not access the Lightning platform. Cause: expired certificate.

    Cloud availability

    • Migrating to cloud services can improve availability, as they typically offer more resilience than most organizations can afford to implement themselves.
    • However, having multiple data centers, zones, and regions doesn’t prevent all outages, as we see every year with even the largest cloud vendors.

    DR challenges for IaaS, PaaS, and cloud-native

    While there are limits to what you control, often traditional “failover” DR strategy can apply.

    High-level challenges and resilience options:

    • IaaS: No control over the hardware, but you can failover to another region. This is fairly similar to traditional DR.
    • PaaS: No control over the software platform (e.g. SQL server as a service), but you can back up your data and explore vendor options to replicate your environment.
    • Cloud-native applications: As with PaaS, you can back up your data and explore vendor options to replicate your environment.

    Plan for resilience

    • Include DR requirements when designing cloud service implementation. For example, for IaaS solutions, identify what data would need to be replicated and what services may need to be “always on” (e.g. database services where high-availability is demanded).
    • Similarly, for PaaS and cloud-native solutions, consult your vendor regarding options to build in resilience options (e.g. ability to failover to another environment).

    DR challenges for SaaS solutions

    SaaS is the biggest challenge because you have no control over any part of the base application stack.

    High-level challenges and resilience options:

    • No control over the hardware (or the facility, maintenance processes, and so on).
    • No control over the base application (control is limited to configuration settings and add-on customizations or integrations).
    • Options to back up your data will depend on the service.

    Note: The rest of this blueprint is focused primarily on SaaS resilience due to the challenges listed here. For other cloud services, leverage traditional DR strategies and vendor management to mitigate risk (as summarized on the previous slides).

    Focus on what you can control

    • For SaaS solutions in particular, you must toss out traditional DR. If Salesforce has an outage, you won’t be involved in recovering the system.
    • Instead, DR for SaaS needs to focus on improving resilience where you do have control and implementing business workarounds to bridge the gap.

    Evaluate your cloud services to clarify your specific risks

    Time and money is limited, so focus first on cloud services that are most critical and evaluate the vendors’ SLA and existing resilience capabilities.

    The activities on the next two slides will evaluate risk through two approaches:

    Activity 1: Estimate potential impact of downtime and data loss to quantify the risk and determine which cloud services are most critical and need to be prioritized. This is done through a business impact analysis that assesses:

    • Impact on revenue or costs (if applicable).
    • Impact on reputation (e.g. customer impact).
    • Impact on regulatory compliance and health and safety (if applicable).

    Activity 2: Review the vendor to identify risks and gaps. Specifically, evaluate the following:

    • Incident Management SLAs (e.g. does the SLA include RTO/RPO commitments? Do they meet your requirements?)
    • Incident Response Preparedness (e.g. does the vendor have a DRP, BCP, and security incident response plan?)
    • Data Protection (e.g. does their backup strategy and data security meet your standards?)

    Activity 1: Quantify potential impact and prioritize cloud services using a business impact analysis (BIA)

    1-3 hours

    1. Download the latest version of our DRP BIA: DRP Business Impact Analysis Tool. The tool includes instructions.
    2. Include the cloud services you want to assess in the list of applications/systems (see the tool excerpt below), and follow the BIA methodology outlined in the Create a Right-Sized Disaster Recovery Plan blueprint.
    3. Use the results to quantify potential impact and prioritize your efforts on the most-critical cloud services.

    The image contains a screenshot of the DRP Business Impact Analysis Tool.

    Materials
    • DRP BIA Tool
    Participants
    • Core group of IT management and staff who can provide a well-rounded perspective on potential impact. They will create the first draft of the BIA.
    • Review the draft BIA with relevant business leaders to refine and validate the results.

    Activity 2: Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy

    1-3 hours

    Use the Cloud Services Incident Risk and Mitigation Review Tool as follows:

    1. Send the Vendor Questionnaire tab to your cloud vendors to gather input, and review your existing agreements.
    2. Copy the vendor responses into the tool (see the instructions in the tool) and evaluate. See the example excerpt below.
    3. Identify action items to clarify gaps or address risks. Some action items might not be defined yet and will need to wait until you have had a chance to further explore risk mitigation options.

    The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

    Materials
    • Cloud Services Incident Risk and Mitigation Review Tool
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.

    Phase 2: Identify options to mitigate risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Consult your vendor to identify options to improve resilience, as a starting point

    Your vendor might also be able to suggest third parties that offer additional support, backup, or service continuity options.

    • The Vendor Questionnaire tab in the Cloud Services Incident Risk and Mitigation Review Tool includes a section at the bottom where your vendor can name additional options to improve resilience (e.g. premium support packages, potentially their own DR services).
    • If your vendor has not completed that part of the questionnaire, meet with them to discuss this. Asking service vendors about resilience has become commonplace, so they should be prepared to answer questions about their own offerings and potentially can name trusted third-party vendors who can further assist you.
    • Leverage Info-Tech’s advisory services to evaluate options outlined by your vendor and potential third-party options (e.g. enterprise backup solutions that support backing up SaaS data).

    Some SaaS solutions have plenty of resilience options; others not so much

    • The pervasiveness of O365 has led vendors to close the service continuity gap, with options to send and receive email during an outage and back up your data.
    • With many SaaS solutions, there isn’t going to be a third-party service continuity option, but you might still be able to at least back up your data and implement business process workarounds to close the service gap.

    Example SaaS risk and mitigation: O365

    Risk

    • Several outages every year (e.g. MS Teams July 20, 2022).
    • SLA exceptions include “Scheduled Downtime,” which can occur with just five days’ notice.
    • The Recycling Bin is your data backup, depending on your setup.

    Options to mitigate risk (not an exhaustive list):

    • Third-party solutions for email service continuity.
    • Several backup vendors (e.g. Veeam, Rubrik) can protect most of your O365 suite.
    • Business continuity workarounds leveraging synced OneDrive, SharePoint, and Outlook (access to calendar invites).

    Example SaaS risk and mitigation: Salesforce

    Risk

    • Downtime has been infrequent, but Salesforce did have a major outage in May 2021 (DNS issue) and May 2022 (expired certificate).
    • At the time of this writing, the Main Services Agreement does not commit to a specific uptime value and specifies the usual exclusions.
    • Similarly, there are limited commitments regarding data protection.

    Options to mitigate risk (not an exhaustive list):

    • Salesforce provides a backup and restore service offering.
    • In addition, some third-party vendors support backing up Salesforce data for additional protection against data corruption or data loss.
    • Business continuity workarounds can further reduce the impact of downtime (e.g. record updates in MS Word and leverage Outlook for contact info until Salesforce is recovered).

    Establish a baseline standard for risk mitigation, regardless of cloud service

    At a minimum, set a goal to review vendor risk at least annually, define standard processes for monitoring outages, and review options to back up your SaaS data.

    Example baseline standard for cloud risk mitigation

    • Review vendor risk at least annually. This includes reviewing SLAs, vendor’s incident preparedness (e.g. do they have a current DRP, BCP, and Security IRP?), and the vendor’s data protection strategy.
    • Incident response plans must include, at a minimum, steps to monitor vendor outage and communicate status to relevant stakeholders. Where possible, business process workarounds are defined to bridge the service gap.
    • For critical data (based on your BIA and an evaluation of risk), maintain your own backups of SaaS data for additional protection.

    Embed risk mitigation standards into existing IT operations

    • Include specific SLA requirements, including incident management processes, in your RFP process and annual vendor review.
    • Define cloud incident response in your incident management procedures.
    • Include cloud data considerations in your backup strategy reviews.

    Phase 3: Create an incident response plan

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Activity 1: Review the example incident response workflows and case studies as a starting point

    1-3 hours

    1. Review the SaaS Incident Response Workflows examples. The examples illustrate different approaches to incident response depending on the criticality of the service and options available.
    2. Review the case studies on the next few slides, which further illustrate the resilience and incident response solutions implemented.
    3. Note the key elements:
    • Detection
    • Assessment
    • Monitoring status / contacting the vendor
    • Communication with key stakeholders
    • Invoking workarounds, if applicable

    Example SaaS Incident Response Workflow Excerpt

    The image contains a screenshot of an example of the SaaS Incident Response Workflow Excerpt.
    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Relevant business process owners to provide input and define business workarounds, where applicable.

    Case Study 1: Recovery plan for critical fundraising event

    If either critical SaaS dependency fails, the following plan is executed:

    1. Donors are redirected to a predefined alternate donation page hosted by a different service. The alternate page connects to the backup payment processing service (with predefined integrations).
    2. Marketing communications support the redirect.
    3. While the backup solution doesn’t gather as much data, the payment details provide enough information to follow up with donors where necessary.

    Criticality justified a failover option

    The Annual Day of Giving generates over 50% of fundraising for the year. It’s critically dependent on two SaaS solutions that host the donation page and payment processing.

    To mitigate the risk, the organization implemented the ability to failover to an alternate “environment” – much like a traditional DR solution – supported by workarounds to manage data collection.

    Case Study 2: Protecting customer data

    Daily exports from a SaaS-hosted donations site reduce potential data loss:

    1. Daily exports to a CRM support donor profile updates and follow-ups (tax receipts, thank-you letters, etc.).
    2. The exports also mitigate the risk of data loss due to an incident with the SaaS-hosted donation site.
    3. This company is exploring more-frequent exports to further reduce the risk of data loss.

    Protecting your data gives you options

    For critical data, do you want to rely solely on the vendor’s default backup strategy?

    If your SaaS vendor is hit by ransomware or if their backup frequency doesn’t meet your needs, having your own data backup gives you options.

    It can also support business process workarounds that need to access that data while waiting for SaaS recovery.

    Case Study 3: Recovery plan for payroll

    To enable a more accurate payroll workaround, the following is done:

    1. After each payroll run, export the payroll data from the SaaS solution to a secure location.
    2. If there is a SaaS outage when payroll must be submitted, the exported data can be modified and converted to an ACH file.
    3. The ACH file is submitted to the bank, which has preapproved this workaround.

    BCP can bridge the gap

    When leadership looks to IT to mitigate cloud risk, include BCP in the discussion.

    Payroll is a good example where the best recovery option might be a business continuity workaround.

    IT often still has a role in business continuity workarounds, as in this case study: specifically, providing a solution to modify and convert the payroll data to an ACH file.

    Activity 2: Run tabletop planning exercises as a starting point to build your incident response plan

    1-3 hours

    1. Follow the tabletop planning instructions provided in the Create a Right-Sized Disaster Recovery Plan blueprint.
    2. Run the exercise for each cloud service. Keep the scenario generic at first (e.g. cloud service is down with no reported root cause) so you can focus on your response. Capture response steps and gaps.
    3. Add complexity in subsequent exercises (e.g. data loss plus downtime), and use that to expand and refine the workflow as needed.
    4. Use the resulting workflows as the core piece of your incident response plan.
    5. Supplement the workflow with relevant checklists or procedures. At this point you can choose to incorporate this into your DRP or BCP or maintain these documents as supplements to those plans.
      See the DRP Case Study and BCP Case Study for an example of DRP-BCP documentation.

    Example tabletop planning results excerpt with gaps identified

    The image contains an example tabletop planning results excerpt with gaps identified.

    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Activity 3: Summarize cloud services resilience to inform senior leadership of current risks and mitigation efforts

    1-3 hours

    1. Use the Cloud Services Resilience Summary example as a template to capture the following:
    • The results of your vendor review (i.e. incident management SLAs, incident response preparedness, data protections strategy).
    • The current state of your downtime workarounds and additional data loss protection.
    • Your baseline standard for cloud services risk mitigation.
    • Summary of resilience, risks, workarounds, and data loss protection for each individual cloud service that you have reviewed.
  • Present the results to senior leadership to:
    • Highlight risks to inform business decisions to mitigate or accept those risks.
    • Summarize actions already taken to mitigate risks.
    • Communicate next steps (e.g. action items to address remaining risks).

    Cloud Services Resilience Summary – Table of Contents

    The image contains a screenshot of Cloud Services Resilience Summary – Table of Contents.
    Materials
    • Cloud Services Resilience Summary
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Summary: For cloud services, after evaluating risk, IT must adapt how they approach risk mitigation

    1. Identify failover options where possible
    • A failover strategy is possible for many cloud services (e.g. IaaS replication to another region, or failing over SaaS to an alternate solution as in case study 1).
  • At least protect your data
    • Explore supplementary backup options to protect against ransomware, data corruption, or data loss and support business continuity workarounds (see case study 2).
  • Leverage BCP to close the gap
    • This doesn’t absolve IT of its role in mitigating cloud incident risk, but business process workarounds can bridge the gap where IT options are limited (see case study 3).

    Related Info-Tech Research

    IT DRP Maturity Assessment

    Get an objective assessment of your DRP program and recommendations for improvement.

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    Develop a Business Continuity Plan

    Streamline the traditional approach to make BCP development manageable and repeatable.

    Implement Crisis Management Best Practices

    Don’t be another example of what not to do. Implement an effective crisis response plan to minimize the impact on business continuity, reputation, and profitability.

    Configuration management

    • Buy Link or Shortcode: {j2store}4|cart{/j2store}
    • Related Products: {j2store}4|crosssells{/j2store}
    • Up-Sell: {j2store}4|upsells{/j2store}
    • Download01-Title: Harness the power of Configuration Management Executive Brief
    • Download-01: Visit Link
    • member rating overall impact (scale of 10): 8.0/10
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Configuration management is all about being able to manage your assets within the support processes. That means to record what you need. Not less than that, and not more either.

    Asset Management, Configuration Management, Lifecycle Management

    Hire or Develop a World-Class CISO

    • Buy Link or Shortcode: {j2store}243|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • Current CISOs need to scope out areas of future development.

    Our Advice

    Critical Insight

    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Impact and Result

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Hire or Develop a World-Class CISO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Hire of Develop a World-Class CISO Deck – A step-by-step guide on finding or developing the CISO that best fits your organization.

    Use this blueprint to hire or develop a world-class Chief Information Security Officer (CISO) with the competencies that suit your specific organizational needs. Once you have identified the right candidate, create a plan to develop your CISO.

    • Hire or Develop a World-Class CISO – Phases 1-4

    2. CISO Core Competency Evaluation Tool – Determine which competencies your organization needs and which competencies your CISO needs to work on.

    This tool will help you determine which competencies are a priority for your organizational needs and which competencies your CISO needs to develop.

    • CISO Core Competency Evaluation Tool

    3. CISO Stakeholder Power Map Template – Visualize stakeholder and CISO relationships.

    Use this template to identify stakeholders who are key to your security initiatives and to understand your relationships with them.

    • CISO Stakeholder Power Map Template

    4. CISO Stakeholder Management Strategy Template – Develop a strategy to improve stakeholder and CISO relationships.

    Create a strategy to cultivate your stakeholder relationships and manage each relationship in the most effective way.

    • CISO Stakeholder Management Strategy Template

    5. CISO Development Plan Template – Develop a plan to support a world-class CISO.

    This tool will help you create and implement a plan to remediate competency gaps.

    • CISO Development Plan Template

    Infographic

    Further reading

    Hire or Develop a World-Class CISO

    Find a strategic and security-focused champion for your business.

    Analyst Perspective

    Create a plan to become the security leader of tomorrow

    The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

    The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.

    A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

    Cameron Smith, Research Lead, Security and Privacy

    Cameron Smith
    Research Lead, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • CEOs/CXOs are looking to hire or develop a senior security leader and aren’t sure where to start.
    • Conversely, security practitioners are looking to upgrade their skill set and are equally stuck in terms of what an appropriate starting point is.
    • Organizations are looking to optimize their security plans and move from a tactical position to a more strategic one.

    Common Obstacles

    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • You are a current CISO and need to scope out your areas of future development.

    Info-Tech’s Approach

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Info-Tech Insight
    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Your challenge

    This Info-Tech blueprint will help you hire and develop a strategic CISO

    • Security without strategy is a hacker’s paradise.
    • The outdated model of information security is tactical, where security acts as a watchdog and responds.
    • The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Around one in five organizations don’t have an individual with the sole responsibility for security1

    1 Navisite

    Info-Tech Insight
    Assigning security responsibilities to departments other than security can lead to conflicts of interest.

    Common obstacles

    It can be difficult to find the right CISO for your organization

    • The smaller the organization, the less likely it will have a CISO or equivalent position.
    • Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
    • It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

    Source: Navisite

    Only 36% of small businesses have a CISO (or equivalent position).

    48% of mid-sized businesses have a CISO.

    90% of large organizations have a CISO.

    Source: Navisite

    Strategic versus tactical

    CISOs should provide leadership based on a strategic vision 1

    Strategic CISO Tactical CISO

    Proactive

    Focus is on protecting hyperdistributed business processes and data

    Elastic, flexible, and nimble

    Engaged in business design decisions

    Speaks the language of the audience (e.g. business, financial, technical)

    Reactive

    Focus is on protecting current state

    Perimeter and IT-centric approach

    Communicates with technical jargon

    1 Journal of Computer Science and Information Technology

    Info-Tech has identified three key behaviors of the world-class CISO

    To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

    Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

    Align

    Aligning security enablement with business requirements

    Enable

    Enabling a culture of risk management

    Manage

    Managing talent and change

    Info-Tech Insight
    Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

    Info-Tech’s approach

    Understand what your organization needs in a CISO: Consider the core competencies of a CISO. Assess: Assess candidates' core competencies and the CISO's stakeholder relationships. Plan improvements: Identify resources to close competency gaps and an approach to improve stakeholder relationships. Executive development: Decide next steps to support your CISO moving forward and regularly reassess to measure progress.

    Info-Tech’s methodology to Develop or Hire a World-Class CISO

    1. Launch 2. Assess 3. Plan 4. Execute
    Phase Steps
    1. Understand the core competencies
    2. Measure security and business satisfaction and alignment
    1. Assess stakeholder relationships
    2. Assess core competencies
    1. Identify resources to address your CISO’s competency gaps
    2. Plan an approach to improve stakeholder relationships
    1. Decide next actions and support your CISO moving forward
    2. Regularly reassess to measure development and progress
    Phase Outcomes

    At the end of this phase, you will have:

    • Determined the current gaps in satisfaction and business alignment for your IT security program.
    • Identified the desired qualities in a security leader, specific to your current organizational needs.

    At the end of this phase, you will have:

    • Used the core competencies to help identify the ideal candidate.
    • Identified areas for development in your new or existing CISO.
    • Determined stakeholder relationships to cultivate.

    At the end of this phase, you will have:

    • Created a high-level plan to address any deficiencies.
    • Improved stakeholder relations.

    At the end of this phase, you will have:

    • Created an action-based development plan, including relevant metrics, due dates, and identified stakeholders. This plan is the beginning, not the end. Continually reassessing your organizational needs and revisiting this blueprint’s method will ensure ongoing development.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    CISO Core Competency Evaluation Tool

    Assess the competency levels of a current or prospective CISO and identify areas for improvement.

    Stakeholder Power Map Template

    Visualize the importance of various stakeholders and their concerns.

    Stakeholder Management Strategy Template

    Document a plan to manage stakeholders and track actions.

    Key deliverable:

    CISO Development Plan Template

    The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

    Strategic competencies will benefit the organization and the CISO

    Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

    Organizational Benefits Individual Benefits
    • Increased alignment between security and business objectives
    • Development of information security that is elastic, nimble, and flexible for the business
    • Reduction in wasted efforts and resources, and improvement in efficiency of security and the organization as a whole
    • True synergy between security and business stakeholders, where the goals of both groups are being met
    • Increased opportunity as you become a trusted partner within your organization
    • Improved relationships with peers and stakeholders
    • Less resistance and more support for security initiatives
    • More involvement and a stronger role for security at all levels of the organization

    Measured value of a world-class CISO

    Organizations with a CISO saw an average of $145,000 less in data breach costs.1

    However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

    Organizations invest a median of around $375,000 annually in their CISO.2 The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

    Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

    Tangible cost savings from having a world-class CISO Intangible cost savings from having a world-class CISO
    • Cost savings from incident reduction.
    • Cost savings achieved through optimizing information security investments, resulting in savings from previously misdiagnosed issues.
    • Cost savings from ensuring that dollars spent on security initiatives support business strategy.
    • More opportunities to create new business processes through greater alignment between security and business.
    • Improved reputation and brand equity achieved through a proper evaluation of the organization’s security posture.
    • Continuous improvement achieved through a good security assessment and measurement strategy.
    • Ability to plan for the future since less security time will be spent firefighting and more time will be spent engaged with key stakeholders.

    1 IBM Security
    2 Heidrick & Struggles International, Inc.

    Case Study

    In the middle of difficulty lies opportunity

    SOURCE
    Kyle Kennedy
    CISO, CyberSN.com

    Challenge
    The security program identified vulnerabilities at the database layer that needed to be addressed.

    The decision was made to move to a new vendor. There were multiple options, but the best option in the CISO’s opinion was a substantially more expensive service that provided more robust protection and more control features.

    The CISO faced the challenge of convincing the board to make a financial investment in his IT security initiative to implement this new software.

    Solution
    The CISO knew he needed to express this challenge (and his solution!) in a way that was meaningful for the executive stakeholders.

    He identified that the business has $100 million in revenue that would move through this data stream. This new software would help to ensure the security of all these transactions, which they would lose in the event of a breach.

    Furthermore, the CISO identified new business plans in the planning stage that could be protected under this initiative.

    Results
    The CISO was able to gain support for and implement the new database platform, which was able to protect current assets more securely than before. Also, the CISO allowed new revenue streams to be created securely.

    This approach is the opposite of the cautionary tales that make news headlines, where new revenue streams are created before systems are put in place to secure them.

    This proactive approach is the core of the world-class CISO.

    Info-Tech offers various levels of support to best suit your needs

    Guided Implementation

    What does a typical GI on this topic look like?

    Launch Assess Plan Execute

    Call #1: Review and discuss CISO core competencies.

    Call #2: Discuss Security Business Satisfaction and Alignment diagnostic results.

    Call #3: Discuss the CISO Stakeholder Power Map Template and the importance of relationships.

    Call #4: Discuss the CISO Core Competency Evaluation Tool.

    Call #5: Discuss results of the CISO Core Competency Evaluation and identify resources to close gaps.

    Call #6: Review organizational structure and key stakeholder relationships.

    Call #7: Discuss and create your CISO development plan and track your development

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 10 calls over the course of 3 to 6 months.

    Phase 1

    Launch

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Review and understand the core competencies of a world-class CISO.
    • Launch your diagnostic survey.
    • Evaluate current business satisfaction with IT security.
    • Determine the competencies that are valuable to your IT security program’s needs.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    An organization hires a new Information Security Manager into a static and well-established IT department.

    Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

    Challenges Next Steps
    • The Security Manager is an outsider in a company with well-established habits and protocols. He is tasked with revamping the security strategy to create unified threat management.
    • Initial proposals for information security improvements are rejected by executives. It is a challenge to implement changes or gain support for new initiatives.
    • The Security Manager will engage with individuals in the organization to learn about the culture and what is important to them.
    • He will assess existing misalignments in the business so that he can target problems causing real pains to individuals.

    Follow this case study throughout the deck to see this organization’s results

    Step 1.1

    Understand the Core Competencies of a World-Class CISO

    Activities

    Review core competencies the security leader must develop to become a strategic business partner

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Analysis and understanding of the eight strategic CISO competencies required to become a business partner

    Launch

    Core competencies

    Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

    Business Acumen
    A CISO must focus primarily on the needs of the business.

    Leadership
    A CISO must be a security leader and not simply a practitioner.

    Communication
    A CISO must have executive communication skills

    Technical Knowledge
    A CISO must have a broad technical understanding.

    Innovative Problem Solving
    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.”

    Vendor Management
    Vendor and financial management skills are critical to becoming a strategic CISO.

    Change Management
    A CISO improves security processes by being an agent of change for the organization.

    Collaboration
    A CISO must be able to use alliances and partnerships strategically.

    1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

    < 1 hour

    Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

    CISO Competencies Description
    Business Acumen

    A CISO must focus primarily on the needs of the business and how the business works, then determine how to align IT security initiatives to support business initiatives. This includes:

    • Contributing to business growth with an understanding of the industry, core functions, products, services, customers, and competitors.
    • Understanding the business’ strategic direction and allowing it to securely capitalize on opportunities.
    • Understanding the key drivers of business performance and the use of sound business practice.
    Leadership

    A CISO must be a security leader, and not simply a practitioner. This requires:

    • Developing a holistic view of security, risk, and compliance for the organization.
    • Fostering a culture of risk management.
    • Choosing a strong team. Having innovative and reliable employees who do quality work is a critical component of an effective department.
      • This aspect involves identifying talent, engaging your staff, and managing their time and abilities.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Communication

    Many CISOs believe that using technical jargon impresses their business stakeholders – in fact, it only makes business stakeholders become confused and disinterested. A CISO must have executive communication skills. This involves:

    • Clearly communicating with business leaders in meaningful language (i.e. business, financial, social) that they understand by breaking down the complexities of IT security into simple and relatable concepts.
    • Not using acronyms or technological speak. Easy-to-understand translations will go a long way.
    • Strong public speaking and presentation abilities.
    Technical Knowledge

    A CISO must have a broad technical understanding of IT security to oversee a successful security program. This includes:

    • Understanding key security and general IT technologies and processes.
    • Assembling a complementary team, because no individual can have deep knowledge in all areas.
    • Maintaining continuing education to stay on top of emerging technologies and threats.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Innovative Problem Solving

    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.” This can include:

    • Taking an active role in seizing opportunities created by emerging technologies.
    • Facilitating the secure implementation of new, innovative revenue models.
    • Developing solutions for complex business problems that require creativity and ingenuity.
    • Using information and technology to drive value around the customer experience.
    Vendor Management

    With the growing use of “anything as a service,” negotiation, vendor, and financial management skills are critical to becoming a strategic CISO.

    • The CISO must be able to evaluate service offerings and secure favorable contracts with the right provider. It is about extracting the maximum value from vendors for the dollars you are spending.
    • Vendor products must be aligned with future business plans to create maximum ongoing value.
    • The CISO must develop financial management skills. This includes the ability to calculate total cost of ownership, return on investment, and project spending over multiyear business plans.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Change Management

    A world-class CISO improves security processes by being an agent of change for the organization. This involves:

    • Leading, guiding, and motivating teams to adopt a responsible risk management culture.
    • Communicating important and complex ideas in a persuasive way.
    • Demonstrating an ability to change themselves and taking the initiative in adopting more efficient behaviors.
    • Handling unplanned change, such as unforeseen attacks or personnel changes, in a professional and proactive manner.
    Collaboration

    A CISO must be able to use alliances and partnerships strategically to benefit both the business and themselves. This includes:

    • Identifying formal and informal networks and constructive relationships to enable security development.
    • Leveraging stakeholders to influence positive outcomes for the organization.
    • Getting out of the IT or IT security sphere and engaging relationships in diverse areas of the organization.

    Step 1.2

    Evaluate satisfaction and alignment between the business and IT security

    Activities

    • Conduct the Information Security Business Satisfaction and Alignment diagnostic
    • Use your results as input into the CISO Core Competency Evaluation Tool

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Determine current gaps in satisfaction and alignment between information security and your organization.

    If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.

    If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.

    For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.

    Launch

    1.2 Get started by conducting Info-Tech’s Information Security Business Satisfaction and Alignment diagnostic

    Suggested Time: One week for distribution, completion, and collection of surveys
    One-hour follow-up with an Info-Tech analyst

    The primary goal of IT security is to protect the organization from threats. This does not simply mean bolting everything down, but it means enabling business processes securely. To do this effectively requires alignment between IT security and the overall business.

    • Once you have completed the diagnostic, call Info-Tech to review your results with one of our analysts.
    • The results from this assessment will provide insights to inform your entries in the CISO Core Competency Evaluation Tool.

    Call an analyst to review your results and provide you with recommendations.

    Info-Tech Insight
    Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    • Your diagnostic results will indicate where your information security program is aligned well or poorly with your business.
    • For example, the diagnostic may show significant misalignment between information security and executives over the level of external compliance. The CISO behavior that would contribute to solving this is aligning security enablement with business requirements.
      • This misalignment may be due to a misunderstanding by either party. The competencies that will contribute to resolving this are communication, technical knowledge, and business acumen.
      • This mapping method is what will be used to determine which competencies are most important for your needs at the present moment.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Starting on Tab 2: CISO Core Competencies, use your understanding of each competency from section 1.1 along with the definitions described in the tool.
      • For each competency, assign a degree of importance using the drop-down menu in the second column from the right.
      • Importance ratings will range from not at all important at the low end to critically important at the high end.
      • Your importance score will be influenced by several factors, including:
        • The current alignment of your information security department.
        • Your organizational security posture.
        • The size and structure of your organization.
        • The existing skills and maturity within your information security department.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Still on Tab 2. CISO Core Competencies, you will now assign a current level of effectiveness for each competency.
      • This will range from foundational at a low level of effectiveness up to capable, then inspirational, and at the highest rating, transformational.
      • Again, this rating will be very specific to your organization, depending on your structure and your current employees.
      • Fundamentally, these scores will reflect what you want to improve in the area of information security. This is not an absolute scale, and it will be influenced by what skills you want to support your goals and direction as an organization.

    Download the CISO Core Competency Evaluation Tool

    Phase 2

    Assess

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Use the CISO Core Competency Evaluation Tool to create and implement an interview guide.
    • Assess and analyze the core competencies of your prospective CISOs. Or, if you are a current CISO, use the CISO Core Competency Evaluation Tool as a self-analysis and identify areas for personal development.
    • Evaluate the influence, impact, and support of key executive business stakeholders using the CISO Stakeholder Power Map Template.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager engages with employees to learn the culture.

    Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.

    Actions Next Steps
    • The Security Manager determines that he must use low-cost small wins to integrate with the organizational culture and create trust and buy-in and investment will follow.
    • The Security Manager starts a monthly newsletter to get traction across the organization, create awareness of his mandate to improve information security, and establish himself as a trustworthy partner.
    • The Security Manager will identify specific ways to engage and change the culture.
    • Create a persuasive case for investing in information security based on what resonates with the organization.

    Follow this case study throughout the deck to see this organization’s results

    Step 2.1

    Identify key stakeholders for the CISO and assess current relationships

    Activities

    Evaluate the power, impact, and support of key stakeholders

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Power map of executive business stakeholders
    • Evaluation of each stakeholder in terms of influence, impact, and current level of support

    Assess

    Identify key stakeholders who own business processes that intersect with security processes

    Info-Tech Insight
    Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.

    The above insight has two implications:

    1. The CISO needs to understand the key business processes and who owns them, because these are the people they will need to collaborate with. Like any C-level, the CISO should be one of the most knowledgeable people in the organization regarding business processes.
    2. Each of these stakeholders stands to win or lose depending on the performance of their process, and they can act to either block or enable your progress.
      • To work effectively with these stakeholders, you must learn what is important to them, and pose your initiatives so that you both benefit.

    When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.

    You need to be involved from the start … from the earliest part of planning.

    The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”

    The CISO needs to be the enabling security asset that drives business.

    – Elliot Lewis, CEO at Keyavi Data

    Evaluate the importance of business stakeholders and the support necessary from them

    The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.

    At a glance, this tool should show:

    • How influential each stakeholder is within the company.
    • How supportive they currently are of the CISO’s initiatives.
    • How strongly each person is impacted by IT security activities.

    Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.

    Evaluate the importance of business stakeholders and the support necessary from them

    Download the CISO Stakeholder Power Map Template

    Evaluate the importance of business stakeholders and the support necessary from them

    1. Identify key stakeholders.
      1. Focus on owners of important business processes.
    2. Evaluate and map each stakeholder in terms of:
      1. Influence (up/down)
      2. Support (left/right)
      3. Impact (size of circle)
      4. Involvement (color of circle)
    3. Decide whether the level of support from each stakeholder needs to change to facilitate success.

    Evaluate the importance of business stakeholders and the support necessary from them

    Info-Tech Insight
    Some stakeholders must work closely with your incoming CISO. It is worth consideration to include these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.

    Where can you find your desired CISO?

    Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.

    Internal

    Take some time to review your current top information security employees or managers. It may be immediately clear that certain people will or will not be suitable for the CISO role. For those that have potential, proceed to Step 2.2 to map their competencies.

    Recruitment

    If you do not have any current employees that will fit your new CISO profile, or you have other reasons for wanting to bring in an outside individual, you can begin the recruitment process. This could start by posting the position for applications or by identifying and targeting specific candidates.

    Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.

    Use the CISO job description template

    Alternatives to hiring a CISO

    Small organizations are less able to muster the resources required to find and retain a CISO,

    Technical Counselor Seat

    In addition to having access to our research and consulting services, you can acquire a Technical Counselor Seat from our Security & Risk practice, where one of our senior analysts would serve with you on a retainer. You may find that this option saves you the expense of having to hire a new CISO altogether.

    Virtual CISO

    A virtual CISO, or vCISO, is essentially a “CISO as a service.” A vCISO provides an organization with an experienced individual that can, on a part-time basis, lead the organization’s security program through policy and strategy development.

    Why would an organization consider a vCISO?

    • A vCISO can provide services that are flexible, technical, and strategic and that are based on the specific requirements of the organization.
    • They can provide a small organization with program maturation within the organization’s resources.
    • They can typically offer depth of experience beyond what a small business could afford if it were to pursue a full-time CISO.

    Source: InfoSec Insights by Sectigo Store

    Why would an organization not consider a vCISO?

    • The vCISO’s attention is divided among their other clients.
    • They won’t feel like a member of your organization.
    • They won’t have a deep understanding of your systems and processes.

    Source: Georgia State University

    Step 2.2

    Assess CISO candidates and evaluate their current competency

    Activities

    Assess CISO candidates in terms of desired core competencies

    or

    Self-assess your personal core competencies

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    and

    • Any key stakeholders or collaborators you choose to include in the assessment process

    Outcomes of this step

    • You have assessed your requirements for a CISO candidate.
    • The process of hiring is under way, and you have decided whether to hire a CISO, develop a CISO, or consider a Counselor Seat as another option.

    Assess

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Download the CISO Core Competency Evaluation Tool

    Info-Tech Insight
    The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.

    Your first pass on this tool will be to look at internal candidates. This is the develop a CISO option.

    1. In the previous phase, you rated the Importance and Current Effectiveness for each competency in Tab 2. CISO Core Competencies. In this step, use Tab 3. Gap Analysis to enter a Minimum Level and a Desired Level for each competency. Keep in mind that it may be unrealistic to expect a candidate to be fully developed in all aspects.
    2. Next, enter a rating for your candidate of interest for each of the eight competencies.
    3. This scorecard will generate an overall suitability score for the candidate. The color of the output (from red to green) indicates the suitability, and the intensity of the color indicates the importance you assigned to that competency.

    Download the CISO Core Competency Evaluation Tool

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    • If the internal search does not identify a suitable candidate, you will want to expand your search.
    • Repeat the scoring process for external candidates until you find your new CISO.
    • You may want to skip your external search altogether and instead contact Info-Tech for more information on our Counselor Seat options.

    Download the CISO Core Competency Evaluation Tool

    Phase 3

    Plan

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Create a plan to develop your competency gaps.
    • Construct and consider your organizational model.
    • Create plan to cultivate key stakeholder relationships.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager changes the security culture by understanding what is meaningful to employees.

    Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.

    Actions Next Steps
    • The Security Manager identifies recent events where ransomware and social engineering attacks were successful in penetrating the organization.
    • He uses his newsletter to create organization-wide discussion on this topic.
    • This very personal example makes employees more receptive to the Security Manager’s message, enabling the culture of risk management.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Follow this case study throughout the deck to see this organization’s results

    Step 3.1

    Identify resources for your CISO to remediate competency gaps

    Activities

    Create a plan to remediate competency gaps

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Identification of core competency deficiencies
    • A plan to close the gaps

    Plan

    3.1 Close competency gaps with Info-Tech’s Cybersecurity Workforce Development Training

    Resources to close competency gaps

    Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.

    The program builds critical skills through:

    • Standardized curriculum with flexible projects tailored to business needs
    • Realistic cyber range scenarios
    • Ready-to-deploy security deliverables
    • Real assurance of skill development

    Info-Tech Insight
    Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.

    Learn more on the Cybersecurity Workforce Development webpage

    3.1 Identify resources for your CISO to remediate competency gaps

    < 2 hours

    CISO Competencies Description
    Business Acumen

    Info-Tech Workshops & Blueprints

    Actions/Activities

    • Take a business acumen course: Acumen Learning, What the CEO Wants You to Know: Building Business Acumen.
    • Meet with business stakeholders. Ask them to take you through the strategic plan for their department and then identify opportunities where security can provide support to help drive their initiatives.
    • Shadow another C-level executive. Understand how they manage their business unit and demonstrate an eagerness to learn.
    • Pursue an MBA or take a business development course.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Leadership

    Info-Tech Training and Blueprints

    Action/Activities

    • Communicate your vision for security to your team. You will gain buy-in from your employees by including them in the creation of your program, and they will be instrumental to your success.

    Info-Tech Insight
    Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Communication

    Info-Tech Workshops & Blueprints

    Build and Deliver an Optimized IT Update Presentation: Show IT’s value and relevance by dropping the technical jargon and speaking to the business in their terms.

    Master Your Security Incident Response Communications Program: Learn how to talk to your stakeholders about what’s going on when things go wrong.

    Develop a Security Awareness and Training Program That Empowers End Users: Your weakest link is between the keyboard and the chair, so use engaging communication to create positive behavior change.

    Actions/Activities

    Learn to communicate in the language of your audience (whether business, finance, or social), and frame security solutions in terms that are meaningful to your listener.

    Technical Knowledge

    Actions/Activities

    • In many cases, the CISO is progressing from a strong technical background, so this area is likely a strength already.
    • However, as the need for executive skills are being recognized, many organizations are opting to hire a business or operations professional as a CISO. In this case, various Info-Tech blueprints across all our silos (e.g. Security, Infrastructure, CIO, Apps) will provide great value in understanding best practices and integrating technical skills with the business processes.
    • Pursue an information security leadership certification: GIAC, (ISC)², and ISACA are a few of the many organizations that offer certification programs.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Innovative Problem Solving

    Info-Tech Workshops & Blueprints

    Actions/Activities

    Vendor Management

    Info-Tech Blueprints & Resources

    Actions/Activities

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Change Management

    Info-Tech Blueprints

    Actions/Activities

    • Start with an easy-win project to create trust and support for your initiatives.
    Collaboration

    Info-Tech Blueprints

    Actions/Activities

    • Get out of your office. Have lunch with people from all areas of the business. Understanding the goals and the pains of employees throughout your organization will help you to design effective initiatives and cultivate support.
    • Be clear and honest about your goals. If people know what you are trying to do, then it is much easier for them to work with you on it. Being ambiguous or secretive creates confusion and distrust.

    3.1 Create the CISO’s personal development plan

    • Use Info-Tech’s CISO Development Plan Template to document key initiatives that will close previously identified competency gaps.
    • The CISO Development Plan Template is used to map specific actions and time frames for competency development, with the goal of addressing competency gaps and helping you become a world-class CISO. This template can be used to document:
      • Core competency gaps
      • Security process gaps
      • Security technology gaps
      • Any other career/development goals
    • If you have a coach or mentor, you should share your plan and report progress to that person. Alternatively, call Info-Tech to speak with an executive advisor for support and advice.
      • Toll-Free: 1-888-670-8889

    What you will need to complete this exercise

    • CISO Core Competency Evaluation Tool results
    • Information Security Business Satisfaction and Alignment diagnostic results
    • Insights gathered from business stakeholder interviews

    Step 3.2

    Plan an approach to improve your relationships

    Activities

    • Review engagement strategies for different stakeholder types
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Stakeholder relationship strategy deliverable

    Plan

    Where should the CISO sit?

    Where the CISO sits in the organization can have a big impact on the security program.

    • Organizations with CISOs in the C-suite have a fewer security incidents.1
    • Organizations with CISOs in the C-suite generally have better IT ability.1
    • An organization whose CISO reports to the CIO risks conflict of interest.1
    • 51% of CISOs believe their effectiveness can be hampered by reporting lines.2
    • Only half of CISOs feel like they are in a position to succeed.2

    A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.

    Who the CISO reports to, by percentage of organizations3

    Who the CISO reports to, by percentage of organizations

    Download the Implement a Security Governance and Management Program blueprint

    1. Journal of Computer Science and Information
    2. Proofpoint
    3. Heidrick & Struggles International, Inc

    3.2 Make a plan to manage your key stakeholders

    Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.

    Influence Mediators
    (Satisfy)
    Key Players
    (Engage)
    Spectators
    (Monitor)
    Noisemakers
    (Inform)
    Support for you

    When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.

    I don’t want to be the “No” guy, I want to enable the business. I want to find to secure options and say, “Here is how we can do this.”

    – James Miller, Information Security Director, Xavier University

    Download the CISO Stakeholder Management Strategy Template

    Key players – Engage

    Goal Action
    Get key players to help champion your initiative and turn your detractors into supporters. Actively involve key players to take ownership.
    Keep It Positive Maintain a Close Relationship
    • Use their positive support to further your objectives and act as your foundation of support.
    • Key players can help you build consensus among other stakeholders.
    • Get supporters to be vocal in your town halls.
    • Ask them to talk to other stakeholders over whom they have influence.
    • Get some quick wins early to gain and maintain stakeholder support and help convert them to your cause.
    • Use their influence and support to help persuade blockers to see your point of view.
    • Collaborate closely. Key players are tuned in to information streams that are important. Their advice can keep you informed and save you from being blindsided.
    • Keep them happy. By definition, these individuals have a stake in your plans and can be affected positively or negatively. Going out of your way to maintain relationships can be well worth the effort.

    Info-Tech Insight
    Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.

    Mediators – Satisfy

    Goal Action
    Turn mediators into key players Increase their support level.
    Keep It Positive Maintain a Close Relationship
    • Make stakeholders part of the conversation by consulting them for input on planning and strategy.
    • Sample phrases:
      • “I’ve heard you have experience in this area. Do you have time to answer a few questions?”
      • “I’m making some decisions and I would value your thoughts. Can I get your perspective on this?”
    • Enhance their commitment by being inclusive. Encourage their support whenever possible.
    • Make them feel acknowledged and solicit feedback.
    • Listen to blockers with an open mind to understand their point of view. They may have valuable insight.
    • Approach stakeholders on their individual playing fields.
      • They want to know that you understand their business perspective.
    • Stubborn mediators might never support you. If consulting doesn’t work, keep them informed of important decision-making points and give them the opportunity to be involved if they choose to be.

    Info-Tech Insight
    Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.

    Noisemakers – Inform

    Goal Action
    Have noisemakers spread the word to increase their influence. Encourage noisemakers to influence key stakeholders.
    Keep It Positive Maintain a Close Relationship
    • Identify noisemakers who have strong relationships with key stakeholders and focus on them.
      • These individuals may not have decision-making power, but their opinions and advice may help to sway a decision in your favor.
    • Look for opportunities to increase their influence over others.
    • Put effort into maintaining the positive relationship so that it doesn’t dwindle.
    • You already have this group’s support, but don’t take it for granted.
    • Be proactive, pre-emptive, and transparent.
    • Address issues or bad news early and be careful not to exaggerate their significance.
    • Use one-on-one meetings to give them an opportunity to express challenges in a private setting.
    • Show individuals in this group that you are a problem-solver:
      • “The implementation was great, but we discovered problems afterward. Here is what we’re doing about it.”

    Spectators – Monitor

    Goal Action
    Keep spectators content and avoid turning them into detractors. Keep them well informed.
    Keep It Positive Maintain a Close Relationship
    • A hands-on approach is not required with this group.
    • Keep them informed with regular, high-altitude communications and updates.
    • Use positive, exciting announcements to increase their interest in your initiatives.
    • Select a good venue for generating excitement and assessing the mood of spectators.
    • Spectators may become either supporters or blockers. Monitor them closely and keep in touch with them to stop these individuals from becoming blockers.
    • Listen to questions from spectators carefully. View any engagement as an opportunity to increase participation from this group and generate a positive shift in interest.

    3.2 Create the CISO’s stakeholder management strategy

    Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.

    • The purpose of the CISO Stakeholder Management Strategy Template is to document the results of the power mapping exercise, create a plan to proactively manage stakeholders, and track the actions taken.
    • Use this in concert with Info-Tech’s CISO Stakeholder Power Map Template to help visualize the importance of key stakeholders to your personal development. You will document:
      • Stakeholder role and type.
      • Current relationship with the stakeholder.
      • Level of power/influence and degree of impact.
      • Current and desired level of support.
      • Initiatives that require the stakeholder’s engagement.
      • Actions to be taken – along with the status and results.

    What you will need to complete this exercise

    • Completed CISO Stakeholder Power Map
    • Security Business Satisfaction and Alignment Diagnostic results

    Download the CISO Stakeholder Management Strategy Template

    Phase 4

    Execute

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Populate the CISO Development Plan Template with appropriate targets and due dates.
    • Set review and reassess dates.
    • Review due dates with CISO.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager leverages successful cultural change to gain support for new security investments.

    Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.

    Actions Next Steps
    • By fostering positive relationships throughout the organization, the Security Manager has improved the security culture and established himself as a trusted partner.
    • In an organization that had seen very little change in years, he has used well developed change management, business acumen, leadership, communication, collaboration, and innovative problem-solving competencies to affect his initiatives.
    • He can now return to the board with a great deal more leverage in seeking support for security investments.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Step 4.1

    Decide next actions and support your CISO moving forward

    Activities

    • Complete the Info-Tech CISO Development Plan Template
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Next actions for each of your development initiatives

    Execute

    Establish a set of first actions to set your plan into motion

    The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.

    • By this point, the CISO is working on the personal competency development while simultaneously overseeing improvements across the security program, managing stakeholders, and seeking new business initiatives to engage with. This can be a lot to juggle effectively.
    • Disparate initiatives like these can hinder progress by creating confusion.
    • By distilling your plan down to Subject > Action > Outcome, you immediately restore focus and turn your plans into actionable items.
    • The outcome is most valuable when it is measurable. This makes progress (or lack of it) very easy to track and assess, so choose a meaningful metric.
    Item to Develop
    (competency/process/tech)
    First Action Toward Development
    Desired Outcome, Including a Measurable Indicator

    Download the CISO Development Plan Template

    4.1 Create a CISO development plan to keep all your objectives in one place

    Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:

    Your Item to Develop The Next Action Required The Target Outcome
    This could be a CISO competency, a security process item, a security technology item, or an important relationship (or something else that is a priority). This could be as simple as “schedule lunch with a stakeholder” or “email Info-Tech to schedule a Guided Implementation call.” This part of the tool is meant to be continually updated as you progress through your projects. The strength of this approach is that it focuses your project into simple actionable steps that are easily achieved, rather than looking too far down the road and seeing an overwhelming task ahead. This will be something measurable like “reduce spending by 10%” or “have informal meeting with leaders from each department.”

    Info-Tech Insight
    A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
    “Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.

    4.1 Create a CISO development plan to keep all your objectives in one place

    Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.

    The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.

    You may also want to include improvements to the organization’s security program as part of the CISO development plan.

    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication
    Executive
    communication
    Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication
    Improve stakeholder
    relationships
    Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program

    4.1 Use your action plan to track development progress and inform stakeholders

    • As you progress toward your goals, continually update the CISO development plan. It is meant to be a living document.
    • The Next Action Required should be updated regularly as you make progress so you can quickly jump in and take meaningful actions without having to reassess your position every time you open the plan. This is a simple but very powerful method.
    • To view your initiatives in customizable ways, you can use the drop-down menu on any column header to sort your initiatives (i.e. by due date, completed status, area for development). This allows you to quickly and easily see a variety of perspectives on your progress and enables you to bring upcoming or incomplete projects right to the top.
    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication
    Executive
    communication
    Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication
    Improve stakeholder
    relationships
    Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Step 4.2

    Regularly reassess to track development and progress

    Activities

    Create a calendar event for you and your CISO, including which items you will reassess and when

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Scheduled reassessment of the CISO’s competencies

    Execute

    4.2 Regularly evaluate your CISO’s progress

    < 1 day

    As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.

    Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).

    1. Sit down and re-evaluate your CISO core competencies using the CISO Core Competency Evaluation Tool.
    2. Analyze your relationships using the CISO Stakeholder Power Map Template.
    3. Compare all of these against your previous results to see what areas you have strengthened and decide if you need to focus on a different area now.
    4. Consider your CISO Development Plan Template and decide whether you have achieved your desired outcomes. If not, why?
    5. Schedule your next reassessment, then create a new plan for the upcoming quarter and get started.
    Materials
    • Laptop
    • CISO Development Plan Template
    Participants
    • CISO
    • Hiring executive (possibly)
    Output
    • Complete CISO and security program development plan

    Summary of Accomplishment

    Knowledge Gained

    • Understanding of the competencies contributing to a successful CISO
    • Strategic approach to integrate the CISO into the organization
    • View of various CISO functions from a variety of business and executive perspectives, rather than just a security view

    Process Optimized

    • Hiring of the CISO
    • Assessment and development of stakeholder relationships for the CISO
    • Broad planning for CISO development

    Deliverables Completed

    • IT Security Business Satisfaction and Alignment Diagnostic
    • CISO Core Competency Evaluation Tool
    • CISO Stakeholder Power Map Template
    • CISO Stakeholder Management Strategy Template
    • CISO Development Plan Template

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation

    Contact your account representative for more information

    workshop@infotech.com
    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.

    The First 100 Days as CISO
    Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.

    Implement a Security Governance and Management Program
    Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.

    Research Contributors

    • Mark Lester, Information Security Manager, South Carolina State Ports Authority
    • Kyle Kennedy, CISO, CyberSN.com
    • James Miller, Information Security Director, Xavier University
    • Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
    • Andrew Maroun, Enterprise Security Lead, State of California
    • Brian Bobo, VP Enterprise Security, Schneider National
    • Candy Alexander, GRC Security Consultant, Towerall Inc.
    • Chad Fulgham, Chairman, PerCredo
    • Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
    • Diane Kelly, Information Security Manager, Colorado State Judicial Branch
    • Jeffrey Gardiner, CISO, Western University
    • Joey LaCour, VP & Chief Security, Colonial Savings
    • Karla Thomas, Director IT Global Security, Tower Automotive
    • Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
    • Lisa Davis, CEO, Vicinage
    • Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
    • Peter Clay, CISO, Qlik
    • Robert Banniza, Senior Director IT Center Security, AMSURG
    • Tim Tyndall, Systems Architect, Oregon State

    Bibliography

    Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.

    Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey" Heidrick & Struggles International, Inc. September 6, 2022. Accessed 30 Sep. 2022.

    IBM Security. "Cost of a Data Breach Report 2022" IBM. August 1, 2022. Accessed 9 Nov. 2022.

    Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed Nov 22. 2022.

    Milica, Lucia. “Proofpoint 2022 Voice of the CISO Report” Proofpoint. May 2022. Accessed 6 Oct. 2022.

    Navisite. "The State of Cybersecurity Leadership and Readiness" Navisite. November 9, 2021. Accessed 9 Nov. 2022.

    Shayo, Conrad, and Frank Lin. “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function” Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.

    Streamline Application Management

    • Buy Link or Shortcode: {j2store}403|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $64,272 Average $ Saved
    • member rating average days saved: 40 Average Days Saved
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
    • Many organizations lack the critical management capabilities to balance maintenance with new development and ensure high product value.
    • Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on management when it becomes a problem.
    • The lack of governance and practice accountability leaves application management in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated.

    Our Advice

    Critical Insight

    • New features, fixes, and enhancements are all treated the same and managed in a single backlog. Teams need to focus on prioritizing their efforts on what is valuable to the organization, not to a single department.
    • Business integration is not optional. The business (i.e. product owners) must be represented in guiding delivery efforts and performing ongoing validation and verification of new features and changes.

    Impact and Result

    • Justify the necessity to optimize application management. Gain a grounded understanding of stakeholder objectives and validate their achievability against the current maturity of application management.
    • Strengthen backlog management practices. Obtain a holistic picture of the business and technical impacts, risks, value, complexity, and urgency of each backlog item in order to justify its priority and relevance. Apply the appropriate management approach to each software product according to its criticality and value to the business.
    • Establish and govern a repeatable process. Develop a management process with well-defined steps, quality controls, and roles and responsibilities, and instill good practices to improve the success of delivery.

    Streamline Application Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should sustain your application management practice, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your priorities

    State the success criteria of your application management practice through defined objectives and metrics. Assess your maturity.

    • Streamline Application Management – Phase 1: Define Your Priorities
    • Application Management Strategy Template
    • Application Management Maturity Assessment Tool

    2. Govern application management

    Structure your application management governance model with the right process and roles. Inject product ownership into your practice.

    • Streamline Application Management – Phase 2: Govern Application Management

    3. Build your optimization roadmap

    Build your application management optimization roadmap to achieve your target state.

    • Streamline Application Management – Phase 3: Build Your Optimization Roadmap
    [infographic]

    Workshop: Streamline Application Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Priorities

    The Purpose

    State the success criteria of your application management practice through defined objectives and metrics.

    Assess your maturity.

    Key Benefits Achieved

    Grounded stakeholder expectations

    Application management maturity and identification of optimization opportunities

    Activities

    1.1 Set your objectives.

    1.2 Assess your maturity.

    Outputs

    Application management objectives and metrics

    Application management maturity and optimization opportunities

    2 Govern Application Management

    The Purpose

    Structure your application management governance model with the right process and roles.

    Inject product ownership into your practice.

    Key Benefits Achieved

    Management approach aligned to product value and criticality

    Management techniques to govern the product backlog

    Target-state application management process and roles

    Activities

    2.1 Select your management approach.

    2.2 Manage your single product backlog.

    2.3 Optimize your management process.

    2.4 Define your management roles.

    Outputs

    Application management approach for each application

    Product backlog management practices

    Application management process

    Application management roles and responsibilities and communication flow

    3 Build Your Optimization Roadmap

    The Purpose

    Build your application management optimization roadmap to achieve your target state.

    Key Benefits Achieved

    Optimization opportunities

    Application management optimization roadmap

    Activities

    3.1 Build your optimization roadmap.

    Outputs

    Application management optimization roadmap

    Scale Business Process Automation

    • Buy Link or Shortcode: {j2store}241|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Business process automation (BPA) adoption gained significant momentum as your business leaders saw the positive outcomes in your pilots, such as improvements in customer experience, operational efficiencies, and cost optimizations.
    • Your stakeholders are ready to increase their investments in more process automation solutions. They want to scale initial successes to other business and IT functions.
    • However, it is unclear how BPA can be successfully scaled and what benefits can be achieved from it.

    Our Advice

    Critical Insight

    The shift from isolated, task-based automations in your pilot to value-oriented, scaled automations brings new challenges and barriers to your organization such as:

    • Little motivation or tolerance to change existing business operations to see the full value of BPA.
    • Overinvesting in current BPA technologies to maximize the return despite available alternatives that can do the same tasks better.
    • BPA teams are ill-equipped to meet the demands and complexities of scaled BPA implementations.

    Impact and Result

    • Ground your scaling expectations. Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    • Define your scaling journey. Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    • Prepare to scale BPA. Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Scale Business Process Automation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scale Business Process Automation Deck – A guide to learn the opportunities and values of scaling business process automation.

    This research walks you through the level setting of your scaled business process automation (BPA) expectations, factors to consider in defining your scaled BPA journey, and assessing your readiness to scale BPA.

    • Scale Business Process Automation Storyboard

    2. Scale Business Process Automation Readiness Assessment – A tool to help you evaluate your readiness to scale business process automation.

    Use this tool to identify key gaps in the people, processes, and technologies you need to support the scaling of business process automation (BPA). It also contains a canvas to facilitate your discussions around business process automation with your stakeholders and BPA teams.

    • Scale Business Process Automation Readiness Assessment
    [infographic]

    Further reading

    Scale Business Process Automation

    Take a value-first approach to automate the processes that matter

    Analyst Perspective

    Scaling business process automation (BPA) is an organization-wide commitment

    Business and IT must work together to ensure the right automations are implemented and BPA is grown and matured in a sustainable way. However, many organizations are not ready to make this commitment. Managing the automation demand backlog, coordinating cross-functional effort and organizational change, and measuring BPA value are some of the leading factors challenging scaling BPA.

    Pilot BPA with the intent to scale it. Pilots are safe starting points to establish your foundational governance and management practices and build the necessary relationships and collaborations for you to be successful. These factors will then allow you to explore more sophisticated, complicated, and innovative opportunities to drive new value to your team, department, and organization.

    A picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Business process automation (BPA) adoption gained significant momentum as your business leaders see the positive outcomes in your pilots, such as improvements in customer experience, operational efficiencies, and cost optimizations.
    • Your stakeholders are ready to increase their investments in more process automation solutions. They want to scale initial successes to other business and IT functions.
    • However, it is unclear how BPA can be successfully scaled and what benefits can be achieved from it.

    Common Obstacles

    The shift from isolated, task-based automations in your pilot to value-oriented and scaled automations brings new challenges and barriers to your organization:

    • Little motivation or tolerance to change existing business operations to see the full value of BPA.
    • Overinvesting in current BPA technologies to maximize return despite available alternatives that can do the same tasks better.
    • BPA teams are ill-equipped to meet the demands and complexities of scaled BPA implementations.

    Info-Tech's Approach

    • Ground your scaling expectations. Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    • Define your scaling journey. Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    • Prepare to scale BPA. Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Info-Tech Insight

    Take a value-first approach in your scaling business process automation (BPA) journey. Low-risk, task-oriented automations are good starting points to introduce BPA but constrain the broader returns your organization wants. Business value can only scale when everything and everyone in your processes are working together to streamline the entire value stream rather than the small gains from optimizing small, isolated automations.

    Scale Business Process Automation

    Take a value-first approach to automate the processes that matter

    Pilot Your BPA Capabilities

    • Learn the foundation practices to design, deliver, and support BPA.
    • Understand the fit and value of BPA.
    • Gauge the tolerance for business operational change and system risk.

    See Info-Tech's Build a Winning Business Process Automation Playbook blueprint for more information.

    Build Your Scaling BPA Vision

    Apply Lessons Learned to Scale

    1. Ground Your Scaling Expectations
      Set realistic and achievable goals centered on driving business value to the entire organization by optimizing and automating end-to-end business processes.
    2. Define Your Scaling Journey
      Tailor your scaling approach according to your ability to ease BPA implementation, to broaden BPA adoption, and to loosen BPA constraints.
    3. Prepare to Scale BPA
      Cement your BPA management and governance foundations to support BPA scaling using the lessons learned from your pilot implementation.

    Research deliverable

    Design and communicate your approach to scale business process automation with Info-Tech's Scale Business Process Automation Readiness Assessment:

    • Level set your scaled BPA goals and objectives.
    • Discuss and design your scaled BPA journey.
    • Identify the gaps and improvements needed to scale your BPA practices and implementation.

    A screenshot from Info-Tech's Scale Business Process Automation Readiness Assessment

    Step 1.1

    Ground Your Scaling Expectations

    Activities

    1.1.1 Define Your Scaling Objectives

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    Scaling BPA objectives

    Organizations want to scale their initial BPA success

    Notable Initial Benefits

    1. Time Saved: "In the first day of live operations, the robots were saving 51 hours each day or the equivalent of six people working an eight-hour shift." – Brendan MacDonald, Director of Customer Compliance Operations, Ladbrokes (UiPath)
    2. Documentation & Knowledge Sharing: "If certain people left, knowledge of some processes would be lost and we realized that we needed a reliable process management system in place." – Peta Kinnane, Acting Audit and Risk Coordinator, Liverpool City Council (Nintex)
    3. Improved Service Delivery: "Thanks to this automation, our percentage of triaged and assigned tickets is now 100%. Nothing falls through the cracks. It has also improved the time to assignment. We assign tickets 2x faster than before." – Sebastian Goodwin, Head of Cybersecurity, Nutanix (Workato)

    Can We Gain More From Automation?

    The Solution

    As industries evolve and adopt more tools and technology, their products, services, and business operating models become more complex. Task- and desktop-based automations are often not enough. More sophisticated and scaled automations are needed to simplify and streamline the process from end-to-end of complex operations and align them with organizational goals.

    Stakeholders see automation as an opportunity to scale the business

    The value of scaling BPA is dependent on the organization's ability to scale with it. In other words, stakeholders should see an increase in business value without a substantial increase in resources and operational costs (e.g., there should be little difference if sending out 10 emails versus 1000).

    Examples of how business can be scaled with automation

    • Processes triggered by incoming documents or email: in these processes, an incoming document or email (that has semi-structured or unstructured data) is collected by a script or an RPA bot. This document is then processed with a machine learning model that validates it either by rules or ML models. The validated and enriched machine-readable data is then passed on to the next system of record.
    • The accounts payable process: this process includes receiving, processing, and paying out invoices from suppliers that provided goods or services to the company. While manual processing can be expensive, take too much time, and lead to errors, businesses can automate this process with machine learning and document extraction technologies like optical characters recognition (OCR), which converts texts containing images into characters that can be readable by computers to edit, compute, and analyze.
    • Order management: these processes include retrieving email and relevant attachments, extracting information that tells the business what its customers want, updating internal systems with newly placed orders or modifications, or taking necessary actions related to customer queries.
    • Enhance customer experience: [BPA tools] can help teams develop and distribute customer loyalty offers faster while also optimizing these offers with customer insights. Now, enterprises can more easily guarantee they are delivering the relevant solutions their clients are demanding.

    Source: Stefanini Group

    Scaling BPA has its challenges

    Perceived Lack of Opportunities

    Pilot BPA implementations often involve the processes that are straightforward to automate or are already shortlisted to optimize. However, these low-hanging fruits will run out. Discovering new BPA opportunities can be challenged for a variety of reasons, such as:

    • Lack of documentation and knowledge
    • Low user participation or drive to change
    • BPA technology limitations and constraints

    Perceived Lack of Opportunities

    BPA is not a cheap investment. A single RPA bot, for example, can cost between $5,000 to $15,000. This cost does not include the added cost for training, renewal fees, infrastructure set up and other variable and reoccurring costs that often come with RPA delivery and support (Blueprint). This reality can motivate BPA owners to favor existing technologies over other cheaper and more effective alternatives in an attempt boost their return on investment.

    Ill-Equipped Support Teams

    Good technical skills and tools, and the right mindset are critical to ensure BPA capabilities are deployed effectively. Low-code no-code (LCNC) can help but success isn't guaranteed. Lack of experience with low-code platforms is the biggest obstacle in low-code adoption according to 60% of respondents (Creatio). The learning curve has led some organizations to hire contractors to onboard BPA teams, hire new employees, or dedicate significant funding and resources to upskill internal resources.

    Shift your objectives from task-based efficiencies to value-driven capabilities

    How can I improve myself?

    How can we improve my team?

    How can we improve my organization?

    Objectives

    • Improve worker productivity
    • Improve the repeatability and predictability of the process
    • Deliver outputs of consistent quality and cadence
    • Increase process, tool, and technology confidence
    • Increase the team's throughput, commitment, and load
    • Apply more focus on cognitive and complex tasks
    • Reduce the time to complete error-prone, manual, and routine collaborations
    • Deliver insightful, personalized, and valuable outputs
    • Drive more value in existing pipelines and introduce new value streams
    • Deliver consistent digital experiences involving different technologies
    • Automatically tailor a customer's experience to individual preferences
    • Forecast and rapidly respond to customer issues and market trends

    Goals

    • Learn the fit of BPA & set the foundations
    • Improve the practices & tools and optimize the performance
    • Scale BPA capabilities throughout the organization

    Gauge the success of your scaled BPA

    BPA Practice Effectiveness

    Key Question: Are stakeholders satisfied with how the BPA practice is meeting their automation needs?

    Examples of Metrics:

    • User satisfaction
    • Automation request turnaround time
    • Throughput of BPA team

    Automation Solution Quality

    Key Question: How do your automation solutions perform and meet your quality standards?

    Examples of Metrics:

    • Licensing and operational costs
    • Service level agreement and uptime/downtime
    • Number of defects

    Business Value Delivery

    Key Question: How has automation improved the value your employees, teams, and the organization delivers?

    Examples of Metrics:
    Increase in revenue generation
    Reduction in operational costs
    Expansion of business capabilities with minimal increases in costs and risks

    1.1.1 Define your scaling objectives

    5 minutes

    1. Complete the following fields to build your scaled business process automation canvas:
      1. Problem that scaling BPA is intending to solve
      2. Your vision for scaling BPA
      3. Stakeholders
      4. Scaled BPA business and IT objectives and metrics
      5. Business capabilities, processes, and application systems involved
      6. Notable constraints, roadblocks, and challenges to your scaled BPA success
    2. Document your findings and discussions in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Output

    Scaled BPA value canvas

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Record the results in the 2. Value Canvas Tab in the Scale Business Process Automation Readiness Assessment.

    1.1.1 cont'd

    Scaled BPA Value Canvas Template:

    A screenshot of Scaled BPA Value Canvas Template

    Align your objectives to your application portfolio strategy

    Why is an application portfolio strategy important for BPA?

    • All business process optimizations are designed, delivered, and managed to support a consistent interpretation of the business and IT vision and goals.
    • Clear understanding of the sprawl, criticality, and risks of automation solutions and applications to business capabilities.
    • BPA initiatives are planned, prioritized, and coordinated alongside modernization, upgrades, and other changes to the application portfolio.
    • Resources, skills, and capacities are strategically allocated to meet BPA demand considering other commitments in the backlog and roadmap.
    • BPA expectations and practices uphold the persona, values, and principles of the application team.

    What is an application portfolio strategy?

    An application portfolio strategy details the direction, activities, and tactics to deliver on the promise of your application portfolio. It often includes:

    • Portfolio vision and goals
    • Application, automation, and process portfolio
    • Values and principles
    • Portfolio health
    • Risks and constraints
    • Strategic roadmap

    See our Application Portfolio Management Foundations blueprint for more information.

    Leverage your BPA champions to drive change and support scaling initiatives

    An arrow showing the steps to Leverage your BPA champions to drive change and support scaling initiatives

    Expected Outcome From Your Pilot: Your pilot would have recognized the roles that know how to effectively apply good BPA practices (e.g., process analysis and optimization) and are familiar with the BPA toolset. These individuals are prime candidates who can standardize your Build a Winning Business Process Automation Playbook, upskill interested teams, and build relationships among those involved in the delivery and use of BPA.

    Step 1.2

    Define Your Scaling Journey

    Activities

    1.2.1 Discuss Your BPA Opportunities
    1.2.2 Lay Out Your Scaling BPA Journey

    Scale Business Process Automation

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    • List of scaling BPA opportunities
    • Tailored scaling journey

    Maintain a healthy demand pipeline

    A successful scaled BPA practice requires a continuous demand for BPA capabilities and the delivery of minimum viable automations (MVA) held together by a broader strategic roadmap.

    An image of a healthy demand pipeline.  it flows from opportunities to trends, with inputs from internal and external sources.

    An MVA focuses on a single and small process use case, involves minimal possible effort to improve, and is designed to satisfy a specific user group. Its purpose is to maximize learning and value and inform the further scaling of the BPA technology, approach, or practice.

    See our Build a Winning Business Process Automation Playbook blueprint for more information.

    Investigate how BPA trends can drive more value for the organization

    • Event-Driven Automation
      Process is triggered by a schedule, system output, scenario, or user (e.g., voice-activated, time-sensitive, system condition)
    • Low- & No-Code Automation build and management are completed through an easy-to-learn scripting language and/or a GUI.
    • Intelligent Document Processing
      Transform documents for better analysis, processing and handling (e.g., optical character recognition) by a tool or system.
    • End-to-End Process Automation & Transparency
      Linking cross-functional processes to enable automation of the entire value stream with seamless handoffs or triggers.
    • Orchestration of Different BPA Technologies
      Integrating and sequencing the execution of multiple automation solutions through a single console.
    • Cognitive Automation
      AI and other intelligent technologies automate information-intensive processes, including semi and unstructured data and human thinking simulation.
    • Intelligent Internet-of-Things
      Connecting process automation technologies to physical environments with sensors and other interaction devices (e.g., computer vision).
    • Ethical Design
      Optimizing processes that align to the moral value, principles, and beliefs of the organization (e.g., respects data privacy, resists manipulative patterns).
    • User Profiling & Tailored Experiences
      Customizing process outputs and user experience with user-defined configurations or system and user activity monitoring.
    • Process Mining & Discovery
      Gleaning optimization opportunities by analyzing system activities (mining) or monitoring user interactions with applications (discovery).

    1.2.1 Discuss your BPA opportunities

    5 minutes

    1. Review the goals and objectives of your initiative and the expectations you want to gain from scaling BPA.
    2. Discuss how BPA trends can be leveraged in your organization.
    3. List high priority scaling BPA opportunities.

    Output

    • Scaled BPA opportunities

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Create your recipe for success

    Your scaling BPA recipe (approach) can involve multiple different flavors of various quantities to fit the needs and constraints of your organization and workers.

    What and how many ingredients you need is dependent on three key questions:

    1. How can we ease BPA implementation?
    2. How can we broaden the BPA scope?
    3. How can we loosen constraints?

    Personalize Scaling BPA To Your Taste

    • Extend BPA Across Business Units (Horizontal)
    • Integrate BPA Across Your Application Architecture (Vertical)
    • Embed AI/ML Into Your Automation Technologies
    • Empower Users With Business-Managed Automations
    • Combine Multiple Technologies for End-to-End Automation
    • Increase the Volume and Velocity of Automation
    • Automate Cognitive Processes and Making Variable Decisions

    Answer these questions in the definition of your scaling BPA journey

    Seeing the full value of your scaling approach is dependent on your ability to support BPA adoption across the organization

    How can we ease BPA implementation?

    • Good governance practices (e.g., role definitions, delivery and management processes, technology standards).
    • Support for innovation and experimentation.
    • Interoperable and plug-and-play architecture.
    • Dedicated technology management and support, including resources, documents, templates and shells.
    • Accessible and easy-to-understand knowledge and document repository.

    How can we broaden BPA scope?

    • Provide a unified experience across processes, fragmented technologies, and siloed business functions.
    • Improve intellectually intensive activities, challenging decision making and complex processes with more valuable insights and information using BPA.
    • Proactively react to business and technology environments and operational changes and interact with customers with unattended automation.
    • Infuse BPA technologies into your product and service to expand their functions, output quality, and reliability.

    How can we loosen constraints?

    • Processes are automated without the need for structured data and optimized processes, and there is no need to work around or avoid legacy applications.
    • Workers are empowered to develop and maintain their own automations.
    • Coaching, mentoring, training, and onboarding capabilities.
    • Accessibility and adoption of underutilized applications are improved with BPA.
    • BPA is used to overcome the limitations or the inefficiencies of other BPA technologies.

    1.2.2 Lay out your scaling BPA journey

    5 minutes

    1. Review the goals and objectives of your initiative, the expectations you want to gain from scaling BPA, and the various scaling BPA opportunities.
    2. Discuss the different scaling BPA flavors (patterns) and how each flavor is applicable to your situation. Ask yourself these key questions:
      1. How can we ease BPA implementation?
      2. How can we broaden the BPA scope?
      3. How can we loosen constraints?
    3. Design the broad steps of your scaling BPA journey. See the following slide for an example.
    4. Document your findings and discussions in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Record the results in the 3. Scaled BPA Journey Tab in the Scale Business Process Automation Readiness Assessment.

    Output

    • Scaled BPA journey

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    1.2.2 cont'd

    An image of the marker used to identify Continuous business process optimization and automation Continuous business process optimization and automation
    An image of the marker used to identify Scope of Info-Tech's Build Your Business Process Automation Playbook blueprintScope of Info-Tech's Build Your Business Process Automation Playbook blueprint

    Example:

    An example of the BPA journey.  Below are the links included in the journey.

    Continuously review and realign expectations

    Optimizing your scaled BPA practices and applying continuous improvements starts with monitoring the process after implementation.

    Purpose of Monitoring

    1. Diligent monitoring confirms your scaled BPA implementation is performing as desired and meeting initial expectations.
    2. Holding reviews of your BPA practice and implementations helps assess the impact of marketplace and business operations changes and allows the organization to stay on top of trends and risks.

    Metrics

    Metrics are an important aspect of monitoring and sustaining the scaled practice. The metrics will help determine success and find areas where adjustments may be needed.

    Hold retrospectives to identify any practice issues to be resolved or opportunities to undertake

    The retrospective gives your organization the opportunity to review themselves and brainstorm solutions and a plan for improvements to be actioned. This session is reoccurring, typically, after key milestones. While it is important to allow all participants the opportunity to voice their opinions, feelings, and experiences, retrospectives must be positive, productive, and time boxed.

    Step 1.3

    Prepare to Scale BPA

    Activities

    1.3.1 Assess Your Readiness to Scale BPA

    This step involves the following participants:

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Outcomes of this step

    • Scale BPA readiness assessment

    Prepare to scale by learning from your pilot implementations

    "While most organizations are advised to start with automating the 'low hanging fruit' first, the truth is that it can create traps that will impede your ability to achieve RPA at scale. In fact, scaling RPA into the organizational structure is fundamentally different from implementing a conventional software product or other process automation."
    – Blueprint

    What should be the takeaways from your pilot?

    Degree of Required BPA Support

    • Practices needed to address the organization's tolerance to business process changes and automation adoption.
    • Resources, budget and skills needed to configure and orchestrate automation technologies to existing business applications and systems.

    Technology Integration & Compatibility

    • The BPA technology and application system's flexibility to be enhanced, modified, and removed.
    • Adherence to data and system quality standards (e.g., security, availability) across all tools and technologies.

    Good Practices Toolkit

    • A list of tactics, techniques, templates, and examples to assist teams assessing and optimizing business processes and applying BPA solutions in your organization's context.
    • Strategies to navigate common blockers, challenges, and risks.

    Controls & Measures

    • Defined guardrails aligned to your organization's policies and risk tolerance
    • Key metrics are gathered to gauge the value and performance of your processes and automations for enhancements and further scaling.

    Decide how to architect and govern your BPA solutions

    Centralized

    A single body and platform to coordinate, execute, and manage all automation solutions.

    An image of the Centralized approach to governing BPA solutions.

    Distributed

    Automation solutions are locally delivered and managed whether that is per business unit, type of technology, or vendor. Some collaboration and integration can occur among solutions but might be done without a holistic strategy or approach.

    An image of the Distributed approach to governing BPA solutions.

    Hybrid

    Automation solutions are locally delivered and managed and executed for isolated use cases. Broader and complex automations are centrally orchestrated and administered.

    An image of the Hybrid approach to governing BPA solutions.

    Be prepared to address the risks with scaling BPA

    "Companies tend to underestimate the complexity of their business processes – and bots will frequently malfunction without an RPA design team that knows how to anticipate and prepare for most process exceptions. Unresolved process exceptions rank among the biggest RPA challenges, prompting frustrated users to revert to manual work."
    – Eduardo Diquez, Auxis, 2020

    Scenarios

    • Handling Failures of Dependent Systems
    • Handling Data Corruption & Quality Issues
    • Alignment to Regulatory & Industry Standards
    • Addressing Changes & Regressions to Business Processes
    • "Run Away" & Hijacked Automations
    • Unauthorized Access to Sensitive Information

    Recognize the costs to support your scaled BPA environment

    Cost Factors

    Automation Operations
    How will chaining multiple BPA technologies together impact your operating budget? Is there a limit on the number of active automations you can have at a single time?

    User Licenses
    How many users require access to the designer, orchestrator, and other functions of the BPA solution? Do they also require access to dependent applications, services, and databases?

    System Enhancements
    Are application and system upgrades and modernizations needed to support BPA? Is your infrastructure, data, and security controls capable of handling BPA demand?

    Supporting Resources
    Are dedicated resources needed to support, govern, and manage BPA across business and IT functions? Are internal resources or third-party providers preferred?

    Training & Onboarding
    Are end users and supporting resources trained to deliver, support, and/or use BPA? How will training and onboarding be facilitated: internally or via third party providers?

    Create a cross-functional and supportive body to lead the scaling of BPA

    Your supportive body is a cross-functional group of individuals promoting collaboration and good BPA practices. It enables an organization to extract the full benefits from critical systems, guides the growth and evolution of strategic BPA implementations, and provides critical expertise to those that need it. A supportive body distinctly caters to optimizing and strengthening BPA governance, management, and operational practices for a single technology or business function or broadly across the entire organization encompassing all BPA capabilities.

    What a support body is not:

    • A Temporary Measure
    • Exclusive to Large Organizations
    • A Project Management Office
    • A Physical Office
    • A Quick Fix

    See our Maximize the Benefits from Enterprise Applications With a Center of Excellence blueprint for more information.

    What are my options?

    Center of Excellence (CoE)
    AND
    Community of Practice (CoP)

    CoEs and CoPs provide critical functions

    An image of the critical functions provided by CoE and CoP.

    Shift your principles as you scale BPA

    As BPA scales, users and teams must not only think of how a BPA solution operates at a personal and technical level or what goals it is trying to achieve, but why it is worth doing and how the outcomes of the automated process will impact the organization's reputation, morality, and public perception.

    An image of the journey from Siloed BPA to Scaled BPA.

    "I think you're going to see a lot of corporations thinking about the corporate responsibility of [organizational change from automation], because studies show that consumers want and will only do business with socially responsible companies."

    – Todd Lohr

    Source: Appian, 2018.

    Assess your readiness to scale BPA

    Vision & Objectives
    Clear direction and goals of the business process automation practice.

    Governance
    Defined BPA roles and responsibilities, processes, and technology controls.

    Skills & Competencies
    The capabilities users and support roles must have to be successful with BPA.

    Business Process Management & Optimization
    The tactics to document, analyze, optimize, and monitor business processes.

    Business Process Automation Delivery
    The tactics to review the fit of automation solutions and deliver and support according to end user needs and preferences.

    Business Process Automation Platform
    The capabilities to manage BPA platforms and ensure it supports the growing needs of the business.

    1.3.1 Assess your readiness to scale BPA

    5 minutes

    1. Review your scaling BPA journey and selected patterns.
    2. Conduct a readiness assessment using the 4. Readiness Assessment tab in Info-Tech's Scale Business Process Automation Readiness Assessment.
    3. Brainstorm solutions to improve the capability or address the gaps found in this assessment.

    Output

    • Scaled BPA readiness assessment

    Participants

    • Business Process Owners
    • Product Owners
    • Application Directors
    • Business Architects
    • BPA Delivery & Support Teams

    Record the results in the 4. Readiness Assessment tab in Info-Tech's Scale Business Process Automation Readiness Assessment.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Related Info-Tech Research

    Bibliography

    Alston, Roland. "With the Rise of Intelligent Automation, Ethics Matter Now More than Ever." Appian, 4 Sept. 2018. Web.
    "Challenges of Achieving RPA at Scale." Blueprint, N.d. Web.
    Dilmegani, Cem. "RPA Benefits: 20 Ways Bots Improve Businesses in 2023," AI Multiple, 9 Jan 2023. Web.
    Diquez, Eduardo. "Struggling To Scale RPA? Discover The Secret to Success." Auxis, 30 Sept. 2020. Web.
    "How much does Robotic Process Automation (RPA) Really Cost?" Blueprint, 14 Sept. 2021. Web.
    "Liverpool City Council improves document process with Nintex." Nintex, n.d. Web.
    "The State of Low-Code/No-Code." Creatio, 2021. Web.
    "Using automation to enhance security and increase IT NPS to 90+ at Nutanix." Workato, n.d. Web.
    "What Is Hyperautomation? A Complete Guide To One Of Gartner's Top Tech Trends." Stefanini Group, 26 Mar. 2021. Web.

    Explore the Secrets of SAP Digital Access Licensing

    • Buy Link or Shortcode: {j2store}143|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • SAP’s licensing rules surrounding use and indirect access are vague, making it extremely difficult to purchase with confidence and remain compliant.
    • SAP has released nine document-type licenses that can be used in digital access licensing scenarios, but this model has its own challenges.
    • Whether you decide to remain “as is” or proactively change licensing over to the document model, either option can be costly and confusing.
    • Indirect static read can be a cause of noncompliance when data is exported but the processing capability of SAP ERP is used in real time.

    Our Advice

    Critical Insight

    • Examine all indirect access possibilities. Understanding how in-house or third-party applications may be accessing and utilizing the SAP digital core is critical to be able to correctly address issues.
    • Know what’s in your contract. Each customer agreement is different, and older agreements may provide both benefits and challenges when evaluating your SAP license position.
    • Understand the intricacies of document licensing. While it may seem digital access licensing will solve compliance concerns, there are still questions to address and challenges SAP must resolve.

    Impact and Result

    • Conduct an internal analysis to examine where digital access licensing may be needed to mitigate risk, as SAP will be speaking with all customers in due course. Indirect access can be a costly audit settlement.
    • Conduct an analysis to remove inactive and duplicate users, as multiple logins may exist and could end up costing the organization license fees when audited.
    • Adopt a cyclical approach to reviewing your SAP licensing and create a reference document to track your software needs, planned licensing, and purchase negotiation points.
    • Learn the SAP way of conducting business, which includes a best-in-class sales structure and unique contracts and license use policies, combined with a hyper-aggressive compliance function. Conducting business with SAP is not a typical vendor experience, and you will need different tools to emerge successfully from a commercial transaction.

    Explore the Secrets of SAP Digital Access Licensing Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your SAP digital access licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand, assess, and decide on digital access licensing

    Begin your SAP digital access licensing journey by evaluating licensing changes and options, and then make contractual changes to ensure compliance.

    • Explore the Secrets of SAP Digital Access Licensing – Phase 1: Understand, Assess, and Decide on Digital Access Licensing
    • SAP License Summary and Analysis Tool
    • SAP Digital Access Licensing Pricing Tool
    [infographic]

    IT Asset Management (ITAM) Market Overview

    • Buy Link or Shortcode: {j2store}62|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Data management is challenging at the best of times but managing assets that change on a daily basis are difficult without automation and a good asset tool.
    • For organizations moving beyond basic hardware inventory, knowing what to look for to prepare for future processes seems impossible.
    • Using price as the leading criteria or just as an add-on to your ITSM solution may frustrate your efforts, especially if managing complex licensing is part of your mandate.

    Our Advice

    Critical Insight

    • If the purchase is happening independent of process design or review, it’s easy to end up with a solution that doesn’t fit your environment.
    • The complexity of your environment should be a significant factor in choosing an IT asset management solution.
    • Imagining the possibilities and understanding the differences between IT asset tools will drive you to the right solution for long term gain in managing dynamic assets.

    Impact and Result

    • Regardless of whether your IT environment is on-premises, in the cloud, or a complex hybrid of the two, knowing where your asset funds are allocated is key to right-sizing costs and reducing risks of non-compliance or lost assets.
    • Choosing the right tools for the job will be key to your success.

    IT Asset Management (ITAM) Market Overview Research & Tools

    Start here: Read the Market Overview

    Read the Market Overview to understand what features and capabilities are available in ITAM tools. The right features match is key to making a data heavy and challenging process easier for your team.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • IT Asset Management Market Overview

    1. Prepare your project plan and selection process

    Use the Info-Tech templates to identify and document your requirements, plan your project, and prepare to engage with vendors.

    • ITAM Project Charter Template
    • ITAM Demonstration Script Template
    • Proof of Concept Template
    • ITAM Vendor Evaluation Workbook
    [infographic]

    Create and Manage Enterprise Data Models

    • Buy Link or Shortcode: {j2store}340|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $7,263 Average $ Saved
    • member rating average days saved: 16 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Business executives don’t understand the value of Conceptual and Logical Data Models and how they define their data assets.
    • Data, like mercury, is difficult to manage and contain.
    • IT needs to justify the time and cost of developing and maintaining Data Models.
    • Data as an asset is only perceived from a physical point of view, and the metadata that provides context and definition is often ignored.

    Our Advice

    Critical Insight

    • Data Models tell the story of the organization and its data in pictures to be used by a business as a tool to evolve the business capabilities and processes.
    • Data Architecture and Data Modeling have different purposes and should be represented as two distinct processes within the software development lifecycle (SDLC).
    • The Conceptual Model provides a quick win for both business and IT because it can convey abstract business concepts and thereby compartmentalize the problem space.

    Impact and Result

    • A Conceptual Model can be used to define the semantics and relationships for your analytical layer.
      • It provides a visual representation of your data in the semantics of business.
      • It acts as the anchor point for all data lineages.
      • It can be used by business users and IT for data warehouse and analytical planning.
      • It provides the taxonomies for data access profiles.
      • It acts as the basis for your Enterprise Logical and Message Models.

    Create and Manage Enterprise Data Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create enterprise data models, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Setting the stage

    Prepare your environment for data architecture.

    • Enterprise Data Models

    2. Revisit your SDLC

    Revisit your SDLC to embed data architecture.

    • Enterprise Architecture Tool Selection

    3. Develop a Conceptual Model

    Create and maintain your Conceptual Data Model via an iterative process.

    4. Data Modeling Playbook

    View the main deliverable with sample models.

    • Data Modeling Playbook
    [infographic]

    Workshop: Create and Manage Enterprise Data Models

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Data Architecture Practice

    The Purpose

    Understand the context and goals of data architecture in your organization.

    Key Benefits Achieved

    A foundation for your data architecture practice.

    Activities

    1.1 Review the business context.

    1.2 Obtain business commitment and expectations for data architecture.

    1.3 Define data architecture as a discipline, its role, and the deliverables.

    1.4 Revisit your SDLC to embed data architecture.

    1.5 Modeling tool acquisition if required.

    Outputs

    Data Architecture vision and mission and governance.

    Revised SDLC to include data architecture.

    Staffing strategy.

    Data Architecture engagement protocol.

    Installed modeling tool.

    2 Business Architecture and Domain Modeling

    The Purpose

    Identify the concepts and domains that will inform your data models.

    Key Benefits Achieved

    Defined concepts for your data models.

    Activities

    2.1 Revisit business architecture output.

    2.2 Business domain selection.

    2.3 Identify business concepts.

    2.4 Organize and group of business concepts.

    2.5 Build the Business Data Glossary.

    Outputs

    List of defined and documented entities for the selected.

    Practice in the use of capability and business process models to identify key data concepts.

    Practice the domain modeling process of grouping and defining your bounded contexts.

    3 Harvesting Reference Models

    The Purpose

    Harvest reference models for your data architecture.

    Key Benefits Achieved

    Reference models selected.

    Activities

    3.1 Reference model selection.

    3.2 Exploring and searching the reference model.

    3.3 Harvesting strategies and maintaining linkage.

    3.4 Extending the conceptual and logical models.

    Outputs

    Established and practiced steps to extend the conceptual or logical model from the reference model while maintaining lineage.

    4 Harvesting Existing Data Artifacts

    The Purpose

    Gather more information to create your data models.

    Key Benefits Achieved

    Remaining steps and materials to build your data models.

    Activities

    4.1 Use your data inventory to select source models.

    4.2 Match semantics.

    4.3 Maintain lineage between BDG and existing sources.

    4.4 Select and harvest attributes.

    4.5 Define modeling standards.

    Outputs

    List of different methods to reverse engineer existing models.

    Practiced steps to extend the logical model from existing models.

    Report examples.

    5 Next Steps and Wrap-Up (offsite)

    The Purpose

    Wrap up the workshop and set your data models up for future success.

    Key Benefits Achieved

    Understanding of functions and processes that will use the data models.

    Activities

    5.1 Institutionalize data architecture practices, standards, and procedures.

    5.2 Exploit and extend the use of the Conceptual model in the organization.

    Outputs

    Data governance policies, standards, and procedures for data architecture.

    List of business function and processes that will utilize the Conceptual model.

    Audit the Project Portfolio

    • Buy Link or Shortcode: {j2store}442|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As a CIO you know you should audit your portfolio, but you don’t know where to start.
    • There is a lack of portfolio and project visibility.
    • Projects are out of scope, over budget, and over schedule.

    Our Advice

    Critical Insight

    • Organizations establish processes and assume people are following them.
    • There is a dilution of practices from external influences and rapid turnover rates.
    • Many organizations build their processes around existing frameworks. These frameworks are great resources but they’re often missing context and clear links to tools, templates, and fiduciary duty.

    Impact and Result

    • The best way to get insight into your current state is to get an objective set of observations of your processes.
    • Use Info-Tech’s framework to audit your portfolios and projects:
      • Triage at a high level to assess the need for an audit by using the Audit Standard Triage Tool to assess your current state and the importance of conducting a deeper audit.
      • Complete Info-Tech’s Project Portfolio Audit Tool:
        • Validate the inputs.
        • Analyze the data.
        • Review the findings and create your action plan.

    Audit the Project Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should audit the project portfolio, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess readiness

    Understand your current state and determine the need for a deeper audit.

    • Audit the Project Portfolio – Phase 1: Assess Readiness
    • Info-Tech Audit Standard for Project Portfolio Management
    • Audit Glossary of Terms
    • Audit Standard Triage Tool

    2. Perform project portfolio audit

    Audit your selected projects and portfolios. Understand the gaps in portfolio practices.

    • Audit the Project Portfolio – Phase 2: Perform Project Portfolio Audit
    • Project Portfolio Audit Tool

    3. Establish a plan

    Document the steps you are going to take to address any issues that were uncovered in phase 2.

    • Audit the Project Portfolio – Phase 3: Establish a Plan
    • PPM Audit Timeline Template
    [infographic]

    Workshop: Audit the Project Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Portfolio Audit

    The Purpose

    An audit of your portfolio management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    1.1 Info-Tech’s Audit Standard/Engagement Context

    1.2 Portfolio Audit

    1.3 Input Validation

    1.4 Portfolio Audit Analysis

    1.5 Start/Stop/Continue

    Outputs

    Audit Standard and Audit Glossary of Terms

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    2 Project Audit

    The Purpose

    An audit of your project management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    2.1 Project Audit

    2.2 Input Validation

    2.3 Project Audit Analysis

    2.4 Start/Stop/Continue

    Outputs

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    3 Action Plan

    The Purpose

    Create a plan to start addressing any vulnerabilities.

    Key Benefits Achieved

    A plan to move forward.

    Activities

    3.1 Action Plan

    3.2 Key Takeaways

    Outputs

    Audit Timeline Template

    Debunk Machine Learning Endpoint Security Solutions

    • Buy Link or Shortcode: {j2store}168|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Endpoint Security
    • Parent Category Link: /endpoint-security
    • Threat actors are more innovative than ever before and developing sophisticated methods of endpoints attacks capable of avoiding detection with traditional legacy anti-virus software.
    • Legacy anti-virus solutions rely on signatures and hence fail at detecting memory objects, and new and mutating malware.
    • Combined with the cybersecurity talent gap and the sheer volume of endpoint attacks, organizations need endpoint security solutions capable of efficiently and accurately blocking never-before-seen malware types and variants.

    Our Advice

    Critical Insight

    • Don’t make machine learning a goal in itself. Think of how machine learning can help you achieve your goals.
    • Determine your endpoint security requirements and goals prior to shopping around for a vendor. Vendors can easily suck you into a vortex of marketing jargon and sell you tools that your organization does not need.
    • Machine learning alone is not a solution to catching malware. It is a computational method that can generalize and analyze large datasets, and output insights quicker than a human security analyst.

    Impact and Result

    • Consider deploying an endpoint protection technology that leverages machine learning into your existing endpoint security strategy to counteract against the unknown and to quickly sift through the large volumes of data.
    • Understand how machine learning methods can help drive your organization’s security goals.
    • Identify vendors that utilize machine learning in their endpoint security products.
    • Understand use cases of where machine learning in endpoint security has been successful.

    Debunk Machine Learning Endpoint Security Solutions Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should consider machine learning in endpoint security solutions, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Demystify machine learning concepts

    Understand basic machine learning concepts used in endpoint security.

    • Debunk Machine Learning Endpoint Security Solutions – Phase 1: Demystify Machine Learning Concepts

    2. Evaluate vendors that leverage machine learning

    Determine feature requirements to evaluate vendors.

    • Debunk Machine Learning Endpoint Security Solutions – Phase 2: Evaluate Vendors That Leverage Machine Learning
    • Endpoint Protection Request for Proposal
    [infographic]

    Manage Requirements in an Agile Environment

    • Buy Link or Shortcode: {j2store}522|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design

    The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic; how do you operate your requirements management practices once there? There traditionally isn’t a role for a business analyst, the traditional keeper of requirements. It isn’t like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they’ve leveraged Agile.

    But you aren’t here for assurances. You’re here for answers and help.

    Our Advice

    Critical Insight

    Agile and requirements management are complementary, not competitors.

    Impact and Result

    Info-Tech’s advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. How can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Manage Requirements in an Agile Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Requirements in an Agile Environment Blueprint – Agile and Requirements Management are complementary, not competitors

    Provides support and guidance for organizations struggling with their requirements management practices in Agile environments.

    • Manage Requirements in an Agile Environment Storyboard

    2. Agile Requirements Playbook – A practical playbook for aligning your teams, and articulating the guidelines for managing your requirements in Agile.

    The Agile Requirements Playbook becomes THE artifact for your Agile requirements practices. Great for onboarding, reviewing progress, and ensuring a shared understanding of your ways of working.

    • Agile Requirements Playbook

    3. Documentation Calculator – A tool for determining the right level of documentation for your organization, and whether you’re spending too much, or even not enough, on Agile Requirements documentation.

    The Documentation Calculator can inform your documentation decison making, ensuring you're investing just the right amount of time, money, and effort.

    • Documentation Calculator

    4. Agile Requirements Workbook – Supporting tools and templates in advancing your Agile Requirements practice, to be used in conjunction with the Agile Requirements Blueprint, and the Playbook.

    This workbook is designed to capture the results of your exercises in the Manage Requirements in an Agile Environment Storyboard. Each worksheet corresponds to an exercise in the storyboard. This is a tool for you, so customize the content and layout to best suit your product. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Agile Requirements Workbook

    5. Agile Requirements Assessment – Establishes your current Agile requirements maturity, defines your target maturity, and supports planning to get there.

    The Agile Requirements Assessment is a great tool for determining your current capabilities and maturity in Agile and Business Analysis. You can also articulate your target state, which enables the identification of capability gaps, the creation of improvement goals, and a roadmap for maturing your Agile Requirements practice.

    • Agile Requirements Assessment

    Infographic

    Workshop: Manage Requirements in an Agile Environment

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Framing Agile and Business Analysis

    The Purpose

    Sets the context for the organization, to ensure a shared understanding of the benefits of both Agile and business analysis/requirements management.

    Key Benefits Achieved

    Have a shared definition of Agile and business analysis / requirements.

    Understand the current state of Agile and business analysis in your organization.

    Activities

    1.1 Define what Agile and business analysis mean in your organization.

    1.2 Agile requirements assessment.

    Outputs

    Alignment on Agile and business analysis / requirements in your organization.

    A current and target state assessment of Agile and business analysis in your organization.

    2 Tailoring Your Approach

    The Purpose

    Confirm you’re going the right way for effective solution delivery.

    Key Benefits Achieved

    Confirm the appropriate delivery methodology.

    Activities

    2.1 Confirm your selected methodology.

    Outputs

    Confidence in your selected project delivery methodology.

    3 Defining Your Requirements Thresholds

    The Purpose

    Provides the guardrails for your Agile requirements practice, to define a high-level process, roles and responsibilities, governance and decision-making, and how to deal with change.

    Key Benefits Achieved

    Clearly defined interactions between the BA and their partners

    Define a plan for management and governance at the project team level

    Activities

    3.1 Define your agile requirements process.

    3.2 Define your agile requirements RACI.

    3.3 Define your governance.

    3.4 Define your change and backlog refinement plan.

    Outputs

    Agile requirements process.

    Agile requirements RACI.

    A governance and documentation plan.

    A change and backlog refinement approach.

    4 Planning Your Next Steps

    The Purpose

    Provides the action plan to achieve your target state maturity

    Key Benefits Achieved

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Activities

    4.1 Define your stakeholder communication plan.

    4.2 Identify your capability gaps.

    4.3 Plan your agile requirements roadmap.

    Outputs

    A stakeholder communication plan.

    A list of capability gaps to achieve your desired target state.

    A prioritized roadmap to achieve the target state.

    5 Agile Requirements Techniques (Optional)

    The Purpose

    To provide practical guidance on technique usage, which can enable an improved experience with technical elements of the blueprint.

    Key Benefits Achieved

    An opportunity to learn new tools to support your Agile requirements practice.

    Activities

    5.1 Managing requirements' traceability.

    5.2 Creating and managing user stories.

    5.3 Managing your requirements backlog.

    5.4 Maintaining a requirements library.

    Outputs

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Further reading

    Manage Requirements in an Agile Environment

    Agile and requirements management are complementary, not competitors

    Analyst's Perspective

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business then you have failed, regardless of how fast you've gone.

    Delivery in Agile doesn't mean you stop needing solid business analysis. In fact, it's even more critical, to ensure your products and projects are adding value. With the rise of Agile, the role of the business analyst has been misunderstood.

    As a result, we often throw out the analysis with the bathwater, thinking we'll be just fine without analysis, documentation, and deliberate action, as the speed and dexterity of Agile is enough.

    Consequently, what we get is wasted time, money, and effort, with solutions that fail to deliver value, or need to be re-worked to get it right.

    The best organizations find balance between these two forces, to align, and gain the benefits of both Agile and business analysis, working in tandem to manage requirements that bring solutions that are "just right".

    This is a picture of Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    The process of navigating from waterfall to Agile can be incredibly challenging. And even more problematic; how do you operate your requirements management practices once there? Since there traditionally isn't a role for a business analyst; the traditional keeper of requirements. it isn't like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they've leveraged Agile.

    But you aren't here for assurances. You're here for answers and help.

    Common Obstacles

    many organizations and teams face is that there are so busy doing Agile that they fail to be Agile.

    Agile was supposed to be the saving grace of project delivery but is misguided in taking the short-term view of "going quickly" at the expense of important elements, such as team formation and interaction, stakeholder engagement and communication, the timing and sequencing of analysis work, decision-making, documentation, and dealing with change.

    The idea that good requirements just happen because you have user stories is wrong. So, requirements remain superficial, as you "can iterate later"…but sometimes later never comes, or doesn't come fast enough.

    Organizations need to be very deliberate when aligning their Agile and requirements management practices. The work is the same. How the work is done is what changes.

    Info-Tech's Approach

    Infotech's advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. And how can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Info-Tech Insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone.

    Insight summary

    Overarching insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone

    Phase 1 insight

    • The purpose of requirements in waterfall is for approval. The purpose in Agile is for knowledge management, as Agile has no memory.
    • When it comes to the Agile manifesto, "over" does not mean "instead of".
    • In Agile, the what of business analysis does doesn't change. What does change is the how and when that work happens.

    Phase 2 insight

    • Understand your uncertainties; it's a great way to decide what level of Agile (if any) is needed.
    • Finding your "Goldilocks" zone will take time. Be patient.

    Phase 3 insight

    • Right-size your governance, based on team dynamics and project complexity. A good referee knows when to step in, and when to let the game flow.
    • Agile creates a social contract amongst the team, and with their leaders and organization.
    • Documentation needs to be valuable. Do what is acceptable and necessary to move work to future steps. Not documenting also comes with a cost, but one you pay in the future. And that bill will come due, with interest (aka, technical debt, operational inefficiencies, etc.).
    • A lack of acceptable documentation makes it more difficult to have agility. You're constantly revalidating your current state (processes, practices and structure) and re-arguing decisions already made. This slows you down more than maintaining documentation ever would.

    Phase 4 insight

    • Making Agile predictable is hard, because people are not predictable; people are prone to chaos.

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the waterfall project results

    Source: PPM Express.

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution, became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stay with the status quo. Given that organizations evolve at a rapid pace, what was a pain at the beginning of an initiative may not be so even 6 months later.

    Agile became the answer.

    Since its' first appearance nearly 20 years ago, Agile has become the methodology of choice for a many of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – "Large Scale IT Projects – From Nightmare to Value Creation"

    "Requirements maturity is more important to project outcomes than methodology."
    – "Business Analysis Benchmark: Full Report"

    "Mature Agile practices spend 28% of their time on analysis and design."
    – "Quantitative Analysis of Agile Methods Study (2017): Twelve Major Findings"

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – "The Business Case for Agile Business Analysis" - Requirements Engineering Magazine

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Info-Tech's Agile requirements framework

    This is an image of Info-Tech's Agile requirements framework.  The three main categories are: Sprint N(-1); Sprint N; Sprint N(+1)

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    What changes for the business analyst?

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    Where does the business analysis function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including:

    • The product owner,
    • The Sponsor or Executive
    • The development team,
    • Other stakeholders such as customers, end-users, and subject matter experts
    • The Design team,
    • Security,
    • Testing,
    • Deployment.

    This is an image the roles who typically interact with a Business Analyst.

    How we do our requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    • Emphasizing flexibility
    • Enabling continuous delivery
    • Enhancing collaboration and communication
    • Developing a user-centered approach

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of a successful Agile Requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant numbers of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    Measuring your success

    Tracking metrics and measuring your progress

    As you implement the actions from this Blueprint, you should see measurable improvements in;

    • Team and stakeholder satisfaction
    • Requirements quality
    • Documentation cost

    Without sacrificing time to delivery

    Metric Description and motivation
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect Stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value
    Requirements rework Measures the quality of requirements from your Agile Projects. Expect that the Requirements Rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including Elicitation, Analysis, Validation, Presentation, and Management
    Time to delivery Balancing Metric. We don't want improvements in other at the expense of time to delivery

    Info-Tech's methodology for Agile requirements

    1. Framing Agile and Business Analysis

    2. Tailoring Your Approach

    3. Defining Your Requirements Thresholds

    4. Planning Your Next Steps

    Phase Activities

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Decide the best-fit approach for delivery

    2.2 Manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 Define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    Phase Outcomes

    Recognize the benefits and detriments of both Agile and BA.

    Understand the current state of Agile and business analysis in your organization.

    Confirm the appropriate delivery methodology.

    Manage your requirements backlog.

    Connect the business need to user story.

    Clearly defined interactions between the BA and their partners.

    Define a plan for management and governance at the project team level.

    Documentation and tactics that are right-sized for the need.

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Blueprint tools and templates

    Key deliverable:

    This is a screenshot from the Agile Requirements Playbook

    Agile Requirements Playbook

    A practical playbook for aligning your teams and articulating the guidelines for managing your requirements in Agile

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This is a screenshot from the Documentation Calculator

    Documentation Calculator

    A tool to help you answer the question: What is the right level of Agile requirements documentation for my organization?

    This is a screenshot from the Agile Requirements Assessment

    Agile Requirements Assessment

    Establishes your current maturity level, defines your target state, and supports planning to get there.

    This is a screenshot from the Agile Requirements Workbook

    Agile Requirements Workbook

    Supporting tools and templates in advancing your Agile requirements practice, to be used with the Agile Requirements Blueprint and Playbook.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    1. Framing Agile and Business Analysis / 2. Tailoring Your Approach 3. Defining Your Requirements
    Thresholds
    3. Defining Your Requirements Thresholds / 4. Planning Your Next Steps (OPTIONAL) Agile Requirements Techniques (a la carte) Next Steps and Wrap-Up (Offsite)

    Activities

    What does Agile mean in your organization? What do requirements mean in your organization?

    Agile Requirements Assessment

    Confirm your selected methodology

    Define your Agile requirements process

    Define your Agile requirements RACI (Optional)

    Define your Agile requirements governance

    Defining your change management plan

    Define your

    communication plan

    Capability gap list

    Planning your Agile requirements roadmap

    Managing requirements traceability

    Creating and managing user stories

    Managing your requirements backlog

    Maintaining a requirements library

    Develop Agile Requirements Playbook

    Complete in-progress deliverables from previous four days.

    Set up review time for workshop deliverables and next steps

    Outcomes

    Shared definition of Agile and business analysis / requirements

    Understand the current state of Agile and business analysis in your organization

    Agile requirements process

    Agile requirements RACI (Optional)

    Defined Agile requirements governance and documentation plan

    Change and backlog refinement plan

    Stakeholder communication plan

    Action plan and roadmap for maturing your Agile requirements practice

    Practical knowledge and practice about various tactics and techniques in support of your Agile requirements efforts

    Completed Agile Requirements Playbook

    Guided Implementation

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope objectives, and your specific challenges.

    Call #4: Define your approach to project delivery.

    Call #6: Define your Agile requirements process.

    Call #9: Identify gaps from current to target state maturity.

    Call #2: Assess current maturity.

    Call #5: Managing your requirements backlog.

    Call #7: Define roles and responsibilities.

    Call #10: Pprioritize next steps to mature your Agile requirements practice.

    Call #3: Identify target-state capabilities.

    Call #8: Define your change and backlog refinement approach.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 10 calls over the course of 4 to 6 months.

    Framing Agile and Business Analysis

    Phase 1

    Framing Agile and Business Analysis

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • EXERCISE: What do Agile and requirements mean in your organization?
    • ASSESSMENT: Agile requirements assessment
    • KEY DELIVERABLE: Agile Requirements Playbook

    This phase involves the following participants:

    • Business analyst and project team
    • Stakeholders
    • Sponsor/Executive

    Managing Requirements in an Agile Environment

    Step 1.1

    Understand the benefits and limitations of Agile and business analysis

    Activities

    1.1.1 Define what Agile and business analysis mean in your organization

    This step involves the following participants:

    • Business analyst and project team
    • Sponsor/Executive

    Outcomes of this step

    • Recognize the benefits and detriments of both Agile and business analysis

    Framing Agile and Business Analysis

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the Waterfall Project Results

    Source: PPM Express.

    Business analysis had a clear home in waterfall

    Business analysts had historically been aligned to specific lines of business, in support of their partners in their respective domains. Somewhere along the way, the function was moved to IT. Conceptually this made sense, in that it allowed BAs to provide technical solutions to complex business problems. This had the unintended result of lost domain knowledge, and connection to the business.

    It all starts with the business. IT enables business goals. The closer you can get to the business, the better.

    Business analysts were the main drivers of helping to define the business requirements, or needs, and then decompose those into solution requirements, to develop the best option to solve those problems, or address those needs. And the case for good analysis was clear. The later a poor requirement was caught, the more expensive it was to fix. And if requirements were poor, there was no way to know until much later in the project lifecycle, when the cost to correct them was exponentially higher, to the tune of 10-100x the initial cost.

    This is an image of a graph showing the cost multiplier for Formulating Requirements, Architecture Design, Development, Testing and, Operations

    Adapted from PPM Express. "Why Projects Fail: Business Analysis is the Key".

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stand pat in the current state. And besides, organizations evolve at a rapid pace. What was a pain at the beginning of an initiative may not be so even six months later.

    Agile became the answer.

    Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for a huge swathe of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    To say that's significant is an understatement.

    The four core values of Agile helped shift focus

    According to the Agile manifesto, "We value. . ."

    This is an image of what is valued according to the Agile Manifesto.

    "…while there is value in the items on the right, we value the items on the left more."

    Source: Agilemanifesto, 2001

    Agile has made significant inroads in IT and beyond

    94% of respondents report using Agile practices in their organization

    according to Digital.AI's "The 15th State of Agile Report"

    That same report notes a steady expansion of Agile outside of IT, as other areas of the organization seek to benefit from increased agility and responsiveness, including Human Resources, Finance and Marketing.

    While it addressed some problems…

    This is an image of the Waterfall Project Results, compared to Agile Product Results.

    "Agile projects are 37% faster to market than [the] industry average"

    (Requirements Engineering Magazine, 2017)

    • Business requirements documents are massive and unreadable
    • Waterfall erects barriers and bottlenecks between the business and the development team
    • It's hard to define the solution at the outset of a project
    • There's a long turnaround between requirements work and solution delivery
    • Locking in requirements dictates an often-inflexible solution. And the costs to make changes tend to add up.

    …Implementing Agile led to other challenges

    This is an image of a series of thought bubbles, each containing a unique challenge resulting from implementing Agile.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – BCG, 2015

    "Requirements maturity is more important to project outcomes than methodology."
    – IAG Consulting, 2009.

    "Mature Agile practices spend 28% of their time on analysis and design."
    – InfoQ, 2017."

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – Requirements Engineering Magazine, 2017

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories.  these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Agile is being misinterpreted as an opportunity to bypass planning and analysis activities

    Agile is a highly effective tool.

    This isn't about discarding Agile. It is being used for things completely outside of what was originally intended. When developing products or code, it is in its element. However, outside of that realm, its being used to bypass business analysis activities, which help define the true customer and business need.

    Business analysts were forced to adapt and shift focus. Overnight they morphed into product owners, or no longer had a place on the team. Requirements and analysis took a backseat.

    The result?

    Increased rework, decreased stakeholder satisfaction, and a lot of wasted money and effort.

    "Too often, the process of two-week sprints becomes the thing, and the team never gets the time and space to step back and obsess over what is truly needed to delight customers."
    Harvard Business Review, 9 April 2021.

    Info-Tech Insight

    Requirements in Agile are the same, but the purpose of requirements changes.

    • The purpose of requirements in waterfall is for stakeholder approval.
    • The purpose of requirements in Agile is knowledge management; to maintain a record of the current state.

    Many have misinterpreted the spirit of Agile and waterfall

    The stated principles of waterfall say nothing of how work is to be linear.

    This is an image of a comparison between using Agile and Being Prescriptive.This is an image of Royce's 5 principles for success.

    Source: Royce, Dr. Winston W., 1970.

    For more on Agile methodology, check out Info-Tech's Agile Research Centre

    How did the pendulum swing so far?

    Shorter cycles of work made requirements management more difficult. But the answer isn't to stop doing it.

    Organizations went from engaging business stakeholders up front, and then not until solution delivery, to forcing those partners to give up their resources to the project. From taking years to deliver a massive solution (which may or may not even still fit the need) to delivering in rapid cycles called sprints.

    This tug-of-war is costing organizations significant time, money, and effort.

    Your approach to requirements management needs to be centered. We can start to make that shift by better aligning our Agile and business analysis practices. Outside of the product space, Agile needs to be combined with other disciplines (Harvard Business Review, 2021) to be effective.

    Agility is important. Though it is not a replacement for approach or strategy (RCG Global Services, 2022). In Agile, team constraints are leveraged because of time. There is a failure to develop new capabilities to address the business needs Harvard Business Review, 2021).

    Agility needs analysis.

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    Start by defining what the terms mean in your organization

    We do this because there isn't even agreement by the experts on what the terms "Agile" and "business analysis" mean, so let's establish a definition within the context of your organization.

    1.1.1 What do Agile and business analysis mean in your organization?

    Estimated time: 30 Minutes

    1. Explore the motivations behind the need for aligning Agile with business analysis. Are there any current challenges related to outputs, outcomes, quality? How can the team and organization align the two more effectively for the purposes of requirements management?
    2. Gather the appropriate stakeholders to discuss their definition of the terms "Agile" and "business analysis" It can be related to their experience, practice, or things they've read or heard.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives into a shared definition of each term, of a sentence or two.
    5. Revisit this definition as needed, and as your Agile requirements efforts evolve.

    Input

    • Challenges and experiences/perspectives related to Agile and business requirements

    Output

    • A shared definition of Agile and business analysis, to help guide alignment on Agile requirements management

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Build your Agile Requirements Playbook

    Keep the outcomes of this blueprint in a single document

    Share at the beginning of a new project, as part of team member onboarding, and revisit as your practice matures.

    This is a series of three screenshots from the Agile Requirements Playbook.

    Your Agile Requirements Playbook will include

    • Your shared definition of Agile and business analysis for your organization
    • The Agile Requirements Maturity Assessment
    • A Methodology Selection Matrix
    • Agile requirements RACI
    • A defined Agile requirements process
    • Documentation Calculator
    • Your Requirements Repository Information
    • Capability Gap List (from current to target state)
    • Target State Improvement Roadmap and Action Plan

    Step 1.2

    Align Agile and Business Analysis Within Your Organization

    Activities

    1.2.1 Assess your Agile requirements maturity

    This step involves the following participants:

    • Business Analyst and Project Team
    • Stakeholders
    • Sponsor/Executive

    Outcomes of this step

    • Complete the Agile Requirements Maturity Assessment to establish your current and target states

    Framing Agile and Business Analysis

    Consider the question: "Why Agile?"

    What is the driving force behind that decision?

    There are many reasons to leverage the power of Agile within your organization, and specifically as part of your requirements management efforts. And it shouldn't just be to improve productivity. That's only one aspect.
    Begin by asking, "Why Agile?" Are you looking to improve:

    • Time to market
    • Team engagement
    • Product quality
    • Customer satisfaction
    • Stakeholder engagement
    • Employee satisfaction
    • Consistency in delivery of value
    • Predictably of your releases

    Or a combination of the above?

    Info-Tech Insight

    Project delivery methodologies aren't either/or. You don't have to be 100% waterfall or 100% Agile. Select the right approach for your project, product, or service.

    In the end, your business partners don't want projects delivered faster, they want value faster!

    For more on understanding Agile, check out the Implement Agile Practices That Work Blueprint

    Responses to a 2019 KPMG survey:

    13% said that their top management fully supports Agile transformation.

    76% of organizations did not agree that their organization supports Agile culture.

    62% of top management believe Agile has no implications for them.

    What changes for the business analyst?

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    1.2.1 Assess your Agile requirements maturity

    This is a series of screenshots from the Agile Requirements Maturity Assessment.

    1.2.1 Assess your Agile requirements maturity

    Estimated time: 30 Minutes

      1. Using the Agile Requirements Maturity Assessment, gather all appropriate stakeholders, and discuss and score the current state of your practice. Scoring can be done by:
        1. Consensus: Generally better with a smaller group, where the group agrees the score and documents the result
        2. Average: Have everyone score individually, and aggregate the results into an average, which is then entered.
        3. Weighted Average: As above, but weight the individual scores by individual or line of business to get a weighted average.
      2. When current state is complete, revisit to establish target state (or hold as a separate session) using the same scoring approach as in current state.
        1. Recognize that there is a cost to maturity, so don't default to the highest score by default.
        2. Resist the urge at this early stage to generate ideas to navigate from current to target state. We will re-visit this exercise in Phase 4, once we've defined other pieces of our process and practice.

    Input

    • Participant knowledge and experience

    Output

    • A current and target state assessment of your Agile requirements practice

    Materials

    • Agile Requirements Maturity Assessment

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Tailoring Your Approach

    Phase 2

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Selecting the appropriate delivery methodology
    • Managing your requirements backlog
    • Tracing from business need to user story

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 2.1

    Confirm the Best-fit Approach for Delivery

    Activities

    2.1.1 Confirm your methodology

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A review of potential delivery methodologies to select the appropriate, best-fit approach to your projects

    Confirming you're using the best approach doesn't have be tricky

    Selecting the right approach (or confirming you're on the right track) is easier when you assess two key inputs to your project; your level of certainty about the solution, and the level of complexity among the different variables and inputs to your project, such as team experience and training, the number of impacted stakeholders or context. lines of business, and the organizational

    Solution certainty refers to the level of understanding of the problem and the solution at the start of the project. In projects with high solution certainty, the requirements and solutions are well defined, and the project scope is clear. In contrast, projects with low solution certainty have vague or changing requirements, and the solutions are not well understood.

    Project complexity refers to the level of complexity of the project, including the number of stakeholders, the number of deliverables, and the level of technical complexity. In projects with high complexity, there are many stakeholders with different priorities, many deliverables, and high technical complexity. In contrast, projects with low complexity have fewer stakeholders, fewer deliverables, and lower technical complexity.

    "Agile is a fantastic approach when you have no clue how you're going to solve a problem"

    • Ryan Folster, Consulting Services Manager, Business Analysis, Dimension Data

    Use Info-Tech's methodology selection matrix

    Waterfall methodology is best suited for projects with high solution certainty and high complexity. This is because the waterfall model follows a linear and sequential approach, where each phase of the project is completed before moving on to the next. This makes it ideal for projects where the requirements and solutions are well-defined, and the project scope is clear.

    On the other hand, Agile methodology is best suited for projects with low solution certainty. Agile follows an iterative and incremental approach, where the requirements and solutions are detailed and refined throughout the project. This makes it ideal for projects where the requirements and solutions are vague or changing.

    Note that there are other models that exist for determining which path to take, should this approach not fit within your organization.

    Use info-tech's-methodology-selection-matrix

    This is an image of Info-Tech’s methodology selection matrix

    Adapted from The Chaos Report, 2015 (The Standish Group)

    Download the Agile Requirements Workbook

    2.1.1 Confirm your methodology

    Estimated time: 30 Minutes

    1. Using the Agile Requirements Workbook, find the tab labelled "Methodology Assessment" and answer the questions to establish your complexity and certainty scores, where;

    1 = Strongly disagree
    2 = Disagree
    3 = Neutral
    4 = Agree
    5 = Strongly agree.

    1. In the same workbook, plot the results in the grid on the tab labelled "Methodology Matrix".
    2. Projects falling into Green are good fits for Agile. Yellow are viable. And Red may not be a great fit for Agile.
    3. Note: Ultimately, the choice of methodology is yours. Recognize there may be additional challenges when a project is too complex, or uncertainty is high.

    Input

    • Current project complexity and solution certainty

    Output

    • A clear choice of delivery methodology

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Step 2.2

    Manage Your Requirements Backlog

    Activities

    2.2.1 Create your user stories

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Understand how to convert requirements into user stories, which populate the Requirements Backlog.

    Tailoring Your Approach

    There is a hierarchy to requirements

    This is a pyramid, with the base being: Solution Requirements; The middle being: Stakeholder Requirements; and the Apex being: Business Requirements.
    • Higher-level statements of the goals, objectives, or needs of the enterprise.
    • Business requirements focus on the needs of the organization, and not the stakeholders within it.

    Defines

    Intended benefits and outcomes

    • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.

    Why it is needed, and by who

    • Describes the characteristics of a solution that meets business requirements and stakeholder requirements. Functional describes the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations. Non-functional represents constraints on the ultimate solution and tends to be less negotiable.

    What is needed, and how its going to be achieved

    Connect the dots with a traceability matrix

    Business requirements describe what a company needs in order to achieve its goals and objectives. Solution requirements describe how those needs will be met. User stories are a way to express the functionality that a solution will provide from the perspective of an end user.

    A traceability matrix helps clearly connect and maintain your requirements.

    To connect business requirements to solution requirements, you can start by identifying the specific needs that the business has and then determining how those needs can be met through technology or other solutions; or what the solution needs to do to meet the business need. So, if the business requirement is to increase online sales, a solution requirement might include implementing a shopping cart feature on your company website.

    Once you have identified the solution requirements, you can then use those to create user stories. A user story describes a specific piece of functionality that the solution will provide from the perspective of a user.

    For example, "As a customer, I want to be able to add items to my shopping cart so that I can purchase them." This user story is directly tied to the solution requirement of implementing a shopping cart feature.

    Tracing from User Story back up to Business Requirement is essential in ensuring your solutions support your organization's strategic vison and objectives.

    This is an image of a traceability matrix for Business Requirements.

    Download the Info-Tech Requirements Traceability Matrix

    Improve the quality of your solution requirements

    A solution requirement is a statement that clearly outlines the functional capability that the business needs from a system or application.

    There are several attributes to look for in requirements:

    Verifiable

    Unambiguous

    Complete

    Consistent

    Achievable

    Traceable

    Unitary

    Agnostic

    Stated in a way that can be easily tested

    Free of subjective terms and can only be interpreted in one way

    Contains all relevant information

    Does not conflict with other requirements

    Possible to accomplish with budgetary and technological constraints

    Trackable from inception through to testing

    Addresses only one thing and cannot be decomposed into multiple requirements

    Doesn't pre-suppose a specific vendor or product

    For more on developing high quality requirements, check out the Improve Requirements Gathering Blueprint

    Prioritize your requirements

    When everything is a priority, nothing is a priority.

    Prioritization is the process of ranking each requirement based on its importance to project success. Each requirement should be assigned a priority level. The delivery team will use these priority levels to ensure efforts are targeted toward the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order your requirements.

    The MoSCoW Model of Prioritization

    This is an image of The MoSCoW Model of Prioritization

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994

    (Source: ProductPlan).

    Base your prioritization on the right set of criteria

    Criteria Description
    Regulatory and legal compliance These requirements will be considered mandatory.
    Policy compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business value significance Give a higher priority to high-value requirements.
    Business risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
    Implementation complexity Give a higher priority to low implementation difficulty requirements.
    Alignment with strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    Info-Tech Insight

    It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

    Manage solution requirements in a Product backlog

    What is a backlog?

    Agile teams are familiar with the use of a Sprint Backlog, but in Requirements Management, a Product Backlog is a more appropriate choice.

    A product backlog and a Sprint backlog are similar in that they are both lists of items that need to be completed in order to deliver a product or project, but there are some key differences between the two.

    A product backlog is a list of all the features, user stories, and requirements that are needed for a product or project. It is typically created and maintained by the business analyst or product owner and is used to prioritize and guide the development of the product.

    A Sprint backlog, on the other hand, is a list of items specifically for an upcoming sprint, which is an iteration of work in Scrum. The Sprint backlog is created by the development team and is used to plan and guide the work that will be done during the sprint. The items in the Sprint backlog are typically taken from the product backlog and are prioritized based on their importance and readiness.

    For more on building effective product backlogs, visit Deliver on Your Digital Product Vision

    A backlog stores and organizes requirements at various stages

    Your backlog must give you a holistic understanding of demand for change in the product.

    A well-formed backlog can be thought of as a DEEP backlog

    Detailed appropriately: Requirements are broken down and refined as necessary

    Emergent: The backlog grows and evolves over time as requirements are added and removed.

    Estimated: The effort to deliver a requirement is estimated at each tier.

    Prioritized: A requirement's value and priority are determined at each tier.

    This is an image of an inverted funnel, with the top being labeled: Ideas; The middle being labeled: Qualified; and the bottom being labeled: Ready.

    Adapted from Essential Scrum

    Ensure requests and requirements are ready for development

    Clearly define what it means for a requirement, change, or maintenance request to be ready for development.

    This will help ensure the value and scope of each functionality and change are clear and well understood by both developers and stakeholders before the start of the sprint. The definition of ready should be two-fold: ready for the backlog, and ready for coding.

    1. Create a checklist that indicates when a requirement or request is ready for the development backlog. Consider the following questions:
      1. Is the requirement or request in the correct format?
      2. Does the desired functionality or change have significant business value?
      3. Can the requirement or request be reasonably completed within defined release timelines under the current context?
      4. Does the development team agree with the budget and points estimates?
      5. Is there an understanding of what the requirement or request means from the stakeholder or user perspective?
    2. Create a checklist that indicates when a requirement or request is ready for development. Consider the following questions:
      1. Have the requirements and requests been prioritized in the backlog?
      2. Has the team sufficiently collaborated on how the desired functionality or change can be completed?
      3. Do the tasks in each requirement or request contain sufficient detail and direction to begin development?
      4. Can the requirement or request be broken down into smaller pieces?

    Converting solution requirements into user stories

    Define the user

    Who will be interacting with the product or feature being developed? This will help to focus the user story on the user's needs and goals.

    Create the story

    Create the user story using the following template: "As a [user], I want [feature] so that [benefit]."
    This helps articulate the user's need and the value that the requirement will provide.

    Decompose

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    Prioritize

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    2.2.1 Create your user stories

    Estimated time: 60 Minutes

    1. Gather the project team and relevant stakeholders. Have access to your current list of solution requirements.
    2. Leverage the approach on previous slide "Converting Solution Requirements into User Stories" to generate a collection of user stories.

    NOTE: There is not a 1:1 relationship between requirements and user stories.
    It is possible that a single requirement will have multiple user stories, and similarly, that a single user story will apply to multiple solution requirements.

    Input

    • Requirements
    • Use Case Template

    Output

    • A collection of user stories

    Materials

    • Current Requirements

    Participants

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Use the INVEST model to create good user stories

    At this point your requirements should be high-level stories. The goal is to refine your backlog items, so they are . . .

    A vertical image of the Acronym: INVEST, taken from the first letter of each bolded word in the column to the right of the image.

    Independent: Ideally your user stories can be built in any order (i.e. independent from each other). This allows you to prioritize based on value and not get caught up in sequencing and prerequisites.
    Negotiable: As per the Agile principle, collaboration over contracts. Your user stories are meant to facilitate collaboration between the developer and the business. Therefore, they should be built to allow negotiation between all parties.
    Valuable: A user story needs to state the value so it can be effectively prioritized, but also so developers know what they are building.
    Estimable: As opposed to higher-level approximation given to epics, user stories need more accuracy in their estimates in order to, again, be effectively prioritized, but also so teams can know what can fit into a sprint or release plans.
    Small: User stories should be small enough for a number of them to fit into a sprint. However, team size and velocity will impact how many can be completed. A general guideline is that your teams should be able to deliver multiple stories in a sprint.
    Testable: Your stories need to be testable, which means they must have defined acceptance criteria and any related test cases as defined in your product quality standards.
    Source: Agile For All

    Defining Your Requirements Thresholds

    Phase 3

    Defining Your Requirements Thresholds

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Assigning roles and responsibilities optional (Tool: RACI)
    • Define your Agile requirements process
    • Calculate the cost of your documentation (Tool: Documentation Calculator)
    • Define your backlog refinement plan

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 3.1

    Define Project Roles and Responsibilities

    Activities

    3.1.1 Define your Agile requirements RACI (optional)

    3.1.2 Define your Agile requirements process

    Defining Your Requirements Thresholds

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A defined register of roles and responsibilities, along with a defined process for how Agile requirements work is to be done.

    Defining Your Requirements Thresholds

    Where does the BA function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including the product owner, development team, and many other stakeholders throughout the organization.

    This is an image the roles who typically interact with a Business Analyst.

    • The product owner, to set the priorities and direction of the project, and to gather requirements and ensure they are being met. Often, but not always, the BA and product owner are the same individual.
    • The development team, to provide clear and concise requirements that they can use to build and test the product.
    • Other stakeholders, such as customers, end-users, and subject matter experts to gather their requirements, feedback and validate the solution.
      • Design, to ensure that the product meets user needs. They may provide feedback and ensure that the design is aligned with requirements.
      • Security, to ensure that the solution meets all necessary security requirements and to identify potential risks and appropriate use of controls.
      • Testing, to ensure that the solution is thoroughly tested before it is deployed. They may create test cases or user scenarios that validate that everything is working as intended.
      • Deployment, to ensure that the necessary preparations have been made, including testing, security, and user acceptance.

    Additionally, during the sprint retrospectives, the team will review their performance and find ways to improve for the next sprint. As a team member, the business analyst helps to identify areas where the team could improve how they are working with requirements and understand how the team can improve communication with stakeholders.

    3.1.1 (Optional) Define Your Agile Requirements RACI

    Estimated Time: 60 Minutes

    1. Identify the project deliverables: The first step is to understand the project deliverables and the tasks that are required to complete them. This will help you to identify the different roles and responsibilities that need to be assigned.
    2. Define the roles and responsibilities: Identify the different roles that will be involved in the project and their associated responsibilities. These roles may include project manager, product owner, development team, stakeholders, and any other relevant parties.
    3. Assign RACI roles: Assign a RACI role to each of the identified tasks. The RACI roles are:
      1. Responsible: the person or team who is responsible for completing the task
      2. Accountable: the person who is accountable for the task being completed on time and to the required standard
      3. Consulted: the people or teams who need to be consulted to ensure the task is completed successfully
      4. Informed: the people or teams who need to be informed of the task's progress and outcome
    4. Create the RACI chart: Use the information gathered in the previous steps to create a matrix or chart that shows the tasks, the roles, and the RACI roles assigned to each task.
    5. Review and refine: Review the RACI chart with the project team and stakeholders to ensure that it accurately reflects the roles and responsibilities of everyone involved. Make any necessary revisions and ensure that all parties understand their roles and responsibilities.
    6. Communicate and implement: Communicate the RACI chart to all relevant parties and ensure that it is used as a reference throughout the project. This will help to ensure that everyone understands their role and that tasks are completed on time and to the required standard.

    Input

    • A list of required tasks and activities
    • A list of stakeholders

    Output

    • A list of defined roles and responsibilities for your project

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    A Case Study in Team Formation

    Industry: Anonymous Organization in the Energy sector
    Source: Interview

    Challenge

    Agile teams were struggling to deliver within a defined sprint, as there were consistent delays in requirements meeting the definition of ready for development. As such, sprints were often delayed, or key requirements were descoped and deferred to a future sprint.

    During a given two-week sprint cycle, the business analyst assigned to the team would be working along multiple horizons, completing elicitation, analysis, and validation, while concurrently supporting the sprint and dealing with stakeholder changes.

    Solution

    As a part of addressing this ongoing pain, a pilot program was run to add a second business analyst to the team.

    The intent was, as one is engaged preparing requirements through elicitation, analysis, and validation for a future sprint, the second is supporting the current sprint cycle, and gaining insights from stakeholders to refine the requirements backlog.

    Essentially, these two were leap-frogging each other in time. At all times, one BA was focused on the present, and one on the future.

    Result

    A happier team, more satisfied stakeholders, and consistent delivery of features and functions by the Agile teams. The pilot team outperformed all other Agile teams in the organization, and the "2 BA" approach was made the new standard.

    Understanding the Agile requirements process

    Shorter cycles make effective requirements management more necessary, not less

    Short development cycles can make requirements management more difficult because they often result in a higher rate of change to the requirements. In a shorter timeframe, there is less time to gather and verify requirements, leading to a higher likelihood of poor or incomplete requirements. Additionally, there may be more pressure to make decisions quickly, which can lead to less thorough analysis and validation of requirements. This can make it more challenging to ensure that the final solution meets the needs of the stakeholders.
    When planning your requirements cycles, it's important to consider;

    • Your sprint logistics (how long?)
    • Your release plan (at the end of every sprint, monthly, quarterly?)
    • How the backlog will be managed (as tickets, on a visual medium, such as a Kanban board?)
    • How will you manage communication?
    • How will you monitor progress?
    • How will future sprint planning happen?

    Info-Tech's Agile requirements framework

    Sprint N(-1)

    Sprint N

    Sprint N(+1)

    An image of Sprint N(-1) An image of Sprint N An image of Sprint N(+1)

    Changes from waterfall to Agile

    Gathering and documenting requirements: Requirements are discovered and refined throughout the project, rather than being gathered and documented up front. This can be difficult for business analysts who are used to working in a waterfall environment where all requirements are gathered and documented before development begins.
    Prioritization of requirements: Requirements are prioritized based on their value to the customer and the team's ability to deliver them. This can be difficult for business analysts who are used to prioritizing requirements based on the client's needs or their own understanding of what is important.

    Defining acceptance criteria: Acceptance criteria are defined for each user story to ensure that the team understands what needs to be delivered. Business analysts need to understand how to write effective acceptance criteria and how to use them to ensure that the team delivers what the customer needs.
    Supporting Testing and QA: The business analyst plays a role in ensuring that testing (and test cases) are completed and of proper quality, as defined in the requirements.

    Managing changing requirements: It is expected that requirements will change throughout the project. Business analysts need to be able to adapt quickly to changing requirements and ensure that the team is aware of the changes and how they will impact the project.
    Collaboration with stakeholders: Requirements are gathered from a variety of stakeholders, including customers, users, and team members. Business analysts need to be able to work effectively with all stakeholders to gather and refine requirements and ensure that the team is building the right product.

    3.1.2 Define your Agile requirements process

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholders to discuss and define your process for requirements management.
    2. Have a team member facilitate the session to define the process. The sample in the Agile Requirements Workbook can be used optionally as a starting point. You can also use any existing processes and procedures as a baseline.
    3. Gain agreement on the process from all involved stakeholders.
    4. Revisit the process periodically to review its performance and make adjustments as needed.

    NOTE: The process is intended to be at a high enough level to leave space and flexibility for team members to adapt and adjust, but at a sufficient depth that everyone understands the process and workflows. In other words, the process will be both flexible and rigid, and the two are not mutually exclusive.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Establish the right level of governance and decision-making

    Establishing the right level of governance and decision making is important in Agile requirements because there is a cost to decision making, as time plays an important factor. Even the failure to decide can have significant impacts.

    Good governance and decision-making practices can help to minimize risks, ensure that requirements are well understood and managed, and that project progress is tracked and reported effectively.

    In Agile environments, this often involves establishing clear roles and responsibilities, implementing effective communication and collaboration practices, and ensuring that decision-making processes are efficient and effective.

    Good requirements management practices can help to ensure that projects are aligned with organizational goals and strategy, that stakeholders' needs are understood and addressed, and that deliverables are of high quality and meet the needs of the business.

    By ensuring that governance and decision-making is effective, organizations can improve the chances of project success, and deliver value to the business. Risks and costs can be mitigated by staying small and nimble.

    Check out Make Your IT Governance Adaptable

    Develop an adaptive governance process

    A pyramid, with the number 4 at the apex, and the number 1 at the base.  In order from base-apex, the following titles are found to the right of the pyramid: Ad-Hoc governance; Controlled Governance; Agile Governance; Embedded/Automated governance.

    Maturing governance is a journey

    Organizations should look to progress in their governance stages. Ad-hoc and controlled governance tends to be slow, expensive, and a poor fit for modern practices.

    The goal as you progress through your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.

    Automate governance for optimal velocity, while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

    A graph charting Trust and empowerment on the x-axis, and Progress Integration on the Y axis.

    Five key principles for building an adaptive governance framework

    Delegate and empower

    Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.

    Define outcomes

    Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.

    Make risk- informed decisions

    Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.

    Embed / automate

    Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.

    Establish standards and behavior

    Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.

    Sufficient decision-making power should be given to your Agile teams

    Push the decision-making process down to your pilot teams.

    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Discuss with the business the level of risk they are willing to accept.
    • Define the level of authority project teams have in making critical decisions.

    "Push the decision making down as far as possible, down to the point where sprint teams completely coordinate all the integration, development, and design. What I push up the management chain is risk taking. [Management] decides what level of risk they are willing to take and [they] demonstrate that by the amount of decision making you push down."
    – Senior Manager, Canadian P&C Insurance Company, Info-Tech Interview

    Step 3.2

    Define Your Level of Acceptable Documentation

    Activities

    3.2.1 Calculate the cost of documentation

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Quantified cost of documentation produced for your Agile project.

    Defining Your Requirements Thresholds

    Right-size Your Documentation

    Why do we need it, and what purpose does it serve?

    Before creating any documentation, consider why; why are you creating documentation, and what purpose is it expected to serve?
    Is it:

    • … to gain approval?
    • … to facilitate decision-making?
    • .. to allow the team to think through a challenge or compare solution options?

    Next, consider what level of documentation would be acceptable and 'enough' for your stakeholders. Recognize that 'enough' will depend on your stakeholder's personal definition and perspective.
    There may also be considerations for maintaining documentation for the purposes of compliance, and auditability in some contexts and industries.
    The point is not to eliminate all documentation, but rather, to question why we're producing it, so that we can create just enough to deliver value.

    "What does the next person need to do their work well, to gain or create a shared understanding?"
    - Filip Hendrickx, Innovating BA and Founder, altershape

    Documentation comes at a cost

    We need to quantify the cost of documentation, against the expected benefit

    All things take time, and that would imply that all things have an inherent cost. We often don't think in these terms, as it's just the work we do, and costs are only associated with activities requiring additional capital expenditure. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    When creating documentation, we are making a decision. There is an opportunity cost of investing time to create, and concurrently, not working on other activities. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    In order to make better informed decisions about the types, quantity and even quality of the documentation we are producing, we need to capture that data. To ensure we are receiving good value for our documentation, we should compare the expected costs to the expected benefits of a sprint or project.

    3.2.1 Calculate the cost of documentation

    Estimated time: as needed

    1. Use this tool to quantify the cost of creating and maintaining current state documentation for your Agile requirements team. It provides an indication, via the Documentation Cost Index, of when your project is documenting excessively, relative to the expected benefits of the sprint or project.
    2. In Step 1, enter the hourly rate for the person (or persons) completing the business analysis function for your Agile team. NB: This does not have to be a person with the title of business analyst. If there are multiple people fulfilling this role, enter the average rate (if their rates are same or similar) or a weighted average (if there is a significant range in the hourly rate)
    3. In Step 2, enter the expected benefit (in $) for the sprint or project.
    4. In Step 3, enter the total number of hours spent on each task/activity during the sprint or project. Use blank spaces as needed to add tasks and activities not listed.
    5. In Step 4, you'll find the Documentation Cost Index, which compares your total documentation cost to the expected benefits. The cell will show green when the value is < 0.8, yellow between 0.8 and 1, and red when >1.
    6. Use the information to plan future sprints and documentation needs, identify opportunities for improvement in your requirements practice, and find balance in "just enough" documentation.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Lack of documentation also comes at a cost

    Lack of documentation can bring costs to Agile projects in a few different ways.

    • Onboarding new team members
    • Improving efficiency
    • Knowledge management
    • Auditing and compliance
    • Project visibility
    • Maintaining code

    Info-Tech Insight

    Re-using deliverables (documentation, process, product, etc.) is important in maintaining the velocity of work. If you find yourself constantly recreating your current state documentation at the start of a project, it's hard to deliver with agility.

    Step 3.3

    Manage Requirements as an Asset

    Activities

    3.3.1 Discuss your current perspectives on requirements as assets

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Awareness of the value in, and tactics for enabling effective management of requirements as assets

    Defining Your Requirements Thresholds

    What do we mean by "assets"?

    And when do requirements become assets?

    In order to delivery with agility, you need to maximize the re-usability of artifacts. These artifacts could take the form of current state documentation, user stories, test cases, and yes, even requirements for re-use.
    Think of it like a library for understanding where your organization is today. Understanding the people, processes, and technology, in one convenient location. These artifacts become assets when we choose to retain them, rather than discard them at the end of a project, when we think they'll no longer be needed.
    And just like finding a single book in a vast library, we need to ensure our assets can be found when we need them. And this means making them searchable.
    We can do this by establishing criteria for requirements and artifact reuse;

    • What business need and benefit is it aligned to?
    • What metadata needs to be attached, related to source, status, subject, author, permissions, type, etc.?
    • Where will it be stored for ease of retrieval?

    Info-Tech Insight

    When writing requirements for products or services, write them for the need first, and not simply for what is changing.

    The benefits of managing requirements as assets

    Retention of knowledge in a knowledge base that allows the team to retain current business requirements, process documentation, business rules, and any other relevant information.
    A clearly defined scope to reduce stakeholder, business, and compliance conflicts.
    Impact analysis of changes to the current organizational assets.

    Source: Requirement Engineering Magazine, 2017.

    A case study in creating an asset repository

    Industry: Anonymous Organization in the Government sector
    Source: Interview

    Challenge

    A large government organization faced a challenge with managing requirements, processes, and project artifacts with any consistency.

    Historically, their documentation was lacking, with multiple versions existing in email sent folders and manila folders no one could find. Confirming the current state at any given time meant the heavy lift of re-documenting and validating, so that effort was avoided for an excessive period.

    Then there was a request for audit and compliance, to review their existing documentation practices. With nothing concrete to show, drastic recommendations were made to ensure this practice would end.

    Solution

    A small but effective team was created to compile and (if not available) document all existing project and product documentation, including processes, requirements, artifacts, business cases, etc.

    A single repository was built and demonstrated to key stakeholders to ensure it would satisfy the needs of the audit and compliance group.

    Result

    A single source of truth for the organization, which was;

    • Accessible (view access to the entire organization).
    • Transparent (anyone could see and understand the process and requirements as intended).
    • A baseline for continuous improvement, as it was clear what the one defined "best way" was.
    • Current, where no one retained current documentation outside of this library.

    3.3.1 Discuss your current perspectives on requirements as assets

    Estimated time: 30 Minutes

    1. Gather all relevant stakeholder to share perspectives on the use of requirements as assets, historically in the organization.
    2. Have a team member facilitate the session. It is optional to document the findings.
    3. After looking at the historical use of requirements as assets, discuss the potential uses, benefits, and drawbacks of managing as assets in the target state.

    Input

    • Participant knowledge and experience

    Output

    • A shared perspective and history on requirements as assets

    Materials

    • A method for data capture (optional)

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Apply changes to baseline documentation

    Baseline + Release Changes = New Baseline

    • Start from baseline documentation dramatically to reduce cost and risk
    • Treat all scope as changes to baseline requirements
    • Sum of changes in the release scope
    • Sum of changes and original baseline becomes the new baseline
    • May take additional time and effort to maintain accurate baseline

    What is the right tool?

    While an Excel spreadsheet is great to start off, its limitations will become apparent as your product delivery process becomes more complex. Look at these solutions to continue your journey in managing your Agile requirements:

    Step 3.4

    Define Your Requirements Change Management Plan

    Activities

    3.4.1 Triage your requirements

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • An approach for determining the appropriate level of governance over changes to requirements.

    Expect and embrace change

    In Agile development, change is expected and embraced. Instead of trying to rigidly follow a plan that may become outdated, Agile teams focus on regularly reassessing their priorities and adapting their plans accordingly. This means that the requirements can change often, and it's important for the team to have a process in place for managing these changes.

    A common approach to managing change in Agile is to use a technique called "backlog refinement." Where previously we populated our backlog with requirements to get them ready for development and deployment, this involves regularly reviewing and updating the list of work to be done. The team will prioritize the items on the evolving backlog, and the prioritized items will be worked on during the next sprint. This allows the team to quickly respond to changes in requirements and stay focused on the most important work.

    Another key aspect of managing change in Agile is effective communication. The team should have regular meetings, such as daily stand-up meetings or weekly sprint planning meetings, to discuss any changes in requirements and ensure that everyone is on the same page.

    Best practices in change and backlog refinement

    Communicate

    Clearly communicate your change process, criteria, and any techniques, tools, and templates that are part of your approach.

    Understand impacts/risks

    Maintain consistent control and communication and ensure that an impact assessment is completed. This is key to managing risks.

    Leverage tools

    Leverage tools when you have them available. This could be a Requirements Management system, a defect/change log, or even by turning on "track changes" in your documents.

    Cross-reference

    For every change, define the source of the change, the reason for the change, key dates for decisions, and any supporting documentation.

    Communicate the reason, and stay on message throughout the change

    Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

    • The change message should:
    • Explain why the change is needed.
    • Summarize the things that will stay the same.
    • Highlight the things that will be left behind.
    • Emphasize the things that are being changed.
    • Explain how the change will be implemented.
    • Address how the change will affect the various roles in the organization.
    • Discuss staff's role in making the change successful.

    The five elements of communicating the reason for the change:

    An image of a cycle, including the five elements for communicating the reason for change.  these include: What will the role be for each department and individual?; What is the change?; Why are we doing it?; How are we going to go about it?; How long will it take us?

    How to make the management of changes more effective

    Key decisions and considerations

    How will changes to requirements be codified?
    How will intake happen?

    • What is the submission process?
    • Who has approval to submit?
    • What information is needed to submit a request?

    How will potential changes be triaged and evaluated?

    • What criteria will be used to assess the impact and urgency of the potential change?
    • How will you treat material and non-material changes?

    What is the review and approval process?

    • How will acceptance or rejection status be communicated to the submitter?

    3.4.1 Triage Your requirements

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact.  To the right of the image, are text boxes elaborating on each heading.

    If there's no material impact, update and move on

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Validate change; Update requirements; Track change (log); Package and communicate

    Material changes require oversight and approval

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Define impact; Revise; Change control needed?; Implement change.

    Planning Your Next Steps

    Phase 4

    Planning Your Next Steps

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Completing Your Agile Requirements Playbook
    • EXERCISE: Capability Gap List

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 4.1

    Preparing New Ways of Working

    Activities

    4.1.1 Define your communication plan

    Planning Your Next Steps

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Recognize the changes required on the team and within the broader organization, to bring stakeholders on board.

    How we do requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    Emphasizing flexibility: In Agile organizations, there is a greater emphasis on flexibility and the ability to adapt to change. This means that requirements may evolve over time and may not be fully defined at the beginning of the project.
    Enabling continuous delivery: Agile organizations often use continuous delivery methods, which means that new features and functionality are delivered to users on a regular basis. This requires a more iterative approach to requirements management, as new requirements may be identified and prioritized during the delivery process.
    Enhancing collaboration and communication: Agile organizations place a greater emphasis on collaboration and communication between team members, stakeholders, and customers.
    Developing a user-centered approach: Agile organizations often take a user-centered approach to requirements gathering, which means that the needs and goals of the end-user are prioritized.

    Change within the team, and in the broader organization

    How to build an effective blend Agile and requirements management

    Within the team

    • Meetings should happen as needed
    • Handoffs should be clear and concise
    • Interactions should add value
    • Stand-ups should similarly add value, and shouldn't be for status updates

    Within the organization

    • PMO inclusion, to ensure alignment across the organization
    • Business/Operating areas, to recognize what they are committing to for time, resources, etc.
    • Finance, for how your project or product is funded
    • Governance and oversight, to ensure velocity is maintained

    "Whether in an Agile environment or not, collaboration and relationships are still required and important…how you collaborate, communicate, and how you build relationships are key."
    - Paula Bell, CEO, Paula A. Bell Consulting

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of successful Agile requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant amounts of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    4.1.1 Define your communication plan

    Estimated time: 60 Minutes

      1. Gather all relevant stakeholder to create a communication plan for project or product stakeholders.
      2. Have a team member facilitate the session.
      3. Identify
      4. ;
        1. Each stakeholder
        2. The nature of information they are interested in
        3. The channel or medium best to communicate with them
        4. The frequency of communication
      5. (Optional) Consider validating the results with the stakeholders, if not present.
      6. Document the results in the Agile Requirements Workbook and include in Agile Requirements Playbook.
      7. Revisit as needed, whether at the beginning of a new initiative, or over time, to ensure the content is still valid.

    Input

    • Participant knowledge and experience

    Output

    • A plan for communicating with stakeholders

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team

    Step 4.2

    Develop a Roadmap for Next Steps

    Activities

    4.2.1 Develop your Agile requirements action plan

    4.2.2 Prioritize with now, next, later

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A comprehensive and prioritized list of opportunities and improvements to be made to mature the Agile requirements practice.

    Planning Your Next Steps

    Identify opportunities to improve and close gaps

    Maturing at multiple levels

    With a mindset of continuous improvement, there is always some way we can get better.

    As you mature your Agile requirements practice, recognize that those gaps for improvement can come from multiple levels, from the organizational down to the individual.

    Each level will bring challenges and opportunities.

    The organization

    • Organizational culture
    • Organizational behavior
    • Political will
    • Unsupportive stakeholders

    The team

    • Current ways of working
    • Team standards, norms and values

    The individual

    • Practitioner skills
    • Practitioner experience
    • Level of training received

    Make sure your organization is ready to transition to Agile requirements management

    A cycle is depicted, with the following Terms: Learning; Automation; Integrated teams; Metrics and governance; Culture.

    Learning:

    Agile is a radical change in how people work
    and think. Structured, facilitated learning is required throughout the transformation to
    help leaders and practitioners go from

    doing Agile to being Agile.

    Automation:

    While Agile is tool-agnostic at its roots, Agile work management tools and DevOps inspired SDLC tools that have become a key part of Agile practices.

    Integrated Teams:


    While temporary project teams can get some benefits from Agile, standing, self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of Agile.

    Metrics and Governance:

    Successful Agile implementations
    require the disciplined use

    of delivery and operations
    metrics that support governance focused on developing better teams.

    Culture:

    Agile teams believe that value is best created by standing, self-organizing cross-functional teams who deliver sustainably in frequent,
    short increments supported by leaders
    who coach them through challenges.

    Info-Tech Insight

    Agile gaps may only have a short-term, perceived benefit. For example, coding without a team mindset can allow for maximum speed to market for a seasoned developer. Post-deployment maintenance initiatives, however, often lock the single developer as no one else understands the rationale for the decisions that were made.

    4.2.1 Develop your Agile requirements action plan

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholder to create a road map and action plan for requirements management.
    2. Have a team member facilitate the session using the results of the Agile Requirements Maturity Assessment.
    3. Identify gaps from current to future state and brainstorm possible actions that can be taken to address those gaps. Resist the urge to analyze or discuss the feasibility of each idea at this stage. The intent is idea generation.
    4. When the group has exhausted all ideas, the facilitator should group like ideas together, with support from participants. Discuss any ideas that are unclear or ambiguous.
    5. Document the results in the Agile Requirements Workbook.

    Note: the feasibility and timing of the ideas will happen in the following "Now, Next, Later" exercise.

    Prioritize your roadmap

    Taking steps to mature your Agile requirements practice.

    An image of the Now; Next; Later technique.

    The "Now, Next, Later" technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • "Now" tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • "Next" tasks are those that should be completed soon. These tasks are not as critical as "now" tasks, but they are still important and should be tackled relatively soon.
    • "Later" tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks first, while also allowing for flexibility and the ability to adjust plans as necessary.
    This process also helps you get a clear picture on what needs to be done first and what can be done later. This way you can work on the most important things first, and keep track of what you need to do next, for keeping the development/improvement process smooth and efficient.

    Monitor your progress

    Monitoring progress is important in achieving your target state. Be deliberate with your actions, to continue to mature your Agile requirements practice.

    As you navigate toward your target state, continue to monitor your progress, your successes, and your challenges. As your Agile requirements practice matures, you should see improvements in the stated metrics below.

    Establish a cadence to review these metrics, as well as how you are progressing on your roadmap, against the plan.

    This is not about adding work, but rather, about ensuring you're heading in the right direction; finding the balance in your Agile requirements practice.

    Metric
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value.
    Requirements rework Measures the quality of requirements from your Agile projects. Expect that the requirements rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management.
    Time to delivery Balancing metric. We don't want improvements in other at the expense of time to delivery.

    Appendix

    Research Contributors and Experts

    This is a picture of Emal Bariali

    Emal Bariali
    Business Architect & Business Analyst
    Bariali Consulting

    Emal Bariali is a Senior Business Analyst and Business Architect with 17 years of experience, executing nearly 20 projects. He has experience in both waterfall and Agile methodologies and has delivered solutions in a variety of forms, including custom builds and turnkey projects. He holds a Master's degree in Information Systems from the University of Toronto, a Bachelor's degree in Information Technology from York University, and a post-diploma in Software & Database Development from Seneca College.

    This is a picture of Paula Bell

    Paula Bell
    Paula A. Bell Consulting, LLC

    Paula Bell is the CEO of Paula A Bell Consulting, LLC. She is a Business Analyst, Leadership and Career Development coach, consultant, speaker, and author with 21+ years of experience in corporate America in project roles including business analyst, requirements manager, business initiatives manager, business process quality manager, technical writer, project manager, developer, test lead, and implementation lead. Paula has experience in a variety of industries including media, courts, manufacturing, and financial. Paula has led multiple highly-visible multi-million-dollar technology and business projects to create solutions to transform businesses as either a consultant, senior business analyst, or manager.

    Currently she is Director of Operations for Bridging the Gap, where she oversees the entire operation and their main flagship certification program.

    This is a picture of Ryan Folster

    Ryan Folster
    Consulting Services Manager, Business Analysis
    Dimension Data

    Ryan Folster is a Business Analyst Lead and Product Professional from Johannesburg, South Africa. His strong focus on innovation and his involvement in the business analysis community have seen Ryan develop professionally from a small company, serving a small number of users, to large multi-national organizations. Having merged into business analysis through the business domain, Ryan has developed a firm grounding and provides context to the methodologies applied to clients and projects he is working on. Ryan has gained exposure to the Human Resources, Asset Management, and Financial Services sectors, working on projects that span from Enterprise Line of Business Software to BI and Compliance.

    Ryan is also heavily involved in the local chapter of IIBA®; having previously served as the chapter president, he currently serves as a non-executive board member. Ryan is passionate about the role a Business Analyst plays within an organization and is a firm believer that the role will develop further in the future and become a crucial aspect of any successful business.

    This is a picture of Filip Hendrickx

    Filip Hendrickx
    Innovating BA, Visiting Professor @ VUB
    altershape

    Filip loves bridging business analysis and innovation and mixes both in his work as speaker, trainer, coach, and consultant.

    As co-founder of the BA & Beyond Conference and IIBA Brussels Chapter president, Filip helps support the BA profession and grow the BA community in and around Belgium. For these activities, Filip received the 2022 IIBA® EMEA Region Volunteer of the Year Award.

    Together with Ian Richards, Filip is the author ofBrainy Glue, a business novel on business analysis, innovation and change. Filip is also co-author of the BCS book Digital Product Management and Cycles, a book, method and toolkit enabling faster innovation.

    This is a picture of Fabricio Laguna

    Fabricio Laguna
    Professional Speaker, Consultant, and Trainer
    TheBrazilianBA.com

    Fabrício Laguna, aka The Brazilian BA, is the main reference on business analysis in Brazil. Author and producer of videos, articles, classes, lectures, and playful content, he can explain complex things in a simple and easy-to-understand way. IIBA Brazil Chapter president between 2012-2022. CBAP, AAC, CPOA, PMP, MBA. Consultant and instructor for more than 25 years working with business analysis, methodology, solution development, systems analysis, project management, business architecture, and systems architecture. His online courses are approved by students from 65 countries.

    This is a picture of Ryland Leyton

    Ryland Leyton
    Business Analyst and Agile Coach
    Independent Consultant

    Ryland Leyton, CBAP, PMP, CSM, is an avid Agile advocate and coach, business analyst, author, speaker, and educator. He has worked in the technology sector since 1998, starting off with database and web programming, gradually moving through project management and finding his passion in the BA and Agile fields. He has been a core team member of the IIBA Extension to the BABOK and the IIBA Agile Analysis Certification. Ryland has written popular books on agility, business analysis, and career. He can be reached at www.RylandLeyton.com.

    This is a picture of Steve Jones

    Steve Jones
    Supervisor, Market Support Business Analysis
    ISO New England

    Steve is a passionate analyst and BA manager with more than 20 years of experience in improving processes, services and software, working across all areas of software development lifecycle, business change and business analysis. He rejoices in solving complex business problems and increasing process reproducibility and compliance through the application of business analysis tools and techniques.

    Steve is currently serving as VP of Education for IIBA Hartford. He is a CBAP, certified SAFe Product Owner/Product Manager, Six Sigma Green Belt, and holds an MS in Information Management and Communications.

    This is a picture of Angela Wick

    Angela Wick
    Founder
    BA-Squared and BA-Cube

    Founder of BA-Squared and BA-Cube.com, Angela is passionate about teaching practical, modern product ownership and BA skills. With over 20 years' experience she takes BA skills to the next level and into the future!
    Angela is also a LinkedIn Learning instructor on Agile product ownership and business analysis, an IC-Agile Authorized Trainer, Product Owner and BA highly-rated trainer, highly-rated speaker, sought-after workshop facilitator, and contributor to many industry publications, including:

    • IIBA BABOK v3 Core Team, leading author on the BABOK v3
    • Expert Reviewer, IIBA Agile Extension to the BABOK
    • PMI BA Practice Guide – Expert Reviewer
    • PMI Requirements Management Practice Guide – Expert Reviewer
    • IIBA Competency Model – Lead Author and Team Lead, V1, V2, and V3.

    This is a picture of Rachael Wilterdink

    Rachael Wilterdink
    Principal Consultant
    Infotech Enterprises

    Rachael Wilterdink is a Principal Consultant with Infotech Enterprises. With over 25 years of IT experience, she holds multiple business analysis and Agile certifications. As a consultant, Rachael has served clients in the financial, retail, manufacturing, healthcare, government, non-profit, and insurance industries. Giving back to the professional community, Ms. Wilterdink served on the boards of her local IIBA® and PMI® chapters. As a passionate public speaker, Rachael presents various topics at conferences and user groups across the country and the world. Rachael is also the author of the popular eBook "40 Agile Transformation Pain Points (and how to avoid or manage them)."

    Bibliography

    "2021 Business Agility Report: Rising to the Challenge." Business Agility, 2021. Accessed 13 June 2022.
    Axure. "The Pitfalls of Agile and How We Got Here". Axure. Accessed 14 November 2022.
    Beck, Kent, et al. "Manifesto for Agile Software Development." Agilemanifesto. 2001.
    Brock, Jon, et al. "Large-Scale IT Projects: From Nightmare to Value Creation." BCG, 25 May 2015.
    Bryar, Colin and Bill Carr. "Have We Taken Agile Too Far?" Harvard Business Review, 9 April 2021. Accessed 11 November, 2022.
    Clarke, Thomas. "When Agile Isn't Responsive to Business Goals" RCG Global Services, Accessed 14 November 2022.
    Digital.ai "The 15th State of Agile Report". Digital.ai. Accessed 21 November 2022.
    Hackshall, Robin. "Product Backlog Refinement." Scrum Alliance. 9 Oct. 2014.
    Hartman, Bob. "New to Agile? INVEST in good user stories." Agile For All.
    IAG Consulting. "Business Analysis Benchmark: Full Report." IAG Consulting, 2009.
    Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce. 18 May 2018
    KPMG. Agile Transformation (2019 Survey on Agility). KPMG. Accessed November 29.
    Laguna, Fabricio "REQM guidance matrix: A framework to drive requirements management", Requirements Engineering Magazine. 12 September 2017. Accessed 10 November 2022.
    Miller, G. J. (2013). Agile problems, challenges, & failures. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.
    Product Management: MoSCoW Prioritization." ProductPlan, n.d. Web.
    Podeswa, Howard "The Business Case for Agile Business Analysis" Requirements Engineering Magazine. 21 February 2017. Accessed 7 November 2022.
    PPM Express. "Why Projects Fail: Business Analysis is the Key". PPM Express. Accessed 16 November 2022.
    Reifer, Donald J. "Quantitative Analysis of Agile Methods Study: Twelve Major Findings." InfoQ, 6 February, 2017.
    Royce, Dr. Winston W. "Managing the Development of Large Software Systems." Scf.usc.edu. 1970. (royce1970.pdf (usc.edu))
    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education. 2012.
    Singer, Michael. "15+ Surprising Agile Statistics: Everything You Need To Know About Agile Management". Enterprise Apps Today. 22 August 2022.
    The Standish Group. The Chaos Report, 2015. The Standish Group.

    Where do I go next?

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Make the Case for Product Delivery

    Align your organization on the practices to deliver what matters most.

    Requirements for Small and Medium Enterprises

    Right-size the guidelines of your requirements gathering process.

    Implement Agile Practices that Work

    Improve collaboration and transparency with the business to minimize project failure.

    Create an Agile-Friendly Gating and Governance Model

    Use Info-Tech's Agile Gating Framework as a guide to gating your Agile projects following a "trust but verify" approach.

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Prepare Your Application for PaaS

    • Buy Link or Shortcode: {j2store}181|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • The application may have been written a long time ago, and have source code, knowledge base, or design principles misplaced or lacking, which makes it difficult to understand the design and build.
    • The development team does not have a standardized practice for assessing cloud benefits and architecture, design principles for redesigning an application, or performing capacity for planning activities.

    Our Advice

    Critical Insight

    • An infrastructure-driven cloud strategy overlooks application specific complexities. Ensure that an application portfolio strategy is a precursor to determining the business value gained from an application perspective, not just an infrastructure perspective.
    • Business value assessment must be the core of your decision to migrate and justify the development effort.
    • Right-size your application to predict future usage and minimize unplanned expenses. This ensures that you are truly benefiting from the tier costing model that vendors offer.

    Impact and Result

    • Identify and evaluate what cloud benefits your application can leverage and the business value generated as a result of migrating your application to the cloud.
    • Use Info-Tech’s approach to building a robust application that can leverage scalability, availability, and performance benefits while maintaining the functions and features that the application currently supports for the business.
    • Standardize and strengthen your performance testing practices and capacity planning activities to build a strong current state assessment.
    • Use Info-Tech’s elaboration of the 12-factor app to build a clear and robust cloud profile and target state for your application.
    • Leverage Info-Tech’s cloud requirements model to assess the impact of cloud on different requirements patterns.

    Prepare Your Application for PaaS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a right-sized, design-driven approach to moving your application to a PaaS platform, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Prepare Your Application for PaaS – Phases 1-2

    1. Create your cloud application profile

    Bring the business into the room, align your objectives for choosing certain cloud capabilities, and characterize your ideal PaaS environment as a result of your understanding of what the business is trying to achieve. Understand how to right-size your application in the cloud to maintain or improve its performance.

    • Prepare Your Application for PaaS – Phase 1: Create Your Cloud Application Profile
    • Cloud Profile Tool

    2. Evaluate design changes for your application

    Assess the application against Info-Tech’s design scorecard to evaluate the right design approach to migrating the application to PaaS. Pick the appropriate cloud path and begin the first step to migrating your app – gathering your requirements.

    • Prepare Your Application for PaaS – Phase 2: Evaluate Design Changes for Your Application
    • Cloud Design Scorecard Tool

    [infographic]

     
     

    Build Resilience Against Ransomware Attacks

    • Buy Link or Shortcode: {j2store}317|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $68,467 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

    Our Advice

    Critical Insight

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Impact and Result

    • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Build Resilience Against Ransomware Attacks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Resilience Against Ransomware Attacks

    Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

    • Build Resilience Against Ransomware Attacks – Phases 1-4

    2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

    Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

    • Ransomware Resilience Assessment

    3. Threat Preparedness Workbook – Improve protection and detection capabilities.

    Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and device appropriate countermeasures.

    • Enterprise Threat Preparedness Workbook

    4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

    Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

    • Tabletop Exercise – Internal (Ransomware Template)
    • Ransomware Tabletop Planning Results – Example (Visio)
    • Ransomware Tabletop Planning Results – Example (PDF)

    5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

    Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

    • Ransomware Response Runbook Template
    • Ransomware Response Workflow Template (Visio)
    • Ransomware Response Workflow Template (PDF)

    6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

    Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

    • Tabletop Exercise – Extended (Ransomware Template)
    • Leadership Guide for Extended Ransomware

    7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

    Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.

    • Ransomware Resilience Summary Presentation

    Infographic

    Workshop: Build Resilience Against Ransomware Attacks

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Ransomware Resilience

    The Purpose

    Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

    Key Benefits Achieved

    Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.

    Complete a current state assessment of key security controls in a ransomware context.

    Activities

    1.1 Review incidents, challenges, and project drivers.

    1.2 Diagram critical systems and dependencies and build risk scenario.

    1.3 Assess ransomware resilience.

    Outputs

    Workshop goals

    Ransomware Risk Scenario

    Ransomware Resilience Assessment

    2 Protect and Detect

    The Purpose

    Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

    Key Benefits Achieved

    Identify targeted countermeasures that improve protection and detection capabilities.

    Activities

    2.1 Assess ransomware threat preparedness.

    2.2 Determine the impact of ransomware techniques on your environment.

    2.3 Identify countermeasures to improve protection and detection capabilities.

    Outputs

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    3 Respond and Recover

    The Purpose

    · Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

    Key Benefits Achieved

    Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

    Activities

    3.1 Review the workflow and runbook templates.

    3.2 Update/define your threat escalation protocol.

    3.3 Define scenarios for a range of incidents.

    3.4 Run a tabletop planning exercise (IT).

    3.5 Update your ransomware response runbook.

    Outputs

    Security Incident Response Plan Assessment.

    Tabletop Planning Session (IT)

    Ransomware Workflow and Runbook.

    4 Improve Ransomware Resilience.

    The Purpose

    Identify prioritized initiatives to improve ransomware resilience.

    Key Benefits Achieved

    Identify the role of leadership in ransomware response and recovery.

    Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

    Activities

    4.1 Run a tabletop planning exercise (Leadership).

    4.2 Identify initiatives to close gaps and improve resilience.

    4.3 Review broader strategies to improve your overall security program.

    4.4 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.5 Review the dashboard to fine tune your roadmap.

    4.6 Summarize status and next steps in an executive presentation.

    Outputs

    Tabletop Planning Session (Leadership)

    Ransomware Resilience Roadmap and Metrics

    Ransomware Workflow and Runbook

    Further reading

    Build Ransomware Resilience

    Prevent ransomware incursions and defend against ransomware attacks

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Ransomware is a high-profile threat that demands immediate attention:

    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
    • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

    Common Obstacles

    Ransomware is more complex than other security threats:

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Info-Tech's Approach

    To prevent a ransomware attack:

    • Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Info-Tech Insight

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

    Analyst Perspective

    Ransomware is an opportunity and a challenge.

    As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

    The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

    Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

    This is an image of Michael Hébert

    Michel Hébert
    Research Director, Security and Privacy
    Info-Tech Research Group

    Ransomware attacks are on the rise and evolving quickly.

    Three factors contribute to the threat:

    • The rise of ransomware-as-a-service, which facilitates attacks.
    • The rise of crypto-currency, which facilitates anonymous payment.
    • State sponsorship of cybercrime.

    Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

    A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

    Total ransom money collected (2015 – 2021): USD 2,592,889,121

    This image contains a bubble plot graph showing the total ransom money collected between the years 2015 - 2021.

    The frequency and impact of ransomware attacks are increasing

    Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

    Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

    The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

    66%
    Hit by ransomware in 2021
    (up from 37% in 2020)

    90%
    Ransomware attack affected their ability to operate

    $812,360 USD
    Average ransom payment

    $4.54M
    Average remediation cost (not including ransom)

    ONE MONTH
    Average recovery time

    Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

    Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

    While these elements can help recover from an attack, they don't prevent it in the first place.

    Source: Sophos, State of Ransomware (2022)
    IBM, Cost of A Data Breach (2022)

    The 3-step ransomware attack playbook

    • Get in
    • Spread
    • Profit

    At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

    Resilient organizations look for opportunities to:

    • Learn from incursions
    • Disrupt the playbook
    • Measure effectiveness

    Initial access

    Execution

    Privilege Escalation

    Credential Access

    Lateral Movement

    Collection

    Data Exfiltration

    Data encryption

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network and collect data.

    Infect as many critical systems and backups as possible to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Ransomware is more complex than other security threats

    Ransomware groups thrive through extortion tactics.

    • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
    • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
    • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

    Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

    Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

    • Detection and Response – Activities that enable detection, containment, eradication and recovery.
    • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
    • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
    • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

    Source: IBM, Cost of a Data Breach (2022)

    Disrupt the attack each stage of the attack workflow.

    An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

    Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

    Shortening dwell time requires better protection and detection

    Ransomware dwell times and average encryption rates are improving dramatically.

    Hackers spend less time in your network before they attack, and their attacks are much more effective.

    Avg dwell time
    3-5 Days

    Avg encryption rate
    70 GB/h

    Avg detection time
    11 Days

    What is dwell time and why does it matter?

    Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

    Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

    Dwell times are dropping, and encryption rates are increasing.

    It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

    References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

    Resilience depends in part on response and recovery capabilities

    This blueprint will focus on improving your ransomware resilience to:

    • Protect against ransomware.
    • Detect incursions.
    • Respond and recovery effectively.

    Response

    Recovery

    This image depicts the pathway for response and recovery from a ransomware event.

    For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    This image contains the thought map for Info-Tech's Blueprint: Build Resilience Against Ransomware Attacks.

    Info-Tech's ransomware resilience methodology

    Assess resilience Protect and detect Respond and recover Improve resilience
    Phase steps
    1. Build ransomware risk scenario
    2. Conduct resilience assessment
    1. Assess attack vectors
    2. Identify countermeasures
    1. Review Security Incident Management Plan
    2. Run Tabletop Test (IT)
    3. Document Workflow and Runbook
    1. Run Tabletop Test (Leadership)
    2. Prioritize Resilience Initiatives
    Phase outcomes
    • Ransomware Resilience Assessment
    • Risk Scenario
    • Targeted ransomware countermeasures to improve protection and detection capabilities
    • Security Incident Response Plan Assessment
    • Tabletop Test (IT)
    • Ransomware Workflow and Runbook
    • Tabletop Test (Leadership)
    • Ransomware Resilience Roadmap & Metrics

    Insight Summary

    Shift to a ransomware resilience model

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

    Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly

    Visualize challenges

    Build risk scenarios that describe how a ransomware attack would impact organizational goals.

    Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

    Prioritize protection

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    Seize the moment

    The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

    Measure ransomware resilience

    The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

    Key deliverable

    Ransomware resilience roadmap

    The resilience roadmap captures the key insights your work will generate, including:

    • An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
    • The lessons learned from building and testing the ransomware response workflow and runbook.
    • The controls you need to implement to measure and improve your ransomware resilience over time.

    Project deliverables

    Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

    Ransomware Resilience Assessment

    Measure ransomware resilience, identify gaps, and draft initiatives.

    Enterprise Threat Preparedness Workbook

    Analyze common ransomware techniques and develop countermeasures.

    Ransomware Response Workflow & Runbook

    Capture key process steps for ransomware response and recovery.

    Ransomware Tabletop Tests

    Run tabletops for your IT team and your leadership team to gather lessons learned.

    Ransomware Resilience Roadmap

    Capture project insights and measure resilience over time.

    Plan now or pay later

    Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

    Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

    Source: IBM, Cost of a Data Breach (2022)

    See what members have to say about the ransomware resilience blueprint:

    • Overall Impact: 9.8 / 10
    • Average $ Saved: $98,796
    • Average Days Saved: 17

    "Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

    CIO, Global Manufacturing Organization

    Blueprint benefits

    IT benefits

    Business benefits

    • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
    • Create a practical ransomware incident response plan that combines a high-level workflow with a detailed runbook to coordinate response and recovery.
    • Present an executive-friendly project roadmap with resilience metrics that summarizes your plan to address gaps and improve your security posture.
    • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
    • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
    • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or a combination of these.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Executive brief case study

    SOURCE: Interview with CIO of large enterprise

    Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

    Challenge

    In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it had a copy on an unaffected server.

    Resolution

    The organization was praised for its timely and transparent response.

    The breach motivated the organization to put more protections in place, including:

    • The implementation of a deny-by-default network.
    • The elimination of remote desktop protocol and secure shell.
    • IT mandating MFA.
    • New endpoint-detection and response systems.

    Executive brief case study

    SOURCE: Info-Tech Workshop Results
    iNDUSTRY: Government

    Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

    The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they still had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they had didn't have a documented ransomware incident response plan.

    Workshop results

    Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identify key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve the organizational awareness ransomware risks and improve buy-in for investment in the security program.

    Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identifies ways to improve the backup strategy and bridge further gaps in their ability to recover.

    The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

    Guided implementation

    What kind of analyst experiences do clients have when working through this blueprint?

    Scoping Call Phase 1 Phase 2 Phase 3 Phase 4

    Call #1:

    Discuss context, identify challenges, and scope project requirements.

    Identify ransomware resilience metrics.

    Call #2:

    Build ransomware risk scenario.

    Call #4:

    Review common ransomware attack vectors.

    Identify and assess mitigation controls.

    Call #5:

    Document ransomware workflow and runbook.

    Call #7:

    Run tabletop test with leadership.

    Call #3:

    Assess ransomware resilience.

    Call #6:

    Run tabletop test with IT.

    Call #8:

    Build ransomware roadmap.

    Measure ransomware resilience metrics.

    A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities

    Assess ransomware resilience

    Protect and detect

    Respond and recover

    Improve ransomware resilience

    Wrap-up (offsite and offline)

    1.1 1 Review incidents, challenges, and project drivers.

    1.1.2 Diagram critical systems and dependencies.

    1.1.3 Build ransomware risk scenario.

    2.1 1. Assess ransomware threat preparedness.

    2.2 2. Determine the impact of ransomware techniques on your environment.

    2.3 3. Identify countermeasures to improve protection and detection capabilities.

    3.1.1 Review the workflow and runbook templates.

    3.1.2 Update/define your threat escalation protocol.

    3.2.1 Define scenarios for a range of incidents.

    3.2.2 Run a tabletop planning exercise (IT).

    3.3.1 Update your ransomware response workflow.

    4.1.1 Run a tabletop planning exercise (leadership).

    4.1.2 Identify initiatives to close gaps and improve resilience.

    4.1.3 Review broader strategies to improve your overall security program.

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.2.2 Review the dashboard to fine tune your roadmap.

    4.3.1 Summarize status and next steps in an executive presentation.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    5.3 Revisit ransomware resilience metrics in three months.

    Deliverables
    1. Workshop goals
    2. Ransomware Risk Scenario
    3. Ransomware Resilience Assessment
    1. Targeted ransomware countermeasures to improve protection and detection capabilities.
    1. Security Incident Response Plan Assessment
    2. Tabletop Planning Session (IT)
    3. Ransomware Workflow and Runbook
    1. Tabletop Planning Session (Leadership)
    2. Ransomware Resilience Roadmap and Metrics
    3. Ransomware Summary Presentation
    1. Completed Ransomware Resilience Roadmap
    2. Ransomware Resilience Assessment
    3. Ransomware Resilience Summary Presentation

    Phase 1

    Assess ransomware resilience

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Conducting a maturity assessment.
    • Reviewing selected systems and dependencies.
    • Assessing a ransomware risk scenario.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 1.1

    Build ransomware risk scenario

    Activities

    1.1.1 Review incidents, challenges and project drivers

    1.1.2 Diagram critical systems and dependencies

    1.1.3 Build ransomware risk scenario

    Assess ransomware resilience

    This step will guide you through the following activities:

    • Reviewing incidents, challenges, and drivers.
    • Diagraming critical systems and dependencies.
    • Building a ransomware risk scenario.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-Matter Experts

    Outcomes of this step

    • Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
    • Build a ransomware risk scenario to assess the likelihood and impact of an attack.

    1.1.1 Review incidents, challenges, and project drivers

    1 hour

    Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

    Past incidents and other drivers

    • Past incidents (be specific):
      • Past security incidents (ransomware and other)
      • Close calls (e.g. partial breach detected before damage done)
    • Audit findings
    • Events in the news
    • Other?

    Security challenges

    • Absent or weak policies
    • Lack of security awareness
    • Budget limitations
    • Other?

    Input

    • Understanding of existing security capability and past incidents.

    Output

    • Documentation of past incidents and challenges.
    • Level-setting across the team regarding challenges and drivers.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.2 Diagram critical systems and dependencies (1)

    1 hour

    Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

    Focus on a few key critical systems.

    1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
      1. Key applications that support critical business operations.
      2. Databases that support multiple key applications.
      3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
    2. Select five to ten systems from the list.
      1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
      2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    1.1.2 Diagram critical systems and dependencies (2)

    1 hour

    1. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

    Start with a WAN diagram, then your production data center, and then each critical
    system. Use the next three slides as your guide.

    Notes:

    • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
    • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    For your WAN diagram, focus on data center and business locations

    Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

    This image contains a nexample of a High level Network Diagram.

    Diagram your production data center to provide context for the systems in scope

    Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

    This image contains a nexample of a high level diagram which focuses on the data centers relevent to the selected system.

    Diagram each selected system to identify specific dependencies and redundancies

    Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

    When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

    • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
    • Security challenges (e.g. public-facing systems).
    • Recovery challenges (e.g. limited or infrequent backups).
    This is an example of a diagram of a system ecosystem.

    Note the limitations of your security, backup, and DR solutions

    Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

    1. Security limitations
    • Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
  • Backup limitations
    • What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
  • Disaster recovery limitations
    • Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?
  • We will review the gaps we identify through the project in phase 4.

    For now, make a note of these gaps and continue with the next step.

    Draft risk scenarios to illustrate ransomware risk

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Risk identification → Risk scenario → Risk statement

    Well-crafted risk scenarios have four components

    The slides walk through how to build a ransomware risk scenario

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

    Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

    1.1.3 Build ransomware risk scenario (1)

    2 hours

    In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

    The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

    As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

    Consider the impact on:

    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty.

    Input

    • Understanding of critical systems and dependencies.

    Output

    • Ransomware risk scenario to engage guide stakeholders to make informed decisions about addressing risks.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.3 Build ransomware risk scenario (2)

    2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
    2. Bring together the critical risk elements into a single risk scenario.
    3. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
    4. You can find a sample risk scenario and risk statement on the next slide.

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    Inputs for risk scenario identification

    Risk analysis

    Critical assets

    ERP, CRM, FMS, LMS

    Operational technology

    Sensitive or regulated data

    Threat agents

    Cybercriminals

    Methods

    Compromise end user devices through social engineering attacks,. Compromise networks through external exposures and software vulnerabilities.

    Identify and crack administrative account. Escalate privileges. Move laterally.

    Collect data, destroy backups, exfiltrate data for leverage, encrypt systems,.

    Threaten to publish exfiltrated data and demand ransom.

    Adverse effect

    Serious business disruption

    Financial damage

    Reputational damage

    Potential litigation

    Average downtime: 30 Days

    Average clean-up costs: USD 1.4M

    Sample ransomware risk scenario

    Likelihood: Medium
    Impact: High

    Risk scenario

    Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

    They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

    Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

    Risk statement

    Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

    Threat Actor:

    • Cybercriminals

    Assets:

    • Critical systems (ERP, FMS, CRM, LMS)
    • HRIS and payroll
    • Data warehouse
    • Office 365 ecosystem (email, Teams)

    Effect:

    • Loss of system availability
    • Lost of data confidentiality

    Methods:

    • Phishing
    • Credential compromise
    • Compromised remote desktop protocol
    • Privilege escalation
    • Lateral movement
    • Data collection
    • Data exfiltration
    • Data encryption

    Step 1.2

    Conduct resilience assessment

    Activities

    1.2.1 Complete resilience assessment

    1.2.2 Establish resilience metrics

    This step will guide you through the following activities :

    • Completing a ransomware resilience assessment
    • Establishing baseline metrics to measure ransomware resilience.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-matter experts

    .Outcomes of this step

    • Current maturity, targets, and initial gap analysis

    Maturity levels in this blueprint draw on the CMMI framework

    The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

    CMMI Maturity Level – Default Descriptions:

    CMMI Maturity Level – Modified for This Assessment:

    • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
    • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
    • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
    • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven, with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
    • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.
    • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
    • Level 2 – Developing: Established but inconsistent and incomplete.
    • Level 3 – Defined: Formally established, documented, and repeatable.
    • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
    • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

    (Source: CMMI Institute, CMMI Levels of Capability and Performance)

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    1.2.1 Complete the resilience assessment

    2-3 hours

    Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

    Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

    Download the Ransomware Resilience Assessment

    Outcomes:

    • Capture baseline resilience metrics to measure progress over time.
      • Low scores are common. Use them to make the case for security investment.
      • Clarify the breadth of security controls.
      • Security controls intersect with a number of key processes and technologies, each of which are critical to ransomware resilience.
    • Key gaps identified.
      • Allocate more time to subsections with lower scores.
      • Repeat the scorecard at least annually to clarify remaining areas to address.

    Input

    • Understanding of current security controls

    Output

    • Current maturity, targets, and gaps

    Materials

    • Ransomware Resilience Assessment Tool

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Ransomeware Resilience Assessment Table from Info-Tech's Ransomware Resilience Assessment Blueprint.

    1.2.2 Establish resilience metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Measure metrics at the start of the project to establish a baseline, as the project nears completion to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Phase 2

    Improve protection and detection capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Assessing common ransomware attack vectors.
    • Identifying countermeasures to improve protection and detection capabilities.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 2.1

    Assess attack vectors

    Activities

    2.1.1 Assess ransomware threat preparedness

    2.1.2 Determine the impact of ransomware techniques on your environment

    This step involves the following activities:

    • Assessing ransomware threat preparedness.
    • Configuring the threat preparedness tool.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Assess risks associated with common ransomware attack vectors.

    Improve protection and detection capabilities

    Use the MITRE attack framework to prepare

    This phase draws on MITRE to improve ransomware protection and detection capabilities

    • The activities in this phase provide guidance on how to use the MITRE attack framework to protect your organizations against common ransomware techniques and tactics, and detect incursions.
    • You will:
      • Review common ransomware tactics and techniques.
      • Assess their impact on your environment.
      • Identify relevant countermeasures.
    • The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

    Download the Enterprise Threat Preparedness Workbook

    Review ransomware tactics and techniques

    Ransomware attack workflow

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network. Collect data.

    Infect critical systems and backups to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Associated MITRE tactics and techniques

    • Initial access
    • Execution
    • Privilege escalation
    • Credential access
    • Lateral movement
    • Collection
    • Data Exfiltration
    • Data encryption

    Most common ransomware attack vectors

    • Phishing and social engineering
    • Exploitation of software vulnerabilities
    • Unsecured external exposures
      • e.g. remote desktop protocols
    • Malware infections
      • Email attachments
      • Web pages
      • Pop-ups
      • Removable media

    2.1.1 Assess ransomware threat preparedness

    Estimated Time: 1-4 hours

    1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
    2. Select ransomware attack tactics to analyze. Use the workbook to understand:
      1. Risks associated with each attack vector.
      2. Existing controls that can help you protect the organization and detect an incursion.
    3. This initial analysis is meant to help you understand your risk before you apply additional controls.

    Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    2.1.2 Determine the impact of techniques

    Estimated Time: 1-4 hours

    1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

    If you would like to change the set-up, go through the following steps.

    • Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
    • As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
    • Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

    The following slides walk you through the process with screenshots from the workbook.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Select the domain for the analysis

    • The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
    • The technique domain on the right side of the sheet is split in two main groups:
    • The Technique Level
      • - High-level techniques that an attacker may use to gain entry to your network.
      • - The Technique Level is a great starting point if you are new to threat preparedness.
    • The Sub-Technique Level
      • - Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
      • - More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

    Info-Tech Insight

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    This is the first screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    Keep an eye on the enterprise matrix

    As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

    Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

    The Technique level is faster but provides less specifics for each control and analyzes them as a group.

    The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

    Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

    This is the second screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

    Configure the tactics tabs

    • Each tactic has a corresponding tab at the bottom of the Excel workbook.
      Adjusting the Technique Domain level will change the number of controls shown.
    • Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
      • Select "1" for Technique Level.
      • Select "2" for Sub-Technique Level.
    • This will collapse the controls to your chosen level of granularity.

    This is a screenshot showing how you can configure the tactics tab of the Ransomware Threat Preparedness Workbook

    Read tactic sheets from left to right

    This is a screenshot of the tactics tab of the Ransomware Threat Preparedness Workbook

    Technique:

    How an attacker will attempt to achieve their goals through a specific action.

    ID:

    The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

    Impact of the Technique(s):

    If an attack of this type is successful on your network, how deep does the damage run?

    Current Mitigations:

    What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

    Determine the impact of the technique

    • For each control, indicate the current mitigation level using the dropdown list.
    • Only use "N/A" if you are confident that the control is not required in your organization.

    Info-Tech Insight

    We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

    This is the second screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Review technique preparedness

    • If you have chosen the Technique level, the tool should resemble this image:
      • High-level controls are analyzed, and sub-controls hidden.
      • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
    • Each sub-technique has a note for additional context:
      • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
      • Next select your current preparedness maturity in terms of preparedness for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

    This is the third screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Info-Tech Insight

    You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

    Review sub-technique preparedness

    If you have chosen the Sub-Technique level, the tool should resemble this image.

    • The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly.
    • The average of your sub-techniques will be calculated to show your overall preparedness level.
    • Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network.

    Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.

    • Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.
    This is the fourth screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Step 2.2

    Identify countermeasures

    Activities

    2.2.1 Identify countermeasures

    This step involves the following activities:

    • Identifying countermeasures

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

    Improve Protection and Detection Capabilities

    Review technique countermeasures

    As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

    For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

    Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

    This is an image of the Privilege Escalation Tactic Analysis Table

    This is an image of the Defense Evasion Tactic Analysis Table

    Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

    2.2.1 Identify countermeasures

    Estimated Time: 1-4 hours

    1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
      1. Detection actions:
      • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
    2. Mitigation actions:
      • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.
  • Detection and mitigation measures are associated with each technique and sub-technique. Not all techniques will be able to be detected properly or mitigated. However, understanding their relationships can better prepare your defensive protocols.
  • Add relevant control actions to the initiative list in the Ransomware Resilience Assessment.
  • Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.
    • Outputs from the Threat Preparedness Workbook.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook
    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Phase 3

    Improve response and recovery capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Documenting your threat escalation protocol.
    • Identify response steps and gaps.
    • Update your response workflow and runbook.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 3.1

    Review security incident management plan

    Activities

    3.1.1 Review the workflow and runbook templates

    3.1.2 Update/define your threat escalation protocol

    This step will walk you through the following activities:

    • Reviewing the example Workflow and Runbook
    • Updating and defining your threat escalation protocol.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Clear escalation path for critical incidents.
    • Common understanding of incident severity that will drive escalation.

    Improve response and recovery capabilities

    3.1.1 Review the workflow and runbook templates

    30 minutes

    This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting points for the steps in Phase 3, including documenting your threat escalation protocol.

    • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
      The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
    • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
      The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

    Download the Ransomware Response Workflow Template

    Download the Ransomware Response Runbook Template

    Input

    • No Input Required

    Output

    • Visualize the end goal

    Materials

    • Example workflow and runbook in this blueprint

    Participants

    • Security Incident Response Team (SIRT)

    Two overlapping screenshots are depicted, including the table of contents from the Ransomware Response Runbook.

    3.1.2 Update/define your threat escalation protocol

    1-2 hours

    Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

    Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

    Severity assessment: Define the severity levels based on impact and scope criteria.

    Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

    If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

    Input

    • Current escalation process (formal or informal).

    Output

    • Define criteria for severity levels and relevant stakeholders.

    Materials

    • Ransomware Response Workflow Template

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Threat Escalation Protocol Criteria and Stakeholders.

    Step 3.2

    Run Tabletop Test (IT)

    Activities

    3.2.1 Define scenarios for a range of incidents

    3.2.2 Run a tabletop planning exercise

    This step will guide you through the following activities:

    • Defining scenarios for a range of incidents.
    • Running a tabletop planning exercise.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Other stakeholders (as relevant)

    Outcomes of this step

    • Current-state incident response workflow, including stakeholders, steps, timeline.
    • Process and technology gaps to be addressed.

    Improve response and recovery capabilities

    3.2.1 Define scenarios for a range of incidents

    30 minutes

    As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

    • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
    • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
    • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
    • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on the containing an attack on end-user devices.

    Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

    Input

    • No input required

    Output

    • Determine the scope of your tabletop planning exercises

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Optimize the time spent by participants by running a series of focused exercises

    Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications, working with external stakeholders (e.g. law enforcement, cyberinsurance).

    Sample schedule:

    • Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
    • Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
    • Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
    • Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

    Info-Tech Insight

    Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

    3.2.2 Run a tabletop planning exercise

    1-2 hours

    Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

    1. Select your scenario and invite relevant participants (see the previous slides).
    2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
    3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured and plan to save the detailed formatting and revising for later. )

    Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

    Download the Ransomware Tabletop Planning Results – Example

    Input

    • Baseline ransomware response workflow

    Output

    • Clarify your response workflow, capabilities, and gaps

    Materials

    • Whiteboard or sticky notes or index cards, or a shared screen

    Participants

    • Security Incident Response Team (SIRT)

    This is an example of a Ransomware Response Tabletop Planning Results Page.

    Step 3.3

    Document Workflow and Runbook

    Activities

    3.3.1 Update your ransomware response workflow

    3.3.2 Update your ransomware response runbook

    This step will guide you through the following activities:

    • Updating your ransomware response workflow.
    • Updating your ransomware response runbook.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An updated incident response workflow and runbook based on current capabilities.

    Improve response and recovery capabilities

    3.3.1 Update your ransomware response workflow

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

    • Update stakeholder swim-lanes: Clarify which stakeholders need a swim lane (e.g. where interactions between groups needs to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
    • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes.(Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
    • Clarify the overall the workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
    • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarify your response workflow

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot from the ransomeware response tabletop planning

    3.3.2 Update your ransomware response runbook

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

    • Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
    • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
    • Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
    • Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarified response runbook

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of the Ransomware Response Runbook

    Phase 4

    Improve ransomware resilience

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Identifying initiatives to improve ransomware resilience.
    • Prioritizing initiatives in a project roadmap.
    • Communicating status and recommendations.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 4.1

    Run Tabletop Test (leadership)

    Activities

    • 4.1.1 Identify initiatives to close gaps and improve resilience
    • 4.1.2 Review broader strategies to improve your overall security program

    This step will walk you through the following activities:

    • Identifying initiatives to close gaps and improve resilience.
    • Reviewing broader strategies to improve your overall security program.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Specific potential initiatives based on a review of the gaps.
    • Broader potential initiatives to improve your overall security program.

    Improve ransomware resilience

    4.1.1 Identify initiatives to close gaps and improve resilience

    1 hour

    1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
    2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to you project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
    3. Review your tabletop planning results:
      1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
      2. For each gap, write down potential initiatives to address the gap.
      3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
    4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

    Input

    • Tabletop planning results
    • Maturity assessment

    Output

    • Identify initiatives to improve ransomware readiness

    Materials

    • Blank spreadsheet

    Participants

    • Security Incident Response Team (SIRT)

    4.1.2 Review broader strategies to improve your overall security program

    1 hour

    1. Review the following considerations as outlined on the next few slides:
      • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day to day incident management.
      • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected? If those options aren't very good, your backup strategy needs a refresh.
      • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
    2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

    Input

    • An understanding of your existing security practices and backup strategy.

    Output

    • Broader initiatives to improve ransomware readiness.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Implement core elements of an effective security program

    There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

    Leverage the following blueprints to implement the foundational elements of an effective security program:

    • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
    • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
    • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

    Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

    • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
    • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
    • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
    • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.

    Update your backup strategy to account for ransomware attacks

    Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

    In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

    • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
    • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
    • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

    This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

    This is an example of a backup strategy to account for ransomware attacks.

    Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.

    Explore zero-trust initiatives

    Zero trust is a set of principles, not a set of controls.

    Reduces reliance on perimeter security.

    Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

    Zero trust must benefit the business first.

    IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

    For more information, see Build a Zero-Trust Roadmap.

    Info-Tech Insight

    A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

    Step 4.2

    Prioritize resilience initiatives

    Activities

    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
    • 4.2.2 Review the dashboard to fine tune your roadmap

    This step will guide you through the following activities:

    • Prioritizing initiatives based on factors such as effort, cost, and risk.
    • Reviewing the dashboard to fine-tune your roadmap.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An executive-friendly project roadmap dashboard summarizing your initiatives.
    • A visual representation of the priority, effort, and timeline required for suggested initiatives.

    Review the Ransomware Resilience Assessment

    Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

    • At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
    • Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
    • Follow the instructions in the Ransomware Resilience Assessment to:
      • Categorize gap control actions into initiatives.
      • Prioritize initiatives based on cost, effort, and benefit.
      • Construct a roadmap for consideration.

    Download the Ransomware Resilience Assessment

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

    1 hour

    Prioritize initiatives in the Ransomware Resilience Assessment.

    1. The initiatives listed on Tab 3 Initiative List will be copied automatically on Tab 5 Prioritization.
    2. On Tab 1 Setup:
      1. Review the weight you want to assign to the cost and effort criteria.
      2. Update the default values for FTE and Roadmap Start as needed.
    3. Go back to Tab 5 Prioritization:
      1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
      2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    4.2.2 Review the dashboard to fine-tune the roadmap

    1 hour

    Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

    1. Review the Gantt chart to ensure:
      1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
      2. Higher-priority items are scheduled sooner than low-priority items.
      3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
      4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of a sample roadmap for the years 2022-2023

    Step 4.3

    Measure resilience metrics

    Activities

    4.3.1 Summarize status and next steps in an executive presentation

    This step will guide you through the following activities:

    • Summarizing status and next steps in an executive presentation.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

    Improve ransomware resilience

    4.3.1 Summarize status and next steps in an executive presentation

    1 hour

    Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

    • Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
    • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
    • Phase 3: Current incident response capabilities including steps, timeline, and gaps.
    • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

    Overall key findings and next steps.

    Download the Ransomware Readiness Summary Presentation Template

    Input

    • Results of all activities in Phases 1-4

    Output

    • Executive presentation

    Materials

    • Ransomware Readiness Summary Presentation Template

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of level 2 of the ransomware readiness maturity tool.

    Revisit metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Summary of accomplishments

    Project overview

    Project deliverables

    This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices.

    • Ransomware Resilience Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
    • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
    • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
    • Ransomware Tabletop Planning : This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
    • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
    • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

    Project phases

    Phase 1: Assess ransomware resilience

    Phase 2: Protect and detect

    Phase 3: Respond and recover

    Phase 4: Improve ransomware resilience

    Related Info-Tech Research

    Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

    Related security blueprints:

    Related disaster recovery blueprints:

    Research Contributors and Experts

    This is an image of Jimmy Tom

    Jimmy Tom
    AVP of Information Technology and Infrastructure
    Financial Horizons

    This is an image of Dan Reisig

    Dan Reisig
    Vice President of Technology
    UV&S

    This is an image of Samuel Sutto

    Samuel Sutton
    Computer Scientist (Retired)
    FBI

    This is an image of Ali Dehghantanha

    Ali Dehghantanha
    Canada Research Chair in Cybersecurity and Threat Intelligence,
    University of Guelph

    This is an image of Gary Rietz

    Gary Rietz
    CIO
    Blommer Chocolate Company

    This is an image of Mark Roman

    Mark Roman
    CIO
    Simon Fraser University

    This is an image of Derrick Whalen

    Derrick Whalen
    Director, IT Services
    Halifax Port Authority

    This is an image of Stuart Gaslonde

    Stuart Gaslonde
    Director of IT & Digital Services
    Falmouth-Exeter Plus

    This is an image of Deborah Curtis

    Deborah Curtis
    CISO
    Placer County

    This is an image of Deuce Sapp

    Deuce Sapp
    VP of IT
    ISCO Industries

    This is an image of Trevor Ward

    Trevor Ward
    Information Security Assurance Manager
    Falmouth-Exeter Plus

    This is an image of Brian Murphy

    Brian Murphy
    IT Manager
    Placer County

    This is an image of Arturo Montalvo

    Arturo Montalvo
    CISO
    Texas General Land Office and Veterans Land Board

    No Image Available

    Mduduzi Dlamini
    IT Systems Manager
    Eswatini Railway

    No Image Available

    Mike Hare
    System Administrator
    18th Circuit Florida Courts

    No Image Available

    Linda Barratt
    Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation

    This is an image of Josh Lazar

    Josh Lazar
    CIO
    18th Circuit Florida Courts

    This is an image of Douglas Williamson

    Douglas Williamson
    Director of IT
    Jamaica Civil Aviation Authority

    This is an image of Ira Goldstein

    Ira Goldstein
    Chief Operating Officer
    Herjavec Group

    This is an image of Celine Gravelines

    Celine Gravelines
    Senior Cybersecurity Analyst
    Encryptics

    This is an image of Dan Mathieson

    Dan Mathieson
    Mayor
    City of Stratford

    This is an image of Jacopo Fumagalli

    Jacopo Fumagalli
    CISO
    Omya

    This is an image of Matthew Parker

    Matthew Parker
    Program Manager
    Utah Transit Authority

    Two Additional Anonymous Contributors

    Bibliography

    2019-Data-Breach-Investigations-Report.-Verizon,-May-2019.
    2019-Midyear-Security-Roundup:-Evasive-Threats,-Persistent-Effects.-Trend-Micro,-2019.
    Abrams,-Lawrence.-"Ryuk-Ransomware-Uses-Wake-on-Lan-to-Encrypt-Offline-Devices."-Bleeping-Computer,-14-Jan.-2020.
    Abrams,-Lawrence.-"Sodinokibi-Ransomware-Publishes-Stolen-Data-for-the-First-Time."-Bleeping-Computer,-11-Jan.-2020.
    Canadian-Center-for-Cyber-Security,-"Ransomware-Playbook,"-30-November-2021.-Accessed-21-May-2022.-
    Carnegie-Endowment-for-International-Peace.-"Ransomware:-Prevention-and-Protection."-Accessed-May-2022.-
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-26-Data-Integrity:-Detecting-and-Responding-to-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-25-Data-Integrity:-Identifying-and-Protecting-Assets-Against-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.-
    Cichonski,-P.,-T.-Millar,-T.-Grance,-and-K.-Scarfone.-"Computer-Security-Incident-Handling-Guide."-SP-800-61-Rev.-2.-NIST,-Aug.-2012.
    Cimpanu,-Catalin.-"Company-shuts-down-because-of-ransomware,-leaves-300-without-jobs-just-before-holidays."-ZDNet,-3-Jan.-2020.
    Cimpanu,-Catalin.-"Ransomware-attack-hits-major-US-data-center-provider."-ZDNet,-5-Dec.-2019.
    CISA,-"Stop-Ransomware,"-Accessed-12-May-2022.
    "CMMI-Levels-of-Capability-and-Performance."-CMMI-Institute.-Accessed-May-2022.-
    Connolly,-Lena-Yuryna,-"An-empirical-study-of-ransomware-attacks-on-organizations:-an-assessment-of-severity-and-salient-factors-affecting-vulnerability."-Journal-of-Cybersecurity,-2020,.-1-18.
    "Definitions:-Backup-vs.-Disaster-Recovery-vs.-High-Availability."-CVM-IT-&-Cloud-Services,-12-Jan.-2017.
    "Don't-Become-a-Ransomware-Target-–-Secure-Your-RDP-Access-Responsibly."-Coveware,-2019.-
    Elementus,-"Rise-of-the-Ransomware-Cartels-"(2022).-YouTube.-Accessed-May-2022.-
    Global-Security-Attitude-Survey.-CrowdStrike,-2019.
    Graham,-Andrew.-"September-Cyberattack-cost-Woodstock-nearly-$670,00:-report."-
    Global-News,-10-Dec.-2019.
    Harris,-K.-"California-2016-Data-Breach-Report."-California-Department-of-Justice,-Feb.-2016.
    Hiscox-Cyber-Readiness-Report-2019.-Hiscox-UK,-2019.
    Cost-of-A-Data-Breach-(2022).-IBM.-Accessed-June-2022.--
    Ikeda,-Scott.-"LifeLabs-Data-Breach,-the-Largest-Ever-in-Canada,-May-Cost-the-Company-Over-$1-Billion-in-Class-Action-Lawsuit."-CPO-Magazine,-2020.
    Kessem,-Limor-and-Mitch-Mayne.-"Definitive-Guide-to-Ransomware."-IBM,-May-2022.
    Krebs,-Brian.-"Ransomware-Gangs-Now-Outing-Victim-Businesses-That-Don't-Pay-Up."-Krebson-Security,-16-Dec.-2019.
    Jaquith,-Andrew-and-Barnaby-Clarke,-"Security-metrics-to-help-protect-against-ransomware."-Panaseer,-July-29,-2021,-Accessed-3-June-2022.
    "LifeLabs-pays-ransom-after-cyberattack-exposes-information-of-15-million-customers-in-B.C.-and-Ontario."-CBC-News,-17-Dec.-2019.
    Matthews,-Lee.-"Louisiana-Suffers-Another-Major-Ransomware-Attack."-Forbes,-20-Nov.-2019.
    NISTIR-8374,-"Ransomware-Risk-Management:-A-Cybersecurity-Framework-Profile."-NIST-Computer-Security-Resource-Center.-February-2022.-Accessed-May-2022.-
    "Ransomware-attack-hits-school-district-twice-in-4-months."-Associated-Press,-10-Sept.-2019.
    "Ransomware-Costs-Double-in-Q4-as-Ryuk,-Sodinokibi-Proliferate."-Coveware,-2019.
    Ransomware-Payments-Rise-as-Public-Sector-is-Targeted,-New-Variants-Enter-the-Market."-Coveware,-2019.
    Rector,-Kevin.-"Baltimore-to-purchase-$20M-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware."-The-Baltimore-Sun,-16-Oct.-2019.
    "Report:-Average-time-to-detect-and-contain-a-breach-is-287-days."-VentureBeat,-May-25,-2022.-Accessed-June-2022.-
    "Five-Lessons-Learned-from-over-600-Ransomware-Attacks."-Riskrecon.-Mar-2022.-Accessed-May-2022.-
    Rosenberg,-Matthew,-Nicole-Perlroth,-and-David-E.-Sanger.-"-'Chaos-is-the-Point':-Russian-Hackers-and-Trolls-Grow-Stealthier-in-2020."-The-New-York-Times,-10-Jan.-2020.
    Rouse,-Margaret.-"Data-Archiving."-TechTarget,-2018.
    Siegel,-Rachel.-"Florida-city-will-pay-hackers-$600,000-to-get-its-computer-systems-back."-The-Washington-Post,-20-June-2019.
    Sheridan,-Kelly.-"Global-Dwell-Time-Drops-as-Ransomware-Attacks-Accelerate."-DarkReading,-13-April-2021.-Accessed-May-2022.-
    Smith,-Elliot.-"British-Banks-hit-by-hacking-of-foreign-exchange-firm-Travelex."-CNBC,-9-Jan.-2020.
    "The-State-of-Ransomware-2022."-Sophos.-Feb-2022.-Accessed-May-2022.-
    "The-State-of-Ransomware-in-the-U.S.:-2019-Report-for-Q1-to-Q3."-Emsisoft-Malware-Lab,-1-Oct.2019.
    "The-State-of-Ransomware-in-the-U.S.:-Report-and-Statistics-2019."-Emsisoft-Lab,-12-Dec.-2019.
    "The-State-of-Ransomware-in-2020."-Black-Fog,-Dec.-2020.
    Toulas,-Bill.-"Ten-notorious-ransomware-strains-put-to-the-encryption-speed-test."-Bleeping-Computers,-23-Mar-2022.-Accessed-May-2022.
    Tung,-Liam-"This-is-how-long-hackers-will-hide-in-your-network-before-deploying-ransomware-or-being-spotted."-zdnet.-May-19,-2021.-Accessed-June-2022.-

    Manage Your Chromebooks and MacBooks

    • Buy Link or Shortcode: {j2store}167|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices

    Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    • If you have modernized your end-user computing strategy, you may have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks may be ideal as a low-cost interface into DaaS for your employees.
    • Managing Chromebooks can be particularly challenging as they grow in popularity in the education sector.

    Our Advice

    Critical Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Impact and Result

    • Many solutions are available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don’t purchase capabilities that you may never use.
    • Use the associated Endpoint Management Selection Tool spreadsheet to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    Manage Your Chromebooks and MacBooks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Your Chromebooks and MacBooks deck – MacBooks and Chromebooks are growing in popularity in enterprise and education environments, and now you have to manage them.

    Explore options, guidance and some best practices related to the management of Chromebooks and MacBooks in the enterprise environment and educational institutions. Our guidance will help you understand features and options available in a variety of solutions. We also provide guidance on selecting the best endpoint management solution for your own environment.

    • Manage Your Chromebooks and MacBooks Storyboard

    2. Endpoint Management Selection Tool – Select the best endpoint management tool for your environment. Build a table to compare endpoint management offerings in relation to the features and options desired by your organization.

    This tool will help you determine the features and options you want or need in an endpoint management solution.

    • Endpoint Management Selection Tool
    [infographic]

    Further reading

    Manage Your Chromebooks and MacBooks

    Financial constraints, strategy, and your user base dictate the need for Chromebooks and MacBooks – now you have to manage them in your environment.

    Analyst Perspective

    Managing MacBooks and Chromebooks is similar to managing Windows devices in many ways and different in others. The tools have many common features, yet they struggle to achieve the same goals.

    Until recently, Windows devices dominated the workplace globally. Computing devices were also rare in many industries such as education. Administrators and administrative staff may have used Windows-based devices, but Chromebooks were not yet in use. Most universities and colleges were Windows-based in offices with some flavor of Unix in other areas, and Apple devices were gaining some popularity in certain circles.

    That is a stark contrast compared to today, where Chromebooks dominate the classrooms and MacBooks and Chromebooks are making significant inroads into the enterprise environment. MacBooks are also a common sight on many university campuses. There is no doubt that while Windows may still be the dominant player, it is far from the only one in town.

    Now that Chromebooks and MacBooks are a notable, if not significant, part of the education and enterprise environments, they must be afforded the same considerations as Windows devices in those environments when it comes to management. The good news is that there is no lack of available solutions for managing these devices, and the endpoint management landscape is continually evolving and improving.

    This is a picture of P.J. Ryan, Research Director, Infrastructure & Operations, Info-Tech Research Group

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You modernized your end-user computing strategy and now have Windows 10 devices as well as MacBooks.
    • Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks would be ideal as a low-cost interface into DaaS for your employees.
    • You are responsible for the management of all the new Chromebooks in your educational district.
    • Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

    Common Obstacles

    • Endpoint management solutions typically do a great job at managing one category of devices, like Windows or MacBooks, but they struggle to fully manage alternative endpoints.
    • Multiple solutions to manage multiple devices will result in multiple dashboards. A single view would be better.
    • One solution may not fit all, but multiple solutions is not desirable either, especially if you have Windows devices, MacBooks, and Chromebooks.

    Info-Tech's Approach

    • Use the tools at your disposal first – don't needlessly spend money if you don't have to. Many solutions can already manage other types of devices to some degree.
    • Use the integration capabilities of endpoint management tools. Many of them can integrate with each other to give you a single interface to manage multiple types of devices while taking advantage of additional functionality.
    • Don't purchase capabilities you will never use. Using 80% of a less expensive tool is economically smarter than using 10% of a more expensive tool.

    Info-Tech Insight

    Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

    Insight Summary

    Insight 1

    Google Admin Console is necessary to manage Chromebooks, but it can be paired with other tools. Implementation partnerships provide solutions to track the device lifecycle, track the repair lifecycle, sync with Google Admin Console as well as PowerSchool to provide a more complete picture of the user and device, and facilitate reminders to return the device, pay fees if necessary, pick up a device when a repair is complete, and more.

    Insight 2

    The Google Admin Console allows admins to follow an organizational unit (OU) structure very similar to what they may have used in Microsoft's Active Directory environment. This familiarity makes the task of administering Chromebooks easier for admins.

    Insight 3

    Chromebook management goes beyond securing and manipulating the device. Controls to protect the students while online, such as Safe Search and Safe Browsing, should also be implemented.

    Insight 4

    Most companies choose to use a dedicated MacBook management tool. Many unified endpoint management (UEM) tools can manage MacBooks to some extent, but admins tend to agree that a MacBook-focused endpoint management tool is best for MacBooks while a Windows-based endpoint management tool is best for Windows devices.

    Insight 5

    Some MacBook management solutions advocate integration with Windows UEM solutions to take advantage of Microsoft features such as conditional access, security functionality, and data governance. This approach can also be applied to Chromebooks.

    Chromebooks

    Chromebooks had a respectable share of the education market before 2020, but the COVID-19 pandemic turbocharged the penetration of Chromebooks in the education industry.

    Chromebooks are also catching the attention of some decision makers in the enterprise environment.

    "In 2018, Chromebooks represented an incredible 60 percent of all laptop or tablet devices in K-12 -- up from zero percent when the first Chromebook launched during the summer break in 2011."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    "Chromebooks were the best performing PC products in Q3 2020, with shipment volume increasing to a record-high 9.4 million units, up a whopping 122% year-on-year."
    – Android Police

    "Until the pandemic, Chrome OS' success was largely limited to U.S. schools. Demand in 2020 appears to have expanded beyond that small but critical part of the U.S. PC market."
    – Geekwire

    "In addition to running a huge number of Chrome Extensions and Apps at once, Chromebooks also run Android, Linux and Windows apps."
    – "Will Chromebooks Rule the Enterprise?" Computerworld

    Managing Chromebooks

    Start with the Google Admin Console (GAC)

    GAC is necessary to initially manage Chrome OS devices.

    GAC gives you a centralized console that will allow you to:

    • Create organizational units
    • Add your Chromebook devices
    • Add users
    • Assign users to devices
    • Create groups
    • Create and assign policies
    • Plus more

    GAC can facilitate device management with features such as:

    • Control admin permissions
    • Encryption and update settings
    • App deployment, screen timeout settings
    • Perform a device wipe if required
    • Audit user activity on a device
    • Plus more

    Device and user addition, group and organizational unit creation and administration, applying policies to devices and users – does all this remind you of your Active Directory environment?

    GAC lets you administer users and devices with a similar approach.

    Managing Chromebooks

    Use Active Directory to manage Chromebooks.

    • Enable Active Directory (AD) management from within GAC and you will be able to integrate your Chromebook devices with your AD environment.
    • Devices will be visible in both the GAC and AD environment.
    • Use Windows Group Policy to manage devices and to push policies to users and devices.
    • Users can use their AD username and password to sign into Chromebook devices.
    • GAC can still be used for devices that are not synced with AD.

    Chromebooks can also be managed through these approved partners:

    • Cisco Meraki
    • Citrix XenMobile
    • IBM MaaS360
    • ManageEngine Mobile Device Manager Plus
    • VMware Workspace ONE

    Source: Google

    You must be running the Chrome Enterprise Upgrade and have any licenses required by the approved partner to take advantage of this management option. The partner admin policies supersede GAC.

    If you stop using the approved partner admin console to manage your devices, the polices and settings in GAC will immediately take over the devices.

    Microsoft still has the market share when it comes to device sales, and many administrators are already familiar with Microsoft's Active Directory. Google took advantage of that familiarity when it designed the Google Admin Console structure for users, groups, and organizational units.

    Chromebook Deployment

    Chromebook deployment becomes a challenge when device quantities grow. The enrollment process can be time consuming, and every device must be enrolled before it can be used by an employee or a student. Many admins enlist their full IT teams to assist in the short term. Some vendor partners may assist with distribution options if staffing levels permit. Recent developments from Google have opened additional options for device enrollment beyond the manual enrollment approach.

    Enrolling Chromebooks comes down to one of two approaches:

    1. Manually enrolling one device at a time
      • Users can assist by entering some identifying details during the enrollment if permitted.
      • Some third-party solutions exist, such as USB drives to reduce repetitive keystrokes or hubs to facilitate manually enrolling multiple Chromebooks simultaneously.
    2. Google's Chrome Enterprise Upgrade or the Chrome Education Upgrade
      • This allows you to let your users enroll devices after they accept the end-user license agreement.
      • You can take advantage of Google's vendor partner program and use a zero-touch deployment method where the Chromebook devices automatically receive the assigned policies, apps, and settings as soon as the device is powered on and an authorized user signs in.
      • The Enterprise Upgrade and the Education Upgrade do come with an annual cost per device, which is currently less than US$50.
      • The Enterprise and Education Upgrades come with other features as well, such as enhanced security.

    Chromebooks are automatically assigned to the top-level organizational unit (OU) when enrolled. Devices can be manually moved to another OU, but admins can also create enrollment policies to place newly enrolled devices in a specific OU or have the device locate itself in the same OU as the user.

    Chromebooks in Education

    GAC is also used with Education-licensed devices

    Most of the settings and features previously mentioned are also available for Education-licensed devices and users. Enterprise-specific features will not be available to Education licenses. (Active Directory integration with Education licenses, for example, is accomplished using a different approach)

    • Groups, policies, administrative controls, app deployment and management, adding devices and users, creating organizational units, and more features are all available to Education Admins to use.

    Education device policies and settings tend to focus more on protecting the students with controls such as:

    • Disable incognito mode
    • Disable location tracking
    • Disable external storage devices
    • Browser based protections such as Safe Search or Safe Browsing
    • URL blocking
    • Video input disable for websites
    • App installation prevention, auto re-install, and app blocking
    • Forced re-enrollment to your domain after a device is wiped
    • Disable Guest Mode
    • Restrict who can sign in
    • Audit user activity on a device

    When a student takes home a Chromebook assigned to them, that Chromebook may be the only computer in the household. Administrative polices and settings must take into account the fact that the device may have multiple users accessing many different sites and applications when the device is outside of the school environment.

    Chromebook Management Extended

    An online search for Chromebook management solutions will reveal several software solutions that augment the capabilities of the Google Admin Console. Many of these solutions are focused on the education sector and classroom and student options, although the features would be beneficial to enterprises and educational organizations alike.

    These solutions assist or augment Chromebook management with features such as:

    • Ability to sync with Google Admin Console
    • Ability to sync with student information systems, such as PowerSchool
    • Financial management, purchase details, and chargeback
    • Asset lifecycle management
    • 1:1 Chromebook distribution management
    • Repair programs and repair process management
    • Check-out/loan program management
    • Device distribution/allocation management, including barcode reader integration
    • Simple learning material distribution to the classroom for teachers
    • Facilitate GAC bulk operations
    • Manage inventory of non-IT assets such as projectors, TVs, and other educational assets
    • Plus more

    "There are many components to managing Chromebooks. Schools need to know which student has which device, which school has which device, and costs relating to repairs. Chromebook Management Software … facilitates these processes."
    – VIZOR

    MacBooks

    • MacBooks are gaining popularity in the Enterprise world.
    • Some admins claim MacBooks are less expensive in the long run over Windows-based PCs.
    • Users claim less issues when using a MacBook, and overall, companies report increased retention rates when users are using MacBooks.

    "Macs now make up 23% of endpoints in enterprises."
    – ComputerWeekly.com

    "When given the choice, no less than 72% of employees choose Macs over PCs."
    – "5 Reasons Mac is a must," Jamf

    "IBM says it is 3X more expensive to manage PCs than Macs."
    – Computerworld

    "74% of those who previously used a PC for work experienced fewer issues now that they use a Mac"
    – "Global Survey: Mac in the Enterprise," Jamf

    "When enterprise moves to Mac, staff retention rates improve by 20%. That's quite a boost! "
    – "5 Reasons Mac is a must," Jamf

    Managing MacBooks

    Can your existing UEM keep up?

    Many Windows unified endpoint management (UEM) tools can manage MacBooks, but most companies choose to use a dedicated MacBook management tool.

    • UEM tools that are primarily Windows focused do not typically go deep enough into the management capabilities of non-Windows devices.
    • Admins have noted limitations when it comes to using Windows UEM tools, and reasons they prefer a dedicated MacBook management solution include:
      • Easier to use
      • Faster response times when deploying settings and policies
      • Better control over notification settings and lock screen settings.
      • Easier Apple Business Manager (ABM) integration and provisioning.
    • Note that not every UEM will have the same limitations or advantages. Functionality is different between vendor products.

    Info-Tech Insight

    Most Windows UEM tools are constantly improving, and it is only a matter of time before they rival many of the dedicated MacBook management tools out there.

    Admins tend to agree that a Windows UEM is best for Windows while an Apple-based UEM is best for Apple devices.

    Managing MacBooks

    The market for "MacBook-first" management solutions includes a variety of players of varying ages such as:

    • Jamf
    • Kandji
    • Mosyle
    • SimpleMDM
    • Others

    MacBook-focused management tools can provide features such as:

    • Encryption and update settings
    • App deployment and lifecycle management
    • Remote device wipe, scan, shutdown, restart, and lock
    • Zero touch deployment and support
    • Location tracking
    • Browser content filtering
    • Enable, hide/block, or disable built-in features
    • Configure Wi-Fi, VPN, and certificate-based settings
    • Centralized dashboard with device and app listings as well as individual details
    • Data restrictions
    • Plus more

    Unified endpoint management (UEM) solutions that can provide MacBook management to some degree include (but are not limited to):

    • Intune
    • Ivanti
    • Endpoint Central
    • WorkspaceOne

    Dedicated solutions advocate integration with UEM solutions to take advantage of conditional access, security functionality, and data governance features.

    Jamf and Microsoft entered into a collaboration several years ago with the intention of making the MacBook management process easier and more secure.

    Microsoft Intune and Jamf Pro: Better together to manage and secure Macs
    Microsoft Conditional Access with Jamf Pro ensures that company data is only accessed by trusted users, on trusted devices, using trusted apps. Jamf extends this Enterprise Mobile + Security (EMS) functionality to Mac, iPhone and iPad.
    – "Microsoft Intune and Jamf Pro," Jamf

    Endpoint Management Selection Tool
    Activity

    There are many solutions available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don't purchase capabilities that you may never use.

    Use the Endpoint Management Selection Tool to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. List out the desired features you want in an endpoint solution for your devices and record those features in the first column. Use the features provided, or add your own and edit or delete the existing ones if necessary.
    2. List your selected endpoint management solution vendors in each of the columns in place of "Vendor 1," "Vendor 2," etc.
    3. Fill out the spreadsheet by changing the corresponding desired feature cell under each vendor to a "yes" or "no" based on your findings while investigating each vendor solution.
    4. When you have finished your investigation, review your spreadsheet to compare the various offerings and pros and cons of each vendor.
    5. Select your endpoint management solution.

    Endpoint Management Selection Tool

    In the first column, list out the desired features you want in an endpoint solution for your devices. Use the features provided if desired, or add your own and edit or delete the existing ones if necessary. As you look into various endpoint management solution vendors, list them in the columns in place of "Vendor 1," "Vendor 2," etc. Use the "Desired Feature" list as a checklist and change the values to "yes" or "no" in the corresponding box under the vendors' names. When complete, you will be able to look at all the features and compare vendors in a single table.

    Desired Feature Vendor 1 Vendor 2 Vendor 3
    Organizational unit creation Yes No Yes
    Group creation Yes Yes Yes
    Ability to assign users to devices No Yes Yes
    Control of administrative permissions Yes Yes Yes
    Conditional access No Yes Yes
    Security policies enforced Yes No Yes
    Asset management No Yes No
    Single sign-on Yes Yes Yes
    Auto-deployment No Yes No
    Repair lifecycle tracking No Yes No
    Application deployment Yes Yes No
    Device tracking Yes Yes Yes
    Ability to enable encryption Yes No Yes
    Device wipe Yes No Yes
    Ability to enable/disable device tracking No No Yes
    User activity audit No No No

    Related Info-Tech Research

    this is a screenshot from Info-Tech's Modernize and Transform Your End-User Computing Strategy.

    Modernize and Transform Your End-User Computing Strategy
    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software 2022 | SoftwareReviews
    Compare and evaluate unified endpoint management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best unified endpoint management software for your organization.

    Best Enterprise Mobile Management (EMM) Software 2022 | (softwarereviews.com)
    Compare and evaluate enterprise mobile management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best enterprise mobile management software for your organization.

    Bibliography

    Bridge, Tom. "Macs in the enterprise – what you need to know". Computerweekly.com, TechTarget. 27 May 2022. Accessed 12 Aug. 2022.
    Copley-Woods, Haddayr. "5 reasons Mac is a must in the enterprise". Jamf.com, Jamf. 28 June 2022. Accessed 16 Aug. 2022.
    Duke, Kent. "Chromebook sales skyrocketed in Q3 2020 with online education fueling demand." androidpolice.com, Android Police. 16 Nov 2020. Accessed 10 Aug. 2022.
    Elgin, Mike. "Will Chromebooks Rule the Enterprise? (5 Reasons They May)". Computerworld.com, Computerworld. 30 Aug 2019. Accessed 10 Aug. 2022.
    Evans, Jonny. "IBM says it is 3X more expensive to manage PCs than Macs". Computerworld.com, Computerworld. 19 Oct 2016. Accessed 23 Aug. 2022.
    "Global Survey: Mac in the Enterprise". Jamf.com, Jamf. Accessed 16 Aug. 2022.
    "How to Manage Chromebooks Like a Pro." Vizor.cloud, VIZOR. Accessed 10 Aug. 2022.
    "Manage Chrome OS Devices with EMM Console". support.google.com, Google. Accessed 16 Aug. 2022.
    Protalinski, Emil. "Chromebooks outsold Macs worldwide in 2020, cutting into Windows market share". Geekwire.com, Geekwire. 16 Feb 2021. Accessed 22 Aug. 2022.
    Smith, Sean. "Microsoft Intune and Jamf Pro: Better together to manage and secure Macs". Jamf.com, Jamf. 20 April 2022. Accessed 16 Aug. 2022.

    COVID-19 Work Status Tracking Guide

    • Buy Link or Shortcode: {j2store}594|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Keeping track of the multiple and frequently changing work arrangements on your team.
    • Ensuring you have a fast and easy way to keep an up-to-date record of where and how employees are working.

    Our Advice

    Critical Insight

    • During these critical times, keeping track of employees’ work status doesn’t have to be complicated – the right tool is one that does the job.
    • Keeping track of your employees is a health and safety issue – deployed well, it is an aid in keeping the business running and an additional communication channel, not a sign of lack of trust.

    Impact and Result

    • An Excel spreadsheet is all you need to ensure you have a way to record work arrangements that can change by the day.
    • An easy-to-use tool means minimal administrative overhead to ensuring you have this critical information at hand.

    COVID-19 Work Status Tracking Guide Research & Tools

    Start here – read the Work Status Tracking Guide

    Read our recommendations and use the accompanying tool to quickly get a handle on your team’s work arrangements.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • COVID-19 Work Status Tracking Guide Storyboard
    • COVID-19 Work Status Tracking Tool
    [infographic]

    Build a Service-Based Security Resourcing Plan

    • Buy Link or Shortcode: {j2store}267|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $20,799 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • IT and security leaders across all industries must determine what and how many resources are needed to support the information security program.
    • Estimating current usage and future demand for security resources can be a difficult and time-consuming exercise.

    Our Advice

    Critical Insight

    Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Impact and Result

    • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
    • A well-designed security services portfolio is the first step towards determining resourcing needs.
    • When planning resource allocations, plan for both mandatory and discretionary demand to optimize utilization.

    Build a Service-Based Security Resourcing Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Service-Based Security Resourcing Plan – A blueprint to help you define security roles, build a service portfolio, estimate demand, and determine resourcing needs.

    This storyboard will help you to determine your security resourcing needs using a service-based approach.

    • Build a Service-Based Security Resourcing Plan – Phases 1-3

    2. Security Resources Planning Workbook – This tool will result in a defined security service portfolio and a three-year resourcing plan.

    Use this tool to build your security service portfolio and to determine resourcing needs to meet your service demand.

    • Security Resources Planning Workbook

    Infographic

    Workshop: Build a Service-Based Security Resourcing Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Roles and Select Services

    The Purpose

    Identify the roles needed to implement and deliver your organization’s security services.

    Key Benefits Achieved

    A security services portfolio allows you to assign job roles to each service, which is the first step towards determining resourcing needs. Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.

    Activities

    1.1 Assess security needs and business pressures.

    1.2 Define security job roles.

    1.3 Define security services and assign ownership.

    Outputs

    Security Roles Definition

    Security Services Portfolio

    2 Estimate Current and Future Demand

    The Purpose

    Estimate the actual demand for security resources and determine how to allocate resources accordingly.

    Key Benefits Achieved

    Allocate resources more effectively across your Security and Risk teams.

    Raise the profile of your security team by aligning security service offerings with the demands of the business.

    Activities

    2.1 Estimate current and future demand.

    2.2 Review demand summary.

    2.3 Allocate resources where they are needed the most.

    Outputs

    Demand Estimates

    Resourcing Plan

    3 Identify Required Skills

    The Purpose

    When defining roles, consider the competencies needed to deliver your security services. Make sure to account for this need in your resource planning.

    Key Benefits Achieved

    Leverage the NCWF to establish the building blocks of a capable and ready cybersecurity workforce to effectively identify, recruit, develop and maintain cybersecurity talent.

    Activities

    3.1 Identify skills needed for planned initiatives.

    3.2 Prioritize your skill requirements.

    3.3 Assign work roles to the needs of your target environment.

    3.4 Discuss the NICE cybersecurity workforce framework.

    3.5 Develop technical skill requirements for current and future work roles.

    Outputs

    Prioritized Skill Requirements and Associated Roles

    4 Future Planning

    The Purpose

    Create a development plan to train and upskill your employees to address current and future service requirements.

    Key Benefits Achieved

    Skill needs are based on the strategic requirements of a business-aligned security program.

    Activities

    4.1 Continue developing technical skill requirements for current and future work roles.

    4.2 Conduct current workforce skills assessment.

    4.3 Develop a plan to acquire skills.

    4.4 Discuss training and certification opportunities for staff.

    4.5 Discuss next steps for closing the skills gap.

    4.6 Debrief.

    Outputs

    Role-Based Skills Gaps

    Workforce Development Plan

    Further reading

    Build a Service-Based Security Resourcing Plan

    Every security program is unique; resourcing allocations should reflect this.

    Analyst Perspective

    Start by looking inward.

    The image is a picture of Logan Rohde.The image is a picture of Isabelle Hertanto.

    Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what are the organization’s key security requirements. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere.

    Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.

    Logan Rohde

    Senior Research Analyst, Security

    Info-Tech Research Group

    Isabelle Hertanto

    Principal Research Director, Security

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • IT and Security leaders across all industries must determine what and how many resources are needed to support the information security program.
    • Estimating current usage, the right allocations, and future demand for security resources can be a difficult and time-consuming exercise.
    • Needing to provide a benchmark to justify increasing headcount.
    • Absence of formally defined security service offerings and service owners.
    • Lack of skills needed to provide necessary security services.
    • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
    • A well-designed security services portfolio is the first step toward determining resourcing needs.
    • When allocating resources, plan for both mandatory and discretionary demand to position yourself for greatest success.

    Info-Tech Insight

    Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Determine what and how many resources are needed to support the information security program.
    • Identify the organization's key service offerings and the required resourcing to support delivery of such services.
    • Estimate current staff utilization and required allocations to satisfy future demand for services.

    Every organization is unique and will need different security research allocations aligned with their business needs.

    “The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”

    Paige H. Adams

    Global CISO at Zurich

    Insurance

    Source: Proofpoint, 2021

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
    • A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
    • With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.

    Hiring delays and skills gaps can fuel resourcing challenges

    59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.

    Source: ISACA, 2020

    30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.

    Source: ISACA, 2020

    Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan

    1. Determine Security Service Portfolio Offerings

    2. Plan for Mandatory Versus Discretionary Demand

    3. Define Your Resourcing Model

    Phase Steps

    1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Review Demand Summary

    3.2 Develop an Action Plan

    Phase Outcomes

    Security requirements

    Security service portfolio

    Service demand estimates

    Service hour estimates

    Three-year resourcing plan

    Stay on top of resourcing demands with a security service portfolio

    Security programs should be designed to address unique business needs.

    A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

    Watch out for role creep.

    It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

    Time estimates will improve with practice.

    It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

    Start recruiting well in advance of need.

    Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

    People and skills are both important.

    As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

    Make sure your portfolio reflects reality.

    There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.

    Blueprint deliverable

    Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.

    The image contains screenshots of the Security Resources Planning Workbook.

    Key deliverable:

    Security Resources Planning Workbook

    The Security Resources Planning Workbook will be used to:

    • Build a security services portfolio.
    • Estimate demand for security services and the efforts to deliver them.
    • Determine full-time equivalent (FTE) requirements for each service.
    The image contains a thought model to demonstrate the benchmarks that lead to a one-size-fits-all approach to security.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Allocate resources more effectively across your security and risk teams.
    • Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.
    • Raise the profile of your security team by aligning security service offerings with the demands of the business.
    • Ensure that people, financial, knowledge, and technology resources are appropriately allocated and leveraged across the organization.
    • Improve your organization’s ability to satisfy compliance obligations and reduce information security risk.
    • Increase customer and business stakeholder satisfaction through reliable service delivery.

    Measure the value of this blueprint

    Use these metrics to realize the value of completing this blueprint.

    Metric

    Expected Improvement

    Level of business satisfaction with IT security

    You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic.

    Reports on key performance indicators and service level objectives

    Expect to see a 40% improvement in security service-related key performance indicators and service level objectives.

    Employee engagement scores

    You can expect to see approximately a 10% improvement in employee engagement scores.

    Changes in rates of voluntary turnover

    Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%.

    47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.

    Source: Security Boulevard, 2021

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific drivers.

    Call #2: Discuss roles and duties.

    Call #3: Build service portfolio and assign ownership.

    Call #4: Estimate required service hours.

    Call #5: Review service demand and plan for future state.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 6 calls over the course of 2 to 3 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Define Roles and Select Services

    Estimate Current and Future Demand

    Identify Required Skills

    Future Planning

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Assess Security Needs and Business Pressures.

    1.2 Define Security Job Roles.

    1.3 Define Security Services and Assign Ownership.

    2.1 Estimate Current and Future Demand.

    2.2 Review Demand Summary.

    2.3 Allocate Resources Where They Are Needed the Most.

    3.1 Identify Skills Needed Skills for Planned Initiatives.

    3.2 Prioritize Your Skill Requirements.

    3.3 Assign Work Roles to the Needs of Your Target Environment.

    3.4 Discuss the NICE Cybersecurity Workforce Framework.

    3.5 Develop Technical Skill Requirements for Current and Future Work Roles.

    4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles.

    4.2 Conduct Current Workforce Skills Assessment.

    4.3 Develop a Plan to Acquire Skills.

    4.4 Discuss Training and Certification Opportunities for Staff.

    4.5 Discuss Next Steps for Closing the Skills Gap.

    4.6 Debrief.

    5.1 Complete In-Progress Deliverables From Previous Four Days.

    5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next steps.

    Deliverables
    1. FTE-Hours Calculation
    2. Security Roles Definition
    3. Security Services Portfolio
    1. Demand Estimates
    2. Resourcing Plan
    1. Skills Gap Prioritization Tool
    2. Technical Skills Tool
    1. Technical Skills Tool
    2. Current Workforce Skills Assessment
    3. Skills Development Plan

    Phase 1

    Determine Security Service Portfolio Offerings

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Core Security Team
    • Business Representative (optional)

    Step 1.1

    Gather Requirements and Define Roles

    Activities

    1.1.1 Assess Business Needs and Pressures

    1.1.2 Define Security Roles

    This step involves the following participants:

    • CISO
    • Core Security Team
    • Business Representative (optional)

    Outcomes of this step

    • Security program requirements
    • Security roles definitions

    1.1.1 Assess security needs and pressures

    1 hour

    1. As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).
    • To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
    • You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.
  • There may be some that have not been well addressed by current service offerings (e.g. current service maturity, under/over definition of a service). Be sure to make a note of these areas and what the current challenge is and use these details in Step 1.2.
  • Document the results for future use in Step 1.2.1.
  • Input Output
    • List of key business requirements and industry pressures
    • Prioritized list of security program requirements
    Materials Participants
    • Whiteboard
    • Sticky notes
    • CISO
    • Core Security Team
    • Business Representative (optional)

    Typical business pressures examples

    The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.

    The image contains a screenshot of Typical business pressures examples.

    1.1.2 Define security roles

    1-2 hours

    1. Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
    2. On tab 1 (Roles), review the example roles and identify which roles you have within your security team.
    • If necessary, customize the roles and descriptions to match your security team’s current make up.
    • If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.
  • For each role, use columns D-F to indicate how many people (headcount) you have, or plan to have, in that role.
  • Use columns H-J to indicate how many hours per year each role has available to deliver the services within your service catalog.
  • Input Output
    • Full-time hours worked per week Weeks worked per year Existing job descriptions/roles
    • Calculated full-time equivalents (FTE) Defined security roles
    Materials Participants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Download the Security Resources Planning Workbook

    Calculating FTEs and defining security roles

    The image contains a screenshot of the workbook demonstrating calculating FTEs and defining security roles.

    1. Start by entering the current and planned headcount for each role
    2. Then enter number of hours each role works per week
    3. Estimate the number of administrative hours (e.g. team meetings, training) per week
    4. Enter the average number of weeks per year that each role is available for service delivery
    5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE)

    Info-Tech Insight

    Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

    Other considerations

    Address your skills gap.

    Cybersecurity is a rapidly evolving discipline and security teams from all over are reporting challenges related to training and upskilling needed to keep pace with the developments of the threat landscape.

    95% Security leaders who agree the cybersecurity skills gap has not improved over the last few years.*

    44% Security leaders who say the skills gap situation has only gotten worse.*

    When defining roles, consider the competencies needed to deliver your security services. Use Info-Tech’s blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan to help you determine the required skillsets for each role.

    * Source: ISSA, 2021

    Info-Tech Insight

    As the services in your portfolio mature and become more complex, remember to consider the skills you need and will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

    Download blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Step 1.2

    Choose Security Service Offerings

    Activities

    1.2.1 Define Security Services and Role Assignments

    This step involves the following participants:

    • CISO
    • Core Security Team

    Outcomes of this step

    • Service portfolio
    • Service pipeline status
    • Service ownership

    1.2.1 Define security services and role assignments

    2-4 hours

    1. As a group, review the outputs from Step 1.1.1. These requirements will serve as the basis to prioritize the service offerings of your security portfolio.
    2. Take these outputs, as well as any additional notes you’ve made, and put them side by side with the example service offerings on tab 3 of the Security Resources Planning Workbook so each service can be considered alongside these requirements (i.e. to determine if that service should be included in the security service portfolio at this time).
    3. Using the following slides as a guide, work your way down the list of example services and choose the services for your portfolio. For each service selected, be sure to customize the definition of the service and state its outcome (i.e. what time is spent when providing this service, indicate if it is outsourced, which role is responsible for delivering it, and the service pipeline status (in use, plan to use, plan to retire)).
    InputOutput
    • Business and security requirements gathered in Step 1.1.1
    • Defined security service portfolio
    • Service ownership assigned to role
    MaterialsParticipants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Download the Security Resources Planning Workbook

    Service needs aligned with your control framework

    Use Info-Tech's best-of-breed Security Framework to develop a comprehensive baseline set of security service areas.

    The image contains a screenshot of the Security Framework.

    Prioritize your security services

    Example of a custom security services portfolio definition

    Security Strategy and Governance Model

    • Aligned Business Goals
    • Security Program Objectives
    • Centralized vs. Decentralized Governance Model

    Compliance Obligations

    • Penetration testing
    • Annual security audits
    • Data privacy and protection laws

    CISO Accountabilities

    • Security Policy
    • Risk Management
    • Application & Infrastructure Security
    • Program Metrics and Reporting

    Consider each of the requirement categories developed in Step 1.1.1 against the taxonomy and service domain here. If there is a clear need to add this service, use the drop-down list in the “Include in Catalog” column to indicate “Yes.” Mark un-needed services as “No.”

    The image contains a screenshot of the security services portfolio definition.

    Assigning roles to services

    The image contains an example of assigning roles to services.

    1. If the service is being outsourced, use the drop-down list to select “Yes.” This will cause the formatting to change in the neighboring cell (Role), as this cell does not need to be completed.
    2. For all in-sourced services, indicate the role assigned to perform the service.
    3. Indicate the service-pipeline status for each of the services you include. The selection you make will affect the conditional formatting on the next tab, similar to what is described in step 1.

    Info-Tech Insight

    Make sure your portfolio reflects current state and approved plans. There’s nothing wrong with planning for the future, but we should avoid using the portfolio as a list of goals.

    Phase 2

    Plan for Mandatory Versus Discretionary Demand

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Core Security Team

    Step 2.1

    Assess Demand

    Activities

    2.1.1 Estimate Current and Future Demand

    This step involves the following participants:

    • CISO
    • Core Security Team

    Outcomes of this step

    • Service demand estimates
    • Total service hours required
    • FTEs required per service

    2.1.1 Estimate current and future demand

    2-4 hours

    1. Estimate the number of hours required to complete each of the services in your portfolio and how frequently it is performed. Remember the service-hour estimates should be based on the outcome of the service (see examples on the next slide).
    • To do this effectively, think back over the last quarter and count how many times the members of your team performed each service and how many hours it took to complete.
    • Then, think back over the last year and consider if the last quarter represents typical demand (i.e. you may notice that certain services have a greater demand at different parts of the year, such as annual audit) and arrive at your best estimate for both service hours and demand.
    • See examples on next slide.

    Note: For continuous services (i.e. 24/7 security log monitoring), use the length of the work shift for estimating the Hours to Complete and the corresponding number of shifts per year for Mandatory Demand estimates. Example: For an 8-hour shift, there are 3 shifts per day at 365 days/year, resulting in 1,095 total shifts per year.

    Download the Security Resources Planning Workbook

    InputOutput
    • Service-hour estimations
    • Expected demand for service
    • Discretionary demand for service
    • Total hours required for service
    • FTEs required for service
    MaterialsParticipants
    • Security Resources Planning Workbook
    • CISO
    • Core Security Team

    Info-Tech Insight

    Time estimates will improve over time. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

    Understanding mandatory versus discretionary demand

    Every service may have a mix of mandatory and discretionary demands. Understanding and differentiating between these types of demand is critical to developing an efficient resourcing plan.

    The image contains a picture used to represent mandatory demand.

    Mandatory Demand

    Mandatory demand refers to the amount of work that your team must perform to meet compliance obligations and critical business and risk mitigation requirements.

    Failure to meet mandatory demand levels will have serious consequences, such as regulatory fines or the introduction of risks that far exceed risk tolerances. This is work you cannot refuse.

    The image contains a diagram to demonstrate the relationship between Mandatory and Discretionary demand.

    The image contains a picture used to represent discretionary demand.

    Discretionary Demand

    Discretionary demand refers to the amount of work the security team is asked to perform that goes above and beyond your mandatory demand. Discretionary demand often comes in the form of ad hoc requests from business units or the IT department.

    Failure to meet discretionary demand levels usually has limited consequences, allowing you more flexibility to decide how much of this type of work you can accept.

    Mandatory versus discretionary demand examples

    Service Name

    Mandatory Demand Example

    Discretionary Demand Example

    Penetration Testing

    PCI compliance requires penetration testing against all systems within the cardholder data environment annually (currently 2 systems per year).

    Business units request ad hoc penetration testing against non-payment systems (expected 2-3 systems per year).

    Vendor Risk Assessments

    GDPR compliance requires vendor security assessments against all third parties that process personal information on our behalf (expected 1-2 per quarter).

    IT department has requested that the security team conduct vendor security assessments for all cloud services, regardless of whether they store personal information (expected 2-3 assessments per quarter).

    e-Discovery and Evidence Handling

    There is no mandatory demand for this service.

    The legal department occasionally asks the security team to assist with e-Discovery requests (expected demand 1-2 investigations per quarter).

    Example of service demand estimations

    The image contains a screenshot example of service demand estimations.

    1. For each service, describe the specific outcome or deliverable that the service produces. Modify the example deliverables as required.
    2. Enter the number of hours required to produce one instance of the service deliverable. For example, if the deliverable for your security training service is an awareness campaign, it may require 40 person hours to develop and deliver.
    3. Enter the number of mandatory and discretionary demands expected for each service within a given year. For instance, if you are delivering quarterly security awareness campaigns, enter 4 as the demand.

    Phase 3

    Build Your Resourcing Plan

    Phase 1

    Phase 2

    Phase 3

    1.1 Gather Requirements and Define Roles

    1.2 Choose Security Service Offerings

    2.1 Assess Demand

    3.1 Determine Resourcing Status

    This phase involves the following participants:

    • CISO
    • Security Manager

    Step 3.1

    Determine Resourcing Status

    Activities

    3.1.1 Review Demand Summary

    3.1.2 Fill Resource Gaps

    This step involves the following participants:

    • CISO
    • Security Manager

    Outcomes of this step

    • The number of FTEs required to meet demand
    • Resourcing gaps

    3.1.1 Review demand summary

    1-2 hours

    1. On tab 5 of the Security Resourcing Planning Tool (Demand Summary), review the results. This tab will show you if you have enough FTE hours per role to meet the demand level for each service.
    • Green indicates that there is a surplus of FTEs and the number displayed shows how many extra FTEs there are.
    • Yellow text that you have adequate FTEs to meet all of your mandatory demand but may not have enough to meet all of your discretionary demand.
    • Red text indicates that there are too few FTEs available, and the number displayed shows how many additional FTEs you will require.
  • Take note of how many FTEs you will need to meet expected and discretionary demand in each of the years you’ve planned for.
  • Input Output
    • Current staffing
    • Resourcing model
    Materials Participants
    • Security Resources Planning Workbook
    • CISO
    • HR Representative

    Download the Security Resources Planning Workbook

    Info-Tech Insight

    Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

    Example of demand planning summary (1/2)

    The image contains a screenshot of an example of demand planning summary.

    Example of demand planning summary (2/2)

    The image contains a screenshot of an example of demand planning. This image has a screenshot of the dashboard.

    3.1.2 Fill resource gaps

    2-4 hours

    1. Now that you have a resourcing model for your security services, you will need to plan to close the gaps between available FTEs and required service hours. For each role that has been under/over committed to service delivery, review the services assignments on tab 3 and determine the viability of the following gap closure actions:
      1. Reassign service responsibility to another role with fewer commitments
      2. Create efficiencies to reduce required hours
      3. Hire to meet the service demand
      4. Outsource the service
    2. Your resourcing shortages may not all be apparent at once. Therefore, build a roadmap to determine which needs must be addressed immediately and which can be scheduled for years two and three.

    Consider outsourcing

    Outsourcing provides access to tools and talent that would otherwise be prohibitively expensive. Typical reasons for outsourcing security operations include:

    • Difficulty finding or retaining security staff with advanced and often highly specialized skillsets.
    • The desire to transfer liability for high-risk operational activities such as 24/7 security monitoring.
    • Workforce scalability to accommodate irregular or infrequent events such as incident response and incident-related forensic investigations.

    Given the above, three different models have emerged for the operational security organization:

    1. Outsourced SecOps

    A fully outsourced Security Operations Center, managed and governed by a smaller in-house team

    2. Balanced Hybrid

    In-house operational security staff with some reliance on managed services

    3. In-House SecOps

    A predominantly in-house security team, augmented by a small managed services contract

    Once you have determined that further outsourcing is needed, go back and adjust the status in your service portfolio. Use Info-Tech's blueprint Develop Your Security Outsourcing Strategy to determine the right approach for your business needs.

    “The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.”

    – Senior Manager, Cybersecurity at EY

    Download blueprint Develop Your Security Outsourcing Strategy

    Info-Tech Insight

    Choose the right model for your organization’s size, risk tolerance, and process maturity level. For example, it might make more sense for larger enterprises with low risk tolerance to grow their internal teams and build in-house capability.

    Create efficiencies

    Resourcing challenges are often addressed more directly by increased spending. However, for a lot of organizations, this just isn’t possible. While there is no magic solution to resolve resource constraints and small budgets, the following tactics should be considered as a means to reduce the hours required for the services your team provides.

    Upskill Your Staff

    If full-scale training is not an option, see if there are individual skills that could be improved to help improve time to completion for your services. Use Info-Tech's blueprint Close the InfoSec Skills Gap to determine which skills are needed for your security team.

    Improve Process Familiarity

    In some organizations, especially low-maturity ones, problems can arise simply because there is a lack of familiarity with what needs to be done. Review the process, socialize it, and make sure your staff can execute in within the target time allotment.

    Add Technology

    Resourcing crunch or not, technology can help us do things better. Investigate whether automation software might help to shave a few hours off a given service. Use Info-Tech's blueprint Build a Winning Business Process Automation Playbook to optimize and automate your business processes with a user-centric approach.

    Download the blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Download the blueprint Build a Winning Business Process Automation Playbook

    Info-Tech Insight

    Every minute counts. While using these strategies may not solve every resourcing crunch you have, they can help put you in the best position possible to deliver on your commitments for each service.

    Plan for employee turnover

    Cybersecurity skills are in high demand; practitioners are few. The reality is that experienced security personnel have a lot of opportunities. While we cannot control for the personal reasons employees leave jobs, we can address the professional reasons that cause them to leave.

    Fair wage

    Reasonable expectations

    Provide training

    Defined career path

    It’s a sellers’ market for cybersecurity skills these days. Higher-paying offers are one of the major reasons security leaders leave their jobs (ISSA, 2021).

    Many teams lose out on good talent simply because they have unrealistic expectations, seeking 5+ years experience for an entry-level position, due to misalignment with HR (TECHNATION, 2021).

    Technology is changing (and being adopted) faster than security professionals can train on it. Ongoing training is needed to close these gaps (ISO, 2021).

    People want to see where they are now, visualize where they will be in the future, and understand what takes to get there. This helps to determine what types of training and specialization are necessary (DigitalGuardian, 2020).

    Use Info-Tech’s blueprint Build a Strategic IT Workforce Plan to help staff your security organization for success.

    The image contains a screenshot of the Build a Strategic IT Workforce Plan.

    Download blueprint Build a Strategic IT Workforce Plan

    Summary of Accomplishment

    Problem Solved

    You have now successfully identified your business and security drivers, determined what services your security program will provide, and determined your resourcing plan to meet these demands over the next three years.

    As needs change at your organization, don’t forget to re-evaluate the decisions you’ve made. Don’t forget that outsourcing a service may be the most reliable way to provide and resource it. However, this is just one tool among many that should be considered, along with upskilling, process improvement/familiarity, and process automation.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    The image contains a picture of George Al-Koura.

    George Al-Koura

    CISO

    Ruby Life

    The image contains a picture of Brian Barniner.

    Brian Barniner

    Head of Decision Science and Analytics

    ValueBridge Advisors

    The image contains a picture of Tracy Dallaire.

    Tracy Dallaire

    CISO / Director of Information Security

    McMaster University

    The image contains a picture of Ricardo Johnson.

    Ricardo Johnson

    Chief Information Security Officer

    Citrix

    Research Contributors and Experts

    The image contains a picture of Ryan Rodriguez.

    Ryan Rodriguez

    Senior Manager, Cyber Threat Management

    EY

    The image contains a picture of Paul Townley.

    Paul Townley

    VP Information Security and Personal Technology

    Owens Corning

    13 Anonymous Contributors

    Related Info-Tech Research

    Cost-Optimize Your Security Budget

    Develop Your Security Outsourcing Strategy

    Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

    Bibliography

    2021 Voice of the CISO Report.” Proofpoint, 2021. Web.

    “2022 Voice of the CISO.” Proofpoint, 2022. Web.

    Brook, Chris. “How to Find and Retain Skilled Cybersecurity Talent.” DigitalGuardian, 17 Sep. 2020. Web.

    “Canadian Cybersecurity Skills Framework” TECHNATION Canada, April 2020. Web.

    “Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment.” ISSA, 28 July 2021. Web.

    “Cybersecurity Workforce, National Occupational Standard.” TECHNATION Canada, April 2020. Web.

    Naden, Clare. “The Cybersecurity Skills Gap: Why Education Is Our Best Weapon against Cybercrime.” ISO, 15 April 2021. Web.

    Purse, Randy. “Four Challenges in Finding Cybersecurity Talent And What Companies Can Do About It.” TECHNATION Canada, 29 March 2021. Web.

    Social-Engineer. “Burnout in the Cybersecurity Community.” Security Boulevard, 8 Dec. 2021. Web.

    “State of Cybersecurity 2020.” ISACA, 2020. Web.

    Satisfy Customer Requirements for Information Security

    • Buy Link or Shortcode: {j2store}259|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $247 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Your customers and potential customers are increasingly demanding assurance that you will meet their information security requirements.
    • Responding to these assurance demands requires ever more effort from the security team, which distracts them from their primary mission of protecting the organization.
    • Every customer seems to have their own custom security questionnaire they want you to complete, increasing the effort you have to expend to respond to them.

    Our Advice

    Critical Insight

    • Your security program can be a differentiator and help win and retain customers.
    • Value rank your customers to right-size the level of effort your security team dedicates to responding to questionnaires.
    • SOC 2 or ISO 27001 certification can be an important part of your security marketing, but only if you make the right business case.

    Impact and Result

    • CISOs need to develop a marketing strategy for their information security program.
    • Ensure that your security team dedicates the appropriate amount of effort to sales by value ranking your potential customers and aligning efforts to value.
    • Develop a business case for SOC 2 or ISO 27001 to determine if certification makes sense for your organization, and to gain support from key stakeholders.

    Satisfy Customer Requirements for Information Security Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should proactively satisfy customer requirements for information security, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage customer expectations for information security

    Identify your customers’ expectations for security and privacy, value rank your customers to right-size your efforts, and learn how to impress them with your information security program.

    • Satisfy Customer Requirements for Information Security – Phase 1: Manage Customer Expectations for Information Security

    2. Select a certification path

    Decide whether to obtain SOC 2 or ISO 27001 certification, and build a business case for certification.

    • Satisfy Customer Requirements for Information Security – Phase 2: Select a Certification Path
    • Security Certification Selection Tool
    • Security Certification Business Case Tool

    3. Obtain and maintain certification

    Develop your certification scope, prepare for the audit, and learn how to maintain your certification over time.

    • Satisfy Customer Requirements for Information Security – Phase 3: Obtain and Maintain Certification
    [infographic]

    Create and Implement an IoT Strategy

    • Buy Link or Shortcode: {j2store}57|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies

    While the Internet of Things (IoT) or smart devices have the potential to transform businesses, they have to be implemented strategically to drive value. The business often engages directly with vendors, and many IoT solutions are implemented as point solutions with IT being brought in very late in the process.

    This leads to challenges with integration, communication, and data aggregation and storage. IT is often also left grappling with many new devices that need to be inventoried, added to lifecycle management practices, and secured.

    Unlock the true potential of IoT with early IT involvement

    As IoT solutions become more common, IT leaders must work closely with business stakeholders early in the process to ensure that IoT solutions make the most of opportunities and mitigate risks.

    1. Ensure that IoT solutions meet business needs: Assess IoT solutions to ensure that they meet business requirements and align with business strategy.
    2. Make integration and management smooth: Build and execute plans so IoT devices integrate with existing infrastructure and multiple devices can be managed efficiently.
    3. Ensure privacy and security: IoT solutions should meet clearly outlined privacy and security requirements and comply with regulations such as GDPR and CCPA.
    4. Collect and store data systematically: Manage what data will be collected and aggregated and how it will be stored so that the business can recognize value from the data with minimal risk.

    Create and Implement an IoT Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create and Implement an IoT Strategy Deck – A framework to assess and onboard IoT devices into your environment.

    The storyboard will help to create a steering committee and a playbook to quickly assess IoT ideas to determine the best way to support these ideas, test them in Proof of concepts, when appropriate, and give the business the confidence they need to get the right solution for the job and to know that IT can support them long term.

    • Create and Implement an IoT Strategy – Phases 1-3

    2. Steering Committee Charter Template – Improve governance starting with a steering committee charter to help you clearly define the role of the steering committee to improve outcomes.

    Create a steering committee to improve success of IoT implementations.

    • IoT Steering Committee Charter Template

    3. IoT Solution Playbook – Create an IoT playbook to define a framework to quickly assess new solutions and determine the best time and method for onboarding into your operational environment.

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success.

    • IoT Solution Playbook

    Infographic

    Further reading

    Create and Implement an IoT Strategy

    Gain control of your IoT environment

    Create and Implement an IoT Strategy

    Gain control of your IoT environment

    EXECUTIVE BRIEF

    Table of Contents

    Page Contents Page Contents
    4 Analyst Perspective 27 Phase 2: Define the intake & assessment process
    5 Executive Summary 29 Define requirements for requesting new IoT solutions
    7 Common Obstacles 32 Define procedures for reviewing proposals and projects – BA/BRM
    8 Framework 38 Define criteria for assessing proposals and projects – data specialists
    9 Insight Summary 43 Define criteria for assessing proposals & projects – Privacy & Security
    10 Blueprint deliverables 47 Define criteria for assessing proposals & projects – Infrastructure & Operations
    11 Blueprint benefits 48 Define service objectives & evaluation process
    13 Measure the value of IoT 49 Phase 3: Prepare for a proof of value
    15 Guided Implementation 58 Create a template for designing a proof of value
    16 Phase 1: Define your governance process 59 Communications
    21 Define the committee’s roles & responsibilities 60 Research contributors and experts
    23 Define the IoT steering committee’s vision statement and mandate 61 Related InfoTech Research
    26 Define procedures for reviewing proposals and projects

    Analyst perspective

    IoT is an extremely efficient automated data collection system which produces millions of pieces of data. Many organizations will purchase point solutions to help with their primary business function to increase efficiency, increase profitability, and most importantly provide scalable services that cannot exist without automated data collection and analytical tools.

    Most of the solutions available are designed to perform a specific function within the parameters of the devices and applications designed by vendors. As these specific use cases proliferate within any organization, the data collected can end up housed in many places, owned by each specific business unit and used only for the originally designed purpose. Imagine though, if you could take the health information of many patients, anonymize it, and compare overall health of specific regions, rather than focusing only on the patient record as a correlated point; or many data points within cities to look at pedestrian, bike, and vehicle traffic to better plan infrastructure changes, improve city plans, and monitor pollution, then compared to other cities for additional modeling.

    In order to make these dramatic shifts to using many IoT solutions, it’s time to look at creating an IoT strategy that will ensure all systems meet strategic goals and will enable disparate data to be aggregated for greater insights. The act of aggregation of systems and data will require additional scrutiny to mitigate the potential perils for privacy, management, security, and auditability

    The strategy identifies who stewards use of the data, who manages devices, and how IT enables broader use of this technology. But with the increased volume of devices and data, operational efficiency as part of the strategy will also be critical to success.

    This project takes you through the process of defining vision and governance, creating a process for evaluating proposed solutions for proof of value, and implementing operational effectiveness.

    Photo of Sandi Conrad, Principal Research Director, Info-Tech Research Group.

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The business needs to move quickly to adopt new ways to collect and analyze data or automate actions. IoT may be the right answer, but it can be complex and create new challenges for IT teams.

    Many of these solutions are implemented by vendors as point solutions, but more organizations are recognizing they need to bring the data in-house to start driving insights.

    As IoT solutions become more prolific, the need to get more involved in securing and managing these solutions has become evident.

    Common Obstacles

    The business is often engaging directly with the vendors to better understand how they can benefit from these solutions, and IT is often brought in when the solution is ready to go live.

    When IT isn’t involved early, there may be challenges around integrations, communications, and getting access to data.

    Management becomes challenging as many devices are suddenly entering the environment, which need to be inventoried, added to lifecycle management practices, and secured.

    Info-Tech’s Approach

    Info-Tech’s approach starts with assessing the proposed solutions to:

    • Ensure they will meet the business need.
    • Understand data structure for integration to central data store.
    • Ensure privacy and security needs can be met.
    • Determine effort and technical requirements for integration into the infrastructure and appropriate onboarding into operations.

    Early intervention will improve results. IoT is one of the biggest challenges for IT departments to manage today. The large volume of devices and lack of insight into vendor solutions is making it significantly harder to plan for upgrades and contract renewals, and to guarantee security protocols are being met. Create a multistep onboarding process, starting with an initial assessment process to increase success for the business, then look to derive additional benefits to the business and mitigate risks.

    Your challenge

    Scaling up and out from an IoT point solution is complicated and requires collaboration from stakeholders that may not have worked well together before
    • Point solutions may be installed and configured with support outsourced to vendors, where integrations may be light or non-existent.
    • Each point solution will be owned by the business, with data used for a specific purpose, and may only require infrastructure support from the internal IT department.
    • Operational needs must be met to protect the business’ investment, and without involving IT early, agreements may be signed that don’t meet long-term goals of high value at reasonable prices.
    • To fully realize value from multiple disparate systems, a cohesive strategy to bring together data will be required, but with that comes a need to improve technology, determine data ownership, and improve oversight with strengthened security, privacy, and communications.
    • Where IoT is becoming a major source of data, taking a piecemeal approach will no longer be enough to be successful.

    IoT solutions may be chosen by the business, but to be successful and meet their requirements, a partnership with IT will ensure better communications with the service provider for a less stressful implementation with governance over security needs and protection of the organization’s data, and it will ensure that continual value is enabled through effective operations.

    Pie chart titled 'IoT project success' with '12% Fully successful', '30% Mostly successful', '40% Mostly unsuccessful', and 'Not at all successful'.
    (Source: Beecham Research qtd. in Software AG)

    Common obstacles

    These barriers make IoT challenging to implement for many organizations:
    • Solutions managed outside of IT, whether through an operational technology team or an outsourced vender, will require a comprehensive approach that encourages collaboration, common understandings of risk, and the ability to embrace change.
    • Technical expertise required will be broad and deep for a multi-solution implementation. Many types of devices, with varied connections and communications methods, will need to be architected with flexibility to accommodate changing technology and scalability needs.
    • Understanding the myriad options available and where it makes sense to deploy cutting-edge vs. proven technologies, as well as edge computing and digital twins.
    • External consultants specializing in IoT may need to be engaged to make these complex solutions successful, and they also need to be skilled in facilitating discussions within teams to bring them to a common understanding.
    • Analysis skills and a data strategy will be key to successfully correlating data from multiple sources, and AI will be key to making sense of vast amounts of data available and be able to use it for predictive work. According to the Microsoft IoT Signals report of October 2020, “79% of organizations adopt AI as part of their IoT solution, and those who do perceive IoT to be more critical to their company’s success (95% vs. 82%) and are more satisfied with IoT (96% vs. 87%).“
    Pie chart with two tiers titled 'Challenges to using IT'. The inner circle are challenge categories like 'Security', 'Lack of budget/staff', and the outer circle are the more specific challenges within them, such as 'Concerned about consumer privacy' and 'No human resources to implement & manage'.
    (Source: Microsoft IoT Signals, Edition 2, October 2020 n=3,000)

    Internet of Things Framework

    Interoperability of multiple IoT systems and data will be required to maximize value.

    GOVERNANCE

    What should I build? What are my concerns?
    Where should I build it? Why does it need to be built?

    DATA MODEL ——› BUSINESS OPERATING MODEL
    Data quality
    Metadata
    Persistence
    Lifecycle
    Sales, marketing
    Product manufacturing
    Service delivery
    Operations

    |—›

    BUSINESS USE CASE

    ‹—|
    Customer facing Internal facing ROI
    ˆ
    |
    ETHICS
    Deliberate misuse
    Unintentional consequences
    Right to informed consent
    Active vs. passive consent
    Bias
    Profit vs. common good
    Acceptable/fair use
    Responsibility assignment
    Autonomous action
    Transparency
    Vendor ethical implications
    ˆ
    |
    TECHNICAL OPERATIONAL MODEL
    Personal data
    Customer data
    Non-customer data
    Public data
    Third-party business data
    Data rights/proprietary data
    Identification
    Vendor data
    Profiling (Sharing/linkage of data sets)

    CONTROLS

    How do I operate and maintain it?

    1. SECURITY
      • Risk identification and assessment
      • Threat modeling – ineffective because of scale
      • Dumb, cheap endpoints without users
      • Massive attack surface
      • Data/system availability
      • Physical access to devices
      • Response to anonymized individuals
    2. COMPLIANCE
      • Internal
      • External
        NIST, SOC, ISO
        Profession/industry
      • Ethics
      • Regulatory
        PII, GDPR, PIPEDA
        Audit process
    1. OPERATIONAL STANDARDS
      • Industry best practices
      • Open standards vs. proprietary ones
      • Standardization
      • Automation
      • Vendor management
    2. TECHNICAL OPERATIONAL MODEL
      • Platforms
      • Insourcing/outsourcing
      • Acquisition
      • Asset management
      • Patching
      • Data protection
      • Source image control
      • Software development lifecycle
      • Vendor management
      • Disposition/disposal

    BRIDGING THE PHYSICAL WORLD AND THE VIRTUAL WORLD

    How should it be built?

    Diagram with 'Physical World' 'Internet of Things Devices' on the left, connected to 'Virtual World' 'Central Compute (Cloud/Data Center)', 'Edge Computing', and 'Business Systems and Applications' via 'Data - data-verified= Data Normalization' from physical to virtual and 'Instructions' from virtual to physical.">

    Insight summary

    Real value to the business will come from insights derived from data

    Many point solutions will solve many business issues and produce many data sets. Ensure your strategy includes plans on how to leverage data to further your organizational goals. A data specialist will make a significant difference in helping you determine how best to aggregate and analyze data to meet those needs.

    Provide the right level of oversight to help the business adopt IoT

    Regardless of who is initiating the request or installing the solution, it’s critical to have a framework that protects the organization and their data and a plan for managing the devices.

    The business doesn’t always know what questions to ask, so it’s important for IT to enable them if moving to a business-led innovation model, and it’s critical to helping them achieve business value early.

    Do a pre-implementation assessment to engage early and at the right level

    Many IoT solutions are business- and vendor-led and are hosted outside of the organization or managed inside the business unit.

    Having IT engage early allows the business to determine what level of support is appropriate for them, allows IT to ensure data integrity, and allows IT to ensure that security, privacy, and long-term operational needs are managed appropriately.

    Blueprint deliverables

    IoT Steering Committee Charter

    Create a steering committee to improve success of IoT implementations

    Sample of the IoT Steering Committee Charter.

    IoT Solution Playbook

    Create a framework to quickly evaluate IoT solutions to mitigate risks and increase success

    Sample of the IoT Solution Playbook.

    Blueprint benefits

    IT Benefits

    • Aggregation of processes and data may have compelling implications for increasing effectiveness of the business, but this may also increase risk. A framework will help to drive value while putting in appropriate guardrails.
    • IoT use cases may be varied within many industries, and the use of many types of sensors and devices complicates management and maintenance. A common understanding of how devices will be tracked, managed, and maintained is imperative to IT securing their systems and data.
    • A pilot program to evaluate effectiveness and either reject or move forward with a plan to onboard the solution as quickly as possible will ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

    Business Benefits

    • Aggregation of many disparate groups of data can provide new insights into the way an organization interacts with its clients and how clients are using products and services.
    • As organizations innovate and new IoT solutions are introduced to the environment, solutions need to be evaluated quickly to determine if they’re going to meet the business case and then determine what needs to be put in place for technology, process, and policy to ensure success.
    • As new solutions are introduced, anyone who may be impacted through this new data-collection process will need to be informed and feel secure in the way information is analyzed and managed. This project will provide the framework to quickly assess the risks and develop a communications plan.

    Evaluate digital transformation opportunities with these guiding principles for smart solutions

    Problem & opportunity focus
    • Search for real problems to solve, with visible improvement possibilities
    • Don’t choose technology for technology’s sake
    • Keep an eye to the future
    • Strategic foresight
    Piece by piece
    • Avoid the “Big Bang” approach
    • Test technologies in multiple conditions
    • Run inexpensive pilots
    • Increase flexibility
    • Technology ecosystem
    User buy-in
    • Collaborate with the community
    • Gain and sustain support
    • Increase uptake of city technology
    • Crowdsource community ideas
    Recommendations:
    Focus on real problems • Be a fast follower • Build a technology ecosystem

    Info-Tech Insight

    When looking for a quick win, consider customer journey mapping exercises to find out what it takes to do the work today, for example, map the journey to apply for a building permit, renew a license, or register a patient.

    Measure the value of IoT

    There is a broad range of solutions for IoT all designed to collect information and execute actions in a way designed to increase profitability and/or improve services. McKinsey estimates value created through interoperability will account for 40% to 60% of the potential value of IoT applications.

    Revenue Generating
    • Production increases and efficiency
    • Reliability as data quality increases
    • New product development opportunities through better understanding of how your products are used
    • New product offerings with automated data collection and analysis of aggregated data
    Improved outcomes
    • Improved wellness programs for employees and patients through proactive health management
      • Reduction in health care/insurance costs
      • Reduction in time off for illness
    • Reduction in human error
    • Improved safety – fewer equipment malfunction incidents
    • Sustainability – reduction in emissions
    Increased access to data, especially if aggregating with other data sources, will increase opportunities for data analysis leading to more informed decision making.
    Cost Avoidance
    • Cost efficiency – lower energy consumption, less waste, improved product consumption
    • Reliability – reduced downtime of equipment due to condition-based maintenance
    • Security – decrease in malware attacks
    Operational Metrics
    • # supported devices
    • % of projects using IoT
    • % of managed systems
    • % of increase in equipment optimization

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 4 to 8 calls over the course of 2 to 4 months.

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3
    Call #1: Determine steering committee members and mandates.

    Call #2: Define process for meeting and assessing requests.

    Call #3: Define the intake process.

    Call #4: Define the role of the BRM & assessment criteria.

    Call #5: Define the process to secure funding.

    Call #6: Define assessment requirements for other IT groups.

    Call #7: Define proof of value process.

    Create and Implement an IoT Strategy

    Phase 1

    Define your governance process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create the steering committee project charter
    If a steering committee exists, it may be appropriate to define IoT governance under their mandate. If a committee doesn’t already exist or their mandate will not include IoT, consider creating a committee to set standards and processes and quickly evaluate solutions for feasibility and implementation.

    Create an IoT steering committee to ensure value will be realized and operational needs will be met

    The goals of the steering committee should be:

    • To align IoT initiatives with organizational goals. 
    • To effectively evaluate, approve, and prioritize IoT initiatives.
    • To approve IoT strategy & evaluation criteria.
    • To reinforce and define risk evaluation criteria as they relate to IoT technology.
    • To review pilot results and confirm the value achievement of approved IoT initiatives.
    • To ensure the investment in IoT technology can be integrated and managed using defined parameters.

    Assemble the right team to ensure the success of your IoT ecosystem

    Business stakeholders will provide clarity for their strategy and provide input into how they envision IoT solutions furthering those goals and how they may gain relevant insights from secondary data.

    As IoT solutions move beyond their primary goals, it will be critical to evaluate the continually increasing data to mitigate risks of unintended consequences as new data sets converge. The security team will need to evaluate solutions and enforce standards.

    CDO and analysts will assess opportunities for data convergence to create new insights into how your services are used.

    Lightbulb with the word 'Value' surrounded by categories relative to the adjacent paragraph, 'Data Scientists', 'Security and Privacy', 'Business Leaders', 'IT Executives', 'Operations', and 'Infrastructure & Enterprise Architects'. IT stakeholders will be driving these projects forward and ensuring all necessary resources are available and funded.

    Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

    Each solution added to the environment will need to be chosen and architected to meet primary functions and secondary data collection.

    Identify IoT steering committee participants to ensure broad assessment capabilities are available

    • The committee should include team members experienced enough to provide an effective assessment of IoT projects, and to provide input and oversight regarding business value, privacy, security, operational support, infrastructure, and architectural support.
    • A data specialist will be critical for evaluating opportunities to expand use of data and ensure data can be effectively validated and aggregated. Additional oversight will be needed to review aggregated data to protect against the unintended consequences of having data combined and creating personas that will identify individuals.
    • Additional experts may be invited to committee meetings as appropriate, and ideas should be discussed and clarified with the business unit bringing the ideas forward or that may be impacted by solutions.
    • Invite appropriate IT and business leaders to the initial meeting to gain agreement and form the governance model.

    Determine responsibilities of the committee to gain consensus and universal understanding

    Icon of binoculars. STRATEGIC
    ALIGNMENT
    • Define the IoT vision in alignment with the organizational strategy and mission.
    • Define strategy, policies and communication requirements for IoT projects.
    • Assess and bring forward proposals to utilize IoT to further organizational strategy.
    Icon of a person walking up an ascending bar graph. VALUE
    DELIVERY
    • Define criteria for evaluating and prioritizing proposals and projects.
    • Validate the IoT proposals to ensure value drivers are understood and achievable.
    • Identify opportunities to combine data sets for secondary analysis and insights.
    Icon of a lightbulb. RISK
    OPTIMIZATION
    • Evaluate data and combined data sets to avoid unintended consequences.
    • Ensure security standards are adhered to when integrating new solutions.
    • Reinforce privacy regulations, policy, and communications requirements.
    Icon of an arrow in a bullseye. RESOURCE
    OPTIMIZATION
    • Identify and validate investment and resource requirements.
    • Evaluate technical requirements and capabilities.
    • Align IoT management requirements to operations goals within IT.
    Icon of a handshake. PERFORMANCE
    MANAGEMENT
    • Assess validity of pilot project plan, including success criteria.
    • Identify corner cases to assess functionality and potential risks beyond core features.
    • Monitor progress, evaluate results, and ensure organizational needs will be met.
    • Evaluate pilot to determine if it will be moved into full production, reworked, or rejected.

    1.1 Exercise:
    Define the committee’s roles & responsibilities in the IoT steering committee charter

    1-3 hours

    Input: Current policies and assessment tools for security and privacy, Current IT strategy for introducing new solutions and setting standards

    Output: List of roles and responsibilities, High-level discussion points

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Identify and document core and auxiliary members of the committee, ensuring all important facets of the IoT environment can be assessed.
    2. Identify and document the committee chair.
    3. Gain consensus on responsibilities of the steering committee.

    Download the IoT Steering Committee Charter

    Define the vision statement for the IoT committee to clarify mandate and communicate to stakeholders

    The vision statement will define what you’re trying to achieve and how. You may have the statement already solidified, but if not, start with brainstorming several outcomes and narrow to less than 5 focus areas.

    A vision statement should be concise and should be in support of the overall IT strategy and organizational mission. The vision statement will be used as a high-level guide for defining and assessing proposed solutions and evaluating potential outcomes. It can be used as a limiter to quickly weed out ideas that don’t fit within the mandate, but it can also inspire new ideas.

    • Support innovation
    • Enable the business
    • Enable operations for continual value

    New York City has a broad plan for implementing IoT to meet several aspects of their overall strategy and subsequently their IT strategy. Their strategic plan includes several focus areas that will benefit from IoT:
    • A vibrant democracy
    • An inclusive economy
    • Thriving neighborhoods
    • Healthy lives
    • Equity and excellence in education
    • A livable climate
    • Efficient mobility
    • Modern infrastructure
    Their overall mission is: “OneNYC 2050 is a strategy to secure our city’s future against the challenges of today and tomorrow. With bold actions to confront our climate crisis, achieve equity, and strengthen our democracy, we are building a strong and fair city. Join us.”

    In order to accomplish this overall mission, they’ve created a specific IT vision statement: “Improve digital infrastructure to meet the needs of the 21st century.”

    This may seem broad, and it includes not just IoT, but also the need to upgrade infrastructure to be able to enable IoT as a tool to meet the needs to collect data, take action, and better understand how people move and live within the city. You can read more of their strategy at this
    link: http://onenyc.cityofnewyork.us/about/

    1.2 Exercise:
    Define the IoT steering committee’s vision statement and mandate

    1 hour

    Input: Organizational vision and IT strategy

    Output: Vision statement

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Starting with the organizational mission statement, brainstorm areas of focus with the steering committee and narrow down the statement.
    2. Make sure it’s broad enough to encompass your goals, but succinct enough to allow you to identify projects that don’t meet the vision.
    3. Test with a few existing ideas.
    4. Document in your steering committee charter.

    Download the IoT Steering Committee Charter

    Use the COPIS methodology to define your project review process

    COPIS is a customer-focused methodology used to focus on the areas around the process, ensuring a holistic view starting with who the customer is and what they need, then building out the process and defining what will be required to be successful and who will be involved in fulfilling the work.

    Customer

    • Executive leadership
    • Business leaders

    Outputs

    • Risk assessment
    • Approvals to proceed
    • Pilot plan
    • Assessment to approve for production or reject

    Process

    • Review proposals
    • Ask questions and discuss with proposer & committee
    • Review pilot & testing plan
    • Engage with IT Team to define requirements

    Inputs

    • Request form including:
    • New idea
    • Business value defined
    • Data collected
    • Initial risk assessment
    • Implementation plan
    • Definition of success

    Suppliers

    • IT operations team
    • Device and software vendors
    • IT leaders
    • Risk committee
    Agenda & process flow



    Determine where people will access request form Ending point
    Sequence of right-facing arrows labelled 'Agenda & process flow'. Text in each arrow from left to right reads 'Confirm attendees required are in attendance', 'Review open action items', 'Assess new items', 'Assess prioritization', 'Review metrics & pilots in progress', 'Decisions & recommendations'.

    Create a committee charter to ensure roles are clarified and mandates can be met

    The purpose of the committee is to quickly assess and protect organizational interests while furthering the needs of the business

    The committee needs to be seen as an enabler to the business, not as a gatekeeper, so it must be thorough but responsive.

    The charter should include:
    • The vision to ensure clarity of purpose.
    • IoT mandates to focus the committee on assessment criteria.
    • Roles, responsibilities, and assignments to engage the right people who will provide the kind of guidance needed to ensure success.
    • Procedures to make the best use of each committee member’s time.
    • Process flow to guide evaluations to avoid unnecessary delays while reducing organizational risks.
    Stock image of someone reading on a tablet.

    1.3 Exercise:
    Define procedures for reviewing proposals and projects

    2-3 hours

    Input: Schedules of committee members, Process documentation for evaluating new technology

    Output: Procedures for reviewing proposals, Reference documentation for evaluating proposals

    Materials: Whiteboard/flip charts, Steering committee workbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Discuss as a group how often you will meet for reviews and project updates. Which roles will have veto rights on project approvals?
    2. Define the intake process and requirements for scheduling based on average lead time to get the group together and preview documentation.
    3. Identify where process documentation already exists to use for evaluation of proposals and projects, and what needs to be created to quickly move from evaluation to action phases.
    4. Define basic rules of engagement.
    5. Define process flow using COPIS methodology as a framework. Note the different stages that may be part of the intake flow. Some business partners may bring solutions to IT, and others may just have an idea that needs to be solutioned.

    Download the IoT Steering Committee Charter

    Create and Implement an IoT Strategy

    Phase 2

    Define the intake and assessment process

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Define requirements for requesting new IoT solutions
    • Define procedures for review proposals and projects
    • Define service objectives and evaluation process for reviewing proposals and projects

    Determine what information is necessary to start the intake process

    To encourage your business leaders to engage IT in evaluating and appropriately supporting the solution, start with an intake process that is simple and easily populated with business information.
    • Review intake forms from the PMO or build your own from the IoT Solution Playbook:
    • Start by asking for a clear picture of the solution. Ensure the requester can clearly articulate the business benefit to the solution, including what issues are being resolved and what success looks like.
    • Requesters may not be expected to seek out all relevant information to make the decision.
      • Consider providing a business analyst (BA) to assist with data gathering for further assessment and to launch the review process.
      • Review may require additional steps if it is not clear the proposed solution will perform as expected and could include conversations with the vendor or a determination that a full requirements-gathering process may need to be done.
    • Typically, a BA will launch the review process to have appropriate experts assess the feasibility of the solution; assess regulatory, privacy, and security concerns; and determine the level of involvement needed by IT and the project managers.
    • Have options for different starting points. Some requesters may be further along in their research as they know exactly what they want, while others will be early in the idea stage. Don’t discourage innovation by creating more work than they’re able to execute.

    Business goals and benefits are important to ensure the completed solution meets the intended purpose and enables appropriate collection, analysis, and use of data in the larger business context.

    Ongoing operational support and service need to be considered to ensure ongoing value, and adherence to security and privacy policies is critical.

    2.1 Exercise:
    Define requirements for requesting new IoT solutions

    1 hour

    Input: Business requirements for requesting IT solutions

    Output: Request form for business users, Section 1 of the IoT Solution Playbook

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Determine requirements for initiating an assessment.
      1. Will a business case be necessary to start, or can the assessment feed into the business case?
      2. How can you best access the work already done by the requester to not start over?
      3. Determine the right questions to understand how they will define success to ensure this solution will do what they need.
      4. Do you need a breakdown of the way they do the job today?
      5. What level of authorization needs to be on the request to move forward?
    3. Try to balance the effort of the requester against their role. Don’t expect them to investigate solutions beyond the business value.
    4. Provide them with a means to provide you any information they have gathered, especially if they have already spoken to vendors.

    Download the IoT Solution Playbook

    Define what role the BA or BRM will play to support the request process

    Identify questions that will need to be answered in order to assess if the solution will be fit for purpose, to help build out business cases, and to enable the appropriate assessments and engagement with project managers and technical teams.
    • Project sponsorship is key to moving the project ahead. Ensure the project sponsor and business owner will be in alignment on the solution and business needs.
    • Note any information that will help to prioritize this project among all other requests. This will feed into implementation timing and the project management needs, resourcing, and vendor engagement required.
    • Determine if a proof of value would be an asset. A proof of value can be time consuming, but it can mitigate the risks of large-scale failures.
    • Ask about data collection and data type, which will be a major part of the assessment for the data team and for security, privacy, infrastructure, and operational assessments.
    • Determine if any actions will need to be taken, which might include data transfer, notifications and alerts, or others. This may require additional discussions on actuators, RPA, data stores, and integrations.
    • Determine if any automation will be part of the solution, as this will help to inform future discussions on power, connectivity, security, and privacy.

    Download the blueprint Embed Business Relationship Management in IT if you need help to support the business in a more strategic manner.

    Info-Tech Insight

    Understanding the business issue more deeply can help the business analyst determine if the solution needs a review of business process as well as helping to build out the requirements well enough to improve chances of success.

    The BA should be able to determine initial workload and involvement of project managers and evaluators.

    Clearly articulate the business benefits to secure funding and resources

    If the business users need to build a business case, the information being collected will help to define the value, estimate costs, and evaluate risk

    IoT point solutions can be straightforward to articulate the business benefits as they will have very specific benefits which will likely fit into one of these categories:
    • Financial – to increase profitability or reduce costs through predictive maintenance and efficiency.
    • Business Development – innovation for new products, services, and methodologies
    • Improve specific outcomes – typically these will be industry specific, such as improved patient health care, reduced traffic congestion or use of city resources, improved billing, or fire prevention for utility companies.

    As you start to look at the bigger picture of how these different systems can bring together disparate data sets, the benefits will be harder to define, and the costs to implement this next level of data analysis can be daunting and expensive.

    This doesn’t necessitate a complete alignment of data collection purposes; there may be benefits to improving operations in secondary areas such as updating HVAC systems to reduce energy costs in a hospital, though the updated systems may also include sensors to monitor air quality and further improve patient outcomes.

    In these cases, there may be future opportunities to use this data in unexpected ways, but even where there aren’t, applying the same standards for security, privacy, and operations should apply.

    Table titled 'Increasing productivity through efficiency and yield are the top benefits organizations expect to see from IoT implementations' with three columns, one for type of benefit (ie efficiency, yield, quality, etc), one for different IoT implementations and one for percent increase.
    (Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

    2.2 Exercise – BA/BRM: Define procedures for reviewing proposals and projects

    1 hour

    Input: Process documentation for evaluating new technology, Business case requirements

    Output: Interview questions and assessment criteria for BA/BRM

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive(s), Senior data specialist, Senior business executive(s)

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the business to determine whether the request will be fit for purpose.
    3. Additional questions may help to:
      1. Identify project sponsors to determine if requirements are defined or need to be, and who will champion this project through to implementation.
      2. Identify what additional work will be needed for you to shepherd the project through the various stage gates.
      3. Identify any prioritization criteria including business-specific milestones and outcomes.
    4. Document when a formal business case needs to be created.

    Download the IoT Solution Playbook

    Assess the vendor’s solution for accessibility to ensure data will be available and useable

    Data governance, including stewardship and ownership; lineage; and the ability to scale, deduplicate, normalize, validate, and aggregate disparate data will be critical to being able to analyze data to execute on strategic goals.

    If your organization isn’t poised to manage and make the best use of the data, see Info-Tech’s related blueprints:

    Relevant Research: Diagnostic:
    Data ownership is important to establish early on, as the owner(s) will be accountable for how data is used and accessed. Data needs to be owned by the organization (not the vendor) and needs to be accessible for:
    • Regulatory compliance.
    • Data quality and validation.
    • Data normalization.
    • Data aggregation and analysis.
    Vendor assessments need to investigate how data will be accessed, where data is normalized and how data will be validated.
    Data validation will have different levels of importance depending on the use case. Where data validation is critical, there may be a need to double up sensors in key areas, validate against adjacent sensors, better understand how and where data will be collected.
    • Infrared sensors may include intelligence to count people or objects.
    • Cameras might require manual counts but may provide better images.
    • Good quality images may require technology to distort faces for privacy.
    If data validation will include non-sensor data, such as validation against a security access database or visitor log, access to the data for validation may be required in near real time.

    Determine how often you need to access and download data

    Requirements will vary depending on whether sensors are collecting data for later analysis or if they are actuators that need to process data at the source.

    Determine where the data will reside and how it will be structured. If it will be open and controlled within your own environment, confer with your data team to ensure the solution is integrated into your data systems. If, however, the solution is a point solution which will be hosted by the vendor, understand who will be normalizing the data and how frequently you can export or transfer it into your own data repository. If APIs will need to be installed to enable data transfer, work with the vendor to test them.

    Self-contained or closed solutions may be quick to install and configure and may require minimal technical support from within your own IT team, but they will not provide visibility to the inner workings of the solution. This may create issues around integration and interoperability which could limit the functionality and usability beyond the point solution.

    If the solution chosen is a closed system, determine how you will need to interact with the vendor to gain access to the data. Interoperability may not be an option, so work with the vendor to set up a regular cadence for accessing the data.

    Questions for the vendor could include:

    1. How often can we access the data? Will the vendor push it on a regular basis? Is it on demand?
    2. Or will we need to pull the data? Is there an API?
    3. Will the data be normalized?
    4. Will the data be transferred, or will the vendor keep a historical record?
    5. Are there additional fees for archiving or for data extraction?
    Stock image of a large key inserted into the screen of a laptop.

    Identify whether digital twins are needed

    Create a virtual world to safely test and fail without impacting the real-world applications.

    As actuators are processing information and executing actions, there may be a benefit to assess the effectiveness and impact of various scenarios in a safe environment. Digital twins enable the creation of a virtual world to test these new use cases using real world scenarios.

    These virtual replicas will not be necessary for every IoT application as many solutions will be very straightforward in their application. But for those complex systems, such as smart buildings, smart cities and mechanically complex projects, digital twins can be created to run multiple simulations to aid in business continuity planning, performance assessments, R&D and more.

    Due to the expense and complexity of creating a full digital twin, carefully weighing the benefits, and identifying how it will be used, can help to build the business case to invest in the technology. Without the skills in house, reliance on a vendor to create the model and test scenarios will likely be part of the overall solution.

    The assessment will also include understanding what data will be transferred into the model, how often it will be updated, how it will be protected and who will need to be involved in the modeling process.

    Download the blueprint: Double Your Organization’s Effectiveness With a Digital Twin. if you need more information on how to leverage digital twin technology.

    Stock image of a twin mirroring the original person's action.

    To fully realize value in IoT, think beyond single use case solutions to leverage the data collected

    Expertise in data analysis will be key to moving forward with an enterprise approach to IoT and the data it produces.
    • A single IoT solution can add hundreds of sensors, collecting a wide variety of data for specific purposes. If multiple solutions are in place, there may be divergent data sets that may never be seen by anyone other than their specific data stewards.
    • Many organizations have started out with one or two solutions that support their primary business and may include some more mature offerings such as HVAC systems, which have used sensors for years. However, not all data is used today. In many cases, data is used for anomaly detection to improve operations, and only the non-standard information is used for alerting. McKinsey estimates less than 1% of data is used in these applications, with the remaining data stored or deleted, rather than used for optimization and predictive analysis.
    • Thinking beyond the initial use cases, there may be opportunities to create new services, improve services for existing products, or improve insights through analysis of juxtaposed data.
    • McKinsey reports up to $11.1 trillion a year in economic value may be possible by 2025 through the linking of the physical and digital worlds. Personal devices and all industries are potential growth areas – though factories and anywhere that could use predictive maintenance, cities, retail, and transportation will see the largest probable increases. Interoperability was identified as being required to maximize value, accounting for 40% to 60% of the potential value of IT applications.
    • Where data is used to correct and control anomalies, very little data is retained and used for optimization or predictive analysis. By taking a deliberate approach to normalize, correlate, and analyze data, organizations can gain insight into the way their products are used, benefit from predictive maintenance, improve health care, reduce costs, and more.
    (Source: McKinsey, 2015)

    By 2025 an estimated data volume of 79.4 zettabytes will be attributed to connected IoT devices. (Statistia)

    Build data governance and analysis into your strategy to find new insights from correlating new and existing data

    As a point solution, IoT provides a means to collect large amounts of data quickly and act. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated. As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis and may lead to unintended consequences.
    • Some industries, such as governments looking to build smart cities, will have a very broad range of opportunities for IoT devices, as well as high levels of difficulty managing very disparate systems; other industries, such as healthcare, will have very focused prospects for data collection and analysis.
    • In any case, the introduction of new IoT solutions can create very large amounts of data quickly, and if used only for a single purpose, there may be lost opportunity for expanding use of data to better understand your product, customers, or environment.
    • Don’t limit analysis to only IoT-collected data, as this can be consolidated with other sources for validation, enhancement, and insights. For example, fleet transponders can be connected to travel logs and dispatch records for validation and evaluation of fuel and resource consumption.
    • Determine the best time and methods for consolidation and normalization; consider using data consolidation vendors if the expertise is not available in-house.
    • As data combines, there may be unintended consequences of unique anonymous identifiers combining to identify employees or customers, and the potential for privacy breeches will need to be evaluated as all new systems come on-line.

    “We find very little IoT data in real life flows through analytics solutions, regardless of customer size. Even in the large organizations, they tend to build at-purpose applications, rather than creating those analytical scenarios or think of consolidating the IoT data in a data lake like environment.” (Rajesh Parab, Info-Tech Research Group)

    2.3 Exercise – data specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for data specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure data governance and accessibility needs will be met.
    3. Additional questions may help to:
      1. Identify data owners or stewards to determine who will have authority over data and ensure their needs will be met.
      2. Identify what additional work will be needed for the data team to access, validate, normalize, and centralize data.
      3. Identify any concerns that will identify the solution as unviable.
      4. Identify any risks to data accessibility which will require mitigation.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Security assessments will need to include risk reviews specific to IoT

    The increase of data collectors and actuators creates a large attack surface that could easily provide an entry point for hackers to connect into an organization’s network. Assess existing protocols and risk registry to ensure all IoT systems are reviewed for security threats.

    The significant increase in devices and applications will require a review of security practices related to IoT to understand and mitigate risks. Even if the data collected is not considered integral to the business, such as with automated HVAC systems or an aquarium monitoring system, the devices can provide an entry point to access the network.

    IoT and ICS devices are functionally diverse and may include more mature solutions that have been acquired many times over. There are a wide variety of protocols that may not be recognized by vulnerability scanners as safe to operate in your environment. Many of these solutions will be agentless and may not be picked up by scanners on the network. Without knowing these devices exist or understanding the data traffic patterns, protecting the devices, data, and systems they’re attached to becomes challenging.

    Discovery and vulnerability scanners tuned specifically for IoT to look for and allow unusual protocols and traffic patterns will enable these devices to operate as designed without being shut down by vulnerability scanners protecting more traditional devices and traffic on an IT network. Orphaned devices can be found and removed. Solutions that will provide detailed asset inventories and network topologies will improve vulnerability detection.

    Systems that are air gapped or completely segregated may provide a layer of protection between IoT devices and the corporate network, but this may create additional difficulties in vulnerability assessment, identifying and responding to active threats, or managing the operational side. Additionally, if there are still functional connections between these systems for traffic to flow back to central repositories, operational systems, or remote connections, there are still potential threats.

    If security controls are not yet documented, see Info-Tech’s related blueprints:

    Relevant Research: Diagnostic:

    Align risk assessments to your existing risk registry, to quickly approve low-risk solutions and mitigate high risk

    Work with the business owner to understand how these systems are designed to work. Tracking normal patterns of behavior and traffic flow may be key to fine-tuning security settings to accommodate these solutions and prevent false positive shutdowns, especially if using automated remediation. Is the business owner identified, and will they be accessible throughout the lifecycle of the solution?

    Physical security: Will these systems be accessible to the public, and can they be secured in a way to minimize theft and vandalism? Will they require additional housing or waterproofing? Could access be completely secured? For example, could anyone access and install malware on a disconnected camera’s SD card?

    Security settings: For ease of service and installation, a vendor may use default security settings and passwords. This can create easy access for hackers to access the network and access sensitive data. Is there a possibility of IP theft though access by sensors? Determine who will have remote access to the system, and if the vendor will be supporting the system, will they be using least privilege or zero trust models? Determine their adherence to your security policy.

    Internet and network access and monitoring: Review connectivity and data transmission requirements and whether these can be accommodated in a way that balances security with operational needs. Will there be a need for air gapping, firewalls, or secure tunnelling, and will these solutions allow for discovery and monitoring? Can the vendor guarantee there are no back doors built into the code? Will the system be monitored for unauthorized access and activity, and what is the response process? Can it be integrated into your security operations center?

    Failover state: IoT devices with actuators or that may impact health and safety will need to be examined. Can you ensure actions in event of a failure will not be negatively impactful? For example, a door that locks on failover and cannot be opened from the inside will create safety risks; however, a door that opens on failover could result in theft of property or IP. Who controls and can access these settings?

    Firmware updates: Assess the history of updates released by the vendor and determine how these updates are sent to the devices and validated. Ensure the product has been developed using trusted platforms with security lifecycle models. Many devices will have embedded security solutions. Ensure these can be integrated into organizational security solutions and risk mitigation strategies.

    Enterprise IoT strategy will require a focus on privacy and risk

    Data aggregation creates new privacy concerns as data may be used outside of the original project parameters. The change of scope will need to be evaluated to determine personally identifiable information and what new issues it can create for the program, organization, and your audience.

    As a point solution, IoT provides a means to collect large amounts of data and, if actuators are completing tasks, act quickly. When determining the use case for IoT and best fit solutions, it’s important to think about what data needs to be collected and what actions will need to be coordinated.

    As the need for more than just a few IoT solutions surfaces, the complexity and potential usefulness of data increases. This can lead to significant changes to the scope of data collection, storage, and analysis, and may lead to unintended consequences.

    Questions to ask your vendors:
    1. Where may there be physical access to sensors and a possibility of theft, and can the data be encrypted?
    2. What type of information is captured by sensors and stored in the solution?
    3. Where is personally identifiable information captured, and where is it stored? How will you meet regulatory requirements such as GDPR? Where does the data fit within existing retention policies, and how long should it be kept?
    4. Will there be a need to post signage or update privacy statements in response to the information being collected?

    If data classification, privacy, and security controls are not yet documented, see Info-Tech’s related blueprints:

    Relevant Research:

    Don’t make assumptions about the type of data gathered with devices – ask the vendor to clearly state how and what is collected

    Carefully review how this information can be used by machine learning, in combination with other solutions, and if there is a possibility of unintended consequences that will create issues for your customers and therefore your own data sets.

    Look for ways of capturing information that will meet your business requirements while mitigating risk of capturing personally identifiable information. Examples would be LiDAR to capture movement instead of video, or AI to blur faces or license plate numbers at time of image capture.

    This chart identifies data collected by smartphone accelerometers which could be used to identify and profile an individual and understand their behaviors.

    Mobile device accelerometer data

    Table of Mobile device accelerometer data with columns 'Detection of sound vibrations', 'Body movements', and 'Motion trajectory of the device', and a key for color-coding labelling purple items as 'Health', yellow items as 'Personality traits, moods & emotions', and green items 'Identification'.
    Overview of sensitive inferences that can be drawn from accelerometer data. (Source: Association for Computing Machinery, 2019.)

    2.4 Exercise – Privacy & Security specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Privacy & Security specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solution to ensure security and privacy needs will be met.
    3. Additional questions may help to:
      1. Identify biggest risks created by a large influx of sensors and additional vendors.
      2. Identify options for mitigating risks for privacy and regulatory requirements.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    Review infrastructure requirements to proactively engage with vendors

    A modernized architecture will provide needed flexibility for onboarding new IoT solutions as well as providing the structure to collect, transport, and house data; however, not everything will be on the network. Knowing requirements for integrations, communications, and support will eliminate surprises during implementation.

    The supporting applications will be collecting and analyzing data for each of these solutions, with most being hosted on public clouds or privately by the vendor. Access to the applications for data collection may require APIs or other middleware to transfer data outside of their application. Data transfer may be unimportant if the data collected will stand alone and never be integrated to other systems, but it will be critical if IoT plans include retrieving, aggregating, and analyzing data from most systems. If these systems are closed, determine the process to get this information, whether it’s through scheduled exports or batch transfers.

    Determine if data will be backed up by the vendor or if backups are the responsibility of your team. Work with the business owner to better understand business continuity requirements to plan appropriately for data transmission, storage, and archiving.

    Network and communications will vary dramatically depending on where sensors and actuators are located. On-premises solutions may rely on Wi-Fi on your network or may require an air-gapped or segregated network. External sensors may rely on public Wi-Fi, cellular, or satellite, and this may impact reliability and serviceability. If manual data collection is required, such as collecting SD cards on trail cams, who will be responsible, and will they have the tools and data repository they need to upload data manually? Are you able to work with the vendor to estimate traffic on these networks, and how will that impact costs for cellular or satellite service?

    Investigate power requirements. On-premises solutions may require additional wiring, but if using wind or solar, what is the backup? If using batteries, what is the expected lifespan? Who will be monitoring, and who will be changing the batteries?

    Determine monitoring requirements. Who should be responsible for performance monitoring, outages, data transmission, and validation? Is this a vendor premium service or a process to manage in-house? If managed by the vendor, discuss required SLAs and their ability to meet them.

    If your organization is dealing with technical debt and older architecture which could prevent progress, see Info-Tech’s related blueprints to build out the foundation.

    Relevant Research:

    Determine operational readiness to support and secure IoT solutions

    Availability and capacity planning, business continuity planning, and management of all operational and support requirements will need to be put in place. Execution of controls, maintenance plans, and operational support will be required to mitigate risks and reduce value of the solutions.

    One of the biggest challenges organizations that have already adopted IoT face is management of these systems. Without an accurate inventory, it’s impossible to know how secure the IoT systems are. Abandoned sensors, stolen cameras, and old and unpatched firmware all contribute to security risks.

    Existing asset management solutions may provide the right solution, but they are limited in many cases by the discovery tools in place. Many discovery tools are designed to scan the network and may not have access to segregated or air-gapped networks or a means to access anything in the cloud or requiring remote access. Evaluate the effectiveness of current tools, and if they prove to be inadequate, look for solutions that are geared specifically to IoT as they may provide additional useful management capabilities.

    IoT management tools will provide more than just inventory. They can discover IoT devices in a variety of environments, possibly adding micro-agents to access device attributes such as name, type, and date of build, and allowing metadata and tags to be added. Additionally, these solutions will provide the means to deploy firmware updates, change configuration settings, send notifications if devices are taken offline, and run vulnerability assessments. Some may even have diagnostics tools for troubleshooting and remediation.

    If operational processes aren’t in place, see Info-Tech’s related blueprints to build out the foundation.

    Relevant Research: Diagnostic:

    Identify what needs to happen to onboard these solutions into your support portfolio

    Evaluate support options to determine the best way to support the business. Even if support is completely outsourced, a support plan will be critical for holding vendors to account, bringing support in-house if support doesn’t meet your needs, and understanding dependencies while navigating through incidents and problem- and change-enablement processes.

    Regular maintenance for your team may include battery swaps, troubleshooting camera outages or intermittent sensors, or deploying patches. Understand the support requirements for the product lifecycle and who will be responsible for that work. If the vendor will be applying patches and upgrading firmware, get clarity on how often and how they’ll be deployed and validated. Ask the vendor about support documentation and offerings.

    Determine the best ways of collecting inventory on the solution. Determine what the solution offers to help with this process; however, if the project plan requires specific location details to add sensors, the project list may be the best way to initially onboard the sensors into inventory.

    Determine if warranty offerings are an appropriate solution for devices in each project, to schedule and record appropriate maintenance details and plan replacements as sensors reach end of life. Document dependencies for future planning.

    Stock image of an electrical worker fixing a security camera.

    2.5 Exercise – Infrastructure & Operations specialists: Define criteria for assessing proposals and projects

    1-2 hours

    Input: Process documentation for evaluating new technology, Data governance documents

    Output: Interview questions and assessment criteria for Infrastructure & Operations specialists

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
    2. Identify the questions that will need to be asked of the solutions to ensure the solutions can be integrated into the existing environment and operational processes.
    3. Additional questions may help to:
      1. Reduce risks and project failures from solutions that will be difficult to integrate or secure.
      2. Improve project planning for projects that are often driven by the vendor and the business.
      3. Reduce operational risks due to lack of integration with asset and operational processes.

    This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

    Download the IoT Solution Playbook

    2.6 Exercise: Define service objectives and evaluation process

    1 hour

    Input: List of criteria in the playbook, Understanding of resource availability of solution evaluators

    Output: Steering committee criteria for progressing projects through the process

    Materials: Whiteboard/flip charts, IoT Steering Committee Charter workbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    Now that you’ve defined the initial review requirements, meet as a group once more to finalize the process for reviewing requests. Look for ways to speed the process, including asynchronous communications and reviews. Consider meeting as a group for any solutions that may be deemed high risk or highly complex.

    1. Agree on what can be identified as a reasonable SLA to respond to the business on these requests.
    2. Agree on methods of communication between committee members and the business.
    3. Determine the criteria for determining when a proof of value should be initiated, and who will lead the process.

    Download the IoT Steering Committee Charter

    Create and Implement an IoT Strategy

    Phase 3

    Prepare for a Proof of Value

    Steering Committee

    1.1 Define the committee’s roles and responsibilities in the IoT Steering Committee Charter

    1.2 Define the IoT steering committee’s vision statement and mandates

    1.3 Define procedures for reviewing proposals and roles and responsibilities

    Intake Process

    2.1 Define requirements for requesting new IoT solutions

    2.2 Define procedures for reviewing proposals and projects – BA/BRM

    2.3 Define procedures for reviewing proposals and projects – Data specialists

    2.4 Define procedures for reviewing proposals and projects – Privacy & Security

    2.5 Define procedures for reviewing proposals and projects – Infrastructure & Operations

    2.6 Define service objectives and evaluation process

    Proof of Value

    3.1 Determine the criteria for running a proof of value

    3.2 Define the template and process for running a proof of value

    This phase will provide the following activities

    • Create proof of value criteria
    • Create proof of value template

    A proof of value can quickly help you prove value or fail fast

    Investing a small amount of time and money up front will validate the possibility of your proposed solution.

    A proof of value will require a vision and definition of your criteria for success, which will be necessary to determine if the project should go ahead. It should take no longer than three months and may be as short as a week.

    When should you run a proof of value?

    • When it is difficult to confirm that the solution is fit for purpose.
    • When the value of the solution is indeterminate.
    • When the solution is early in its lifecycle and not widely proven in the marketplace.
    • When scalability is questionable or unproven.
    • When the solution requires customization or configuration.

    Info-Tech Insight
    Where a solution is well known in the market, requires minimal customization, and is proven to be fit for purpose, a shorter evaluation or conversations with reference clients or partners may be all that is necessary.

    Table titled 'Reasons IoT proof of value projects fail'. There is a column for type of project (ie Scaling, Business, etc), one for reasons, and one for percentages.
    (Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

    3.1 Exercise: Define the criteria for running a proof of value

    1 hour

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions.

    Output: Proof of value template for use as appropriate to evaluate IoT solutions.

    Materials: IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the circumstances for when to run a proof of value.
    2. Determine who will help to build the proof of value plan.
    3. Determine requirements for participation in the proof of value process. Consider project size, complexity and risk and visibility.

    Download IoT Solution Playbook

    Design your proof of value to test the viability of the solution

    Engage the right stakeholders early to gather feedback and analysis and determine suitability

    Determine the proof of value methodology to ensure plan allows for fast testing
    • Go back to the original request: What are the goals for implementing this solution? Has this been clearly defined with criteria for success?
    • Define the technical team that will configure the solution, including vendors and technicians. Ensure the vendor fully understands your use cases and goals. Identify the level of support you’ll need to be implement and assess the solution.
    • Define the testing team, including technical and business users. Complete a journey map if needed to define the use case(s) at the right level of detail.
    • Ensure the test use case(s) have been defined and they all agree on the definition of success.
    • Make sure the team is available to do the testing and provide feedback, as high adoption will improve feedback which will be critical to successfully implementing the full solution.
    • Determine how to evaluate scalability with process, resources, and capacity.
    • Evaluate the risks and obstacles to reject the solution or mitigate and prevent scope creep.
    • Evaluate the vendor’s roadmap, training materials, and technical support options.

    Info-Tech Insight

    Additional information on building out a process for testing new technology can be found in the blueprint: Exploit Disruptive Infrastructure Technology.

    “Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.” (University Alliance, Villanova University)

    Define your objectives for the proof of value

    Referencing documents submitted to the committee, continue to refine the problem statement.

    Objectives are a key first step to show the solution will meet your needs.
    • Every technology is designed to solve a problem faced by somebody somewhere. For each technology that your team has decided to move forward with, identify and clearly state the problem it would solve.
    • A clear problem statement is a crucial part of a new technology’s business case. It is impossible to earn buy-in from the rest of the organization without demonstrating the necessity of a solution.
    • Perfection is impossible to achieve, especially during a proof of value (POV). However, knowing the pain points of the way things are done without this technology, and noting a reduction in pain and increase in efficiency and accuracy of data gathering will help in the initial feedback of the tests. Ensure the proof of value includes data validation to test accuracy.

    Info-Tech Insight

    Know your metrics going into the proof of value. Document performance, quality, and time to do the work and compare to metrics in the proof of value. Agree on what success looks like, to ensure that improvements are substantial enough to justify the expense and effort of implementing the solution.

    Questions to consider:
    • What are the project’s goals?
    • What is the desired future state?
    • What problems must be solved to call the POV a viable solution?
    • Where will the project be rolled out? Are there any concerns about communications and power that may need to be addressed?
    • Are there any risks to watch for?

    Info-Tech Insight

    Be sure to avoid scope creep! Remember: the goal of the proof of value project is to produce a minimum case for viability in a carefully defined area. Reserve a detailed accounting of costs and benefits for after the proof of value stage.

    Define use cases to test against current methods

    Outline the solution to the problem

    Determine how the solution should perform in completing tasks. Be careful not to focus too heavily on how things are done today: You’re looking for dramatic improvements, not going back to existing workarounds.
    • The use case will help to define the scope of the project, define adjacent use cases or tasks that will be out of scope, and to contain the test to a reasonable effort and time frame, while still testing core functionality.
    • Map processes based on expectations of how the solution should work, and compare these to the way things are done today. Identify if there are obvious improvements to the existing processes that if done, would change the existing results significantly. Take this into account when reviewing results. (This will also be useful if the project isn’t approved or is delayed.)
    • Identify where tasks and data collection will be automated and where they will need to stay manual or require additional integrations or solutions such as RPA. These other solutions may not factor into the proof of value but will need to be identified on the solution roadmap if it goes ahead.

    Blocks with arrows in between them, like an example of a step progression.

    Define steps to reach these goals today:
    • Discuss steps to completion
    • Effort to collect data
    • Effort to validate and correct data
    • Effort and ability to use the data for decision making, understanding your customers, and process improvements
    • Quality of data available with current methods compared to quality and volume of data using an IoT solution

    Determine the appropriate project team

    Bring in team members from the business and technical sides to test for those functions that matter most to each team. This effort will enable them to quickly identify risks and mitigate them as part of the product rollout or start the process to look at alternative solutions.
    • Stakeholders: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it. Identify team members who will be willing and able to test the systems for data quality, collection, and workflow improvements.
    • Data analysts: Include someone who can validate the usefulness of data to meet the needs of the organization.
    • Security & Privacy: Include these team members to validate their expectations of how privacy and security needs can be met.
    • Infrastructure & Operations: These team members can test integrations, data collections, traffic flow, etc.
    • Vendor: Discuss what part the vendor can play in setting up the solution for running the proof of value.
    • Other business units: Identify business units that could benefit or be impacted by this solution. Invite them to participate in the roof of value, but remember to contain scope.
    Leverage the insights of the diverse working group
    • Processes are designed to transform inputs into outputs. All business activities can be mapped into processes.
    • A process map illustrates the sequence of actions and decisions that transform an input into an output.
    • Effective mapping gives managers an “aerial” view of the company’s processes, making it easier to identify inefficiencies, reduce waste, and ultimately streamline operations.
    • To identify business processes, have group members familiar with the affected business units identify how jobs are typically accomplished within those units.
    • Ensure they have the time to test the solution and provide valid feedback.

    Estimate the resources required for the pilot

    Time, money, technology, resources

    The benefit of running a proof of value is to make a decision on viability of a solution without the expense of implementing a full solution. This isn’t necessary for low-risk, highly proven solutions, which could be validated with references instead.

    Estimate

    Estimate the number of hours needed to implement the proof of value.

    Estimate

    Estimate the hours needed for business users to test.

    Estimate

    Estimate the costs of technology. If the solution can be run in a vendor sandbox or in a test/dev instance in the cloud, you may be able to keep these costs very low.

    Determine

    Determine the appropriate number of devices to test in multiple locations and environments; work with the vendor to see if they have evaluation devices or discounts for proof of value purposes.

    Conduct a post-proof of value review to finalize the decision to move forward

    Gather evaluators together to ensure the pilot team completed their assessments. A common failure of pilots is making assumptions around the level of participation that has taken place.
    • The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of value (purchasing the hardware, negotiating the SLA with the vendor) is beyond the committee’s responsibilities.
    • If the proof of value goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
    • Use the Proof of Value Template section of the IoT Solution Playbook to document POV requirements as well as finalizing the feedback loop.
    • Determine ratings for the proof of value to identify which solutions are not viable and which levels of viability are worth moving forward. Some viable solutions may need a different vendor, and some may need customization or multiple integrations. This is important for the project team to move ahead with the implementation.
    • Encourage everyone to provide enough feedback on the various processes to be confident in their declarations of worthiness and to confirm the proof of value was thorough.
    • Communicate your working group’s findings and success to a wide audience to gain interest in IoT solutions as well as to encourage the business to work with the committee to integrate solutions into the governance and operational structure.

    3.2 Exercise: Create a template for designing a proof of value

    1-3 hours

    Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions

    Output: Proof of value template for use as appropriate to evaluate IoT solutions

    Materials: Whiteboard/flip charts, IoT Solution Playbook

    Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

    1. As a group, review the Proof of Value Template section of the IoT Solution Playbook to determine if it will meet the needs of your business and technical groups.
    2. Determine who will work with the business to create the proof of value plan.
    3. Modify the template to suit your needs, keeping in mind a need for clarity of purpose, communications throughout the POV, and clearly stated goals and definitions of success.
    4. Set a target timeframe to run the POV, preferably no longer than 90 days.
    5. Determine appropriate steps to take for POVs that do not garner the expected participation to qualify a solution to move forward.
    6. Determine appropriate reporting for the evaluation process.

    Download IoT Solution Playbook

    Communications

    As with any new product, marketing and communications will be an important first step in letting the business know how to engage IT in its assessments of IoT innovations. As these solutions prove themselves, or even as you help the business to find better solutions, share your successes with the rest of the organization.

    Business units are already being courted by the vendors, so it’s up to IT to insert themselves in the process in a way that helps improve the success of the business team while still meeting IT’s objectives.

    Your customers will not willingly engage in highly bureaucratic processes and need to see a reason to engage.

    1. Keep the intake process simple.
    2. Provide support to answer the tough questions.
    3. Be clear on the benefits to the organization and the business unit by engaging with your group, and be clear about how you will help within a reasonable time frame.
      • IT will help navigate the vendor prerequisites, contracts, and product setup.
      • IT will assume some of the responsibility for the solution, especially around security and privacy.
      • The business unit will reap the rewards of the solution with minimal operational effort.

    Info-Tech Insight

    Consider building your playbook into your service catalog to make it easy for business users to start the request process. From there, you can create workflows and notifications, track progress, set and meet SLAs, and enable efficient asynchronous communications.

    Research Contributors and Experts

    Photo of John Burwash, Senior Director, Executive Services, Info-Tech Research Group.

    John Burwash
    Senior Director, Executive Services
    Info-Tech Research Group

    INFO~TECH RESEARCH GROUP

    Info-Tech Research Group is an IT research and advisory firm with over 23 years of experience helping enterprises around the world with managing and improving core IT processes. They write highly relevant and unbiased research to help leaders make strategic, timely, and well-informed decisions.

    External contributors
    4 external contributors have asked to remain anonymous.

    Photo of Jennifer Jones, Senior Research Advisor, Industry, Info-Tech Research Group.

    Jennifer Jones
    Senior Research Advisor, Industry
    Info-Tech Research Group

    Photo of Aaron Shum, Vice President, Security, Privacy & Risk, Info-Tech Research Group.

    Aaron Shum
    Vice President, Security, Privacy & Risk
    Info-Tech Research Group

    Photo of Rajesh Parab, Research Director, Applications, Data & Analytics, Info-Tech Research Group.

    Rajesh Parab
    Research Director, Applications, Data & Analytics
    Info-Tech Research Group

    Photo of Frank Sargent, Senior Director Practice Lead, Security, Privacy & Risk, Info-Tech Research Group.

    Frank Sargent
    Senior Director Practice Lead, Security, Privacy & Risk
    Info-Tech Research Group

    Photo of Scott Young, Principal Research Advisor, Infrastructure, Info-Tech Research Group.

    Scott Young
    Principal Research Advisor, Infrastructure
    Info-Tech Research Group

    Photo of Rocco Rao, Director, Research Advisor, Industry, Info-Tech Research Group.

    Rocco Rao
    Director, Research Advisor, Industry
    Info-Tech Research Group

    Bibliography

    Ayyaswamy, Regu, et al. “IoT Is Enabling Enterprise Strategies for New Beginnings.” Tata Consulting Services, 2020. Web.

    “Data Volume of Internet of Things (IoT) Connections Worldwide in 2019 and 2025.” Statistia, 2020.

    Dos Santos, Daniel, et al. “Cybersecurity in Building Automation Systems (BAS).” Forescout, 2020. Web.

    Earle, Nick. “Overcoming the Barriers to Global IoT Connectivity: How Regional Operators Can Reap Rewards From IoT.” IoTNow, 30 June 2021. Web.

    Faludi, Rob. “How Do IoT Devices Communicate?” Digi, 26 Mar. 2021. Web.

    Halper, Fern, and Philip Russom. “TDWI IoT Data Readiness Guide, Interpreting Your Assessment Score.” Cloudera, 2018. Web.

    Horwitz, Lauren. “IoT Enterprise Deployments Continue Apace, Despite COVID-19.” IoT World Today, 22 Apr. 2021.

    “How Does IoT Data Collection Work?” Digiteum, 13 Feb. 2020. Web.

    “IoT Data: How to Collect, Process, and Analyze Them.” Spiceworks, 26 Mar. 2019. Web.

    IoT Signals Report: Edition 2, Hypothesis Group for Microsoft, Oct. 2020. Web.

    King, Stacey. “4 Key Considerations for Consistent IoT Manageability and Security.” Forescout, 22 Aug. 2019. Web.

    Krämer, Jurgen. “Why IoT Projects Fail and How to Beat the Odds.” Software AG, 2020. Web.

    Kröger, Jacob Leon, et al. “Privacy Implications of Accelerometer Data: A Review of Possible Inferences” ICCSP, Jan. 2019, pp. 81-7. Web.

    Manyika, James, et al. “Unlocking the Potential of the Internet of Things.” McKinsey Global Institute, 1 June 2015. Web.

    Ricco, Emily. “How To Run a Successful Proof of Concept – Lessons From Hubspot.” Filtered. Web.

    Rodela, Jimmy. “The Blueprint, Your Complete Guide to Proof of Concept.” Motley Fool, 2 Jan 2021. Web.

    Sánchez, Julia, et al. “An Integral Pedagogical Strategy for Teaching and Learning IoT Cybersecurity.” Sensors, vol. 20, no. 14, July 2020, p. 3970.

    The IoT Generation of Vulnerabilities. SC Media, 2020. E-book.

    Woods, James P., Jr. “How Consumer IoT Devices Can Break Your Security.” HPE, 2 Nov. 2021.

    IBM i Migration Considerations

    • Buy Link or Shortcode: {j2store}109|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    IBM i remains a vital platform and now many CIOs, CTOs, and IT leaders are faced with the same IBM i challenges regardless of industry focus: how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Our Advice

    Critical Insight

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more pro-active in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Impact and Result

    The most common tactic is for the organization to better understand their IBM i options and adopt some level of outsourcing for the non-commodity platform retaining the application support/development in-house. To make the evident, obvious; the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed and public cloud services.

    IBM i Migration Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. IBM i Migration Considerations – A brief deck that outlines key migration options for the IBM i platforms.

    This project will help you evaluate the future viability of this platform; assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of this platform for your organization.

    • IBM i Migration Considerations Storyboard

    2. Infrastructure Outsourcing IBM i Scoring Tool – A tool to collect vendor responses and score each vendor.

    Use this scoring sheet to help you define and evaluate IBM i vendor responses.

    • Infrastructure Outsourcing IBM i Scoring Tool
    [infographic]

    Further reading

    IBM i Migration Considerations

    Don’t be overwhelmed by IBM i migration options.

    Executive Summary

    Your Challenge

    IBM i remains a vital platform and now many CIO, CTO, and IT leaders are faced with the same IBM i challenges regardless of industry focus; how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Common Obstacles

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more proactive in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Info-Tech Approach

    The most common tactic is for the organization to better understand its IBM i options and adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed hosting, and public cloud services.

    Info-Tech Insight

    “For over twenty years, IBM was ‘king,’ dominating the large computer market. By the 1980s, the world had woken up to the fact that the IBM mainframe was expensive and difficult, taking a long time and a lot of work to get anything done. Eager for a new solution, tech professionals turned to the brave new concept of distributed systems for a more efficient alternative. On June 21, 1988, IBM announced the launch of the AS/400, their answer to distributed computing.” (Dale Perkins)

    Review

    We help IT leaders make the most of their IBM i environment.

    Problem Statement:

    The IBM i remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

    This research is designed for:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform
    • Organizations evaluating platforms for mission-critical applications

    This research will help you:

    1. Evaluate the future viability of this platform.
    2. Assess the fit, purpose, and price.
    3. Develop strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    The “fit for purpose” plot

    Thought Model

    We will investigate the aspect of different IBM i scenarios as they impact business, what that means, and how that can guide the questions that you are asking as you move to an aligned IBM i IT strategy. Our model considers:

    • Importance to Business Outcomes
      • Important to strategic objectives
      • Provides competitive advantage
      • Non-commodity IT service or process
      • Specialized in-house knowledge required
    • Vendor’s Performance Advantage
      • Talent or access to skills
      • Economies of scale or lower cost at scale
      • Access to technology

    Info-Tech Insights

    With multiple control points to be addressed, care must be taken in simplifying your options while addressing all concerns to ease operational load.

    Map different 'IBM i' scenarios with axes 'Importance to Business Outcomes - Low to High' and 'Vendor’s Performance Advantage - Low to High'. Quadrant labels are '[LI/LA] Potentially Outsource: Service management, Help desk, desk-side support, Asset management', '[LI/HA] Outsource: Application & Infra Support, Web Hosting, SAP Support, Email Services, Infrastructure', '[HI/LA] Insource (For Now): Application development tech support', and '[HI/HA] Potentially Outsource: Onshore or offshore application maintenance'.

    IBM i environments are challenging

    “The IBM i Reality” – Darin Stahl

    Most members relying on business applications/workloads running on non-commodity platforms (zSeries, IBM i, Solaris, AIX, etc.) are first motivated to get out from under the perceived higher costs for the hardware platform.

    An additional challenge for non-commodity platforms is that from an IT Operations Management perspective they become an island with a diminishing number of integrated operations skills and solutions such as backup/restore and monitoring tools.

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support and development in-house.

    Key challenges with current IBM i environments:
    1. DR Requirements
      Understand what the business needs are and where users and resources are located.
    2. Market Lack of Expertise
      Skilled team members are hard to find.
    3. Cost Management
      There is a perceived cost disadvantage to managing on-prem solutions.
    4. Aging Support Teams
      Current support teams are aging with little backfill in skill and experience.

    Understand your options

    Co-Location

    A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

    Onsite Outsourcing

    A provider will support the hardware/system environment at the client’s site.

    Managed Hosting

    A customer transitions their legacy application environment to an off-prem hosted, multi-tenanted environment.

    Public Cloud

    A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.”

    Co-Location

    Provider manages the data center hardware environment.

    Abstract

    Here a provider manages the system data center environment and hardware; however, the client’s in-house IBM i team manages the IBM i hardware environment and the system applications. The client manages all of the licenses associated with the platform as well as the hardware asset management considerations. This is typically part of a larger services or application transformation. This effectively outsources the data center management while maintaining all IBM i technical operations in-house.

    Advantages

    • On-demand bandwidth
    • Cost effective
    • Secure and compliant environment
    • On-demand remote “hands and feet” services
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • CapEx cost
    • Fluctuating network bandwidth costs
    • Secure connectivity
    • Disaster recovery and availability of vendor
    • Company IT DR and BC planning
    • Remote system maintenance (HW)

    Info-Tech Insights

    This model is extremely attractive for organizations looking to reduce their data center management footprint. Idea for the SMB.

    Onsite Sourcing

    A provider will support the hardware/system environment at the client’s site.

    Abstract

    Here a provider will support and manage the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

    Advantages

    • Managed environment within company premises
    • Cost effective (OpEx expense)
    • Economies of scale
    • On-demand “as-a-service” model
    • Improved IT DR staffing services
    • 24x7 monitoring and support

    Considerations

    • Outsourced IT talent
    • Terms and contract conditions
    • IT staff attrition
    • Increased liability
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Internal problem and change management

    Info-Tech Insights

    Depending on the application lifecycle and viability, in-house skill and technical depth is a key consideration when developing your IBM i strategy.

    Managed Hosting

    Transition legacy application environment to an off-prem hosted multi-tenanted environment.

    Abstract

    This type of arrangement is typically part of an application migration or transformation. In this model, a client can “re-platform” the application into an off-premises-hosted provider platform. This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

    Advantages

    • Turns CapEx into OpEx
    • Reduces in-house need for diminishing or scarce human resources
    • Allows the enterprise to focus on the value of the IBM i platform through the reduction of system administrative toil
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • Network bandwidth
    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options

    Info-Tech Insights

    There is a difference between a “re-host” and “re-platform” migration strategy. Determine which solution aligns to the application requirements.

    Public Cloud

    Leverage “public cloud” alternatives with AWS, Google, or Microsoft AZURE.

    Abstract

    This type of arrangement is typically part of a larger migration or application transformation. While low risk, it is not as cost-effective as other deployment models. In this model, client can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.” This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux).

    Advantages

    • Remote workforce accessibility
    • OpEx expense model
    • Improved IT DR services
    • Reduced infrastructure and system administration
    • Vendor management
    • 24x7 monitoring and support

    Considerations

    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options
    • Vendor/cloud lock-in
    • Application migration/”re-platform”
    • Application and system performance

    Info-Tech Insights

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote workforce.

    Understand your vendors

    • To best understand your options, you need to understand what IBM i services are provided by the industry vendors.
    • Within the following slides, you will find a defined activity with a working template that will create “vendor profiles” for each vendor.
    • As a working example, you can review the following partners:
    • Connectria (United States)
    • Rowton IT Solutions Ltd (United Kingdom)
    • Mid-Range (Canada)

    Info-Tech Insights

    Creating vendor profiles will help quickly filter the solution providers that directly meet your IBM i needs.

    Vendor Profile #1

    Rowton IT

    Summary of Vendor

    “Rowton IT thrive on creating robust and simple solutions to today's complex IT problems. We have a highly skilled and motivated workforce that will guarantee the right solution.

    Working with select business partners, we can offer competitive and cost effective packages tailored to suit your budget and/or business requirements.

    Our knowledge and experience cover vast areas of IT including technical design, provision and installation of hardware (Wintel and IBM Midrange), technical engineering services, support services, IT project management, application testing, documentation and training.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✖ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    rowtonit.com

    Regional Coverage:
    United Kingdom

    Logo for RowtonIT.com.

    Vendor Profile #2

    Connectria

    Summary of Vendor

    “Every journey starts with a single step and for Connectria, that step happened to be with the world’s largest bank, Deutsche Bank. Followed quickly by our second client, IBM. Since then, we have added over 1,000 clients worldwide. For 25 years, each customer, large or small, has relied on Connectria to deliver on promises made to make it easy to do business with us through flexible terms, scalable solutions, and straightforward pricing. Join us on our journey.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    connectria.com

    Regional Coverage:
    United States

    Logo for Connectria.

    Vendor Profile #3

    Mid-Range

    Summary of Vendor

    “Founded in 1988 and profitable throughout all of those 31 years, we have a solid track record of success. At Mid-Range, we use our expertise to assess your unique needs, in order to proactively develop the most effective IT solution for your requirements. Our full-service approach to technology and our diverse and in-depth industry expertise keep our clients coming back year after year.

    Serving clients across North America in a variety of industries, from small and emerging organizations to large, established enterprises – we’ve seen it all. Whether you need hardware or software solutions, disaster recovery and high availability, managed services or hosting or full ERP services with our JD Edwards offerings – we have the methods and expertise to help.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    midrange.ca

    Regional Coverage:
    Canada

    Logo for Mid-Range.

    Activity

    Understand your vendor options

    Activities:
    1. Create your vendor profiles
    2. Score vendor responses
    3. Develop and manage your vendor agenda

    This activity involves the following participants:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform

    Outcomes of this step:

    • Vendor Profile Template
    • Completed IT Infrastructure Outsourcing Scoring Tool

    Info-Tech Insights

    This check-point process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

    1. Create your vendor profiles

    Define what you are looking for:

    • Create a vendor profile for every vendor of interest.
    • Leverage our starting list and template to track and record the advantages of each vendor.

    Mindshift

    First National Technology Solutions

    Key Information Systems

    MainLine

    Direct Systems Support

    T-Systems

    Horizon Computer Solutions Inc.

    Vendor Profile Template

    [Vendor Name]

    Summary of Vendor

    [Vendor Summary]
    *Detail the Vendor Services as a Summary*

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)
    *Itemize the Vendor Services specific to your requirements*

    URL
    https://www.url.com/
    *Insert the Vendor URL*

    Regional Coverage:
    [Country\Region]
    *Insert the Vendor Coverage & Locations*

    *Insert the Vendor Logo*

    2. Score your vendor responses

    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.
    Use Info-Tech’s IT Infrastructure Outsourcing Scoring Tool to systematically score your vendor responses.

    The overall quality of the IBM i questions can help you understand what it might be like to work with the vendor.

    Consider the following questions:

    • Is the vendor clear about what it’s able to offer? Is its response transparent?
    • How much effort did the vendor put into answering the questions?
    • Does the vendor seem like someone you would want to work with?

    Once you have the vendor responses, you will select two or three vendors to continue assessing in more depth leading to an eventual final selection.

    Screenshot of the IT Infrastructure Outsourcing Scoring Tool's Scoring Sheet. There are three tables: 'Scoring Scale', 'Results', and one with 'RFP Questions'. Note on Results table says 'Top Scoring Vendors', and note on questions table says 'List your IBM i questions (requirements)'.

    Info-Tech Insights

    Watch out for misleading scores that result from poorly designed criteria weightings.

    3. Develop your vendor agenda

    Vendor Conference Call

    Develop an agenda for the conference call. Here is a sample agenda:
    • Review the vendor questions.
    • Go over answers to written vendor questions previously submitted.
    • Address new vendor questions.

    Commonly Debated Question:
    Should vendors be asked to remain anonymous on the call or should each vendor mention their organization when they join the call?

    Many organizations worry that if vendors can identify each other, they will price fix. However, price fixing is extremely rare due to its consequences and most vendors likely have a good idea which other vendors are participating in the bid. Another thought is that revealing vendors could either result in a higher level of competition or cause some vendors to give up:

    • A vendor that hears its rival is also bidding may increase the competitiveness of its bid and response.
    • A vendor that feels it doesn’t have a chance may put less effort into the process.
    • A vendor that feels it doesn’t have real competition may submit a less competitive or detailed response than it otherwise would have.

    Vendor Workshop

    A vendor workshop day is an interactive way to provide context to your vendors and to better understand the vendors’ offerings. The virtual or in-person interaction also offers a great way to understand what it’s like to work with each vendor and decide whether you could build a partnership with them in the long run.

    The main focus of the workshop is the vendors’ service solution presentation. Here is a sample agenda for a two-day workshop:

    Day 1
    • Meet and greet
    • Welcome presentation with objectives, acquisition strategy, and company overview
    • Overview of the current IT environment, technologies, and company expectations
    • Question and answer session
    • Site walk
    Day 2
    • Review Day 1 activities
    • Vendor presentations and solution framing
    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services
    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap
    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Define Your Cloud Vision
    Make the most of cloud for your organization.

    Document Your Cloud Strategy
    Drive consensus by outlining how your organization will use the cloud.

    Create a Right-Sized Disaster Recovery Plan
    Close the gap between your DR capabilities and service continuity requirements.

    Create a Better RFP Process
    Improve your RFPs to gain leverage and get better results.

    Research Authors

    Photo of Darin Stahl, Principal Research Advisor, Info-Tech Research Group.Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Principal Research Advisor within the Infrastructure Practice and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring (APM), Managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

    Photo of Troy Cheeseman, Practice Lead, Info-Tech Research Group.Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large, enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

    Research Contributors

    Photo of Dan Duffy, President & Owner, Mid-Range.Dan Duffy, President & Owner, Mid-Range

    Dan Duffy is the President and Founder of Mid-Range Computer Group Inc., an IBM Platinum Business Partner. Dan and his team have been providing the Canadian and American IBM Power market with IBM infrastructure solutions including private cloud, hosting and disaster recovery, high availability and data center services since 1988. He has served on numerous boards and associations including the Toronto Users Group for Mid-Range Systems (TUG), the IBM Business Partners of the Americas Advisory Council, the Cornell Club of Toronto, and the Notre Dame Club of Toronto. Dan holds a Bachelor of Science from Cornell University.

    Photo of George Goodall, Executive Advisor, Info-Tech Research Group.George Goodall, Executive Advisor, Info-Tech Research Group

    George Goodall is an Executive Advisor in the Research Executive Services practice at Info-Tech Research Group. George has over 20 years of experience in IT consulting, enterprise software sales, project management, and workshop delivery. His primary focus is the unique challenges and opportunities in organizations with small and constrained IT operations. In his long tenure at Info-Tech, George has covered diverse topics including voice communications, storage, and strategy and governance.

    Bibliography

    “Companies using IBM i (formerly known as i5/OS).” Enlyft, 21 July 2021. Web.

    Connor, Clare. “IBM i and Meeting the Challenges of Modernization.” Ensono, 22 Mar. 2022. Web.

    Huntington, Tom. “60+ IBM i User Groups and Communities to Join?” HelpSystems, 16 Dec. 2021. Web.

    Perkins, Dale. “The Road to Power Cloud: June 21st 1988 to now. The Journey Continues.” Mid-Range, 1 Nov. 2021. Web.

    Prickett Morgan, Timothy. “How IBM STACKS UP POWER8 AGAINST XEON SERVERS.” The Next Platform, 13 Oct. 2015. Web.

    “Why is AS/400 still used? Four reasons to stick with a classic.” NTT, 21 July 2016. Web.

    Appendix

    Public Cloud Provider Notes

    Appendix –
    Cloud
    Providers


    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    AWS

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Google

    • Google Cloud console supports IBM Power Systems.
    • This offering provides cloud instances running on IBM Power Systems servers with PowerVM.
    • The service uses a per-day prorated monthly subscription model for cloud instance plans with different capacities of compute, memory, storage, and network. Standard plans are listed below and custom plans are possible.
    • There is no IBM i offering yet that we are aware of.
    • For AIX on Power, this would appear to be a better option than AWS (Converge Enterprise Cloud with IBM Power for Google Cloud).

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Azure

    • Azure has partners using the Azure Dedicated Host offerings to deliver “native support for IBM POWER Systems to Azure data centres” (PowerWire).
    • Microsoft has installed Power servers in an couple Azure data centers and Skytap manages the IBM i, AIX, and Linux environments for clients.
    • As far as I am aware there is no ability to install IBM i or AIX within an Azure Dedicated Host via the retail interfaces – these must be worked through a partner like Skytap.
    • The cloud route for IBM i or AIX might be the easiest working with Skytap and Azure. This would appear to be a better option than AWS in my opinion.

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    IBM

    Modernize Data Architecture for Measurable Business Results

    • Buy Link or Shortcode: {j2store}387|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Data architecture projects have often failed in the past, causing businesses today to view the launch of a new project as a costly initiative with unclear business value.
    • New technologies in big data and analytics are requiring organizations to modernize their data architecture, but most organizations have failed to spend the time and effort refining the appropriate data models and blueprints that enable them to do so.
    • As the benefits for data architecture are often diffused across an organization’s information management practice, it can be difficult for the business to understand the value and necessity of data architecture.

    Our Advice

    Critical Insight

    • At the heart of tomorrow’s insights-driven enterprises is a modern data environment anchored in fit-for-purpose data architectures.
    • The role of traditional data architecture is transcending beyond organizational boundaries and its focus is shifting from “keeping the lights on” (i.e. operational data and BI) to providing game-changing insights gleaned from untapped big data.

    Impact and Result

    • Perform a diagnostic assessment of your present day architecture and identify the capabilities of your future “to be” environment to position your organization to capitalize on new opportunities in the data space.
    • Use Info-Tech’s program diagnostic assessment and guidance for developing a strategic roadmap to support your team in building a fit-for purpose data architecture practice.
    • Create a data delivery architecture that harmonizes traditional and modern architectural opportunities.

    Modernize Data Architecture for Measurable Business Results Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize your data architecture, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a data architecture vision

    Plan your data architecture project and align it with the business and its strategic vision.

    • Modernize Data Architecture for Measurable Business Results – Phase 1: Develop a Data Architecture Vision
    • Modernize Data Architecture Project Charter
    • Data Architecture Strategic Planning Workbook

    2. Assess data architecture capabilities

    Evaluate the current and target capabilities of your data architecture, using the accompanying diagnostic assessment to identify performance gaps and build a fit-for-purpose practice.

    • Modernize Data Architecture for Measurable Business Results – Phase 2: Assess Data Architecture Capabilities
    • Data Architecture Assessment and Roadmap Tool
    • Initiative Definition Tool

    3. Develop a data architecture roadmap

    Translate your planned initiatives into a sequenced roadmap.

    • Modernize Data Architecture for Measurable Business Results – Phase 3: Develop a Data Architecture Roadmap
    • Modernize Data Architecture Roadmap Presentation Template
    [infographic]

    Workshop: Modernize Data Architecture for Measurable Business Results

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop a Data Architecture (DA) Vision

    The Purpose

    Discuss key business drivers and strategies.

    Identify data strategies.

    Develop a data architecture vision.

    Assess data architecture practice capabilities. 

    Key Benefits Achieved

    A data architecture vision aligned with the business.

    A completed assessment of the organization’s current data architecture practice capabilities.

    Identification of "to be" data architecture practice capabilities.

    Identification of key gaps. 

    Activities

    1.1 Explain approach and value proposition

    1.2 Discuss business vision and key drivers

    1.3 Discover business pain points and needs

    1.4 Determine data strategies

    1.5 Assess DA practice capabilities

    Outputs

    Data strategies

    Data architecture vision

    Current and target capabilities for the modernized DA practice

    2 Assess DA Core Capabilities (Part 1)

    The Purpose

    Assess the enterprise data model (EDM).

    Assess current and target data warehouse, BI/analytics, and big data architectures.

    Key Benefits Achieved

    A completed assessment of the organization’s current EDM, data warehouse, BI and analytics, and big data architectures.

    Identification of "to be" capabilities for the organization’s EDM, data warehouse, BI and analytics, and big data architectures.

    Identification of key gaps.

    Activities

    2.1 Present an overarching DA capability model

    2.2 Assess current and target EDM capabilities

    2.3 Assess current/target data warehouse, BI/analytics, and big data architectures

    2.4 Identify gaps and high level strategies

    Outputs

    Target capabilities for EDM

    Target capabilities for data warehouse architecture, BI architecture, and big data architecture

    3 Assess DA Core Capabilities (Part 2)

    The Purpose

    Assess EDM.

    Assess current/target MDM, metadata, data integration, and content architectures.

    Assess dynamic data models.

    Key Benefits Achieved

    A completed assessment of the organization’s current MDM, metadata, data integration, and content architectures.

    Identification of “to be” capabilities for the organization’s MDM, metadata, data integration, and content architectures.

    Identification of key gaps.

    Activities

    3.1 Present an overarching DA capability model

    3.2 Assess current and target MDM, metadata, data integration, and content architectures

    3.3 Assess data lineage and data delivery model

    3.4 Identify gaps and high level strategies

    Outputs

    Target capabilities for MDM architecture, metadata architecture, data integration architecture, and document & content architecture

    Target capabilities for data lineage/delivery

    4 Analyze Gaps and Formulate Strategies

    The Purpose

    Map performance gaps and document key initiatives from the diagnostic assessment.

    Identify additional gaps and action items.

    Formulate strategies and initiatives to address priority gaps. 

    Key Benefits Achieved

    Prioritized gap analysis.

    Improvement initiatives and related strategies.

    Activities

    4.1 Map performance gaps to business vision, pain points, and needs

    4.2 Identify additional gaps

    4.3 Consolidate/rationalize/prioritize gaps

    4.4 Formulate strategies and actions to address gaps

    Outputs

    Prioritized gaps

    Data architecture modernization strategies

    5 Develop a Data Architecture Roadmap

    The Purpose

    Plot initiatives and strategies on a strategic roadmap.

    Key Benefits Achieved

    A roadmap with prioritized and sequenced initiatives.

    Milestone plan.

    Executive report. 

    Activities

    5.1 Transform strategies into a plan of action

    5.2 Plot actions on a prioritized roadmap

    5.3 Identify and discuss next milestone plan

    5.4 Compile an executive report

    Outputs

    Data architecture modernization roadmap

    Data architecture assessment and roadmap report (from analyst team)

    Build a Digital Workspace Strategy

    • Buy Link or Shortcode: {j2store}294|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: End-User Computing Strategy
    • Parent Category Link: /end-user-computing-strategy
    • IT must figure out what a digital workspace is, why they’re building one, and what type they want.
    • Remote work creates challenges that cannot be solved by technology alone.
    • Focusing solely on technology risks building something the business doesn’t want or can’t use.

    Our Advice

    Critical Insight

    Building a smaller digital workspace doesn’t mean that the workspace will have a smaller impact on the business.

    Impact and Result

    • Partner with the business to create a team of digital workspace champions.
    • Empower employees with a tool that makes remote work easier.

    Build a Digital Workspace Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should partner with the business for building a digital workspace, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the digital workspace you want to build

    Create a list of benefits that the organization will find compelling and build a cross-functional team to champion the workspace.

    • Build a Digital Workspace Strategy – Phase 1: Identify the Digital Workspace You Want to Build
    • Digital Workspace Strategy Template
    • Digital Workspace Executive Presentation Template

    2. Identify high-level requirements

    Design the digital workspace’s value proposition to drive your requirements.

    • Build a Digital Workspace Strategy – Phase 2: Identify High-Level Requirements
    • Sample Digital Workspace Value Proposition
    • Flexible Work Location Policy
    • Flexible Work Time Policy
    • Flexible Work Time Off Policy
    • Mobile Device Remote Wipe Waiver Template
    • Mobile Device Connectivity & Allowance Policy
    • General Security – User Acceptable Use Policy

    3. Identify initiatives and a high-level roadmap

    Take an agile approach to building your digital workspace.

    • Build a Digital Workspace Strategy – Phase 3: Identify Initiatives and a High-Level Roadmap
    [infographic]

    Workshop: Build a Digital Workspace Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Digital Workspace You Want to Build

    The Purpose

    Ensure that the digital workspace addresses real problems the business is facing.

    Key Benefits Achieved

    Defined benefits that will address business problems

    Identified strategic business partners

    Activities

    1.1 Identify the digital workspace’s direction.

    1.2 Prioritize benefits and define a vision.

    1.3 Assemble a team of digital workspace champions.

    Outputs

    Vision statement

    Mission statement

    Guiding principles

    Prioritized business benefits

    Metrics and key performance indicators

    Service Owner, Business Owner, and Project Sponsor role definitions

    Project roles and responsibilities

    Operational roles and responsibilities

    2 Identify Business Requirements

    The Purpose

    Drive requirements through a well-designed value proposition.

    Key Benefits Achieved

    Identified requirements that are based in employees’ needs

    Activities

    2.1 Design the value proposition.

    2.2 Identify required policies.

    2.3 Identify required level of input from users and business units.

    2.4 Document requirements for user experiences, processes, and services.

    2.5 Identify in-scope training and culture requirements.

    Outputs

    Prioritized functionality requirements

    Value proposition for three business roles

    Value proposition for two service provider roles

    Policy requirements

    Interview and focus group plan

    Business process requirements

    Training and culture initiatives

    3 Identify IT and Service Provider Requirements

    The Purpose

    Ensure that technology is an enabler.

    Key Benefits Achieved

    Documented requirements for IT and service provider technology

    Activities

    3.1 Identify systems of record requirements.

    3.2 Identify requirements for apps.

    3.3 Identify information storage requirements.

    3.4 Identify management and security integrations.

    3.5 Identify requirements for internal and external partners.

    Outputs

    Requirements for systems for record

    Prioritized list of apps

    Storage system requirements

    Data and security requirements

    Outsourcing requirements

    Secure IT-OT Convergence

    • Buy Link or Shortcode: {j2store}382|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $10,499 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations

    IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.

    Our Advice

    Critical Insight

    • Returning to isolated OT is not beneficial for the organization, therefore IT and OT need to learn to collaborate starting with communication to build trust and to overcome differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
    • Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
    • OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT-OT based on negotiation and this needs top-down support.

    Impact and Result

    Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to

    • initiate communication to define roles and responsibilities.
    • establish governance and build cross-functional team.
    • identify convergence components and compliance obligations.
    • assess readiness.

    Secure IT/OT Convergence Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure IT/OT Convergence Storyboard – A step-by-step document that walks you through how to secure IT-OT convergence.

    Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.
    • Secure IT/OT Convergence Storyboard

    2. Secure IT/OT Convergence Requirements Gathering Tool – A tool to map organizational goals to secure IT-OT goals.

    This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.

    • Secure IT/OT Convergence Requirements Gathering Tool

    3. Secure IT/OT Convergence RACI Chart Tool – A tool to identify and understand the owners of various IT/OT convergence across the organization.

    A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.

    • Secure IT/OT Convergence RACI Chart Tool
    [infographic]

    Further reading

    Secure IT/OT Convergence

    Create a holistic IT/OT security culture.

    Analyst Perspective

    Are you ready for secure IT/OT convergence?

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

    In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

    A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

    Photo of Ida Siahaan, Research Director, Security and Privacy Practice, Info-Tech Research Group. Ida Siahaan
    Research Director, Security and Privacy Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.
    Common Obstacles
    • IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
    • OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
    • Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).
    Info-Tech’s Approach

    Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

    • Initiate communication to define roles and responsibilities.
    • Establish governance and build a cross-functional team.
    • Identify convergence components and compliance obligations.
    • Assess readiness.

    Info-Tech Insight

    Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

    Consequences of unsecure IT/OT convergence

    OT systems were built with no or little security design

    90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

    Bar graph comparing three years, 2019-2021, of four different OT security incidents: 'Ransomeware', 'Insider breaches', 'Phishing', and 'Malware'.
    (Source: Fortinet, 2021.)
    Lack of visibility

    86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

    The need for secure IT/OT convergence

    Important Industrial Control System (ICS) cyber incidents

    2000
    Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
    2012
    Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.
    2014
    Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
    2017
    Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
    2022
    Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
    Timeline of Important Industrial Control System (ICS) cyber incidents.
    1903
    Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
    2010
    Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
    2013
    Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers
    2016
    Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
    2021
    Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.

    (Source: US Department of Energy, 2018.


    ”Significant Cyber Incidents,” CSIS, 2022


    MIT Technology Review, 2022.)

    Info-Tech Insight

    Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

    Case Study

    Horizon Power
    Logo for Horizon Power.
    INDUSTRY
    Utilities
    SOURCE
    Interview

    Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

    Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

    In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

    The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

    Results

    The lessons learned in converging IT and OT from Horizon Power were:

    • Start with forming relationships to build trust and overcome any divide between IT and OT.
    • Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
    • Switch the focus from confidentiality and integrity to availability in solutions evaluation
    • Develop training and awareness programs for all levels of the organization.
    • Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
    • Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
    • Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

    The Secure IT/OT Convergence Framework

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem, to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will result in a problem. Therefore, IT and OT need to learn to live together starting with communication to build trust and to overcome differences between IT and OT.
    Convergence Elements
    • Process convergence
    • Software and data convergence
    • Network and infrastructure convergence
    Target Groups
    • OT leader and teams
    • IT leader and teams
    • Security leader and teams
    Security Components
    • Governance and compliance
    • Security strategy
    • Risk management
    • Security policies
    • IR, DR, BCP
    • Security awareness and training
    • Security architecture and controls

    Plan

    • Initiate communication
    • Define roles and responsibilities
    • Establish governance and build a cross-functional team
    • Identify convergence elements and compliance obligations
    • Assess readiness

    Governance

    Compliance

    Enhance

    • Update security strategy for IT/OT convergence
    • Update risk-management framework for IT/OT convergence
    • Update security policies and procedures for IT/OT convergence
    • Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

    Security strategy

    Risk management

    Security policies and procedures

    IR, DR, and BCP

    Monitor &
    Optimize

    • Implement awareness, induction, and cross-training program
    • Design and deploy converging security architecture and controls
    • Establish and monitor IT/OT security metrics on effectiveness and efficiency
    • Red-team followed by blue-team activity for cross-functional team building

    Awareness and cross-training

    Architecture and controls

    Phases
    Color-coded phases with arrows looping back up from the bottom to top phase.
    • Plan
    • Enhance
    • Monitor & Optimize
    Plan Outcomes
    • Mapping business goals to IT/OT security goals
    • RACI chart for priorities and accountabilities
    • Compliance obligations register
    • Readiness checklist
    Enhance Outcomes
    • Security strategy for IT/OT convergence
    • Risk management framework
    • Security policies & procedures
    • IR, DR, BCP
    Monitor & Optimize Outcomes
    • Security awareness and training
    • Security architecture and controls
    Plan Benefits
    • Improved flexibility and less divided IT/OT
    • Improved compliance
    Enhance Benefits
    • Increased strategic common goals
    • Increased efficiency and versatility
    Monitor & Optimize Benefits
    • Enhanced security
    • Reduced costs

    Plan

    Initiate communication

    To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
    IT OT
    Remote Access Well-defined access control Usually single-level access control
    Interfaces Human Machine, equipment
    Software ERP, CRM, HRIS, payroll SCADA, DCS
    Hardware Servers, switches, PCs PLC, HMI, sensors, motors
    Networks Ethernet Fieldbus
    Focus Reporting, communication Up-time, precision, safety
    Change management Frequent updates and patches Infrequent updates and patches
    Security Confidentiality, integrity, availability Safety, reliability, availability
    Time requirement Normally not time critical Real time

    Info-Tech Insight

    OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

    Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

    • Security leaders need to understand the direction the organization is headed in.
    • Wise security investments depend on aligning your security initiatives to the organization.
    • Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

    Map organizational goals to IT/OT security goals

    Input: Corporate, IT, and OT strategies

    Output: Your goals for the security strategy

    Materials: Secure IT/OT Convergence Requirements Gathering Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

    1. As a group, brainstorm organization goals.
      1. Review relevant corporate, IT, and OT strategies.
    2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
    3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

    Download the Secure IT/OT Convergence Requirements Gathering Tool

    Record organizational goals

    Sample of the definitions table with columns numbered 1-4.

    Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

    1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    2. For each of your organizational goals, identify IT alignment goals.
    3. For each of your organizational goals, identify OT alignment goals.
    4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

    Establish scope and boundaries

    It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
    This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
    • Is the system owned or outsourced?
    • Where are you accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    OT Systems Scope and Boundaries

    • There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
    • Is the system owned or outsourced?
    • Where are you accountable for safety and security?
    • What reliability requirements does each system handle?

    Record scope and boundaries

    Sample Scope and Boundaries table. Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
    • Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    • For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

    Plan

    Define roles and responsibilities

    Input: List of relevant stakeholders

    Output: Roles and responsibilities for the secure IT/OT convergence program

    Materials: Secure IT/OT Convergence RACI Chart Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader

    There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

    • Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
    • Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
    • Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
    • Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

    Download the Secure IT/OT Convergence RACI Chart Tool

    Define RACI Chart

    Sample RACI chart with only the 'Plan' section enlarged.

    Define responsible, accountable, consulted, and informed (RACI) stakeholders.
    1. Customize the "work units" to best reflect your operation with applicable stakeholders.
    2. Customize the "action“ rows as required.
    Info-Tech Insight

    The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

    Plan

    Establish governance and build cross-functional team

    To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

    The maturity ladder with levels 'Fully Converged', 'Collaborative Partners', 'Trusted Resources', 'Affiliated Entities', and 'Siloed' at the bottom. Each level has four maturity indicators listed.

    Info-Tech Insight

    To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

    Centralized security governance model example

    Example of a centralized security governance model.

    Plan

    Identify convergence elements and compliance obligations

    To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
    • A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
    • However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
    • Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

    Level 5: Enterprise Network

    Level 4: Site Business

    Level 3.5: DMZ
    Example: Patch Management Server, Application Server, Remote Access Server

    Level 3: Site Operations
    Example: SCADA Server, Engineering Workstation, Historian

    Level 2: Area Supervisory Control
    Example: SCADA Client, HMI

    Level 1: Basic Control
    Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

    Level 0: Process
    Example: Sensors, Actuators, Field Devices

    (Source: “Purdue Enterprise Reference Architecture (PERA) Model,” ISA-99.)

    Identify compliance obligations

    To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
    Example table of compliance obligations standards. Example tables of compliance obligations regulations and guidelines.

    Source:
    ENISA, 2013
    DHS, 2009.

    • OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
    • OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
    • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

    IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

    International series of standards for asset owners, system integrators, and product manufacturers.
    Diagram of the international series of standards for asset owners.
    (Source: Cooksley, 2021)
    • IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
    • In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
    • For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
    • For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

    Record your compliance obligations

    Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      1. Laws
      2. Government regulations
      3. Industry standards
      4. Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
    3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.
    Table of mandatory and voluntary security compliance obligations.

    Plan

    Assess readiness

    Readiness checklist for secure IT/OT convergence

    People

    • Define roles and responsibilities on interaction based on skill sets and the degree of support and alignment.
    • Adopt well-established security governance practices for cross-functional teams.
    • Analyze and develop skills required by implementing awareness, induction, and cross-training program.

    Process

    • Conduct a maturity assessment of key processes and highlight interdependencies.
    • Redesign cybersecurity processes for your secure IT/OT convergence program.
    • Develop a baseline and periodically review on risks, security policies and procedures, incident response, disaster recovery, and business continuity plan.

    Technology

    • Conduct a maturity assessment and identify convergence elements and compliance obligations.
    • Develop a roadmap and deploy converging security architecture and controls step by step, working with trusted technology partners.
    • Monitor security metrics on effectiveness and efficiency and conduct continuous testing by red-team and blue-team activities.

    (Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)

    Enhance

    Update security strategy

    To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.

    Cycle for updating security strategy: 'Architecture design', 'Procurement', 'Installation', 'Maintenance', 'Decommissioning'.
    (Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)
    • OT system life cycle is like the IT system life cycle, starting with architectural design and ending with decommissioning.
    • Currently, IT only gets involved from installation or maintenance, so they may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle.
    • Finally, it is necessary to have propositional sharing of responsibilities between IT leaders, security leaders, and OT leaders who have broader responsibilities.

    Enhance

    Update risk management framework

    The need for asset and threat taxonomy

    • One of issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may deteriorate a machine or take a machine offline and may not be applicable. For example, some facilities run with reliability of 99.999%, which only allows maximum of 5 minutes and 35 seconds or less of downtime per year.
    • Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats cand help.
    • Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment, e.g. running an antivirus tool on OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.
    Risk management framework.
    (Source: ENISA, 2018.)

    Enhance

    Update security policies and procedures

    • Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations, and vulnerabilities affect organizations of all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed as ideal proxies for attackers.
    • Updating security policies to align with the OT system so that there is a uniform approach to securing both IT and OT environments has several benefits. For example, enhancing the overall security posture as issues are pre-emptively avoided, being better prepared for auditing and compliance requirements, and improving governance especially when OT governance is weak.
    • In updating security policies, it is important to redefine the policy framework to include the OT framework and to prioritize the development of security policies. For example, entities that own or manage US and Canadian electric power grids must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, specifically CIP-003 for Policy and Governance. This can be achieved by understanding the current state of policies and by right-sizing the policy suite based on a policy hierarchy.
    The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy such that it must include both IT and OT.

    Policy hierarchy example

    This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.

    Example policy hierarchy with four levels, from top-down: 'Governance', 'Process-based policies', 'Prescriptive/ technical (for IT including OT elements)', 'Prescriptive/ technical (for users)'.

    Enhance

    Update IR, DR, and BCP

    A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)

    1. Customize organizational chart for IT/OT IR, DR, BCP based on governance and management model.
      E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
    2. Adjust the authority of the new organizational chart and decide if it requires additional staffing.
      E.g. full authority, shared authority. (Software Engineering Institute, 2003)
    3. Update IR plan, DR plan, and BCP for IT/OT convergence.
      E.g. incorporate zero trust principles for converge network
    4. Testing updated IR plan, DR plan, and BCP.

    Optimize

    Implement awareness, induction, and cross-training

    To develop training and awareness programs for all levels of the organization, it is important to understand the common challenges in IT security that also affect secure IT/OT convergence and how to overcome those challenges.

    Alert Fatigue

    Too many false alarms, too many events to process, and an evolving threat landscape that wastes analysts’ valuable time on mundane tasks such as evidence collection. Meanwhile, only limited time is given for decision and conclusion, which results in fear of missing an incident and alert fatigue.

    Skill Shortages

    Obtaining and retaining cybersecurity-skilled talent is challenging. Organizations need to invest in the people, but not all organizations will be able to invest sufficiently to have their own dedicated security team.

    Lack of Insight

    To report progress, clear metrics are needed. However, cybersecurity still falls short in this area, as the system itself is complex, and much work is siloed. Furthermore, lessons learned are not yet distilled into insights yet for improving future accuracy.

    Lack of Visibility

    Ensuring complete visibility of the threat landscape, risks, and assets requires system integration and consistent workflow across the organization, and the convergence of OT, IoT, and IT enhances this challenge (e.g. machines cannot be scanned during operational uptime).
    (Source: Security Intelligence, 2020.)
    “Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022)

    Awareness may not correspond to readiness

    • An issue with IT/OT convergence training and awareness happens when awareness exists, but the personnel are trained only for IT security and are not trained for OT-specific security. For example, some organizations still use generic topics such as not opening email attachments, when the personnel do not even operate using email nor in a web browsing environment. (“Assessing Operational Readiness,” Dragos, 2022)
    • Meanwhile, as is the case with IT, OT security training topics are broad, such as OT threat intelligence, OT-specific incident response, and tabletop exercises.
    • Hence, it requires the creation of a training program development plan that considers the various audiences and topics and maps them accordingly.
    • Moreover, roles are also evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security & ops team might consist of an IT security specialist, SCADA technician/engineer, and OT/IIOT security specialist where OT/IIOT security specialist is a new role. (Grid Modernization: Optimize Opportunities and Minimize Risks,” Info-Tech)
    • In conclusion, it is important to approach talent development with an open mind. The ability to learn and flexibility in the face of change are important attributes, and technical skill sets can be improved with certifications and training.
    “One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.)

    Certifications

    What are the options?
    • One of issues in certification is the complexity on relevancy in topics with respect to roles and levels.
    • An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications.

    Specific cybersecurity certification of ICS/SCADA
    Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course.

    Other relevant certification schemes
    Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP).

    Safety Certifications
    Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

    Order of certifications with 'Orientation' at the top, 'Scope', then 'Support'.(Source: ENISA, 2015.)

    Optimize

    Design and deploy converging security architecture and controls

    • IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred as “OT High-Security Zone” and the topmost layer is “IT Low-Security Zone.” In this model, each layer has its own set of controls configured and acts like an additional layer of security for the zone underneath it.
    • The data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified to pass to another zone based on the need-to-know principle.
    • In the normal control flow within the “OT High-Security Zone” from level 3 to level 0, the traffic must be verified to pass to another level based on the principle of least privilege.
    • Remote access (dotted arrow) is allowed under strict access control and change control based on the zero-trust principle with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone”
    • This model simplifies the security process, as if the lower layers have been compromised, then the compromise can be confined on that layer, and it also prevents lateral movement as access is always verified.
    Diagram for the deployments of converging security architecture.(Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)

    Off-the-shelf solutions

    Getting the right recipe: What criteria to consider?

    Image of a shopping cart with the four headlines on the right listed in order from top to bottom.
    Icon of an eye crossed out. Visibility and Asset Management

    Passive data monitoring using various protocol layers, active queries to devices, or parsing configuration files of OT, IoT, and IT environments on assets, processes, and connectivity paths.

    Icon of gears. Threat Detection, Mitigation, and Response (+ Hunting)

    Automation of threat analysis (signature-based, specification-based, anomaly-based, sandboxing) not only in IT but also in relevant environments, e.g. IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

    Icon of a check and pen. Risk Assessment and Vulnerability Management

    Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

    Icon of a wallet. Usability, Architecture, Cost

    The user and administrative experience, multiple deployment options and extensive integration capabilities, and affordability.

    Optimize

    Establish and monitor IT/OT security metrics for effectiveness and efficiency

    Role of security metrics in a cybersecurity program (EPRI, 2017.)
    • Requirements for secure IT/OT are derived from mandatory or voluntary compliance, e.g. NERC CIP, NIST SP 800-53.
    • Frameworks for secure IT/OT are used to build and implement security, e.g. NIST CSF, AESCSF.
    • Maturity of secure IT/OT is used to measure the state of security, e.g. C2M2, CMMC.
    • Security metrics have the role of measuring effectiveness and efficiency.

    Icon of a person ascending stairs.
    Safety

    OT interfaces with the physical world. Thus, metrics based on risks related with life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)

    Icon of a person ascending stairs.
    Business Performance

    The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)

    Icon of a person ascending stairs.
    Technology Performance

    Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)

    Icon of a person ascending stairs.
    Security Culture

    The metrics for the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

    Further information

    Related Info-Tech Research

    Sample of 'Build an Information Security Strategy'.

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

    This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

    Sample of 'Preparing for Technology Convergence in Manufacturing'.

    Preparing for Technology Convergence in Manufacturing

    Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

    Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

    Sample of 'Implement a Security Governance and Management Program'.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Bibliography

    Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.

    “Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.

    Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

    “Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

    “Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.

    “Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web.

    “Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.

    Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022.

    “Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.

    Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022

    Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.

    “ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.

    Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.

    Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.

    Bibliography

    O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.

    Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.

    Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.

    “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.

    Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.

    “Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.

    Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.

    “2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.

    “2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web.

    Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Research Contributors and Experts

    Photo of Jeff Campbell, Manager, Technology Shared Services, Horizon Power, AU. Jeff Campbell
    Manager, Technology Shared Services
    Horizon Power, AU

    Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors.

    Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability.

    As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

    Christopher Harrington
    Chief Technology Officer (CTO)
    Carolinas Telco Federal Credit Union

    Frank DePaola
    Vice President, Chief Information Security Officer (CISO)
    Enpro

    Kwasi Boakye-Boateng
    Cybersecurity Researcher
    Canadian Institute for Cybersecurity

    The Rapid Application Selection Framework

    • Buy Link or Shortcode: {j2store}608|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $37,512 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Selection takes forever. Traditional software selection drags on for years, sometimes in perpetuity.
    • IT is viewed as a bottleneck and the business has taken control of software selection.
    • “Gut feel” decisions rule the day. Intuition, not hard data, guides selection, leading to poor outcomes.
    • Negotiations are a losing battle. Money is left on the table by inexperienced negotiators.
    • Overall: Poor selection processes lead to wasted time, wasted effort, and applications that continually disappoint.

    Our Advice

    Critical Insight

    • Adopt a formal methodology to accelerate and improve software selection results.
    • Improve business satisfaction by including the right stakeholders and delivering new applications on a truly timely basis.
    • Kill the “sacred cow” requirements that only exist because “it’s how we’ve always done it.”
    • Forget about “RFP” overload and hone in on the features that matter to your organization.
    • Skip the guesswork and validate decisions with real data.
    • Take control of vendor “dog and pony shows” with single-day, high-value, low-effort, rapid-fire investigative interviews.
    • Master vendor negotiations and never leave money on the table.

    Impact and Result

    Improving software selection is a critical project that will deliver huge value.

    • Hit a home run with your business stakeholders: use a data-driven approach to select the right application vendor for their needs – fast.
    • Shatter stakeholder expectations with truly rapid application selections.
    • Boost collaboration and crush the broken telephone with concise and effective stakeholder meetings.
    • Lock in hard savings and do not pay list price by using data-driven tactics.

    The Rapid Application Selection Framework Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Rapid Application Selection Framework

    • The Rapid Application Selection Framework Deck

    2. The Guide to Software Selection: A Business Stakeholder Manual

    • The Guide to Software Selection: A Business Stakeholder Manual

    3. The Software Selection Workbook

    • The Software Selection Workbook

    4. The Vendor Evaluation Workbook

    • The Vendor Evaluation Workbook
    [infographic]

    Redesign Your IT Organizational Structure

    • Buy Link or Shortcode: {j2store}275|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $71,830 Average $ Saved
    • member rating average days saved: 25 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design

    Most organizations go through an organizational redesign to:

    • Better align to the strategic objectives of the organization.
    • Increase the effectiveness of IT as a function.
    • Provide employees with clarity in their roles and responsibilities.
    • Support new capabilities.
    • Better align IT capabilities to suit the vision.
    • Ensure the IT organization can support transformation initiatives.

    Our Advice

    Critical Insight

    • Organizational redesign is only as successful as the process leaders engage in. It shapes a story framed in a strong foundation of need and a method to successfully implement and adopt the new structure.
    • Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context. It’s important to focus on your organization, not someone else's.
    • You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.

    Impact and Result

    • We are often unsuccessful in organizational redesign because we lack an understanding of why this initiative is required or fail to recognize that it is a change initiative.
    • Successful organizational design requires a clear understanding of why it is needed and what will be achieved by operating in a new structure.
    • Additionally, understanding the impact of the change initiative can lead to greater adoption by core stakeholders.

    Redesign Your IT Organizational Structure Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Redesign Your IT Organizational Structure Deck – A defined method of redesigning your IT structure that is founded by clear drivers and consistently considering change management practices.

    The purpose of this storyboard is to provide a four-phased approach to organizational redesign.

    • Redesign Your IT Organizational Structure – Phases 1-4

    2. Communication Deck – A method to communicate the new organizational structure to critical stakeholders to gain buy-in and define the need.

    Use this templated Communication Deck to ensure impacted stakeholders have a clear understanding of why the new organizational structure is needed and what that structure will look like.

    • Organizational Design Communications Deck

    3. Redesign Your IT Organizational Structure Executive Summary Template – A template to secure executive leadership buy-in and financial support for the new organizational structure to be implemented.

    This template provides IT leaders with an opportunity to present their case for a change in organizational structure and roles to secure the funding and buy-in required to operate in the new structure.

    • Redesign Your IT Organizational Structure Executive Summary

    4. Redesign Your IT Organizational Structure Workbook – A method to document decisions made and rationale to support working through each phase of the process.

    This Workbook allows IT and business leadership to work through the steps required to complete the organizational redesign process and document key rationale for those decisions.

    • Redesign Your IT Organizational Structure Workbook

    5. Redesign Your IT Organizational Structure Operating Models and Capability Definitions – A tool that can be used to provide clarity on the different types of operating models that exist as well as the process definitions of each capability.

    Refer to this tool when working through the redesign process to better understand the operating model sketches and the capability definitions. Each capability has been tied back to core frameworks that exist within the information and technology space.

    • Redesign Your IT Organizational Structure Operating Models and Capability Definitions

    Infographic

    Workshop: Redesign Your IT Organizational Structure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Organizational Design Foundation

    The Purpose

    Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process.

    Key Benefits Achieved

    Clearly articulate why this organizational redesign is needed and the implications the strategies and context will have on your structure.

    Activities

    1.1 Define the org design drivers.

    1.2 Document and define the implications of the business context.

    1.3 Align the structure to support the strategy.

    1.4 Establish guidelines to direct the organizational design process.

    Outputs

    Clear definition of the need to redesign the organizational structure

    Understanding of the business context implications on the organizational structure creation.

    Strategic impact of strategies on organizational design.

    Customized Design Principles to rationalize and guide the organizational design process.

    2 Create the Operating Model Sketch

    The Purpose

    Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment.

    Key Benefits Achieved

    A customized operating model sketch that informs what capabilities will make up your IT organization and how those capabilities will align to deliver value to your organization.

    Activities

    2.1 Augmented list of IT capabilities.

    2.2 Capability gap analysis

    2.3 Identified capabilities for outsourcing.

    2.4 Select a base operating model sketch.

    2.5 Customize the IT operating model sketch.

    Outputs

    Customized list of IT processes that make up your organization.

    Analysis of which capabilities require dedicated focus in order to meet goals.

    Definition of why capabilities will be outsourced and the method of outsourcing used to deliver the most value.

    Customized IT operating model reflecting sourcing, centralization, and intended delivery of value.

    3 Formalize the Organizational Structure

    The Purpose

    Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities.

    Key Benefits Achieved

    A detailed organizational chart reflecting team structures, reporting structures, and role responsibilities.

    Activities

    3.1 Categorize your IT capabilities within your defined functional work units.

    3.2 Create a mandate statement for each work unit.

    3.3 Define roles inside the work units and assign accountability and responsibility.

    3.4 Finalize your organizational structure.

    Outputs

    Capabilities Organized Into Functional Groups

    Functional Work Unit Mandates

    Organizational Chart

    4 Plan for the Implementation & Change

    The Purpose

    Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders.

    Key Benefits Achieved

    A clear plan of action on how to transition to the new structure, communicate the new organizational structure, and measure the effectiveness of the new structure.

    Activities

    4.1 Identify and mitigate key org design risks.

    4.2 Define the transition plan.

    4.3 Create the change communication message.

    4.4 Create a standard set of FAQs.

    4.5 Align sustainment metrics back to core drivers.

    Outputs

    Risk Mitigation Plan

    Change Communication Message

    Standard FAQs

    Implementation and sustainment metrics.

    Further reading

    Redesign Your IT Organizational Structure

    Designing an IT structure that will enable your strategic vision is not about an org chart – it’s about how you work.

    EXECUTIVE BRIEF

    Analyst Perspective

    Structure enables strategy.

    The image contains a picture of Allison Straker.

    Allison Straker

    Research Director,

    Organizational Transformation

    The image contains a picture of Brittany Lutes.

    Brittany Lutes

    Senior Research Analyst,

    Organizational Transformation

    An organizational structure is much more than a chart with titles and names. It defines the way that the organization operates on a day-to-day basis to enable the successful delivery of the organization’s information and technology objectives. Moreover, organizational design sees beyond the people that might be performing a specific role. People and role titles will and often do change frequently. Those are the dynamic elements of organizational design that allow your organization to scale and meet specific objectives at defined points of time. Capabilities, on the other hand, are focused and related to specific IT processes.

    Redesigning an IT organizational structure can be a small or large change transformation for your organization. Create a structure that is equally mindful of the opportunities and the constraints that might exist and ensure it will drive the organization towards its vision with a successful implementation. If everyone understands why the IT organization needs to be structured that way, they are more likely to support and adopt the behaviors required to operate in the new structure.

    Executive Summary

    Your Challenge

    Your organization needs to reorganize itself because:

    • The current IT structure does not align to the strategic objectives of the organization.
    • There are inefficiencies in how the IT function is currently operating.
    • IT employees are unclear about their role and responsibilities, leading to inconsistencies.
    • New capabilities or a change in how the capabilities are organized is required to support the transformation.

    Common Obstacles

    Many organizations struggle when it comes redesigning their IT organizational structure because they:

    • Jump right into creating the new organizational chart.
    • Do not include the members of the IT leadership team in the changes.
    • Do not include the business in the changes.
    • Consider the context in which the change will take place and how to enable successful adoption.

    Info-Tech’s Approach

    Successful IT organization redesign includes:

    • Understanding the drivers, context, and strategies that will inform the structure.
    • Remaining objective by focusing on capabilities over people or roles.
    • Identifying gaps in delivery, sourcing strategies, customers, and degrees of centralization.
    • Remembering that organizational design is a change initiative and will require buy-in.

    Info-Tech Insight

    A successful redesign requires a strong foundation and a plan to ensure successful adoption. Without these, the organizational chart has little meaning or value.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Redesign the IT structure to align to the strategic objectives of the enterprise.
    • Increase the effectiveness in how the IT function is operating in the organization.
    • Provide clarity to employees around their roles and responsibilities.
    • Ensure there is an ability to support new IT capabilities and/or align capabilities to better support the direction of the organization.
    • Align the IT organization to support a business transformation such as becoming digitally enabled or engaging in M&A activities.

    Organizational design is a challenge for many IT and digital executives

    69% of digital executives surveyed indicated challenges related to structure, team silos, business-IT alignment, and required roles when executing on a digital strategy.

    Source: MIT Sloan, 2020

    Common obstacles

    These barriers make IT organizational redesign difficult to address for many organizations:

    • Confuse organizational design and organizational charts as the same thing.
    • Start with the organizational chart, not taking into consideration the foundational elements that will make that chart successful.
    • Fail to treat organizational redesign as a change management initiative and follow through with the change.
    • Exclude impacted or influential IT leaders and/or business stakeholders from the redesign process.
    • Leverage an operating model because it is trending.

    To overcome these barriers:

    • Understand the context in which the changes will take place.
    • Communicate the changes to those impacted to enable successful adoption and implementation of a new organizational structure.
    • Understand that organizational design is for more than just HR leaders now; IT executives should be driving this change.

    Succeed in Organizational Redesign

    75% The percentage of change efforts that fail.

    Source: TLNT, 2019

    55% The percentage of practitioners who identify how information flows between work units as a challenge for their organization.

    Source: Journal of Organizational Design, 2019

    Organizational design defined

    If your IT strategy is your map, your IT organizational design represents the optimal path to get there.

    IT organizational design refers to the process of aligning the organization’s structure, processes, metrics, and talent to the organization’s strategic plan to drive efficiency and effectiveness.

    Why is the right IT organizational design so critical to success?

    Adaptability is at the core of staying competitive today

    Structure is not just an organizational chart

    Organizational design is a never-ending process

    Digital technology and information transparency are driving organizations to reorganize around customer responsiveness. To remain relevant and competitive, your organizational design must be forward looking and ready to adapt to rapid pivots in technology or customer demand.

    The design of your organization dictates how roles function. If not aligned to the strategic direction, the structure will act as a bungee cord and pull the organization back toward its old strategic direction (ResearchGate.net, 2014). Structure supports strategy, but strategy also follows structure.

    Organization design is not a one-time project but a continuous, dynamic process of organizational self-learning and continuous improvement. Landing on the right operating model will provide a solid foundation to build upon as the organization adapts to new challenges and opportunities.

    Understand the organizational differences

    Organizational Design

    Organizational design the process in which you intentionally align the organizational structure to the strategy. It considers the way in which the organization should operate and purposely aligns to the enterprise vision. This process often considers centralization, sourcing, span of control, specialization, authority, and how those all impact or are impacted by the strategic goals.

    Operating Model

    Operating models provide an architectural blueprint of how IT capabilities are organized to deliver value. The placement of the capabilities can alter the culture, delivery of the strategic vision, governance model, team focus, role responsibility, and more. Operating model sketches should be foundational to the organizational design process, providing consistency through org chart changes.

    Organizational Structure

    The organizational structure is the chosen way of aligning the core processes to deliver. This can be strategic, or it can be ad hoc. We recommend you take a strategic approach unless ad hoc aligns to your culture and delivery method. A good organizational structure will include: “someone with authority to make the decisions, a division of labor and a set of rules by which the organization operates” (Bizfluent, 2019).

    Organizational Chart

    The capstone of this change initiative is an easy-to-read chart that visualizes the roles and reporting structure. Most organizations use this to depict where individuals fit into the organization and if there are vacancies. While this should be informed by the structure it does not necessarily depict workflows that will take place. Moreover, this is the output of the organizational design process.

    Sources: Bizfluent, 2019; Strategy & Business, 2015; SHRM, 2021

    The Technology Value Trinity

    The image contains a diagram of the Technology Value Trinity as described in the text below.

    All three elements of the Technology Value Trinity work in harmony to delivery business value and achieve strategic needs. As one changes, the others need to change as well.

    How do these three elements relate?

    • Digital and IT strategy tells you what you need to achieve to be successful.
    • Operating model and organizational design align resources to deliver on your strategy and priorities. This is done by strategically structuring IT capabilities in a way that enables the organizations vision and considers the context in which the structure will operate.
    • I&T governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy and is the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy.

    Too often strategy, organizational design, and governance are considered separate practices – strategies are defined without teams and resources to support. Structure must follow strategy.

    Info-Tech’s approach to organizational design

    Like a story, a strategy without a structure to deliver on it is simply words on paper.

    Books begin by setting the foundation of the story.

    Introduce your story by:

    • Defining the need(s) that are driving this initiative forward.
    • Introducing the business context in which the organizational redesign must take place.
    • Outlining what’s needed in the redesign to support the organization in reaching its strategic IT goals.

    The plot cannot thicken without the foundation. Your organizational structure and chart should not exist without one either.

    The steps to establish your organizational chart - with functional teams, reporting structure, roles, and responsibilities defined – cannot occur without a clear definition of goals, need, and context. An organizational chart alone won’t provide the insight required to obtain buy-in or realize the necessary changes.

    Conclude your story through change management and communication.

    Good stories don’t end without referencing what happened before. Use the literary technique of foreshadowing – your change management must be embedded throughout the organizational redesign process. This will increase the likelihood that the organizational structure can be communicated, implemented, and reinforced by stakeholders.

    Info-Tech uses a capability-based approach to help you design your organizational structure

    Once your IT strategy is defined, it is critical to identify the capabilities that are required to deliver on those strategic initiatives. Each initiative will require a combination of these capabilities that are only supported through the appropriate organization of roles, skills, and team structures.

    The image contains a diagram of the various services and blueprints that Info-Tech has to offer.

    Embed change management into organizational design

    Change management practices are needed from the onset to ensure the implementation of an organizational structure.

    For each phase of this blueprint, its important to consider change management. These are the points when you need to communicate the structure changes:

    • Phase 1: Begin to socialize the idea of new organizational structure with executive leadership and explain how it might be impactful to the context of the organization. For example, a new control, governance model, or sourcing approach could be considered.
    • Phase 2: The chosen operating model will influence your relationships with the business and can create/eliminate silos. Ensure IT and business leaders have insight into these possible changes and a willingness to move forward.
    • Phase 3: The new organizational structure could create or eliminate teams, reduce or increase role responsibilities, and create different reporting structures than before. It’s time to communicate these changes with those most impacted and be able to highlight the positive outcomes of the various changes.
    • Phase 4: Should consider the change management practices holistically. This includes the type of change and length of time to reach the end state, communication, addressing active resistors, acquiring the right skills, and measuring the success of the new structure and its adoption.

    Info-Tech Insight

    Do not undertake an organizational redesign initiative if you will not engage in change management practices that are required to ensure its successful adoption.

    Measure the value of the IT organizational redesign

    Given that the organizational redesign is intended to align with the overall vision and objectives of the business, many of the metrics that support its success will be tied to the business. Adapt the key performance indicators (KPIs) that the business is using to track its success and demonstrate how IT can enable the business and improve its ability to reach those targets.

    Strategic Resources

    The percentage of resources dedicated to strategic priorities and initiatives supported by IT operating model. While operational resources are necessary, ensuring people are allocating time to strategic initiatives as well will drive the business towards its goal state. Leverage Info-Tech’s IT Staffing Assessment diagnostic to benchmark your IT resource allocation.

    Business Satisfaction

    Assess the improvement in business satisfaction overall with IT year over year to ensure the new structure continues to drive satisfaction across all business functions. Leverage Info-Tech’s CIO Business Vision diagnostic to see how your IT organization is perceived.

    Role Clarity

    The degree of clarity that IT employees have around their role and its core responsibilities can lead to employee engagement and retention. Consider measuring this core job driver by leveraging Info-Tech’s Employee Engagement Program.

    Customer & User Satisfaction

    Measure customer satisfaction with technology-enabled business services or products and improvements in technology-enabled client acquisition or retention processes. Assess the percentage of users satisfied with the quality of IT service delivery and leverage Info-Tech’s End-User Satisfaction Survey to determine improvements.

    Info-Tech’s methodology for Redesigning Your IT Organization

    Phase

    1. Establish the Organizational Design Foundation

    2. Create the Operating Model Sketch

    3. Formalize the Organizational Structure

    4. Plan for Implementation and Change

    Phase Outcomes

    Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process.

    Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment.

    Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities.

    Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders.

    Insight summary

    Overarching insight

    Organizational redesign processes focus on defining the ways in which you want to operate and deliver on your strategy – something an organizational chart will never be able to convey.

    Phase 1 insight

    Focus on your organization, not someone else's’. Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context.

    Phase 2 insight

    An operating model sketch that is customized to your organization’s specific situation and objectives will significantly increase the chances of creating a purposeful organizational structure.

    Phase 3 insight

    If you follow the steps outlined in the first three phases, creating your new organizational chart should be one of the fastest activities.

    Phase 4 insight

    Throughout the creation of a new organizational design structure, it is critical to involve the individuals and teams that will be impacted.

    Tactical insight

    You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:


    Communication Deck

    Communicate the changes to other key stakeholders such as peers, managers, and staff.

    Workbook

    As you work through each of the activities, use this workbook as a place to document decisions and rationale.

    Reference Deck

    Definitions for every capability, base operating model sketches, and sample organizational charts aligned to those operating models.

    Job Descriptions

    Key deliverable:

    Executive Presentation

    Leverage this presentation deck to gain executive buy-in for your new organizational structure.

    Blueprint benefits

    IT Benefits

    • Create an organizational structure that aligns to the strategic goals of IT and the business.
    • Provide IT employees with clarity on their roles and responsibilities to ensure the successful delivery of IT capabilities.
    • Highlight and sufficiently staff IT capabilities that are critical to the organization.
    • Define a sourcing strategy for IT capabilities.
    • Increase employee morale and empowerment.

    Business Benefits

    • IT can carry out the organization’s strategic mission and vision of all technical and digital initiatives.
    • Business has clarity on who and where to direct concerns or questions.
    • Reduce the likelihood of turnover costs as IT employees understand their roles and its importance.
    • Create a method to communicate how the organizational structure aligns with the strategic initiatives of IT.
    • Increase ability to innovate the organization.

    Executive Brief Case Study

    IT design needs to support organizational and business objectives, not just IT needs.

    INDUSTRY: Government

    SOURCE: Analyst Interviews and Working Sessions

    Situation

    IT was tasked with providing equality to the different business functions through the delivery of shared IT services. The government created a new IT organizational structure with a focus on two areas in particular: strategic and operational support capabilities.

    Challenge

    When creating the new IT structure, an understanding of the complex and differing needs of the business functions was not reflected in the shared services model.

    Outcome

    As a result, the new organizational structure for IT did not ensure adequate meeting of business needs. Only the operational support structure was successfully adopted by the organization as it aligned to the individual business objectives. The strategic capabilities aspect was not aligned to how the various business lines viewed themselves and their objectives, causing some partners to feel neglected.

    Info-Tech offers various levels of support to best suit your needs.

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    Call #1: Define the process, understand the need, and create a plan of action.

    Phase 2

    Call #2: Define org. design drivers and business context.

    Call #3: Understand strategic influences and create customized design principles.

    Call #4: Customize, analyze gaps, and define sourcing strategy for IT capabilities.

    Call #5: Select and customize the IT operating model sketch.

    Phase 3

    Call #6: Establish functional work units and their mandates.

    Call #7: Translate the functional organizational chart to an operational organizational chart with defined roles.

    Phase 4

    Call #8: Consider risks and mitigation tactics associated with the new structure and select a transition plan.

    Call #9: Create your change message, FAQs, and metrics to support the implementation plan.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Organizational Redesign Foundation

    Create the Operating Model Sketch

    Formalize the Organizational Structure

    Plan for Implementation and Change

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Define the org. design drivers.

    1.2 Document and define the implications of the business context.

    1.3 Align the structure to support the strategy.

    1.4 Establish guidelines to direct the organizational design process.

    2.1 Augment list of IT capabilities.

    2.2 Analyze capability gaps.

    2.3 Identify capabilities for outsourcing.

    2.4 Select a base operating model sketch.

    2.5 Customize the IT operating model sketch.

    3.1 Categorize your IT capabilities within your defined functional work units.

    3.2 Create a mandate statement for each work unit.

    3.3 Define roles inside the work units and assign accountability and responsibility.

    3.4 Finalize your organizational structure.

    4.1 Identify and mitigate key org. design risks.

    4.2 Define the transition plan.

    4.3 Create the change communication message.

    4.4 Create a standard set of FAQs.

    4.5 Align sustainment metrics back to core drivers.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Foundational components to the organizational design
    2. Customized design principles
    1. Heat mapped IT capabilities
    2. Defined outsourcing strategy
    3. Customized operating model
    1. Capabilities organized into functional groups
    2. Functional work unit mandates
    3. Organizational chart
    1. Risk mitigation plan
    2. Change communication message
    3. Standard FAQs
    4. Implementation and sustainment metrics
    1. Completed organizational design communications deck

    This blueprint is part one of a three-phase approach to organizational transformation

    PART 1: DESIGN

    PART 2: STRUCTURE

    PART 3: IMPLEMENT

    IT Organizational Architecture

    Organizational Sketch

    Organizational Structure

    Organizational Chart

    Transition Strategy

    Implement Structure

    1. Define the organizational design drivers, business context, and strategic alignment.

    2. Create customized design principles.

    3. Develop and customize a strategically aligned operating model sketch.

    4. Define the future-state work units.

    5. Create future-state work unit mandates.

    6. Define roles by work unit.

    7. Turn roles into jobs with clear capability accountabilities and responsibilities.

    8. Define reporting relationships between jobs.

    9. Assess options and select go-forward organizational sketch.

    11. Validate organizational sketch.

    12. Analyze workforce utilization.

    13. Define competency framework.

    14. Identify competencies required for jobs.

    15. Determine number of positions per job

    16. Conduct competency assessment.

    17. Assign staff to jobs.

    18. Build a workforce and staffing plan.

    19. Form an OD implementation team.

    20. Develop change vision.

    21. Build communication presentation.

    22. Identify and plan change projects.

    23. Develop organizational transition plan.

    24. Train managers to lead through change.

    25. Define and implement stakeholder engagement plan.

    26. Develop individual transition plans.

    27. Implement transition plans.

    Risk Management: Create, implement, and monitor risk management plan.

    HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.

    Monitor and Sustain Stakeholder Engagement

    Phase 1

    Establish the Organizational Redesign Foundation

    This phase will walk you through the following activities:

    1.1 Define the organizational redesign driver(s)

    1.2 Create design principles based on the business context

    1.3a (Optional Exercise) Identify the capabilities from your value stream

    1.3b Identify the capabilities required to deliver on your strategies

    1.4 Finalize your list of design principles

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership

    Embed change management into the organizational design process

    Articulate the Why

    Changes are most successful when leaders clearly articulate the reason for the change – the rationale for the organizational redesign of the IT function. Providing both staff and executive leaders with an understanding for this change is imperative to its success. Despite the potential benefits to a redesign, they can be disruptive. If you are unable to answer the reason why, a redesign might not be the right initiative for your organization.

    Employees who understand the rationale behind decisions made by executive leaders are 3.6 times more likely to be engaged.

    McLean & Company Engagement Survey Database, 2021; N=123,188

    Info-Tech Insight

    Successful adoption of the new organizational design requires change management from the beginning. Start considering how you will convey the need for organizational change within your IT organization.

    The foundation of your organizational design brings together drivers, context, and strategic implications

    All aspects of your IT organization’s structure should be designed with the business’ context and strategic direction in mind.

    Use the following set of slides to extract the key components of your drivers, business context, and strategic direction to land on a future structure that aligns with the larger strategic direction.

    REDESIGN DRIVERS

    Driver(s) can originate from within the IT organization or externally. Ensuring the driver(s) are easy to understand and articulate will increase the successful adoption of the new organizational structure.

    BUSINESS CONTEXT

    Defines the interactions that occur throughout the organization and between the organization and external stakeholders. The context provides insight into the environment by both defining the purpose of the organization and the values that frame how it operates.

    STRATEGY IMPLICATIONS

    The IT strategy should be aligned to the overall business strategy, providing insight into the types of capabilities required to deliver on key IT initiatives.

    Understand IT’s desired maturity level, alignment with business expectations, and capabilities of IT

    Where are we today?

    Determine the current overall maturity level of the IT organization.

    Where do we want to be as an organization?

    Use the inputs from Info-Tech’s diagnostic data to determine where the organization should be after its reorganization.

    How can you leverage these results?

    The result of these diagnostics will inform the design principles that you’ll create in this phase.

    Leverage Info-Tech’s diagnostics to provide an understanding of critical areas your redesign can support:

    CIO Business Vision Diagnostic

    Management & Governance Diagnostic

    IT Staffing Diagnostic

    The image contains a picture of Info-Tech's maturity ladder.

    Consider the organizational design drivers

    Consider organizational redesign if …

    Effectiveness is a concern:

    • Insufficient resources to meet demand
    • Misalignment to IT (and business) strategies
    • Lack of clarity around role responsibility or accountability
    • IT functions operating in silos

    New capabilities are needed:

    • Organization is taking on new capabilities (digital, transformation, M&A)
    • Limited innovation
    • Gaps in the capabilities/services of IT
    • Other external environmental influences or changes in strategic direction

    Lack of business understanding

    • Misalignment between business and IT or how the organization does business
    • Unhappy customers (internal or external)

    Workforce challenges

    • Frequent turnover or inability to attract new skills
    • Low morale or employee empowerment

    These are not good enough reasons …

    • New IT leader looking to make a change for the sake of change or looking to make their legacy known
    • To work with specific/hand-picked leaders over others
    • To “shake things up” to see what happens
    • To force the organization to see IT differently

    Info-Tech Insight

    Avoid change for change’s sake. Restructuring could completely miss the root cause of the problem and merely create a series of new ones.

    1.1 Define the organizational redesign driver(s)

    1-2 hours

    1. As a group, brainstorm a list of current pain points or inhibitors in the current organizational structure, along with a set of opportunities that can be realized during your restructuring. Group these pain points and opportunities into themes.
    2. Leverage the pain points and opportunities to help further define why this initiative is something you’re driving towards. Consider how you would justify this initiative to different stakeholders in the organization.
    3. Questions to consider:
      1. Who is asking for this initiative?
      2. What are the primary benefits this is intended to produce?
      3. What are you optimizing for?
      4. What are we capable of achieving as an IT organization?
      5. Are the drivers coming from inside or outside the IT organization?
    4. Once you’ve determined the drivers for redesigning the IT organization, prioritize those drivers to ensure there is clarity when communicating why this is something you are focusing time and effort on.

    Input

    Output

    • Knowledge of the current organization
    • Pain point and opportunity themes
    • Defined drivers of the initiative

    Materials

    Participants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Frame the organizational design within the context of the business

    Workforce Considerations:

    • How does your organization view its people resources? Does it have the capacity to increase the number of resources?
    • Do you currently have sufficient staff to meet the demands of the organization? Are you able to outsource resources when demand requires it?
    • Are the members of your IT organization unionized?
    • Is your workforce distributed? Do time zones impact how your team can collaborate?

    Business Context Consideration

    IT Org. Design Implication

    Culture:

    Culture, "the way we do things here,” has huge implications for executing strategy, driving engagement, and providing a guiding force that ensures organizations can work together toward common goals.

    • What is the culture of your organization? Is it cooperative, traditional, competitive, or innovative? (See appendix for details.)
    • Is this the target culture or a stepping-stone to the ideal culture?
    • How do the attitudes and behaviors of senior leaders in the organization reinforce this culture?

    Consider whether your organization’s culture can accept the operating model and organizational structure changes that make sense on paper.

    Certain cultures may lean toward particular operating models. For example, the demand-develop-service operating model may be supported by a cooperative culture. A traditional organization may lean towards the plan-build-run operating model.

    Ensure you have considered your current culture and added exercises to support it.

    If more capacity is required to accomplish the goals of the organization, you’ll want to prepare the leaders and explain the need in your design principles (to reflect training, upskilling, or outsourcing). Unionized environments require additional consideration. They may necessitate less structural changes, and so your principles will need to reflect other alternatives (hiring additional resources, creative options) to support organizational needs. Hybrid or fully remote workforces may impact how your organization interacts.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Control & Governance:

    It is important to consider how your organization is governed, how decisions are made, and who has authority to make decisions.

    Strategy tells what you do, governance validates you’re doing the right things, and structure is how you execute on what’s been approved.

    • How do decisions get considered and approved in your organization? Are there specific influences that impact the priorities of the organization?
    • Are those in the organization willing to release decision-making authority around specific IT components?
    • Should the organization take on greater accountability for specific IT components?

    Organizations that require more controls may lean toward more centralized governance. Organizations that are looking to better enable and empower their divisions (products, groups, regions, etc.) may look to embed governance in these parts of the organization.

    For enterprise organizations, consider where IT has authority to make decisions (at the global, local, or system level). Appropriate governance needs to be built into the appropriate levels.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Financial Constraints:

    Follow the money: You may need to align your IT organization according to the funding model.

    • Do partners come to IT with their budgets, or does IT have a central pool that they use to fund initiatives from all partners?
    • Are you able to request finances to support key initiatives/roles prioritized by the organization?
    • How is funding aligned: technology, data, digital, etc.? Is your organization business-line funded? Pooled?
    • Are there special products or digital transformation initiatives with resources outside IT? Product ownership funding?
    • How are regulatory changes funded?
    • Do you have the flexibility to adjust your budget throughout the fiscal year?
    • Are chargebacks in place? Are certain services charged back to business units

    Determine if you can move forward with a new model or if you can adjust your existing one to suit the financial constraints.

    If you have no say over your funding, pre-work may be required to build a business case to change your funding model before you look at your organizational structure – without this, you might have to rule out centralized and focus on hybrid/centralized. If you don’t control the budget (funding comes from your partners), it will be difficult to move to a more centralized model.

    A federated business organization may require additional IT governance to help prioritize across the different areas.

    Budgets for digital transformation might come from specific areas of the business, so resources may need to be aligned to support that. You’ll have to consider how you will work with those areas. This may also impact the roles that are going to exist within your IT organization – product owners or division owners might have more say.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Business Perspective of IT:

    How the business perceives IT and how IT perceives itself are sometimes not aligned. Make sure the business’ goals for IT are well understood.

    • Are your business partners satisfied if IT is an order taker? Do they agree with the need for IT to become a business partner? Is IT expected to innovate and transform the organization?
    • Is what the business needs from IT the same as what IT is providing currently?

    Business Organization Structure and Growth:

    • How is the overall organization structured: Centralized/decentralized? Functionally aligned? Divided by regions?
    • In what areas does the organization prioritize investments?
    • Is the organization located across a diverse geography?
    • How big is the organization?
    • How is the organization growing and changing – by mergers and acquisitions?

    If IT needs to become more of a business partner, you’ll want to define what that means to your organization and focus on the capabilities to enable this. Educating your partners might also be required if you’re not aligned.

    For many organizations, this will include stakeholder management, innovation, and product/project management. If IT and its business partners are satisfied with an order-taker relationship, be prepared for the consequences of that.

    A global organization will require different IT needs than a single location. Specifically, site reliability engineering (SRE) or IT support services might be deployed in each region. Organizations growing through mergers and acquisitions can be structured differently depending on what the organization needs from the transaction. A more centralized organization may be appropriate if the driver is reuse for a more holistic approach, or the organization may need a more decentralized organization if the acquisitions need to be handled uniquely.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Sourcing Strategy:

    • What are the drivers for sourcing? Staff augmentation, best practices, time zone support, or another reason?
    • What is your strategy for sourcing?
    • Does IT do all of your technology work, or are parts being done by business or other units?
    • Are we willing/able to outsource, and will that place us into non-compliance (regulations)?
    • Do you have vendor management capabilities in areas that you might outsource?
    • How cloud-driven is your organization?
    • Do you have global operations?

    Change Tolerance:

    • What’s your organization’s tolerance to make changes around organizational design?
    • What's the appetite and threshold for risk?

    Your sourcing strategy affects your organizational structure, including what capabilities you group together. Since managing outsourced capabilities also includes the need for vendor management, you’ll need to ensure there aren’t too many capabilities required per leader. Look closely at what can be achieved through your operating model if IT is done through other groups. Even though these groups may not be in scope of your organization changes, you need to ensure your IT team works with them effectively.

    If your organization is going to push back if there are big structural changes, consider whether the changes are truly necessary. It may be preferred to take baby steps – use an incremental versus big-bang approach.

    A need for incremental change might mean not making a major operating model change.

    Business context considerations

    Business Context Consideration

    IT Org Design. Implication

    Stakeholder Engagement & Focus:

    Identify who your customers and stakeholders are; clarify their needs and engagement model.

    • Who is the customer for IT products and services?
    • Is your customer internal? External? Both?
    • How much of a priority is customer focus for your organization?
    • How will IT interact with customers, end users, and partners? What is the engagement model desired?

    Business Vision, Services, and Products:

    Articulate what your organization was built to do.

    • What does the organization create or provide?
    • Are these products and services changing?
    • What are the most critical capabilities to your organization?
    • What makes your organization a success? What are critical success factors of the organization and how are they measuring this to determine success?

    For a customer or user focus, ensure capabilities related to understanding needs (stakeholder, UX, etc.) are prioritized. Hybrid, decentralized, or demand-develop-service models often have more of a focus on customer needs.

    Outsourcing the service desk might be a consideration if there’s a high demand for the service. A differentiation between these users might mean there’s a different demand for services.

    Think broadly in terms of your organizational vision, not just the tactical (widget creation). You might need to choose an operating model that supports vision.

    Do you need to align your organization with your value stream? Do you need to decentralize specific capabilities to enable prioritization of the key capabilities?

    1.2 Create design principles based on the business context

    1-3 hours

    1. Discuss the business context in which the IT organizational redesign will be taking place. Consider the following standard components of the business context; include other relevant components specific to your organization:
    • Culture
    • Workforce Considerations
    • Control and Governance
    • Financial Constraints
    • Business Perspective of IT
    • Business Organization Structure and Growth
    • Sourcing Strategy
    • Change Tolerance
    • Stakeholder Engagement and Focus
    • Business Vision, Services, and Products
  • Different stakeholders can have different perspectives on these questions. Be sure to consider a holistic approach and engage these individuals.
  • Capture your findings and use them to create initial design principles.
  • Input

    Output

    • Business context
    • Design principles reflecting how the business context influences the organizational redesign for IT

    Materials

    Participants

    • Whiteboard/flip charts (physical or electronic)
    • List of Context Questions
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    How your IT organization is structured needs to reflect what it must be built to do

    Structure follows strategy – the way you design will impact what your organization can produce.

    Designing your IT organization requires an assessment of what it needs to be built to do:

    • What are the most critical capabilities that you need to deliver, and what does success look like in those different areas?
    • What are the most important things that you deliver overall in your organization?

    The IT organization must reflect your business needs:

    • Understand your value stream and/or your prioritized business goals.
    • Understand the impact of your strategies – these can include your overall digital strategy and/or your IT strategy

    1.3a (Optional Exercise) Identify the capabilities from your value stream

    1 hour

    1. Identify your organization’s value stream – what your overall organization needs to do from supplier to consumer to provide value. Leverage Info-Tech’s industry reference architectures if you haven’t identified your value stream, or use the Document Your Business Architecture blueprint to create yours.
    2. For each item in your value stream, list capabilities that are critical to your organizational strategy and IT needs to further invest in to enable growth.
    3. Also, list those that need further support, e.g. those that lead to long wait times, rework time, re-tooling, down-time, unnecessary processes, unvaluable processes.*
    4. Capture the IT capabilities required to enable your business in your draft principles.
    The image contains a screenshot of the above activity: Sampling Manufacturing Business Capabilities.
    Source: Six Sigma Study Guide, 2014
    Input Output
    • Organization’s value stream
    • List of IT capabilities required to support the IT strategy
    Materials Participants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Your strategy will help you decide on your structure

    Ensure that you have a clear view of the goals and initiatives that are needed in your organization. Your IT, digital, business, and/or other strategies will surface the IT capabilities your organization needs to develop. Identify the goals of your organization and the initiatives that are required to deliver on them. What capabilities are required to enable these? These capabilities will need to be reflected in your design principles.

    Sample initiatives and capabilities from an organization’s strategies

    The image contains a screenshot of sample initiatives and capabilities from an organization's strategies.

    1.3b Identify the capabilities required to deliver on your strategies

    1 hour

    1. For each IT goal, there may be one or more initiatives that your organization will need to complete in order to be successful.
    2. Document those goals and infinitives. For each initiative, consider which core IT capabilities will be required to deliver on that goal. There might be one IT capability or there might be several.
    3. Identify which capabilities are being repeated across the different initiatives. Consider whether you are currently investing in those capabilities in your current organizational structure.
    4. Highlight the capabilities that require IT investment in your design principles.
    InputOutput
    • IT goals
    • IT initiatives
    • IT, digital, and business strategies
    • List of IT capabilities required to support the IT strategy
    MaterialsParticipants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Create your organizational design principles

    Your organizational design principles should define a set of loose rules that can be used to design your organizational structure to the specific needs of the work that needs to be done. These rules will guide you through the selection of the appropriate operating model that will meet your business needs. There are multiple ways you can hypothetically organize yourself to meet these needs, and the design principles will point you in the direction of which solution is the most appropriate as well as explain to your stakeholders the rationale behind organizing in a specific way. This foundational step is critical: one of the key reasons for organizational design failure is a lack of requisite time spent on the front-end understanding what is the best fit.

    The image contains an example of organizing design principles as described above.

    1.4 Finalize your list of design principles

    1-3 hours

    1. As a group, review the key outputs from your data collection exercises and their implications.
    2. Consider each of the previous exercises – where does your organization stand from a maturity perspective, what is driving the redesign, what is the business context, and what are the key IT capabilities requiring support. Identify how each will have an implication on your organizational redesign. Leverage this conversation to generate design principles.
    3. Vote on a finalized list of eight to ten design principles that will guide the selection of your operating model. Have everyone leave the meeting with these design principles so they can review them in more detail with their work units or functional areas and elicit any necessary feedback.
    4. Reconvene the group that was originally gathered to create the list of design principles and make any final amendments to the list as necessary. Use this opportunity to define exactly what each design principle means in the context of your organization so everyone has the same understanding of what this means moving forward.
    InputOutput
    • Organizational redesign drivers
    • Business context
    • IT strategy capabilities
    • Organizational design principles to help inform the selection of the right operating model sketch
    MaterialsParticipants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Example design principles

    Your eight to ten design principles will be those that are most relevant to YOUR organization. Below are samples that other organizations have created, but yours will not be the same.

    Design Principle

    Description

    Decision making

    We will centralize decision making around the prioritization of projects to ensure that the initiatives driving the most value for the organization as a whole are executed.

    Fit for purpose

    We will build and maintain fit-for-purpose solutions based on business units’ unique needs.

    Reduction of duplication

    We will reduce role and application duplication through centralized management of assets and clearly differentiated roles that allow individuals to focus within key capability areas.

    Managed security

    We will manage security enterprise-wide and implement compliance and security governance policies.

    Reuse > buy > build

    We will maximize reuse of existing assets by developing a centralized application portfolio management function and approach.

    Managed data

    We will create a specialized data office to provide data initiatives with the focus they need to enable our strategy.

    Design Principle

    Description

    Controlled technical diversity

    We will control the variety of technology platforms we use to allow for increased operability and reduction of costs.

    Innovation

    R&D and innovation are critical – we will build an innovation team into our structure to help us meet our digital agenda.

    Resourcing

    We will separate our project and maintenance activities to ensure each are given the dedicated support they need for success and to reduce the firefighting mentality.

    Customer centricity

    The new structure will be directly aligned with customer needs – we will have dedicated roles around relationship management, requirements, and strategic roadmapping for business units.

    Interoperability

    We will strengthen our enterprise architecture practices to best prepare for future mergers and acquisitions.

    Cloud services

    We will move toward hosted versus on-premises infrastructure solutions, retrain our data center team in cloud best practices, and build roles around effective vendor management, cloud provisioning, and architecture.

    Phase 2

    Create the Operating Model Sketch

    This phase will walk you through the following activities:

    2.1 Augment the capability list

    2.2 Heatmap capabilities to determine gaps in service

    2.3 Identify the target state of sourcing for your IT capabilities

    2.4 Review and select a base operating model sketch

    2.5 Customize the selected overlay to reflect the desired future state

    This phase involves the following participants:

    • CIO
    • IT Leadership

    Embed change management into the organizational design process

    Gain Buy-In

    Obtain desire from stakeholders to move forward with organizational redesign initiative by involving them in the process to gain interest. This will provide the stakeholders with assurance that their concerns are being heard and will help them to understand the benefits that can be anticipated from the new organizational structure.

    “You’re more likely to get buy-in if you have good reason for the proposed changes – and the key is to emphasize the benefits of an organizational redesign.”

    Source: Lucid Chart

    Info-Tech Insight

    Just because people are aware does not mean they agree. Help different stakeholders understand how the change in the organizational structure is a benefit by specifically stating the benefit to them.

    Info-Tech uses capabilities in your organizational design

    We differentiate between capabilities and competencies.

    Capabilities

    • Capabilities are focused on the entire system that would be in place to satisfy a particular need. This includes the people who are competent to complete a specific task and also the technology, processes, and resources to deliver.
    • Capabilities work in a systematic way to deliver on specific need(s).
    • A functional area is often made up of one or more capabilities that support its ability to deliver on that function.
    • Focusing on capabilities rather then the individuals in organizational redesign enables a more objective and holistic view of what your organization is striving toward.

    Competencies

    • Competencies on the other hand are specific to an individual. It determines if the individual poses the skills or ability to perform.
    • Competencies are rooted in the term competent, which looks to understand if you are proficient enough to complete the specific task at hand.
    • Source: The People Development Magazine, 2020

    Use our IT capabilities to establish your IT organization design

    The image contains a diagram of the various services and blueprints that Info-Tech has to offer.

    2.1 Augment the capability list

    1-3 hours

    1. Using the capability list on the previous slide, go through each of the IT capabilities and remove any capabilities for which your IT organization is not responsible and/or accountable. Refer to the Operating Model and Capability Definition List for descriptions of each of the IT capabilities.
    2. Augment the language of specific capabilities that you feel are not directly reflective of what is being done within your organizational context or that you feel need to be changed to reflect more specifically how work is being done in your organization.
    • For example, some organizations may refer to their service desk capability as help desk or regional support. Use a descriptive term that most accurately reflects the terminology used inside the organization today.
  • Add any core capabilities from your organization that are missing from the provided IT capability list.
    • For example, organizations that leverage DevOps capabilities for their product development may desire to designate this in their operating model.
  • Document the rationale for decisions made for future reference.
  • Input Output
    • Baseline list of IT capabilities
    • IT capabilities required to support IT strategy
    • Customized list of IT capabilities
    Materials Participants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Gaps in delivery

    Identify areas that require greater focus and attention.

    Assess the gaps between where you currently are and where you need to be. Evaluate how critical and how effective your capabilities are:

    • Criticality = Importance
      • Try to focus on those which are highly critical to the organization.
      • These may be capabilities that have been identified in your strategies as areas to focus on.
    • Effectiveness = Performance
      • Identify those where the process or system is broken or ineffective, preventing the team from delivering on the capability.
      • Effectiveness could take into consideration how scalable, adaptable, or sustainable each capability is.
      • Focus on the capabilities that are low or medium in effectiveness but highly critical. Addressing the delivery of these capabilities will lead to the most positive outcomes in your organization.

    Remember to identify what allows the highly effective capabilities to perform at the capacity they are. Leverage this when increasing effectiveness elsewhere.

    High Gap

    There is little to no effectiveness (high gap) and the capability is highly important to your organization.

    Medium Gap

    Current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.

    Low Gap

    Current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.

    2.2 Heatmap capabilities to determine gaps in delivery

    1-3 hours

    1. At this point, you should have identified what capabilities you need to have to deliver on your organization's goals and initiatives.
    2. Convene a group of the key stakeholders involved in the IT organizational design initiative.
    3. Review your IT capabilities and color each capability border according to the effectiveness and criticality of that capability, creating a heat map.
    • Green indicates current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.
    • Yellow indicates current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.
    • Red indicates that there is little to no effectiveness (high gap) and the capability is highly important to your organization.
    Input Output
    • Selected capabilities from activity 2.1
    • Gap analysis in delivery of capabilities currently
    Materials Participants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Don’t forget the why: why are you considering outsourcing?

    There are a few different “types” of outsourcing:

    1. Competitive Advantage – Working with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
    2. Managed Service– The third party manages a capability or function for your organization.
    3. Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.

    Weigh which sourcing model(s) will best align with the needed capabilities to deliver effectively

    Insourcing

    Staff Augmentation

    Managed Service

    Competitive Advantage

    Description

    The organization maintains full responsibility for the management and delivery of the IT capability or service.

    Vendor provides specialized skills and enables the IT capability or service together with the organization to meet demand.

    Vendor completely manages the delivery of value for the IT capability, product or service.

    Vendor has unique skills, insights, and best practices that can be taught to staff to enable insourced capability and competency.

    Benefits

    • Retains in-house control over proprietary knowledge and assets that provide competitive or operational advantage.
    • Gains efficiency due to integration into the organization’s processes.
    • Provision of unique skills.
    • Addresses variation in demand for resources.
    • Labor cost savings.
    • Improves use of internal resources.
    • Improves effectiveness due to narrow specialization.
    • Labor cost savings.
    • Gain insights into aspects that could provide your organization with advantages over competitors.
    • Long-term labor cost savings.
    • Short-term outsourcing required.
    • Increase in-house competencies.

    Drawbacks

    • Quality of services/capabilities might not be as high due to lack of specialization.
    • No labor cost savings.
    • Potentially inefficient distribution of labor for the delivery of services/capabilities.
    • Potential conflicts in management or delivery of IT services and capabilities.
    • Negative impact on staff morale.
    • Limited control over services/capabilities.
    • Limited integration into organization’s processes.
    • Short-term labor expenses.
    • Requires a culture of continuous learning and improvement.

    Your strategy for outsourcing will vary with capability and capacity

    The image contains a diagram to show the Develop Vendor Management Capabilities, as described in the text below.

    Capability

    Capacity

    Outsourcing Model

    Low

    Low

    Your solutions may be with you for a long time, so it doesn’t matter whether it is a strategic decision to outsource development or if you are not able to attract the talent required to deliver in your market. Look for a studio, agency, or development shop that has a proven reputation for long-term partnership with its clients.

    Low

    High

    Your team has capacity but needs to develop new skills to be successful. Look for a studio, agency, or development shop that has a track record of developing its customers and delivering solutions.

    High

    Low

    Your organization knows what it is doing but is strapped for people. Look at “body shops” and recruiting agencies that will support short-term development contracts that can be converted to full-time staff or even a wholesale development shop acquisition.

    High

    High

    You have capability and capacity for delivering on your everyday demands but need to rise to the challenge of a significant, short-term rise in demand on a critical initiative. Look for a major system integrator or development shop with the specific expertise in the appropriate technology.

    Use these criteria to inform your right sourcing strategy

    Sourcing Criteria

    Description

    Determine whether you’ll outsource using these criteria

    1. Critical or commodity

    Determine whether the component to be sourced is critical to your organization or if it is a commodity. Commodity components, which are either not strategic in nature or related to planning functions, are likely candidates for outsourcing. Will you need to own the intellectual property created by the third party? Are you ok if they reuse that for their other clients?

    2. Readiness to outsource

    Identify how easy it would be to outsource a particular IT component. Consider factors such as knowledge transfer, workforce reassignment or reduction, and level of integration with other components.

    Vendor management readiness – ensuring that you have sufficient capabilities to manage vendors – should also be considered here.

    3. In-house capabilities

    Determine if you have the capability to deliver the IT solutions in-house. This will help you establish how easy it would be to insource an IT component.

    4. Ability to attract resources (internal vs. outsourced)

    Determine if the capability is one that is easily sourced with full-time, internal staff or if it is a specialty skill that is best left for a third-party to source.

    Determine your sourcing model using these criteria

    5. Cost

    Consider the total cost (investment and ongoing costs) of the delivery of the IT component for each of the potential sourcing models for a component.

    6. Quality

    Define the potential impact on the quality of the IT component being sourced by the possible sourcing models.

    7. Compliance

    Determine whether the sourcing model would fit with regulations in your industry. For example, a healthcare provider would only go for a cloud option if that provider is HIPAA compliant.

    8. Security

    Identify the extent to which each sourcing option would leave your organization open to security threats.

    9. Flexibility

    Determine the extent to which the sourcing model will allow your organization to scale up or down as demand changes.

    2.3 Identify capabilities that could be outsourced

    1-3 hours

    1. For each of the capabilities that will be in your future-state operating model, determine if it could be outsourced. Review the sourcing criteria available on the previous slide to help inform which sourcing strategy you will use for each capability.
    2. When looking to outsource or co-source capabilities, consider why that capability would be outsourced:
    • Competitive Advantage – Work with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
    • Managed Service – The third party manages a capability or function for your organization.
    • Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.
  • Place an asterisk (*) around the capabilities that will be leveraging one of the three previous sourcing options.
  • InputOutput
    • Customized IT capabilities
    • Sourcing strategy for each IT capability
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    What is an operating model?

    Leverage a cohesive operating model throughout the organizational design process.

    An IT operating model sketch is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint.

    The visual should be the optimization and alignment of the IT organization’s structure to deliver the capabilities required to achieve business goals. Additionally, it should clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization. Investing time in the front end getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and your model to change as the business changes.

    The image contains an example of an operating model as described in the text above.

    Info-Tech Insight

    Every structure decision you make should be based on an identified need, not on a trend.Build your IT organization to enable the priorities of the organization.

    Each IT operating model is characterized by a variety of advantages and disadvantages

    Centralized

    Hybrid

    Decentralized

    Advantages
    • Maximum flexibility to allocate IT resources across business units.
    • Low-cost delivery model and greatest economies of scale.
    • Control and consistency offers opportunity for technological rationalization and standardization and volume purchasing at the highest degree.
    • Centralizes processes and services that require consistency across the organization.
    • Decentralizes processes and services that need to be responsive to local market conditions.
    • Eliminates duplication and redundancy by allowing effective use of common resources (e.g. shared services, standardization).
    • Goals are aligned to the distinct business units or functions.
    • Greater flexibility and more timely delivery of services.
    • Development resources are highly knowledgeable about business-unit-specific applications.
    • Business unit has greatest control over IT resources and can set and change priorities as needed.

    Disadvantages

    • Less able to respond quickly to local requirements with flexibility.
    • IT can be resistant to change and unwilling to address the unique needs of end users.
    • Business units can be frustrated by perception of lack of control over resources.
    • Development of special business knowledge can be limited.
    • Requires the most disciplined governance structure and the unwavering commitment of the business; therefore, it can be the most difficult to maintain.
    • Requires new processes as pooled resources must be staffed to approved projects.
    • Redundancies, conflicts, and incompatible technologies can result from business units having differentiated services and applications – increasing cost.
    • Ability to share IT resources is low due to lack of common approaches.
    • Lack of integration limits the communication of data between businesses and reduces common reporting.

    Decentralization can take many forms – define what it means to your organization

    Decentralization can take a number of different forms depending on the products the organization supports and how the organization is geographically distributed. Use the following set of explanations to understand the different types of decentralization possible and when they may make sense for supporting your organizational objectives.

    Line of Business

    Decentralization by lines of business (LoB) aligns decision making with business operating units based on related functions or value streams. Localized priorities focus the decision making from the CIO or IT leadership team. This form of decentralization is beneficial in settings where each line of business has a unique set of products or services that require specific expertise or flexible resourcing staffing between the teams.

    Product Line

    Decentralization by product line organizes your team into operationally aligned product families to improve delivery throughput, quality, and resource flexibility within the family. By adopting this approach, you create stable product teams with the right balance between flexibility and resource sharing. This reinforces value delivery and alignment to enterprise goals within the product lines.

    Geographical

    Geographical decentralization reflects a shift from centralized to regional influences. When teams are in different locations, they can experience a number of roadblocks to effective communication (e.g. time zones, regulatory differences in different countries) that may necessitate separating those groups in the organizational structure, so they have the autonomy needed to make critical decisions.

    Functional

    Functional decentralization allows the IT organization to be separated by specialty areas. Organizations structured by functional specialization can often be organized into shared service teams or centers of excellence whereby people are grouped based on their technical, domain, or functional area within IT (Applications, Data, Infrastructure, Security, etc.). This allows people to develop specialized knowledge and skills but can also reinforce silos between teams.

    2.4 Review and select a base operating model sketch

    1 hour

    1. Review the set of base operating model sketches available on the following slides.
    2. For each operating model sketch, there are benefits and risks to be considered. Make an informed selection by understanding the risks that your organization might be taking on by adopting that particular operating model.
    3. If at any point in the selection process the group is unsure about which operating model will be the right fit, refer back to your design principles established in activity 1.4. These should guide you in the selection of the right operating model and eliminate those which will not serve the organization.
    InputOutput
    • Organizational design principles
    • Customized list of IT capabilities
    • Operating model sketch examples
    • Selected operating model sketch
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Centralized Operating Model #1: Plan-Build-Run

    I want to…

    • Establish a formalized governance process that takes direction from the organization on which initiatives should be prioritized by IT.
    • Ensure there is a clear separation between teams that are involved in strategic planning, building solutions, and delivering operational support.
    • Be able to plan long term by understanding the initiatives that are coming down the pipeline and aligning to an infrequent budgeting plan.

    BENEFITS

    • Effective at implementing long-term plans efficiently; separates maintenance and projects to allow each to have the appropriate focus.
    • More oversight over financials; better suited for fixed budgets.
    • Works across centralized technology domains to better align with the business’ strategic objectives – allows for a top-down approach to decision making.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Well-suited for a project-driven environment that employs waterfall or a hybrid project management methodology that is less iterative.

    RISKS

    • Creates artificial silos between the build (developers) and run (operations staff) teams, as both teams focus on their own responsibilities and often fail to see the bigger picture.
    • Miss opportunities to deliver value to the organization or innovate due to an inability to support unpredictable/shifting project demands as decision making is centralized in the plan function.
    • The portfolio of initiatives being pursued is often determined before requirements analysis takes place, meaning the initiative might be solving the wrong need or problem.
    • Depends on strong hand-off processes to be defined and strong knowledge transfer from build to run functions in order to be successful.
    The image contains an example of a Centralized Operating Model: Plan-Build-Run.

    Centralized Operating Model #2: Demand-Develop-Service

    I want to…

    • Listen to the business to understand new initiatives or service enhancements being requested.
    • Enable development and operations to work together to seamlessly deliver in a DevOps culture.
    • Govern and confirm that initiatives being requested by the business are still aligned to IT’s overarching strategy and roadmap before prioritizing those initiatives.

    BENEFITS

    • Aligns well with an end-to-end services model; constant attention to customer demand and service supply.
    • Centralizes service operations under one functional area to serve shared needs across lines of business.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Elevates sourcing and vendor management as its own strategic function; lends well to managed service and digital initiatives.
    • Development and operations housed together; lends well to DevOps-related initiatives and reduces the silos between these two core groups.

    RISKS

    • IT prioritizes the initiatives it thinks are a priority to the business based on how well it establishes good stakeholder relations and communications.
    • Depends on good governance to prevent enhancements and demands from being prioritized without approval from those with accountability and authority.
    • This model thrives in a DevOps culture but does not mean it ensures your organization is a “DevOps” organization. Be sure you're encouraging the right behaviors and attitudes.

    The image contains an example of a Centralized Operating Model: Demand, Develop, Service.

    Hybrid Operating Model #1: LOB/Functional Aligned

    I want to…

    • Better understand the various needs of the organization to align IT priorities and ensure the right services can be delivered.
    • Keep all IT decisions centralized to ensure they align with the overarching strategy and roadmap that IT has set.
    • Organize your shared services in a strategic manner that enables delivery of those services in a way that fits the culture of the organization and the desired method of operating.

    BENEFITS

    • Best of both worlds of centralization and decentralization; attempts to channel benefits from both centralized and decentralized models.
    • Embeds key IT functions that require business knowledge within functional areas, allowing for critical feedback and the ability to understand those business needs.
    • Places IT in a position to not just be “order takers” but to be more involved with the different business units and promote the value of IT.
    • Achieves economies of scale where necessary through the delivery of shared services that can be requested by the function.
    • Shared services can be organized to deliver in the best way that suits the organization.

    RISKS

    • Different business units may bypass governance to get their specific needs met by functions – to alleviate this, IT must have strong governance and prioritize amongst demand.
    • Decentralized role can be viewed as an order taker by the business if not properly embedded and matured.
    • No guaranteed synergy and integration across functions; requires strong communication, collaboration, and steering.
    • Cannot meet every business unit’s needs – can cause tension from varying effectiveness of the IT functions.

    The image contains an example of a Hybrid Operating Model: LOB/Functional Aligned.

    Hybrid Model #2: Product-Aligned Operating Model

    I want to…

    • Align my IT organization into core products (services) that IT provides to the organization and establish a relationship with those in the organization that have alignment to that product.
    • Have roles dedicated to the lifecycle of their product and ensure the product can continuously deliver value to the organization.
    • Maintain centralized set of standards as it applies to overall IT strategy, security, and architecture to ensure consistency across products and reduce silos.

    BENEFITS

    • Focus is on the full lifecycle of a product – takes a strategic view of how technology enables the organization.
    • Promotes centralized backlog around a specific value creator, rather than a traditional project focus that is more transactional.
    • Dedicated teams around the product family ensure you have all of the resources required to deliver on your product roadmap.
    • Reduces barriers between IT and business stakeholders; focuses on technology as a key strategic enabler.
    • Delivery is largely done through frequent releases that can deliver value.

    RISKS

    • If there is little or no business involvement, it could prevent IT from truly understanding business demand and prioritizing the wrong work.
    • A lack of formal governance can create silos between the IT products, causing duplication of efforts, missed opportunities for collaboration, and redundancies in application or vendor contracts.
    • Members of each product can interpret the definition of standards (e.g. architecture, security) differently.

    The image contains an example of the Hybrid Operating Model: Product-Aligned Operating Model.

    Hybrid Operating Model #3: Service-Aligned Operating Model

    I want to…

    • Decentralize the IT organization by the various IT services it offers to the organization while remaining centralized with IT strategy, governance, security and operational services.
    • Ensure IT services are defined and people resources are aligned to deliver on those services.
    • Enable each of IT’s services to have the autonomy to understand the business needs and be able to manage the operational and new project initiatives with a dedicated service owner or business relationship manager.

    BENEFITS

    • Strong enabler of agility as each service has the autonomy to make decisions around operational work versus project work based on their understanding of the business demand.
    • Individuals in similar roles that are decentralized across services are given coaching to provide common direction.
    • Allows teams to efficiently scale with service demand.
    • This is a structurally baseline DevOps model. Each group will have services built within that have their own dedicated teams that will handle the full gambit of responsibilities, from new features to enhancements and maintenance.

    RISKS

    • Service owners require a method to collaborate to avoid duplication of efforts or projects that conflict with the efforts of other IT services.
    • May result in excessive cost through role redundancies across different services, as each will focus on components like integration, stakeholder management, project management, and user experiences.
    • Silos cause a high degree of specialization, making it more difficult for team members to imagine moving to another defined service group, limiting potential career advancement opportunities.
    • The level of complex knowledge required by shared services (e.g. help desk) is often beyond what they can provide, causing them to rely on and escalate to defined service groups more than with other operating models.

    The image contains an example of the Hybrid Operating Model: Service-Aligned Operating Model.

    Decentralized Model: Division Decentralization (LoB, Geography, Function, Product)

    I want to…

    • Decentralize the IT organization to enable greater autonomy within specific groups that have differing customer demands and levels of support.
    • Maintain a standard level of service that can be provided by IT for all divisions.
    • Ensure each division has access to critical data and reports that supports informed decision making.

    BENEFITS

    • Organization around functions allows for diversity in approach in how areas are run to best serve a specific business unit’s needs.
    • Each functional line exists largely independently, with full capacity and control to deliver service at the committed SLAs.
    • Highly responsive to shifting needs and demands with direct connection to customers and all stages of the solution development lifecycle.
    • Accelerates decision making by delegating authority lower into the function.
    • Promotes a flatter organization with less hierarchy and more direct communication with the CIO.

    RISKS

    • Requires risk and security to be centralized and have oversight of each division to prevent the decisions of one division from negatively impacting other divisions or the enterprise.
    • Less synergy and integration across what different lines of business are doing can result in redundancies and unnecessary complexity.
    • Higher overall cost to the IT group due to role and technology duplication across different divisions.
    • It will be difficult to centralize aspects of IT in the future, as divisions adopt to a culture of IT autonomy.

    The image contains an example of the Decentralized Model: Division Decentralization.

    Enterprise Model: Multi-Modal

    I want to…

    • Have an organizational structure that leverages several different operating models based on the needs and requirements of the different divisions.
    • Provide autonomy and authority to the different divisions so they can make informed and necessary changes as they see fit without seeking approval from a centralized IT group.
    • Support the different initiatives the enterprise is focused on delivering and ensure the right model is adopted based on those initiatives.

    BENEFITS

    • Allows for the organization to work in ways that best support individual areas; for example, areas that support legacy systems can be supported through traditional operating models while areas that support digital transformations may be supported through more flexible operating models.
    • Enables a specialization of knowledge related to each division.

    RISKS

    • Inconsistency across the organization can lead to confusion on how the organization should operate.
    • Parts of the organization that work in more traditional operating models may feel limited in career growth and innovation.
    • Cross-division initiatives may require greater oversight and a method to enable operations between the different focus areas.

    The image contains an example of the Enterprise Model: Multi-Modal.

    Create enabling teams that bridge your divisions

    The following bridges might be necessary to augment your divisions:

    • Specialized augmentation: There might not be a sufficient number of resources to support each division. These teams will be leveraged across the divisions; this means that the capabilities needed for each division will exist in this bridge team, rather than in the division.
    • Centers of Excellence: Capabilities that exist within divisions can benefit from shared knowledge across the enterprise. Your organization might set up centers of excellence to support best practices in capabilities organization wide. These are Forums in the unfix model, or communities of practice and support capability development rather than deliveries of each division.
    • Facilitation teams might be required to support divisions through coaching. This might include Agile or other coaches who can help teams adopt practices and embed learnings.
    • Holistic teams provide an enterprise view as they work with various divisions. This can include capabilities like user experience, which can benefit from the holistic perspective rather than a siloed one. People with these capabilities augment the divisions on an as-needed basis.
    The image contains a diagram to demonstrate the use of bridges on divisions.

    2.5 Customize the selected sketch to reflect the desired future state

    1-3 hours

    1. Using the baseline operating model sketch, walk through each of the IT capabilities. Based on the outputs from activity 2.1:
      1. Remove any capabilities for which your IT organization is not responsible and/or accountable.
      2. Augment the language of specific capabilities that you feel are not directly reflective of what is being done within your organizational context or that you feel need to be changed to reflect more specifically how work is being done in your organization.
      3. Add any core capabilities from your organization that are missing from the provided IT capability list.
    2. Move capabilities to the right places in the operating model to reflect how each of the core IT processes should interact with one another.
    3. Add bridges as needed to support the divisions in your organization. Identify which capabilities will sit in these bridges and define how they will enable the operating model sketch to deliver.
    InputOutput
    • Selected base operating model sketch
    • Customized list of IT capabilities
    • Understanding of outsourcing and gaps
    • Customized operating model sketch
    MaterialsParticipants
    • Whiteboard/flip charts
    • Operating model sketch examples
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Document the final operating model sketch in the Communications Deck

    Phase 3

    Formalize the Organizational Structure

    This phase will walk you through the following activities:

    3.1 Create work units

    3.2 Create work unit mandates

    3.3 Define roles inside the work units

    3.4 Finalize the organizational chart

    3.5 Identify and mitigate key risks

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership

    Embed change management into the organizational design process

    Enable adoption of the new structure.

    You don’t have to make the change in one big bang. You can adopt alternative transition plans such as increments or pilots. This allows people to see the benefits of why you are undergoing the change, allows the change message to be repeated and applied to the individuals impacted, and provides people with time to understand their role in making the new organizational structure successful.

    “Transformational change can be invigorating for some employees but also highly disruptive and stressful for others.”

    Source: OpenStax, 2019

    Info-Tech Insight

    Without considering the individual impact of the new organizational structure on each of your employees, the change will undoubtedly fail in meeting its intended goals and your organization will likely fall back into old structured habits.

    Use a top-down approach to build your target-state IT organizational sketch

    The organizational sketch is the outline of the organization that encompasses the work units and depicts the relationships among them. It’s important that you create the structure that’s right for your organization, not one that simply fits with your current staff’s skills and knowledge. This is why Info-Tech encourages you to use your operating model as a mode of guidance for structuring your future-state organizational sketch.

    The organizational sketch is made up of unique work units. Work units are the foundational building blocks on which you will define the work that IT needs to get done. The number of work units you require and their names will not match your operating model one to one. Certain functional areas will need to be broken down into smaller work units to ensure appropriate leadership and span of control.

    Use your customized operating model to build your work units

    WHAT ARE WORK UNITS?

    A work unit is a functional group or division that has a discrete set of processes or capabilities that it is responsible for, which don’t overlap with any others. Your customized list of IT capabilities will form the building blocks of your work units. Step one in the process of building your structure is grouping IT capabilities together that are similar or that need to be done in concert in the case of more complex work products. The second step is to iterate on these work units based on the organizational design principles from Phase 1 to ensure that the future-state structure is aligned with enablement of the organization’s objectives.

    Work Unit Examples

    Here is a list of example work units you can use to brainstorm what your organization’s could look like. Some of these overlap in functionality but should provide a strong starting point and hint at some potential alternatives to your current way of organizing.

    • Office of the CIO
    • Strategy and Architecture
    • Architecture and Design
    • Business Relationship Management
    • Projection and Portfolio Management
    • Solution Development
    • Solution Delivery
    • DevOps
    • Infrastructure and Operations
    • Enterprise Information Security
    • Security, Risk & Compliance
    • Data and Analytics

    Example of work units

    The image contains an example of work units.

    3.1 Create functional work units

    1-3 hours

    1. Using a whiteboard or large tabletop, list each capability from your operating model on a sticky note and recreate your operating model. Use one color for centralized activities and a second color for decentralized activities.
    2. With the group of key IT stakeholders, review the operating model and any important definitions and rationale for decisions made.
    3. Starting with your centralized capabilities, review each in turn and begin to form logical groups of compatible capabilities. Review the decentralized capabilities and repeat the process, writing additional sticky notes for capabilities that will be repeated in decentralized units.
    4. Note: Not all capabilities need to be grouped. If you believe that a capability has a high enough priority, has a lot of work, or is significantly divergent from others put this capability by itself.
    5. Define a working title for each new work unit, and discuss the pros and cons of the model. Ensure the work units still align with the operating model and make any changes to the operating model needed.
    6. Review your design principles and ensure that they are aligned with your new work units.
    InputOutput
    • Organizational business objectives
    • Customized operating model
    • Defined work units
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Group formation

    Understand the impact of the functional groups you create.

    A group consists of two or more individuals who are working toward a common goal. Group formation is how those individuals are organized to deliver on that common goal. It should take into consideration the levels of hierarchy in your structure, the level of focus you give to processes, and where power is dispersed within your organizational design.

    Importance: Balance highly important capabilities with lower priority capabilities

    Specialization: The scope of each role will be influenced by specialized knowledge and a dedicated leader

    Effectiveness: Group capabilities that increase their efficacy

    Span of Control: Identify the right number of employees reporting to a single leader

    Choose the degree of specialization required

    Be mindful of the number of hats you’re placing on any one role.

    • Specialization exists when individuals in an organization are dedicated to performing specific tasks associated with a common goal and requiring a particular skill set. Aligning the competencies required to carry out the specific tasks based on the degree of complexity associated with those tasks ensures the right people and number of people can be assigned.
    • When people are organized by their specialties, it reduces the likelihood of task switching, reduces the time spent training or cross-training, and increases the focus employees can provide to their dedicated area of specialty.
    • There are disadvantages associated with aligning teams by their specialization, such as becoming bored and seeing the tasks they are performing as monotonous. Specialization doesn’t come without its problems. Monitor employee motivation

    Info-Tech Insight

    Smaller organizations will require less specialization simply out of necessity. To function and deliver on critical processes, some people might be asked to wear several hats.

    Avoid overloading the cognitive capacity of employees

    Cognitive load refers to the number of responsibilities that one can successfully take on.

    • When employees are assigned an appropriate number of responsibilities this leads to:
      • Engaged employees
      • Less task switching
      • Increased effectiveness on assigned responsibilities
      • Reduced bottlenecks
    • While this cognitive load can differ from employee to employee, when assigning role responsibilities, ensure each role isn’t being overburdened and spreading their focus thin.
    • Moreover, capable does not equal successful. Just because someone has the capability to take on more responsibilities doesn’t mean they will be successful.
    • Leverage the cognitive load being placed on your team to help create boundaries between teams and demonstrate clear role expectations.
    Source: IT Revolution, 2021

    Info-Tech Insight

    When you say you are looking for a team that is a “jack of all trades,” you are likely exceeding appropriate cognitive loads for your staff and losing productivity to task switching.

    Factors to consider for span of control

    Too many and too few direct reports have negative impacts on the organization.

    Complexity: More complex work should have fewer direct reports. This often means the leader will need to provide lots of support, even engaging in the work directly at times.

    Demand: Dynamic shifts in demand require more managerial involvement and therefore should have a smaller span of control. Especially if this demand is to support a 24/7 operation.

    Competency Level: Skilled employees should require less hands-on assistance and will be in a better position to support the business as a member of a larger team than those who are new to the role.

    Purpose: Strategic leaders are less involved in the day-to-day operations of their teams, while operational leaders tend to provide hands-on support, specifically when short-staffed.

    Group formation will influence communication structure

    Pick your poison…

    It’s important to understand the impacts that team design has on your services and products. The solutions that a team is capable of producing is highly dependent on how teams are structured. For example, Conway’s Law tells us that small distributed software delivery teams are more likely to produce modular service architecture, where large collocated teams are better able to create monolithic architecture. This doesn’t just apply to software delivery but also other products and services that IT creates. Note that small distributed teams are not the only way to produce quality products as they can create their own silos.

    Sources: Forbes, 2017

    Create mandates for each of your identified work units

    WHAT ARE WORK UNIT MANDATES?

    The work unit mandate should provide a quick overview of the work unit and be clear enough that any reader can understand why the work unit exists, what it does, and what it is accountable for.

    Each work unit will have a unique mandate. Each mandate should be distinguishable enough from your other work units to make it clear why the work is grouped in this specific way, rather than an alternative option. The mandate will vary by organization based on the agreed upon work units, design archetype, and priorities.

    Don’t just adopt an example mandate from another organization or continue use of the organization’s pre-existing mandate – take the time to ensure it accurately depicts what that group is doing so that its value-added activities are clear to the larger organization.

    Examples of Work Unit Mandates

    The Office of the CIO will be a strategic enabler of the IT organization, driving IT organizational performance through improved IT management and governance. A central priority of the Office of the CIO is to ensure that IT is able to respond to evolving environments and challenges through strategic foresight and a centralized view of what is best for the organization.

    The Project Management Office will provide standardized and effective project management practices across the IT landscape, including an identified project management methodology, tools and resources, project prioritization, and all steps from project initiation through to evaluation, as well as education and development for project managers across IT.

    The Solutions Development Group will be responsible for the high-quality development and delivery of new solutions and improvements and the production of customized business reports. Through this function, IT will have improved agility to respond to new initiatives and will be able to deliver high-quality services and insights in a consistent manner.

    3.2 Create work unit mandates

    1-3 hours

    1. Break into teams of three to four people and assign an equal number of work units to each team.
    2. Have each team create a set of statements that describe the overall purpose of that working group. Each mandate statement should:
    • Be clear enough that any reader can understand.
    • Explain why the work unit exists, what it does, and what it is accountable for.
    • Be distinguishable enough from your other work units to make it clear why the work is grouped in this specific way, rather than an alternative option.
  • Have each group present their work unit mandates and make changes wherever necessary.
  • InputOutput
    • Work units
    • Work unit mandates
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Identify the key roles and responsibilities for the target IT organization

    Now that you have identified the main units of work in the target IT organization, it is time to identify the roles that will perform that work. At the end of this step, the key roles will be identified, the purpose statement will be built, and accountability and responsibility for roles will be clearly defined. Make sure that accountability for each task is assigned to one role only. If there are challenges with a role, change the role to address them (e.g. split roles or shift responsibilities).

    The image contains an example of two work units: Enterprise Architecture and PMO. It then lists the roles of the two work units.

    Info-Tech Insight

    Do not bias your role design by focusing on your existing staff’s competencies. If you begin to focus on your existing team members, you run the risk of artificially narrowing the scope of work or skewing the responsibilities of individuals based on the way it is, rather than the way it should be.

    3.3 Define roles inside the work units

    1-3 hours

    1. Select a work unit from the organizational sketch.
    2. Describe the most senior role in that work unit by asking, “what would the leader of this group be accountable or responsible for?” Define this role and move the capabilities they will be accountable for under that leader. Repeat this activity for the capabilities this leader would be responsible for.
    3. Continue to define each role that will be required in that work unit to deliver or provide oversight related to those capabilities.
    4. Continue until key roles are identified and the capabilities each role will be accountable or responsible for are clarified.
    5. Remember, only one role can have accountability for each capability but several can have responsibility.
    6. For each role, use the list of capabilities that the position will be accountable, responsible, or accountable and responsible for to create a job description. Leverage your own internal job descriptions or visit our Job Descriptions page.
    InputOutput
    • Work units
    • Work unit mandates
    • Responsibilities
    • Accountabilities
    • Roles with clarified responsibilities and accountabilities
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Delivery model for product or solution development

    Can add additional complexity or clarity

    • Certain organizational structures will require a specific type of resourcing model to meet expectations and deliver on the development or sustainment of core products and solutions.
    • There are four common methods that we see in IT organizations:
      • Functional Roles: Completed work is handed off from functional team to functional team sequentially as outlined in the organization’s SDLC.
      • Shared Service & Resource Pools (Matrix): Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.
      • Product or System: Work is directly sent to the teams who are directly managing the product or directly supporting the requestor.
      • Skills & Competencies: Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.
    • Each of these will lead to a difference in how the functional team is skilled. They could have a great understanding of their customer, the product, the solution, or their service.

    Info-Tech Insight

    Despite popular belief, there is no such thing as the Spotify model, and organizations that structured themselves based on the original Spotify drawing might be missing out on key opportunities to obtain productivity from employees.

    Sources: Indeed, 2020; Agility Scales

    There can be different patterns to structure and resource your product delivery teams

    The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.

    Delivery Team Structure Patterns

    How Are Resources and Work Allocated?

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC.

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Work is directly sent to the teams who are directly managing the product or directly supporting the requester.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, Finance).

    Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.

    Delivery teams will be structured according to resource and development needs

    Functional Roles

    Shared Service and Resource Pools

    Product or System

    Skills and Competencies

    When your people are specialists versus having cross-functional skills

    Leveraged when specialists such as Security or Operations will not have full-time work on the product

    When you have people with cross-functional skills who can self-organize around a product’s needs

    When you have a significant investment in a specific technology stack

    The image contains a diagram of functional roles.The image contains a diagram of shared service and resource pools.The image contains a diagram of product or system.The image contains a diagram of skills and competencies.

    For more information about delivering in a product operating model, refer to our Deliver Digital Products at Scale blueprint.

    3.4 Finalize the organizational chart

    1-3 hours

    1. Import each of your work units and the target-state roles that were identified for each.
    2. In the place of the name of each work unit in your organizational sketch, replace the work unit name with the prospective role name for the leader of that group.
    3. Under each of the leadership roles, import the names of team members that were part of each respective work unit.
    4. Validate the final structure as a group to ensure each of the work units includes all the necessary roles and responsibilities and that there is clear delineation of accountabilities between the work units.

    Input

    Output

    • Work units
    • Work unit mandates
    • Roles with accountabilities and responsibilities
    • Finalized organizational chart

    Materials

    Participants

    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook & Executive Communications Deck

    Proactively consider and mitigate redesign risks

    Every organizational structure will include certain risks that should have been considered and accepted when choosing the base operating model sketch. Now that the final organizational structure has been created, consider if those risks were mitigated by the final organizational structure that was created. For those risks that weren’t mitigated, have a tactic to control risks that remain present.

    3.5 Identify and mitigate key risks

    1-3 hours

    1. For each of the operating model sketch options, there are specific risks that should have been considered when selecting that model.
    2. Take those risks and transfer them into the correct slide of the Organizational Design Workbook.
    3. Consider if there are additional risks that need to be considered with the new organizational structure based on the customizations made.
    4. For each risk, rank the severity of that risk on a scale of low, medium, or high.
    5. Determine one or more mitigation tactic(s) for each of the risks identified. This tactic should reduce the likelihood or impact of the risk event happening.
    InputOutput
    • Final organizational structure
    • Operating model sketch benefits and risks
    • Redesign risk mitigation plan
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Phase 4

    Plan for Implementation & Change

    This phase will walk you through the following activities:

    4.1 Select a transition plan

    4.2 Establish the change communication messages

    4.3 Be consistent with a standard set of FAQs

    4.4 Define org. redesign resistors

    4.5 Create a sustainment plan

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership
    • HR Business Partners

    All changes require change management

    Change management is:

    Managing a change that requires replanning and reorganizing and that causes people to feel like they have lost control over aspects of their jobs.

    – Padar et al., 2017
    People Process Technology

    Embedding change management into organizational design

    PREPARE A

    Awareness: Establish the need for organizational redesign and ensure this is communicated well.

    This blueprint is mostly focused on the prepare and transition components.

    D

    Desire: Ensure the new structure is something people are seeking and will lead to individual benefits for all.

    TRANSITION K

    Knowledge: Provide stakeholders with the tools and resources to function in their new roles and reporting structure.

    A

    Ability: Support employees through the implementation and into new roles or teams.

    FUTURE R

    Reinforcement: Emphasize and reward positive behaviors and attitudes related to the new organizational structure.

    Implementing the new organizational structure

    Implementing the organizational structure can be the most difficult part of the process.

    • To succeed in the process, consider creating an implementation plan that adequately considers these five components.
    • Each of these are critical to supporting the final organizational structure that was established during the redesign process.

    Implementation Plan

    Transition Plan: Identify the appropriate approach to making the transition, and ensure the transition plan works within the context of the business.

    Communication Strategy: Create a method to ensure consistent, clear, and concise information can be provided to all relevant stakeholders.

    Plan to Address Resistance: Given that not everyone will be happy to move forward with the new organizational changes, ensure you have a method to hear feedback and demonstrate concerns have been heard.

    Employee Development Plan: Provide employees with tools, resources, and the ability to demonstrate these new competencies as they adjust to their new roles.

    Monitor and Sustain the Change: Establish metrics that inform if the implementation of the new organizational structure was successful and reinforce positive behaviors.

    Define the type of change the organizational structure will be

    As a result, your organization must adopt OCM practices to better support the acceptance and longevity of the changes being pursued.

    Incremental Change

    Transformational Change

    Organizational change management is highly recommended and beneficial for projects that require people to:

    • Adopt new tools and workflows.
    • Learn new skills.
    • Comply with new policies and procedures.
    • Stop using old tools and workflows.

    Organizational change management is required for projects that require people to:

    • Move into different roles, reporting structures, and career paths.
    • Embrace new responsibilities, goals, reward systems, and values.
    • Grow out of old habits, ideas, and behaviors.
    • Lose stature in the organization.

    Info-Tech Insight

    How you transition to the new organizational structure can be heavily influenced by HR. This is the time to be including them and leveraging their expertise to support the transition “how.”

    Transition Plan Options

    Description

    Pros

    Cons

    Example

    Big Bang Change

    Change that needs to happen immediately – “ripping the bandage off.”

    • It puts an immediate stop to the current way of operating.
    • Occurs quickly.
    • More risky.
    • People may not buy into the change immediately.
    • May not receive the training needed to adjust to the change.

    A tsunami in Japan stopped all imports and exports. Auto manufacturers were unable to get parts shipped and had to immediately find an alternative supplier.

    Incremental Change

    The change can be rolled out slower, in phases.

    • Can ensure that people are bought in along the way through the change process, allowing time to adjust and align with the change.
    • There is time to ensure training takes place.
    • It can be a timely process.
    • If the change is dragged on for too long (over several years) the environment may change and the rationale and desired outcome for the change may no longer be relevant.

    A change in technology, such as HRIS, might be rolled out one application at a time to ensure that people have time to learn and adjust to the new system.

    Pilot Change

    The change is rolled out for only a select group, to test and determine if it is suitable to roll out to all impacted stakeholders.

    • Able to test the success of the change initiative and the implementation process.
    • Able to make corrections before rolling it out wider, to aid a smooth change.
    • Use the pilot group as an example of successful change.
    • Able to gain buy-in and create change champions from the pilot group who have experienced it and see the benefits.
    • Able to prevent an inappropriate change from impacting the entire organization.
    • Lengthy process.
    • Takes time to ensure the change has been fully worked through.

    A retail store is implementing a new incentive plan to increase product sales. They will pilot the new incentive plan at select stores, before rolling it out broadly.

    4.1 Select a transition plan approach

    1-3 hours

    1. List each of the changes required to move from your current structure to the new structure. Consider:
      1. Changes in reporting structure
      2. Hiring new members
      3. Eliminating positions
      4. Developing key competencies for staff
    2. Once you’ve defined all the changes required, consider the three different transition plan approaches: big bang, incremental, and pilot. Each of the transition plan approaches will have drawbacks and benefits. Use the list of changes to inform the best approach.
    3. If you are proceeding with the incremental or the pilot, determine the order in which you will proceed with the changes or the groups that will pilot the new structure first.
    InputOutput
    • Customized operating model sketch
    • New org. chart
    • Current org. chart
    • List of changes to move from current to future state
    • Transition plan to support changes
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • HR Business Partners

    Record the results in the Organizational Design Workbook

    Make a plan to effectively manage and communicate the change

    Success of your new organizational structure hinges on adequate preparation and effective communication.

    The top challenge facing organizations in completing the organizational redesign is their organizational culture and acceptance of change. Effective planning for the implementation and communication throughout the change is pivotal. Make sure you understand how the change will impact staff and create tailored plans for communication.

    65% of managers believe the organizational change is effective when provided with frequent and clear communication.

    Source: SHRM, 2021

    Communicate reasons for organizational structure changes and how they will be implemented

    Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.

    The organizational change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.

    Five elements of communicating change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • How long will it take us to do it?
    • What will the role be for each department and individual?
    Source: Cornelius & Associates, 2010

    4.2 Establish the change communication messages

    2 hours

    1. The purpose of this activity is to establish a change communication message you can leverage when talking to stakeholders about the new organizational structure.
    2. Review the questions in the Organizational Design Workbook.
    3. Establish a clear message around the expected changes that will have to take place to help realize the new organizational structure.
    InputOutput
    • Customized operating model sketch
    • New org. chart
    • Current org. chart
    • List of changes
    • Transition plan
    • Change communication message for new organizational structure
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Apply the following communication principles to make your IT organization redesign changes relevant to stakeholders

    Be Clear

    • Say what you mean and mean what you say.
    • Choice of language is important: “Do you think this is a good idea? I think we could really benefit from your insights and experience here.” Or do you mean: “I think we should do this. I need you to do this to make it happen.”
    • Don’t use jargon.

    Be Consistent

    • The core message must be consistent regardless of audience, channel, or medium.
    • Test your communication with your team or colleagues to obtain feedback before delivering to a broader audience.
    • A lack of consistency can be interpreted as an attempt at deception. This can hurt credibility and trust.

    Be Concise

    • Keep communication short and to the point so key messages are not lost in the noise.
    • There is a risk of diluting your key message if you include too many other details.

    Be Relevant

    • Talk about what matters to the stakeholder.
    • Talk about what matters to the initiative.
    • Tailor the details of the message to each stakeholder’s specific concerns.
    • IT thinks in processes but stakeholders only care about results: talk in terms of results.
    • IT wants to be understood but this does not matter to stakeholders. Think: “what’s in it for them?”
    • Communicate truthfully; do not make false promises or hide bad news.

    Frequently asked questions (FAQs) provide a chance to anticipate concerns and address them

    As a starting point for building an IT organizational design implementation, look at implementing an FAQ that will address the following:

    • The what, who, when, why, and where
    • The transition process
    • What discussions should be held with clients in business units
    • HR-centric questions

    Questions to consider answering:

    • What is the objective of the IT organization?
    • What are the primary changes to the IT organization?
    • What does the new organizational structure look like?
    • What are the benefits to our IT staff and to our business partners?
    • How will the IT management team share new information with me?
    • What is my role during the transition?
    • What impact is there to my reporting relationship within my department?
    • What are the key dates I should know about?

    4.3 Be consistent with a standard set of FAQs

    1 hour

    1. Beyond the completed communications plans, brainstorm a list of answers to the key “whats” of your organizational design initiative:
    • What is the objective of the IT organization?
    • What are the primary changes to the IT organization?
    • What does the new organizational structure look like?
    • What are the benefits to our IT staff and to our business partners?
  • Think about any key questions that may rise around the transition:
    • How will the IT management team share new information with me?
    • What is my role during the transition?
    • What impact is there to my reporting relationship within my department?
    • What are the key dates I should know about?
  • Determine the best means of socializing this information. If you have an internal wiki or knowledge-sharing platform, this would be a useful place to host the information.
  • InputOutput
    • Driver(s) for the new organizational structure
    • List of changes to move from current to future state
    • Change communication message
    • FAQs to provide to staff about the organizational design changes
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    The change reaction model

    The image contains a picture of the change reaction model. The model includes a double arrow pointing in both directions of left and right. On top of the arrow are 4 circles spread out on the arrow. They are labelled: Active Resistance, Detachment, Questioning, Acceptance.

    (Adapted from Cynthia Wittig)

    Info-Tech Insight

    People resist changes for many reasons. When it comes to organizational redesign changes, some of the most common reasons people resist change include a lack of understanding, a lack of involvement in the process, and fear.

    Include employees in the employee development planning process

    Prioritize

    Assess employee to determine competency levels and interests.

    Draft

    Employee drafts development goals; manager reviews.

    Select

    Manager helps with selection of development activities.

    Check In

    Manager provides ongoing check-ins, coaching, and feedback.

    Consider core and supplementary components that will sustain the new organizational structure

    Supplementary sustainment components:

    • Tools & Resources
    • Structure
    • Skills
    • Work Environment
    • Tasks
    • Disincentives

    Core sustainment components:

    • Empowerment
    • Measurement
    • Leadership
    • Communication
    • Incentives

    Sustainment Plan

    Sustain the change by following through with stakeholders, gathering feedback, and ensuring that the change rationale and impacts are clearly understood. Failure to so increases the potential that the change initiative will fail or be a painful experience and cost the organization in terms of loss of productivity or increase in turnover rates.

    Support sustainment with clear measurements

    • Measurement is one of the most important components of monitoring and sustaining the new organizational structure as it provides insight into where the change is succeeding and where further support should be added.
    • There should be two different types of measurements:
    1. Standard Change Management Metrics
    2. Organizational Redesign Metrics
  • When gathering data around metrics, consider other forms of measurement (qualitative) that can provide insights on opportunities to enhance the success of the organizational redesign change.
    1. Every measurement should be rooted to a goal. Many of the goals related to organizational design will be founded in the driver of this change initiative
    2. Once the goals have been defined, create one or more measurements that determines if the goal was successful.
    3. Use specific key performance indicators (KPIs) that contain a metric that is being measured and the frequency of that measurement.

    Info-Tech Insight

    Obtaining qualitative feedback from employees, customers, and business partners can provide insight into where the new organizational structure is operating optimally versus where there are further adjustments that could be made to support the change.

    4.4 Consider sustainment metrics

    1 hour

    1. Establish metrics that bring the entire process together and that will ensure the new organizational design is a success.
    2. Go back to your driver(s) for the organizational redesign. Use these drivers to help inform a particular measurement that can be used to determine if the new organizational design will be successful. Each measurement should be related to the positive benefits of the organization, an individual, or the change itself.
    3. Once you have a list of measurements, use these to determine the specific KPI that can be qualified through a metric. Often you are looking for an increase or decrease of a particular measurement by a dollar or percentage within a set time frame.
    4. Use the example metrics in the workbook and update them to reflect your organization’s drivers.
    InputOutput
    • Driver(s) for the new organizational structure
    • List of changes to move from current to future state
    • Change communication message
    • Sustainment metrics
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Related Info-Tech Research

    Build a Strategic IT Workforce Plan

    • Continue into the second phase of the organizational redesign process by defining the required workforce to deliver.
    • Leveraging trends, data, and feedback from your employees, define the competencies needed to deliver on the defined roles.

    Implement a New IT Organizational Structure

    • Organizational design implementations can be highly disruptive for IT staff and business partners.
    • Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.

    Define the Role of Project Management in Agile and Product-Centric Delivery

    • There are many voices with different opinions on the role of project management. This causes confusion and unnecessary churn.
    • Project management and product management naturally align to different time horizons. Harmonizing their viewpoints can take significant work.

    Research Contributors and Experts

    The image contains a picture of Jardena London.

    Jardena London

    Transformation Catalyst, Rosetta Technology Group

    The image contains a picture of Jodie Goulden.

    Jodie Goulden

    Consultant | Founder, OrgDesign Works

    The image contains a picture of Shan Pretheshan.

    Shan Pretheshan

    Director, SUPA-IT Consulting

    The image contains a picture of Chris Briley.

    Chris Briley

    CIO, Manning & Napier

    The image contains a picture of Dean Meyer.

    Dean Meyer

    President N. Dean Meyer and Associates Inc.

    The image contains a picture of Jimmy Williams.

    Jimmy Williams

    CIO, Chocktaw Nation of Oklahoma

    Info-Tech Research Group

    Cole Cioran, Managing Partner

    Dana Daher, Research Director

    Hans Eckman, Principal Research Director

    Ugbad Farah, Research Director

    Ari Glaizel, Practice Lead

    Valence Howden, Principal Research Director

    Youssef Kamar, Senior Manager, Consulting

    Carlene McCubbin, Practice Lead

    Baird Miller, Executive Counsellor

    Josh Mori, Research Director

    Rajesh Parab, Research Director

    Gary Rietz, Executive Counsellor

    Bibliography

    “A Cheat Sheet for HR Professionals: The Organizational Development Process.” AIHR, 2021. Web.

    Acharya, Ashwin, Roni Lieber, Lissa Seem, and Tom Welchman. “How to identify the right ‘spans of control’ for your organization.” McKinsey, 21 December 2017. Web.

    Anand. N., and Jean-Louis Barsoux. “What everyone gets wrong about change management. Harvard Business Review, December 2017. Web.

    Atiken, Chris. “Operating model design-first principles.” From Here On, 24 August 2018. Web.

    “Avoid common digital transformation challenges: Address your IT Operating Model Now.” Sofigate, 5 May 2020. Web.

    Baumann, Oliver, and Brian Wu. “The many dimensions of research on designing flat firms.” Journal of Organizational Design, no. 3, vol. 4. 09 May 2022.Web.

    Bertha, Michael. “Cross the project to product chasm.” CIO, 1 May 2020. Web.

    Blenko, Marcia, and James Root. “Design Principles for a Robust Operating Model.” Bain & Company, 8 April 2015. Web.

    Blenko, Marcia, Leslie Mackrell, and Kevin Rosenberg. “Operating models: How non-profits get from strategy to results.” The Bridge Span Group, 15 August 2019. Web.

    Boulton, Clint. “PVH finds perfect fit in hybrid IT operating model amid pandemic.” CIO, 19 July 2021. Web.

    Boulton, Clint. “Why digital disruption leaves no room for bimodal IT.” CIO, 11 May 2017. Web.

    Bright, David, et al. “Chapter 10: Organizational Structure & Change.” Principles of Management, OpenStax, Rice University, 20 March 2019. Book.

    Campbell, Andrew. “Design Principles: How to manage them.” Ashridge Operating Models. 1 January 2022. Web.

    D., Maria. “3 Types of IT Outsourcing Models and How to Choose Between Them.” Cleveroad, 29 April 2022. Web.

    Devaney, Eric. “9 Types of Organizational Structure Every Company Should Consider.” HubSpot, 11 February 2022. Web.

    Devaney, Erik. “The six building blocks of organizational structure.” Hubspot, 3 June 2020. Web.

    Eisenman, M., S. Paruchuri, and P. Puranam. “The design of emergence in organizations.” Journal of Organization Design, vol. 9, 2020. Web.

    Forbes Business Development Council. “15 Clear Signs It’s Time to Restructure the Business.” Forbes, 10 February 2020. Web.

    Freed, Joseph. “Why Cognitive Load Could Be The Most Important Employee Experience Metric In The Next 10 Years.” Forbes, 30 June 2020. Web.

    Galibraith, Jay. “The Star Model.” JayGalbraith.com, n.d. Web.

    Girod, Stéphane, and Samina Karim. “Restructure or reconfigure?” Harvard Business Review, April 2017. Web.

    Goldman, Sharon. “The need for a new IT Operating Model: Why now?” CIO, 27 August 2019. Web.

    Halapeth, Milind. “New age IT Operating Model: Creating harmony between the old and the new.” Wirpo, n.d. Web.

    Harvey, Michelle. “Why a common operating model is efficient for business productivity.” CMC, 10 May 2020. Web.

    Helfand, Heidi. “Dynamic Reteaming.” O’Reilly Media, 7 July 2020. Book.

    JHeller, Martha. “How Microsoft CIO Jim DuBois changed the IT Operating Model.” CIO, 2 February 2016. Web.

    Heller, Martha. “How Stryker IT Shifted to a global operating model.” CIO, 19 May 2021. Web.

    Heller, Michelle. “Inside blue Shields of California’s IT operating model overhaul.” CIO, 24 February 2021. Web.

    Hessing, Ted. “Value Stream Mapping.” Six Sigma Study Guide, 11 April 2014. Web.

    Huber, George, P. “What is Organization Design.” Organizational Design Community, n.d. Web.

    Indeed Editorial Team. “5 Advantages and Disadvantages of the Matrix Organizational Structure.” Indeed, 23 November 2020. Web.

    Indeed Editorial Team. “How to plan an effective organization restructure.” Indeed, 10 June 2021. Web.

    “Insourcing vs Outsourcing vs Co-Sourcing.” YML Group, n.d. Web.

    “Investing in more strategic roles.” CAPS Research, 3 February 2022. Web.

    Jain, Gagan. “Product IT Operating Model: The next-gen model for a digital work.” DevOps, 22 July 2019. Web.

    Kane, Gerald, D. Plamer, and Anh Phillips. “Accelerating Digital Innovation Inside and Out.” Deloitte Insights, 4 June 2019. Web.

    Krush, Alesia. “IT companies with ‘flat’ structures: utopia or innovative approach?” Object Style, 18 October 2018. Web.

    Law, Michael. “Adaptive Design: Increasing Customer Value in Your Organisation.” Business Agility Institute, 5 October 2020. Web.

    LucidContent Team. “How to get buy-in for changes to your organizational structure.” Lucid Chart, n.d. Web.

    Matthews, Paul. “Do you know the difference between competence and capability?” The People Development Magazine, 25 September 2020. Web.

    Meyer, Dean N. “Analysis: Common symptoms of organizational structure problems.” NDMA, n.d. Web.

    Meyer, N. Dean. “Principle-based Organizational Structure.” NDMA Publishing, 2020. Web.

    Morales Pedraza, Jorge. Answer to posting, “What is the relationship between structure and strategy?” ResearchGate.net, 5 March 2014. Web.

    Nanjad, Len. “Five non-negotiables for effective organization design change.” MNP, 01 October 2021. Web.

    Neilson, Gary, Jaime Estupiñán, and Bhushan Sethi. “10 Principles of Organizational Design.” Strategy & Business, 23 March 2015. Web.

    Nicastro, Dom. “Understanding the Foundational Concepts of Organizational Design.” Reworked, 24 September 2020. Web.

    Obwegeser, Nikolaus, Tomoko Yokoi, Michael Wade, and Tom Voskes. “7 Key Principles to Govern Digital Initiatives.” MIT Sloan, 1 April 2020. Web.

    “Operating Models and Tools.” Business Technology Standard, 23 February 2021. Web.

    “Organizational Design Agility: Journey to a combined community.” ODF-BAI How Space, Organizational Design Forum, 2022. Web.

    “Organizational Design: Understanding and getting started.” Ingentis, 20 January 2021. Web.

    Padar, Katalin, et al. “Bringing project and change management roles into sync.” Journal of Change Management, 2017. Web.

    Partridge, Chris. “Evolve your Operating Model- It will drive everything.” CIO, 30 July 2021. Web.

    Pijnacker, Lieke. “HR Analytics: role clarity impacts performance.” Effectory, 25 September 2019. Web.

    Pressgrove, Jed. “Centralized vs. Federated: Breaking down IT Structures.” Government Technology, March 2020. Web.

    Sherman, Fraser. “Differences between Organizational Structure and Design.” Bizfluent, 20 September 2019. Web.

    Skelton, Matthew, and Manual Pais. “Team Cognitive Load.” IT Revolution, 19 January 2021. Web.

    Skelton, Matthew, and Manual Pais. Team Topologies. IT Revolution Press, 19 September 2019. Book

    Spencer, Janet, and Michael Watkins. “Why organizational change fails.” TLNT, 26 November 2019. Web.

    Storbakken, Mandy. “The Cloud Operating Model.” VMware, 27 January 2020. Web.

    "The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2010. Web.

    “Understanding Organizational Structures.” SHRM, 31 August 2021. Web.

    "unfix Pattern: Base.” AgilityScales, n.d. Web.

    Walker, Alex. “Half-Life: Alyx helped change Valve’s Approach to Development.” Kotaku, 10 July 2020. Web.

    "Why Change Management.” Prosci, n.d. Web.

    Wittig, Cynthia. “Employees' Reactions to Organizational Change.” OD Practioner, vol. 44, no. 2, 2012. Web.

    Woods, Dan. “How Platforms are neutralizing Conway’s Law.” Forbes, 15 August 2017. Web.

    Worren, Nicolay, Jeroen van Bree, and William Zybach. “Organization Design Challenges. Results from a practitioner survey.” Journal of Organizational Design, vol. 8, 25 July 2019. Web.

    Appendix

    IT Culture Framework

    This framework leverages McLean & Company’s adaptation of Quinn and Rohrbaugh’s Competing Values Approach.

    The image contains a diagram of the IT Culture Framework. The framework is divided into four sections: Competitive, Innovative, Traditional, and Cooperative, each with their own list of descriptors.

    Demystify Blockchain: How Can It Bring Value to Your Organization?

    • Buy Link or Shortcode: {j2store}96|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Most leaders have an ambiguous understanding of blockchain and its benefits, let alone how it impacts their organization.
    • At the same time, with bitcoin drawing most of the media attention, organizations are finding it difficult to translate cryptocurrency usage to business case.

    Our Advice

    Critical Insight

    • Cut through the hype associated with blockchain by focusing on what is relevant to your organization. You have been hearing about blockchain for some time now and want to better understand it. While it is complex, you can beat the learning curve by analyzing its key benefits and purpose. Features such as transparency, efficiency, and security differentiate blockchain from existing technologies and help explain why it has transformative potential.
    • Ensure your use case is actually useful by first determining whether blockchain aligns with your organization. CIOs must take a practical approach to blockchain in order to avoid wasting resources (both time and money) and hurting IT’s image in the eyes of the business. While is easy to get excited and invest in a new technology to help maintain your image as a thought leader, you must ensure that your use case is fully developed prior to doing so.

    Impact and Result

    • Follow Info-Tech’s methodology for simplifying an otherwise complex concept. By focusing on its benefits and how they directly relate to a use case, blockchain technology is made easy to understand for business and IT professionals.
    • Our program will help you understand if blockchain is the optimal solution for your organization by mapping its key benefits (i.e. transparency, integrity, efficiency, and security) to your needs and capabilities.
    • Leverage a repeatable framework for brainstorming blockchain use case ideas and communicate your findings to business stakeholders who may otherwise be confused about the transformative potential of blockchain.

    Demystify Blockchain: How Can It Bring Value to Your Organization? Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about determining whether blockchain aligns with your organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. What exactly is blockchain?

    Understand blockchain’s unique feature, benefits, and business use cases.

    • Demystify Blockchain – Phase 1: What Is Blockchain?
    • Blockchain Glossary

    2. What can blockchain do for your organization?

    Envision blockchain’s transformative potential for your organization by brainstorming and validating a use case.

    • Demystify Blockchain – Phase 2: What Can Blockchain Do for Your Organization?
    • Blockchain Alignment Tool
    • Blockchain Alignment Presentation
    [infographic]

    Capture and Market the ROI of Your VMO

    • Buy Link or Shortcode: {j2store}212|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $108,234 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • All IT organizations are dependent on their vendors for technology products, services, and solutions to support critical business functions.
    • Measuring the impact of and establishing goals for the vendor management office (VMO) to maximize its effectiveness requires an objective and quantitative approach whenever possible.
    • Sharing the VMO’s impact internally is a balancing act between demonstrating value and self-promotion.

    Our Advice

    Critical Insight

    • The return on investment (ROI) calculation for your VMO must be customized. The ROI components selected must match your VMO ROI maturity, resources, and roadmap. There is no one-size-fits-all approach to calculating VMO ROI.
    • ROI contributions come from many areas and sources. To maximize the VMO’s ROI, look outside the traditional framework of savings and cost avoidance to vendor-facing interactions and the impact the VMO has on internal departments.

    Impact and Result

    • Quantifying the contributions of the VMO takes the guess work out of whether the VMO is performing adequately.
    • Taking a comprehensive approach to measuring the value created by the VMO and the ROI associated with it will help the organization appreciate the importance of the VMO.
    • Establishing goals for the VMO with the help of the executives and key stakeholders ensures that the VMO is supporting the needs of the entire organization.

    Capture and Market the ROI of Your VMO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should calculate and market internally your VMO’s ROI, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get organized

    Begin the process by identifying your VMO’s ROI maturity level and which calculation components are most appropriate for your situation.

    • Capture and Market the ROI of the VMO – Phase 1: Get Organized
    • VMO ROI Maturity Assessment Tool
    • VMO ROI Calculator and Tracker
    • VMO ROI Data Source Inventory and Evaluation Tool
    • VMO ROI Summary Template

    2. Establish baseline

    Set measurement baselines and goals for the next measurement cycle.

    • Capture and Market the ROI of the VMO – Phase 2: Establish Baseline
    • VMO ROI Baseline and Goals Tool

    3. Measure and monitor results

    Measure the VMO's ROI and value created by the VMO’s efforts and the overall internal satisfaction with the VMO.

    • Capture and Market the ROI of the VMO – Phase 3: Measure and Monitor Results
    • RFP Cost Estimator
    • Improvements in Working Capital Estimator
    • Risk Estimator
    • General Process Cost Estimator and Delta Estimator
    • VMO Internal Client Satisfaction Survey
    • Vendor Security Questionnaire
    • Value Creation Worksheet
    • Deal Summary Report Template

    4. Report results

    Report the results to key stakeholders and executives in a way that demonstrates the value added by the VMO to the entire organization.

    • Capture and Market the ROI of the VMO – Phase 4: Report Results
    • Internal Business Review Agenda Template
    • IT Spend Analytics
    • VMO ROI Reporting Worksheet
    • VMO ROI Stakeholder Report Template
    [infographic]

    Workshop: Capture and Market the ROI of Your VMO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Get Organized

    The Purpose

    Determine how you will measure the VMO’s ROI.

    Key Benefits Achieved

    Focus your measurement on the appropriate activities.

    Activities

    1.1 Determine your VMO’s maturity level and identify applicable ROI measurement categories.

    1.2 Review and select the appropriate ROI formula components for each applicable measurement category.

    1.3 Compile a list of potential data sources, evaluate the viability of each data source selected, and assign data collection and analysis responsibilities.

    1.4 Communicate progress and proposed ROI formula components to executives and key stakeholders for feedback and/or approval/alignment.

    Outputs

    VMO ROI maturity level and first step of customizing the ROI formula components.

    Second and final step of customizing the ROI formula components…what will actually be measured.

    Viable data sources and assignments for team members.

    A progress report for key stakeholders and executives.

    2 Establish Baseline

    The Purpose

    Set baselines to measure created value against.

    Key Benefits Achieved

    ROI contributions cannot be objectively measured without baselines.

    Activities

    2.1 Gather baseline data.

    2.2 Calculate/set baselines.

    2.3 Set SMART goals.

    2.4 Communicate progress and proposed ROI formula components to executives and key stakeholders for feedback and/or approval/alignment.

    Outputs

    Data to use for calculating baselines.

    Baselines for measuring ROI contributions.

    Value creation goals for the next measurement cycle.

    An updated progress report for key stakeholders and executives.

    3 Measure and Monitor Results

    The Purpose

    Calculate the VMO’s ROI.

    Key Benefits Achieved

    An understanding of whether the VMO is paying for itself.

    Activities

    3.1 Assemble the data and calculate the VMO’s ROI.

    3.2 Organize the data for the reporting step.

    Outputs

    The VMO’s ROI expressed in terms of how many times it pays for itself (e.g. 1X, 3X, 5X).

    Determine which supporting data will be reported.

    4 Report Results

    The Purpose

    Report results to stakeholders.

    Key Benefits Achieved

    Stakeholders understand the value of the VMO.

    Activities

    4.1 Create a reporting template.

    4.2 Determine reporting frequency.

    4.3 Decide how the reports will be distributed or presented.

    4.4 Send out a draft report and update based on feedback.

    Outputs

    A template for reporting ROI and supporting data.

    A decision about quarterly or annual reports.

    A decision regarding email, video, and in-person presentation of the ROI reports.

    Final ROI reports.

    Identify Opportunities to Mature the Security Architecture

    • Buy Link or Shortcode: {j2store}385|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Organizations do not have a solid grasp on the complexity of their infrastructure and are unaware of the overall risk to their infrastructure posed by inadequate security.
    • Organizations do not understand how to properly create and deliver value propositions of technical security solutions.

    Our Advice

    Critical Insight

    • The security architecture is a living, breathing thing based on the risk profile of your organization.
    • Compliance and risk mitigation create an intertwined relationship between the business and your security architecture. The security architecture roadmap must be regularly assessed and continuously maintained to ensure security controls align with organizational objectives.

    Impact and Result

    • A right-sized security architecture can be created by assessing the complexity of the IT department, the operations currently underway for security, and the perceived value of a security architecture within the organization. This will bring about a deeper understanding of the organizational infrastructure.
    • Developing a security architecture should also result in a list of opportunities (i.e. initiatives) that an organization can integrate into a roadmap. These initiatives will seek to improve security operations and strengthen the IT department’s understanding of security’s role within the organization.
    • A better understanding of the infrastructure will help to save time on determining the correct technologies required from vendors and therefore cut down on the amount of vendor noise.
    • Creating a defensible roadmap will assist with justifying future security spend.

    Identify Opportunities to Mature the Security Architecture Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a right-sized security architecture, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the organization’s ideal security architecture

    Complete three unique assessments to define the ideal security architecture maturity for your organization.

    • Identify Opportunities to Mature the Security Architecture – Phase 1: Identify the Organization's Ideal Security Architecture
    • Security Architecture Recommendation Tool
    • None

    2. Create a security program roadmap

    Use the results of the assessments from Phase 1 of this research to create a roadmap for improving the security program.

    • Identify Opportunities to Mature the Security Architecture – Phase 2: Create a Security Program Roadmap
    [infographic]

    Create a Service Management Roadmap

    • Buy Link or Shortcode: {j2store}394|cart{/j2store}
    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $71,003 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Our Advice

    Critical Insight

    • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
    • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
    • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Impact and Result

    • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
    • Increase business and customer satisfaction by delivering services focused on creating business value.

    Create a Service Management Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Kick-off the project and complete the project charter.

    • Create a Service Management Roadmap – Phase 1: Launch Project
    • Service Management Roadmap Project Charter

    2. Assess the current state

    Determine the current state for service management practices.

    • Create a Service Management Roadmap – Phase 2: Assess the Current State
    • Service Management Maturity Assessment Tool
    • Organizational Change Management Capability Assessment Tool
    • Service Management Roadmap Presentation Template

    3. Build the roadmap

    Build your roadmap with identified initiatives.

    • Create a Service Management Roadmap – Phase 3: Identify the Target State

    4. Build the communication slide

    Create the communication slide that demonstrates how things will change, both short and long term.

    • Create a Service Management Roadmap – Phase 4: Build the Roadmap
    [infographic]

    Workshop: Create a Service Management Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Service Management

    The Purpose

    Understand service management.

    Key Benefits Achieved

    Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

    Activities

    1.1 Understand service management.

    1.2 Build a compelling vision and mission.

    Outputs

    Constraints and enablers chart

    Service management vision, mission, and values

    2 Assess the Current State of Service Management

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand attitudes, behaviors, and culture.

    Understand governance and process ownership needs.

    Understand strengths, weaknesses, opportunities, and threats.

    Defined desired state.

    Activities

    2.1 Assess cultural ABCs.

    2.2 Assess governance needs.

    2.3 Perform SWOT analysis.

    2.4 Define desired state.

    Outputs

    Cultural improvements action items

    Governance action items

    SWOT analysis action items

    Defined desired state

    3 Continue Current-State Assessment

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand the current maturity of service management processes.

    Understand organizational change management capabilities.

    Activities

    3.1 Perform service management process maturity assessment.

    3.2 Complete OCM capability assessment.

    3.3 Identify roadmap themes.

    Outputs

    Service management process maturity activities

    OCM action items

    Roadmap themes

    4 Build Roadmap and Communication Tool

    The Purpose

    Use outputs from previous steps to build your roadmap and communication one-pagers.

    Key Benefits Achieved

    Easy-to-understand roadmap one-pager

    Communication one-pager

    Activities

    4.1 Build roadmap one-pager.

    4.2 Build communication one-pager.

    Outputs

    Service management roadmap

    Service management roadmap – Brought to Life communication slide

    Further reading

    Create a Service Management Roadmap

    Implement service management in an order that makes sense.

    ANALYST PERSPECTIVE

    "More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

    Tony Denford,

    Research Director – CIO

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • Senior IT Management

    This Research Will Help You:

    • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
    • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

    This Research Will Also Assist

    • Service Management Process Owners

    This Research Will Help Them:

    • Formalize, standardize, and improve the maturity of service management practices.
    • Identify new service management initiatives to move IT to the next level of service management maturity.

    Executive summary

    Situation

    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Complication

    • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
    • Without alignment with the business goals, services often fail to provide the expected value.
    • Traditional service management approaches are not adaptable for new ways of working.

    Resolution

    • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
    • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
    • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

    Info-Tech Insight

    Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Poor service management manifests in many different pains across the organization

    Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

    Low Service Management Maturity

    These are some of the pains that can be attributed to poor service management practices.

    • Frequent service-impacting incidents
    • Low satisfaction with the service desk
    • High % of failed deployments
    • Frequent change-related incidents
    • Frequent recurring incidents
    • Inability to find root cause
    • No communication with the business
    • Frequent capacity-related incidents

    And there are many more…

    Mature service management practices are a necessity, not a nice-to-have

    Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

    In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

    And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

    A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
    Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

    39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

    31%: Too much time and too many resources are used to handle urgent incidents and problems.

    There are many misconceptions about what service management is

    Misconception #1: “Service management is a process”

    Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

    Misconception #2: “Service Management = Service Desk”

    Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

    Misconception #3: “Service management is about the ITSM tool”

    The tool is part of the overall service management program, but the people and processes must be in place before implementing.

    Misconception #4: “Service management development is one big initiative”

    Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

    Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

    A successful service management program takes into account the dependencies of processes.

    Misconception #6: “Service management is resolving incidents and deploying changes”

    Service management is about delivering high-value and high-quality services.

    Misconception #7: “Service management is not the key determinant of success”

    As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

    Misconception #8: “Resolving Incidents = Success”

    Preventing incidents is the name of the game.

    Misconception #9: “Service Management = Good Firefighter”

    Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

    Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

    Service management is about business/user-facing services and the value the services provide to the business.

    Service management projects often don’t succeed because they are focused on process rather than outcomes

    Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

    1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
    2. Understand your customers and what they value, and design your practices to deliver this value.

    3. IT does not know what order is best when implementing new practices or process improvements.
    4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

    5. IT does not follow best practices when implementing a practice.
    6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

    Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

    Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

    With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

    With our methodology, you can expect the following:

    • Eliminate or reduce rework due to poor execution.
    • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
    • Engage all necessary resources to design and implement required processes.
    • Assess current maturity and capabilities and design the roadmap with these factors in mind.

    Doing it right the first time around

    You will see these benefits at the end

      ✓ Increase the quality of services IT provides to the business.

      ✓ Increase business satisfaction through higher alignment of IT services.

      ✓ Lower cost to design, implement, and manage services.

      ✓ Better resource utilization, including staff, tools, and budget.

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Follow our model and get to your target state

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Each step along the way, Info-Tech has the tools to help you

    Phase 1: Launch the Project

    Assemble a team with the right talent and vision to increase the chances of project success.

    Phase 2: Assess Current State

    Understand where you are currently on the service management journey using the maturity assessment tool.

    Phase 3: Build Roadmap

    Based on the assessments, build a roadmap to address areas for improvement.

    Phase 4: Build Communication slide

    Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

    Info-Tech Deliverables:

    • Project Charter
    • Assessment Tools
    • Roadmap Template
    • Communication Template

    CIO call to action

    Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

    Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

    1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
    2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

    3. Select a senior, capable, and results-driven project leader.
    4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

    5. Help to define the target future state of IT’s service management.
    6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

    7. Conduct periodic follow-up meetings to keep track of progress.
    8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

    Stabilizing your environment is a must before establishing any more-mature processes

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

    Solution

    Original Plan

    • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

    Revised Plan with Service Management Roadmap:

    • Markets around the world had very different needs and there was little understanding of what customers value.
    • There was also no understanding of what services were currently being offered within each geography.

    Results

    • Plan was adjusted to understand customer value and services offered.
    • Services were then stabilized and standardized before consolidation.
    • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

    MORAL OF THE STORY:

    Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

    Understand the processes involved in the proactive phase

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • Services were fairly stable, but there were significant recurring issues for certain services.
    • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
    • Customer feedback for the service desk was generally good.

    Solution

    Original Plan

    • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

    Revised Plan with Service Management Roadmap:

    • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
    • Monitor key services for events that may lead to a service outage.

    Results

    • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
    • Service quality improved dramatically, resulting in high customer satisfaction.

    MORAL OF THE STORY:

    Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

    Have the right culture and structure in place before you become a service provider

    CASE STUDY

    Industry: Healthcare

    Source:Journal of American Medical Informatics Association

    Challenge

    • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
    • IT was organized in technology silos and focused on applications, not business services.
    • IT services were not aligned with business activities.
    • Relationships with the business were not well established.

    Solution

    Original Plan

    • Create and publish a service catalog.

    Revised Plan: with Service Management Roadmap:

    • Establish relationships with key stakeholders in the business units.
    • Understand how business activities interface with IT services.
    • Lay the groundwork for the service catalog by defining services from the business perspective.

    Results

    • Strong relationships with the business units.
    • Deep understanding of how business activities map to IT services.
    • Service definitions that reflect how the business uses IT services.

    MORAL OF THE STORY:

    Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

    Calculate the benefits of using Info-Tech’s methodology

    To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

    A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

    Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

    B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

    This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

    C. Cost & time saving through Info-Tech’s methodology

    Measured Value

    Step 1: Assess current state

    Cost to assess current state:

    • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

    Step 2: Build the roadmap

    Cost to create service management roadmap:

    • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

    Step 3: Develop the communication slide

    Cost to create roadmaps for phases:

    • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

    Potential financial savings from using Info-Tech resources:

    Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Create a Service Management Roadmap – project overview


    Launch the project

    Assess the current state

    Build the roadmap

    Build communication slide

    Best-Practice Toolkit

    1.1 Create a powerful, succinct mission statement

    1.2 Assemble a project team with representatives from all major IT teams

    1.3 Determine project stakeholders and create a communication plan

    1.4 Establish metrics to track the success of the project

    2.1 Assess impacting forces

    2.2 Build service management vision, mission, and values

    2.3 Assess attitudes, behaviors, and culture

    2.4 Assess governance

    2.5 Perform SWOT analysis

    2.6 Identify desired state

    2.7 Assess SM maturity

    2.8 Assess OCM capabilities

    3.1 Document overall themes

    3.2 List individual initiatives

    4.1 Document current state

    4.2 List future vision

    Guided Implementations

    • Kick-off the project
    • Build the project team
    • Complete the charter
    • Understand current state
    • Determine target state
    • Build the roadmap based on current and target state
    • Build short- and long-term visions and initiative list

    Onsite Workshop

    Module 1: Launch the project

    Module 2: Assess current service management maturity

    Module 3: Complete the roadmap

    Module 4: Complete the communication slide

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Activities

    Understand Service Management

    1.1 Understand the concepts and benefits of service management.

    1.2 Understand the changing impacting forces that affect your ability to deliver services.

    1.3 Build a compelling vision and mission for your service management program.

    Assess the Current State of Your Service Management Practice

    2.1 Understand attitudes, behaviors, and culture.

    2.2 Assess governance and process ownership needs.

    2.3 Perform SWOT analysis.

    2.4 Define the desired state.

    Complete Current-State Assessment

    3.1 Conduct service management process maturity assessment.

    3.2 Identify organizational change management capabilities.

    3.3 Identify themes for roadmap.

    Build Roadmap and Communication Tool

    4.1 Build roadmap one-pager.

    4.2 Build roadmap communication one-pager.

    Deliverables

    1. Constraints and enablers chart
    2. Service management vision, mission, and values
    1. Action items for cultural improvements
    2. Action items for governance
    3. Identified improvements from SWOT
    4. Defined desired state
    1. Service Management Process Maturity Assessment
    2. Organizational Change Management Assessment
    1. Service management roadmap
    2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

    PHASE 1

    Launch the Project

    Launch the project

    This step will walk you through the following activities:

    • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
    • Assemble a project team with representatives from all major IT teams.
    • Determine project stakeholders and create a plan to convey the benefits of this project.
    • Establish metrics to track the success of the project.

    Step Insights

    • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
    • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
    • The communication slide needs to include the organizational change impact of the roadmap initiatives.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the Project

    Step 1.1 – Kick-off the Project

    Start with an analyst kick-off call:

    • Identify current organization pain points relating to poor service management practices
    • Determine high-level objectives
    • Create a mission statement

    Then complete these activities…

    • Identify potential team members who could actively contribute to the project
    • Identify stakeholders who have a vested interest in the completion of this project

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Step 1.2 – Complete the Charter

    Review findings with analyst:

    • Create the project team; ensure all major IT teams are represented
    • Review stakeholder list and identify communication messages

    Then complete these activities…

    • Establish metrics to complete project planning
    • Complete the project charter

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Use Info-Tech’s project charter to begin your initiative

    1.1 Service Management Roadmap Project Charter

    The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

    The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

    The charter includes the following sections:

    • Mission Statement
    • Goals & Objectives
    • Project Team
    • Project Stakeholders
    • Current State (from phases 2 & 3)
    • Target State (from phases 2 & 3)
    • Target State
    • Metrics
    • Sponsorship Signature
    A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

    Use Info-Tech’s ready-to-use deliverable to customize your mission statement

    Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

    Goals & Objectives

    • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
    • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
    • Determine the target state for each initiative based on current maturity and level of investment available.
    • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
    • Determine the sequence in which initiatives should be deployed.
    • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
    • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
    • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

    Example Mission Statement

    To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

    To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

    To garner support from the right people and obtain executive buy-in for the roadmap.

    Create a well-balanced project team

    The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

    Leader

    • Influence and impact
    • Comprehensive knowledge of IT and the organization
    • Relationship with senior IT management
    • Ability to get things done

    Team Members

    Identify

    The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

    • Service Delivery Managers
    • Director/Manager of Applications
    • Director/Manager of Infrastructure
    • Director/Manager of Service Desk
    • Business Relationship Managers
    • Project Management Office

    Engage & Communicate

    You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

    To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

    The project stakeholders should also be project team members

    When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

    For many of the stakeholders, they also play a critical role in the development of this project.

    Role & Benefits

    • CIO
    • The CIO should be actively involved in the planning stage to help determine current and target stage.

      The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

    • Service Delivery Managers/Process Owners
    • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

      Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

    • IT Steering Committee
    • The Committee should be informed and periodically updated about the progress of the project.

    • Manager/Director – Service Desk
    • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

      Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

    • Manager/Director –Applications & Infrastructure
    • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

      This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

    • Business Relationship Manager
    • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

      This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

    Ensure you get the entire IT organization on board for the project with a well-practiced change message

    Getting the IT team on board will greatly maximize the project’s chance of success.

    One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

    1. Communicate the roadmap initiative

    The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

    2. Communicate the implementation of each process separately

    The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

    Continuously monitor feedback and address concerns throughout the entire process

    • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
    • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

    Articulate the service management initiative to the IT organization

    Spread the word and bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

    Anticipate organizational changes

    The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

    Communicating Change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    The Qualities of Leadership: Leading Change

    Create a project communication plan for your stakeholders

    This project cannot be successfully completed without the support of senior IT management.

    1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
    2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
    3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    1.2

    A screenshot of activity 1.2 is shown.

    Assemble the project team

    Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

    1.3

    A screenshot of activity 1.3 is shown.

    Identify project stakeholders and create a communication plan

    Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

    1.4

    A screenshot of activity 1.4 is shown.

    Use metrics to track the success of the project

    The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

    PHASE 2

    Assess Your Current Service Management State

    Assess your current state

    This step will walk you through the following activities:

    • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
    • Understand your level of completeness for each individual practice.
    • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

    Step Insights

    • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
    • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Determine Your Service Management Current State

    Step 2.1 – Assess Impacting Forces

    Start with an analyst kick-off call:

    • Discuss the impacting forces that can affect the success of your service management program
    • Identify internal and external constraints and enablers
    • Review and interpret how to leverage or mitigate these elements

    Then complete these activities…

    • Present the findings of the organizational context
    • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.2 – Build Vision, Mission, and Values

    Review findings with analyst:

    • Review your service management vision and mission statement and discuss the values

    Then complete these activities…

    • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.3 – Assess Attitudes, Behaviors, and Culture

    Review findings with analyst:

    • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.4 – Assess Governance Needs

    Review findings with analyst:

    • Understand the typical types of governance structure and the differences between management and governance
    • Choose the management structure required for your organization

    Then complete these activities…

    • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.5 – Perform SWOT Analysis

    Review findings with analyst:

    • Discuss SWOT analysis results and tactics for addressing within the roadmap

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.6 – Identify Desired State

    Review findings with analyst:

    • Discuss desired state and commitment needed to achieve aspects of the desired state

    Then complete these activities…

    • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
    • Prep for the SM maturity assessment

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.7 – Perform SM Maturity Assessment

    Review findings with analyst:

    • Review and interpret the output from your service management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Service Management Maturity Assessment

    Step 2.8 – Review OCM Capabilities

    Review findings with analyst:

    • Review and interpret the output from your organizational change management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Organizational Change Management Assessment

    Understand and assess impacting forces – constraints and enablers

    Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

    A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

    Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

    Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

    The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

    Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


    Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

    Document constraints and enablers

    1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
    2. Use this as a thought provoker in later exercises.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Organizational context constraints and enablers

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Build compelling vision and mission statements to set the direction of your service management program

    While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

    A vision statement describes the intended state of your service management organization, expressed in the present tense.

    A mission statement describes why your service management organization exists.

    Your organizational values state how you will deliver services.

    Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

    The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

    If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

    A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

    Document your organization’s vision, mission , and values

    1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
    2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
    3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
    4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Vision statement
    • Mission statement
    • Organizational values

    Materials

    • Whiteboards or flip charts
    • Sample vision and mission statements

    Participants

    • All stakeholders
    • Senior leadership

    Understanding attitude, behavior, and culture

    Attitude

    • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

    Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

    Behaviour

    • What people do. This is influenced by attitude and the culture of the organization.

    To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

    Culture

    • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

    The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

    Culture is a critical and under-addressed success factor

    43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

    CIO.com

    75% of organizations cannot identify or articulate their culture or its impact.

    Info-Tech

    “Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

    McKinsey – “Culture for a digital age”

    Examples of how they apply

    Attitude

    • “I’ll believe that when I see it”
    • Positive outlook on new ideas and changes

    Behaviour

    • Saying you’ll follow a new process but not doing so
    • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

    Culture

    • Hero culture (knowledge is power)
    • Blame culture (finger pointing)
    • Collaborative culture (people rally and work together)

    Why have we failed to address attitude, behavior, and culture?

      ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

      ✓ The impact is not well understood.

      ✓ The lack of tangible and visible factors makes it difficult to identify.

      ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

      ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

      ✓ We ignore it (head in the sand and hoping it will fix itself).

    Avoidance has been a common strategy for addressing behavior and culture in organizations.

    Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

    The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

    Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

    Document your organization’s attitudes, behaviors, and culture

    1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
    2. Identify the items that need to be addressed as part of your roadmap.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Culture and environment worksheet

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    The relationship to governance

    Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

    Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

    Executive leadership and governing bodies must lead and support cultural change.

    Key Points

    • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
    • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

    Lack of oversight often limits the value of service management implementations

    Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

    Risk Mitigation

    • Stabilize IT
    • Service Desk
    • Incident Management
    • Change Management

    Gap

    • Organizational alignment through governance
    • Disciplined focus on goals of SM

    Value Production

    • Value that meets business and consumer needs

    This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

    How does establishing governance for service management provide value?

    Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

    Once in place, effective governance enables success for organizations by:

    1. Ensuring service management processes improve business value
    2. Measuring and confirming the value of the service management investment
    3. Driving a focus on outcome and impact instead of simply process adherence
    4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
    5. Driving customer-experience focus within organizations
    6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

    Four common service management process ownership models

    Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

    An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

    Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

    Info-Tech Insight

    The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

    Distributed process ownership

    Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

    The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

    Info-Tech Insight

    This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

    Centralized process ownership

    Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

    A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

    Info-Tech Insight

    This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

    Federated process ownership

    Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

    A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

    Info-Tech Insight

    Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

    Service management office (SMO)

    SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

    A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

    Info-Tech Insight

    SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

    Determine which process ownership and governance model works best for your organization

    The Service Management Roadmap Presentation Template will help you document process ownership and governance model

    Example:

    Key Goals:

      ☐ Own accountability for changes to core processes

      ☐ Understand systemic nature and dependencies related to processes and services

      ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

      ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

      ☐ Own Service Management and Governance processes and policies

      ☐ Report into ITSM executive or equivalent body

    Membership:

      ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

    Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

    Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

    The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

    Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

    Perform a SWOT analysis

    1. Brainstorm each aspect of the SWOT with an emphasis on:
    • Resources
    • Environment
    • Technologies
    • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.

    Develop and Implement a Security Incident Management Program

    • Buy Link or Shortcode: {j2store}316|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $105,346 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being re-victimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Our Advice

    Critical Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Impact and Result

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Develop and Implement a Security Incident Management Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop and implement a security incident management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare

    Equip your organization for incident response with formal documentation of policies and processes.

    • Develop and Implement a Security Incident Management Program – Phase 1: Prepare
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Information Security Requirements Gathering Tool
    • Incident Response Maturity Assessment Tool
    • Security Incident Management Charter Template
    • Security Incident Management Policy Template
    • Security Incident Management RACI Tool

    2. Operate

    Act with efficiency and effectiveness as new incidents are handled.

    • Develop and Implement a Security Incident Management Program – Phase 2: Operate
    • Security Incident Management Plan
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management Runbook: Credential Compromise
    • Security Incident Management Workflow: Credential Compromise (Visio)
    • Security Incident Management Workflow: Credential Compromise (PDF)
    • Security Incident Management Runbook: Distributed Denial of Service
    • Security Incident Management Workflow: Distributed Denial of Service (Visio)
    • Security Incident Management Workflow: Distributed Denial of Service (PDF)
    • Security Incident Management Runbook: Malware
    • Security Incident Management Workflow: Malware (Visio)
    • Security Incident Management Workflow: Malware (PDF)
    • Security Incident Management Runbook: Malicious Email
    • Security Incident Management Workflow: Malicious Email (Visio)
    • Security Incident Management Workflow: Malicious Email (PDF)
    • Security Incident Management Runbook: Ransomware
    • Security Incident Management Workflow: Ransomware (Visio)
    • Security Incident Management Workflow: Ransomware (PDF)
    • Security Incident Management Runbook: Data Breach
    • Security Incident Management Workflow: Data Breach (Visio)
    • Security Incident Management Workflow: Data Breach (PDF)
    • Data Breach Reporting Requirements Summary
    • Security Incident Management Runbook: Third-Party Incident
    • Security Incident Management Workflow: Third-Party Incident (Visio)
    • Security Incident Management Workflow: Third-Party Incident (PDF)
    • Security Incident Management Runbook: Blank Template

    3. Maintain and optimize

    Manage and improve the incident management process by tracking metrics, testing capabilities, and leveraging best practices.

    • Develop and Implement a Security Incident Management Program – Phase 3: Maintain and Optimize
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Root-Cause Analysis Template
    • Security Incident Report Template
    [infographic]

    Workshop: Develop and Implement a Security Incident Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare Your Incident Response Program

    The Purpose

    Understand the purpose of incident response.

    Formalize the program.

    Identify key players and escalation points.

    Key Benefits Achieved

    Common understanding of the importance of incident response.

    Various business units becoming aware of their roles in the incident management program.

    Formalized documentation.

    Activities

    1.1 Assess the current process, obligations, scope, and boundaries of the incident management program.

    1.2 Identify key players for the response team and for escalation points.

    1.3 Formalize documentation.

    1.4 Prioritize incidents requiring preparation.

    Outputs

    Understanding of the incident landscape

    An identified incident response team

    A security incident management charter

    A security incident management policy

    A list of top-priority incidents

    A general security incident management plan

    A security incident response RACI chart

    2 Develop Incident-Specific Runbooks

    The Purpose

    Document the clear response procedures for top-priority incidents.

    Key Benefits Achieved

    As incidents occur, clear response procedures are documented for efficient and effective recovery.

    Activities

    2.1 For each top-priority incident, document the workflow from detection through analysis, containment, eradication, recovery, and post-incident analysis.

    Outputs

    Up to five incident-specific runbooks

    3 Maintain and Optimize the Program

    The Purpose

    Ensure the response procedures are realistic and effective.

    Identify key metrics to measure the success of the program.

    Key Benefits Achieved

    Real-time run-through of security incidents to ensure roles and responsibilities are known.

    Understanding of how to measure the success of the program.

    Activities

    3.1 Limited scope tabletop exercise.

    3.2 Discuss key metrics.

    Outputs

    Completed tabletop exercise

    Key success metrics identified

    Further reading

    Develop and Implement a Security Incident Management Program

    Create a scalable incident response program without breaking the bank.

    ANALYST PERSPECTIVE

    Security incidents are going to happen whether you’re prepared or not. Ransomware and data breaches are just a few top-of-mind threats that all organizations deal with. Taking time upfront to formalize response plans can save you significantly more time and effort down the road. When an incident strikes, don’t waste time deciding how to remediate. Rather, proactively identify your response team, optimize your response procedures, and track metrics so you can be prepared to jump to action.

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Picture of Céline Gravelines

    Céline Gravelines,
    Senior Research Analyst
    Security, Risk & Compliance Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For

    • A CISO who is dealing with the following:
      • Inefficient use of time and money when retroactively responding to incidents, negatively affecting business revenue and workflow.
      • Resistance from management to adequately develop a formal incident response plan.
      • Lack of closure of incidents, resulting in being re-victimized by the same vector.

    This Research Will Help You

    • Develop a consistent, scalable, and usable incident response program that is not resource intensive.
    • Track and communicate incident response in a formal manner.
    • Reduce the overall impact of incidents over time.
    • Learn from past incidents to improve future response processes.

    This Research Will Also Assist

    • Business stakeholders who are responsible for the following:
    • Improving workflow and managing operations in the event of security incidents to reduce any adverse business impacts.
    • Ensuring that incident response compliance requirements are being adhered to.

    This Research Will Help Them

    • Efficiently allocate resources to improve incident response in terms of incident frequency, response time, and cost.
    • Effectively communicate expectations and responsibilities to users.

    Executive Summary

    Situation

    • Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
    • The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.

    Complication

    • Tracked incidents are often classified into ready-made responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
    • Outcomes of incident response tactics are not formally tracked or communicated, resulting in a lack of comprehensive understanding of trends and patterns regarding incidents, leading to being revictimized by the same vector.
    • Having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.

    Resolution

    • Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
    • This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.

    Info-Tech Insight

    • You will experience incidents. Don’t rely on ready-made responses. They’re too broad and easy to ignore. Save your organization response time and confusion by developing your own specific incident use cases.
    • Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be re-victimized by the same attack vector.
    • Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.

    Data breaches are resulting in major costs across industries

    Per capita cost by industry classification of benchmarked companies (measured in USD)

    This is a bar graph showing the per capita cost by industry classification of benchmarked companies(measured in USD). the companies are, in decreasing order of cost: Health; Financial; Services; Pharmaceutical; Technology; Energy; Education; Industrial; Entertainment; Consumer; Media; Transportation; Hospitality; Retail; Research; Public

    Average data breach costs per compromised record hit an all-time high of $148 (in 2018).
    (Source: IBM, “2018 Cost of Data Breach Study)”

    % of systems impacted by a data breach
    1%
    No Impact
    19%
    1-10% impacted
    41%
    11-30% impacted
    24%
    31-50% impacted
    15%
    > 50% impacted
    % of customers lost from a data breach
    61% Lost
    < 20%
    21% Lost 20-40% 8% Lost
    40-60%
    6% Lost
    60-80%
    4% Lost
    80-100%
    % of customers lost from a data breach
    58% Lost
    <20%
    25% Lost
    20-40%
    9% Lost
    40-60%
    5% Lost
    60-80%
    4% Lost
    80-100%

    Source: Cisco, “Cisco 2017 Annual Cybersecurity Report”

    Defining what is security incident management

    IT Incident

    Any event not a part of the standard operation of a service which causes, or may cause, the interruption to, or a reduction in, the quality of that service.

    Security Event:

    A security event is anything that happens that could potentially have information security implications.

    • A spam email is a security event because it may contain links to malware.
    • Organizations may be hit with thousands or perhaps millions of identifiable security events each day.
    • These are typically handled by automated tools or are simply logged.

    Security Incident:

    A security incident is a security event that results in damage such as lost data.

    • Incidents can also include events that don't involve damage but are viable risks.
    • For example, an employee clicking on a link in a spam email that made it through filters may be viewed as an incident.

    It’s not a matter of if you have a security incident, but when

    The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.

    1. A formalized incident response program reduced the average cost of a data breach (per capita) from $148 to $134, while third-party involvement increased costs by $13.40.
    2. US organizations lost an average of $7.91 million per data breach as a result of increased customer attrition and diminished goodwill. Canada and the UK follow suit at $1.57 and $1.39 million, respectively.
    3. 73% of breaches are perpetrated by outsiders, 50% are the work of criminal groups, and 28% involve internal actors.
    4. 55% of companies have to manage fallout, such as reputational damage after a data breach.
    5. The average cost of a data breach increases by $1 million if left undetected for > 100 days.

    (Sources: IBM, “2018 Cost of Data Breach Study”; Verizon, “2017 Data Breach Investigations Report”; Cisco, “Cisco 2018 Annual Cybersecurity Report”)

    Threat Actor Examples

    The proliferation of hacking techniques and commoditization of hacking tools has enabled more people to become threat actors. Examples include:
    • Organized Crime Groups
    • Lone Cyber Criminals
    • Competitors
    • Nation States
    • Hacktivists
    • Terrorists
    • Former Employees
    • Domestic Intelligence Services
    • Current Employees (malicious and accidental)

    Benefits of an incident management program

    Effective incident management will help you do the following:

    Improve efficacy
    Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.

    Improve threat detection, prevention, analysis, and response
    Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework.

    Improve visibility and information sharing
    Promote both internal and external information sharing to enable good decision making.

    Create and clarify accountability and responsibility
    Establish a clear level of accountability throughout the incident response program, and ensure role responsibility for all tasks and processes involved in service delivery.

    Control security costs
    Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction.

    Identify opportunities for continuous improvement
    Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.

    Impact

    Short term:
    • Streamlined security incident management program.
    • Formalized and structured response process.
    • Comprehensive list of operational gaps and initiatives.
    • Detailed response runbooks that predefine necessary operational protocol.
    • Compliance and audit adherence.
    Long term:
    • Reduced incident costs and remediation time.
    • Increased operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhanced security pressure posture.
    • Improved communication with executives about relevant security risks to the business.
    • Preserved reputation and brand equity.

    Incident management is essential for organizations of any size

    Your incidents may differ, but a standard response ensures practical security.

    Certain regulations and laws require incident response to be a mandatory process in organizations.

    Compliance Standard Examples Description
    Federal Information Security Modernization Act (FISMA)
    • Organizations must have “procedures for detecting, reporting, and responding to security incidents” (2002).
    • They must also “inform operators of agency information systems about current and potential information security threats and vulnerabilities.”
    Federal Information Processing Standards (FIPS)
    • “Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.”
    Payment Card Industry Data Security Standard (PCI DSS v3)
    • 12.5.3: “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.”
    Health Insurance Portability and Accountability Act (HIPAA)
    • 164.308: Response and Reporting – “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

    Security incident management is applicable to all verticals

    Examples:
    • Finance
    • Insurance
    • Healthcare
    • Public administration
    • Education services
    • Professional services
    • Scientific and technical services

    Maintain a holistic security operations program

    Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential. Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape. Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Info-Tech’s incident response blueprint is one of four security operations initiatives

    Design and Implement a Vulnerability Management Program Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Vulnerability Tracking Tool
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template
    • Vulnerability Mitigation Process Template
    Integrate Threat Intelligence Into Your Security Operations Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    • Threat Intelligence Maturity Assessment Tool
    • Threat Intelligence RACI Tool
    • Threat Intelligence Management Plan Template
    • Threat Intelligence Policy Template
    • Threat Intelligence Alert Template
    • Threat Intelligence Alert and Briefing Cadence Schedule Template
    Develop Foundational Security Operations Processes Operations
    Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. These analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
    • Security Operations Maturity Assessment Tool
    • Security Operations Event Prioritization Tool
    • Security Operations Efficiency Calculator
    • Security Operations Policy
    • In-House vs. Outsourcing Decision-Making Tool
    • Seccrimewareurity Operations RACI Tool
    • Security Operations TCO & ROI Comparison Calculator
    Develop and Implement a Security Incident Management Program Incident Response (IR)
    Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. Incident response teams coordinate root cause and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
    Security Incident Management Policy
    • Security Incident Management Plan
    • Incident Response Maturity Assessment Tool
    • Security Incident Runbook Prioritization Tool
    • Security Incident Management RACI Tool
    • Various Incident Management Runbooks

    Understand how incident response ties into related processes

    Info-Tech Resources:
    Business Continuity Plan Develop a Business Continuity Plan
    Disaster Recovery Plan Create a Right-Sized Disaster Recovery Plan
    Security Incident Management Develop and Implement a Security Incident Management Program
    Incident Management Incident and Problem Management
    Service Desk Standardize the Service Desk

    Develop and Implement a Security Incident Management Program – project overview

    1. Prepare 2. Operate 3. Maintain and Optimize
    Best-Practice Toolkit 1.1 Establish the Drivers, Challenges, and Benefits.

    1.2 Examine the Security Incident Landscape and Trends.

    1.3 Understand Your Security Obligations, Scope, and Boundaries.

    1.4 Gauge Your Current Process to Identify Gaps.

    1.5 Formalize the Security Incident Management Charter.

    1.6 Identify Key Players and Develop a Call Escalation Tree.

    1.7 Develop a Security Incident Management Policy.

    2.1 Understand the Incident Response Framework.

    2.2 Understand the Purpose of Runbooks.

    2.3 Prioritize the Development of Incident-Specific Runbooks.

    2.4 Develop Top-Priority Runbooks.

    2.5 Fill Out the Root-Cause Analysis Template.

    2.6 Customize the Post-Incident Review Questions Tracking Tool to Standardize Useful Questions for Lessons-Learned Meetings.

    2.7 Complete the Security Incident Report Template.

    3.1 Conduct Tabletop Exercises.

    3.2 Initialize a Security Incident Management Metrics Program.

    3.3 Leverage Best Practices for Continuous Improvement.

    Guided Implementations Understand the incident response process, and define your security obligations, scope, and boundaries.

    Formalize the incident management charter, RACI, and incident management policy.
    Use the framework to develop a general incident management plan.

    Prioritize and develop top-priority runbooks.
    Develop and facilitate tabletop exercises.

    Create an incident management metrics program, and assess the success of the incident management program.
    Onsite Workshop Module 1:
    Prepare for Incident Response
    Module 2:
    Handle Incidents
    Module 3:
    Review and Communicate Security Incidents
    Phase 1 Outcome:
  • Formalized stakeholder support
  • Security Incident Management Policy
  • Security Incident Management Charter
  • Call Escalation Tree
  • Phase 2 Outcome:
    • A generalized incident management plan
    • A prioritized list of incidents
    • Detailed runbooks for top-priority incidents
    Phase 3 Outcome:
    • A formalized tracking system for benchmarking security incident metrics.
    • Recommendations for optimizing your security incident management processes.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities
    • Kick off and introductions.
    • High-level overview of weekly activities and outcomes.
    • Understand the benefits of security incident response management.
    • Formalize stakeholder support.
    • Assess your current process, obligations, and scope.
    • Develop RACI chart.
    • Define impact and scope.
    • Identify key players for the threat escalation protocol.
    • Develop a security incident response policy.
    • Develop a general security incident response plan.
    • Prioritize incident-specific runbook development.
    • Understand the incident response process.
    • Develop general and incident-specific call escalation trees.
    • Develop specific runbooks for your top-priority incidents (e.g. ransomware).
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Develop specific runbooks for your next top-priority incidents:
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Determine key metrics to track and report.
    • Develop post-incident activity documentation.
    • Understand best practices for both internal and external communication.
    • Finalize key deliverables created during the workshop.
    • Present the security incident response program to key stakeholders.
    • Workshop executive presentation and debrief.
    • Finalize main deliverables.
    • Schedule subsequent Analyst Calls.
    • Schedule feedback call.
    Deliverables
    • Security Incident Management Maturity Checklist ‒ Preliminary
    • Security Incident Management RACI Tool
    • Security Incident Management Policy
    • General incident management plan
    • Security Incident Management Runbook
    • Development prioritization
    • Prioritized list of runbooks
    • Understanding of incident handling process
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Incident-specific runbooks for two incidents (including threat escalation criteria and Visio workflow)
    • Discussion points for review with response team
    • Security Incident Metrics Tool
    • Post-Incident Review Questions Tracking Tool
    • Post-Incident Report Analysis Template
    • Root Cause Analysis Template
    • Post-Incident Review Questions Tracking Tool
    • Communication plans
    • Workshop summary documentation
  • All final deliverables
  • Measured value for Guided Implementations

    Engaging in GIs doesn’t just offer valuable project advice – it also results in significant cost savings.

    GI Purpose Measured Value
    Section 1: Prepare

    Understand the need for an incident response program.
    Develop your incident response policy and plan.
    Develop classifications around incidents.
    Establish your program implementation roadmap.

    Time, value, and resources saved using our classification guidance and templates: 2 FTEs*2 days*$80,000/year = $1,280
    Time, value, and resources saved using our classification guidance and templates:
    2 FTEs*5 days*$80,000/year = $3,200

    Section 2: Operate

    Prioritize runbooks and develop the processes to create your own incident response program:

  • Detect
  • Analyze
  • Contain
  • Eradicate
  • Recover
  • Post-Incident Activity
  • Time, value, and resources saved using our guidance:
    4 FTEs*10 days*$80,000/year = $12,800 (if done internally)

    Time, value, and resources saved using our guidance:
    1 consultant*15 days*$2,000/day = $30,000 (if done by third party)
    Section 3: Maintain and Optimize Develop methods of proper reporting and create templates for communicating incident response to key parties. Time, value, and resources saved using our guidance, templates, and tabletop exercises:
    2 FTEs*3 days*$80,000/year = $1,920
    Total Costs To just get an incident response program off the ground. $49,200

    Insurance company put incident response aside; executives were unhappy

    Organization implemented ITIL, but formal program design became less of a priority and turned more ad hoc.

    Situation

    • Ad hoc processes created management dissatisfaction around the organization’s ineffective responses to data breaches.
    • Because of the lack of formal process, an entirely new security team needed to be developed, costing people their positions.

    Challenges

    • Lack of criteria to categorize and classify security incidents.
    • Need to overhaul the long-standing but ineffective program means attempting to change mindsets, which can be time consuming.
    • Help desk is not very knowledgeable on security.
    • New incident response program needs to be in alignment with data classification policy and business continuity.
    • Lack of integration with MSSP’s ticketing system.

    Next steps:

    • Need to get stakeholder buy-in for a new program.
    • Begin to establish classification/reporting procedures.

    Follow this case study to Phase 1

    Phase 1

    Prepare

    Develop and Implement a Security Incident Management Program

    Phase 1: Prepare

    PHASE 1 PHASE 2 PHASE 3
    Prepare Operate Optimize

    This phase walks you through the following activities:

    1.1 Establish the drivers, challenges, and benefits.
    1.2 Examine the security incident landscape and trends.
    1.3 Understand your security obligations, scope, and boundaries.
    1.4 Gauge your current process to identify gaps.
    1.5 Formalize a security incident management charter.
    1.6 Identify key players and develop a call escalation tree.
    1.7 Develop a security incident management policy.

    This phase involves the following participants:

    • CISO
    • Security team
    • IT staff
    • Business leaders

    Outcomes of this phase

    • Formalized stakeholder support.
    • Security incident management policy.
    • Security incident management charter.
    • Call escalation tree.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Prepare for Incident Response
    Proposed Time to Completion: 3 Weeks
    Step 1.1-1.3 Understand Incident Response Step 1.4-1.7 Begin Developing Your Program
    Start with an analyst kick-off call:
  • Discuss your current incident management status.
  • Review findings with analyst:
  • Review documents.
  • Then complete these activities…
    • Establish your security obligations, scope, and boundaries.
    • Identify the drivers, challenges, and benefits of formalized incident response.
    • Review any existing documentation.
    Then complete these activities…
    • Discuss further incident response requirements.
    • Identify key players for escalation and notifications.
    • Develop the policy.
    • Develop the plan.

    With these tools & templates:
    Security Incident Management Maturity Checklist ‒ Preliminary Information Security Requirements Gathering Tool

    With these tools & templates:
    Security Incident Management Policy
    Security Incident Management Plan
    Phase 1 Results & Insights:

    Ready-made incident response solutions often contain too much coverage: too many irrelevant cases that are not applicable to the organization are accounted for, making it difficult to sift through all the incidents to find the ones you care about. Develop specific incident use cases that correspond with relevant incidents to quickly identify the response process and eliminate ambiguity when handled by different individuals.

    Ice breaker: What is a security incident for your organization?

    1.1 Whiteboard Exercise – 60 minutes

    How do you classify various incident types between service desk, IT/infrastructure, and security?

    • Populate sticky notes with various incidents and assign them to the appropriate team.
      • Who owns the remediation? When are other groups involved? What is the triage/escalation process?
      • What other groups need to be notified (e.g. cyber insurance, Legal, HR, PR)?
      • Are there dependencies among incidents?
      • What are we covering in the scope of this project?

    Microsoft Dynamics 365: Understand the Transition to the Cloud

    • Buy Link or Shortcode: {j2store}350|cart{/j2store}
    • member rating overall impact (scale of 10): 8.7/10 Overall Impact
    • member rating average dollars saved: $94,858 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Your on-premises Dynamics CRM or AX needs updating or replacing, and you’re not sure whether to upgrade or transition to the cloud with the new Microsoft Dynamics 365 platform. You’re also uncertain about what the cost might be or if there are savings to be had with a transition to the cloud for your enterprise resource planning system.
    • The new license model, Apps vs. Plans and Dual Use Rights in the cloud, includes confusing terminology and licensing rules that don’t seem to make sense. This makes it difficult to purchase proper licensing that aligns with your current on-premises setup and to maximize your choices in transition licenses.
    • There are different licensing programs for Dynamics 365 in the cloud. You need to decide on the most cost effective program for your company, for now and for the future.
    • Microsoft is constantly pressuring you to move to the cloud, but you don’t understand the why. You're uncertain if there's real value in such a strategic move right now, or if should you wait awhile.

    Our Advice

    Critical Insight

    • Focus on what’s best for you. Do a thorough current state assessment of your hardware and software needs and consider what will be required in the near future (one to four years).
    • Educate yourself. You should have a good understanding of your options from staying on-premises vs. an interim hybrid model vs. a lift and shift to the cloud.
    • Consider the overall picture. There might not be hard cost savings to be realized in the near term, given the potential increase in licensing costs over a CapEx to OpEx savings.

    Impact and Result

    • Understanding the best time to transition, from a licensing perspective, could save you significant dollars over the next one to four years.
    • Planning and effectively mapping your current licenses to the new cloud user model will maximize your current investment into the cloud and fully leverage all available Microsoft incentives in the process.
    • Gaining the knowledge required to make the most informed transition decision, based on best timing, most appropriate licensing program, and maximized cost savings in the near term.
    • Engaging effectively with Microsoft and a competent Dynamics partner for deployment or licensing needs.

    Microsoft Dynamics 365: Understand the Transition to the Cloud Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should learn about Microsoft Dynamics 365 user-based cloud licensing, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Timing

    Review to confirm if you are eligible for Microsoft cloud transition discounts and what is your best time to move to the cloud.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 1: Timing
    • Microsoft License Agreement Summary Tool
    • Existing CRM-AX License Summary Worksheet

    2. Licensing

    Begin with a review to understand user-based cloud licensing, then move to mapping your existing licenses to the cloud users and plans.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 2: Licensing
    • Microsoft Dynamics 365 On-Premises License Transition Mapping Tool
    • Microsoft Dynamics 365 User License Assignment Tool
    • Microsoft Licensing Programs Brief Overview

    3. Cost review

    Use your cloud mapping activity as well your eligible discounts to estimate your cloud transition licensing costs.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 3: Cost Review
    • Microsoft Dynamics 365 Cost Estimator

    4. Analyze and decide

    Start by summarizing your choice license program, decide on the ideal time, then move on to total cost review.

    • Microsoft Dynamics 365: Understand the Transition to the Cloud – Phase 4: Analyze and Decide
    [infographic]

    Workshop: Microsoft Dynamics 365: Understand the Transition to the Cloud

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand What You Own and What You Can Transition to the Cloud

    The Purpose

    Understand what you own and what you can transition to the cloud.

    Learn which new cloud user licenses to transition.

    Key Benefits Achieved

    All your licenses in one summary.

    Eligible transition discounts.

    Mapping of on-premises to cloud users.

    Activities

    1.1 Validate your discount availability.

    1.2 Summarize agreements.

    1.3 Itemize your current license ownership.

    1.4 Review your timing options.

    1.5 Map your on-premises licenses to the cloud-based, user-based model.

    Outputs

    Current agreement summary

    On-premises to cloud user mapping summary

    Understanding of cloud app and plan features

    2 Transition License Cost Estimate and Additional Costs

    The Purpose

    Estimate cloud license costs and other associated expenses.

    Summarize and decide on the best timing, users, and program.

    Key Benefits Achieved

    Good cost estimate of equivalent cloud user-based licenses.

    Understanding of when and how to move your on-premises licensing to the new Dynamics 365 cloud model.

    Activities

    2.1 Estimate cloud user license costs.

    2.2 Calculate additional costs related to license transitions.

    2.3 Review all activities.

    2.4 Summarize and analyze your decision.

    Outputs

    Cloud user licensing cost modeling

    Summary of total costs

    Validation of costs and transition choices

    An informed decision on your Dyn365 timing, licensing, and costs

    CIO Priorities 2022

    • Buy Link or Shortcode: {j2store}328|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $31,499 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Understand how to respond to trends affecting your organization.
    • Determine your priorities based on current state and relevant internal factors.
    • Assign the right amount of resources to accomplish your vision.
    • Consider what new challenges outside of your control will demand a response.

    Our Advice

    Critical Insight

    A priority is created when external factors hold strong synergy with internal goals and an organization responds by committing resources to either avert risk or seize opportunity. These are the priorities identified in the report:

    1. Reduce Friction in the Hybrid Operating Model
    2. Improve Your Ransomware Readiness
    3. Support an Employee-Centric Retention Strategy
    4. Design an Automation Platform
    5. Prepare to Report on New Environmental, Social, and Governance Metrics

    Impact and Result

    Update your strategic roadmap to include priorities that are critical and relevant for your organization based on a balance of external and internal factors.

    CIO Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. CIO Priorities 2022 – A report on the key priorities for competing in the digital economy.

    Discover Info-Tech’s five priorities for CIOs in 2022.

    • CIO Priorities Report for 2022

    2. Listen to the podcast series

    Hear directly from our contributing experts as they discuss their case studies with Brian Jackson.

    • Frictionless hybrid working: How the Harvard Business School did it
    • Close call with ransomware: A CIO recounts a near security nightmare
    • How a financial services company dodged "The Great Resignation"
    • How Allianz took a blockchain platform from pilot to 1 million transactions
    • CVS Health chairman David Dorman on healthcare's hybrid future

    Infographic

    Further reading

    CIO Priorities 2022

    A jumble of business-related words. Info-Tech’s 2022 Tech Trends survey asked CIOs for their top three priorities. Cluster analysis of their open-ended responses shows four key themes:
    1. Business process improvements
    2. Digital transformation or modernization
    3. Security
    4. Supporting revenue growth or recovery

    Info-Tech’s annual CIO priorities are formed from proprietary primary data and consultation with our internal experts with CIO stature

    2022 Tech Trends Survey CIO Demographic N=123

    Info-Tech’s Tech Trends 2022 survey was conducted between August and September 2021 and collected a total of 475 responses from IT decision makers, 123 of which were at the C-level. Fourteen countries and 16 industries are represented in the survey.

    2022 IT Talent Trends Survey CIO Demographic N=44

    Info-Tech’s IT Talent Trends 2022 survey was conducted between September and October 2021 and collected a total of 245 responses from IT decision makers, 44 of which were at the C-level. A broad range of countries from around the world are represented in the survey.

    Internal CIO Panels’ 125 Years Of Combined C-Level IT Experience

    Panels of former CIOs at Info-Tech focused on interpreting tech trends data and relating it to client experiences. Panels were conducted between November 2021 and January 2022.

    CEO-CIO Alignment Survey Benchmark Completed By 107 Different Organizations

    Info-Tech’s CEO-CIO Alignment program helps CIOs align with their supervisors by asking the right questions to ensure that IT stays on the right path. It determines how IT can best support the business’ top priorities and address the gaps in your strategy. In 2021, the benchmark was formed by 107 different organizations.

    Build IT alignment

    IT Management & Governance Diagnostic Benchmark Completed By 320 Different Organizations

    Info-Tech’s Management and Governance Diagnostic helps IT departments assess their strengths and weaknesses, prioritize their processes and build an improvement roadmap, and establish clear ownership of IT processes. In 2021, the benchmark was formed by data from 320 different organizations.

    Assess your IT processes

    The CIO priorities are informed by Info-Tech’s trends research reports and surveys

    Priority: “The fact or condition of being regarded or treated as more important than others.” (Lexico/Oxford)

    Trend: “A general direction in which something is developing or changing.” (Lexico/Oxford)

    A sequence of processes beginning with 'Sensing', 'Hypothesis', 'Validation', and ending with 'Trends, 'Priorities'. Under Sensing is Technology Research, Interviews & Insights, Gathering, and PESTLE. Under Hypothesis is Near-Future Probabilities, Identify Patterns, Identify Uncertainties, and Identify Human Benefits. Under Validation is Test Hypothesis, Case Studies, and Data-Driven Insights. Under Trends is Technology, Talent, and Industry. Under Priorities is CIO, Applications, Infrastructure, and Security.

    Visit Info-Tech’s Trends & Priorities Research Center

    Image called 'Defining the CIO Priorities for 2022'. Image shows 4 columns, Implications, Resource Investment, Amplifiers, and Actions and Outcomes, with 2 dotted lines, labeled External Context and Internal Context, running through all 4 columns and leading to bottom-right label called CIO Priorities Formed

    The Five Priorities

    Priorities to compete in the digital economy

    1. Reduce Friction in the Hybrid Operating Model
    2. Improve Your Ransomware Readiness
    3. Support an Employee-Centric Retention Strategy
    4. Design an Automation Platform
    5. Prepare to Report on New Environmental, Social, and Governance Metrics

    Reduce friction in the hybrid operating model

    Priority 01 | APO07 Human Resources Management

    Deliver solutions that create equity between remote workers and office workers and make collaboration a joy.

    Hybrid work is here to stay

    CIOs must deal with new pain points related to friction of collaboration

    In 2020, CIOs adapted to the pandemic’s disruption to offices by investing in capabilities to enable remote work. With restrictions on gathering in offices, even digital laggards had to shift to an all-remote work model for non-essential workers.

    Most popular technologies already invested in to facilitate better collaboration

    • 24% Web Conferencing
    • 23% Instant Messaging
    • 20% Document Collaboration

    In 2022, the focus shifts to solving problems created by the new hybrid operating model where some employees are in the office and some are working remotely. Without the ease of collaborating in a central hub, technology can play a role in reducing friction in several areas:

    • Foster more connections between employees. Remote workers are less likely to collaborate with people outside of their department and less likely to spontaneously collaborate with their peers. CIOs should provide a digital employee experience that fosters collaboration habits and keeps workers engaged.
    • Prevent employee attrition. With more workers reevaluating their careers and leaving their jobs, CIOs can help employees feel connected to the overall purpose of the organization. Finding a way to maintain culture in the new context will require new solutions. While conference room technology can be a bane to IT departments, making hybrid meetings effortless to facilitate will be more important.
    • Provide new standards for mediated collaboration. Meeting isn’t as easy as simply gathering around the same table anymore. CIOs need to provide structure around how hybrid meetings are conducted to create equity between all participants. Business continuity processes must also consider potential outages for collaboration services so employees can continue the work despite a major outage.

    Three in four organizations have a “hybrid” approach to work. (Tech Trends 2022 Survey)

    In most organizations, a hybrid model is being implemented. Only 14.9% of organizations are planning for almost everyone to return to the office, and only 9.9% for almost everyone to work remotely.

    Elizabeth Clark

    CIO, Harvard Business School

    "I want to create experiences that are sticky. That keep people coming back and engaging with their colleagues."

    Photo of Elizabeth Clark, CIO, Harvard Business School.

    Listen to the Tech Insights podcast:
    Frictionless hybrid working: How the Harvard Business School did it

    Internal interpretation: Harvard Business School

    • March 2020
      The pandemic disrupts in-class education at Harvard Business School. Their case study method of instruction that depends on in-person, high-quality student engagement is at risk. While students and faculty completed the winter semester remotely, the Dean and administration make the goal to restore the integrity of the classroom experience with equity for both remote and in-person students.
    • May 2020
      A cross-functional task force of about 100 people work intensively, conducting seven formal experiments, 80 smaller tests, and hundreds of polling data points, and a technology and facilities solution is designed: two 4K video cameras capturing both the faculty and the in-class students, new ceiling mics, three 85-inch TV screens, and students joining the videoconference from their laptops. A custom Zoom room, combining three separate rooms, integrated all the elements in one place and integrated with the lecture capture system and learning management system.
    • October 2020
      Sixteen classrooms are renovated to install the new solution. Students return to the classroom but in lower numbers due to limits on in-room capacity, but students rotate between the in-person and remote experience.
    • September 2021
      Renovations for the hybrid solution are complete in 26 classrooms and HBS has determined this will be its standard model for the classroom. The case method of teaching is kept alive and faculty and students are thrilled with the results.
    • November 2021
      HBS is adapting its solution for the classroom to its conference rooms and has built out eight different rooms for a hybrid experience. The 4K cameras and TV screens capture all participants in high fidelity as well as the blackboard.

    Photo of a renovated classroom with Zoom participants integrated with the in-person students.
    The renovated classrooms integrate all students, whether they are participating remotely or in person. (Image courtesy of Harvard Business School.)

    Implications: Organization, Process, Technology

    External

    • Organization – About half of IT practitioners in the Tech Trends 2022 survey feel that IT leaders, infrastructure and operations teams, and security teams were “very busy” in 2021. Capacity to adapt to hybrid work could be constrained by these factors.
    • Process – Organizations that want employees to benefit from being back in the office will have to rethink how workers can get more value out of in-person meetings that also require videoconference participation with remote workers.
    • Technology – Fifty-four percent of surveyed IT practitioners say the pandemic raised IT spending compared to the projections they made in 2020. Much of that investment went into adapting to a remote work environment.

    Internal

    • Organization – HBS added 30 people to its IT staff on term appointments to develop and implement its hybrid classroom solutions. Hires included instructional designers, support technicians, coordinators, and project managers.
    • Process – Only 25 students out of the full capacity of 95 could be in the classroom due to COVID-19 regulations. On-campus students rotated through the classroom seats. An app was created to post last-minute seat availability to keep the class full.
    • Technology – A Zoom room was created that combines three rooms to provide the full classroom experience: a view of the instructor, a clear view of each student that enlarges when they are speaking, and a view of the blackboard.

    Resources Applied

    Appetite for Technology

    CIOs and their direct supervisors both ranked internal collaboration tools as being a “critical need to adopt” in 2021, according to Info-Tech’s CEO-CIO Alignment Benchmark Report.

    Intent to Invest

    Ninety-seven percent of IT practitioners plan to invest in technology to facilitate better collaboration between employees in the office and outside the office by the end of 2022, according to Info-Tech’s 2022 Tech Trends survey.

    “We got so many nice compliments, which you don’t get in IT all the time. You get all the complaints, but it’s a rare case when people are enthusiastic about something that was delivered.” (Elizabeth Clark, CIO, Harvard Business School)

    Harvard Business School

    • IT staff were reassigned from other projects to prioritize building a hybrid classroom solution. A cloud migration and other portfolio projects were put on pause.
    • The annual capital A/V investment was doubled. The amount of spend on conference rooms was tripled.
    • Employees were hired to the media services team at a time when other areas of the organization were frozen.

    Outcomes at Harvard Business School

    The new normal at Harvard Business School

    New normal: HBS has found its new default operating model for the classroom and is extending its solution to its operating environment.

    Improved CX: The high-quality experience for students has helped avoid attrition despite the challenges of the pandemic.

    Engaged employees: The IT team is also engaged and feels connected to the mission of the school.

    Photo of a custom Zoom room bringing together multiple view of the classroom as well as all remote students.
    A custom Zoom room brings together multiple different views of the classroom into one single experience for remote students. (Image courtesy of Harvard Business School.)

    From Priorities to Action

    Make hybrid collaboration a joy

    Align with your organization’s goals for collaboration and customer interaction, with the target of high satisfaction for both customers and employees. Invest in capital projects to improve the fidelity of conference rooms, develop and test a new way of working, and increase IT capacity to alleviate pressure points.

    Foster both asynchronous and synchronous collaboration approaches to avoid calendars filling up with videoconference meetings to get things done and to accommodate workers contributing from across different time zones.

    “We’ll always have hybrid now. It’s opened people’s eyes and now we’re thinking about the future state. What new markets could we explore?” (Elizabeth Clark, CIO, Harvard Business School)

    Take the next step

    Run Better Meetings
    Hybrid, virtual, or in person – set meeting best practices that support your desired meeting norms.

    Prepare People Leaders for the Hybrid Work Environment
    Set hybrid work up for success by providing people leaders with the tools they need to lead within the new model.

    Hoteling and Hot-Desking: A Primer
    What you need to know regarding facilities, IT infrastructure, maintenance, security, and vendor solutions for desk hoteling and hot-desking.

    “Human Resources Management” gap between importance and effectiveness
    Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

    A bar chart illustrating the Human Resources Management gap between importance and effectiveness. The difference is marked as Delta 2.3.

    Improve your ransomware readiness

    Priority 02 | APO13 Security Strategy

    Mitigate the damage of successful ransomware intrusions and make recovery as painless as possible.

    The ransomware crisis threatens every organization

    Prevention alone won’t be enough against the forces behind ransomware.

    Cybersecurity is always top of mind for CIOs but tends to be deprioritized due to other demands related to digital transformation or due to cost pressures. That’s the case when we examine our data for this report.

    Cybersecurity ranked as the fourth-most important priority by CIOs in Info-Tech’s 2022 Tech Trends survey, behind business process improvement, digital transformation, and modernization. Popular ways to prepare for a successful attack include creating offline backups, purchasing insurance, and deploying new solutions to eradicate ransomware.

    CIOs and their direct supervisors ranked “Manage IT-Related Security” as the third-most important top IT priority on Info-Tech’s CEO-CIO Alignment Benchmark for 2021, in support of business goals to manage risk, comply with external regulation, and ensure service continuity.

    Most popular ways for organizations to prepare for the event of a successful ransomware attack:

    • 25% Created offline backups
    • 18% Purchased cyberinsurance
    • 19% New tech to eradicate ransomware

    Whatever priority an organization places on cybersecurity, when ransomware strikes, it quickly becomes a red alert scenario that disrupts normal operations and requires all hands on deck to respond. Sophisticated attacks executed at wide scale demonstrate that security can be bypassed without creating an alert. After that’s accomplished, the perpetrators build their leverage by exfiltrating data and encrypting critical systems.

    CIOs can plan to mitigate ransomware attacks in several constructive ways:

    • Business impact analysis. Determine the costs of an outage for specific periods and the system and data recovery points in time.
    • Engage a partner for 24/7 monitoring. Gain real-time awareness of your critical systems.
    • Review your identity access management (IAM) policies. Use of multi-factor authentication and limiting access to only the roles that need it reduces ransomware risk.

    50% of all organizations spent time and money specifically to prevent ransomware in the past year. (Info-Tech Tech Trends 2022 Survey)

    John Doe

    CIO, mid-sized manufacturing firm in the US

    "I want to create experiences that are sticky. That keep people coming back and engaging with their colleagues."

    Blank photo.

    Listen to the Tech Insights podcast:
    Close call with ransomware: a CIO recounts a near security nightmare

    Internal interpretation: US-based, mid-sized manufacturing firm

    • May 1, 2021
      A mid-sized manufacturing firm (“The Firm”) CIO gets a call from his head of security about odd things happening on the network. A call is made to Microsoft for support. Later that night, the report is that an unwanted crypto-mining application is the culprit. But a couple of hours later, that assessment is proven wrong when it’s realized that hundreds of systems are staged for a ransomware attack. All the attacker has to do is push the button.
    • May 2, 2021
      The Firm disconnects all its global sites to cut off new pathways for the malware to infect. All normal operations cease for 24 hours. It launches its cybersecurity insurance process. The CIO engages a new security vendor, CrowdStrike, to help respond. Employees begin working from home if they can so they can make use of their own internet service. The Firm has cut off its public internet connectivity and is severed from cloud services such as Azure storage and collaboration software.
    • May 4, 2021
      The hackers behind the attack are revealed by security forensics experts. A state-sponsored agency in Russia set up the ransomware and left it ready to execute. It sold the staged attack to a cybercriminal group, Doppel Spider. According to CrowdStrike, the group uses malware to run “big game hunting operations” and targets 18 different countries including the US and multiple industries, including manufacturing.
    • May 10, 2021
      The Firm has totally recovered from the ransomware incident and avoided any serious breach or paying a ransom. The CIO worked more hours than at any other point in his career, logging an estimated 130 hours over the two weeks.
    • November 2021
      The Firm never previously considered itself a ransomware target but has now reevaluated that stance. It has hired a service provider to run a security operations center on a 24/7 basis. It's implemented a more sophisticated detection and response model and implemented multi-factor authentication. It’s doubled its security spend in 2021 and will invest more in 2022.

    “Now we take the approach that if someone does get in, we're going to find them out.” (John Doe, CIO, “The Firm”)

    Implications: Organization, Process, Technology

    External

    • Organization – Organizations must consider how their employees play a role in preventing ransomware and plan for training to recognize phishing and other common traps. They must make plans for employees to continue their work if systems are disrupted by ransomware.
    • Process – Backup processes across multiple systems should be harmonized to have both recent and common points to recover from. Work with the understanding IT will have to take systems offline if ransomware is discovered and there is no time to ask for permission.
    • Technology – Organizations can benefit from security services provided by a forensics-focused vendor. Putting cybersecurity insurance in place not only provides financial protection but also guidance in what to do and which vendors to work with to prevent and recover from ransomware.

    Internal

    • Organization – The Firm was prepared with a business continuity plan to allow many of its employees to work remotely, which was necessary because the office network was incapacitated for ten days during recovery.
    • Process – Executives didn’t seek to assign blame for the security incident but took it as a signal there were some new costs involved to stay in business. It initiated new outsource relationships and hired one more full-time employee to shore up security resources.
    • Technology – New ransomware eradication software was deployed to 2,000 computers. Scripted processes automated much of the work, but in some cases full system rebuilds were required. Backup systems were disconnected from the network as soon as the malware was discovered.

    Resources Applied

    Consider the Alternative

    Organizations should consider how much a ransomware attack on critical systems would cost them if they were down for a minimum of 24-48 hours. Plan to invest an amount at least equal to the costs of that downtime.

    Ask for ID

    Implementing across-the-board multi-factor authentication reduces chances of infection and is cheap, with enterprise solutions ranging from $2 to $5 per user on average. Be strict and deny access when connections don’t authenticate.

    “You'll never stop everything from getting into the network. You can still focus on stopping the bad actors, but then if they do make it in, make sure they don't get far.” (John Doe, CIO, “The Firm”)

    “The Firm” (Mid-Sized Manufacturer)

    • During the crisis, The Firm paused all activities and focused solely on isolating and eliminating the ransomware threat.
    • New outsourcing relationship with a vendor provides a 24/7 Security Operations Center.
    • One more full-time employee on the security team.
    • Doubled investment in security in 2021 and will spend more in 2022.

    Outcomes at “The Firm” (Mid-Sized Manufacturer)

    The new cost of doing business

    Real-time security: While The Firm is still investing in prevention-based security, it is also developing its real-time detection and response capabilities. When ransomware makes it through the cracks, it wants to know as soon as possible and stop it.

    Leadership commitment: The C-suite is taking the experience as a wake-up call that more investment is required in today’s threat landscape. The Firm rates security more highly as an overall organizational goal, not just something for IT to worry about.

    Stock photo of someone using their phone while sitting at a computer, implying multi-factor authentication.
    The Firm now uses multi-factor authentication as part of its employee sign-on process. For employees, authenticating is commonly achieved by using a mobile app that receives a secret code from the issuer.

    From Priorities to Action

    Cybersecurity is everyone’s responsibility

    In Info-Tech’s CEO-CIO Alignment Benchmark for 2021, the business goal of “Manage Risk” was the single biggest point of disagreement between CIOs and their direct supervisors. CIOs rank it as the second-most important business goal, while CEOs rank it as sixth-most important.

    Organizations should align on managing risk as a top priority given the severity of the ransomware threat. The threat actors and nature of the attacks are such that top leadership must prepare for when ransomware hits. This includes halting operations quickly to contain damage, engaging third-party security forensics experts, and coordinating with government regulators.

    Cybersecurity strategies may be challenged to be effective without creating some friction for users. Organizations should look beyond multi-layer prevention strategies and lean toward quick detection and response, spending evenly across prevention, detection, and response solutions.

    Take the next step

    Create a Ransomware Incident Response Plan
    Don’t be the next headline. Determine your current readiness, response plan, and projects to close gaps.

    Simplify Identity and Access Management
    Select and implement IAM and produce vendor RFPs that will contain the capabilities you need, including multi-factor authentication.

    Cybersecurity Series Featuring Sandy Silk
    More from Info-Tech’s Senior Workshop Director Sandy Silk in this video series created while she was still at Harvard University.

    Gap between CIOs and CEOs in points allocated to “Manage risk” as a top business goal

    A bar chart illustrating the gap between CIOs and CEOs in points allocated to 'Manage risk' as a top business goal. The difference is marked as Delta 1.5.

    Support an employee-centric retention strategy

    Priority 03 | ITRG02 Leadership, Culture & Values

    Avoid being a victim of “The Great Resignation” by putting employees at the center of an experience that will engage them with clear career path development, purposeful work, and transparent feedback.

    Defining an employee-first culture that improves retention

    The Great resignation isn’t good for firms

    In 2021, many workers decided to leave their jobs. Working contexts were disrupted by the pandemic and that saw non-essential workers sent home to work, while essential workers were asked to continue to come into work despite the risks of COVID-19. These disruptions may have contributed to many workers reevaluating their professional goals and weighing their values differently. At the same time, 2021 saw a surging economy and many new job opportunities to create a talent-hungry market. Many workers could have been motivated to take a new opportunity to increase their salary or receive other benefits such as more flexibility.

    Annual turnover rate for all us employees on the rise

    • 20% – Jan.-Aug. 2020, Dipped from 22% in 2019
    • 25% Jan.-Aug. 2021, New record high
    • Data from Visier Inc.

    When you can’t pay them, develop them

    IT may be less affected than other departments by this trend. Info-Tech’s 2022 IT Talent Trends Report shows that on average, estimated turnover rate in IT is lower than the rest of the organization. Almost half of respondents estimated their organization’s voluntary turnover rate was 10% or higher. Only 30% of respondents estimate that IT’s voluntary turnover rate is in the same range. However, CIOs working in industries with the highest turnover rates will have to work to keep their workers engaged and satisfied, as IT skills are easily transferred to other industries.

    49% ranked “enabling learning & development within IT” as high priority, more than any other single challenge. (IT Talent Trends 2022 Survey, N=227)

    A bar chart of 'Industries with highest turnover rates (%)' with 'Leisure and Hospitality' at 6.4%, 'Trade, Transportation & Utilities' at 3.6%, 'Professional and Business' at 3.3%, and 'Other Services' at 3.1%. U.S. Bureau of Labor Statistics, 2022.

    Jeff Previte

    Executive Vice-President of IT, CrossCountry Mortgage

    “We have to get to know the individual at a personal level … Not just talking about the business, but getting to know the person."

    Photo of Jeff Previte, Executive Vice-President of IT, CrossCountry Mortgage.

    Listen to the Tech Insights podcast:
    How a financial services company dodged ‘The Great Resignation’

    Internal interpretation: CrossCountry Mortgage

    • May 2019
      Jeff Previte joins Cleveland, Ohio-based CrossCountry Mortgage in the CIO role. The company faces a challenge with employee turnover, particularly in IT. The firm is a sales-focused organization and saw its turnover rate reach as high as 60%. Yet Previte recognized that IT had some meaningful goals to achieve and would need to attract – and retain – some higher caliber talent. His first objective in his new role was to meet with IT employees and business leadership to set priorities.
    • July 2019
      Previte takes a “people-first” approach to leadership and meets his staff face-to-face to understand their personal situations. He sets to work on defining roles and responsibilities in the organization, spending about a fifth of his time on defining the strategy.
    • June 2020
      Previte assigned his leadership team to McLean & Company’s Design an Impactful Employee Development Program. From there, the team developed a Salesforce tool called the Career Development Workbook. “We had some very passionate developers and admins that wanted to build a home-grown tool,” he says. It turns McLean & Company’s process into a digital tool employees can use to reflect on their careers and explore their next steps. It helps facilitate development conversations with managers.
    • January 2021
      CrossCountry Mortgage changes its approach to career development activities. Going to external conferences and training courses is reduced to just 30% of that effort. The rest is by doing hands-on work at the company. Previte aligned with his executives and road-mapped IT projects annually. Based on employee’s interests, opportunities are found to carve out time from usual day-to-day activities to spend time on a project in a new area. When there’s a business need, someone internally can be ready to transition roles.
    • June 2021
      In the two years since joining the company, Previte has reduced the turnover rate to just 12%. The IT department has grown to more adequately meet the needs of the business and employees are engaged with more opportunities to develop their careers. Instead of focusing on compensation, Previte focused more on engaging employees with a developmentally dedicated environment and continuous hands-on learning.

    “It’s come down to a culture shift. Folks have an idea of where we’re headed as an organization, where we’re headed as an IT team, and how their role contributes to that.” (Jeff Previte, EVP of IT, CrossCountry Mortgage)

    Implications: Organization, Process, Technology

    External

    • Organization – A high priority is being placed on improving IT’s maturity through its talent. Enabling learning and development in IT, enabling departmental innovation, and recruiting are the top three highest priorities according to IT Talent Trends 2022 survey responses.
    • Process – Recruiting is more challenging for industries that operate primarily onsite, according to McLean & Company's 2022 HR Trends Report. They face more challenges attracting applications, more rejected offers, and more candidate ghosting compared to remote-capable industries.
    • Technology – Providing a great employee experience through digital tools is more important as many organizations see a mix of workers in the office and at home. These tools can help connect colleagues, foster professional development, and improve the candidate experience.

    Internal

    • Organization – CrossCountry Mortgage faced a situation where IT employees did not have clarity on their roles and responsibilities. In terms of salary, it wasn’t offering at the high end compared to other employers in Cleveland.
    • Process – To foster a culture of growth and development, CrossCountry Mortgage put in place a performance assessment system that encouraged reflection and goal setting, aided by collaboration with a manager.
    • Technology – The high turnover rate was limiting CrossCountry Mortgage from achieving the level of maturity it needed to support the company’s goals. It ingrained its new PA process with a custom build of a Salesforce tool.

    Resources Applied

    Show me the money

    Almost six in ten Talent Trends survey respondents identified salary and compensation as the reason that employees resigned in the past year. Organizations looking to engage employees must first pay a fair salary according to market and industry conditions.

    Build me up

    Professional development and opportunity for innovative work are the next two most common reasons for resignations. Organizations must ensure they create enough capacity to allow workers time to spend on development.

    “Building our own solution created an element of engagement. There was a sense of ownership that the team had in thinking through this.” (Jeff Previte, CrossCountry Mortgage)

    CrossCountry Mortgage

    • Executive time: CIO spends 10-20% of his time on activities related to designing the approach.
    • Leveraged memberships with Info-Tech Research Group and McLean & Company to define professional development process.
    • Internal IT develops automated workflow in Salesforce.
    • Hired additional IT staff to build out overall capacity and create time for development activities.

    Outcomes at CrossCountry Mortgage

    Engaged IT workforce

    The Great Maturation: IT staff turnover rate dropped to 10-12% and IT talent is developing on the job to improve the department’s overall skill level. More IT staff on hand and more engaged workers mean IT can deliver higher maturity level results.

    Alignment achieved: Connecting IT’s initiatives to the vision of the C-suite creates a clear purpose for IT in its initiatives. Staff understand what they need to achieve to progress their careers and can grow while they work.

    Photo of employees from CrossCountry Mortgage assisting with a distribution event.
    Employees from CrossCountry Mortgage headquarters assist with a drive-thru distribution event for the Cleveland Food Bank on Dec. 17, 2021. (Image courtesy of CrossCountry Mortgage.)

    From Priorities to Action

    Staff retention is a leadership priority

    The Great Resignation trend is bringing attention to employee engagement and staff retention. IT departments are busier than ever during the pandemic as they work overtime to keep up with a remote workforce and new security threats. At the same time, IT talent is among the most coveted on the market.

    CIOs need to develop a people-first approach to improve the employee experience. Beyond compensation, IT workers need clarity in terms of their career paths, a direct connection between their work and the goals of the organization, and time set aside for professional development.

    Info-Tech’s 2021 benchmark for “Leadership, Culture & Values” shows that most organizations rate this capability very highly (9) but see room to improve on their effectiveness (6.9).

    Take the next step

    IT Talent Trends 2022
    See how IT talent trends are shifting through the pandemic and understand how themes like The Great Resignation has impacted IT.

    McLean & Company’s Modernize Performance Management
    Customize the building blocks of performance management to best fit organizational needs to impact individual and organizational performance, productivity, and engagement.

    Redesign Your IT Organizational Structure
    Define future-state work units, roles, and responsibilities that will enable the IT organization to complete the work that needs to be done.

    “Leadership, Culture & Values” gap between importance and effectiveness
    Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

    A bar chart illustrating the 'Leadership, Culture & Values' gap between importance and effectiveness. The difference is marked as Delta 2.1.

    Design an automation platform

    Priority 04 | APO04 Innovation

    Position yourself to buy or build a platform that will enable new automation opportunities through seamless integration.

    Build it or buy it, but platform integration can yield great benefits

    Necessity is the mother of innovation

    When it’s said that digital transformation accelerated during the pandemic, what’s really meant is that processes that were formerly done manually became automated through software. In responses to the Tech Trends survey, CIOs say digital transformation was more of a focus during the pandemic, and eight in ten CIOs also say they shifted more than 20% of their organization’s processes to digital during the pandemic. Automating tasks through software can be called digitalization.

    Most organizations became more digitalized during the pandemic. But how they pursued it depends on their IT maturity. For digital laggards, partnering with a technology services platform is the path of least resistance. For sophisticated innovators, they can consider building a platform to address the specific needs of their business process. Doing so requires the foundation of an existing “digital factory” or innovation arm where new technologies can be tested, proofs of concept developed, and external partnerships formed. Patience is key with these efforts, as not every investment will yield immediate returns and some will fail outright.

    Build it or buy it, platform participants integrate with their existing systems through application programming interfaces (APIs). Organizations should determine their platform strategies based on maturity, then look to integrate the business processes that will yield the most gains.

    What role should you play in the platform ecosystem?

    A table with levels on the maturity ladder laid out as a sprint. Column headers are maturity levels 'Struggle', 'Support', 'Optimize', 'Expand', and 'Transform', row headers are 'Maturity' and 'Role'. Roles are assigned to one or many levels. 'Improve' is solely under Struggle. 'Integrate' spans from Support to Transform. 'Buy' spans Support to Expand. 'Build' begins midway through Expand and all of Transform. 'Partner' spans from Optimize to halfway through Transform.

    68% of CIOs say digital transformation became much more of a focus for their organization during the pandemic (Info-Tech Tech Trends 2022 Survey)

    Bob Crozier

    Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE

    "Smart contracts are really just workflows between counterparties."

    Photo of Bob Crozier, Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE.

    Listen to the Tech Insights podcast:
    How Allianz took a blockchain platform from pilot to 1 million transactions

    Internal interpretation: Allianz Technology

    • 2015
      After smart contracts are demonstrated on the Ethereum blockchain, Allianz and other insurers recognize the business value. There is potential to use the capability to administer a complex, multi-party contract where the presence of the reinsurer in the risk transfer ecosystem is required. Manual contracts could be turned into code and automated. Allianz organized an early proof of concept around a theoretical pandemic excessive loss contract.
    • 2018
      Allianz Chief Architect Bob Crozier is leading the Global Blockchain Center of Competence for Allianz. They educate Allianz on the value of blockchain for business. They also partner with a joint venture between the Technology University of Munich and the state of Bavaria. A cohort of Masters students is looking for real business problems to solve with open-source distributed ledger technology. Allianz puts its problem statement in front of the group. A student team presents a proof of concept for an international motor insurance claims settlement and it comes in second place at a pitch day competition.
    • 2019
      Allianz brings the concept back in-house, and its business leaders return to the concept. Startup Luther Systems is engaged to build a minimum-viable product for the solution, with the goal being a pilot involving three or four subsidiaries in different countries. The Blockchain Center begins communicating with 25 Allianz subsidiaries that will eventually deploy the platform.
    • 2020
      Allianz is in build mode on its international motor insurance claims platform. It leverages its internal Dev/SecOps teams based in Munich and in India.
    • May 2021
      Allianz goes live with its new platform on May 17, decommissioning its old system and migrating all live claims data onto the new blockchain platform. It sees 400 concurrent users go live across Europe.
    • January 2022
      Allianz mines its one-millionth block to its ledger on Jan. 19, with each block representing a peer-to-peer transaction across its 25 subsidiaries in different countries. The platform has settled hundreds of millions of dollars.

    Stock photo of two people arguing over a car crash.

    Implications: Organization, Process, Technology

    External

    • Organization – To explore emerging technologies like blockchain, organizations need staff that are accountable for innovation and have leeway to develop proofs of concept. External partners are often required to bring in fresh ideas and move quickly towards an MVP.
    • Process – According to the Tech Trends 2022 survey, 84% of CIOs consider automation a high-value digital capability, and 77% say identity verification is a high-value capability. A blockchain platform using smart contracts can deliver those.
    • Technology – The Linux Foundation’s Hyperledger Fabric is an open-source blockchain technology that’s become popular in the financial industry for its method of forming consensus and its modular architecture. It’s been adopted by USAA, MasterCard, and PayPal. It also underpins the IBM Blockchain Platform and is supported by Azure Blockchain.

    Internal

    • Organization – Allianz is a holding company that owns Allianz Technology and 25 operating entities across Europe. It uses the technology arm to innovate on the business process and creates shared platforms that its entities can integrate with to automate across the value chain.
    • Process – Initial interest in smart contracts on blockchain were funneled into a student competition, where a proof of concept was developed. Allianz partnered with a startup to develop an MVP, then developed the platform while aligning with its business units ahead of launch.
    • Technology – Allianz built its blockchain platform on Hyperledger Fabric because it was a permissioned system, unlike other public permissionless blockchains such as Ethereum, and because its mining mechanism was much more energy efficient compared to other blockchains using Proof of Work consensus models.

    Resources Applied

    Time to innovate

    Exploring emerging technology for potential use cases is difficult for staff tasked with running day-to-day operations. Organizations serious about innovation create a separate team that can focus on “moonshot” projects and connect with external partners.

    Long-term ROI

    Automation of new business processes often requires a high upfront initial investment for a long-term efficiency gain. A proof of concept should demonstrate clear business value that can be repeated often and for a long period.

    “My next project has to deliver in the tens of millions of value in return. The bar is high and that’s what it should be for a business of our size.” (Bob Crozier, Allianz)

    Allianz

    • Several operating entities from different countries supplied subject matter expertise and helped with the testing process.
    • Allianz Technology team has eight staff members. It is augmented by Luther Systems and the team at industry group B3i.
    • Funding of less than $5 million to develop. Dev team continues to add improvements.
    • Operating requires just one full-time employee plus infrastructure costs, mostly for public cloud hosting.

    Outcomes at Allianz

    From insurer to platform provider

    Deliver your own SaaS: Allianz Technology built its blockchain-based claims settlement platform and its subsidiaries consume it as software as a service. The platform runs on a distributed architecture across Europe, with each node running the same version of the software. Operating entities can also integrate their own systems to the platform via APIs and further automate business processes such as billing.

    Ready to scale: After processing one million transactions, the international claims settlement platform is proven and ready to add more participants. Crozier sees auto repair shops and auto manufacturers as the next logical users.

    Stock photo of Blockchain.
    Allianz is a shareholder of the Blockchain Insurance Industry Initiative (B3i). It is providing a platform used by a group of insurance companies in the commercial and reinsurance space.

    When should we use blockchain? THREE key criteria:

    • Redundant processes
      Different entities follow the same process to achieve the desired outcome.
    • Audit trail
      Accountability in the decision making must be documented.
    • Reconciliation
      Parties need to be able to resolve disputes by tracing back to the truth.

    From Priorities to Action

    It’s a build vs. buy question for platforms

    Allianz was able to build a platform for its group of European subsidiaries because of its established digital factory and commitment to innovation. Allianz Technology is at the “innovate” level of IT maturity, allowing it to create a platform that subsidiaries can integrate with via APIs. For firms that are lower on the IT maturity scale, buying a platform solution is the better path to automation. These firms will be concerned with integrating their legacy systems to platforms that can reduce the friction of their operating environments and introduce modern new capabilities.

    From Info-Tech’s Build a Winning Business Process Automation Playbook

    An infographic comparing pros and cons of Build versus Buy. On the 'Build: High Delivery Capacity & Capability' side is 'Custom Development', 'Data Integration', 'AI/ML', 'Configuration', 'Native Workflow', and 'Low & No Code'. On the 'Buy: Low Delivery Capacity & Capability' side is 'Outsource Development', 'iPaaS', 'Chatbots', 'iBPMS & Rules Engines', 'RPA', and 'Point Solutions'.

    Take the next step

    Accelerate Your Automation Processes
    Integrate automation solutions and take the first steps to building an automation suite.

    Build Effective Enterprise Integration on the Back of Business Process
    From the backend to the frontlines – let enterprise integration help your business processes fly.

    Evolve Your Business Through Innovation
    Innovation teams are tasked with the responsibility of ensuring that their organizations are in the best position to succeed while the world is in a period of turmoil, chaos, and uncertainty.

    “Innovation” gap between importance and effectiveness Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

    A bar chart illustrating the 'Innovation' gap between importance and effectiveness. The difference is marked as Delta 2.1.

    Prepare to report on new environmental, social, and governance (ESG) metrics

    Priority 05 | ITRG06 Business Intelligence and Reporting

    Be ready to either lead or support initiatives to meet the criteria of new ESG reporting mandates and work toward disclosure reporting solutions.

    Time to get serious about ESG

    What does CSR or ESG mean to a CIO?

    Humans are putting increasing pressure on the planet’s natural environment and creating catastrophic risks as a result. Efforts to mitigate these risks have been underway for the past 30 years, but in the decade ahead regulators are likely to impose more strict requirements that will be linked to the financial value of an organization. Various voluntary frameworks exist for reporting on environmental, social, and governance (ESG) or corporate social responsibility (CSR) metrics. But now there are efforts underway to unify and clarify those standards.

    The most advanced effort toward a global set of standards is in the environmental area. At the United Nations’ COP26 summit in Scotland last November, the International Sustainability Standards Board (ISSB) announced its headquarters (Frankfurt) and three other international office locations (Montreal, San Francisco, and London) and its roadmap for public consultations. It is working with an array of voluntary standards groups toward a consensus.

    In Info-Tech’s 2022 Tech Trends survey, two-thirds of CIOs say their organization is committed to reducing greenhouse gas emissions, yet only 40% say their organizational leadership is very concerned with reducing those emissions. CIOs will need to consider how to align organizational concern with internal commitments and new regulatory pressures. They may investigate new real-time reporting solutions that could serve as a competitive differentiator on ESG.

    Standards informing the ISSB’s global set of climate standards

    A row of logos of organizations that inform ISSB's global set of climate standards.

    67% of CIOs say their organization is committed to reducing greenhouse gases, with one-third saying that commitment is public. (Info-Tech Tech Trends 2022 Survey)

    40% of CIOs say their organizational leadership is very concerned with reducing greenhouse gas emissions.

    David W. Dorman

    Chairman of the board, CVS Health

    “ESG is a question of what you do in the microcosm of your company to make sure there is a clear, level playing field – that there is a color-blind, gender-blind meritocracy available – that you are aware that not in every case can you achieve that without really focusing on it. It’s not going to happen on its own. That’s why our commitments have real dollars behind them and real focus behind them because we want to be the very best at doing them.”

    Photo of David W. Dorman, Chairman of the Board, CVS Health.

    Listen to the Tech Insights podcast:
    CVS Health chairman David Dorman on healthcare's hybrid future

    Internal interpretation: CVS Health

    CVS Health established a new steering committee of senior leaders in 2020 to oversee ESG commitments. It designs its corporate social responsibility strategy, Transform Health 2030, by aligning company activities in four key areas: healthy people, healthy business, healthy planet, and healthy community. The strategy aligns with the United Nations’ Sustainable Development Goals. In alignment with these goals, CVS identifies material topics where the company has the most ability to make an impact. In 2020, its top three topics were:

    1. Access to quality health care
    2. Patient and customer safety
    3. Data protection and privacy
    Material Topic
    Access to quality health care
    Material Topic
    Patient and customer safety
    Material Topic
    Data protection and privacy
    Technology Initiative
    MinuteClinic’s Virtual Collaboration for Nurses

    CVS provided Apple iPads compliant with the Health Insurance Portability and Accountability Act (HIPAA) to clinics in a phased approach, providing training to more than 700 providers in 26 states by February 2021. Nurses could use the iPads to attend virtual morning huddles and access clinical education. Nurses could connect virtually with other healthcare experts to collaborate on delivering patient care in real-time. The project was able to scale across the country through a $50,000 American Nurses Credentialing Center Pathway Award. (Wolters Kluwer Health, Inc.)

    Technology Initiative
    MinuteClinic’s E-Clinic

    MinuteClinics launched this telehealth solution in response to the pandemic, rolling it out in three weeks. The solution complemented video visits delivered in partnership with the Teladoc platform. Visits cost $59 and are covered by Aetna insurance plans, a subsidiary of CVS Health. It hosted more than 20,000 E-Clinic visits through the end of 2020. CVS connected its HealthHUBs to the solution to increase capacity in place of walk-in appointments and managed patients via phone for medication adherence and care plans. CVS also helped behavioral health providers transition patients to virtual visits. (CVS Health)

    Technology Initiative
    Next Generation Authentication Platform

    CVS patented this solution to authenticate customers accessing digital channels. It makes use of the available biometrics data and contextual information to validate identity without the need for a password. CVS planned to extend the platform to voice channels as well, using voiceprint technology. The solution prevents unauthorized access to sensitive health data while providing seamless access for customers. (LinkedIn)

    Implications: Organization, Process, Technology

    External

    • Organization – Since the mid-2010s, younger investors have demonstrated reliance on ESG data when making investment decisions, resulting in the creation of voluntary standards that offered varied approaches. Organizations in ESG exchange-traded funds are outperforming the overall S&P 500 (S&P Global Market Intelligence).
    • Process – Organizations are issuing ESG reports today despite the absence of clear rules to follow for reporting results. With regulators expected to step in to establish more rigid guidelines, many organizations will need to revisit their approach to ESG reports.
    • Technology – Real-time reporting of ESG metrics will become a competitive advantage before 2030. Engineering a solution that can alert organizations to poor performance on ESG measures and allow them to respond could avert losing market value.

    Internal

    • Organization – CVS Health established an ESG Steering Committee in 2020 composed of senior leaders including its chief governance officers, chief sustainability officer, chief risk officer, and controller and SVP of investor relations. It is supported by the ESG Operating Committee.
    • Process – CVS conducts a materiality assessment in accordance with Global Reporting Initiative standards to determine the most significant ESG impacts it can make and what topics most influence the decisions of stakeholders. It engages with various stakeholder groups on CSR topics.
    • Technology – CVS technology initiatives during the pandemic focused on supporting patients and employees in collaborating on health care delivery using virtual solutions, providing rich digital experiences that are easily accessible while upholding high security and privacy standards.

    Resources Applied

    Lack of commitment

    While 83% of businesses state support for the Sustainable Development Goals outlined by the Global Reporting Initiative (GRI), only 40% make measurable commitments to their goals.

    Show your work

    The GRI recommends organizations not only align their activities with sustainable development goals but also demonstrate contributions to specific targets in reporting on the positive actions they carry out. (GRI, “State of Progress: Business Contributions to the SDGS.”)

    “We end up with a longstanding commitment to diversity because that’s what our customer base looks like.” (David Dorman, CVS Health)

    CVS Health

    • The MinuteClinic Virtual Collaboration solution was piloted in Houston, demonstrated success, and won additional $50,000 funding from the Pathway to Excellence Award to scale the program across the country (Wolters Kluwer Health, Inc.).
    • The Next-Gen Authentication solution is provided by the vendor HYPR. It is deployed to ten million users and looking to scale to 30 million more. Pricing for enterprises is quoted at $1 per user, but volume pricing would apply to CVS (HYPR).

    Outcomes at CVS Health

    Delivering on hybrid healthcare solutions

    iPads for collaboration: Healthcare practitioners in the MinuteClinic Virtual Collaboration initiative agreed that it improved the use of interprofessional teams, working well virtually with others, and improved access to professional resources (Wolters Kluwer Health, Inc.)

    Remote healthcare: Saw a 400% increase in MinuteClinic virtual visits in 2020 (CVS Health).

    Verified ID: The Next Generation Authentication platform allowed customers to register for a COVID-19 vaccination appointment. CVS has delivered more than 50 million vaccines (LinkedIn).

    Stock photo of a doctor with an iPad.
    CVS Health is making use of digital channels to connect its customers and health practitioners to a services platform that can supplement visits to a retail or clinic location to receive diagnostics and first-hand care.

    From Priorities to Action

    Become your organization’s ESG Expert

    The risks posed to organizations and wider society are becoming more severe, driving a transition from voluntary frameworks for ESG goals to a mandatory one that’s enforced by investors and governments. Organizations will be expected to tie their core activities to a defined set of ESG goals and maintain a balance sheet of their positive and negative impacts. CIOs should become experts in ESG disclosure requirements and recommend the steps needed to meet or exceed competitors’ efforts. If a leadership vacuum for ESG accountability exists, CIOs can either seek to support their peers that are likely to become accountable or take a leadership role in overseeing the area. CIOs should start working toward solutions that deliver real-time reporting on ESG goals to make reporting frictionless.

    “If you don’t have ESG oversight at the highest levels of the company, it won’t wind up getting the focus. That’s why we review it at the Board multiple times per year. We have an annual report, we compare how we did, what we intended to do, where did we fall short, where did we exceed, and where we can run for daylight to do more.” (David Dorman, CVS Health)

    Take the next step

    ESG Disclosures: How Will We Record Status Updates on the World We Are Creating?
    Prepare for the era of mandated environmental, social, and governance disclosures.

    Private Equity and Venture Capital Growing Impact of ESG Report
    Learn about how the growing impact of ESG affects both your organization and IT specifically, including challenges and opportunities, with expert assistance.

    “Business Intelligence and Reporting” gap between importance and effectiveness
    Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

    A bar chart illustrating the 'BI and Reporting' gap between importance and effectiveness. The difference is marked as Delta 2.4.

    The Five Priorities

    Priorities to compete in the digital economy

    1. Reduce Friction in the Hybrid Operating Model
    2. Improve Your Ransomware Readiness
    3. Support an Employee-Centric Retention Strategy
    4. Design an Automation Platform
    5. Prepare to Report on New Environmental, Social, and Governance Metrics

    Contributing Experts

    Elizabeth Clark

    CIO, Harvard Business School
    Photo of Elizabeth Clark, CIO, Harvard Business School.

    Jeff Previte

    Executive Vice-President of IT, CrossCountry Mortgage
    Photo of Jeff Previte, Executive Vice-President of IT, CrossCountry Mortgage.

    Bob Crozier

    Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE
    Photo of Bob Crozier, Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE.

    David W. Dorman

    Chairman of the Board, CVS Health
    Photo of David W. Dorman, Chairman of the Board, CVS Health.

    Info-Tech’s internal CIO panel contributors

    • Bryan Tutor
    • John Kemp
    • Mike Schembri
    • Janice Clatterbuck
    • Sandy Silk
    • Sallie Wright
    • David Wallace
    • Ken McGee
    • Mike Tweedie
    • Cole Cioran
    • Kevin Tucker
    • Angelina Atkins
    • Yakov Kofner
    Photo of an internal CIO panel contributor. Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.
    Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.
    Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.Photo of an internal CIO panel contributor.

    Thank you for your support

    Logo for the Blockchain Research Institute.
    Blockchain Research Institute

    Bibliography – CIO Priorities 2022

    “2020 Corporate Social Responsibility Report.” CVS Health, 2020, p. 127. Web.

    “Adversary: Doppel Spider - Threat Actor.” Crowdstrike Adversary Universe, 2021. Accessed 29 Dec. 2021.

    “Aetna CVS Health Success Story.” HYPR, n.d. Accessed 6 Feb. 2022.

    Baig, Aamer. “The CIO agenda for the next 12 months: Six make-or-break priorities.” McKinsey Digital, 1 Nov. 2021. Web.

    Ball, Sarah, Kristene Diggins, Nairobi Martindale, Angela Patterson, Anne M. Pohnert, Jacinta Thomas, Tammy Todd, and Melissa Bates. “2020 ANCC Pathway Award® winner.” Wolters Kluwer Health, Inc., 2021. Accessed 6 Feb. 2022.

    “Canadian Universities Propose Designs for a Central Bank Digital Currency.” Bank of Canada, 11 Feb. 2021. Accessed 14 Dec. 2021.

    “Carbon Sequestration in Wetlands.” MN Board of Water and Soil Resources, n.d. Accessed 15 Nov. 2021.

    “CCM Honored as a NorthCoast 99 Award Winner.” CrossCountry Mortgage, 1 Dec. 2021. Web.

    Cheek, Catherine. “Four Things We Learned About the Resignation Wave–and What to Do Next.” Visier Inc. (blog), 5 Oct. 2021. Web.

    “Companies Using Hyperledger Fabric, Market Share, Customers and Competitors.” HG Insights, 2022. Accessed 25 Jan. 2022.

    “IFRS Foundation Announces International Sustainability Standards Board, Consolidation with CDSB and VRF, and Publication of Prototype Disclosure Requirements.” IFRS, 3 Nov. 2021. Web.

    “IT Priorities for 2022: A CIO Report.” Mindsight, 28 Oct. 2021. Web.

    “Job Openings and Labor Turnover Survey.” Databases, Tables & Calculators by Subject, U.S. Bureau of Labor Statistics, 2022. Accessed 9 Feb. 2022.

    Kumar, Rashmi, and Michael Krigsman. “CIO Planning and Investment Strategy 2022.” CXOTalk, 13 Sept. 2021. Web.

    Leonhardt, Megan. “The Great Resignation Is Hitting These Industries Hardest.” Fortune, 16 Nov. 2021. Accessed 7 Jan. 2022.

    “Most companies align with SDGs – but more to do on assessing progress.” Global Reporting Initiative (GRI), 17 Jan. 2022. Web.

    Navagamuwa, Roshan. “Beyond Passwords: Enhancing Data Protection and Consumer Experience.” LinkedIn, 15 Dec. 2020.

    Ojo, Oluwaseyi. “Achieving Digital Business Transformation Using COBIT 2019.” ISACA, 19 Aug. 2019. Web.

    “Priority.” Lexico.com, Oxford University Press, 2021. Web.

    Riebold, Jan, and Yannick Bartens. “Reinventing the Digital IT Operating Model for the ‘New Normal.’” Capgemini Worldwide, 3 Nov. 2020. Web.

    Samuels, Mark. “The CIO’s next priority: Using the tech budget for growth.” ZDNet, 1 Sept. 2021. Accessed 1 Nov. 2021.

    Sayer, Peter. “Exclusive Survey: CIOs Outline Tech Priorities for 2021-22.” CIO, 5 Oct. 2021. Web.

    Shacklett, Mary E. “Where IT Leaders Are Likely to Spend Budget in 2022.” InformationWeek, 10 Aug. 2021. Web.

    “Table 4. Quits Levels and Rates by Industry and Region, Seasonally Adjusted - 2021 M11 Results.” U.S. Bureau of Labor Statistics, Economic News Release, 1 Jan. 2022. Accessed 7 Jan. 2022.

    “Technology Priorities CIOs Must Address in 2022.” Gartner, 19 Oct. 2021. Accessed 1 Nov. 2021.

    Thomson, Joel. Technology, Talent, and the Future Workplace: Canadian CIO Outlook 2021. The Conference Board of Canada, 7 Dec. 2021. Web.

    “Trend.” Lexico.com, Oxford University Press, 2021. Web.

    Vellante, Dave. “CIOs signal hybrid work will power tech spending through 2022.” SiliconANGLE, 25 Sept. 2021. Web.

    Whieldon, Esther, and Robert Clark. “ESG funds beat out S&P 500 in 1st year of COVID-19; how 1 fund shot to the top.” S&P Global Market Intelligence, April 2021. Accessed Dec. 2021.

    Enterprise Storage Solution Considerations

    • Buy Link or Shortcode: {j2store}507|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Enterprise storage technology and options are challenging to understand.
    • There are so many options. How do you decide what the best solution is for your storage challenge??
    • Where do you start when trying to solve your enterprise storage challenge?

    Our Advice

    Critical Insight

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Impact and Result

    Look to existing use cases based on actual Info-Tech analyst calls to help in your decision-making process.

    Enterprise Storage Solution Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Storage Solution Considerations – Narrow your focus with the right product type and realize efficiencies.

    Explore the building blocks of enterprise storage so you can select the best solution, narrow your focus with the correct product type, explore the features that should be considered when evaluating enterprise storage offerings, and examine use cases based on actual Info-Tech analyst calls to find a storage solution for your situation.

    • Enterprise Storage Solution Considerations Storyboard

    2. Modernize Enterprise Storage Workbook – Understand your data requirements.

    The first step in solving your enterprise storage challenge is identifying your data sources, data volumes, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions. This tool can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.

    • Modernize Enterprise Storage Workbook
    [infographic]

    Further reading

    Enterprise Storage Solution Considerations

    Narrow your focus with the right product type and realize efficiencies.

    Analyst Perspective

    The vendor landscape is continually evolving, as are the solutions they offer. The options and features are increasing and appealing.

    The image contains a picture of P.J. Ryan.

    To say that the current enterprise storage landscape looks interesting would be an understatement. The solutions offered by vendors continue to grow and evolve. Flash and NVMe are increasing the speed of storage media and reducing latency. Software-defined storage is finding the most efficient use of media to store data where it is best served while managing a variety of vendor storage and older storage area networks and network-attached storage devices.

    Storage as a service is taking on a new meaning with creative solutions that let you keep the storage appliance on premises or in a colocated data center while administration, management, and support are performed by the vendor for a nominal monthly fee.

    We cannot discuss enterprise storage without mentioning the cloud. Bring a thermometer because you must understand the difference between hot, warm, and cold storage when discussing the cloud options. Very hot and very cold may also come into play.

    Storage hardware can assume a higher total cost of ownership with support options that replace the controllers on a regular basis. The options with this type of service are also varied, but the concept of not having to replace all disks and chassis nor go through a data migration is very appealing to many companies.

    The cloud is growing in popularity when it comes to enterprise storage, but on-premises solutions are still in demand, and whether you choose cloud or on premises, you can be guaranteed an array of features and options to add stability, security, and efficiency to your enterprise storage.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Info-Tech Insight

    The vendor landscape is continually evolving, as are the solutions they offer.

    Storage providers are getting acquired by bigger players, “outside the box” thinking is disrupting the storage support marketplace, “as a service” storage offerings are evolving, and what is a data lake and do I need one? The traditional storage vendors are not alone in the market, and the solutions they offer are no longer traditional either. Explore the landscape and understand your options before you make any enterprise storage solution purchases.

    Understand the building blocks of storage so you can select the best solution.

    There are multiple storage formats for data, along with multiple hardware form factors and disk types to hold those various data formats. Software plays a significant role in many of these storage solutions, and cloud offerings take advantage of all the various formats, form factors, and disks. The challenge is matching your data type with the correct storage format and solution.

    Look to existing use cases to help in your decision-making process.

    Explore previous experiences from others by reading use cases to determine what the best solution is for your challenge. You’re probably not the first to encounter the challenge you’re facing. Another organization may have previously reached out for assistance and found a viable solution that may be just what you also need.

    Enterprise storage has evolved, with more options than ever

    Data is growing, data security will always be a concern, and vendors are providing more and more options for enterprise storage.

    “By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!” (Visual Capitalist)

    “Modern criminal groups target not only endpoints and servers, but also central storage systems and their backup infrastructure.” (Continuity Software)

    Cloud or on premises? Maybe a hybrid approach with both cloud and on premises is best for you. Do you want to remove the headaches of storage administration, management, and support with a fully managed storage-as-a-service solution? Would you like to upgrade your controllers every three or four years without a major service interruption? The options are increasing and appealing.

    High-Level Considerations

    1. Understand Your Data

    Understand how much data you have and where it is located. This will be crucial when evaluating enterprise storage solutions.

    2. Plan for Growth

    Your enterprise storage considerations should include your data needs now and in the future.

    3. Understand the Mechanics

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Storage formats, disk drives, and technology

    Common data storage formats, technology, and drive types are outlined below. Understanding how data is stored as well as the core building blocks for larger systems will help you decide which solution is best for your storage needs.

    Format

    What it is

    Disk Drives and Technology

    File Storage

    File storage is hierarchical storage that uses files, folders, subfolders, and directories. You enter a specific filename and path to access the file, such as P:\users\johndoe\strategy\cloud.doc. If you ever saved a file on a server, you used file storage. File storage is usually managed by some type of file manager, such as File Explorer in Windows. Network-attached storage (NAS) devices use file storage.

    Hard Disk Drives (HDD)

    HDD use a platter of spinning disks to magnetically store data. The disks are thick enough to make them rigid and are referred to as hard disks.

    HDD is older technology but is still in demand and offered by vendors.

    Object Storage

    Object storage is when data is broken into distinct units, called objects. These objects are stored in a flat, non-hierarchical structure in a single location or repository. Each object is identified by its associated ID and metadata. Objects are accessed by an application programming interface (API).

    Flash

    Flash storage uses flash memory chips to store data. The flash memory chips are written with electricity and contain no moving parts. Flash storage is very fast, which is how the technology got its name (“Flash vs. SSD Storage,” Enterprise Storage Forum, 2018).

    Block Storage

    Block storage is when data is divided up into fixed-size blocks and stored with a unique identifier. Blocks can be stored in different environments, such as Windows or Linux. Storage area networks (SANs) use block storage.

    Solid-State Drive (SSD)

    SSD is a storage mechanism that also does not use any moving parts. Most SSD drives use flash storage, but other options are available for SSD.

    Nonvolatile Memory Express (NVMe)

    NVMe is a communications standard developed specially for SSDs by a consortium of vendors including Intel, Samsung, SanDisk, Dell, and Seagate. It operates across the PCIe bus (hence the “Express” in the name), which allows the drives to act more like the fast memory that they are rather than the hard disks they imitate (PCWorld).

    Narrow your focus with the right product type

    On-premises enterprise storage solutions fit into a few distinct product types.

    Network-Attached Storage

    Storage Area Network

    Software-Defined Storage

    Hyperconverged Infrastructure

    NAS refers to a storage device that is connected directly to your network. Any user or device with access to your network can access the available storage provided by the NAS. NAS storage is easily scalable and can add data redundancy through RAID technology. NAS uses the file storage format.

    NAS storage may or may not be the first choice in terms of enterprise storage, but it does have a solid market appeal as an on-premises primary backup storage solution.

    A SAN is a dedicated network of pooled storage devices. The dedicated network, separate from the regular network, provides high speed and scalability without concern for the regular network traffic. SANs use block storage format and can be divided into logical units that can be shared between servers or segregated from other servers. SANs can be accessed by multiple servers and systems at the same time. SANs are scalable and offer high availability and redundancy through RAID technology.

    SANs can use a variety of disk types and sizes and are quite common among on-premises storage solutions.

    “Software-defined storage (SDS) is a storage architecture that separates storage software from its hardware. Unlike traditional network-attached storage (NAS) or storage area network (SAN) systems, SDS is generally designed to perform on any industry-standard or x86 system, removing the software’s dependence on proprietary hardware.” (RedHat)

    SDS uses software-based policies and rules to grow and protect storage attached to applications.

    SDS allows you to use server-based storage products to add management, protection, and better usage.

    Hyperconverged storage uses virtualization and software-defined storage to combine the storage, compute, and network resources along with a hypervisor into one appliance.

    Hyperconverged storage can scale out by adding more nodes or appliances, but scaling up, or adding more resources to each appliance, can have limitations. There is flexibility as hyperconverged storage can work with most network and compute manufacturers.

    Cloud storage

    • Cloud storage is online storage offered by a cloud provider. Cloud storage is available almost anywhere and is set up with high availability features such as data duplication, redundancy, backup, and power failure protection.
    • Cloud storage is very scalable and typically is offered as object storage, block storage, or file storage. Cloud storage vendors may have their own naming scheme for object, block, or file storage.
    • Cloud-hosted data is marketed according to the frequency of access and length of time in storage. There are typically three main levels of storage: hot, warm, or cold. Vendors may have their own naming convention for hot, warm, and cold storage. Some may also add more layers such as very hot or very cold.
      • Hot storage is for data that is frequently accessed and modified. It is available on demand and is the most costly of the storage levels.
      • Cold storage is for data that will sit for a long period of time and not need to be accessed. Cold storage is usually only available after several hours or days. Cold storage is very low cost and, in some cases, even free, but retrieval or restoration for the free services can be costly.
      • Warm storage sits in between hot and cold storage. It is for data that is infrequently needed. The cost of warm storage is also in between hot and cold storage costs, and access times are measured in terms of minutes or hours.
      • It is not uncommon for data to start in hot storage and, as it ages, move to warm and eventually cold storage.

    “Enterprise cloud storage offers nearly unlimited scalability. Enterprises can add storage quickly and easily as it is needed, eliminating the risk and cost of over-provisioning.”

    – Spectrum Enterprise

    “Hot data will operate on fresh data. Cold data will operate on less frequent data and [is] used mainly for reporting and planning. Warm data is a balance between the two.”

    – TechBlost

    Enterprise storage features

    The features listed below, while not intended to cover all features offered by all vendors, should be considered and could act as a baseline for discussions with storage providers when evaluating enterprise storage offerings.

    • Scalability
      • What are the options to expand, and how easy or difficult it is to expand capacity in the future?
    • Security
      • Does the solution offer data encryption options as well as ransomware protections?
    • Integration options
      • Can the solution support seamless connectivity with other solutions and applications, such as cloud-based storage or backup software?
    • Storage reduction
      • Does the solution offer space-reduction options such as deduplication or data compression?
    • Replication
      • Does the solution offer replication options such as device to device on premises, device to device when geographically separated, device to cloud, or a combination of these scenarios?
    • Performance
      • “Enterprise storage systems have two main ‘speed’ measurements: throughput and IOPS. Throughput is the data transfer rate to and from storage media, measured in bytes per second; IOPS measures the number of reads and writes – input/output (I/O) operations – per second.” (Computer Weekly)
    • Protocol support
      • Does the solution support object-based, block-based, and file-based storage protocols?
    • Storage Efficiency
      • How efficient is the solution? Can they prove it?
      • Storage efficiencies must be available and baselined.
    • Management platform
      • A management/reporting platform should be a component included in the system.
    • Multi-parity
      • Does the solution offer multi-level block “parity” for RAID 6 protection equivalency, which would allow for the simultaneous failure of two disks?
    • Proactive support
      • Features such as call home, dial in, or remote support must be available on the system.
    • Financial considerations
      • The cost is always a concern, but are there subscription-based or “as-a-service” options?
      • Internally, is it better for this expenditure to be a capital expenditure or an ongoing operating expense?

    What’s new in enterprise storage

    • Data warehouses are not a new concept, but the data storage evolution and growth of data means that data lakes and data lakehouses are growing in popularity.
      • “A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You can store your data as-is, without having to first structure the data” (Amazon Web Services).
      • Analytics with a data lake is possible, but manipulation of the data is hindered due to the nature of the data. A data lakehouse adds data management and analytics to a data lake, similar to the data warehouse functionality added to databases.
    • Options for on-premises hardware support is changing.
      • Pure Storage was the first to shake up the SAN support model with its Evergreen support option. Evergreen//Forever support allows for storage controller upgrades without having to migrate data or replace your disks or chassis (Pure Storage).
      • In response to the Pure Storage Evergreen offering, Dell, HPE, NetApp, and others have come out with similar programs that offer controller upgrades while maintaining the data, disks, and chassis.
    • “As a service” is available as a hybrid solution.
      • Storage as a service (STaaS) originally referred to hosted, fully cloud-based offerings without the need for any on-premises hardware.
      • The latest STaaS offerings provide on-premises or colocated hardware with pay-as-you-go subscription pricing for data consumption. Administration, management, and support are included. The vendor will supply support and manage everything on your behalf.
      • Most of the major storage vendors offer a variation of storage as a service.

    “Because data lakes mostly consist of raw unprocessed data, a data scientist with specialized expertise is typically needed to manipulate and translate the data.”

    – DevIQ

    “A Lakehouse is also a type of centralized data repository, integrated from heterogeneous sources. As can be expected from its name, It shares features with both datawarehouses and data lakes.”

    – Cesare

    “Storage as a service (STaaS) eliminates Capex, simplifies management and offers extensive flexibility.”

    – TechTarget

    Major vendors

    The current vendor landscape for enterprise storage solutions represents a range of industry veterans and the brands they’ve aggregated along the way, as well as some relative newcomers who have come to the forefront within the past ten years.

    Vendors like Dell EMC and HPE are longstanding veterans of storage appliances with established offerings and a back catalogue of acquisitions fueling their growth. Others such as Pure Storage offer creative solutions like all-flash arrays, which are becoming more and more appealing as flash storage becomes more commoditized.

    Cloud-based vendors have become popular options in recent years. Cloud storage provides many options and has attracted many other vendors to provide a cloud option in addition to their on-premises solutions. Some software and hardware vendors also partner with cloud vendors to offer a complete solution that includes storage.

    Info-Tech Insight

    Explore your current vendor’s solutions as a starting point, then use that understanding as a reference point to dive into other players in the market

    Key Players

    • Amazon
    • Cisco
    • Dell EMC
    • Google
    • Hewlett Packard Enterprise
    • Hitachi Vantara
    • IBM
    • Microsoft
    • NetApp
    • Nutanix
    • Pure Storage

    Enterprise Storage Use Cases

    Block, object, or file storage? NAS, SAN, SDS, or HCI? Cloud or on prem? Hot, warm, or cold?
    Which one do you choose?
    The following use cases based on actual Info-Tech analyst calls may help you decide.

    1. Offsite backup solution
    2. Infrastructure consolidation
    3. DR/BCP datacenter duplication
    4. Expansion of existing storage
    5. Complete backup solution
    6. Existing storage solution going out of support soon
    7. Video storage
    8. Classify and offload storage

    Offsite backup solution

    “Offsite” may make you think of geographical separation or even cloud-based storage, but what is the best option and why?

    Use Case: How a manufacturing company dealt with retired applications

    • A leading manufacturing company had to preserve older applications no longer in use.
    • The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies, and although the data they held had been migrated to a replacement solution, executives felt they should hold on to these applications for a period of time, just in case.
    • A modern archiving solution was considered, but a research advisor from Info-Tech Research joined a call with the manufacturing company and helped the client realize that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment.
    • The data could be exported from the legacy application into a nonsequential database, compressed, and stored in cloud-based cold storage for less than $5 per terabyte per month. The manufacturing company staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.
    • Cold storage is inexpensive until you start retrieving that data frequently. The manufacturing company knew they did not have a requirement to retrieve the application and data for a very long time, so cloud-based cold storage was ideal.

    “Data retrieval from cold storage is harder and slower than it is from hot storage. … Because of the longer retrieval time, online cold storage plans are often much cheaper. … The downside is that you’d incur additional costs when retrieving the data.”

    – Ben Stockton, Cloudwards

    Infrastructure consolidation

    Hyperconverged infrastructure combines storage, virtual infrastructure, and associated management into one piece of equipment.

    Use Case: How one company dealt with equipment and storage needs

    • One Info-Tech client had recently started in the role of IT director and realized he had inherited aging infrastructure along with a serious data challenge. The storage appliances were old and out of support. The appliances were performing inadequately, and the client was in need of more data due to ongoing growth, but he also realized that the virtual environment was running on very old servers that were no longer supported. The IT director reached out to Info-Tech to find solutions to the virtualization challenge, but the storage problem also came up throughout the course of the conversation with an analyst.
    • The analyst quickly realized that the IT director was an ideal candidate for a hyperconverged infrastructure (HCI) storage solution, which would also provide the necessary virtual environment.
    • The analyst explained the benefits of having a single appliance that would provide virtualization needs as well as storage needs. The built-in management features would ease the burden of administration, and the software-defined nature of the HCI would allow for the migration of data as well as future expansion options.
    • Hyperconverged infrastructure is offered by many vendors under a variety of names. Most are similar but some may have a better interface or other features. The expansion process is simple, and HCI is a good fit for many organizations looking to consolidate virtual infrastructure and storage.

    “HCI environments use a hypervisor, usually running on a server that uses direct-attached storage (DAS), to create a data center pool of systems and resources.”

    – Samuel Greengard, Datamation

    Datacenter duplication

    SAN providers offer a varied range of options for their products, and those options are constantly evolving.

    Use Case: Independent school district provides better data access using SAN technology

    • An independent school district was expanding by adding a second data center in a new school. This new data center would be approximately 20 miles away from the original data center used by the district. The intent was not to replace the original data center but to use both centers to store data and provide services concurrently. The district’s ideal scenario would be that users would not know or care which data center they were reaching, and there would be no difference in the service received from each data center. The school district reached out to Info-Tech when planning discussions reached the topic of data duplication and replication software.
    • An Info-Tech analyst joined a call with the school district and guided the conversation toward the existing environment to understand what options might be available. The analyst quickly discovered that all the district’s servers were virtual, and all associated data was stored on a single SAN.
    • The analyst informed the school district staff about SAN options, including SAN-to-SAN replication. If the school district had a sufficient link between the two data centers, SAN-to-SAN replication would work for them and provide the two identical copies of data at two locations.
    • The analyst continued to offer explanations of other features that some vendors offer with their SANs, such as the ability to turn on or off deduplication and compression, as well as disk options such as flash or NVMe.
    • The school district was moving to the request for proposal (RFP) stage but hoped to have SAN-to-SAN replication implemented before the next academic year started.

    “SAN-to-SAN replication is a low-cost, highly efficient way to manage mounting quantities of stored data.”

    – Secure Infrastructure & Services

    Expansion of existing storage

    That old storage area network may still have some useful life left in it.

    Use Case: Municipality solves data storage aging and growth challenge

    • A municipality in the United States reached out to Info-Tech for guidance on its storage challenge. The municipality had accumulated multiple SANs from different vendors over the years. These SANs were running out of storage, and more data storage was needed. The municipality’s data was growing at a rapid pace, thanks to municipal growth and expansion of services. The IT team was also concerned with modernizing their storage and not hindering their long-term growth by making the wrong purchase decision for their current storage needs.
    • An analyst from Info-Tech discussed several options with the municipality but in the end advised that software-defined storage may be the best solution.
    • Software-defined storage (SDS) would allow the municipality to gain better visibility into existing storage while making more efficient use of existing and new storage. SDS could take over the management of the existing storage from multiple vendors and add additional storage as required. SDS would also be able to integrate cloud-based storage if that was the direction taken by the municipality in the future.
    • The municipality moved forward with an SDS solution and added some additional storage capacity. They used some of their existing SANs but retired the more troublesome ones. The SDS system managed all the storage instances and data management. The administration of the storage environment was easier for the storage admins, and long-term savings were achieved through better storage management.

    “Often enterprises have added storage on an ad hoc basis as they needed it for various applications. That can result in a mishmash of heterogenous storage hardware from a wide variety of vendors. SDS offers the ability to unify management of these different storage devices, allowing IT to be more efficient.”

    – Cynthia Harvey, Enterprise Storage Forum (“What Is Software Defined Storage?”, 2018)

    Complete backup solution

    Many backup software solutions can provide backups to multiple locations, making two-location backups simple.

    Use Case: How an oil refinery modernized its backup solution

    • A large oil refinery needed a better solution for the storage of backups. The refinery was replacing its backup software solution but also wanted to improve the backup storage situation and move away from tape-based storage. All other infrastructure was reasonably modern and not in need of replacement at this time.
    • A research analyst from Info-Tech helped the client realize that the solution was a modified backup. The general guidance for backups is have a least one copy offsite, so the cloud was the obvious focal point. The analyst also explained that it would be beneficial to have a recent copy of the backup available on site for common restoration requests in addition to having the offsite copy for disaster recovery (DR) purposes.
    • The refinery staff conducted a data analysis to determine how much data was being backed up on a daily basis. The solution proposed by the analyst included network-attached storage (NAS) with adequate storage to hold 30 days' worth of on-premises data. The backup software would also simultaneously copy each backup to a cloud-based storage repository. The backup software was smart enough to only back up and transfer data that had changed since the previous backup, so transfer time and capacity was not a factor.
    • The NAS would allow for the restoration of any local, on-premises data while the cloud storage would provide a safe location offsite for backup data. It could also serve as the backup location for other cloud-based services that required a backup.

    “Data protection demands that enterprises have multiple methods of keeping data safe and replicating it in case of disaster or loss.”

    – Drew Robb, Enterprise Storage Forum, 2021

    Storage going out of support

    SAN solutions have come a long way with improvements in how data is stored and what is used to store the data.

    Use Case: How one organization replaced its old storage with a similar solution

    • A government organization was looking for a solution for its aging storage area network appliances. The SANs were old and would be no longer supported by the manufacturer within four months. The SANs had slower spinning disks and their individual capacity was at its limit through the addition of extra shelves and disks over the years.
    • The organization reached out to Info-Tech for guidance. An analyst arranged a call with them, and they discussed the storage situation in detail, including desired benefits from a storage solution and growth requirements. They also discussed cloud storage, but the government organization was not in a position to move its data to the cloud for a variety of reasons.
    • Although the individual SANs were at their storage capacity limit, the total amount of data was well within the limits of many modern on-premises storage solutions. SSD and flash or NVMe storage can store large amounts of data in small footprints and form factors.
    • The analyst reviewed several vendors with the client and discussed some advantages and disadvantages of each. They explored the features offered as well as scalability options.
    • SANs have been around for a long time but the features and capabilities that come with them has evolved. They are still a very viable solution for many organizations in a variety of scenarios.

    “A rapidly growing portion of SAN deployments leverages all-flash storage to gain its high performance, consistent low latency, and lower total cost when compared to spinning disk.”

    – NetApp

    Video storage

    Cloud storage would not be sufficient if you were using a dial up connection, just as on-premises storage solutions would not suffice if they were using floppy disks.

    Use Case: Body cams and public cameras in municipalities are driving storage growth

    • Municipal law enforcement agencies are wearing body cameras more frequently, for their own protection as well as for the protection of the public. Camera footage can be useful in legal situations as well. Municipalities are also installing more and more public cameras for the purposes of public safety. The recorded video footage from these cameras can result in large data files, which in turn drive data storage requirements.
    • Info-Tech analysts are joining calls about video data storage with increasing frequency. The concerns are repetitive, and the guidance is similar on most of these calls.
    • The “object” storage format is ideal for video and media data. Most cloud-based storage solutions use object storage, but it is also available with on-premises solutions such as NAS or SAN. The challenges clients are expressing are typically related to inadequate bandwidth for cloud-based storage or other storage formats instead of “object” storage. Cloud-based storage can also grow beyond the budgeted numbers, causing an increase in the monthly cloud cost. Older, slower on-premises hardware sometimes reveals itself as the latency culprit.
    • Object storage is well suited for the unstructured data that is video footage. It uses metadata to tag the video file for future retrieval and is easily expandable, which also makes it cost effective.
    • Video data stored in a cloud-based repository will work fine as long as the bandwidth is adequate. On-premises storage of video data is also quite adequate on the right storage format, with fast disks and a reasonably up-to-date network infrastructure.

    “The captured video is stored for days, weeks, months and sometimes years and consumes a lot of space. Data storage plays a new and important role in these systems. Object storage is ideal to store the video data.”

    – Object-Storage.Info

    Classify and offload primary storage

    Some software products have storage options available as a result of agreements with other storage vendors. Several backup and archive software products fall into this category.

    Use Case: Enterprise storage can help reduce data sprawl

    • A large engineering firm was trying to manage its data sprawl. The team sampled a small percentage of their data and quickly realized that when they applied their findings on the 1% of data to their entire data estate, the sheer volume of personal files, older files, and unclassified data was going to be a challenge.
    • They found a solution in archiving software. The archiving software would tag data based on several factors. The software would move older files away from primary storage to an alternate storage platform but still leave a stub of the moved file in place and maintain limited access to those files. This would reduce primary storage requirements and allow the firm to eliminate multiple file servers
    • The engineering firm reached out to Info-Tech and participated in an analyst call. During that call, they laid out their plans, and the analyst made them aware of cloud storage. The positive and negative aspects of cloud storage were discussed, and the firm fully understood that the colder the storage tier, the slower the recovery. The firm's stance was if the files had not been accessed in the past six months, waiting a day or two for retrieval would not be a concern, and the firm was content with cold storage in the cloud.
    • The firm had not purchased the archiving software at the time of the analyst call, and the analyst also explained to them that the archiving software may have an existing agreement with a cloud provider for storage options, which could be more cost effective than purchasing cloud storage separately.
    • Cold cloud-based storage was the preferred solution for this firm, but this use case also highlights the option that some software products carry regarding storage. Several backup and archive products have a cloud storage option that should be investigated, as they may be cost-effective options.

    “Cold storage is perfect for archiving your data. Online backup providers offer low-cost, off-site data backups at the expense of fast speeds and easy access, even though data retrieval often comes at an added cost. If you need to keep your data long-term, but don’t need to access it often, this is the kind of storage you need.”

    – Ben Stockton, Cloudwards

    Understand your data requirements

    Activity

    The first step in solving your enterprise storage challenge is identifying your data sources or drivers, data volume size, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions.

    • Info-Tech’s Modernize Enterprise Storage Workbook can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.
    • An example of the Storage Capacity Calculator tab from that workbook is displayed on the right. Using the Storage Capacity Requirements Calculator requires minimal steps.
    1. Enter the current date and planning timeline (horizon) in months
    2. Identify the top sources of data within the business – the current data drivers. Areas of focus could include business applications, file shares, backup, and archives.
    3. For each of these data drivers, include your best estimate of:
    • Current data volume
    • Growth rate
  • Identify the top future data drivers, such as new applications or initiatives that will result from current business plans and priorities, and record the following details:
    • Initial data volumes
    • Projected growth rates
    • Planned implementation date
  • The spreadsheet will automatically calculate the data volume at the planning horizon based on the growth rate.
  • Download the Modernize Enterprise Storage Workbook and take the first step toward understanding your data requirements.

    The image contains a screenshot of the Modernize Enterprise Storage Workbook.

    Download the Modernize Enterprise Storage Workbook

    Related Info-Tech Research

    Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Modernize Enterprise Storage Workbook

    This workbook will complement the discussions and activities found in the Modernize Enterprise Storage blueprint. Use this workbook in conjunction with the blueprint to develop a strategy for storage modernization.

    Bibliography

    Bakkianathan, Raghunathan. “What is the difference between Hot Warm and Cold data storage?” TechBlost, n.d.. Accessed 14 July 2022.
    Cesare. “Data warehouse vs Data lake vs Lakehouse… and DeltaLake?“ Medium, 14 June 2021. Accessed 26 July 2022.
    Davison, Shawn and Ryan Sappenfield. “Data Lake Vs Lakehouse Vs Data Mesh: The Evolution of Data Transformation.” DevIQ, May 2022. Accessed 23 July 2022.
    Desjardins, Jeff. “Infographic: How Much Data is Generated Each Day?” Visual Capitalist, 15 April 2019. Accessed 26 July 2022.
    Greengard, Samuel. “Top 10 Hyperconverged Infrastructure (HCI) Solutions.” Datamation, 22 December 2020. Accessed 23 July 2022.
    Harvey, Cynthia. “Flash vs. SSD Storage: Is there a Difference?” Enterprise Storage Forum, 10 July 2018. Accessed 23 July 2022.
    Harvey, Cynthia. “What Is Software Defined Storage? Features & Benefits.” Enterprise Storage Forum, 22 February 2018. Accessed 23 July 2022.
    Hecht, Gil. “4 Predictions for storage and backup security in 2022.” Continuity Software, 09 January 2022. Accessed 22 July 2022.
    Jacobi, Jonl. “NVMe SSDs: Everything you need to know about this insanely fast storage.” PCWorld, 10 March 2019. Accessed 22 July 2022
    Pritchard, Stephen. “Briefing: Cloud storage performance metrics.” Computer Weekly, 16 July 2021. Accessed 23 July 2022
    Robb, Drew. “Best Enterprise Backup Software & Solutions 2022.” Enterprise Storage Forum, 09 April 2021. Accessed 23 July 2022.
    Sheldon, Robert. “On-premises STaaS shifts storage buying to Opex model.” TechTarget, 10 August 2020. Accessed 22 July 2022.
    “Simplify Your Storage Ownership, Forever.” PureStorage. Accessed 20 July 2022.
    Stockton, Ben. “Hot Storage vs Cold Storage in 2022: Instant Access vs Long-Term Archives.” Cloudwards, 29 September 2021. Accessed 22 July 2022.
    “The Cost Savings of SAN-to-SAN Replication.” Secure Infrastructure and Services, 31 March 2016. Accessed 16 July 2022.
    “Video Surveillance.” Object-Storage.Info, 18 December 2019. Accessed 25 July 2022.
    “What is a Data Lake?” Amazon Web Services, n.d. Accessed 17 July 2022.
    “What is enterprise cloud storage?” Spectrum Enterprise, n.d. Accessed 28 July 2022.
    “What is SAN (Storage Area Network).” NetApp, n.d. Accessed 25 July 2022.
    “What is software-defined storage?” RedHat, 08 March 2018. Accessed 16 July 2022.

    Create a Buyer Persona and Journey

    • Buy Link or Shortcode: {j2store}558|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Contacts fail to convert to leads because messaging fails to resonate with buyers.
    • Products fail to reach targets given shallow understanding of buyer needs.
    • Sellers' emails go unopened and attempts at discovery fail due to no understanding of buyer challenges, pain points, and needs.

    Our Advice

    Critical Insight

    • Marketing leaders in possession of well-researched and up-to-date buyer personas and journeys dramatically improve product market fit, lead gen, and sales results.
    • Success starts with product, marketing, and sales alignment on targeted personas.
    • Speed to deploy is enabled via initial buyer persona attribute discovery internally.
    • However, ultimate success requires buyer interviews, especially for the buyer journey.
    • Leading marketers update journey maps every six months as disruptive events such as COVID-19 and new media and tech platform advancements require continual innovation.

    Impact and Result

    • Reduce time and treasure wasted chasing the wrong prospects.
    • Improve product-market fit.
    • Increase open and click-through rates in your lead gen engine.
    • Perform more effective sales discovery and increase eventual win rates.

    Create a Buyer Persona and Journey Research & Tools

    Start here – read the Executive Brief

    Our Executive Brief summarizes the challenges faced when buyer persona and journeys are ill-defined. It describes the attributes of, and the benefits that accrue from, a well-defined persona and journey and the key steps to take to achieve success.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive an aligned initial draft of buyer persona

    Define and align your team on target persona, outline steps to capture and document a robust buyer persona and journey, and capture current team buyer knowledge.

    • Buyer Persona Creation Template
    • Buyer Persona and Journey Interview Guide and Data Capture Tool

    2. Interview buyers and validate persona and journey

    Hold initial buyer interviews, test initial results, and continue with interviews.

    3. Prepare communications and educate stakeholders

    Consolidate interview findings, present to product, marketing, and sales teams. Work with them to apply to product design, marketing launch/campaigning, and sales and customer success enablement.

    • Buyer Persona and Journey Summary Template
    [infographic]

    Workshop: Create a Buyer Persona and Journey

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Align Team, Identify Persona, and Document Current Knowledge

    The Purpose

    Organize, drive alignment on target persona, and capture initial views.

    Key Benefits Achieved

    Steering committee and project team roles and responsibilities clarified.

    Product, marketing, and sales aligned on target persona.

    Build initial team understanding of persona.

    Activities

    1.1 Outline a vision for buyer persona and journey creation and identify stakeholders.

    1.2 Identify buyer persona choices and settle on an initial target.

    1.3 Document team knowledge about buyer persona (and journey where possible).

    Outputs

    Documented steering committee and working team

    Executive Brief on personas and journey

    Personas and initial targets

    Documented team knowledge

    2 Validate Initial Work and Identify Buyer Interviewees

    The Purpose

    Build list of buyer interviewees, finalize interview guide, and validate current findings with analyst input.

    Key Benefits Achieved

    Interview efficiently using 75-question interview guide.

    Gain analyst help in persona validation, reducing workload.

    Activities

    2.1 Share initial insights with covering industry analyst.

    2.2 Hear from industry analyst their perspectives on the buyer persona attributes.

    2.3 Reconcile differences; update “current understanding.”

    2.4 Identify interviewee types by segment, region, etc.

    Outputs

    Analyst-validated initial findings

    Target interviewee types

    3 Schedule and Hold Buyer Interviews

    The Purpose

    Validate current persona hypothesis and flush out those attributes only derived from interviews.

    Key Benefits Achieved

    Get to a critical mass of persona and journey understanding quickly.

    Activities

    3.1 Identify actual list of 15-20 interviewees.

    3.2 Hold interviews and use interview guides over the course of weeks.

    3.3 Hold review session after initial 3-4 interviews to make adjustments.

    3.4 Complete interviews.

    Outputs

    List of interviewees; calls scheduled

    Initial review – “are you going in the right direction?”

    Completed interviews

    4 Summarize Findings and Provide Actionable Guidance to Colleagues

    The Purpose

    Summarize persona and journey attributes and provide activation guidance to team.

    Key Benefits Achieved

    Understanding of product market fit requirements, messaging, and marketing, and sales asset content.

    Activities

    4.1 Summarize findings.

    4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets.

    4.3 Convene steering committee/executives and working team for final review.

    4.4 Schedule meetings with colleagues to action results.

    Outputs

    Complete findings

    Action items for team members

    Plan for activation

    5 Measure Impact and Results

    The Purpose

    Measure results, adjust, and improve.

    Key Benefits Achieved

    Activation of outcomes; measured results.

    Activities

    5.1 Review final copy, assets, launch/campaign plans, etc.

    5.2 Develop/review implementation plan.

    5.3 Reconvene team to review results.

    Outputs

    Activation review

    List of suggested next steps

    Further reading

    Create a Buyer Persona and Journey

    Make it easier to market, sell, and achieve product-market fit with deeper buyer understanding.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    B2B marketers without documented personas and journeys often experience the following:

    • Contacts fail to convert to leads because messaging fails to resonate with buyers.
    • Products fail to reach targets given shallow understanding of buyer needs.
    • Sellers’ emails go unopened, and attempts at discovery fail due to no understanding of buyer challenges, pain points, and needs.

    Without a deeper understanding of buyer needs and how they buy, B2B marketers will waste time and precious resources targeting the incorrect personas.

    Common Obstacles

    Despite being critical elements, organizations struggle to build personas due to:

    • A lack of alignment and collaboration among marketing, product, and sales.
    • An internal focus; or a lack of true customer centricity.
    • A lack of tools and techniques for building personas and buyer journeys.

    In today’s Agile development environment, combined with the pressure to generate revenues quickly, high tech marketers often skip the steps necessary to go deeper to build buyer understanding.

    SoftwareReviews’ Approach

    With a common framework and target output, clients will:

    • Align marketing, sales, and product, and collaborate together to share current knowledge on buyer personas and journeys.
    • Target 12-15 customers and prospects to interview and validate insights. Share that with customer-facing staff.
    • Activate the insights for more customer-centric lead generation, product development, and selling.

    Clients who activate findings from buyer personas and journeys will see a 50% results improvement.

    SoftwareReviews Insight:
    Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform for product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.

    Buyer personas and journeys: A go-to-market critical success factor

    Marketers – large and small – will fail to optimize product-market fit, lead generation, and sales effectiveness without well-defined buyer personas and a buyer journey.

    Critical Success Factors of a Successful G2M Strategy:

    • Opportunity size and business case
    • Buyer personas and journey
    • Competitively differentiated product hypothesis
    • Buyer-validated commercial concept
    • Sales revenue plan and program cost budget
    • Consolidated communications to steering committee

    Jeff Golterman, Managing Director, SoftwareReviews Advisory

    “44% of B2B marketers have already discovered the power of Personas.”
    – Hasse Jansen, Boardview.io!, 2016

    Documenting buyer personas enables success beyond marketing

    Documenting buyer personas has several essential benefits to marketing, sales, and product teams:

    • Achieve a better understanding of your target buyer – by building a detailed buyer persona for each type of buyer and keeping it fresh, you take a giant step toward becoming a customer-centric organization.
    • Team alignment on a common definition – will happen when you build buyer personas collaboratively and among those teams that touch the customer.
    • Improved lead generation – increases dramatically when messaging and marketing assets across your lead generation engine better resonate with buyers because you have taken the time to understand them deeply.
    • More effective selling – is possible when sellers apply persona development output to their interactions with prospects and customers.
    • Better product-market fit – increases when product teams more deeply understand for whom they are designing products. Documenting buyer challenges, pain points, and unmet needs gives product teams what they need to optimize product adoption.

    “It’s easier buying gifts for your best friend or partner than it is for a stranger, right? You know their likes and dislikes, you know the kind of gifts they’ll have use for, or the kinds of gifts they’ll get a kick out of. Customer personas work the same way, by knowing what your customer wants and needs, you can present them with content targeted specifically to their wants and needs.”
    – Emma Bilardi, Product Marketing Alliance, 2020

    Buyer understanding activates just about everything

    Without the deep buyer insights that persona and journey capture enables, marketers are suboptimized.

    Buyer Persona and Journey

    • Product design
    • Customer targeting
    • Personalization
    • Messaging
    • Content marketing
    • Lead gen & scoring
    • Sales Effectiveness
    • Customer retention

    “Marketing eutopia is striking the all-critical sweet spot that adds real value and makes customers feel recognized and appreciated, while not going so far as to appear ‘big brother’. To do this, you need a deep understanding of your audience coming from a range of different data sets and the capability to extract meaning.”
    – Plexure, 2020

    Does your organization need buyer persona and journey updating?

    “Yes,” if experiencing one or more key challenges:

    • Sales time is wasted on unqualified leads
    • Website abandon rates are high
    • Lead gen engine click-through rates are low
    • Ideal customer profile is ill defined
    • Marketing asset downloads are low
    • Seller discovery with prospects is ineffective
    • Sales win/loss rates drop due to poor product-market fit
    • Higher than desired customer churn

    SoftwareReviews Advisory Insight:
    Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product of personas to target will squander precious time and resources throughout the customer targeting and acquisition process.

    Outcomes and benefits

    Building your buyer persona and journey using our methodology will enable:

    • Greater stakeholder alignment – when marketing, product, and sales agree on personas, less time is wasted on targeting alternate personas.
    • Improved product-market fit – when buyers see both pain-relieving features and value-based pricing, “because you asked vs. guessed,” win rates increase.
    • Greater open and click-through rates – because you understood buyer pain points and motivations for solution seeking, you’ll see higher visits and engagement with your lead gen engine, and because you asked “what asset types do you find most helpful” your CTAs become ”lead-gen magnets” because you’ve offered the right asset types in your content marketing strategy.
    • More qualified leads – because you defined a more accurate ideal customer profile (ICP) and your lead scoring algorithm has improved, sellers see more qualified leads.
    • Increased sales cycle velocity – since you learned from personas their content and engagement preferences and what collateral types they need during the down-funnel sales discussions, sales calls are more productive and sales cycles shrink.

    Our methodology for buyer persona and journey creation

    1. Document Team Knowledge of Buyer Persona and Drive Alignment 2. Interview Target Buyer Prospects and Customers 3. Create Outputs and Apply to Marketing, Sales, and Product
    Phase Steps
    1. Outline a vision for buyer persona and journey creation and identify stakeholders.
    2. Pull stakeholders together, identify initial buyer persona, and begin to document team knowledge about buyer persona (and journey where possible).
    3. Validate with industry and marketing analyst’s initial buyer persona, and identify list of buyer interviewees.
    1. Hold interviews and document and share findings.
    2. Validate initial drafts of buyer persona and create initial documented buyer journey. Review findings among key stakeholders, steering committee, and supporting analysts.
    3. Complete remaining interviews.
    1. Summarize findings.
    2. Convene steering committee/exec. and working team for final review.
    3. Communicate to key stakeholders in product, marketing, sales, and customer success for activation.
    Phase Outcomes
    1. Steering committee and team selection
    2. Team insights about buyer persona documented
    3. Buyer persona validation with industry and marketing analysts
    4. Sales, marketing, and product alignment
    1. Interview guide
    2. Target interviewee list
    3. Buyer-validated buyer persona
    4. Buyer journey documented with asset types, channels, and “how buyers buy” fully documented
    1. Education deck on buyer persona and journey ready for use with all stakeholders: product, field marketing, sales, executives, customer success, partners
    2. Activation will update product-market fit, optimize lead gen, and improve sales effectiveness

    Our approach provides interview guides and templates to help rebuild buyer persona

    Our methodology will enable you to align your team on why it’s important to capture the most important attributes of buyer persona including:

    • Functional – helps you find and locate your target personas
    • Emotive – deepens team understanding of buyer initiatives, motivations for seeking alternatives, challenges they face, pain points for your offerings to address, and terminology that describes the “space”
    • Solution – enables greater product market fit
    • Behavioral – clarifies how to communicate with personas and understand their content preferences
    Functional – “to find them”
    Job Role Title Org. Chart Dynamics Buying Center Firmographics
    Emotive – “what they do and jobs to be done”
    Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? Buyer Need: They may have multiple needs; which need is most likely met with the offering? Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue?
    Decision Criteria – “how they decide”
    Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through?
    Solution Attributes – “what does the ideal solution look like”
    Steps in “Jobs to Be Done” Elements of the “Ideal Solution” Business outcomes from ideal solution Opportunity scope; other potential users Acceptable price for value delivered Alternatives that see consideration Solution sourcing: channel, where to buy
    Behavioral Attributes – “how to approach them successfully”
    Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)?

    Buyer journeys are constantly shifting

    If you didn’t remap buyer journeys in 2021, you may be losing to competitors that did. Leaders remap buyer journey frequently.

    • The multi-channel buyer journey is constantly changing. Today’s B2B buyer uses industry research sites, vendor content marketing assets, software reviews sites, contacts with vendor salespeople, events participation, peer networking, consultants, emails, social media sites, and electronic media to research purchasing decisions.
    • COVID-19 has dramatically decreased face-to-face interaction. We estimate a B2B buyer spent 20-25% more time online in 2021 than pre-COVID-19 researching software buying decisions. This has diminished the importance of face-to-face selling and given dramatic rise to digital selling and outbound marketing.
    • Content marketing has exploded, but without mapping the buyer journey and knowing where – by channel –and when – by buyer journey step – to offer content marketing assets, we will fail to convert prospects into buyers.

    “~2/3 of [B2B] buyers prefer remote human interactions or digital self-service.” And during Aug. ‘20 to Feb. ‘21, use of digital self-service to interact with sales reps leapt by more than 10% for both researching and evaluating new suppliers.”
    – Liz Harrison, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai McKinsey & Company, 2021

    SoftwareReviews Advisory Insight:
    Marketers are advised to update their buyer journey annually and with greater frequency when the human vs. digital mix is affected due to events such as COVID-19 and as emerging media such as AR shifts asset-type usage and engagement options.

    Our approach helps you define the buyer journey

    Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.

    You’ll be more successful by following our overall guidance

    Overarching insight

    Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform for product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.

    Align Your Team

    Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product of personas to target will squander precious time and resources throughout the customer targeting and acquisition process.

    Jump-Start Persona Development

    Marketing leaders leverage the buyer persona knowledge not only from in-house experts in areas such as sales and executives but from analysts that speak with their buyers each and every day.

    Buyer Interviews Are a Must

    While leaders will get a fast start by interviewing sellers, executives, and analysts, you will fail to craft the right messages, build the right marketing assets, and design the best buyer journey if you skip buyer interviews.

    Watch for Disruption

    Leaders will update their buyer journey annually and with greater frequency when the human vs. digital mix is effected due to events such as COVID-19 and as emerging media such as AR and VR shifts the way buyers engage.

    Advanced Buyer Journey Discovery

    Digital marketers that ramp up lead gen engine capabilities to capture “wins” and measure engagement back through the lead gen and nurturing engines will build a more data-driven view of the buyer journey. Target to build this advanced capability in your initial design.

    Tools and templates to speed your success

    This blueprint is accompanied by supporting deliverables to help you gather team insights, interview customers and prospects, and summarize results for ease in communications.

    To support your buyer persona and journey creation, we’ve created the enclosed tools

    Buyer Persona Creation Template

    A PowerPoint template to aid the capture and summarizing of your team’s insights on the buyer persona.

    Buyer Persona and Journey Interview Guide and Data Capture Tool

    For interviewing customers and prospects, this tool is designed to help you interview personas and summarize results for up to 15 interviewees.

    Buyer Persona and Journey Summary Template

    A PowerPoint template into which you can drop your buyer persona and journey interviewees list and summary findings.

    SoftwareReviews offers two levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    The "do-it-yourself" step-by-step instructions begin with Phase 1.

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    A Guided Implementation is a series of analysts inquiries with you and your team.

    Diagnostics and consistent frameworks are used throughout each option.

    Guided Implementation

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.

    For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.

    Your engagement managers will work with you to schedule analyst calls.

    What does our GI on buyer persona and journey mapping look like?

    Drive an Aligned Initial Draft of Buyer Persona

    • Call #1: Collaborate on vision for buyer persona and the buyer journey. Review templates and sample outputs. Identify your team.
    • Call #2: Review work in progress on capturing working team knowledge of buyer persona elements.
    • Call #3: (Optional) Review Info-Tech’s research-sourced persona insights.
    • Call #4: Validate the persona WIP with Info-Tech analysts. Review buyer interview approach and target list.

    Interview Buyers and Validate Persona and Journey

    • Call #5: Revise/review interview guide and final interviewee list; schedule interviews.
    • Call #6: Review interim interview finds; adjust interview guide.
    • Call #7: Use interview findings to validate/update persona and build journey map.
    • Call #8: Add supporting analysts to final stakeholder review.

    Prepare Communications and Educate Stakeholders

    • Call #9: Review output templates completed with final persona and journey findings.
    • Call #10: Add supporting analysts to stakeholder education meetings for support and help with addressing questions/issues.

    Workshop overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day1 Day 2 Day 3 Day 4 Day 5
    Align Team, Identify Persona, and Document Current Knowledge Validate Initial Work and Identify Buyer Interviewees Schedule and Hold Buyer interviews Summarize Findings and Provide Actionable Guidance to Colleagues Measure Impact and Results
    Activities

    1.1 Outline a vision for buyer persona and journey creation and identify stakeholders.

    1.2 Identify buyer persona choices and settle on an initial target.

    1.3 Document team knowledge about buyer persona (and journey where possible).

    2.1 Share initial insights with covering industry analyst.

    2.2 Hear from industry analyst their perspectives on the buyer persona attributes.

    2.3 Reconcile differences; update “current understanding.”

    2.4 Identify interviewee types by segment, region, etc.

    3.1 Identify actual list of 15-20 interviewees.

    A gap of up to a week for scheduling of interviews.

    3.2 Hold interviews and use interview guides (over the course of weeks).

    3.3 Hold review session after initial 3-4 interviews to make adjustments.

    3.4 Complete interviews.

    4.1 Summarize findings.

    4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets.

    4.3 Convene steering committee/exec. and working team for final review.

    4.4 Schedule meetings with colleagues to action results.

    5.1 Review final copy, assets, launch/campaign plans, etc.

    5.2 Develop/review implementation plan.

    A period of weeks will likely intervene to execute and gather results.

    5.3 Reconvene team to review results.

    Deliverables
    1. Documented steering committee and working team
    2. Executive Brief on personas and journey
    3. Personas and initial targets
    4. Documented team knowledge
    1. Analyst-validated initial findings
    2. Target interviewee types
    1. List of interviewees; calls scheduled
    2. Initial review – “are we going in the right direction?”
    3. Completed interviews
    1. Complete findings
    2. Action items for team members
    3. Plan for activation
    1. Activation review
    2. List of suggested next steps

    Phase 1
    Drive an Aligned Initial Draft of Buyer Persona

    This Phase walks you through the following activities:

    • Develop an understanding of what comprises a buyer persona and journey, including their importance to overall go-to-market strategy and execution.
    • Sample outputs.

    This Phase involves the following stakeholders:

    • Program leadership
    • Product Marketing
    • Product Management
    • Representative(s) from Sales
    • Executive Leadership

    1.1 Establish the team and align on shared vision

    Input

    • Typically a joint recognition that buyer personas have not been fully documented.
    • Identify working team members/participants (see below), and an executive sponsor.

    Output

    • Communication of team members involved and the make-up of steering committee and working team
    • Alignment of team members on a shared vision of “Why Build Buyer Personas and Journey” and what key attributes define both.

    Materials

    • N/A

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • CMO/Sponsoring Executive Working Team – typically representatives in Product Marketing, Product Management, and Sales
    • SoftwareReviews marketing analyst

    60 minutes

    1. Schedule inquiry with working team members and walk the team through the Buyer Persona and Journey Executive Brief PowerPoint presentation.
    2. Optional: Have the (SoftwareReviews Advisory) SRA analyst walk the team through the Buyer Persona and Journey Executive Brief PowerPoint presentation as part of your session.

    Review the Create a Buyer Persona Executive Brief (Slides 3-14)

    1.2 Document team knowledge of buyer persona

    Input

    • Working team member knowledge

    Output

    • Initial draft of your buyer persona

    Materials

    • Buyer Persona Creation Template

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • CMO/Sponsoring Executive (optional)
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales

    2-3 sessions of 60 minutes each

    1. Schedule meeting with working team members and, using the Buyer Persona Template, lead the team in a discussion that documents current team knowledge of the target buyer persona.
    2. Lead the team to prioritize an initial, single, most important persona and to collaborate to complete the template (and later, the buyer journey). Once the team learns the process for working on the initial persona, the development of additional personas will become more efficient.
    3. Place the PowerPoint template in a shared drive for team collaboration. Expect to schedule several 60-minute meets. Quicken collaboration by encouraging team to “do their homework” by sharing persona knowledge within the shared drive version of the template. Your goal is to get to an initial agreed upon version that can be shared for additional validation with industry analyst(s) in the next step.

    Download the Buyer Persona Creation Template

    1.3 Validate with industry analysts

    Input

    • Identify gaps in persona from previous steps

    Output

    • Further validated buyer persona

    Materials

    • Bring your Buyer Persona Creation Template to the meeting to share with analysts

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • CMO/Sponsoring Executive (Optional)
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales
    • Info-Tech analyst covering your product category and SoftwareReviews marketing analyst

    30 minutes

    1. Schedule meeting with working team members and discuss which persona areas require further validation from an Info-Tech analyst who has worked closely with those buyers within your persona.

    60 minutes

    1. Schedule an inquiry with the appropriate Info-Tech analyst and SoftwareReviews Advisory analyst to share current findings and see:
      1. Info-Tech analyst provide content feedback given what they know about your target persona and product category.
      2. SoftwareReviews Advisory analyst provide feedback on persona approach and to coach any gaps or important omissions.
    2. Tabulate results and update your persona summary. At this point you will likely require additional validation through interviews with customers and prospects.

    1.4 Identify interviewees and prepare for interviews

    Input

    • Identify segments within which you require persona knowledge
    • Understand your persona insight gaps

    Output

    • List of interviewees

    Materials

    • Interviewee recording template on following slide
    • Interview guide questions found within the Buyer Persona and Journey Interview Guide and data Capture Tool

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales

    1-2 weeks

    1. Identify the types of customers and prospects that will best represent your target persona. Choose interviewees that when interviewed will inform key differences among key segments (geographies, company size, mix of customers and prospects, etc.).
    2. Recruit interviewees and schedule interviews for 45 minutes.
    3. Keep track of Interviewees using the slide following this one.
    4. In preparation for interviews, review the Buyer Persona and Journey Interview Guide and Data Capture Tool. Review the two sets of questions:
      1. Buyer Persona-Related – use to validate areas where you still have gaps in your persona, OR if you are starting with a blank persona and wish to build your personas entirely based on customer and prospect interviews.
      2. Buyer-Journey Related, which we will focus on in the next phase.

    Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

    The image shows a table titled ‘Interviewee List.’ A note next to the title indicates: Here you will document your interviewee list and outreach plan. A note in the Segment column indicates: Ensure you are interviewing personas across segments that will give you the insights you need, e.g. by size, by region, mix of customers and prospects. A note in the Title column reads: Vary your title types up or down in the “buying center” if you are seeking to strengthen buying center dynamics understanding. A note in the Roles column reads: Vary your role types according to decision-making roles (decision maker, influencer, ratifier, coach, user) if you are seeking to strengthen decision-making dynamics understanding.

    Phase 2
    Interview Buyers and Validate Persona and Journey

    This Phase walks you through the following activities:

    • Developing final interview guide.
    • Interviewing buyers and customers.
    • Adjusting approach.
    • Validating buyer persona.
    • Crafting buyer journey
    • Gaining analyst feedback.

    This Phase involves the following stakeholders:

    • Program leadership
    • Product Marketing
    • Representative(s) from Sales

    2.1 Hold interviews

    Input

    • List of interviewees
    • Final list of questions

    Output

    • Buyer perspectives on their personas and buyer journeys

    Materials

    • Buyer Persona and Journey Interview Guide and data Capture Tool

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales

    1-2 weeks

    1. Hold interviews and adjust your interviewing approach as you go along. Uncover where you are not getting the right answers, check with working team and analysts, and adjust.

    Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

    2.2 Use interview findings to validate what’s needed for activation

    Input

    • List of interviewees
    • Final list of questions

    Output

    • Buyer perspectives on their personas and buyer journeys
    • Stakeholder feedback that actionable insights are resulting from interviews

    Materials

    • Buyer Persona Creation Template
    • Buyer Persona and Journey Interview Guide and Data Capture Tool

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales
    • SoftwareReviews marketing analyst

    2 hours

    1. Convene your team, with marketing analysts, and test early findings: It’s wise to test initial interview results to check that you are getting the right insights to understand and validate key challenges, pain points, needs, and other vital areas pertaining to the buyer persona. Are the answers you are getting enabling you to complete the Summary slides for later communications and training for Sales?
    2. Check when doing buyer journey interviews that you are getting actionable answers that drive messaging, what asset types are needed, what the marketing channel mix is, and other vital insights to activate the results. Are the answers you are getting adequate to give guidance to campaigners, content marketers, and sales enablement?
    3. See the following slides for detailed questions that need to be answered satisfactorily by your team members that need to “activate” the results.

    Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

    2.2.1 Are you getting what you need from interviews to inform the buyer persona?

    Test that you are on the right track:

    1. Are you getting the functional answers so you can guide sellers to the right roles? Can you guide marketers/campaigners to the right “Ideal Customer Profile” for lead scoring?
    2. Are you capturing the right emotive areas that will support message crafting? Solutioning? SEM/SEO?
    3. Are you capturing insights into “how they decide” so sellers are well informed on the decision-making dynamics?
    4. Are you getting a strong understanding of content, interaction preferences, and news and information sources so sellers can outreach more effectively, you can pinpoint media spend, and content marketing can create the right assets?
    Functional – “to find them”
    Job Role Title Org. Chart Dynamics Buying Center Firmographics
    Emotive – “what they do and jobs to be done”
    Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? Buyer Need: They may have multiple needs; which need is most likely met with the offering? Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue?
    Decision Criteria – “how they decide”
    Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through?
    Solution Attributes – “what does the ideal solution look like”
    Steps in “Jobs to Be Done” Elements of the “Ideal Solution” Business outcomes from ideal solution Opportunity scope; other potential users Acceptable price for value delivered Alternatives that see consideration Solution sourcing: channel, where to buy
    Behavioral Attributes – “how to approach them successfully”
    Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)?

    2.2.2 Are you getting what you need from interviews to support the buyer journey?

    Our approach helps you define the buyer journey

    Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.

    2.3 Continue interviews

    Input

    • Final adjustments to list of interview questions

    Output

    • Final buyer perspectives on their personas and buyer journeys

    Materials

    • Buyer Persona Creation Template
    • Buyer Persona and Journey Interview Guide and data Capture Tool

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales

    1-2 weeks

    1. Continue customer and prospect interviews.
    2. Ensure you are gaining the segment perspectives needed.
    3. Complete the “Summary” columns within the Buyer Persona and Journey Interview Guide and Data Capture Tool.

    Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

    Phase 3
    Prepare Communications and Educate Stakeholders

    This Phase walks you through the following activities:

    • Creating outputs for key stakeholders
    • Communicating final findings and supporting marketing, sales, and product activation.

    This Phase involves the following stakeholders:

    • Program leadership
    • Product Marketing
    • Product Management
    • Sales
    • Field Marketing/Campaign Management
    • Executive Leadership

    3.1 Summarize interview results and convene full working team and steering committee for final review

    Input

    • Buyer persona and journey interviews detail

    Output

    • Buyer perspectives on their personas and buyer journeys

    Materials

    • Buyer Persona and Journey Interview Guide and Data Capture Tool
    • Buyer Persona and Journey Summary Template

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • CMO/Sponsoring Executive (Optional)
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales
    • SoftwareReviews marketing analyst

    1-2 hours

    1. Summarize interview results within the Buyer Persona and Journey Summary Template.

    Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

    Download the Buyer Persona and Journey Summary Template

    3.2 Convene executive steering committee and working team to review results

    Input

    • Buyer persona and journey interviews summary

    Output

    • Buyer perspectives on their personas and buyer journeys

    Materials

    • Buyer Persona and Journey Summary Template

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales

    1-2 hours

    1. Present final persona and journey results to the steering committee/executives and to working group using the summary slides interview results within the Buyer Persona and Journey Summary Template to finalize results.

    Download the Buyer Persona and Journey Summary Template

    3.3 Convene stakeholder meetings to activate results

    Input

    • Buyer persona and journey interviews summary

    Output

    Activation of key learnings to drive:

    • Better product –market fit
    • Lead gen
    • Sales effectiveness
    • Awareness

    Materials

    • Buyer Persona and Journey Summary Template

    Participants

    • Initiative Manager – individual leading the buyer persona and journey initiative
    • Working Team – typically representatives in Product Marketing, Product Management, and Sales
    • Stakeholder team members (see left)

    4-5 hours

    Present final persona and journey results to each stakeholder team. Key presentations include:

    1. Product team to validate product market fit.
    2. Content marketing to provide messaging direction for the creation of awareness and lead gen assets.
    3. Campaigners/Field Marketing for campaign-related messaging and to identify asset types required to be designed and delivered to support the buyer journey.
    4. Social media strategists for social post copy, and PR for other awareness-building copy.
    5. Sales enablement/training to enable updating of sales collateral, proposals, and sales training materials. Sellers to help with their targeting, prospecting, and crafting of outbound messaging and talk tracks.

    Download the Buyer Persona and Journey Summary Template

    Summary of Accomplishment

    Problem Solved

    With the help of this blueprint, you have deepened your and your colleagues’ buyer understanding at both the persona “who they are” level and the buyer journey “how do they buy” level. You are among the minority of marketing leaders that have fully documented a buyer persona and journey – congratulations!

    The benefits of having led your team through the process are significant and include the following:

    • Better alignment of customer/buyer-facing teams such as in product, marketing, sales, and customer success.
    • Messaging that can be used by marketing, sales, and social teams that will resonate with buyer initiatives, pain points, sought-after “pain relief,” and value.
    • Places in the digital and physical universe where your prospects “hang out” so you can optimize your media spend.
    • More effective use of marketing assets and sales collateral that align with the way your prospect needs to consume information throughout their buyer journey to make a decision in your solution area.

    And by capturing and documenting your buyer persona and journey even for a single buyer type, you have started to build the “institutional strength” to apply the process to other roles in the decision-making process or for when you go after new and different buyer types for new products. And finally, by bringing your team along with you in this process, you have also led your team in becoming a more customer-focused organization – a strategic shift that all organizations should pursue.

    If you would like additional support, contact us and we’ll make sure you get the professional expertise you need.

    Contact your account representative for more information.

    info@softwarereviews.com

    1-888-670-8889

    Related Software Reviews Research

    Optimize Lead Generation With Lead Scoring

    • Save time and money and improve your sales win rates when you apply our methodology to score contacts with your lead gen engine more accurately and pass better qualified leads over to your sellers.
    • Our methodology teaches marketers to develop your own lead scoring approach based upon lead/contact profile vs. your Ideal Customer Profile (ICP) and scores contact engagement. Applying the methodology to arrive at your own approach to scoring will mean reduced lead gen costs, higher conversion rates, and increased marketing-influenced wins.

    Bibliography

    Bilardi, Emma. “How to Create Buyer Personas.” Product Marketing Alliance, July 2020. Accessed Dec. 2021.

    Harrison, Liz, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai. “Omnichannel in B2B sales: The new normal in a year that has been anything but.” McKinsey & Company, 15 March 2021. Accessed Dec. 2021.

    Jansen, Hasse. “Buyer Personas – 33 Mind Blowing Stats.” Boardview.io!, 19 Feb. 2016. Accessed Jan. 2022.

    Raynor, Lilah. “Understanding The Changing B2B Buyer Journey.” Forbes Agency Council, 18 July 2021. Accessed Dec. 2021.

    Simpson, Jon. “Finding Your Audience: The Importance of Developing a Buyer Persona.” Forbes Agency Council, 16 May 2017. Accessed Dec. 2021.

    “Successfully Executing Personalized Marketing Campaigns at Scale.” Plexure, 6 Jan. 2020. Accessed Dec 2020.

    Ulwick, Anthony W. JOBS TO BE DONE: Theory to Practice. E-book, Strategyn, 1 Jan. 2017. Accessed Jan. 2022.

    Apply Design Thinking to Build Empathy With the Business

    • Buy Link or Shortcode: {j2store}89|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $20,772 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Business satisfaction with IT is low.
    • IT and the business have independently evolving strategy, initiatives, and objectives.
    • IT often exceeds their predicted project costs and has difficulty meeting the business’ expectations of project quality and time-to-market.

    Our Advice

    Critical Insight

    • Business needs are unclear or ambiguous.
    • IT and the business do not know how to leverage each other’s talent and resources to meet their common goals.
    • Not enough steps are taken to fully understand and validate problems.
    • IT can’t pivot fast enough when the business’s needs change.

    Impact and Result

    Product, service, and process design should always start with an intimate understanding of what the business is trying to accomplish and why it is important.

    Apply Design Thinking to Build Empathy With the Business Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should apply experience design to partner with the business, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Research

    Identify goals and objectives for experience design, establish targeted stakeholders, and conduct discovery interviews.

    • Apply Design Thinking to Build Empathy With the Business – Phase 1: Research
    • Stakeholder Discovery Interview Template

    2. Map and iterate

    Create the journey map, design a research study to validate your hypotheses, and iterate and ideate around a refined, data-driven understanding of stakeholder problems.

    • Apply Design Thinking to Build Empathy With the Business – Phase 2: Map and Iterate
    • Journey Map Template
    • Research Study Log Tool
    [infographic]

    Workshop: Apply Design Thinking to Build Empathy With the Business

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Introduction to Journey Mapping

    The Purpose

    Understand the method and purpose of journey mapping.

    Key Benefits Achieved

    Initial understanding of the journey mapping process and the concept of end-user empathy.

    Activities

    1.1 Introduce team and discuss workshop motivations and goals.

    1.2 Discuss overview of journey mapping process.

    1.3 Perform journey mapping case study activity.

    Outputs

    Case Study Deliverables – Journey Map and Empathy Maps

    2 Persona Creation

    The Purpose

    Begin to understand the goals and motivations of your stakeholders using customer segmentation and an empathy mapping exercise.

    Key Benefits Achieved

    Understand the demographic and psychographic factors driving stakeholder behavior.

    Activities

    2.1 Discuss psychographic stakeholder segmentation.

    2.2 Create empathy maps for four segments.

    2.3 Generate problem statements.

    2.4 Identify target market.

    Outputs

    Stakeholder personas

    Target market of IT

    3 Interview Stakeholders and Start a Journey Map

    The Purpose

    Get first-hand knowledge of stakeholder needs and start to capture their perspective with a first-iteration journey map.

    Key Benefits Achieved

    Capture the process stakeholders use to solve problems and empathize with their perspectives, pains, and gains.

    Activities

    3.1 Review discovery interviewing techniques.

    3.2 Review and modify the discovery questionnaire

    3.3 Demonstrate stakeholder interview.

    3.4 Synthesize learnings and begin creating a journey map.

    Outputs

    Customized discovery interview template

    Results of discovery interviewing

    4 Complete the Journey Map and Create a Research Study

    The Purpose

    Hypothesize the stakeholder journey, identify assumptions, plan a research study to validate your understanding, and ideate around critical junctures in the journey.

    Key Benefits Achieved

    Understand the stakeholder journey and ideate solutions with the intention of improving their experience with IT.

    Activities

    4.1 Finish the journey map.

    4.2 Identify assumptions and create hypotheses.

    4.3 Discuss field research and hypothesis testing.

    4.4 Design the research study.

    4.5 Discuss concluding remarks and next steps.

    Outputs

    Completed journey map for one IT process, product, or service

    Research study design and action plan

    Determine Your Zero Trust Readiness

    • Buy Link or Shortcode: {j2store}249|cart{/j2store}
    • member rating overall impact (scale of 10): 9.8/10 Overall Impact
    • member rating average dollars saved: $24,574 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    CISOs pushing for zero trust as their security strategy face several challenges including:

    • Understanding and clarifying the benefits of zero trust for the organization.
    • The inability to verify all business operations are maintaining security best practices.
    • Convincing business units to add more security controls that go against the grain of reducing friction in workflows while still demonstrating these controls support the business.

    Our Advice

    Critical Insight

    • Zero trust must benefit the business and security. Because the road to zero trust is an iterative process, IT security will need to constantly determine how different areas of zero trust will affect core business processes.
    • Zero trust reduces reliance on perimeter security. Zero trust is a strategy that solves how to move beyond the reliance on perimeter security and move controls to where the user accesses resources.
    • Not everyone can achieve zero trust, but everyone can adopt it. Zero trust will be different for every organization and may not be applicable in every control area. This means that zero trust is not a one-size-fits-all approach to IT security. Zero trust is the goal, but some organizations can only get so close to the ideal.

    Impact and Result

    Zero trust is a journey that uses multiple capabilities and requires multiple parties to contribute to an organization’s security. Use Info-Tech’s approach to:

    • Understand zero trust as a strategic platform for building your security roadmap.
    • Assess your current state and determine the benefits of adopting zero trust to help plan your roadmap.
    • Separate vendors from the hype surrounding zero trust to adopt a vendor-agnostic approach to your zero trust planning.

    Determine Your Zero Trust Readiness Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should determine your zero trust readiness, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand zero trust

    Recognize the zero trust ideal and understand the different zero trust schools of thought.

    2. Assess your zero trust readiness

    Assess and determine the benefits of zero trust and identify and evaluate vendors in the zero trust market.

    • Zero Trust Security Benefit Assessment Tool
    [infographic]

    Maximize Value From Your Value-Added Reseller (VAR)

    • Buy Link or Shortcode: {j2store}215|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Organizations need to understand their value-added reseller (VAR) portfolio and the greater VAR landscape to better:

    • Manage the VAR portfolio.
    • Understand additional value each VAR can provide.
    • Maximize existing VAR commitments.
    • Evaluate the VARs’ performance.

    Our Advice

    Critical Insight

    VARs typically charge more for products because they are in some way adding value. If you’re not leveraging any of the provided value, you’re likely wasting money and should use a basic commodity-type reseller for procurement.

    Impact and Result

    This project will provide several benefits to Vendor Management and Procurement:

    • Defined VAR value and performance tracking.
    • Manageable portfolio of VARs that fully benefit the organization.
    • Added training, licensing advice, faster quoting, and invoicing resolution.
    • Reduced deployment and logistics costs.

    Maximize Value From Your Value-Added Reseller (VAR) Research & Tools

    Start here – read the Executive Brief

    Read our informative Executive Brief to find out why you should maximize value from your value-added reseller, review Info-Tech’s methodology, and understand the three ways to better manage your VARs improve performance and reduce costs.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Organize and prioritize

    Organize all your VARs and create a manageable portfolio detailing their value, specific, product, services, and certifications.

    • Maximize Value From Your Value-Added Reseller – Phase 1: Organize and Prioritize
    • VAR Listing and Prioritization Tool

    2. “EvaluRate” your VARs

    Create an in-depth evaluation of the VARs’ capabilities.

    • Maximize Value From Your Value-Added Reseller – Phase 2: EvaluRate Your VARs
    • VAR Features Checklist Tool
    • VAR Profile and EvaluRation Tool

    3. Consolidate and reduce

    Assess each VAR for low performance and opportunity to increase value or consolidate to another VAR and reduce redundancy.

    • Maximize Value From Your Value-Added Reseller – Phase 3: Consolidate and Reduce

    4. Maximize their value

    Micro-manage your primary VARs to ensure performance to commitments and maximize their value.

    • Maximize Value From Your Value-Added Reseller – Phase 4: Maximize Their Value
    • VAR Information and Scorecard Workbook
    [infographic]

    Elevate Your Vendor Management Initiative

    • Buy Link or Shortcode: {j2store}223|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • As cloud vendors, managed service providers, and other IT vendors continue to play a larger role in IT operations, the VMI must evolve to meet new challenges. Maximizing the VMI's impact requires it to keep pace with the IT landscape and transforming from tactical to strategic.
    • Increased spend with and reliance on vendors leads to less control and more risk for IT organizations. The VMI must mature on multiple fronts to continue adding value; staying stagnant is not an option.

    Our Advice

    Critical Insight

    • An organization’s vendor management initiative must continue to evolve and mature to reach its full strategic value. In the early stages, the vendor management initiative may be seen as transactional, focusing on the day-to-day functions associated with vendor management. The real value of a VMI comes from becoming strategic partner to other functional groups (departments) within your organization.
    • Developing vendor management personnel is critical to the vendor management initiative’s evolution and maturation. For the VMI to mature, its personnel must mature as well. Their professional skills, competencies, and knowledge must increase over time. Failure to accentuate personal growth within the team limits what the team is able to achieve and how the team is perceived.
    • Vendor management is not about imposing your will on vendors; it is about understanding the multi-faceted dynamics between your organization and your vendors and charting the appropriate path forward. Resource allocation and relationship expectations flow from these dynamics. Each critical vendor requires an individual plan to build the best possible relationship and to leverage that relationship. What works with one vendor may not work or even be possible with another vendor…even if both vendors are critical to your success.

    Impact and Result

    • Evolve the VMI from tactical to strategic
    • Improve the VMI’s brand and brand awareness
    • Develop the VMI’s team members to increase the VMI’s impact
    • Take relationships to the next level with your critical vendors
    • Understand how your vendors view your organization as a customer
    • Create and implement plans to improve relationships with critical vendors
    • Create and implement plans to improve underperforming vendors

    Elevate Your Vendor Management Initiative Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should continue to evolve and mature your vendor management initiative and to understand the additional elements of Info-Tech’s four-step cycle to running your vendor management initiative.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Elevate Your Vendor Management Initiative – Executive Brief
    • Elevate Your Vendor Management Initiative – Phases 1-4

    1. Plan

    This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up to date. The main outcomes from this phase are a current maturity assessment and updated or revised Plan documents.

    • Elevate Your Vendor Management Initiative – Phase 1

    2. Build

    This phase helps you configure, create, and understand the tools and templates used to elevate the VMI. The main outcomes from this phase are a clear understanding of the tools that identify which vendors are important to you, tools and concepts to help you take key vendor relationships to the next level, and tools to help you evaluate and improve the VMI and its personnel.

    • Elevate Your Vendor Management Initiative – Phase 2
    • Elevate – COST Model Vendor Classification Tool
    • Elevate – MVP Model Vendor Classification Tool
    • Elevate – OPEN Model Customer Positioning Tool
    • Elevate – Relationship Assessment and Improvement Tool
    • Elevate – Tools and Templates Compendium

    3. Run

    This phase helps you begin integrating the new tools and templates into the VMI’s operations. The main outcomes from this phase are guidance and the steps required to continue your VMI’s maturation and evolution.

    • Elevate Your Vendor Management Initiative – Phase 3

    4. Review

    This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves. The main outcomes from this phase are ways to advance the VMI’s strategic impact.

    • Elevate your Vendor Management Initiative – Phase 4

    Infographic

    Workshop: Elevate Your Vendor Management Initiative

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan and Build

    The Purpose

    Review existing tools and templates and configure new tools and templates.

    Key Benefits Achieved

    Updated Maturity Assessment and configured tools and templates.

    Activities

    1.1 Existing Plan document review and new maturity assessment.

    1.2 Optional classification models.

    1.3 Customer positioning model.

    1.4 Two-way scorecards.

    Outputs

    Updated Plan documents.

    New maturity assessment.

    Configured classification model.

    Customer positioning for top five vendors.

    Configured scorecard and feedback form.

    2 Build and Run

    The Purpose

    Configure VMI Tools and Templates.

    Key Benefits Achieved

    Configured Tools and Templates for the VMI.

    Activities

    2.1 Performance improvement plans (PIPs).

    2.2 Relationship improvement plans (RIPs).

    2.3 Vendor-at-a-Glance reports.

    2.4 VMI Personnel Competency Evaluation Tool.

    Outputs

    Configured Performance Improvement Plan.

    Configured Relationship Assessment and Relationship Improvement Plan.

    Configured 60-Second Report and completed Vendor Calendar for one vendor.

    Configured VMI Personnel Competency Evaluation Tool.

    3 Build and Run

    The Purpose

    Continue configuring VMI Tools and Templates and enhancing VM competencies.

    Key Benefits Achieved

    Configured Tools and Templates for the VMI and market intelligence to gather.

    Activities

    3.1 Internal feedback tool.

    3.2 VMI ROI calculation.

    3.3 Vendor recognition program.

    3.4 Assess the Relationship Landscape.

    3.5 Gather market intelligence.

    3.6 Improve professional skills.

    Outputs

    Configured Internal Feedback Tool.

    General framework for a vendor recognition program.

    Completed Relationship Landscape Assessment (representative sample).

    List of market intelligence to gather for top five vendors.

    4 Run and Review

    The Purpose

    Improve the VMI’s brand awareness and impact on the organization; continue to maintain alignment with the overall organization.

    Key Benefits Achieved

    Raising the organization’s awareness of the VMI, and ensuring the VMI Is becoming more strategic.

    Activities

    4.1 Expand professional knowledge.

    4.2 Create brand awareness.

    4.3 Investigate potential alliances.

    4.4 Continue increasing the VMI’s strategic value.

    4.5 Review and update (governances, policies and procedures, lessons learned, internal alignment, and leading practices).

    Outputs

    Branding plan for the VMI.

    Branding plan for individual VMI team members.

    Further reading

    Elevate Your Vendor Management Initiative

    Transform Your VMI From Tactical to Strategic to Maximize Its Impact and Value

    EXECUTIVE BRIEF

    Analyst Perspective

    Transform your VMI into a strategic contributor to ensure its longevity.

    The image contains a picture of Phil Bode.

    By the time you start using this blueprint, you should have established a solid foundation for your vendor management initiative (VMI) and implemented many or all of the principles outlined in Info-Tech’s blueprint Jump Start Your Vendor Management (the Jump Start blueprint). This blueprint (the Elevate blueprint) is meant to continue the evolutionary or maturation process of your VMI. Many of the items presented here will build on and refer to the elements from the Jump Start blueprint. The goal of the Elevate blueprint is to assist in the migration of your VMI from transactional to strategic. Why? Simply put, the more strategic the VMI, the more value it adds and the more impact it has on the organization as a whole.

    While the day-to-day, transactional aspect of running a VMI will never go away, getting stuck in transactional mode is a horrible place for the VMI and its team members:

    • The VMI will never live up to its potential.
    • The work won’t be enjoyable or rewarding for most people.
    • The VMI will be seen paper pushers, gatekeepers, and other things that don’t add value or should be avoided.
    • Being reactive (i.e. putting out fires all day) is exhausting and provides little or no control over the work and workflow.
    • Lastly, the VMI’s return on investment will be low, and unless it was established due to regulatory, audit, or other influences, the VMI could be disbanded. Minimal resources will be available to the VMI…just enough to keep it alive and obtain whatever checkmark needs to be earned to satisfy the original need for its creation.

    To prevent these tragic things from happening, transform the VMI into a strategic contributor and partner internally. This Elevate blueprint provides a roadmap and guidance to get your journey started. Focus on expanding your understanding of customer/vendor dynamics, improving the skills, competencies, and knowledge of the VMI’s team members, contributing value beyond the savings aspect, and building a solid brand internally and with your vendors. This requires a conscious effort and a proactive approach to vendor management…not to mention treating your internal “clients” with respect and providing great customer service.

    At the end of the day, ask yourself one question: If your internal clients had to pay for your services, would they? If you can answer yes, you are well on your way to being strategic. If not, you still have some work to do. Long live the strategic VMI!

    Phil Bode
    Principal Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Each year, IT organizations “outsource” tasks, activities, functions, and other items. During 2021:

    • Spend on as-a-service providers increased 38% over 2020.*
    • Spend on managed service providers increased 16% over 2020.*
    • IT service providers increased their merger and acquisition numbers by 47% over 2020.*

    This leads to more spend, less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

    As new contracts are negotiated and existing contracts are renegotiated or renewed, there is a perception that the contracts will yield certain results, output, performance, solutions, or outcomes. The hope is that these will provide a measurable expected value to IT and the organization. Often, much of the expected value is never realized. Many organizations don’t have a VMI to help:

    • Ensure at least the expected value is achieved.
    • Improve on the expected value through performance management.
    • Significantly increase the expected value through a proactive VMI.

    Vendor Management is a proactive, cross-functional lifecycle. It can be broken down into four phases:

    • Plan
    • Build
    • Run
    • Review

    The Info-Tech process addresses all four phases and provides a step-by-step approach to configure and operate your VMI. The content in this blueprint helps you and the VMI evolve to add value and impact to the organization that was started with the Info-Tech blueprint Jump Start Your VMI.

    Info-Tech Insight

    The VMI must continue to mature and evolve, or it will languish, atrophy, and possibly be disbanded.

    • A transactional approach to vendor management ignores the multi-faceted dynamics in play and limits the VMI’s potential value.
    • Improving the VMI’s impact starts with the VMI’s personnel – their skills, knowledge, competencies, and relationships.
    • Adding value to the organization requires time to build trust and understand the landscape (internal and external).
    *Source: Information Services Group, Inc., 2022.

    Executive Summary

    Your Challenge

    Spend on managed service providers and as-a-service providers continues to increase. In addition, IT services vendors continue to be active in the mergers and acquisitions arena. This increases the need for a VMI to help with the changing IT vendor landscape.

    38%

    2021

    16%

    2021

    47%

    2021

    Spend on

    As-a-Service Providers

    Spend on

    Managed Services

    Providers

    IT Services

    Merger & Acquisition

    Growth

    (Transactions)

    Source: Information Services Group, Inc., 2022.

    Executive Summary

    Common Obstacles

    When organizations execute, renew, or renegotiate a contract, there is an “expected value” associated with that contract. Without a robust VMI, most of the expected value will never be realized. With a robust VMI, the realized value significantly exceeds the expected value during the contract term.

    The image contains a screenshot of a diagram that demonstrates the expected value of a contract with and without a vmi.

    Source: Based on findings from Geller & Company, 2003.

    Executive Summary

    Info-Tech’s Approach

    A sound, cyclical approach to vendor management will help ensure your VMI meets your needs and stays in alignment with your organization as they both change (i.e. mature and evolve).

    Vendor Management Process

    1. Plan
    • Review and Update Existing Plan Materials
  • Build
    • Vendor Classification Models
    • Customer Positioning Model
    • 2-Way Scorecards
    • Performance Improvement Plan (PIP)
    • Relationship Improvement Plan (RIP)
    • Vendor-at-a-Glance Reports
    • VMI Personnel Competency Evaluation Tool
    • Internal Feedback Tool
    • VMI ROI Calculation Tools
    • Vendor Recognition Program
  • Run
    • Classify Vendors and Identify Customer Position
    • Assess the Relationship Landscape
    • Leverage 2-Way Scorecards
    • Implement PIPs and RIPS
    • Gather Market Intelligence
    • Generate Vendor-at-a-Glance Reports
    • Evaluate VMI Personnel
    • Improve Professional Skills
    • Expand Professional Knowledge
    • Create Brand Awareness
    • Survey Internal Clients
    • Calculate VMI ROI
    • Implement Vendor Recognition Program
  • Review
    • Investigate Potential Alliances
    • Continue Increasing the VMI's Strategic Value
    • Review and Update Governances
    • Outcomes
      • Better Allocation of VMI Resources
      • Measurable Impact of the VMI
      • Increased Awareness of the VMI
      • Improved Vendor Performance
      • Improved Vendor Relationships
      • VMI Team Member Development
      • Strategic Relationships Internally

    Info-Tech’s Methodology for Elevating Your VMI

    Phase 1 - Plan

    Phase 2 - Build

    Phase 3 - Run

    Phase 4 – Review

    Phase Steps

    1.1 Review and Update Existing Plan Materials

    2.1 Vendor Classification Models

    2.2 Customer Positioning Model

    2.3 Two-Way Scorecards

    2.4 Performance Improvement Plan (PIP)

    2.5 Relationship Improvement Plan (RIP)

    2.6 Vendor-at-a-Glance Reports

    2.7 VMI Personnel Competency Evaluation Tool

    2.8 Internal Feedback Tool

    2.9 VMI ROI Calculation

    2.10 Vendor Recognition Program

    3.1 Classify Vendors & Identify Customer Position

    3.2 Assess the Relationship Landscape

    3.3 Leverage Two-Way Scorecards

    3.4 Implement PIPs and RIPs

    3.5 Gather Market Intelligence

    3.6 Generate Vendor-at-a-Glance Reports

    3.7 Evaluate VMI Personnel

    3.8 Improve Professional Skills

    3.9 Expand Professional Knowledge

    3.10 Create Brand Awareness

    3.11 Survey Internal Clients

    3.12 Calculate VMI ROI

    3.13 Implement Vendor Recognition Program

    4.1 Investigate Potential Alliances

    4.2 Continue Increasing the VMI’s Strategic Value

    4.3 Review and Update

    Phase Outcomes

    This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up-to-date.

    This phase helps you configure, create, and understand the tools and templates used to elevate the VMI.

    This phase helps you begin integrating the new tools and templates into the VMI’s operations.

    This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves.

    Insight Summary

    Insight 1

    An organization’s vendor management initiative must continue to evolve and mature to reach its full strategic value. In the early stages, the vendor management initiative may be seen as transactional, focusing on the day-to-day functions associated with vendor management. The real value of a VMI comes from becoming strategic partner to other functional groups (departments) within your organization.

    Insight 2

    Developing vendor management personnel is critical to the vendor management initiative’s evolution and maturation. For the VMI to mature, its personnel must mature as well. Their professional skills, competencies, and knowledge must increase over time. Failure to accentuate personal growth within the team limits what the team can achieve and how the team is perceived.

    Insight 3

    Vendor management is not about imposing your will on vendors; it is about understanding the multifaceted dynamics between your organization and your vendors and charting the appropriate path forward. Resource allocation and relationship expectations flow from these dynamics. Each critical vendor requires an individual plan to build the best possible relationship and to leverage that relationship. What works with one vendor may not work or even be possible with another vendor – even if both vendors are critical to your success.

    Blueprint Deliverables

    The four phases of maturing and evolving your vendor management initiative are supported with configurable tools, templates, and checklists to help you stay aligned internally and achieve your goals.

    VMI Tools and Templates

    Continue building your foundation for your VMI and configure tools and templates to help you manage your vendor relationships.

    The image contains screenshots of the VMI Tools and Templates.

    Key Deliverables:

    Info-Tech’s

    1. Elevate – COST Model Vendor Classification Tool
    2. Elevate – MVP Model Vendor Classification Tool
    3. Elevate – OPEN Model Customer Positioning Tool
    4. Elevate – Relationship Assessment and Improvement Plan Tool
    5. Elevate – Tools and Templates Compendium

    A suite of tools and templates to help you upgrade and evolve your vendor management initiative.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Improve VMI performance and value.
    • Improve VMI team member performance.
    • Build better relationships with critical vendors.
    • Measure the impact and contributions provided by the VMI.
    • Establish realistic and appropriate expectations for vendor interactions.
    • Understand customer positioning to allocate vendor management resources more effectively and more efficiently.
    • Improve vendor accountability.
    • Increase collaboration between departments.
    • Improve working relationships with your vendors.
    • Create a feedback loop to address vendor/customer issues before they get out of hand or are more costly to resolve.
    • Increase access to meaningful data and information regarding important vendors.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phases 2 and 3 Phase 4

    Call #1: Review status of existing plan materials.

    Call #2: Conduct a new maturity assessment.

    Call #3: Review optional classification models.

    Call #4: Determine customer positioning for top vendors.

    Call #5: Configure vendor Scorecards and vendor feedback forms.

    Call #6: Discuss PIPs, RIPs, and vendor-at-a-glance reports.

    Call #7: VMI personnel competency evaluation tool.

    Call #8: Create internal feedback tool and discuss ROI.

    Call #9: Identify vendor recognition program attributes and assess the relationship landscape.

    Call #10: Gather market intelligence and create brand awareness.

    Call #11: Identify potential vendor alliances, review the components of a strategic VMI, and discuss the continuous improvement loop.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 12 calls over the course of 3 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Plan/Build Run

    Build/Run

    Build/Run

    Run/Review

    Activities

    1.1 Existing Plan document review and new maturity assessment.

    1.2 Optional classification models.

    1.3 Customer positioning model.

    1.4 Two-way scorecards.

    2.1 Performance improvement plans (PIPs).

    2.2 Relationship improvement plans (RIPs).

    2.3 Vendor-at-a-glance reports.

    2.4 VMI personnel competency evaluation tool.

    3.1 Internal feedback tool.

    3.2 VMI ROI calculation.

    3.3 Vendor recognition program.

    3.4 Assess the relationship landscape.

    3.5 Gather market intelligence.

    3.6 Improve professional skills.

    4.1 Expand professional knowledge.

    4.2 Create brand awareness.

    4.3 Investigate potential alliances.

    4.4 Continue increasing the VMI’s strategic value.

    4.5 Review and update (governances, policies and procedures, lessons learned, internal alignment, and leading practices).

    Deliverables

    1. Updated plan documents.
    2. New maturity assessment.
    3. Configured classification model.
    4. Customer positioning for top 5 vendors.
    5. Configured scorecard and feedback form.
    1. Configured performance improvement plan.
    2. Configured relationship assessment and relationship improvement plan.
    3. Configured 60-second report and completed vendor calendar for one vendor.
    4. Configured VMI personnel competency evaluation tool.
    1. Configured internal feedback tool.
    2. General framework for a vendor recognition program.
    3. Completed relationship landscape assessment (representative sample).
    4. List of market intelligence to gather for top 5 vendors.
    1. Roadmap/plan for improving skills and knowledge for VMI personnel.
    2. Action plan for creating brand awareness for the VMI.
    3. Action plan for creating brand awareness for each VMI team member.

    Using complementary vendor management blueprints

    Jump Start Your VMI and Elevate Your VMI

    The image contains a screenshot to demonstrate using complementary vendor management blueprints.

    Phase 1 – Plan

    Look to the Future and Update Existing Materials

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Review and update existing Plan materials

    2.1 Vendor classification models

    2.2 Customer positioning model

    2.3 Two-way scorecards

    2.4 Performance improvement plan (PIP)

    2.5 Relationship improvement plan (RIP)

    2.6 Vendor-at-a-glance reports

    2.7 VMI personnel competency evaluation tool

    2.8 Internal feedback tool

    2.9 VMI ROI calculation

    2.10 Vendor recognition program

    3.1 Classify vendors and identify customer position

    3.2 Assess the relationship landscape

    3.3 Leverage two-way scorecards

    3.4 Implement PIPs and RIPs

    3.5 Gather market intelligence

    3.6 Generate vendor-at-a-glance reports

    3.7 Evaluate VMI personnel

    3.8 Improve professional skills

    3.9 Expand professional knowledge

    3.10 Create brand awareness

    3.11 Survey internal clients

    3.12 Calculate VMI ROI

    3.13 Implement vendor recognition program

    4.1 Investigate potential alliances

    4.2 Continue increasing the VMI’s strategic value

    4.3 Review and update

    This phase will walk you through the following activities:

    This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up-to-date. The main outcomes from this phase are a current maturity assessment and updated or revised Plan documents.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Procurement/Sourcing
    • IT
    • Others as needed

    Phase 1 – Plan

    Phase 1 – Plan revisits the foundational elements from the Info-Tech blueprint Jump Start Your Vendor Management Initiative. As the VMI continues to operate and mature, looking backward periodically provides a new perspective and helps the VMI move forward:

    • Has anything changed (mission statement, goals, scope, strengths and obstacles, roles and responsibilities, and process mapping)?
    • What progress was made against the maturity assessment?
    • What is next in the maturity process for the VMI?
    • Were some foundational elements overlooked or not done thoroughly due to time constraints, a lack of knowledge, or other factors?

    Keep an eye on the past as you begin looking toward the future.

    Step 1.1 – Review and update existing Plan materials

    Ensure existing materials are current

    At this point, the basic framework for your VMI should be in place. However, now is a good time to correct any oversights in your foundational elements. Have you:

    • Drafted a mission statement for the VMI and listed its goals, answering the questions “why does the VMI exist” and “what will it achieve”?
    • Determined the VMI’s scope, establishing what is in and outside the purview of the VMI?
    • Listed the VMI’s strengths and obstacles, identifying what you can leverage and what needs to be managed to ensure smooth sailing?
    • Established roles and responsibilities (OIC Chart) for the vendor management lifecycle, defining each internal party’s place in the process?
    • Documented process maps, delineating (at a minimum) what the VMI is doing for each step of the vendor management lifecycle?
    • Created a charter, establishing an operational structure for the VMI?
    • Completed a vendor inventory, identifying the major vendors included in the VMI?
    • Conducted a VMI maturity assessment, establishing a baseline and desired future state to work toward?
    • Defined the VMI’s structure, documenting the VMI’s place in the organization, its services, and its clients?

    If any of these elements is missing, revisit the Info-Tech blueprint Jump Start Your Vendor Management Initiative to complete these components. If they exist, review them and make any required modifications.

    Download the Info-Tech blueprint Jump Start Your Vendor Management Initiative

    1.1.1 – Review and update existing Plan materials

    1 – 6 Hours

    1. Meet with the participants and review existing documents and tools created or configured during Phase 1 of the Info-Tech blueprint Jump Start Your Vendor Management Initiative: mission statement and goals, scope, strengths and obstacles, OIC chart, process maps, charter, vendor inventory, maturity assessment, and structure.
    2. Update the documents as needed.
    3. Redo the maturity assessment if more than 12 months have passed since the initial assessment was conducted.
    Input Output
    • Documents and tools from Phase 1 of the Info-Tech blueprint Jump Start Your Vendor Management Initiative
    • Updated documents and tools from Phase 1 of the Info-Tech blueprint Jump Start Your Vendor Management Initiative
    Materials Participants
    • Documents and tools from Phase 1 of the Info-Tech blueprint Jump Start Your Vendor Management Initiative
    • Whiteboard or flip charts (as needed)
    • VMI team
    • Applicable stakeholders and executives (as needed)

    Download the Info-Tech blueprint Jump Start Your Vendor Management Initiative

    Download the Jump - Phase 1 Tools and Templates Compendium

    Phase 2 – Build

    Create New Tools and Consider Alternatives to Existing Tools

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Review and update existing Plan materials

    2.1 Vendor classification models

    2.2 Customer positioning model

    2.3 Two-way scorecards

    2.4 Performance improvement plan (PIP)

    2.5 Relationship improvement plan (RIP)

    2.6 Vendor-at-a-glance reports

    2.7 VMI personnel competency evaluation tool

    2.8 Internal feedback tool

    2.9 VMI ROI calculation

    2.10 Vendor recognition program

    3.1 Classify vendors and identify customer position

    3.2 Assess the relationship landscape

    3.3 Leverage two-way scorecards

    3.4 Implement PIPs and RIPs

    3.5 Gather market intelligence

    3.6 Generate vendor-at-a-glance reports

    3.7 Evaluate VMI personnel

    3.8 Improve professional skills

    3.9 Expand professional knowledge

    3.10 Create brand awareness

    3.11 Survey internal clients

    3.12 Calculate VMI ROI

    3.13 Implement vendor recognition program

    4.1 Investigate potential alliances

    4.2 Continue increasing the VMI’s strategic value

    4.3 Review and update

    This phase will walk you through the following activities:

    This phase helps you configure, create, and understand the tools and templates used to elevate the VMI. The main outcomes from this phase are a clear understanding of the tools that identify which vendors are important to you, tools and concepts to help you take key vendor relationships to the next level, and tools to help you evaluate and improve the VMI and its personnel.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Legal
    • Marketing
    • Others as needed

    Phase 2 – Build

    Create and configure tools, templates, and processes

    Phase 2 – Build is similar to its counterpart in the Info-Tech blueprint Jump Start Your Vendor Management Initiative; this phase focuses on tools, templates, and concepts that help the VMI increase its strategic value and impact. The items referenced in this phase will require your customization or configuration to integrate them within your organization and culture for maximum effect.

    One goal of this phase is to provide new ways of looking at things and alternate approaches. (For example, two methods of classifying your vendors are presented for your consideration.) You don’t live in a one-size-fits-all world, and options allow you (or force you) to evaluate what’s possible rather than running with the herd. As you review this phase, keep in mind that some of the concepts presented may not be applicable in your environment…or it may be that they just aren’t applicable right now. Timing, evolution, and maturity will always be factors in how the VMI operates.

    Another goal of this phase is to get you thinking about the value the VMI brings to the organization, and just as important, how to capture and report it. Money alone may be at the forefront of most people’s minds when return on investment is brought up, but there are many ways to measure a VMI’s value and impact. This Phase will help you in your pursuit.

    Lastly, a VMI must focus on its internal clients, and that starts with the VMI’s personnel. The VMI is a reflection of its team members – what they do, say, and know will determine how the VMI is perceived…and used.

    Step 2.1 – Vendor classification model

    Determine which classification model works best for your VMI

    The classification model in the Info-Tech blueprint Jump Start Your Vendor Management Initiative is simple and easy to use. It provides satisfactory results for the first one or two years of the VMI’s life. After that, a more sophisticated model should be used, one with more parameters or flexibility to accommodate the VMI’s new maturity.

    Two models are presented on the following pages. The first is a variation of the COST model used in the Jump Start Your Vendor Management Initiative blueprint. The second is the MVP model, which segments vendors into three categories instead of four and eliminates the 50/50 allocation constraint inherent in a 2x2 model.

    Step 2.1 – Vendor classification model

    Configure the COST Vendor Classification Tool

    The image contains a screenshot of the COST classification model.

    If you used the COST classification model in the Jump Start Your Vendor Management Initiative blueprint, you are familiar with its framework: vendors are plotted into a 2x2 matrix based on their spend and switching costs and their value to your operation. The simple variation of this model uses three variables to assess the vendor’s value to your operation and two variables to determine the vendor’s spend and switching cost implications.

    The COST classification model presented here sticks to the same basic tenets but adds to the number of variables used to plot a vendor’s position within the matrix. Six variables are used to define a vendor’s value and three variables are used to set the spend and switching cost. This provides greater latitude in identifying what makes a vendor important to you.

    Step 2.1 – Vendor classification model

    Configure the MVP Vendor Classification Tool

    The image contains a screenshot example of the MVP clsssification tool.

    Another option for classifying vendors is the MVP classification model. In this model, vendors fall into one of three categories: minor, valued, or principal. Similar to the COST vendor classification model, the MVP classification model requires a user to evaluate statements or questions to assess a vendor’s importance to the organization. In the MVP approach, each question/statement is weighted, and the potential responses to each question/statement are assigned points (100, 33, or 10) based on their impact. Multiplying the weight (expressed as a percentage) for each question/statement by the response points for each question/statement yields a line-item score. The total number of points obtained by a vendor determines its classification category. A vendor receiving a score of 75 or greater would be a principal vendor (similar to a strategic vendor under the COST model); 55 to 74 points would be a valued vendor (similar to operational or tactical vendor); less than 55 points would be a minor vendor (similar to a commodity vendor).

    Step 2.1 – Vendor classification model

    Which classification model is best?

    By now, you may be asking yourself, “Which model should I use? What is the advantage of the MVP model?” Great questions! Both models work well, but the COST model has a limitation inherent in any basic 2x2 model. Since two axes are used in a 2x2 approach, the effective weighting for each axis is 50%. As a result, the weights assigned to an individual element are reduced by 50%. A simple but extreme example will help clarify this issue (hopefully).

    Suppose you wanted to use an element such as How integrated with our business processes are the vendor's products/services? and weighted it 100%. Under the 2x2 matrix approach, this element only moves the X-axis score; it has no impact on the Y-axis score. The vendor in this hypothetical could max out the X-axis under the COST model, but additional elements would be needed for the vendor to rise from the tactical quadrant to the strategic quadrant. In the MVP model, if the vendor maxed out the score on that one element (at 100%), the vendor would be at the top of the pyramid and would be a principal vendor.

    One model is not necessarily better than the other. Both provide an objective way for you to determine the importance of your vendors. However, if you are using elements that don’t fit neatly into the two axes of the COST model, consider using the MVP model. Play with each and see which one works best in your environment, knowing you can always switch at a later point.

    2.1.1 – COST Model Vendor Classification Tool

    15 – 45 Minutes

    1. Meet with the participants to decide whether you want to use this model or the MVP model (see next page); if you choose this model, configure it for your environment by reviewing Elevate – COST Model Vendor Classification Tool – Tab 2. Set Parameters.
      1. Review the questions in column C for each axis (items 1-9), the weights in column D, and the answers/descriptors for each question (columns E, F, G, and H). Make any adjustments necessary to fit your culture, environment, and goals.
      2. Using the Jump Start Your Vendor Management blueprint tool Jump - Phase 1 Tools and Templates Compendium – Tab 1.7 Vendor Inventory, sort your vendors by spend; if you used multiple line items for a vendor in the Vendor Inventory Tool, aggregate the spend data for this activity.
      3. Adjust the descriptors and values in row 16 (Item 7) to match your actual data. General guidance for establishing the spend ranges is provided in the tool itself.
    2. No other modifications should be made to the parameters.
    Input Output
    • Jump - Phase 1 Tools and Templates Compendium – Tab 1.7 Vendor Inventory from the blueprint Jump Start Your Vendor Management Initiative
    • Configured COST Model Vendor Classification Tool
    Materials Participants
    • Elevate – Cost Model Vendor Classification Tool – Tab 2. Set Parameters
    • VMI team

    Download the Info-Tech Elevate - COST Model Vendor Classification Tool

    2.1.2 – MVP Model Vendor Classification Tool

    15 – 45 Minutes

    1. Meet with the Participants to decide whether you want to use this model or the COST Model (see previous page); if you choose this model, configure it for your environment by reviewing Elevate – MVP Model Vendor Classification Tool – Tab 2. Set Parameters.
    2. Review the questions in column C (Items 1 - 7 ), the answers/descriptors for each question (columns D, E, and F), and the weights in column G. Make any adjustments necessary to fit your culture, environment, and goals.
    3. For the answers/descriptors use words and phrases that resonate with your audience and are as intuitive as possible.
    4. If you use annualized spend as an element, general guidance for establishing the spend ranges is provided in the tool itself.
    5. When assigning a weight value to a question, refrain from going below 5%; weights below this threshold will have minimal to no impact on a vendor's score.
    InputOutput
    • Jump - Phase 1 Tools and Templates Compendium – Tab 1.7 Vendor Inventory from the Info-Tech blueprint Jump Start Your Vendor Management Initiative
    • Configured MVP Model Vendor Classification Tool
    MaterialsParticipants
    • Elevate – MVP Model Vendor Classification Tool – Tab 2. Set Parameters
    • VMI team

    Download the Info-Tech Elevate – MVP Model Vendor Classification Tool

    Step 2.2 – Customer positioning model

    Identify how the vendors view your organization

    The image contains a screenshot of the customer positioning model.

    Now that you have configured your choice of vendor classification model (or decided to stick with your original model), it’s time to think about the other side of the coin: How do your vendors view your organization. Why is this important? Because the VMI will have only limited success if you are trying to impose your will on your vendors without regard for how they view the relationship from their perspective. For example, if the vendor is one of your strategic (COST Model) or principal (MVP Model) vendors, but you don’t spend much money with them, you are difficult to work with, and there is no opportunity for future growth, you may have a difficult time getting the vendor to show up for BAMs (business alignment meetings), caring about scorecards, or caring about the relationship period.

    Our experience at Info-Tech interacting with our members through vendor management workshops, guided implementations, and advisory calls has led us to a significant conclusion on this topic: Most customers tend to overvalue their importance to their vendors. To open your eyes about how your vendors actually view your account, use Info-Tech’s OPEN Model Customer Positioning Tool. (It is based on the supplier preferencing model pioneered by Steele & Court in 1996 in which the standard 2x2 matrix tool for procurement [and eventually vendor management] was repurposed to provide insights from the vendor’s perspective.) For our purposes, think of the OPEN model for customer positioning as a mirror’s reflection of the COST model for vendor classification. The OPEN model provides a more objective way to determine your importance to your vendors. Ultimately, your relationship with each vendor will be plotted into the 2x2 grid, and it will indicate whether your account is viewed as an opportunity, preferred, exploitable, or negligible.

    *Adapted from Profitable Purchasing Strategies by Paul T. Steele and Brian H. Court

    Step 2.3 – Two-way scorecards

    Design a two-way feedback loop with your vendors

    The image contains a screenshot example of the otwo-way feedback loop with vendors.

    As with the vendor classification models discussed in Step 2.1, the two-way scorecards presented here are an extension of the scorecard and feedback material from the Jump Start Your Vendor Management Initiative blueprint.

    The vendor scorecard in this blueprint provides additional flexibility and sophistication for your scorecarding approach by allowing the individual variables (or evidence indicators) within each measurement category to be evaluated and weighted. (The prior version only allowed the evaluation and weighting at the category level.)

    On the vendor feedback side, the next evolution is to formalize the feedback and document it in its own scorecard format rather than continuing to list questions in the BAM agenda. The vendor feedback template included with this blueprint provides a sample approach to quantifying the vendor’s feedback and tracking the information.

    The fundamentals of scorecarding remain the same:

    • Keep your eye on what is important to you.
    • Limit the number of measurement categories and evidence indicators to a reasonable and manageable number.
    • Simple is almost always better than complicated.

    2.3.1 – Two-way scorecards (vendor scorecard)

    15 – 60 Minutes

    1. Meet with the participants to configure the scorecard from Elevate – Tools and Templates Compendium – Tab 2.3.1 Vendor Scorecard to meet your needs:
      1. Review the measurement categories and criteria and modify as needed.
      2. Weight the measurement categories (Column E) according to their relative importance to each other; make sure the total adds up to 100%.
      3. Weight the measurement criteria (Column D) within each measurement category according to their relative importance to each other; make sure the total adds up to 100%.
    2. As a reminder, the vendor scorecard is for the vendor overall, not for a specific contract.
    3. You can create variations of the scorecard based on vendor categories (e.g. hardware, software, cloud, security, telecom), but avoid the temptation of creating vendor-specific scorecards unless the vendor is unique; conversely, you may want to create two or more scorecards for a vendor that crosses categories (one for each category).
    InputOutput
    • Elevate – Tools and Templates Compendium – Tab 2.3.1 Vendor Scorecard
    • Brainstorming
    • Configured vendor scorecards
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium – Tab 2.3.1 Vendor Scorecard
    • VMI team

    Download the Info-Tech Elevate – Tools and Templates Compendium

    2.3.2 – Two-way scorecards (vendor feedback form)

    15 – 60 Minutes

    1. Meet with the participants to configure the feedback form from Elevate – Tools and Templates Compendium – Tab 2.3.2 Vendor Feedback Form to meet your needs:
      1. Review the measurement categories and criteria and modify as needed.
      2. Weight the measurement categories (Column E) according to their relative importance to each other; make sure the total adds up to 100%.
      3. Weight the measurement criteria (Column D) within each measurement category according to their relative importance to each other; make sure the total adds up to 100%.
    2. As a reminder, the vendor feedback form is for the relationship overall and not for a specific contract.
    3. You can create variations of the feedback form based on vendor categories (e.g. hardware, software, cloud, security, telecom), but avoid the temptation of creating vendor-specific feedback forms unless the vendor is unique; conversely, you may want to create two or more feedback forms for a vendor that crosses categories and you work with different account management teams (one for each team).
    InputOutput
    • Elevate – Tools and Templates Compendium – Tab 2.3.2 Vendor Feedback Form
    • Brainstorming
    • Configured vendor feedback forms
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium – Tab 2.3.2 Vendor Feedback Form
    • VMI team

    Download the Info-Tech Elevate – Tools and Templates Compendium

    Step 2.4 – Performance improvement plan (PIP)

    Design your template to help underperforming vendors

    It is not uncommon to see performance dips from even the best vendors. However, when poor performance becomes a trend, the vendor manager can work with the vendor to create and implement a performance improvement plan (PIP).

    Performance issues can come from a variety of sources:

    • Contractual obligations.
    • Scorecard items.
    • Compliance issues not specified in the contract.
    • Other areas/expectations not covered by the scorecard or contract (e.g. vendor personnel showing up late for meetings, vendor personnel not being adequately trained, vendor personnel not being responsive).

    PIPs should focus on at least a few key areas:

    • The stated performance in the contract or the expected performance.
    • The actual performance provided by the vendor.
    • The impact of the vendor’s poor performance on the customer.
    • A corrective action plan, including steps to be taken by the vendor and due dates and/or review dates.
    • The consequences for not improving the performance level.

    Info-Tech Insight

    PIPs are most effective when the vendor is an operational, strategic, or tactical vendor (COST model) or a principal or valued vendor (MVP model) and when you are an opportunity or preferred customer (OPEN model).

    2.4.1 – Performance improvement plan (PIP)

    15 – 30 Minutes

    1. Meet with the participants to review the two options for PIPs: Elevate – Tools and Templates Compendium – Tabs 2.4.1 and 2.4.2. Decide whether you want to use one or both options.
    2. Modify, add, or delete elements from either or both options to meet your needs.
    3. If you want to add signature lines for acknowledgement by the parties or other elements that may have legal implications, check with your legal advisors.
    InputOutput
    • Elevate – Tools and Templates Compendium - Tabs 2.4.1 and 2.4.2
    • Brainstorming
    • Configured performance improvement plan templates
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium - Tabs 2.4.1 and 2.4.2
    • VMI team

    Download the Info-Tech Elevate – Tools and Templates Compendium

    Step 2.5 – Relationship improvement plan (RIP)

    Identify key relationship indicators for your vendors

    Relationships are often taken for granted, and many faulty assumptions are made by both parties in the relationship: good relationships will stay good, bad relationships will stay bad, and relationships don’t require any work. In the vendor management space, these assumptions can derail the entire VMI and diminish the value added to your organization by vendors.

    To complicate matters, relationships are multi-faceted. They can occur:

    • On an organization-to-organization, working level.
      • Do your roadmaps align with the vendors?
      • Do the parties meet their contractual obligations?
      • Do the parties meet their day-to-day requirements (meetings, invoices, responses to inquiries)?
    • On an individual, personnel-to-personnel basis.
      • Do you have a good relationship with the account manager?
      • Does your project manager work well with the vendor’s project manager?
      • Do your executives have good relationships with their counterparts at the vendor?

    Improving or maintaining a relationship will not happen by accident. There must be a concerted effort to achieve the desired results (or get as close as possible). A relationship improvement plan can be used to improve or maintain a relationship with the vendor and the individuals who make up the vendor’s organization.

    Step 2.5 – Relationship improvement plan (RIP)

    Identify key relationship indicators for your vendors (continued)

    Improving relationships (or even maintaining them) requires a plan. The first step is to understand the current situation: Is the relationship good, bad, or somewhere in between? While the analysis will be somewhat subjective, it can be made more objective than merely thinking about relationships emotionally or intuitively. Relationships can be assessed based on the presence and quality of certain traits, factors, and elements. For example, you may think communication is important in a relationship. However, that is too abstract and subjective; to be more objective, you would need to identify the indicators or qualities of good communication. For a vendor relationship, they might include (but wouldn’t necessarily be limited to):

    • Vendor communication is accurate and complete.
    • Vendor personnel respond to inquiries on a timely basis.
    • Vendor personnel communications are easy to understand.
    • Vendor personnel communicate with you in your preferred manner (text, email, phone).
    • Vendor personnel discuss the pros and cons of vendor products/services being presented.

    Evaluating these statements on a predefined and consistent scale establishes the baseline necessary to conduct a gap analysis. The second half of the equation is the future state. Using the same criteria, what would or should the communication component look like a year from now? After that is determined, a plan can be created to improve the deficient areas and maintain the acceptable areas.

    Although this example focused on one category, the same methodology can be used for additional categories. It all starts with the simple question that requires a complex answer, “What traits are important to you and are indicators of a good relationship?”

    2.5.1 – Relationship Improvement Plan (RIP)

    15 – 60 Minutes

    1. Meet with the participants to configure the relationship indicators in Elevate – Relationship Assessment and Improvement Plan tool – Tab 2. Set Parameters.
    2. Review the 60 relationship indicators in column E of Tab 2. Set Parameters.
    3. Identify any relationship indicators that are important to you but that are missing from the prepopulated list.
    4. Add the relationship indicators you identified in step 3 above in the space provided at the end of column E of Tab 2. Set Parameters. There is space for up to 15 additional relationship indicators.
    InputOutput
    • Elevate – Relationship Assessment and Improvement Plan Tool
    • Brainstorming
    • Configured Relationship Assessment and Improvement Plan tool
    MaterialsParticipants
    • Elevate – Relationship Assessment and Improvement Plan tool
    • Whiteboard of flip chart
    • VMI team

    Download the Info-Tech Elevate – Relationship Assessment and Improvement Plan tool

    Step 2.6 – Vendor-at-a-glance reports

    Configure executive and stakeholder reports

    Executives and stakeholders (“E&S”) discuss vendors during internal meetings and often meet directly with vendors as well. Having a solid working knowledge of all the critical vendors used by an organization is nearly impossible for E&S. Without situational awareness, though, E&S can appear uninformed, can be at the mercy of others with better information, and can be led astray by misinformation. To prevent these and other issues from derailing the E&S, two essential vendor-at-a-glance reports can be used.

    The first report is the 60-Second Report. As the name implies, the report can be reviewed and digested in roughly a minute. The report provides a lot of information on one page in a combination of graphics, icons, charts, and words.

    The second report is a vendor calendar. Although it is a simple document, the Vendor Calendar is a powerful communication tool to keep E&S informed of upcoming events with a vendor. The purpose is not to replace the automated calendaring systems (e.g. Outlook), but to supplement them.

    Combined, the 60-Second Report and the Vendor Calendar provide E&S with an overview of the information required for any high-level meeting with a vendor or to discuss a vendor.

    2.6.1 – Vendor-at-a-glance reports (60-Second Report)

    30 – 90 Minutes

    1. Meet with the participants to review the sample 60-Second Report and the Checklist of Potential Topics in Elevate – Tools and Templates Compendium – Tab 2.6.1 V-at-a-G 60-Second Report.
    2. Identify topics of interest and ways to convey the data/information. (Make sure the data sources are valid and the data are easy to obtain.)
    3. Create a framework for the report and populate the fields with sample data. Use one printed page as a guideline for the framework; if it doesn’t fit on one page, adjust the amount of content until it does. If you adjust the margins, font, size of the graphic content, and other items, make sure you don’t reduce the size too much. The brain needs white space to more easily absorb the content, and people shouldn’t have to squint to read the content!
    4. Share the mockup with the intended audience and get their feedback. Use an iterative approach until you are satisfied that no further changes are necessary (or reasonable). Keep in mind that you will not be able to please everyone!
    InputOutput
    • Elevate – Tools and Templates Compendium – Tab 2.6.1 V-at-a-G 60-Second Report
    • Design elements and framework for 60-Second Reports
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium – Tab 2.6.1. V-at-a-G 60-Second Report
    • Whiteboard or flip chart
    • VMI team

    Download the Info-Tech Elevate – Tools and Templates Compendium

    2.6.2 – Vendor-at-a-glance reports (vendor calendar)

    15 – 30 Minutes

    1. Meet with the participants to review the sample Vendor Calendar format in Elevate – Tools and Templates Compendium – Tab 2.6.2 V-at-a-G Vendor Calendar.
    2. Brainstorm as a team to identify items to include in the calendar (e.g. business alignment meeting dates, conference dates, contract renewals).
    3. Determine whether you want the Vendor Calendar to be:
      1. A calendar year or a fiscal year (if they are different in your organization)
      2. A rolling twelve-month calendar or a fixed calendar.
    4. Decide whether the fill color for each month should change based on your answers in 3, above. For example, you might want a color scheme by quarter or by year (if you choose a rolling twelve-month calendar).
    5. Share the mockup with the intended audience to get their feedback. Use an iterative approach until you are satisfied that no further changes are necessary (or reasonable). Keep in mind you will not be able to please everyone!
    InputOutput
    • Elevate – Tools and Templates Compendium – Tab 2.6.2 V-at-a-G Vendor Calendar
    • Brainstorming
    • Framework and topics for Vendor Calendar Reports
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium – Tab 2.6.2 V-at-a-G Vendor Calendar
    • Whiteboard or flip chart
    • VMI team

    Download the Info-Tech Elevate – Tools and Templates Compendium

    Step 2.7 – VMI personnel competency evaluation tool

    Identify skills, competencies, and knowledge required for success

    The image contains a screenshot of the VMI personnel competency evaluation tool.

    By now, you have built and begun managing the VMI’s 3-year roadmap and 90-day plans to help you navigate the VMI’s day-to-day operational path. To complement these plans, it is time to build a roadmap for the VMI’s personnel as well. It doesn’t matter whether VMI is just you, you and some part-time personnel, a robust and fully staffed vendor management office, or some other point on the vendor management spectrum. The VMI is a reflection of its personnel, and they must improve their skills, competencies, and knowledge (“S/C/K”) over time for the VMI to reach its potential. As the adage says, “What got you here won’t get you there.”

    To get there requires a plan that starts with creating an inventory of the VMI’s team members’ S/C/K. Initially, focus on two items:

    • What S/C/K does the VMI currently have across its personnel?
    • What S/C/K does the VMI need to get to the next level?

    Conducting an assessment of and developing an improvement plan for each team member will be addressed later in this blueprint. (See steps 3.7 – Evaluate VMI Personnel, 3.8 – Improve Professional Skills, and 3.9 - Expand Professional Knowledge.)

    2.7.1 – VMI Personnel Competency Evaluation Tool

    15 – 60 Minutes

    1. Review the two options of the competency matrix found in Elevate – Tools and Templates Compendium tabs 2.7.1 and 2.7.2 and decide which format you want to use.
    2. Review and modify as needed the prepopulated list of skills, competencies, knowledge, and other intellectual assets found in section 1 of the template option you selected in step 1. The list you use should reflect items that are important to your VMI's mission, goals, scope, charter, and operations.
    3. No changes are required to Sections 2 and 3. They are dashboards and will be updated automatically based on any changes you make to the skills, competencies, knowledge, and other intellectual assets elements in section 1.
    Input Output
    • Elevate – Tools and Templates Compendium – Tabs 2.7.1 and 2.7.2
    • Current job descriptions
    • A list of competencies, skills, and knowledge VMI personnel
      • Should have
      • Do have

    An assessment and inventory of competencies, skills, knowledge, and other intellectual assets by VMI team member

    Materials Participants
    • Elevate – Tools and Templates Compendium – Tabs 2.7.1 and 2.7.2
    • VMI team lead
    • VMI team members as needed

    Download the Info-Tech Elevate – Tools and Templates Compendium.

    Step 2.8 – Internal feedback tool

    Create a user-friendly survey to learn about the VMI’s impact on the organization

    The image contains a screenshot of the internal feedback tool.

    *Adapted from “Best Practices for Every Step of Survey Creation” from surveymonkey.com and “The 9 Most Important Survey Design Tips & Best Practices” by Swetha Amaresan.

    As part of the vendor management lifecycle, the VMI conducts an annual review to assesses compliance with policies and procedures, to incorporate changes in leading practices, to ensure that lessons learned are captured and leveraged, to validate that internal alignment is maintained, and to update governances as needed. As the VMI matures, the annual review process should incorporate feedback from those the VMI serves and those directly impacted by the VMI’s efforts. Your internal clients and others will be able to provide insights on what the VMI does well, what needs improvement, what challenges arise when using the VMI’s services, and other issues.

    A few best practices for creating surveys are set out below:*

    1. Start by establishing a clearly defined, attainable, and high-level goal by filling in the blank: "I want to better understand [blank] (e.g. how the VMI impacts our clients and the executives/stakeholders)." From there, you can begin to derive questions that will help you meet your stated goal.
    2. Use mostly “closed-ended” questions in the survey – responses selected from a list provided. Do ask some “open-ended” questions at the end of the survey to obtain specific examples, anecdotes, or compliments by providing space for the respondent to provide a narrative.
    3. Avoid using biased and leading questions, for example, “Would you say the VMI was great or merely fabulous?” The goal is to get real feedback that helps the VMI improve. Don’t ask the respondents to tell you what you want to hear…listen to what they have to say.

    Step 2.8 – Internal feedback tool

    Create a user-friendly survey to learn about the VMI’s impact on the organization (continued)

    The image contains a screenshot of the internal feedback tool.

    4. Pay attention to your vocabulary and phrasing; use simple words. The goal is to communicate effectively and solicit feedback, and that all starts with the respondents being able to understand what you are asking or seeking.

    5. Use response scales and keep the answer choices balanced. You want the respondents to find an answer that matches their feedback. For example, potential answers such as “strongly agree, agree, neutral, disagree, strongly disagree” are better than “strongly agree, agree, other.”

    6. To improve your response rate, keep your survey short. Most people don’t like surveys, but they really hate long surveys. Make every question count, and keep the average response time to a maximum of a couple of minutes.

    7. Watch out for “absolutes;” they can hurt the quality of your responses. Avoid using language such as always, never, all, and every in your questions or statements. They tend to polarize the evaluation and make it feel like an all-or-nothing situation.

    8. Ask one question at a time or request evaluation of one statement at a time. Combining two topics into the same question or statement (double-barreled questions or statements) makes it difficult for the respondent to determine how to answer if both parts require different answers, for example, “During your last interaction with the VMI, how would you rate our assistance and friendliness?”

    2.8.1 – Internal Feedback Tool

    15 – 60 Minutes

    1. Meet with the participants and review the information in Elevate – Phase 2 Tools and Templates Compendium – Tab 2.8.
    2. Two types of surveys are referenced in tab 2.8: a general awareness survey and a specific interaction survey. Decide whether you want to create one or both for your VMI.
      1. For a general awareness survey, review the questions in part 1 of tab 2.8 and make any changes required to meet your needs. Try to keep the number of questions to seven or less. Determine who will receive the survey and how often it will be used.
      2. For a specific interaction survey, review the questions in Part 2 of Tab 2.8. Select up to 7 questions you want to use, making changes to existing questions or creating your own. The goal of this survey is to solicit feedback immediately after one of your internal clients has used the VMI’s services. You may need multiple variations of the survey based on the types of interactions or services the VMI provides.
    3. Balance the length of the surveys against the information you are seeking and the time required for the respondents to complete the survey.
    InputOutput
    • Elevate – Phase 2 Tools and Templates Compendium – Tab 2.8
    • Brainstorming
    • Configured internal surveys
    MaterialsParticipants
    • Elevate – Phase 2 Tools and Templates Compendium – Tab 2.8
    • VMI team

    Download the Info-Tech Elevate –Tools and Templates Compendium

    Step 2.9 – VMI ROI calculation

    Identify ROI variables to track

    After the VMI has been operating for a year or two, questions may begin to surface about the value the VMI provides. “We’re making an investment in the VMI. What are we getting in return?” “Does the VMI provide us with any tangible benefits, or is it another mandatory area like Internal Audit?” To keep the naysayers at bay, start tracking the value the VMI adds to the organization or the return on investment (ROI) provided.

    The easy thing to focus on is money: hard-dollar savings, soft-dollar savings, and cost avoidance. However, the VMI often plays a critical role in vendor-facing activities that lead to saving time, improving performance, and managing risk. All of these are quantifiable and trackable. In addition, internal customer satisfaction (step 2.8 and step 3.11) can provide examples of the VMI’s impact beyond the four pillars of money, time, performance, and risk.

    VMI ROI is a multifaceted and complex topic that is beyond the scope of this blueprint. However, you can do a deep (or shallow) dive on this topic by downloading and reading Info-Tech’s blueprint Capture and Market the ROI of Your VMO to plot your path for tracking and reporting the VMI’s ROI or value.

    Download the Info-Tech blueprint Capture and Market the ROI of Your VMO

    2.9.1 – VMI ROI calculation

    2 – 4 Hours

    1. Meet with the participants to review the Info-Tech blueprint Capture and Market the ROI of Your VMO.
    2. Identify your ROI maturity level using the tools from that blueprint.
    3. Develop a game plan for measuring and reporting your ROI.
    4. Configure the tools to meet your needs.
    5. Gain approval from applicable stakeholders or executives.
    Input Output
    • The tools and materials from the Info-Tech blueprint Capture and Market the ROI of Your VMO
    • Brainstorming
    • Game plan for measuring and reporting ROI
    Materials Participants
    • The Info-Tech blueprint Capture and Market the ROI of Your VMO and its tools
    • VMI team
    • Executives and stakeholders as needed

    Download the Info-Tech blueprint Capture and Market the ROI of Your VMO

    Step 2.10 – Vendor recognition program

    Address the foundational elements of your program

    A vendor recognition program can provide many benefits to your organization. Obtaining those benefits requires a solid plan and the following foundational elements:

    • Internal alignment: The program must align with your organization’s principles and culture. A vendor recognition program that accentuates value and collaboration will not succeed in a customer environment that operates with a “lowest cost wins/price is the only thing we care about” mentality.
    • Funding: Not every program requires extensive funding (or any funding), but more formal vendor recognition programs do require some investment. Underfunding will make your program look cheap and unimpressive. For example, a certificate of appreciation printed on plain paper using a Word template doesn’t send the same message as a nice plaque engraved with the winner’s name.
    • Support: Executive buy-in and support are essential. Without this, only the most informal vendor recognition programs stand a chance of surviving. Executives and stakeholders are often directly involved in formal programs, and this broadens the appeal of the program from the vendor’s perspective.
    • Designated leader: Someone needs to be in charge of the vendor recognition program. This doesn’t mean only one person is doing all the work, but it does require one person to lead the effort and drive the program forward. Much like the VMI itself, there are things the leader will be able to do themselves and things that will require the input, assistance, and participation from others throughout the organization.

    Step 2.10 – Vendor recognition program

    Leverage the advantages of recognizing vendors

    As with any project, there are advantages and disadvantages with implementing and operating a vendor recognition program.

    Advantages:

    • The Pygmalion effect may come into play; the vendors’ performance can be influenced by your expectations as conveyed through the program.
    • There may be some prestige for the vendor associated with winning one of your awards or receiving recognition.
    • Vendor recognition programs can be viewed as a competition, and this can improve vendor performance as it relates to the program and program categories.
    • The program can provide additional feedback to the vendor on what's important to you and help the vendor focus on those items.
    • The vendors’ executives may have an increased awareness of your organization, which can help build relationships.
    • Performance gains can be maintained or increased. Vendors are competitive by nature. Once a vendor wins an award or receives the recognition, it will strive to win again the following year (or measurement period).

    Step 2.10 – Vendor recognition program

    Manage the disadvantages of recognizing vendors

    Just as a coin has two sides, there are two sides to a vendor recognition program. Advantages must be weighed against disadvantages, or at the very least, you must be aware of the potential disadvantages.

    Disadvantages:

    • The program may require funding, depending upon the scope and type of awards, rewards, and recognition being provided.
    • Some vendors who don’t qualify for the program or who fail to win may get hurt feelings. This may alienate them.
    • In addition to hurt feelings from being excluded or finishing outside of the winner’s circle, some vendors may believe the program shows favoritism to certain vendors or is too subjective.
    • Some vendors may not “participate” in the program; they may not understand the WIIFM (what’s in it for me). You may have to “sell” the benefits and advantages of participation to the vendors.
    • Participation may vary by size of vendor. The award, reward, or recognition may mean more to small and mid-sized companies than large companies.

    Step 2.10 – Vendor recognition program

    Create your program’s framework

    There is no one-size-fits-all approach to creating a vendor recognition program. Your program should align with your goals. For example, do you want to drive performance and collaboration, or do you want to recognize vendors that exceed your expectations? While these are not mutually exclusive, the first step is to identify your goals. Next, focus on whether you want a formal or informal program. An informal program could consist of sending thank-you emails or notes to vendor personnel who go above and beyond; a formal program could consist of objective criteria announced and measured annually, with the winners receiving plaques, publicity, and/or recognition at a formal award ceremony with your executives. Once you have determined the type of program you want, you can begin building the framework.

    Take a “crawl, walk, run” approach to designing, implementing, and running your vendor recognition program. Start small and build on your successes. If you try something and it doesn’t work the way you intended, regroup and try again.

    The vendor recognition program may or may not end up residing in the VMI. Regardless, the VMI can be instrumental in creating the program and reinforcing it with the vendors. Even if the program is run and operated by the VMI, other departments will need to be involved. Seek input from the legal and marketing departments to build a durable program that works for your environment and maximizes its impact.

    Lastly, don’t overlook the simple gestures…they go a long way to making people feel appreciated in today’s impersonal world. A simple (but specific) thank-you can have a lasting impact, and not everything needs to be about the vendor’s organization. People make the organization “go,” not the other way around.

    2.10.1 – Vendor recognition program

    30 – 90 Minutes

    1. Meet with the participants to review the checklist in Elevate – Tools and Templates Compendium, Tab 2.10 Vendor Recognition.
      1. Decide whether you want to create a program that recognizes individual vendor personnel. If so, review part 1 of tab 2.10 and select the elements you are interested in using to build your program.
      2. Decide whether you want to create a program that recognizes vendors at the company level. If so, review part 2 of tab 2.10.
        1. The first section lists elements of an informal and a formal approach. Decide which approach you want to take.
        2. The second section focuses on creating a formal recognition program. Review the checklist and identify elements that you want to include or issues that must be addressed in creating your program.
    2. Create a draft framework of your programs and work with other areas to finalize the program elements, timeline, marketing, budget, and other considerations.
    Input Output
    • Elevate – Tools and Templates Compendium – Tab 2.10 Vendor Recognition
    • Brainstorming
    • A framework for a vendor recognition program
    Materials Participants
    • Elevate – Tools and Templates Compendium – Tab 2.10. Vendor Recognition
    • Whiteboard or flip chart
    • VMI team
    • Executives and stakeholders as needed
    • Marketing and legal as needed

    Download the Info-Tech Elevate – Tools and Templates Compendium

    Phase 3 – Run

    Use New and Updated Tools and Increase the VMI’s Impact

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Review and update existing Plan materials

    2.1 Vendor classification models

    2.2 Customer positioning model

    2.3 Two-way scorecards

    2.4 Performance improvement plan (PIP)

    2.5 Relationship improvement plan (RIP)

    2.6 Vendor-at-a-glance reports

    2.7 VMI personnel competency evaluation tool

    2.8 Internal feedback tool

    2.9 VMI ROI calculation

    2.10 Vendor recognition program

    3.1 Classify vendors and identify customer position

    3.2 Assess the relationship landscape

    3.3 Leverage two-way scorecards

    3.4 Implement PIPs and RIPs

    3.5 Gather market intelligence

    3.6 Generate vendor-at-a-glance reports

    3.7 Evaluate VMI personnel

    3.8 Improve professional skills

    3.9 Expand professional knowledge

    3.10 Create brand awareness

    3.11 Survey internal clients

    3.12 Calculate VMI ROI

    3.13 Implement vendor recognition program

    4.1 Investigate potential alliances

    4.2 Continue increasing the VMI’s strategic value

    4.3 Review and update

    This phase will walk you through the following activities:

    This phase helps you begin integrating the new tools and templates into the VMI’s operations. The main outcomes from this phase are guidance and the steps required to continue your VMI’s maturation and evolution.

    This phase involves the following participants:

    • VMI team
    • IT
    • Legal
    • Marketing
    • Human resources
    • Applicable stakeholders and executives
    • Others as needed

    Phase 3 – Run

    Implement new processes, tools, and templates and leverage new concepts

    The review and assessment conducted in Phase 1 – Plan and the tools and templates created and configured during Phase 2 – Build are ready for use and incorporation into your operations. As you trek through Phase 3 – Run, a couple of familiar concepts will be reviewed (vendor classification and scorecarding), and additional details on previously introduced concepts will be provided (customer positioning, surveying internal clients); in addition, new ideas will be presented for your consideration:

    • Assessing the relationship landscape
    • Gathering market intelligence
    • Improving professional skills
    • Expanding professional knowledge
    • Creating brand awareness

    Step 3.1 – Classify vendors & identify customer position

    Classify your top 25 vendors by spend

    The methodology used to classify your vendors in the blueprint Jump Start Your Vendor Management Initiative applies here as well, regardless of whether you use the COST model or the MVP model. Info-Tech recommends using an iterative approach initially to validate the results from the model you configured in step 2.1.

    1. Start with your top 25 vendors by spend. From this pool, select 10 vendors: choose your top three vendors by spend, three from the middle of the pack (e.g. numbers 14, 15, and 16 by spend), and the bottom four by spend. Run all 10 vendors through the classification model and review the results.
    2. If the results are what you expected and do not contain any significant surprises, run the rest of the top 25 vendors through the model.
    3. If the results are not what you expected or do contain significant surprises, look at the configuration page of the tool (tab 2) and adjust the weights slightly. Be cautious in your evaluation of the results before modifying the configuration page – some legitimate results are unexpected or surprises based on biases or subjective expectations. Proceed to point 1 above and repeat this process as needed.

    Remember to share the results with executives and stakeholders. Switching from one classification model to another may lead to concerns or questions. As always, obtain their buy-in on the final results.

    Step 3.1 – Classify vendors and identify customer position

    Translate terminology and processes if you use the MVP vendor classification model

    If you use the MVP model, the same features will be applicable and the same processes will be followed after classifying your vendors, despite the change in nomenclature. (Strategic vendors are the equivalent of principal vendors; high operational and high tactical vendors are the equivalent of valued vendors; and all other vendors are the equivalent of minor vendors.)

    • Roughly 5% (max) of your total vendor population will be classified as principal.
    • Approximately 10% (max) of your total vendor population will be classified as valued.
    • About 80% of your total vendor population will be classified as minor.
    • Business alignment meetings should be conducted and scorecards should be compiled quarterly for your principal vendors and at least every six months for your valued vendors; business alignment meetings are not necessary for your minor vendors.
    • All other activities will be based on the criteria you used in your MVP model. For example, risk measuring, monitoring, and reporting might be done quarterly for principal and valued vendors if risk is a significant component in your MVP model; if risk is a lesser component, measuring, monitoring, and reporting might be done less frequently (every six or 12 months).

    Step 3.1 – Classify vendors and identify customer position

    Determine your customer position for your top 25 vendors using the OPEN model

    The image contains a screenshot of the customer positioning model.

    After classifying your vendors, run your top 25 vendors through the OPEN Model Customer Positioning Tool. The information you need can come from multiple sources, including:

    • Talking to internal personnel to determine responses to the OPEN model assessment statements.
    • Compiling spend information.
    • Looking at the vendors’ financial statements.
    • Talking with the vendors to glean additional information.

    At first blush, the results can run the emotional and logical gamut: shocking, demeaning, degrading, comforting, insightful, accurate, off-kilter, or a combination of these and other reactions. To a certain extent, that is the point of the activity. As previously stated, customers often overestimate their importance to a vendor. To be helpful, your perspective must be as objective as possible rather than the subjective view painted by the account team and others within the vendor (e.g. “You’re my favorite client,” “We love working with you,” “You’re one of our key accounts,” or “You’re one of our best clients.”) The vendor often puts customers on a pedestal that is nothing more than sales puffery. How a vendor treats you is more important than them telling you how great you are.

    Use the OPEN model results and the material on the following pages to develop a game plan as you move forward with your vendor-facing VMI activities. The outcomes of the OPEN model will impact your business alignment meetings, scorecards, relationships, expectations, and many other facets of the VMI.

    Info-Tech Insight

    The OPEN Model Customer Positioning Tool can be adapted for use at the account manager level to determine how important your account is to the account manager.

    *Adapted from Profitable Purchasing Strategies by Paul T. Steele and Brian H. Court

    Step 3.1 – Classify vendors and identify customer position

    Learn how each quadrant of the open model impacts your organization (continued)

    Opportunity

    Low value and high attractiveness

    Characteristics and potential actions by the vendor

    • Higher level of service provided.
    • Higher level of attention.
    • Nurture the customer.1
    • Expand the business and relationship.1
    • Seek new opportunities.2
    • Provide proactive service.
    • Demonstrate added value.

    Customer strategies

    • Leverage the position – the vendor may be willing (at least in the short term) to meet your requirements in order to win more business.3
    • Look for ways to improve your value to the vendor and to grow the relationship and business if it works to your advantage.
    1. Procurement Cube, 2020. 2. Accuity Consultants, 2012. 3. New Zealand Ministry of Business, Innovation & Employment, 2021.

    Step 3.1 – Classify vendors and identify customer position

    Learn how each quadrant of the OPEN model impacts your organization (continued)

    Preferred

    High value and high attractiveness

    Characteristics and potential actions by the vendor

    • High level of service provided.
    • High level of attention, service, and response.1
    • The supplier actively seeks longer-term commitments.2
    • Retain and expand the business and relationship.3
    • Look after and pamper the customer.4
    • Fight to keep the account.
    • There is a dedicated account manager2 (you are the account manager’s only account).

    Customer strategies

    • Establish a rewarding business relationship in which both parties continually seek to add value.3
    • Leverage the relationship to gain better access to innovation, collaborate to eliminate waste, and work together to maintain or increase your competitive advantages.1
      1. Procurement Cube, 2020. 2. Comprara, 2015. 3. New Zealand Ministry of Business, Innovation & Employment, 2021. 4. Accuity Consultants, 2012.

    Step 3.1 – Classify vendors and identify customer position

    Learn how each quadrant of the OPEN model impacts your organization (continued)

    Exploitable

    High value and low attractiveness

    Characteristics and potential actions by the vendor

    • Lower level of service provided.
    • Lower level of attention.
    • Strive for best price from the customer (i.e. premium pricing).1
    • Seek short-term advantage and consistent price increases.
    • Accept risk of losing the customer.
    • Focus on maximizing profits.2
    • Provide reactive service.

    Customer strategies

    • Look for alternative vendors or try to make the relationship more attractive by considering more efficient ways to do business2 or focusing on issues other than pricing.
    • Identify ways to improve your organization’s attractiveness to the vendor or the account manager.
    1. Accuity Consultants, 2012. 2. New Zealand Ministry of Business, Innovation & Employment, 2021.

    Step 3.1 – Classify vendors and identify customer position

    Learn how each quadrant of the open model impacts your organization

    Negligible

    Low value and low attractiveness

    Characteristics and potential actions by the vendor

    • Lower level of service provided.
    • Lower level of attention.1
    • Loss of interest and enthusiasm for customer’s business.
    • Loss of customer will not cause any pain.1
    • Terminate the relationship.2
    • Terms and conditions are the “standard” terms and are non-negotiable.3
    • There is a standard price list and discounts are in line with industry norms.3

    Customer strategies

    • You may wish to consider sourcing from other suppliers who value your business more highly.2
    • Identify the root cause of your position and determine whether it is worthwhile (or possible) to improve your position.
    1. Procurement Cube, 2020. 2. New Zealand Ministry of Business, Innovation & Employment, 2021. 3 Comprara, 2015.

    Step 3.1 – Classify vendors and identify customer position

    Think like a vendor to increase situational awareness

    In summary, vendor actions are understandable and predictable. Learning about how they think and act is invaluable. As some food for thought, consider this snippet from an article aimed at vendors:

    “The [customer positioning] grid or matrix is, in itself, a valuable snapshot of the portfolio of customers. However, it is what we do with this information that governs how effective the tool is. It can be used in many ways:

    • It helps in the allocation of resources to specific customers, and whether the right resources are being allocated to the right customers.
    • It can determine the style of relationship that is appropriate to have with this client – and whether the real relationship truly reflects this.
    • It can influence the amount of time spent with these clients. Interestingly, we often find that a disproportionate amount of management time is spent on [Negligible] Customers (at the expense of spending more time with [Preferred] Accounts)!
    • It should significantly influence the price and profitability targets for specific customers.
    • And, last but by no means least, it should determine our negotiation style for different customers.”1
    1 “Rule No. 5: All Customers/Suppliers Have a Different Value to You,” New Dawn Partners.

    Step 3.2 – Assess the relationship landscape

    Identify key relationships and relationship risks

    After classifying your vendors (COST or MVP model) and identifying your positioning for the top vendors via the OPEN Model Customer Positioning Tool, the next step is to assess the relationship landscape. For key vendors (strategic, high operational, and high tactical under the COST model and principal and valued under the MVP model), look closer at the relationships that currently exist:

    • What peer-to-peer relationships exist between your organization and the vendor (e.g. your project manager works closely with the vendor’s project manager)? Look across executives, mid-level management, and frontline employees.
    • What politically charged relationships exist between employees of the two organizations and the organizations themselves? Examples include:
      • Friendships, neighbors, and relationships fostered by children on the same sports team or engaged in other activities.
      • Serving on third-party boards of directors or working with the same charities in an active capacity.
      • Reciprocity relationships where each organization is a customer and vendor to the other (e.g. a bank buys hardware from the vendor and the vendor uses the customer for its banking needs).
    • How long has the contract relationship been in place?

    This information will provide a more holistic view of the dynamics at work (or just beneath the surface) beyond the contract and operational relationships. It will also help you understand any relationship leverage that may be in play…now or in the future…from each party’s perspective.

    3.2.1 – Assess the relationship landscape

    10 - 30 Minutes per vendor

    1. Decide whether to meet with the participants in small groups or as a large group.
    2. Using Elevate – Tools and Templates Compendium – Tab 3.2 Relationship Landscape, for each important vendor (strategic, tactical, and operational under the COST model or principal and valued under the MVP model), identify and evaluate the relationships that exist for the following categories:
      1. Professional: relationships your personnel have with the vendor’s executives, mid-level management, and frontline employees.
      2. Political: personal relationships between customer and vendor personnel, any professional connections, and any reciprocity between your organization and the vendor.
    Input Output
    • Relationship information
    • Vendor classification categories for each vendor being assessed
    • A list of customer-vendor relationships
    • Potential reciprocity issues to manage
    Materials Participants
    • Elevate – Tools and Templates Compendium – Tab 3.2 Relationship Landscape
    • VMI team
    • Stakeholders
    • Others with knowledge of customer/vendor relationships

    Download the Info-Tech Elevate – Tools and Templates Compendium

    Step 3.3 – Leverage two-way scorecards

    Roll out your new vendor scorecards and feedback forms

    As you roll out your new, enhanced scorecards, the same principles apply. Only a couple of modifications need to be made to your processes.

    For the vendor scorecards, the VMI will still be driving the process, and internal personnel will still be completing the scorecards. An email or short orientation meeting for those involved will ease the transition from the old format to the new format. Consider creating a FAQ (frequently asked questions) for the new template, format, and content; you’ll be able to leverage it via the email or meeting to answer questions such as: What changed? Why did it change? Why are we doing this? In addition, making a change to the format and content may generate a need for new or additional internal personnel to be part of the scorecarding process. A scorecarding kick-off meeting or orientation meeting will ensure that the new participants buy into the process and acclimate to the process quickly.

    For the vendor feedback, the look and feel is completely new. The feedback questions that were part of the BAM agenda have been replaced by a more in-depth approach that mirrors the vendor scorecards. Consider conducting a kick-off meeting with each participating vendor to ensure they understand the importance of the feedback form and the process for completing it. Remember to update your process to remind the vendors to submit the feedback forms three to five business days prior to the BAM (and update your BAM agenda). You will want time to review the feedback and identify any questions or items that need to be clarified. Lastly, set aside some extra time to review the feedback form in the first BAM after you shift to the formal format.

    Step 3.4 – Implement PIPs and RIPs

    Improve vendor performance

    Underperforming vendors are similar to underperforming employees. There can be many reasons for the lackluster performance, and broaching the subject of a PIP may put the vendor on the defensive. Consider working with the human resources department (or whatever it is called in your organization) to learn some of the subtle nuances and best practices from the employee PIP realm that can be used in the vendor PIP realm.

    When developing the PIP, make sure you:

    • Work with legal to ensure compliance with the contract and applicable laws.
    • Adequately convey the expected performance to the vendor; it is unfair to hold a vendor accountable for unreasonable and unconveyed expectations.
    • Work with the vendor on the PIP rather than imposing the PIP on the vendor.
    • Remain objective and be realistic about timelines and improvement.

    Not all performance issues require a PIP; some can be addressed one-on-one with the vendor’s account manager, project manager, or other personnel. The key is to identify meaningful problems and use a PIP to resolve them when other measures have failed or when more formality is required.

    A PIP is a communication tool, not a punishment tool. When used properly, PIPs can improve relationships, help avoid lawsuits, and prevent performance issues from having a significant impact on your organization.

    Step 3.4 – Implement PIPs and RIPs

    Improve vendor relationships

    After assessing the relationship landscape in step 3.2 and configuring the Relationship Assessment and Improvement Plan Tool in step 2.5, the next step is to leverage that information: 1) establish a relationship baseline for each critical vendor; and 2) develop and implement a plan for each to maintain or improve those relationships.

    The Relationship Assessment and Improvement Plan Tool provides insights into the actual status of your relationships. It allows you to quantify and qualify those relationships rather than relying on intuition or instinct. It also pinpoints areas that are strong and areas that need improvement. Identify your top seven relationship priorities and build your improvement/maintenance plan around those to start. (This number can be expanded if some of your priorities are low effort or if you have several people who can assist with the implementation of the plan.) Decide which relationship indicators need a formal plan, which ones require only an informal plan, and which ones involve a hybrid approach. Remember to factor in the maintenance aspect of the relationship – if something is going well, it can still be a top priority to ensure that the relationship component remains strong.

    Similar to a PIP, your RIP can be very formal with action items and deadlines. Unlike a PIP, the RIP is typically not shared with the vendor. (It can be awkward to say, “Here are the things we’re going to do to improve our relationship, vendor.”)

    The level of formality for your plan will vary. Customize your plan for each vendor. Relationships are not formulaic, although they can share traits. Keep in mind what works with one person or one vendor may not work for another. It’s okay to revisit the plan if it is not working and make adjustments.

    Step 3.5 – Gather market intelligence

    Determine the nature and scope of your market intelligence

    What is market intelligence?

    Market intelligence is a broad umbrella that covers a lot of topics, and the breadth and depth of those topics depend on whether you sit on the vendor or customer side of the equation. Even on the customer side, the scope and meaning of market intelligence are defined by the role served by those gathering market intelligence. As a result, the first step for the VMI is to set the boundaries and expectations for its role in the process. There can be some overlap between IT, procurement/sourcing, and the VMI, for example. Coordinating with other functional areas is a good idea to avoid stepping on each other’s toes or expending duplicate resources unnecessarily.

    For purposes of this blueprint, market intelligence is defined as gathering, analyzing, interpreting, and synthesizing data and information about your critical vendors (high operational, high tactical, and strategic under the COST model or valued and principal under the MVP model), their competitors, and the industry. Market intelligence can be broken into two basic categories: individual vendors and the industry as a whole. For vendors, it generally encompasses data and information about products and services available, each vendor’s capabilities, reputation, costs, pricing, advantages, disadvantages, finances, location, risks, quality ratings, standard service level agreements (SLAs) and other metrics, supply chain risk, total cost of ownership, background information, and other points of interest. For the industry, it can include the market drivers, pressures, and competitive forces; each vendor’s position in the industry; whether the industry is growing, stable, or declining; whether the industry is competitive or led by one or two dominant players; and the potential for disruption, trends, volatility, and risk for the industry. This represents some of the components of market intelligence; it is not intended to be an exhaustive list.

    Market intelligence is an essential component of a VMI as it matures and strives to be strategic and to provide significant value to the organization.

    Step 3.5 – Gather market intelligence

    Determine the nature and scope of your market intelligence

    What are the benefits of gathering market intelligence?

    Depending on the scope of your research, there are many potential uses, goals, and benefits that flow from gathering market intelligence:

    • Identify potential alternate vendors.
    • Learn more about the vendors and market in general.
    • Identify trends, innovations, and what’s available in the industry.
    • Improve contract protections and mitigate contract/performance risk.
    • Identify more comprehensive requirements for RFPs and negotiations.
    • Identify the strengths, weaknesses, opportunities, and threats for vendors.
    • Assist with minority/women/veteran-owned business or small business use initiatives.
    • Improve the pool of potential vendors for future RFPs, which can improve competition for your business.
    • Leverage information gained when negotiating or renegotiating at renewal (better terms and conditions).
    • Ensure ongoing alignment or identify gaps/risks between your current vendor’s capabilities and your needs.

    Step 3.5 – Gather market research and intelligence

    Begin collecting data and information

    What are some potential sources of information for market intelligence?

    For general information, there are many places to obtain market intelligence. Here are some common resources:

    • User groups
    • The internet
    • Vendor demos
    • Vendor marketing materials and websites
    • Internal personnel interviews and meetings
    • Industry publications and general periodicals
    • Trade shows and conferences (hosted or attended by vendors)
    • Requests for information (RFIs) and requests for proposal (RFPs)
    • Vendor financial filings for publicly held companies (e.g. annual reports, 10-K, 10-Q)

    Keep in mind the source of the information may be skewed in favor of the vendor. For example, vendor marketing materials may paint a rosier picture of the vendor than reality. Using multiple sources to validate the data and information is a leading practice (and common sense).

    For specific information, many VMIs use a third-party service. Third-party services can dedicate more resources to research since that is their core function. However, the information obtained from any third party should be used as guidance and not as an absolute. No third-party service has access to every deal, and market conditions can change often and quickly.

    Step 3.5 – Gather market research and intelligence

    Resolve storage and access issues

    Some additional thoughts on market intelligence

    • Market intelligence is another tool in the VMI’s toolbox. How you use it and what you do with the results of your efforts is critical. Collecting information and passing it on without analysis or insights is close to being a capital offense.
    • As previously mentioned, defining the scope and nature of market intelligence is the first step. In conjunction with that, remember to identify where the information will be stored. Set up a system that allows for searching by relevance and easy retrieval. You can become overwhelmed with information.
    • Periodically update the scope and reach of your market intelligence efforts. Do you need to expand, contract, or maintain the breadth and depth of your research? Do new vendors and industries need to be added to the mix?
    • Information can grow stale. Review your market intelligence repository at least annually and purge unneeded or outdated information. Be careful though – some historical information is helpful to show trends and evolution. Decide whether old information should be deleted completely or moved to an archive.
    • Determine who should have access to your repository and what level of access they should have. Do you want to share outside of the VMI? Do you want others to contribute to or modify/edit the material in the repository or only be able to read from the repository?

    Step 3.6 – Generate vendor-at-a-glance reports

    Keep executives and stakeholders informed about critical vendors

    Much of the guidance provided on reports in the blueprint Jump Start Your Vendor Management Initiative holds true for the 60-Second Report and the Vendor Calendar.

    • Determine who will be responsible for updating the reports, knowing that the VMI will be mainly coordinating the process and assembling the data/information rather than obtaining the data firsthand.
    • Determine the frequency. Most likely it will be periodic and ad hoc; for example, you may decide to update the 60-Second Report in whole or in part each quarter, but you may need to update it in the middle of the quarter if an executive has a meeting with one of your critical vendors at that time.
    • Even though you obtained feedback and “approval” from executives and stakeholders during step 2.6, you will still want to seek their input periodically. Their needs may change from time to time with respect to data, information, and formatting. Avoid the temptation to constantly make changes to the format, though. After the initial review cycle, try to make changes only annually as part of your ongoing review process.
    • Unfortunately, these reports require a manual approach; some parts may be automated, but that will depend on your format and systems.

    These reports should be kept confidential. Consider using a “confidential” stamp, header, watermark, or other indicator to highlight that the materials are sensitive and should not be disclosed outside of your organization without approval.

    Step 3.7 – Evaluate VMI personnel

    Compare skills, competencies, and knowledge needed to current levels

    Using the configured VMI personnel assessment tool (Elevate – Tools and Templates Compendium tab 2.7.1 or 2.7.2), evaluate each VMI employee’s skills, competencies, and knowledge (S/C/K) against the established minimum level required/desired field for each. Use this tool for full-time and part-time team members to obtain a complete inventory of the VMI’s S/C/K.

    After completing the assessment, you will be able to identify areas where personnel exceed, meet, or fail to meet the minimum level required/desired using the included dashboards. This information can be used to create a development plan for areas of deficiency or areas where improvement is desired for career growth.

    As an alternative, you can assess VMI personnel using their job descriptions. Tab 2.7.3 of the Tools and Templates Compendium is set up to perform this type of analysis and create a plan for improvement when needed. Unlike Tabs 2.7.1 and 2.7.2, however, the assessment does not provide a dashboard for all employee evaluations. Tab 2.7.3 is intended to focus on the different roles and responsibilities for each employee versus the VMI as a whole.

    Lastly, you can use Tab 2.7.4 to evaluate potential VMI personnel during the interview process. Load the roles and responsibilities into the template, and evaluate all the candidates on the same criteria. A dashboard at the bottom of the template quantifies the number of instances each candidate exceeds, meets, and fails to meet the criteria. Used together, the evaluation matrix and dashboard will make it easier to identify each candidate’s strengths and weaknesses (and ultimately select the best new VMI team member).

    Step 3.8 – Improve professional skills

    Increase proficiency in a few key areas

    The image contains an a screenshot example to demonstrate how to increase proficiency in a few key areas.

    To be an effective member of the VMI requires proficiency in many areas. Some basic skills like computer skills, writing, and time management are straightforward. Others are more nebulous. The focus of this step is on a few of the often-overlooked skills lurking in the shadows:

    • Communication
    • Running a meeting
    • Diplomacy
    • Emotional intelligence quotient (EQ)
    • Influence and persuasion
    • Building and maintaining relationships

    For the VMI to be viewed as a strategic and integral part of the organization, these skills (and others) are essential. Although this blueprint cannot cover all of them, some leading practices, tips, and techniques for each of the skills listed above will be shared over the next several pages.

    Step 3.8 – Improve professional skills

    Communicate more effectively

    Communication is the foundational element for the other professional skills covered in this Step 3.8. By focusing on seven key areas, you can improve your relationships, influence, emotional intelligence quotient, diplomacy, and impact when interacting with others. The concepts for the seven focal points presented here are the proverbial tip of the iceberg. Continue learning about these areas, and recognize that mastering each will require time and practice.

    1. Writing.
      1. Stick with simple words;1 you’re trying to communicate, not impress people with your vocabulary.
      2. Keep your sentences simple;1 use short words, short sentences, and short paragraphs.2
      3. Read your writing aloud;1 If you have to take a breath while reading a sentence out loud, the sentence is too long.
      4. Use a tool like Grammarly or the built-in functionality of Word to determine readability; aim for a score of 60 to 70 or a seventh- or eighth-grade level.3
      5. When reviewing your writing: consider your word choice and the implications of your words; look for unintended interpretations, ambiguities, and implied-tone issues.
    1 Grammarly, 2017. 2 Elna Cain, 2018. 3 Forbes, 2016.

    Step 3.8 – Improve professional skills

    Communicate more effectively (continued)

    2. Speaking

    1. Similar to writing, focus on short words and sentences. Avoid run-on sentences.
    2. Think before speaking and work on eliminating “ums,” “uhs,” and “you knows.” These detract from your message.
    3. Choose words that are “comfortable” for the other person/people. Rule number one in public speaking is to know your audience, and that rule applies beyond public speaking and to groups of all sizes (1 to 1,000+).
    4. Don’t confuse the words with the message.
    5. Pay attention to your tone, pace, and volume. Try to match your counterpart in one-on-one settings.

    3. Body Language.

    1. Understand body language’s limitations; it is part art and part science…not an absolute.
    2. Individual movements and movement clusters can provide information regarding the spoken message – look for consistencies and inconsistencies. A baseline for the person is needed to interpret the body language “accurately.”
    3. Pay attention to your own body language. Does it match the message being conveyed by your words or those of your teammates (in group settings)?

    Step 3.8 – Improve professional skills

    Communicate more effectively (continued)

    4. Personality.

    1. Identify your counterpart’s personality: Are they extroverted or introverted? Are they effusive or reserved? Are they diplomatic or offensive? Are they collaborative or looking to blame someone?
    2. Appeal to their personality type when possible, but avoid the blame game. For example, don’t be loud and “over the top” with someone who is reserved and quiet.

    5. Style.

    1. Determine your counterpart’s style for both written and spoken communications: Are they direct or indirect? Are they bottom-line or do they prefer descriptions and build-ups? Are they into empirical data or anecdotal examples?
    2. To maximize the connection and communication effectiveness, match their style…even if it means getting out of your comfort zone a little. For example, if you have an indirect style, you will have to be more direct when dealing with someone who is direct; otherwise, you run the risk of alienating your counterpart (i.e. they will get frustrated or bored, or their mind will wander).

    Step 3.8 – Improve professional skills

    Communicate more effectively (continued)

    6. Learning

    1. People absorb information in three ways:
      1. Visually: These learners need to see things for them to make sense and be retained.
      2. Auditory: These learners need to hear things for them to make sense and be retained.
      3. Kinesthetic/experiential: These learners need to do something or experience it to understand and retain it.
    2. While some people are dominant in one area, most are a combination of one or more methods.
    3. If you can identify a person’s preferred method of learning, you can enhance your ability to communicate. For example, talking (exclusively) with a visual learner will be minimally effective; showing that person a picture or graph while talking will increase your effectiveness.

    7. Actions and inactions.

    1. Communication goes beyond words, messages, body language, and other issues. Your actions or inactions following a communication can undo your hard work to communicate effectively.
    2. Follow through on promises, action items, or requests.
    3. Meet any deadlines or due dates that result from communications. This helps build trust.
    4. Make sure your follow-through items are complete and thorough. Half-way is no way!
    5. Communicate any delays in meeting the deadlines or due dates to avoid

    Step 3.8 – Improve professional skills

    Tap into your inner diplomat

    Diplomacy can be defined many ways, but this one seems to fit best for the purposes of vendor management: The ability to assert your ideas or opinions, knowing what to say and how to say it without damaging the relationship by causing offense.1 At work, diplomacy can be about getting internal or external parties to work together, influencing another party, and conveying a message tactfully. As a vendor manager, diplomacy is a necessary skill for working with your team, your organization, and vendors.

    To be diplomatic, you must be in tune with others and understand many things about them such as their feelings, opinions, ideas, beliefs, values, positions, preferences, and styles. To achieve this, consider the following guidance:2

    • Modify your communication style: Communication is about getting someone to understand and evaluate your message so they can respond. Approach people the way they want to be approached. For example, sending an email to a person who prefers phone calls may create a communication issue.
    • Choose your words carefully: Use words as an artist uses a brush, paint, and a canvas. Paint a picture through word selection. Similar words can portray different scenes (e.g. the child ran to the store quickly vs. the child raced to the store). Make sure your image is relatable for your counterpart.
    1 “The Art of Tact and Diplomacy,” SkillsYouNeed 2 Communiqué PR, 2020.

    Step 3.8 – Improve professional skills

    Tap into your inner diplomat (continued)

    • Slow down a speak concisely: Say what you have to say…and stop. No one likes a communicator who rambles on and on. Once your message has been conveyed, go into silent mode. Get comfortable with silence; there is no need to fill the void with more meaningless words. Let your counterpart contemplate in peace.
    • Listen to understand: Be an active listener rather than biding your time until you can talk again. Avoid interrupting the other party (whenever possible, but sometimes it is needed!). Show interest in what the other person is saying and ask clarifying questions. Make eye contact, nod your head periodically, and summarize what you hear from time to time. Use your ears and mouth in proportion: listen twice as much as you talk.
    • Consider nonverbals: Read the facial expressions of the speaker and be aware of your own. Faces tend to be expressive; sometimes we are aware of it…and sometimes we aren’t. Try relaxing your face and body to minimize the involuntary expressions that may betray you. Adopt a diplomatic facial expression and practice using it; find the right mix of interest and neutrality.

    Whenever things get tense, take a deep breath, take a break, or stop the communication (based on the situation and what is appropriate). Being diplomatic can be taxing, and it is better to step back than to continue down a wrong path due to stress, emotion, being caught off guard, etc.

    Step 3.8 – Improve professional skills

    Build and maintain relationships

    Relationship building and networking cannot be overvalued. VMI personnel interact with many areas and people throughout the organization, and good relationships are essential. Building and maintaining relationships requires hard work and focusing on the right items. Although there isn’t a scientific formula or a mathematical equation to follow, key elements are present in all durable relationships.

    Focus on building relationships at all levels within your organization. People at every level may have data or information you need, and your relationship with them may be the deciding factor in whether you get the information or not. At other times, you will have data and information to give, and the relationship may determine how receptive others are to your message. Some relationship fundamentals are provided below and continue on the next page.1,2

    • Trust: be honest and ethical and follow through on your commitments.
    • Diversity: build relationships with people who aren’t just like you to expand your mindset.
    • Interrelatedness: understand how what you do impacts others you have relationships with.
    • Varied interaction: a good relationship will incorporate work-related interactions with personal interactions.
    • Effective communication: combine methods of communication but focus on the other person’s preferred method.
    1 ”Seven Characteristics of Successful Work Relationships,” 2006. 2 Success.com, 2022.

    Step 3.8 – Improve professional skills

    Build and maintain relationships (continued)

    • Empathy – understand where the other person is coming from through active listening.
    • Vulnerability – create a judgment-free zone.
    • Respect – this must be given and earned.
    • Real face time – meeting in the offline world signals to the person that they are important (but this is not always possible today).
    • A giving-first mentality – provide something of value before asking for something in return.
    • Unique perspective – tap into what the other person believes and values.
    • Intent – start with genuine interest in the other person and the relationship.
    • Hard work – active engagement and a commitment to the relationship are required.
    • Honesty – be honest in your communications.
    • Challenge – be open to thinking differently and trying new things.
    • Value – identify what you add to the relationship.
    • Conscientiousness – be aware of the relationship’s status and react accordingly.

    Step 3.8 – Improve professional skills

    Run meetings more efficiently and effectively

    Most people don’t get excited about meetings, but they are an important tool in the toolbox. Unfortunately, many meetings are unnecessary and unproductive. As a result, meeting invites often elicit an audible groan from invitees. Eliminating meetings completely is not a practical solution, which leaves one other option: improving them.

    You may not be in charge of every meeting, but when you are, you can improve their productivity and effectiveness by making a few modifications to your approach. Listed below are ten ideas for getting the most out of your meetings:*

    1. Begin with the mindset that you are a steward or protector of the meeting attendees’ time, and you never want attendees to feel that you wasted their time.
    2. Keep the attendee list to essential personnel only. Everyone attending the meeting should be able to justify their attendance (or you should be able to justify it).
    3. Set an appropriate time limit for the meeting. Don’t default to the 60-minute meeting; right-size the meeting time (e.g. 15, 30, or 45 minutes or some other number). Shorter meeting times force participants to focus.
    4. Create and use an agenda. To help you stay focused and to determine who to invite, set up the agenda as a list of questions rather than a list of topics.
    *Adapted from “The Surprising Science Behind Successful Remote Meetings” by Steven G. Rogelberg

    Step 3.8 – Improve professional skills

    Run meetings more efficiently and effectively (continued)

    5. Use video when anyone is attending virtually. This helps prevent anonymity and increases engagement.

    6. Start and end meetings on time. Running over impacts other meetings and commitments; it also makes you look ineffective and increases stress levels for attendees.

    7. If longer meetings are necessary, build in a short break or time for people to stand up and stretch. Don’t say, “If you need a break or to stand up during the meeting, feel free.” Make it a planned activity.

    8. Keep others engaged by facilitating and drawing specific people into the conversation; however, don’t ask people to contribute on topics that they know nothing about or ask generally if anyone has any comments.

    9. Leverage technology to help with the meeting; have someone monitor the chat for questions and concerns. However, the chat should not be for side conversations, memes, and other distractions.

    10. End the meeting with a short recap, and make sure everyone knows what was decided/accomplished, what next steps are, and which action items belong to which people.

    Step 3.8 – Improve professional skills

    Increase emotional intelligence

    Emotional intelligence (otherwise known as emotional intelligence quotient or EQ) is the ability to understand, use, and manage your own emotions in positive ways to relieve stress, communicate effectively, empathize with others, overcome challenges and defuse conflict.1 This is an important set of skills for working with vendors and internal personnel. Increasing your EQ will help you build better relationships and be seen as a valuable teammate…at all levels within your organization.

    Improving this skill dovetails with other skills discussed in this step 3.8, such as communication and diplomacy. Being well versed in the concepts of EQ won’t be enough. To improve requires a willingness to be open – open to feedback from others and open to new ideas. It also requires practice and patience. Change won’t happen overnight, but with some hard work and perseverance, your EQ can improve.

    There are many resources that can help you on your journey, and here are some tips to improve your EQ:2

    • Practice observing how you feel.
    • Pay attention to how you behave.
    • Learn to look at yourself objectively.
    • Understand what motivates you.
    • Acknowledge your emotional triggers.
    • Be interested in the subject matter.
    1 HelpGuide, 2022. 2 RocheMartin, 2022.

    Step 3.8 – Improve professional skills

    Increase emotional intelligence (continued)

    Tips to improve your EQ (continued from previous page):

    • It’s your choice how you react to a situation.
    • Listen without interruption, preconceptions, or skepticism; absorb their situation and consider how they are feeling before you react.
    • Try to be approachable and accessible.
    • Think about what’s happening from their perspective.
    • Cultivate a curiosity about strangers to understand different opinions, views, and values.
    • Acknowledge what people are saying to show you are actively listening.
    • Think about how you’re physically coming across with your body language, tone of voice, eye contact, and facial expressions.

    Things to avoid:1

    • Drama – don’t let others’ emotions affect or rule yours.
    • Complaining – don’t be a victim; do look for solutions.
    • Dwelling on the past – learn from the past and live in the present.
    • Selfishness – consider others’ needs, not just your own.
    • Being overly critical – understand the other person, then communicate the change you want to see.
    1 RocheMartin, 2022.

    Step 3.8 – Improve Professional Skills

    Use Influence and Persuasion to Benefit the VMI

    Skills such as influence and persuasion are important (even necessary) for vendor managers. (Don’t confuse this with the dark arts version – manipulation.) A good working definition is provided by the Center for Creative Leadership: Influence is the ability to affect the behavior of others in a particular direction, leveraging key tactics that involve, connect, and inspire them.* Influence and persuasion are not about strongarming or blackmailing someone to get your way. Influence and persuasion are about presenting issues, facts, examples, and other items in a way that moves people to align with your position. Sometimes you will be attempting to change a person’s mind, and other times you will be moving them from a neutral stance to agreeing to support your position.

    Building upon the basic communication skills discussed at the start of this step, there are some ways to improve your ability to influence and persuade others. Here are some suggestions to get you started:*

    1. Develop organizational intelligence – learn how your organization truly operates; identify the power brokers and their spheres of control and influence. Many failures to persuade and influence stem from not understanding who can help and how they can help (or hinder) your efforts. The most influential person in your organization may not be the person with the fancy title.
    2. Promote yourself and the team – don’t be afraid to step into the spotlight and demonstrate your knowledge and expertise. To be able to persuade and influence as and individual or a team, credibility must be established.
    * Center for Creative Leadership, 2020.

    Step 3.8 – Improve professional skills

    Use influence and persuasion to benefit the VMI (continued)

    3. Build and maintain trust – trust has two main components: competency and character. In item 2 on the previous page, competency trust was discussed from the perspective of knowledge and expertise. For character trust, you need to be viewed as being above reproach. You are honest and ethical; you follow through and honor your commitments. Once both types of trust are in place, eyes and ears will be open and more receptive to your messages. Bottom line: You can’t influence or persuade people if they don’t trust you.

    4. Grow and leverage networks – the workplace is a dynamic atmosphere, and it requires almost constant networking to ensure adequate contacts throughout the organization are maintained. Leveraging your network is an artform, and it must be used wisely. You don’t want to wear out your welcome by asking for assistance too often.

    As you prepare your plan to influence or persuade someone, ask yourself the following questions:*

    • Who am I attempting to influence?
    • What is the situation and how much support do I need?
    • Why do I need this person’s support for my idea?
    • What tactics can I use, and how can I establish rapport?
    • What responses do I anticipate?
    • What mutual points of agreement can I use?
    • How can I end on a positive note no matter what the outcome is?
    * Center for Creative Leadership, 2020.

    Step 3.9 – Expand professional knowledge

    Learn more about departments and functions tangential to the VMI

    To function in their roles, VMI personnel must be well versed in the concepts and terminology associated with vendor management. To be strategic and to develop relationships with other departments, divisions, agencies, and functional groups, VMI personnel must also be familiar with the concepts and terminology for functions outside the VMI. Although a deep dive is beyond the scope of this blueprint, understanding basic concepts within each of the topics below is critical:

    • Finance and accounting
    • Project management
    • Contracts and contract management
    • Procurement/sourcing
    • Change management
    • Conflict management
    • Account team dynamics

    It isn’t necessary to be an expert in these subjects, but VMI personnel must be able to talk with their peers intelligently. For example, a vendor manager needs to have a general background in contract terms and conditions to be able to discuss issues with legal, finance, procurement, and project management groups. A well-rounded and well-versed VMI team member can rise to the level of trusted advisor and internal strategic partner rather than wallowing in the operational or transactional world.

    Step 3.9 – Expand professional knowledge

    Understand finance and accounting basics

    Finance and accounting terms and concepts are commonplace in every organization. They are the main language of business – they are the way for-profit businesses keep score. Regardless of whether your organization is a for-profit, non-profit, governmental, or other entity, finance and accounting run through the veins of your organization as well. In addition to the customer side of the equation, there is the vendor side of the equation: Every vendor you deal with will be impacted financially by working with you.

    Having a good grasp of finance and accounting terms and concepts will improve your ability to negotiate, talk to finance and accounting personnel (internal and external), conduct ongoing due diligence on your critical vendors, review contracts, and evaluate vendor options, to name just a few of the benefits.

    The concepts listed on the following pages are some of the common terms applicable to finance and accounting. It is not intended to be an exhaustive list. Continue to learn about these concepts and identify others that allow you to grow professionally.

    Step 3.9 – Expand professional knowledge

    Understand finance and accounting basics (continued)

    Finance and accounting terms and concepts

    • Cash accounting vs. accrual accounting.
    • Fiscal year vs. calendar year.
    • Profit vs. cash flow.
    • Fixed expenses vs. variable expenses.
    • Capital expense (CapEx) vs. operating expense (OpEx).
    • Depreciation vs. amortization.
    • Payment upfront vs. payment in arrears.
    • Favorable (positive) variance vs. unfavorable (negative) variance.
    • Discretionary expense (cost/expenditure) vs. non-discretionary expense (cost/expenditure).
    • Income statement and its components.
    • Balance sheet and its components.

    Step 3.9 – Expand professional knowledge

    Understand finance and accounting basics (continued)

    Finance and accounting terms and concepts (cont’d)

    • Operating profit margin.
    • Net profit margin.
    • Return on assets.
    • Current ratio.
    • Quick ratio.
    • Debt-to-asset ratio.
    • Interest coverage.
    • Total asset turnover.
    • Receivables turnover.
    • Average collection period.
    • Inventory turnover.
    • Time value of money concept.
    • Future value (FV).
    • Present value (PV).
    • Net present value (NPV).
    • Cost of capital.
    • Internal rate of return (IRR).
    • Return on investment (ROI).
    • Payback (payback period or break even).

    Step 3.9 – Expand professional knowledge

    Understand project management basics

    The image contains a screenshot example of expanding professional knowledge.

    Whether your organization has a formal project management office (PMO) or not, project management practices are being used by those tasked with making sure software and software as a service implementations go smoothly, technology refreshes are rolled out without a hitch, and other major activities are successful. Listed below are some common competencies/skills used by project managers to make sure the job gets done right.

    1. Requirements – define the project’s goals, objectives, and requirements.
    2. Scope – develop, monitor, and manage the project’s scope.
    3. Time – develop and manage the timeline and determine the order (parallel and sequential) for the tasks and activities.
    4. Budget – create and manage the project budget and report on any variances.
    5. Resources – manage space, people, software, equipment, services, etc.
    6. Risk – identify, evaluate, monitor, and manage project risk.
    7. Change – manage updated requirements, changes to the scope, and modifications to the contract.
    8. Documentation – work with the project charter, open issue logs, meeting minutes, and various reports.
    9. Communication – communicate with vendor personnel and internal personnel, including stakeholders and executives as needed.
    10. Quality – ensure the deliverables and other work are acceptable and coordinate/conduct acceptance tests.

    Step 3.9 – Expand professional knowledge

    Understand project management basics (continued)

    The image contains a screenshot of understanding project management basics.

    The concepts listed below are common project management terms and concepts.1, 2 This list is not intended to be exhaustive. Look internally at your project management processes and operations to identify the concepts applicable in your environment and any that are missing from this list.
    • Project plan
    • Work breakdown structure (WBS)
    • Critical path
    • Project manager
    • Project stakeholder
    • Agile project
    • Waterfall project
    • Milestone
    • Deliverable
    • Dependency
    • Phase
    • Kickoff meeting
    • Project budget
    • Project timeline
    • Resource allocation
    • Project risk
    • Risk management
    • Risk owner
    • Issue log
    • Gantt chart
    1 nTask, 2019. 2 Whiz Labs, 2018.

    Step 3.9 – Expand professional knowledge

    Understand contracts and contract lifecycle management basics

    Contracts and contract lifecycle management (CLM) are two separate but related topics. It is possible to have contracts without a formal CLM process, but you can’t have CLM without contracts. This portion of step 3.9 provides some general background on each topic and points you to blueprints that cover each subject in more detail.

    IT contracts tend to be more complicated than other types of contracts due to intellectual property (IP) rights being associated with most IT contracts. As a result, it is necessary to have a basic understanding of IP and common IT contract provisions.

    There are four main areas of IP: copyrights, patents, trademarks, and trade secrets. Each has its own nuances, and people who don’t work with IP often mistake one for another or use the terms interchangeably. They are not interchangeable, and each affords a different type of protection when available (e.g. something may not be capable of being patented, but it can be copyrighted).

    For contract terms and conditions, vendor managers are best served by understanding both the business side and the legal side of the provisions. In addition, a good contract checklist will act as a memory jogger whether you are reviewing a contract or discussing one with legal or a vendor. For more information on contract provisions, checklists, and playbooks, download the Info-Tech blueprints identified to the left.

    Download the Info-Tech blueprint Understand Common IT Contract Provisions to Negotiate More Effectively

    Download the Info-Tech blueprint Improve Your Statements of Work to Hold Your Vendors Accountable

    Step 3.9 – Expand professional knowledge

    Understand contracts and contract lifecycle management basics (continued)

    CLM is a process that helps you manage your agreements from cradle to grave. A robust CLM process eases the challenges of managing hundreds or even thousands of contracts that affect the day-to-day business and could expose your organization to various types of vendor-related risk.

    Managing a few contracts through the contracting process is easy, but as the number of contracts grows, managing each step of the process for each contract becomes increasingly difficult and time consuming. That’s where CLM and CLM tools can help. Here is a high-level overview of the CLM process:

    1. Request – a request for a contract is initiated.
    2. Create contract – the contract is drafted by the customer or provided by the vendor.
    3. Review risk – areas of risk in the contract are identified.
    4. Approve – base agreement and attachments are approved and readied for negotiations.
    5. Negotiate – the agreement is negotiated and finalized.
    6. Sign – the agreement is signed or executed by the parties.
    7. Capture – the agreement is stored in a centralized repository.
    8. Manage – actively manage the operational and commitment aspects of the agreement.
    9. Monitor compliance – ensure that each party is honoring and complying with its obligations.
    10. Optimize – review the process and the contracts for potential improvements.

    For more information on CLM, download the Info-Tech blueprint identified to the left.

    Download the Info-Tech Blueprint Design and Build an Effective Contract Lifecycle Management Process

    Step 3.9 – Expand professional knowledge

    Understand procurement/sourcing basics

    Almost every organization has a procurement or sourcing department. Procurement/sourcing is often the gatekeeper of the processes used to buy equipment and services, lease equipment, license software, and acquire other items. There are many different types of procurement/sourcing departments and several points of maturity within each type. As a result, the general terms listed on the next page may or may not be applicable within your organization. (Or your organization may not have a procurement/sourcing department at all!)

    Identifying your organization’s procurement/sourcing structure is the best place to start. From there, you can determine which terms are applicable in your environment and dive deeper on the appropriate concepts as needed.

    Step 3.9 – Expand professional knowledge

    Understand procurement/sourcing basics (continued)

    Procurement sourcing terms and concepts

    • Hard dollar savings
    • Soft dollar savings
    • Cost avoidance
    • Value creation
    • Value created
    • Addressable spend
    • Spend addressed
    • Revenue creation
    • Category management
    • Category manager
    • Targeted negotiations
    • Indirect procurement/sourcing
    • Direct procurement/sourcing
    • Sourcing/procurement processes
    • Sourcing/procurement drivers and metrics
    • RFX (RFP, RFI, RFQ) processes
    • Forecasting value creation
    • Percentage of value creation to spend addressed
    • Category opportunity
    • Category plans
    • Center-led procurement/sourcing
    • Centralized procurement/sourcing
    • Decentralized procurement/sourcing

    Step 3.9 – Expand professional knowledge

    Understand conflict management basics

    Whether you consider conflict management a skill, knowledge, or something in between, there is no denying that vendor managers are often engaged to resolve conflicts and disputes. At times, the VMI will be a “disinterested third party,” sitting somewhere between the vendor and an internal department, line of business, agency, or other functional designation. The VMI also may be one of the parties involved in the dispute or conflict. As a result, a little knowledge and a push in the right direction will help you learn more about how to handle situations where two parties don’t agree.

    To begin with, there are four levels of “formal” dispute resolution. You may be intimately aware of all of them or only have cursory knowledge of how they work and the purpose they serve:

    • Negotiation
    • Mediation
    • Arbitration
    • Litigation

    Their use often can be controlled or limited either contractually or by your organization’s preferences. They may be exclusive or used in combination with one another (e.g. negotiation first, and if things aren’t resolved, arbitration). Look at your contracts and legal department for guidance. It’s important to understand when and how these tools are used and what is expected (if anything) from the VMI.

    Step 3.9 – Expand professional knowledge

    Understand conflict management basics (continued)

    The image contains a screenshot of The Thomas-Kilman Conflict Resolution Model.

    Another factor in the conflict management and informal dispute resolution process is the people component. Perhaps the most famous or well-known model on this topic is the Thomas-Kilmann conflict resolution model. It attempts to bring clarity to the five different personality types you may encounter when resolving differences. As the graphic indicates, it is not purely a black-and-white endeavor; it is comprised of various shades of grey.

    The framework presented by Mr. Thomas and Mr. Kilmann provides insights into how people behave and how to engage them based on personality characteristics and attributes. The model sorts people into one of five categories:

    • Avoiders.
    • Competitors.
    • Collaborators.
    • Accommodators.
    • Compromisers.

    Although it is not an absolute science since people are unpredictable at times, the Thomas-Kilmann model provides great insights into human behavior and ways to work with the personality types listed.

    *Kilmann Diagnostics, 2018.

    Step 3.9 – Expand professional knowledge

    Understand conflict management basics (continued)

    Although the topic is vastly greater than being presented here, the last consideration is a sound process to follow when the conflict or dispute will be handled informally (at least to start). The simple process presented below works with vendors, but it can be adapted to work with internal disputes as well. The following process assumes that the VMI is attempting to facilitate a dispute between an internal party and a vendor.

    Step 1. Validate the person and the issue being brought to you; don’t discount the person, their belief, or their issue. Show genuine interest and concern.

    Step 2. Gather and verify data; not all issues brought forward can be pursued or pursued as presented. For example, “The vendor is always late with its reports” may or may not be 100% accurate as presented.

    Step 3. Convert data gathered into useful and relatable information. To continue the prior example, you may find that the vendor was late with the reports on specified dates, and this can be converted into “the vendor was late with its reports 50% of the time during the last three months.”

    Step 3.9 – Expand professional knowledge

    Understand conflict management basics (continued)

    Step 4. Escalate findings internally to the appropriate stakeholders and executives as necessary so they are not blindsided if a vendor complains or goes around you and the process. In addition, they may want to get involved if it is a big issue, or they may tell you to get rid of it if it is a small issue.

    Step 5. Engage the vendor once you have your facts and present the issues without judgment. Ask the vendor to do its own fact gathering.

    Step 6. Schedule a meeting to review of the situation and hear the vendor’s version of the facts…they may align, or they may not.

    Step 7. Resolve any differences between your facts/information and the vendor’s. There may be extenuating circumstances, oversights, different data, or other items that come to light.

    Step 8. Attempt to resolve the problem and prevent further occurrences through root cause analysis and collaborative problem-solving techniques.

    Develop your own process and make sure it stays neutral. The process should not put the vendor (or any party) on the defensive. The process is to help the parties reach resolution…not to assign blame.

    Step 3.9 – Expand professional knowledge

    Understand account team management basics

    Working with the account or sales team from your critical vendors can be challenging. A basic understanding of account team operations and customer/vendor dynamics will go a long way to improving your interactions (and even vendor performance) over time.

    Sales basics

    • Salespeople are typically paid a base salary and a commission on each sale.
    • Salespeople have quotas that must be met; failure to meet the quota results in probation (at a minimum) or termination.
    • Salespeople sell what they are motivated to sell; the motivation comes in the way of contests, commissions, and recognition. The commission structure is not the same for every service or product sold by the vendor. In addition, incentives may be created to move old product, overstock, or new product (to name a few).
    • Salespeople have multiple goals when interacting with customers:
      • Sell
      • Gather information
      • Build a relationship
      • Get a reference
      • Obtain a reference
      • Increase the vendor’s footprint

    Step 3.9 – Expand professional knowledge

    Understand account team management basics (continued)

    Improving sales and account team dynamics with your organization

    • Conduct due diligence on your account team. Are they “qualified” to work with your account?
    • Set expectations with the account team for the ongoing relationship. Don’t leave it to chance.
    • Evaluate the sales and account teams at least annually. Get feedback from those who work closely with the salespeople and account managers, including stakeholders and executives.
    • Educate people internally about the sales process. At a minimum, counsel them to avoid giving away leverage, answering “damaging” questions, and disclosing confidential information.
    • Try to get involved early in the sales cycle. Sell your value to internal personnel.
    • Work to convert your account manager into your champion within the vendor. The salesperson can benefit by going to bat for you even though they work for the vendor. The commission structure often creates a split loyalty issue. Capitalize on it!
    • Watch out for high turnover. This can indicate a problem at the vendor OR your account is not that attractive/profitable. (See steps 2.2 and 3.1 regarding customer positioning.)

    Step 3.9 – Expand professional knowledge

    Understand account team management basics (continued)

    Improving sales and account team dynamics with your organization (continued)

    • Support effective sales reps by educating them on your organization, the best way to work with you, and the benefits of working with your processes. If they do something above and beyond, consider sending them a thank-you and copying their boss. Little things go a long way.
    • Control the sales process. Require qualified people from your organization to be invited to meetings; require an agenda for those meetings; and avoid “surprise” meetings (those meetings with limited notice and no agenda… "My boss is in town today, and I wanted to stop by and introduce her to you").
    • Don’t be afraid to request a new account manager. For your critical vendors, you should always be dealing with competent account teams. They should have the requisite knowledge of their products and services to be able to answer basic through intermediate questions; they should be ethical; and they should be responsive.
    • Build relationships beyond the salesperson or account manager. Develop a network that extends throughout the sales organization. (For example, the sales manager, sales director, and sales vice president at a minimum.) These people generally have more sway within the vendor organization and can get things done when the need arises.

    For more information on this topic, download the Info-Tech blueprint Evaluate Your Vendor Account Team to Optimize Vendor Relations.

    Step 3.10 – Create brand awareness

    Determine whether a brand makes sense for the VMI

    Branding isn’t just for companies. It is for departments (or whatever you call them at your place of employment) and individuals working in those departments. With a little work and even less money, you can create a meaningful brand for the VMI. While you are at it, you may want to encourage the VMI’s team members to focus a little attention on their personal brands since the VMI and its personnel are intertwined. First, let's define “brand.”

    Ask 50 people, “How do you define ‘brand’?” and you are likely to get 50 different answers. For the purposes of this blueprint, the following definition provides some guiderails by describing what a brand is and isn’t: “A brand is not a logo. A brand is not an identity. A brand is not a product. A brand is a person’s gut feeling about a product, service, or organization.”1 Let’s expand the definition of “a brand is…” to include departments and individuals since that’s the focus of this step, and it doesn’t violate the spirit of the original definition. A further expansion could include the goodwill associated with the product, service, organization, department, or individual.

    Dedicating time and other resources to proactively creating and nurturing the VMI’s brand has many advantages:

    • “If you don’t define your brand, others will.”2 This is your chance to define the VMI’s narrative and influence the perception others have of it.
    • It allows VMI team members to feel connected to the VMI’s vision and goals during their day-to-day activities.
    • It helps form an emotional connection between the VMI and your internal “clients.”
    • “Branding is a way of establishing and consistently reinforcing who you are and what you [do]…”2 Your brand helps you promote the VMI’s value and impact.
    1 Emotive Brand, 2019. 2 Forbes, 2018.

    Step 3.10 – Create brand awareness

    Establish the VMI’s brand and monitor it

    As you embark on creating a brand for the VMI and raising awareness, here are a few considerations to keep in mind:

    • Identify your mission.* Review the VMI’s mission statement and goals. Translate them into statements that connect with your internal clients.
    • Establish your unique value proposition.* What does the VMI provide to your internal clients that would make them go out of their way to use your services? How can you help them in ways others can’t?
    • Create your brand’s visual identity.* Can you create a logo for the VMI? Can you provide a consistent look and feel for the reports you generate and information you provide?
    • Increase brand recognition.* It takes time to build trust and establish a reputation. The same is true of creating a brand and increasing its recognition. Develop a plan for this rather than leaving it to chance.
    • Be consistent. Make sure your brand is consistent with the organization’s brand or at least doesn’t contradict it. The VMI’s brand is based on its values, mission, goals, and other items; these should complement the organization’s values, mission, goals, and other items.
    • Spread the word. Attend internal clients’ staff meetings, conduct lunch & learn sessions, send out a newsletter to ensure that your internal clients know who you are, what you do, and the impact you can make or have made. Make personal connections whenever possible.
    • Monitor your brand. It is not enough to create a brand and turn it loose unsupervised. Seek feedback on the VMI and its brand beyond the internal survey (step 3.11), and adjust your brand periodically as needed.
    * Stevens & Tate, 2019.

    Step 3.10 – Create brand awareness

    Enhance the brand of VMI team members

    As previously mentioned, brands are for individuals as well. In fact, everybody has a brand associated with them…for better or worse...whether they have consciously created and molded it or not. Focusing on the individual brand at this point offers the VMI and its team members the opportunity to enhance the brand for both. After all, the VMI is a reflection of its personnel.

    Here are some things VMI team members can do to enhance their brand:

    • Network internally beyond your immediate team.1 Get to know people and build relationships with others even if you don’t work directly or indirectly with them.
    • Say yes to relevant opportunities.1 Volunteer for projects where you can make an impact and let others see your value; it’s also a good way to build relationships beyond your immediate team.
    • Speak at a conference. According to Jeff Butler (author and TEDx speaker), “Speaking gets you that immediate credibility not only internally but also externally where other companies are now seeing you as an expert.” He also states that “speaking at … conferences is not only good for you but also good for your [organization].”1
    • Share your voice.1 Become a resource for bloggers, authors, and podcasters; consider blogging, writing, and podcasting. Remember not to disclose any proprietary or confidential information, though! Work with your legal and marketing departments before embarking on this path.
    • Set goals and monitor your progress. Track the number of times you are asked to speak or contribute to a blog, podcast, event, or article, and track the number of times you are mentioned or referenced in social media, blogs, articles, and podcasts.2
    1 Forbes, 2018. 2 Oberlo, 2022.

    3.10.1 – Create brand awareness

    30 – 90 Minutes

    1. Meet with the participants to review the information in Elevate – Tools and Templates Compendium – Tab 3.10. The worksheet is divided into two parts.
      1. Part 1 is for the VMI to use to create a brand, and
      2. Part 2 is for an individual VMI team member to create a brand.
    2. For Part 1, work as a team to answer the questions to begin identifying components of your brand awareness and building a strategy for the VMI's brand.
    3. For Part 2, individuals can work by themselves or with the team leader to answer the questions and set goals to help build an individual brand (if it is desirable).
    InputOutput
    • Elevate – Tools and Templates Compendium – Tab 3.10
    • Brainstorming
    • VMI brand framework
    • Individual VMI personnel brand framework
    MaterialsParticipants
    • Elevate – Tools and Templates Compendium – Tab 3.10
    • VMI team

    Download the Info-Tech Elevate - Tools and Templates Compendium

    Step 3.11 – Survey internal clients

    Gain insights and feedback from internal sources

    As you deploy your surveys, timing must be considered. For annual surveys, avoid busy seasons such as mid to late December (especially if your organization’s fiscal year is a calendar year). Give people time to recover from any November holidays, and survey them before they become distracted by December holidays (if possible). You may want to push the annual survey until January or February when things have settled back into a normal routine. Your needs for timing and obtaining the results must be balanced against the time constraints and other issues facing the potential respondents.

    For recency surveys, timing can work to your advantage or disadvantage. Send the survey almost immediately after providing assistance. If you wait more than a week or two, memories will begin to fade, and the results will trend toward the middle of the road.

    Regardless of whether it is an annual survey or a recency survey, distributing the surveys to a big enough sample size will be tough. Combine that with low response rates and the results may be skewed. Take what you can get and look for trends over time. Some people may be tough critics; if possible, send the survey to the same people (and incorporate new ones) to see if the tough graders’ responses are remaining true over time. Another way to mitigate some of the tough critics is to review their answers to the open-ended questions. For example, a tough grader may respond with a “4 – helpful” when you were expecting a “5 – very helpful;” the narrative portion of the survey may be consistent with that answer, or it may provide what you were looking for: “The VMI was great to work with on this project.” When confined to a scale, some respondents won’t give the top value/assessment no matter what, but they will sing your praises in a question that requires a narrative response. Taken together, you may get a slightly different picture – one that often favors you.

    Step 3.11 – Survey internal clients

    Gain insights and feedback from internal sources (continued)

    The image contains a screenshot of an example survey.

    After you have received a few responses to your surveys (recency and annual), review the results against your expectations and follow up with some of the respondents. Were the questions clear? Were the answer choices appropriate? Ultimately, you have to decide if the survey provided the meaningful feedback you were looking for. If not, revise the questions and answers choices as needed. (Keep in mind, you are not looking for “feelgood fluff.” You are looking for feedback that will reinforce what you are doing well and show areas for improvement.)

    Once you have the results, it’s time to share them with the executives and stakeholders. When creating a report, consider the following guidance:

    • Don’t just list the data; convert it to usable information.
    • When needed, provide some context and interpretation for the results. For example, if you have an internal goal or service level, indicate this and show how the results compare to the target (e.g. in a bar chart, insert a horizontal line and label it “target”).
    • Present the results on a question-by-question basis, but you may want to combine or aggregate results to provide meaningful information. For example, combine 21% responding with “doing a great job” and 62% responding with “doing a good job” into one statement of “83% of those surveyed said the VMI is doing a good job or doing a great job.”
    • Use an executive summary as an overview or to highlight the key findings, with the detailed data and information on subsequent pages for people who want to dive deeper.

    Step 3.12 – Calculate VMI ROI

    Identify and report the VMI’s value and impact on the organization

    Calculating ROI begins with establishing baselines: what is the current situation? Once those are established, you can begin tracking the impact made by the VMI by looking at the differences between the baseline and the end result. For example, if the VMI is tracking money saved, it is critical to know the baseline amounts (e.g. the initial quote from the vendor, the budgeted amount). If time is being measured, it is important to understand how much time was previously spent on items (e.g. vendor meetings to address concerns, RFPs).

    The blueprint Capture and Market the ROI of Your VMO will lead you through the process, but there are a couple of key things to remember: 1) some results will be quick and easy – the low-hanging fruit, things that have been ignored or not done well, eliminating waste, and streamlining inefficiencies; and 2) other things may take time to come to fruition. Be patient and make sure you work with finance or others to bring credibility to your calculations.

    When reporting the ROI, remember to include the results of the survey from step 3.11. They are not always quantifiable, but they help executives and stakeholders see the complete picture, and the stories or examples make the ROI “personal” to the organization.

    Reporting can be a challenge. VMIs often underestimate their value and don’t like self-promotion. While you don’t want to feel like you operate in justification mode, many eyes will be on the VMI. The ROI report helps validate and promote the VMI, and it helps build brand awareness for the VMI.

    Step 3.13 – Implement vendor recognition program

    Set your plan in motion

    As indicated in step 2.10, take a “crawl, walk, run” approach to your vendor recognition program. Start off small and grow the program over time. Based on the scope of the program, decide how you’ll announce and promote it. Work with marketing, IT, and others to ensure a consistent message, to leverage technology (e.g. your website), and to maximize awareness.

    For a formal program, you may want to hold a kickoff meeting to introduce the program internally and externally. The external kickoff can be handled in a variety of ways depending on available resources and the extent of the program. For example, a video can be produced and shared with eligible vendors, an email from the VMI or an executive can be used, or the program can be rolled out through BAMs if only BAM participants are eligible for the program. If you are taking an informal approach to the vendor recognition program, you may not need an external kickoff at all.

    For a formal program, collect information periodically throughout the year rather than waiting until the end of the year; however, some data may not be available or relevant until the end of the measurement period. For subjective criteria, the issue of recency may be an issue, and memories will fade over time. (Be careful the subjective portion doesn’t turn into a popularity contest.)

    If the vendor recognition program is not meeting your goals adequately, don’t be afraid to modify it or even scrap it. At some point, you may have to do a partial or total reboot of the program. Creating and maintaining a “lessons learned” document will make a reboot easier and better if it is necessary. Remember: While a vendor recognition program has many potential benefits, your main goals must be achieved or the program adds little or no value.

    Phase 4 - Review

    Ensure Your VMI Continues to Evolve

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Review and update existing Plan materials

    2.1 Vendor classification models

    2.2 Customer positioning model

    2.3 Two-way scorecards

    2.4 Performance improvement plan (PIP)

    2.5 Relationship improvement plan (RIP)

    2.6 Vendor-at-a-glance reports

    2.7 VMI personnel competency evaluation tool

    2.8 Internal feedback tool

    2.9 VMI ROI calculation

    2.10 Vendor recognition program

    3.1 Classify vendors and identify customer position

    3.2 Assess the relationship landscape

    3.3 Leverage two-way scorecards

    3.4 Implement PIPs and RIPs

    3.5 Gather market intelligence

    3.6 Generate vendor-at-a-glance reports

    3.7 Evaluate VMI personnel

    3.8 Improve professional skills

    3.9 Expand professional knowledge

    3.10 Create brand awareness

    3.11 Survey internal clients

    3.12 Calculate VMI ROI

    3.13 Implement vendor recognition program

    4.1 Investigate potential alliances

    4.2 Continue increasing the VMI’s strategic value

    4.3 Review and update

    This phase will walk you through the following activities:

    This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves. The main outcomes from this phase are ways to advance the VMI’s strategic impact.

    This phase involves the following participants:

    • VMI team
    • Applicable stakeholders and executives
    • Others as needed

    Phase 4 – Review

    Continue evolving the VMI and keep it up to date

    The emphasis of this final phase is on the VMI’s continued evolution.

    • First up is the concept of alliances. For a small number of vendors, your relationship has the ability to transcend to a different level. A collaborative, synergistic relationship can be achieved under the right circumstances.
    • Next, additional material on transforming the VMI from purely transactional to strategic is provided (along with some reminders from prior phases). To reach its full potential, the VMI must mature and evolve, but this won’t happen without the active management of a well-crafted plan. What got the VMI to this point won’t necessarily work to get you to the next point on the evolution scale.
    • Lastly, remember to stay vigilant about the review process. What is the VMI doing well? Where can it improve? What needs to change?

    Step 4.1 – Investigate potential alliances

    Understand what separates an alliance from a regular relationship

    Chances are you’ve seen a marketing or business alliance at work in your personal life. If you’ve visited a Target store or a Barnes and Noble store, you’ve more than likely walked past the Starbucks counter. The relationship is about more than the landlord-tenant agreement, and the same business concept can exist in non-retail settings. Although they may not be as common in the customer-IT vendor space, alliances can work here as well.

    Definition

    For vendor management purposes, an alliance is a symbiotic relationship between two parties where both benefit beyond the traditional transactional (i.e. buyer-seller) relationship.

    Characteristics

    • Each party remains independent; this is not a true partnership or joint venture from a legal perspective.
    • Each party obtains benefits they wouldn’t be able to obtain by themselves (or, at a minimum, the timeline is accelerated significantly).
    • The relationship is geared toward the long term, and each party contributes resources to achieve synergies.

    Step 4.1 – Investigate potential alliances

    Analyze benefits and risks for the alliance

    Benefits

    • Synergies
    • Innovations
    • Use of pooled resources
    • Access to different areas of expertise
    • Quicker development or improvement of products or services
    • Competitive advantages, new revenue streams, and new markets

    Risks

    • Cultural fit
    • Departing executives/sponsors
    • Return on investment pressures
    • Different interests or expectations
    • Failure to address intellectual property issues adequately
    • Lack of experience and process to manage the relationship

    Step 4.1 – Investigate potential alliances

    Set up the alliance for success

    Keys to success

    • Communicate transparently.
    • Ensure executive participation from both parties.
    • Establish a joint steering committee and alliance governances.
    • Set clear expectations and define what each party wants out of the alliance.
    • Create “alliance managers” in addition to vendor managers and project mangers.
    • Start with a small alliance; don’t go all-in on a big alliance the first time you try it.
    • Create an environment of trust and collaboration; the alliance goes beyond the contract.
    • Make sure both parties are happy with their contributions to and rewards from the alliance.

    The purpose of this step is not to make you an expert on alliances or to encourage you to rush out of your office, cubicle, bedroom, or other workspace looking for opportunities. The purpose is to familiarize you with the concepts, to encourage you to keep your eyes open, and to think about relationships from different angles. How will you make the most of your vendors’ expertise, resources, market, and other things they bring to the table?

    Step 4.2 – Continue increasing the VMI’s strategic value

    Grow the VMI’s impact over time

    Although they are not synonymous concepts, increasing the VMI’s maturity and increasing the VMI’s strategic value can go hand in hand. Evolving the VMI to be strategic allows the organization to receive the greatest benefit for its investment. This isn’t to say that all work the VMI does will be strategic. It will always live in two places – the transactional world and the strategic world – even when it is fully mature and operating strategically. Just like any job, there are transactional tasks and activities that must be done, and some of them are foundational elements for being strategic (e.g. conducting research, preparing reports, and classifying vendors). The VMI must evolve and become strategic for many reasons: staying in the transactional world limits the VMI’s contributions, results, influence and impact; team members will have less job satisfaction and enjoyment and lower salaries; ultimately, the justification for the VMI could disappear.

    To enhance the VMI’s (and, as applicable, its personnel’s) strategic value, continue:

    • Maturing the VMI and its personnel.
    • Building relationships internally and with the critical vendors (typically, high operational, high tactical, and strategic vendors under the COST model and valued and principal vendors under the MVP model).
    • Increasing your knowledge about vendor management and your critical vendors and their industries.
    • Saying yes to opportunities or volunteering for cross-functional teams that allow the VMI to showcase its abilities.
    • Increasing your knowledge of your organization, how it operates, the political environment, and anything else that will help the VMI provide information, insight, and guidance.
    • Learning about your industry and competitors (if applicable).

    Step 4.2 – Continue increasing the VMI’s strategic value

    Shift from transactional to strategic as much as possible

    Indicators of a transactional VMI:

    Indicators of a strategic VMI:

    • Exclusively reactive approach to operations
    • Focused exclusively on day-to-day operations
    • Internal clients are obligated to use the VMI due to policy
    • No perceived value-add; perceived as an administrative function
    • Left out of the RFP process or only have a limited role
    • Left out of the negotiation process or only have a limited role
    • VMI has a narrow reach and impact within the organization
    • Measure of value for the VMI is only quantitative
    • Metrics gathering without analysis and influential use
    • Personnel have limited skills, competencies, and knowledge
    • Proactive approach to operations
    • Focused on the big picture
    • Internal clients seek out or voluntarily consult the VMI
    • VMI is valued for its contributions and impact
    • Good relationships exist with vendors and stakeholders
    • Personnel possess high levels of skill, competency, and knowledge
    • VMI processes are integrated into the organization
    • VMI participates in business strategy development
    • VMI leads or is heavily involved in the RFP & negotiation processes
    • Relationship managers are assigned to all critical vendors
    • Measure of value for the VMI is quantitative and qualitative
    • Metrics are used to make and influence decisions/strategy

    Step 4.3 – Review and update

    Tap into the collective wisdom and experience of your team members

    The vendor management lifecycle is continuous and more chaotic than linear, but the chaos mostly stays within the boundaries of the “plan, build, run, and review” framework outlined in this blueprint and the blueprint Jump Start Your Vendor Management Initiative. Two of the goals of managing the lifecycle are: 1) to adapt to a changing world; and 2) to improve the VMI and its impact over time. To do this, keep following the guidance in this phase, but don’t forget about the direction provided in phase 4 of the blueprint Jump Start Your Vendor Management Initiative:

    • Review and assess compliance.
    • Compile and leverage lessons learned.
    • Focus on maintaining alignment internally.
    • Identify and incorporate leading practices.
    • Update governances.

    Info-Tech Insight

    Continue reviewing and updating the VMI’s risk footprint. Add risk categories and scope as needed (measurement, monitoring, and reporting). Review Info-Tech’s vendor management-based series of risk blueprints for further information (Identify and Manage Reputational Risk Impacts on Your Organization and others).

    Summary of Accomplishment

    Problem Solved

    It is easy for business owners to lose sight of things. There is a saying among entrepreneurs about remembering to work on the business rather than working exclusively in the business. For many entrepreneurs, it is easy to get lost in the day-to-day grind and to forget to look at the bigger picture. A VMI is like a business in that regard – it is easy to focus on the transactional work and lose sight of maturing or evolving the VMI. Don’t let this happen!

    Leverage the tools and templates from this blueprint and adapt them to your environment as needed. Unlike the blueprint Jump Start Your Vendor Management Initiative, some of the concepts presented here may take more time, resources, and evolution before you are ready to deploy them. Continue using the three-year roadmap and 90-day plans from the Jump Start Your Vendor Management Initiative blueprint, and add components from this blueprint when the time is right. The two blueprints are designed to work in concert as you move forward on your VMI journey.

    Lastly, focus on getting a little better each day, week, month, or year: better processes, better policies and procedures, better relationships with vendors, better relationships with internal clients, better planning, better anticipation, better research, better skills, competencies, and knowledge for team members, better communication, better value, and better impact. A little “better” goes a long way, and over time it becomes a lot better.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Jump Start Your Vendor Management Initiative

    IT (and the organization as a whole) are more reliant on vendors than ever before, and vendor management has become increasingly necessary to manage the relationships and manage the risks. Implementing a vendor management initiative is no longer a luxury...it is a necessity.

    Capture and Market the ROI of Your VMO

    Calculating the impact or value of a vendor management office (VMO) can be difficult without the right framework and tools. Let Info-Tech’s tools and templates help you account for the contributions made by your VMO.

    Evaluate Your Vendor Account Team to Optimize Vendor Relations

    Understanding your vendor team’s background, experience, and strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.

    Identify and Manage Financial Risk Impacts on Your Organization

    Vendors’ failure to perform, including security and compliance violations, can have significant financial consequences. Good vendor management practices help organizations understand the costs of those actions.

    Bibliography

    Amaresan, Swetha. “The 9 Most Important Survey Design Tips & Best Practices.” HubSpot. Accessed 13 July 2022.
    “Best Practices for Every Step of Survey Creation.” Survey Monkey. Accessed 13 July 2022.
    Brevig, Armand. ”Here Is a Quicker Way of Getting Better Supply Market Insights.” Procurement Cube, 30 July 2020. Accessed 19 May 2022.
    Cain, Elna. “9 Simple Ways on How to Improve Your Writing Skills.” Elna Cain, 20 Nov. 2018. Accessed 5 June 2020.
    Colwell, Tony. “How to Select Strategic Suppliers Part 1: Beware the Supplier's Perspective.” Accuity Consultants, 7 Feb 2012. Accessed 19 May 2022.
    “50 Tips for Improving Your Emotional Intelligence.” RocheMartin, 12 Jan. 2022. Accessed 25 July 2022.
    “4 Ways to Strengthen Your Ability to Influence Others.” Center for Creative Leadership, 24 Nov. 2020. Accessed 20 July 2022.
    Ferreira, Nicole Martins. “10 Personal Branding Tips That’ll Elevate Your Business In 2022.” Oberlo, 21 Mar. 2022. Accessed 24 May 2022.
    Gartlan, Dan. “4 Essential Brand Components.” Stevens & Tate, 25 Nov. 2019. Accessed 24 May 2022.
    Geller & Company. “World-Class Procurement — Increasing Profitability and Quality.” Spend Matters, 2003. Accessed 4 March 2022.
    Gumaste, Pavan. “50 Project Management Terms You Should Know.” Whiz Labs, 2018. Accessed 22 July 2022.
    Hertzberg, Karen. “How to Improve Writing Skills in 15 Easy Steps.” Grammarly, 15 June 2017. Accessed 5 June 2020.
    “Improving Emotional Intelligence (EQ).” HelpGuide, 2022. Accessed 25 July 2022.
    “ISG Index 4Q 2021.” Information Services Group, Inc., 2022. Web.
    Lehoczky, Etelka. “How To Improve Your Writing Skills At Work.” Forbes, 9 Mar. 2016. Accessed 5 June 2020.
    Liu, Joseph. “5 Ways To Build Your Personal Brand At Work.” Forbes, 30 Apr. 2018. Accessed 24 May 2022.
    Lloyd, Tracy. “Defining What a Brand Is: Why Is It So Hard?” Emotive Brand, 18 June 2019. Accessed 28 July 2022.
    Nielson, Megan. “The Basic Tenants of Diplomatic Communication.” Communiqué PR, 22 October 2020. Accessed 23 May 2022
    “Positioning Yourself in the Market.” New Zealand Ministry of Business, Innovation & Employment, 2021. Accessed 19 May 2022.
    Rogelberg, Steven G. “The Surprising Science Behind Successful Remote Meetings.” sloanreview.mit.edu. 21 May 2020. Accessed 19 July 2022.
    “Rule No 5: All Customers/Suppliers Have a Different Value to You.” newdawnpartners.com. Accessed 19 May 2022.

    Bibliography

    Shute, Benjamin. “Supplier Relationship Management: Is Bigger Always Better?” Comprara, 24 May 2015. Accessed 19 May 2022.
    Steele, Paul T. and Brian H. Court. Profitable Purchasing Strategies: A Manager's Guide for Improving Organizational Competitiveness Through the Skills of Purchasing. ‎ McGraw-Hill, 1996.
    “Take the Thomas-Kilmann Conflict Mode Instrument (TKI).” Kilmann Diagnostics, 2018. Accessed 20 Aug. 2020.
    Tallia, Alfred F. MD, MPH, et al. ”Seven Characteristics of Successful Work Relationships.” Fam Pract Manag. 2006 Jan;13(1):47-50.
    “The Art of Tact and Diplomacy.” skillsyouneed.com. Accessed 23 May 2022.
    “13 Key Traits of Strong Professional Relationships.” success.com. Accessed 4 Feb. 2022.
    Wilson, Fred. “Top 40 Project Management Terms and Concepts of 2022.” nTask, 25 Feb. 2019. Accessed 24 July 2022.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Buy Link or Shortcode: {j2store}386|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
    • Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.

    Our Advice

    Critical Insight

    • The cloud can be secure despite unique security threats.
    • Securing a cloud environment is a balancing act of who is responsible for meeting specific security requirements.
    • Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting a trusted cloud security provider (CSP) partner.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • Determine your balancing act between yourself and your CSP; through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prioritize security in the cloud, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine your cloud risk profile

    Determine your organization’s rationale for cloud adoption and what that means for your security obligations.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 1: Determine Your Cloud Risk Profile
    • Secure Cloud Usage Policy

    2. Identify your cloud security requirements

    Use the Cloud Security CAGI Tool to perform four unique assessments that will be used to identify secure cloud vendors.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 2: Identify Your Cloud Security Requirements
    • Cloud Security CAGI Tool

    3. Evaluate vendors from a security perspective

    Learn how to assess and communicate with cloud vendors with security in mind.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 3: Evaluate Vendors From a Security Perspective
    • IaaS and PaaS Service Level Agreement Template
    • SaaS Service Level Agreement Template
    • Cloud Security Communication Deck

    4. Implement your secure cloud program

    Turn your security requirements into specific tasks and develop your implementation roadmap.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 4: Implement Your Secure Cloud Program
    • Cloud Security Roadmap Tool

    5. Build a cloud security governance program

    Build the organizational structure of your cloud security governance program.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 5: Build a Cloud Security Governance Program
    • Cloud Security Governance Program Template
    [infographic]

    How to build a Service Desk Chatbot POC

    • Buy Link or Shortcode: {j2store}16|cart{/j2store}
    • Related Products: {j2store}16|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.7/10
    • member rating average dollars saved: 11,197
    • member rating average days saved: 8
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk

    The challenge

    Build a chatbot that creates value for your business

     

    • Ensure your chatbot meets your business needs.
    • Bring scalability to your customer service delivery in a cost-effective manner.
    • Measure your chatbot objectives with clear metrics.
    • Pre-determine your ticket categories to use during the proof of concept.

    Our advice

    Insight

    • Build your chatbot to create business value. Whether increasing service or resource efficiency, keep value creation in mind when making decisions with your proof of concept.

    Impact and results 

    • When implemented effectively, chatbots can help save costs, generate new revenue, and ultimately increase customer satisfaction for external and internal-facing customers.

    The roadmap

    Read our concise Executive Brief to find out why you building a chatbot proof of concept is a good idea, review our methodology, and understand the four ways we can support you to successfully complete this project. Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Start here

    Form your chatbot strategy.

    Build the right metrics to measure the success of your chatbot POC

    • Chatbot ROI Calculator (xls)
    • Chatbot POC Metrics Tool (xls)

    Build the foundation for your chatbot.

    Architect the chatbot to maximize business value

    • Chatbot Conversation Tree Library

    Continue to improve your chatbot.

    Now take your chatbot proof of concept to production

    • Chatbot POC RACI (doc)
    • Chatbot POC Implementation Roadmap (xls)
    • Chatbot POC Communication Plan (doc)Chatbot ROI Calculator (xls)

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    • Buy Link or Shortcode: {j2store}76|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Amid the pandemic-fueled surge in online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.
    • Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and the authorization required for B2B and B2C transactions, and in turn reducing their cost of operations and transferring their data risks.

    Our Advice

    Critical Insight

    • Limited / lack of understanding of the global digital ID ecosystem and its varying approaches across countries handicaps businesses in defining the benefits digital ID can bring to customer interactions and overall business management.
    • In addition, key obstacles exist in balancing customer privacy, data security, and regulatory requirements while pursuing excellent end-user experience and high customer adoption.
    • Info-Tech Insight: Focusing on customer touchpoints and transforming them are key to excellent experience and increasing their life-time value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Impact and Result

    • Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulating an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.
    • Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Navigate the Digital ID Ecosystem to Enhance Customer Experience Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard – Learn how to adopt Digital ID to drive benefits, enhance customer experience, improve efficiency, manage data risks, and uncover new opportunities.

    This research focuses on verified digital identity ecosystems and explores risks, opportunities, and challenges of relying on verified digital IDs and also how adopting digital identity initiatives can improve customer experience and operational efficiency. It covers:

  • Definition and dimensions of digital identity
  • Key responsibilities and principles of digital identity ecosystem
  • Success factors for digital identity adoption
  • Global evolution and unique approaches in Estonia, India, Canada, UK, and Australia
  • Industries that benefit most from digital ID development
  • Key use cases of digital ID
  • Benefits to governments, ID providers, ID consumers, and end users
  • Readiness checklist and ten steps to digital ID adoption
  • Risks and challenges of digital identity adoption
  • Key recommendations to realize potential of digital identity
  • Taxonomy and definitions of terms in the digital identity ecosystem
    • Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard
    • Familiarize Yourself With the Digital ID Ecosystem Taxonomy
    • Assess Your Digital ID Adoption Readiness

    Infographic

    Further reading

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    Beyond the hype: How it can help you become more customer-focused?

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Amid the pandemic-fueled surge of online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.

    Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and authorization required for B2B and B2C transactions.

    They still wonder if digital ID can help reduce cost of operations and transfer data risks.

    Limited or lack of understanding of the global Digital ID ecosystem and its varying approaches across countries handicap businesses in defining the potential benefits Digital ID can bring to customer interactions and overall business management.

    In addition, key obstacles exist in balancing customer privacy (including the right to be forgotten), data security, and regulatory requirements while pursuing desired end-user experience and high customer adoption.

    Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulate an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.

    Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Info-Tech Insight

    Focusing on customer touchpoints and transforming them is key to excellent user experience and increasing their lifetime value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Analyst Perspective

    Manish Jain.

    Manish Jain

    Principal Research Director

    Analyst Profile

    “I just believed. I believed that the technology would change people's lives. I believed putting real identity online - putting technology behind real identity - was the missing link.”

    - Sheryl Sandberg (Brockes, Emma. “Facebook’s Sheryl Sandberg: who are you calling bossy?” The Guardian, 5 April 2014)

    Sometimes dismissed as mere marketing gimmicks, digital identity initiatives are anything but. While some argue that any online credential is a "Digital ID," rendering the hype around it pointless, the truth is that a properly built digital ID ecosystem has the power to transform laggard economies into global digital powerhouses. Moreover, digital IDs can help businesses transfer some of their cybersecurity risks and unlock new revenue channels by enabling a foundation for secure and efficient value delivery.

    In addition, digital identity is crucial for digital and financial inclusion, simplifying onboarding processes and opening up new opportunities for previously underserved populations. For example, in India, the Aadhaar digital ID ecosystem brought over 481 million1 people into the formal economy by enabling access to financial services. Similarly, in Indonesia, the e-KIP digital ID program paved the way for 10 million new bank accounts, 94% of which were for women2.

    However, digital identity initiatives also come with valid concerns, such as the risk of a single point of failure and the potential to widen the digital divide.

    This research focuses on the verified digital identity ecosystem, exploring the risks, opportunities, and challenges organizations face relying on these verified digital IDs to know their customers before delivering value. By understanding and adopting digital identity initiatives, organizations can unlock their full potential and provide a seamless customer experience while ensuring operational efficiency.

    1 India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    2 Women’s World Banking, 2020.

    Digital Identity Ecosystem and vital ingredients of adoption

    Digital Identity Ecosystem.

    What is digital identity?

    Definitions may vary, depending on the focus.

    “Digital identity (ID) is a set of attributes that links a physical person with their online interactions. Digital ID refers to one’s online persona - an online footprint. It touches important aspects of one’s everyday life, from financial services to health care and beyond.” - DIACC Canada

    “Digital identity is a digital representation of a person. It enables them to prove who they are during interactions and transactions. They can use it online or in person.” - UK Digital Identity and Attributes Trust Framework

    “Digital identity is an electronic representation of an entity (person or other entity such as a business) and it allows people and other entities to be recognized online.” - Australia Trusted Digital Identity Framework

    A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity.

    Digital identity has many dimensions*, and in turn categories

    Trust

    • Verified (Govt. issued IDs)
    • Unverified (Email Id)

    Subject

    • Individual
    • Organization
    • Device
    • Service

    Usability

    • Single-purpose (Disposable)
    • Multi-purpose (Reusable)

    Provider

    • Sovereign Government
    • Provincial Government
    • Local Government
    • Public Organization
    • Private Organization
    • Self

    Jurisdiction

    • Global (Passport)
    • National (DL)
    • State/Provincial (Health Card)
    • Local (Voting Card)
    • Private (Social)

    Form

    • Physical Card
    • Virtual Identifier
    • Online/App Account
    • PKI Keys
    • Tokens

    Governance

    • Sovereign
    • Federated
    • Decentralized
    • Trust Framework -based
    • Self-sovereign

    Expiry

    • Permanent (Lifetime, Years)
    • Temporary (Minutes, Hours)
    • Revocable

    Usage Mode

    • online only
    • offline only
    • Online/offline

    Purpose

    • Authorization (driver’s license, passport, employment)
    • Authentication (birth certificate, social security number)
    • Activity Linking (preferences, habits, and priorities)
    • Historical Record (Resume, educational financial, health history)
    • Social Interactions (Social Media)
    • Machine Connectivity

    Info-Tech Insight

    Digital ID has taken different meanings for different people, serving different purposes in different environments. Based on various aspects of Digital Identification, it can be categorized in several types. However, most of the time when people refer to a form of identification as Digital ID, they refer to a verified id with built-in trust either from the government OR the eco-system.

    * Please refer to Taxonomy for the definition of each of the dimensions

    Understanding a digital identity ecosystem is key to formulating your approach to adopt it

    The image contains a screenshot of a digital identity ecosystem diagram.

    Info-Tech Insight

    Digital identity ecosystems comprise many entities playing different roles, and sometimes more than one. In addition, variations in approach by jurisdictions drive how many active players are in the ecosystem for that jurisdiction.

    For example, in countries like Estonia and India, government plays the role of trust and governance authority as well as ID provider, but didn’t start with any Digital ID wallet. In contrast, in Ukraine, Diia App is primarily a Digital ID Wallet. Similarly, in the US, different states are adopting private Digital ID Wallet providers like Apple.

    Digital ID ecosystem’s sustainability lies in the key principles it is built on

    Social, economic, and legal alignment with target stakeholders
    Transparent governance and operation
    Legally auditable and enforceable
    Robust and Resilient – High availability
    Security – At rest, in progress, and in transit
    Privacy and Control with users
    Omni-channel Convenience – User and Operations
    Minimum data transfer between entities
    Technical interoperability enabled through open standards and protocol
    Scalable and interoperable at policy level
    Cost effective – User and operations
    Inclusive and accessible

    Info-Tech Insight

    A transparent, resilient, and auditable digital ID system must be aligned with socio-economic realities of the target stakeholders. It not only respects their privacy and security of their data by minimizing the data transfer between entities, but also drives desired customer experience by providing an omni-channel, interoperable, scalable, and inclusive ecosystem while still being cost-effective for the collaborators.

    Source: Adapted from Canada PCTF, UK Trust framework, European Commission, Australia TDIF, and others

    Focus on key success factors to drive the digital ID adoption

    Digital ID success factors

    Legislative regulatory framework – Removes uncertainty
    Security & Privacy Assurance- builds trust
    Smooth user experience – Drives preferences
    Transparent ecosystem – Drives inclusivity
    Multi-channel – Drive consistent experience online / offline
    Inter-operability thorough open standards
    Digital literacy – Education and awareness
    Multi-purpose & reusable – Reduce consumer burden
    Collaborative ecosystem –Build network effect

    Source: Adapted from Canada PCTF, UK digital identity & attributes trust framework , European eIDAS, and others

    Info-Tech Insight

    Driving adoption of Digital ID requires affirmative actions from all ecosystem players including governing authorities, identity providers, and identity consumers (relying parties).

    These nine success factors can help drive sustainable adoption of the Digital ID.

    Among many responsibilities the ecosystem players have, identity governance is the key to sustainability

    • Digital identity provision
      • Creating identity attributes
      • Create a reusable identity and attribute service
      • Create a digital identity
      • Assess and manage quality of an identity and attributes
      • Making identity provision inclusive and accessible
    • Digital identity resolution
      • Enabling inclusive access to products and services through digital identity
      • Authenticate and authorize identity subjects before permitting access to their identity and attributes
    • Digital identity governance
      • Manage digital identity and attributes
      • Make Identity service interoperable, and sharable
      • Recover digital identity and attribute accounts
      • Notifying users on accessing identity or making changes on more attributes
      • Report and audit – exclusion, accessibility
      • Retiring an identity or attribute service
      • Respond to complaints and disputes
    • Enterprise risk management and governance
    The image contains a screenshot of a diagram to demonstrate how identity governance is the key to sustainability.
    • Privacy and security
      • Use encryption
      • Privacy compliance framework
      • Consumer Privacy Protection laws (CPPA, GDPR etc.)
      • Acquiring and managing user consents & agreements
      • Prohibited processing of personal data
      • Security controls and governance
    • Information management
      • Record management
      • Archival
      • Disposal (on expiry or to comply with regulations)
      • CIA (confidentiality, integrity, availability)
    • Fraud management
      • Fraud monitoring and reporting
      • Fraud intelligence and analysis
      • Sharing threat indicators
      • Legal, policies and procedures for fraud management
    • Incident response
      • Respond to fraud incidents
      • Respond to a service delivery incident
      • Responding to data breaches
      • Performing and participating in investigation

    Global evolution of digital ID is following the socio-economic aspirations of countries

    The image contains a screenshot of a graph that demonstrates global evolution of digital ID.

    Source: Adapted from the book: Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018

    Info-Tech Insight

    The world became global a long time ago; however, it sustained economic progress without digital IDs for most of the world's population.

    With the pandemic, when political rhetoric pointed to the demand for localized supply chains, economies became irreversibly digital. In this digital economy, the digital ID ecosystem is the fulcrum of sustainable growth.

    At a time in overlapping jurisdictions, multiple digital IDs can exist. For example, one is issued by a local municipality, one by the province, and another by the national government.

    Global footprint of digital ID is evolving rapidly, but varies in approach

    The image contains a screenshot of a Global footprint of digital ID.

    Info-Tech Insight

    Countries’ approach to the digital ID is rooted in their socio-economic environment and global aspirations.

    Emerging economies with large underserved populations prioritize fast implementation of digital ID through centralized systems.

    Developed economies with smaller populations, low trust in government, and established ID systems prioritize developing trust frameworks to drive decentralized full-scale implementation.

    There is no right way except the one which follows Digital ID principles and aligns with a country’s and its people’s aspirations.

    Estonia's e-identity is the key to its digital agenda 2030

    • Regulatory Body and Operational Governance: Estonian Information System Authority (RIA).
    • Identity Providers: Government of Estonia; Private sector doesn’t issue IDs but can leverage Digital ID ecosystem.
    • Decentralized Approach: Permissioned Blockchain Architecture with built-in data traceability implemented on KSI (Keyless Signature Infrastructure).
    • X-Road – Secure, interoperable open-source data exchange platform between collection point where Data is stored.
    • Digital Identity Form: e-ID
    • Key Use cases:
      • Financial, Telecom: e-KYC, e-Banking
      • Digital Authentication: ID Card, Mobile ID, Smart ID, Digital Signatures
      • E-governance: e-Voting, e-Residency, e-Services Registries, e-Business Register
      • Smart City and mobility: Freight Transportation, Passenger Mobility
      • Healthcare: e-Health Record, e-Prescription, e-Ambulance
    • ID-card
    • Smart ID
    • Mobile ID
    • e-Residency

    Uniqueness

    Estonia pioneered the digital ID implementation with a centralized approach and later transitioned to a decentralized ecosystem driving trust to attract non-citizens into Estonia’s digital economy.

    99% Of Estonian residents have an ID card enabling use of electronic ID

    1.4 B Digital signatures given (2021)

    99% Public Services available as e-Services

    17K+ Productive years saved (five working days/citizen/year saved accessing public services)

    25K E-resident companies contributed more than €32 million in tax

    *Source: https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf ;

    https://www.e-resident.gov.ee/dashboard

    The image contains a timeline of events from 2001-2020 for Estonia..

    India’s Aadhaar is the foundation of its digital journey through “India stack”

    • Regulatory Accountability and Operational Governance: Unique Identification Authority of India (UIDAI).
    • Identity Provider: Govt. of India.
    • Digital Identity Form: Physical and electronic ID Card; Online (Identifier + OTP), and offline (identifier + biometric) usage; mAadhaar App & Web Portal
    • India Stack: a set of open APIs and digital assets to leverage Aadhaar in identity, data, and payments at scale.
    • Key Use cases:
      • Financial, Telecom: eKYC, Unified Payments Interface (UPI)
      • Digital Wallet: Digi Locker
      • Digital Authentication: eSign, and Aadhaar Auth.
      • Public Welfare: Public Distribution of Service, Social Pension, Employment Guarantee
      • Public service access: Enrollment to School, Healthcare

    1.36B People enrolled

    80% Beneficiaries feel Aadhaar has made PDS, employment guarantee and social pensions more reliable

    91.6% Are very satisfied or somewhat satisfied with Aadhaar

    14B eKYC transactions done by 218 eKYC authentication agencies (KUA)

    Source: https://uidai.gov.in/aadhaar_dashboard/india.php; https://www.stateofaadhaar.in/

    World Bank Report on Private Sector Impacts from ID

    Uniqueness

    “The Aadhaar digital identity system could reduce onboarding costs for Indian firms from 1,500 rupees to as low as an estimated 10 rupees.”

    -World Bank Report on Private Sector Impacts from ID

    With lack of public trust in private sector, government brought in private sector executives in public ecosystem to lead the largest identity program globally and build the India stack to leverage the power of Digital Identity.

    The image contains a screenshot of India's Aadhaar timeline from 2009-2022.

    Ukraine’s Diia is a resilient act to preserve their identities during threat to their existence

    Regulatory Accountability and Operational Governance: Ministry of Digital Transformation.

    Identity provider: Federated govt. agencies.

    Digital identity form: Diia App & Portal as a digital wallet for all IDs including digital driving license.

    • Key use cases:
      • eGovernance – Issuing license and permits, business registration, vaccine certificates.
      • Public communication: air-raid alerts, notifications, court decisions and fines.
      • Financial, Telecom: KYC compliance, mobile donations.
      • eBusiness: Diia City legal framework for IT industry, Diia Business Portal for small and medium businesses.
      • Digital sharing and authentication: Diia signature and Diia QR.
      • Public service access: Diia Education Portal for digital education and digital skills development, healthcare.

    18.5M People downloaded the Diia app.

    14 Digital IDs provided by other ID providers are available through Diia.

    70 Government services are available through Diia.

    ~1M Private Entrepreneurs used Diia to register their companies.

    1300 Tons of paper estimated to be saved by reducing paper applications for new IDs and replacements.

    Source:

    • Ukraine Govt. Website for Invest and trade
    • Diia Case study prepared for the office of Canadian senator colin deacon.

    Uniqueness

    “One of the reasons for the Diia App's popularity is its focus on user experience. In September 2022, the Diia App simplified 25 public services and digitized 16 documents. The Ministry of Digital Transformation aims to make 100% of all public services available online by 2024.”

    - Vladyslava Aleksenko

    Project Lead—digital Identity, Ukraine

    The image contains a screenshot of the timeline for Diia.

    Canada’s PCTF (Pan Canadian Trust Framework) driving the federated digital identity ecosystem

    • Regulatory Accountability: Treasury Board of Canada Secretariat (TBS); Canadian Digital Service (CDS); Office of CIO
    • Standard Setting: Digital Identification and Authentication Council of Canada (DIACC)
    • Frameworks:
      • Treasury Board Directive on Identity Management
      • Pan Canadian Trust Framework (PCTF)
      • Voilà Verified Trustmark Program: ISO aligned compliance certification program on PCTF
      • Governing / Certificate Authority: Trustmark Oversight Board (TOB) and DIACC accredited assessor
      • Operational Governance: Federated between identity providers and identity consumers
      • Identity Providers: Public and Private Sector
      • Other entities involved: Digital ID Lab (Voila Verified Auditor); Kuma (Accredited Assessor)
    The image contains a screenshot of PCTF Components.

    82% People supportive of Digital ID.

    2/3 Canadians prefer public-private partnership for Pan-Canadian digital ID framework.

    >40% Canadians prefer completing various tasks and transactions digitally.

    75% Canadians are willing to share personal information for better experience.

    >80% Trust government, healthcare providers, and financial institutions with their personal information.

    Source: DIACC Survey 2021

    Uniqueness

    Although a few provinces in Canada started their Digital ID journey already, federally, Canada lacked an approach.

    Now Canada is developing a federated Digital ID ecosystem driven through the Pan-Canadian Trust Framework (PCTF) led by a non-profit (DIACC) formed with public and private partnership.

    The image contains a screenshot of Canada's PCTF timeline from 2002-2025.

    Australia’s digital id is pivotal to its vision to become one of the Top-3 digital governments globally by 2025*

    * Australia Digital Government Strategy 2021
    • Regulatory responsibility and standard: Digital Transformation Agency (DTA)’s Digital Identity
    • Operational support and oversight: Service Australia, Interim Oversight Authority (IOA).
    • Accredited identity providers (by 2022): Australian Taxation Office (ATO)’s myGovID, Australia Post’s Digital ID, MasterCard’s ID, OCR Labs App
    • Framework: Trusted Digital Identity Framework (TDIF)
      • Digital Identity Exchange
      • Identity Service Providers and Attribute Verification Service
      • Attribute Service Providers
      • Credential Service Providers
      • Relying Parties
    • Others: States such as NSW, Victoria, and Queensland have their own digital identity programs

    8.6M People using myGovID by Jun-2022

    117 Services accessible through Digital Id System

    The image contains a screenshot diagram of Digital Identity.

    Uniqueness

    Australia started its journey of Digital ID with a centralized Digital ID ecosystem.

    However, now it preparing to transition to a centrally governed Trust framework-based ecosystem expanding to private sector.

    The image contains a screenshot of Australia's Digital id timeline from 2014-2022.

    UK switches gear to the Trust Framework approach to build a public-private digital ID ecosystem

    • Government: Ministry of Digital Infrastructure / Department of Digital, Culture, Media, and Sport
    • Governing Body / Certificate Authority / Operational Governance: TBD
    • Approach: Trust Framework-based UK Digital Identity and attributes trust framework (UKDIATF)
    • Identity providers: Transitioning from “GOV.UK Verify” to a federated digital identity system aligned with “Trust Framework” – enabling both government (“One Login for Government”) and private sector identity providers.
    The image contains a screenshot of the Trust Framework.

    Uniqueness

    UK embarked its Digital ID journey through Gov.UK Verify but decided to scrap it recently.

    It is now preparing to build a trust framework-based federated digital ID ecosystem with roles like schema-owners and orchestration service providers for private sector and drive the collaboration between industry players.

    The image contains a screenshot of UK timeline from 2011-2023.

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Cross Industry

    Financial Services

    Insurance

    E-governance

    Healthcare & Lifesciences

    Travel and Tourism

    E-Commerce

    • Onboarding (customer, employee, patient, etc.)
    • Fraud-prevention (identity theft)
    • Availing restricted services (buying liquor)
    • Secure-sharing of credentials and qualifications (education, experience, gig worker)
    • For businesses, customer 360
    • For businesses, reliable data-driven decision making with lower frequency of ‘astroturfing’ (false identities) and ‘ballot-stuffing’ (duplicate identities)
    • Account opening
    • Asset transfer
    • Payments
    • For businesses, risk management - know your customer (KYC), anti-money laundering (AML), customer due diligence (CDD)
    • Insurance history
    • Insurance claim
    • Public distribution schemes (PDS)
    • Subsidy payments (direct to consumer)
    • Obtain government benefits (maternity, pension, employment guarantee / insurance payments)
    • Tax filing
    • Issuing credentials (birth certificate, passport)
    • Voting
    • For businesses, availing governments supports
    • For SMB businesses, easier regulatory compliance
    • Digital health
    • Out of state public healthcare
    • Secure access to health and diagnostic records
    • For businesses, data sharing between providers and with payers
    • Travel booking
    • Cross-border travel
    • Car rental
    • Secure peer-to-peer sales
    • Secure peer-to-peer sales

    USE CASE

    Car rental

    INDUSTRY: Travel & Tourism

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    Verifying the driver’s license (DL) is the first step a car rental company takes before handing over the keys.

    While the rental company only need to know the validity of the DL and if it belongs to the presenter, is bears the liability of much more data presented to them through the DL.

    For customers, it is impossible to rent a car if they forget their DL. If the customer has their driver’s license, they compromise their privacy and security as they hand over their license to the representative.

    The process is not only time consuming, it also creates unnecessary risks to both the business and the renter.

    A digital id-based rental process allows the renter to present the digital id online or in person.

    As the customer approaches the car rental they present their digital id on the mobile app, which has already authenticated the presenter though the biometrics or other credentials.

    The customer selects the purpose of the business as “Car Rental”, and only the customer’s name, photo, and validity of the DL appear on the screen for the representative to see (selective disclosures).

    If the car pick-up is online, only this information is shared with the car rental company, which in turn shares the car and key location with the renter.

    A digital identity-based identity verification can ensure a rental company has access to the minimum data it needs to comply with local laws, which in turn reduces its data leak risk.

    It also reduces customer risks linked to forgetting the DL, and data privacy.

    Digital identity also reduces the risk originated from identity fraud leading to stolen cars.

    USE CASE

    e-Governance public distribution service

    INDUSTRY: Government

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    In both emerging and developed economies, public distribution of resources – food, subsidies, or cash – is a critical process through which many people (especially from marginalized sections) survive on.

    They often either don’t have required valid proof of identity or fall prey to low-level corruption when someone defrauds them by claiming the benefit.

    As a result, they either completely miss out on claiming government-provided social benefits OR only receive a part of what they are eligible for.

    A Digital ID based public distribution can help created a Direct Benefit Transfer ecosystem.

    Here beneficiaries register (manually OR automatically from other government records) for the benefits they are eligible for.

    On the specific schedule, they receive their benefit – monetary benefit in their bank accounts, and non-cash benefits, in person from authorized points-of-sales (POS), without any middleman with discretionary decision powers on the distribution.

    India launched its Financial Inclusion Program (Prime Minister's Public Finance Scheme) in 2014.

    The program was linked with India’s Digital Id Aadhaar to smoothen the otherwise bureaucratic and discretionary process for opening a bank account.

    In last eight years, ~481M (Source: PMJDY) beneficiaries have opened a bank account and deposited ~ ₹1.9Trillion (USD$24B), a part of which came as social benefits directly deposited to these accounts from the government of India.

    USE CASE

    Real-estate investment and sale

    INDUSTRY: Asset Management

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    “Impersonators posing as homeowners linked to 32 property fraud cases in Ontario and B.C.” – Global News Canada1

    “The level of fraud in the UK is such that it is now a national security threat” – UK Finance Lobby Group2

    Real estate is the most expensive investment people make in their lives. However, lately it has become a soft target for title fraud. Fraudsters steal the title to one’s home and sell it or apply for a new mortgage against it.

    At the root cause of these fraud are usually identity theft when a fraudster steals someone’s identity and impersonates them as the title owner.

    Digital identity tagged to the home ownership / title record can reduce the identity fraud in title transfer.

    When a person wants to sell their house OR apply for a new mortgage on house, multiple notifications will be triggered to their contact attributes on digital ID – phone, email, postal address, and digital ID Wallet, if applicable.

    The homeowner will be mandated to authorize the transaction on at least two channels they had set as preferred, to ensure that the transaction has the consent of the registered homeowner.

    This process will stop any fraud transactions until at least two modes are compromised.

    Even if two modes are compromised, the real homeowner will receive the notification on offline communication modes, and they can then alert the institution or lawyer to block the transaction.

    It will especially help elderly people, who are more prone to fall prey to identity frauds when somebody uses their IDs to impersonate them.

    1 Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)

    2 UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf)

    Adopting digital ID benefits everybody – governments, id providers, id consumers, and end users

    Governments & identity providers

    (public & private)

    Customers and end users

    (subjects)

    Identity consumer

    (relying parties)

    • Growth in GDP
    • Save costs of providing identity
    • Unlock new revenue source by economic expansion
    • Choice and convenience
    • Control of what data is shared
    • Experience driven by simplicity and data minimalization
    • Reduced cost of availing services
    • Operational efficiency
    • Overall cost efficiency of delivering service and products
    • Reduce risk of potential litigation
    • Reduce risk of fraud
    • Enhanced customer experience leading to increased lifetime value
    • Streamlined storage and access
    • Encourage innovation

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Governments and identity providers (public and private)

    • Growth in GDP by reducing bureaucracy and discretion from the governance processes.
      • As per a McKinsey report, digital ID could unlock the economic value equivalent of 3%-13% of GDP across seven focus countries (Brazil, Ethiopia, India, Nigeria, China, UK, USA) in 2030.
      • “Estonia saves two percent of GDP by signing things digitally; imagine if it could go global.” - aavi Rõivas, Prime Minister of the Republic of Estonia (International Peace Institute)
    • Unlock new revenue source by economic expansion.
      • Estonia earned €32 million in tax revenue from e-resident companies (e-Estonia).
    • Save costs of providing identity in collaboration with 3rd parties and reduce fraud.
      • Canada estimates savings of $482 million for provincial and federal governments, and $4.5 billion for private sector organizations through digital id adoption (2022 Budget Statement).

    Digital ID brings end users choice, convenience, control, and cost-saving, driving overall experience

    Customers and end users (subjects)

    • Choice: Citizens have the choice and convenience to interact safely and conveniently online and offline.
    • Convenience: No compulsion to make physical trips to access service, as end users can identify themselves safely and reliably online, as they do offline.
    • Control: A decentralized, privacy enhancing solution – neither government nor private companies control your digital ID. How and when you use digital ID is entirely up to you.
    • Cost Saving: Save costs of availing service by reducing the offline documentation.
    • Experience: Improved experience while availing service without a need to present multiple documents every time.

    Digital id benefits identity consumers by enhancing multiple dimensions of their value streams

    Identity consumer (relying parties)

    • Operational efficiency: Eliminating unnecessary steps and irrelevant data from the value stream increases overall operational efficiency.
    • Cost efficiency: Helps businesses to reduce overall cost of operations like regulatory requirements.
      • World Bank estimated that the Aadhaar could reduce onboarding costs for Indian firms from ₹1,500/- ($23) to as low as an estimated ₹10/- ($0.15) (*World Bank ID4D)
    • Reduce risk of potential litigation issues: Encourage data minimization.
    • Privacy and security: Businesses can reduce the risk of fraud to organizations and users and can significantly boost the privacy and security of their IT assets.
    • Enhanced customer experience: The decrease in the number of touchpoints and faster turnaround.
    • Streamlined storage and access: Store all available data in a single place, and when required.
    • Encourage innovation: Reduce efforts required in authentication and authorization of users.

    Before embarking on the digital identity adoption journey, assess your readiness

    Legislative coverage

    Does your target jurisdiction have adequate legislative framework to enable uses of digital identities in your industry?

    Trust framework

    If the Digital ID ecosystem in your target jurisdiction is trust framework-based, do you have adequate understanding of it?

    Customer touch-points

    Do you have exact understanding of value stream and customer touch-points where you interact with user identity?

    Relevant identity attributes

    Do you have exact understanding of the identity attributes that your business processes need to deliver customer value?

    Regulatory compliance

    Do you have required systems to ensure your compliance with industry regulations around customer PII and identity?

    Interoperability with IMS

    Is your existing identity management system interoperable with Open-source Digital Identity ecosystem?

    Enterprise governance

    Have you established an integrated enterprise governance framework covering business processes, technical systems, and risk management?

    Communication strategy

    Do have a clear strategy (mode, method, means) to communicate with your target customer and persuade them to adopt digital identity?

    Security operations center

    Do you have security operations center coordinating detection, response, resolution, and communication of potential data breaches?

    Ten steps to adopt to enhance the customer experience

    Considering the complexity of digital identity adoption, and its impact on customer experience, it is vital to assess the ecosystem and adopt an MVP approach before a big-bang launch.

    Diagram to help assess the ecosystem.

    1. Define the use case and identify the customer touchpoint in the value stream which can be improved with a verified digital identity.
    2. Ensure your organization is ready to adopt digital identity (Refer to Digital identity adoption readiness),
    3. Identify an Identity Service Provider (Government, private sector), if there are options.
    4. Understand its technical requirements and assess, to the finer detail, your technical landscape for interoperability.
    5. Set-up a business contract for terms of usages and liabilities.
    6. Create and execute a Minimum Viable Program (MVP) of integration which can be tested with real customers.
    7. Extend MVP to the complete solution and define key success metrics.
    8. Canary-launch with a segment of target customers before a full launch.
    9. Educate customers on the usages and benefits, and adapt your communication plan taking feedback
    10. Monitor and continuously improve the solution based on the feedback from ecosystem partners and end-customers, and regulatory changes.

    Understand and manage the risks and challenges of digital identity adoption

    Digital ID adoption is a major change for everyone in the ecosystem.

    Manage associated risks to avoid the derailing of integration with your business processes and a negative impact on customer experience.

    Manage Risks.

    1. Privacy and security risks – Customer’s sensitive data may get centralized with the identity provider.
    2. Single point of failure while relying a specific IDs; it also increases the impact of identity theft and fraud risk.
    3. Centralization and control risks – Identity provider or identity service broker / orchestrator may control who can participate.
    4. Not universal, interoperability risks – if purpose-specific.
    5. Impact omni-channel experience - Not always available (legal / printable) for offline use.
    6. Exclusion and discrimination risks – Specific data requirements may exclude a group of people.
    7. Scope for misuse and misinterpretation if compromised and not reclaimed in timely manner.
    8. Adoption and usability risks – Subjects / relying parties may not see benefit due to lack of awareness or suspicion.
    9. Liability Agreement gaps between identity provider and identity consumer (relying party).

    Recommendations to help you realize the potential of digital identity into your value streams

    1

    Customer-centricity

    Digital identity initiative should prioritize customer experience when evaluating its fit in the value stream. Adopting it should not sacrifice end-user experience to gain a few brownie points.

    See Info-Tech’s Adopt Design Thinking in Your Organization blueprint, to ensure customer remains at the center of your Digital Adoption initiative.

    2

    Privacy and security

    Adopting digital identity reduces data risk by minimizing data transfer between providers and consumers. However, securing identity attributes in value streams still requires strengthening enterprise security systems and processes.

    See Info-Tech’s Assess and Govern Identity Security blueprint for the actions you may take to secure and govern digital identity.

    3

    Inclusion and awareness

    Adopting digital identity may alter customer interaction with an organization. To avoid excluding target customer segments, design digital identity accordingly. Educating and informing customers about the changes can facilitate faster adoption.

    See Info-Tech’s Social Media blueprint and IT Diversity & Inclusion Tactics to make inclusion and awareness part of digital adoption

    4

    Quantitative success metrics

    To measure the success of a digital ID adoption program, it's essential to use quantitative metrics that align with business KPIs. Some measurable KPIs may include:

    • Reduction in number of IDs business used to serve 90% of customers
    • Reduction in overall cost of operation
      • Reduction in cost of user authentication
    • Reduction in process cycle time (less time required to complete a task – e.g. KYC)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Attributes: An identity attribute is a statement or information about a specific aspect of entity’s identity ,substantiating they are who they claim to be, own, or have.

    Attribute (or Credential) provider: An attribute or credential provider could be an organization which issues the primary attribute or credential to a subject or entity. They are also responsible for identity-attribute binding, credential maintenance, suspension, recovery, and authentication.

    Attribute (or Credential) service provider: An attribute service provider could be an organization which originally vetted user’s credentials and certified a specific attribute of their identity. It could also be a software, such as digital wallet, which can store and share a user’s attribute with a third party once consented by the user. (Source: UK Govt. Trust Framework)

    Attribute binding: This is a process an attribute service providers uses to link the attributes they created to a person or an organization through an identifier. This process makes attributes useful and valuable for other entities using these attributes. For example, when a new employee joins a company, they are given a unique employee number (an identifier), which links the person with their job title and other aspects (attributes) of his job. (Source: UK Govt. Trust Framework)

    Authentication service provider: An organization which is responsible for creating and managing authenticators and their lifecycle (issuance, suspension, recovery, maintenance, revocation, and destruction of authenticators). (Source: DIACC)

    Authenticator: Information or biometric characteristics under the control of an individual that is a specific instance of something the subject has, knows, or does. E.g. private signing keys, user passwords, or biometrics like face, fingerprints. (Source: Canada PCTF)

    Authentication (identity verification): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Authorization: The process of validating if the authenticated entity has permission to access a resource (service or product).

    Biometrics attributes: Human attributes like retina (iris), fingerprint, heartbeat, facial, handprint, thumbprint, voice print.

    Centralized identity: Digital identities which are fully governed by a centralized government entity. It may have enrollment or registration agencies, private or public sector, to issue the identities, and the technical system may still be decentralized to keep data federated.

    Certificate Authority (CA or accredited assessors): An organization or an entity that conducts assessments to validate the framework compliance of identity or attribute providers (such as websites, email addresses, companies, or individual persons) serving other users, and binding them to cryptographic keys through the issuance of electronic documents known as digital certificates.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Collective (non-resolvable) attributes: Nationality, domicile, citizenship, immigration status, age group, disability, income group, membership, (outstanding) credit limit, credit score range.

    Contextual identity: A type of identity which establishes an entity’s existence in a specific context – real or virtual. These can be issued by public or private identity providers and are governed by the organizational policies. E.g. employee ID, membership ID, social media ID, machine ID.

    Credentials: A physical or a digital representation of something that establishes an entity’s eligibility to do something for which it is seeking permission, or an association/affiliation with another, generally well-known entity. E.g. Passport, DL, password. In the context of Digital Identity, every identity needs to be attached with a credential to ensure that the subject of the identity can control how and by whom that identity can be used.

    Cryptographic hash function: A hash function is a one-directional mathematical operation performed on a message of any length to get a unique, deterministic, and fixed size numerical string (the hash) which can’t be reverse engineered to get the input data without deploying disproportionate resources. It is the foundation of modern security solutions in DLT / blockchain as they help in verifying the integrity and authenticity of the message.

    Decentralized identity (DID) or self-sovereign identity: This is a way to give back the control of identity to the subject whose identity it is, using an identity wallet in which they collect verified information about themselves from certified issuers (such as the government). By controlling what information is shared from the wallet to requesting third parties (e.g. when registering for a new online service), the user can better manage their privacy, such as only presenting proof that they’re over 18 without needing to reveal their date of birth. Source: (https://www.gsma.com/identity/decentralised-identity)

    Digital identity wallet: A type of digital wallet refers to a secure, trusted software applications (native mobile app, mobile web apps, or Rivas-hosted web applications) based on common standards, allowing a user to store and use their identity attributes, identifiers, and other credentials without loosing or sharing control of them. This is different than Digital Payment Wallets used for financial transactions. (Source: https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf)

    Digital identity: A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity. E.g. Estonia eID , India Aadhar, digital citizenship ID.

    Digital object architecture: DOA is an open architecture for interoperability among various information systems, including ID wallets, identity providers, and consumers. It focuses on digital objects and comprises three core components: the identifier/resolution system, the repository system, and the registry system. There are also two protocols that connect these components. (Source: dona.net)

    Digital signature: A digital signature is an electronic, encrypted stamp of authentication on digital information such as email messages, macros, or electronic documents. A signature confirms that the information originated from the signer and has not been altered. (Source: Microsoft)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Entity (or Subject): In the context of identity, an entity is a person, group, object, or a machine whose claims need to be ascertained and identity needs to be established before his request for a service or products can be fulfilled. An entity can also be referred to as a subject whose identity needs to be ascertained before delivering a service.

    Expiry: This is another dimension of an identity and determines the validity of an ID. Most of the identities are longer term, but there can be a few like digital tokens and URLs which can be issued for a few hours or even minutes. There are some which can be revoked after a pre-condition is met.

    Federated identity: Federated identity is an agreement between two organizations about the definition and use of identity attributes and identifiers of a consumer entity requesting a service. If successful, it allows a consumer entity to get authenticated by one organization (identity provider) and then authorized by another organization. E.g. accessing a third-party website using Google credentials.

    Foundational identity: A type of identity which establishes an entity’s existence in the real world. These are generally issued by public sector / government agencies, governed by a legal farmwork within a jurisdiction, and are widely accepted at least in that jurisdiction. E.g. birth certificate, citizenship certificate.

    Governance: This is a dimension of identity that covers the governance model for a digital ID ecosystem. While traditionally it has been under the sovereign government or a federated structure, in recent times, it has been decentralized through DLT technologies or trust-framework based. It can also be self-sovereign, where individuals fully control their data and ID attributes.

    Identifier: A digital identifier is a string of characters that uniquely represents an entity’s identity in a specific context and scope even if one or more identity attributes of the subject change over time. E.g. driver’s license, SSN, SIN, email ID, digital token, user ID, device ID, cookie ID.

    Identity: An identity is an instrument used by an entity to provide the required information about itself to another entity in order to avail a service, access a resource, or exercise a privilege. An identity formed by 1-n identity attributes and a unique identifier.

    Identity and access management (IAM): IAM is a set of frameworks, technologies, and processes to enable the creation, maintenance, and use of digital identity, ensuring that the right people gain access to the right materials and records at the right time. (Source: https://iam.harvard.edu/)

    Identity consumer (Relying party): An organization, or an entity relying on identity provider to mitigate IT risks around knowing its customers before delivering the end-user value (product/service) without deteriorating end-user experience. E.g. Canada Revenue Agency using SecureKey service and relying on Banking institutions to authenticate users; Telecom service providers in India relying on Aadhaar identity system to authenticate the customer's identity.

    Identity form: A dimension of identity that defines its forms depending on the scope it wants to serve. It can be a physical card for offline uses, a virtual identifier like a number, or an app/account with multiple identity attributes. Cryptographic keys and tokens can also be forms of identity.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Identity infrastructure provider: Organizations involved in creating and maintaining technological infrastructure required to manage the lifecycle of digital identities, attributes, and credentials. They implement functions like security, privacy, resiliency, and user experience as specified in the digital identity policy and trust framework.

    Identity proofing: A process of asserting the identification of a subject at a useful identity assurance level when the subject provides evidence to a credential service provider (CSP), reliably identifying themselves. (Source: NIST Special Publication 800-63A)

    Identity provider (Attestation authority): An organization or an entity validating the foundation or contextual claims of a subject and establishing identifier(s) for a subject. E.g. DMV (US) and MTA (Canada) issuing drivers’ licenses; Google / Facebook issuing authentication tokens for their users logging in on other websites.

    Identity validation: The process of confirming or denying the accuracy of identity information of a subject as established by an authorized party. It doesn’t ensure that the presenter is using their own identity.

    Identity verification (Authentication): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Internationalized resource identifier (IRI): IRIs are equivalent to URIs except that IRIs also allow non-ascii characters in the address space, while URIs only allow us-ascii encoding. (Source: w3.org)

    Jurisdiction: A dimension of identity that covers the physical area or virtual space where an identity is legally acceptable for the purpose defined under law. It can be global, like it is for passport, or it can be local within a municipality for specific services. For unverified digital IDs, it can be the social network.

    Multi-factor Authentication (MFA): Multi-factor authentication is a layered approach to securing digital assets (data and applications), where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. These factors can be a combination of (i) something you know like a password/PIN; (ii) something you have like a token on mobile device; and (iii) something you are like a biometric. (Adapted from https://www.cisa.gov/publication/multi-factor-authentication-mfa)

    Oauth (Open authorization): OAuth is a standard authorization protocol and used for access delegation. It allows internet users to access websites by using credentials managed by a third-party authorization server / Identity Provider. It is designed for HTTP and allows access tokens to be issued by an authorization server to third-party websites. E.g. Google, Facebook, Twitter, LinkedIn use Oauth to delegate access.

    OpenID: OpenID is a Web Authentication Protocol and implements reliance authentication mechanism. It facilitates the functioning of federated identity by allowing a user to use an existing account (e.g. Google, Facebook, Yahoo) to sign into third-party websites without needing to create new credentials. (Source: https://openid.net/).

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Personally identifiable information (PII): PII is a set of attributes which can be used, through direct or indirect means, to infer the real-world identity of the individual whose information is input. E.g. National ID (SSN/SIN/Aadhar) DL, name, date of birth, age, address, age, identifier, university credentials, health condition, email, domain name, website URI (web resolvable) , phone number, credit card number, username/password, public key / private key. (Source: https://www.dol.gov)

    Predicates: The mathematical or logical operations such as equality or greater than on attributes (e.g. prove your salary is greater than x or your age is greater than y) to prove a claim without sharing the actual values.

    Purpose: This dimension of a digital id defines for what purpose digital id can be used. It can be one or many of these – authentication, authorization, activity linking, historical record keeping, social interactions, and machine connectivity for IoT use cases.

    Reliance authentication: Relying on a third-party authentication before providing a service. It is a method followed in a federated entity system.

    Risk-based authentication: A mechanism to protect against account compromise or identity theft. It correlates an authentication request with transitional facts like requester’s location, past frequency of login, etc. to reduce the risk of potential fraud.

    Scheme in trust framework: A specific set of rules (standard and custom) around the use of digital identities and attributes as agreed by one or more organizations. It is useful when those organizations have similar products, services, business processes. (Source: UK Govt. Trust Framework). E.g. Many credit unions agree on how they will use the identity in loan origination and servicing.

    Selective disclosure (Assertion): A way to present one’s identity by sharing only a limited amount information that is critical to make an authentication / authorization decision. E.g. when presenting your credentials, you could share something proving you are 18 years or above, but not share your name, exact age, address, etc.

    Trust: A dimension of an identity, which essentially is a belief in the reliability, truth, ability, or strength of that identity. While in the physical world all acceptable form of identities come with a verified trust, in online domain, it can be unverified. Also, where an identity is only acceptable as per the contract between two entities, but not widely.

    Trust framework: The trust framework is a set of rules that different organizations agree to follow to deliver one or more of their services. This includes legislation, standards, guidance, and the rules in this document. By following these rules, all services and organizations using the trust framework can describe digital identities and attributes they’ve created in a consistent way. This should make it easier for organizations and users to complete interactions and transactions or share information with other trust framework participants. (Source: UK Govt. Trust Framework)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Uniform resource identifier (URI): A universal name in registered name spaces and addresses referring to registered protocols or name spaces.

    Uniform resource locator (URL): A type of URI which expresses an address which maps onto an access algorithm using network protocols. (Source: https://www.w3.org/)

    Uniform resource name (URN): A type of URI that includes a name within a given namespace but may not be accessible on the internet.

    Usability: A dimension of identity that defines how many times it can be used. While most of the identities are multi-use, a few digital identities are in token form and can be used only once to authenticate oneself.

    Usage mode: A dimension of identity that defines the service mode in which a digital ID can be used. While all digital IDs are made for online usage, many can also be used in offline interactions.

    Verifiable credentials: This W3C standard specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. (Source: https://www.w3.org/TR/vc-data-model/)

    X.509 Certificates: X.509 certificates are standard digital documents that represent an entity providing a service to another entity. They're issued by a certification authority (CA), subordinate CA, or registration authority. These certificates play an important role in ascertaining the validity of an identity provider and in turn the identities issued by it. (Source: https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates)

    Zero-knowledge proofs: A method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. (Source: 1989 SIAM Paper)

    Zero-trust security: A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It evaluates each access request as if it is a fraud attempt, and grants access only if it passes the authentication and authorization test. (Source: Adapted from NIST, SP 800-207: Zero Trust Architecture, 2020)

    Related Info-Tech Research

    Build a Zero Trust Roadmap
    Leverage an iterative and repeatable process to apply zero trust to your organization.

    Assess and Govern Identity Security
    Strong identity security and governance are the keys to the zero-trust future.

    Adopt Design Thinking in Your Organization
    Innovation needs design thinking to ensure customer remains at the center of everything the organization does.

    Social Media
    Leveraging Social Media to connect with your customers and educate them to drive the value proposition of your efforts.

    IT Diversity & Inclusion Tactics
    Equip your teams to create an inclusive environment and mobilize inclusion efforts across the organization.


    Research Contributors and Experts

    David Wallace

    David Wallace
    Executive Counselor

    Erik Avakian

    Erik Avakian
    Technical Counselor, Data Architecture and Governance

    Matthew Bourne

    Matthew Bourne
    Managing Partner, Public Sector Global Services

    Mike Tweedie

    Mike Tweedie
    Practice Lead, CIO Research Development

    Aaron Shum

    Aaron Shum
    Vice President, Security & Privacy

    Works Cited

    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Theis, S., Rusconi, G., Panggabean, E., Kelly, S. (2020). Delivering on the Potential of Digitized G2P: Driving Women’s Financial Inclusion and Empowerment through Indonesia’s Program Keluarga Harapan. Women’s World Banking.
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Australia Trusted Digital Identity Framework (https://www.digitalidentity.gov.au/tdif#changes)
    eIDAS (https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation)
    Europe Digital Wallet – POTENTIAL (https://www.digital-identity-wallet.eu/)
    Canada PCTF (https://diacc.ca/trust-framework/)
    Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018
    e-Estonia website (https://e-estonia.com/solutions/e-identity/id-card/)
    Aadhaar Dashboard (https://uidai.gov.in/)
    DIACC Website (https://diacc.ca/the-diacc/)
    Australia Digital ID website (https://www.digitalidentity.gov.au/tdif#changes)
    UK Policy paper - digital identity & attributes trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Ukraine Govt. website (https://ukraine.ua/invest-trade/digitalization/)
    Singapore SingPass Website (https://www.tech.gov.sg/products-and-services/singpass/)
    Norway BankID Website (https://www.bankid.no/en/private/about-us/)
    Brazil National ID Card website (https://www.gov.br/casacivil/pt-br/assuntos/noticias/2022/julho/nova-carteira-de-identidade-nacional-modelo-unico-a-partir-de-agosto)
    Indonesia Coverage in Professional Security Magazine (https://www.professionalsecurity.co.uk/products/id-cards/indonesian-cards/)
    Philippine ID System (PhilSys) website (https://www.philsys.gov.ph/)
    China coverage on eGovReview (https://www.egovreview.com/article/news/559/china-announces-plans-national-digital-ids)
    Thales Group Website - DHS’s Automated Biometric Identification System IDENT (https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/customer-cases/ident-automated-biometric-identification-system)
    FranceConnect (https://franceconnect.gouv.fr/)
    Germany: Office for authorization cert. (https://www.personalausweisportal.de/Webs/PA/DE/startseite/startseite-node.html)
    Italian Digital Services Authority (https://www.spid.gov.it/en/)
    Monacco Mconnect (https://mconnect.gouv.mc/en)
    Estonia eID (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    E-Residency Dashboard (https://www.e-resident.gov.ee/dashboard)
    Unique ID authority of India (https://uidai.gov.in/aadhaar_dashboard/india.php)
    State of Aadhaar (https://www.stateofaadhaar.in/)
    World Bank (https://documents1.worldbank.org/curated/en/219201522848336907/pdf/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    WorldBank - ID4D 2022 Annual Report (https://documents.worldbank.org/en/publication/documents-reports/documentdetail/099437402012317995/idu00fd54093061a70475b0a3b50dd7e6cdfe147)
    Ukraine Govt. Website for Invest and trade (https://ukraine.ua/invest-trade/digitalization/)
    Diia Case study prepared for the office of Canadian senator colin deacon (https://static1.squarespace.com/static/63851cbda1515c69b8a9a2b9/t/6398f63a9d78ae73d2fd5725/1670968891441/2022-case-study-report-diia-mobile-application.pdf)
    Canadian Digital Identity Research (https://diacc.ca/wp-content/uploads/2022/04/DIACC-2021-Research-Report-ENG.pdf)
    Voilà Verified Trustmark (https://diacc.ca/voila-verified/)
    Digital Identity, 06A Federation Onboarding Guidance paper, March 2022 (https://www.digitalidentity.gov.au/sites/default/files/2022-04/TDIF%2006A%20Federation%20Onboarding%20Guidance%20-%20Release%204.6%20%28Doc%20Version%201.2%29.pdf)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    A United Nations Estimate of KYC/AML (https://www.imf.org/Publications/fandd/issues/2018/12/imf-anti-money-laundering-and-economic-stability-straight)
    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)
    UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf) McKinsey Digital ID report ( https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/digital-identification-a-key-to-inclusive-growth) International Peace Institute ( https://www.ipinst.org/2016/05/information-technology-and-governance-estonia#7)
    E-Estonia Report (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    2022 Budget Statement (https://diacc.ca/2022/04/07/2022-budget-statement/)
    World Bank ID4D - Private Sector Economic Impacts from Identification Systems 2018 (https://documents1.worldbank.org/curated/en/219201522848336907/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.gsma.com/identity/decentralised-identity
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    Microsoft Digital signatures and certificates (https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96)
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    https://www.dona.net/digitalobjectarchitecture
    IAM (https://iam.harvard.edu/)
    NIST Special Publication 800-63A (https://pages.nist.gov/800-63-3/sp800-63a.html)
    https://www.cisa.gov/publication/multi-factor-authentication-mfa
    https://openid.net/
    U.S. DEPARTMENT OF LABOR (https://www.dol.gov/)
    UK govt. trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.w3.org/
    Verifiable Credentials Data Model v1.1 (https://www.w3.org/TR/vc-data-model/)
    https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates

    Make the Case for Enterprise Business Analysis

    • Buy Link or Shortcode: {j2store}509|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • It can be difficult to secure alignment between the many lines of business, IT included, in your organization.
    • Historically, we have drawn a dividing line between IT and "the business.”
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed to make way for the loudest voice’s option.

    Our Advice

    Critical Insight

    • Enterprise business analysis can help you stop the debate between IT and “the business,” as it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove the bias and politics in decision making all too common in organizations.
    • The business analyst is the only role that can connect the strategic with the tactical, the systems, and the operations and do so objectively. It is the one source to show how people, process, and technology connect and relate, and the most skilled can remove bias and politics from their lens of view.
    • Maturity can’t be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    Impact and Result

    Let’s make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise analysis deliver better quality outcomes, with higher value, lower cost, and higher user satisfaction.
    • Business analysts should be contributing at the strategic level, as they need to understand multiple horizons simultaneously and be able to zoom in and out as the context calls for it. Business analysts aren’t only for projects.

    Make the Case for Enterprise Business Analysis Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Enterprise Business Analysis Storyboard – Take your business analysis from tactics to strategy.

    • Make the Case for Enterprise Business Analysis Storyboard

    2. Communicate the Case for Enterprise Business Analysis Template – Make the case for enterprise business analysis.

    • Communicate the Case for Enterprise Business Analysis
    [infographic]

    Further reading

    Make the Case for Enterprise Business Analysis

    Putting the strategic and tactical puzzle together.

    Analyst Perspective

    We commonly recognize the value of effective business analysis at a project or tactical level. A good business analysis professional can support the business by identifying its needs and recommending solutions to address them.
    Now, wouldn't it be great if we could do the same thing at a higher level?
    Enterprise (or strategic) business analysis is all about seeing that bigger picture, an approach that makes any business analysis professional a highly valuable contributor to their organization. It focuses on the enterprise, not a specific project or line of business.
    Leading the business analysis effort at an enterprise level ensures that your business is not only doing things right, but also doing the right things; aligned with the strategic vision of your organization to improve the way decisions are made, options are analyzed, and successful results are realized.

    Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Difficulty properly aligning between the many lines of business in your organization.
    • Historically, we have drawn a dividing line between IT and the business.
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed in favor of the loudest voice.

    Common Obstacles

    • Difficulty aligning an ever-changing backlog of projects, products, and services while simultaneously managing risks, external threats, and stakeholder expectations.
    • Many organizations have never heard of enterprise business analysis and only see the importance of business analysts at the project and delivery level.
    • Business analysis professionals rarely do enough to advocate for a seat at the strategic tables in their organizations.

    Info-Tech's Approach

    Let's make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise business analysis deliver better quality outcomes with higher value, lower cost, and higher user satisfaction.
    • Business analysts aren't only for projects. They should contribute at the strategic level, since they need to understand multiple horizons simultaneously and be able to zoom in and out as the context requires.

    Info-Tech Insight

    Enterprise business analysis can help you reframe the debate between IT and the business, since it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove bias and politics from decision making.

    Phase 1

    Build the case for enterprise business analysis

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 1.1.1 Discuss how business analysis is used in our organization
    • 1.1.2 Discuss your disconnects between strategy and tactics
    • 1.2.1 Identify your pains and opportunities

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    How business analysis supports our success today

    Delivering value at the tactical level

    Effective business analysis helps guide an organization through improvements to processes, products, and services. Business analysts "straddle the line between IT and the business to help bridge the gap and improve efficiency" in an organization (CIO, 2019).
    They are most heavily involved in:

    • Defining needs
    • Modeling concepts, processes, and solutions
    • Conducting analysis
    • Maintaining and managing requirements
    • Managing stakeholders
    • Monitoring progress
    • Doing business analysis planning
    • Conducting elicitation

    In a survey, business analysts indicated that of their total working time, they spend 31% performing business analysis planning and 41% performing elicitation and analysis (PMI, 2017).

    By including a business analyst in a project, organizations benefit by:
    (IAG, 2009)

    87%

    Reduced time overspending

    75%

    Prevented budget overspending

    78%

    Reduction in missed functionality

    1.1.1 Discuss how business analysis is used in your organization

    15-30 minutes

    1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives on business analysis. This should relate to their experience and not a future or aspirational usage.
    2. Have a team member facilitate the session.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives and record the results for the group to review and discuss.
    5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding of how your organization leverages its business analysis function

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Executives and leadership are satisfied with IT when there is alignment between tactics and goals

    Info-Tech's CIO Business Vision Survey data highlights the importance of IT projects in supporting the business to achieve its strategic goals.

    However, Info-Tech's CEO-CIO Alignment Survey (N=124) data indicates that CEOs perceive IT as poorly aligned with the business' strategic goals.

    Info-Tech's CIO-CEO Alignment Diagnostics

    43%

    of CEOs believe that business goals are going unsupported by IT.

    60%

    of CEOs believe that IT must improve understanding of business goals.

    80%

    of CIOs/CEOs are misaligned on the target role of IT.

    30%

    of business stakeholders support their IT departments.

    Addressing problems solely with tactics does not always have the desired effect

    94%

    Source: "Out of the Crisis", Deming (via Harvard Business Review)

    According to famed management and quality thought leader and pioneer W. Edwards Deming, 94% of issues in the workplace are systemic cause significant organizational pain.

    Yet we continue to address them on the surface, rather than acknowledge how ingrained they are in our culture, systems, and processes.

    For example, we:

    • Create workarounds to address process and solution constraints
    • Expect that poor (or lack of ) leadership can be addressed in a course or seminar
    • Expect that "going Agile" will resolve our problems, and that decision making, governance, and organizational alignment will happen organically.

    Band-aid solutions rarely have the desired effect, particularly in the long-term.

    Our solutions should likewise focus on the systemic/macro environment. We can do this via projects, products and services, but those don't always address the larger issues.

    If we take the work our business analysis currently does in defining needs and solutions, and elevate this to the strategic level, the results can be impactful.

    Many organizations would benefit from enhancing their business analysis maturity

    The often-overlooked strategic value of the role comes with maturing your practices.

    Only 18% of organizations have mature (optimized or established) business analysis practices.

    With that higher level of maturity comes increased levels of capability, efficiency, and effectiveness in delivering value to people, processes, and technology. Through such efforts, they're better equipped and able to connect the strategy of their organization to the projects, processes, and products they deliver.

    They shift focus from "figuring business analysis out" to truly unleashing its potential, with business analysts contributing in strategic and tactical ways.

    an image showing the following data: Optimized- 5; Established- 13; Improving- 37; Starting- 25; Ad hoc- 21

    (Adapted from PMI, 2017)

    Info-Tech Insight

    Business analysts are best suited to connect the strategic with the tactical, the systems, and the operations. They maintain the most objective lens regarding how people, process, and technology connect and relate, and the most skilled of them can remove bias and politics from their perspective.

    1.1.2 Discuss your disconnects between strategy and tactics

    30-60 minutes

      1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives regarding failures that resulted from disconnects between strategy and tactics.
      2. Have a team member facilitate the session.
      3. Brainstorm and document all shared thoughts and perspectives.
      4. Synthesize those thoughts and perspectives and record the results.
      5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding and list of failures due to disconnects between strategy and tactics

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Defining enterprise business analysis

    Terms may change, but the function remains the same.

    Enterprise business analysis (sometimes referred to as strategy analysis) "…focuses on defining the future and transition states needed to address the business need, and the work required is defined both by that need and the scope of the solution space. It covers strategic thinking in business analysis, as well as the discovery or imagining of possible solutions that will enable the enterprise to create greater value for stakeholders and/or capture more value for itself."
    (Source: "Business Analysis Body of Knowledge," v3)

    Define the function of enterprise business analysis

    This is a competitive advantage for mature organizations.

    Organizations with high-performing business analysis programs experience an enhanced alignment between strategy and operations. This contributes to improved organizational performance. We see this in financial (69% vs. 45%) and strategic performance (66% vs. 21%), also organizational agility (40% vs. 14%) and management of operational projects (62% vs. 29%). (PMI, 2017)

    When comparing enterprise with traditional business analysis, we see stark differences in the size and scope of their view, where they operate, and the role they play in organizational decision making.

    Enterprise Traditional
    Decision making Guides and influences Executes
    Time horizon 2-10 years 0-2 years
    Focus Strategy, connecting the strategic to the operational Operational, optimizing how business is done, and keeping the lights on
    Domain

    Whole organization

    Broader marketplace

    Only stakeholder lines of business relevant to the current project, product or service
    Organizational Level Executive/Leadership Project

    (Adapted from Schulich School of Business)

    Info-Tech Insight

    Maturity can't be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    An image showing the percentages of high- and low- maturity organizations, for the following categories: Financial performance; Strategy implementation; Organizational agility; Management of projects.

    (Adapted from PMI, 2017)

    How enterprise business analysis is used to improve organizations

    The biggest sources of project failure include:

    • Wrong (or poor) requirements
    • Unrealistic (or incomplete) business case
    • Lack of appropriate governance and oversight
    • Poor implementation
    • Poor benefits management
    • Environmental changes

    Source: MindTools.com, 2023.

    Enterprise business analysis addresses these sources and more.

    It brings a holistic view of the organization, improving collaboration and decision making across the many lines of business, effectively breaking down silos.

    In addition to ensuring we're doing the right things, not just doing things right in the form of improved requirements and more accurate business cases, or ensuring return on investment (ROI) and monitoring the broader landscape, enterprise business analysis also supports:

    • Reduced rework and waste
    • Understanding and improving operations
    • Making well-informed decisions through improved objectivity/reduced bias
    • Identifying new opportunities for growth and expansion
    • Identifying and mitigating risk
    • Eliminating projects and initiatives that do not support organizational goals or objectives
    • A career-pathing option for business analysts

    Identify your pains and opportunities

    There are many considerations in enterprise business analysis.

    Pains, gains, threats, and opportunities can come at your organization from anywhere. Be it a new product launch, an international expansion, or a new competitor, it can be challenging to keep up.

    This is where an enterprise business analyst can be the most helpful.

    By keeping a pulse on the external and internal environments, they can support growth, manage risks, and view your organization through multiple lenses and perspectives to get a single, complete picture.

    External

    Internal

    Identifying competitive forces

    In the global environment

    Organizational strengths and weaknesses

    • Monitoring and maintaining your competitive advantage.
    • Understanding trends, risks and threats in your business domain, and how they affect your organization.
    • Benchmarking performance against like and unlike organizations, to realize where you stand and set a baseline for continuous improvement and business development.
    • Leveraging tools and techniques to scan the broader landscape on an ongoing basis. Using PESTLE analysis, they can monitor the political, economic, social, technological, legal, and environmental factors that impact when, where, how, and with who you conduct your business and IT operations.
    • Supporting alignment between a portfolio or program of projects and initiatives.
    • Improving alignment between the various lines of business, who often lack full visibility outside of their silo, and can find themselves clashing over time, resources, and attention from leaders.
    • Improving solutions and outcomes through objective option selection.

    1.2.1 Identify your pains and opportunities

    30-60 minutes

    1. As a group, generate a list of the current pains and opportunities facing your organization. You can focus on a particular type (competitive, market, or internal) or leave it open. You can also focus on pains or opportunities separately, or simultaneously.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review, discuss, and prioritize.
      1. Discuss the impact and likelihood of each item. This can be formally ranked and quantified if there is data to support the item or leveraging the wisdom of the group.
      2. Prioritize the top three to five items of each type, as agreed by the group, and document the results.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Attendee knowledge
    • Supporting data, if available

    Output

    • A list of identified organizational pains and opportunities that has been prioritized by the group

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Phase 2

    Prepare the foundations for your enterprise business analysis program

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 2.1.1 Define your vision and goals
    • 2.1.2 Identify your enterprise business analysis inventory
    • 2.2.1 Now, Next, Later

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Set your vision

    Your vision becomes your "north star," guiding your journey and decisions.

    When thinking about a vision statement for enterprise business analysis, think about:

    • Who are we doing this for? Who will benefit?
    • What do our business partners need? What do our customers need?
    • What value do we provide them? How can we best support them?
    • Why is this special/different from how we usually do business?

    Always remember: Your goal is not your vision!

    Not knowing the difference will prevent you from both dreaming big and achieving your dream.

    Your vision represents where you want to go. It's what you want to do.

    Your goals represent how you want to achieve your vision.

    • They are a key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Info-Tech Best Practice

    Your vision shouldn't be so far out that it doesn't feel real, nor so short term that it gets bogged down in details. Finding balance will take some trial and error and will be different depending on your organization.

    2.1.1 Define your vision and goals

    1-2 hours

    1. Gather the appropriate stakeholders to discuss their vision for enterprise business analysis. It should address the questions used in framing your vision statement.
    2. Have a team member facilitate the session.
    3. Review your current organizational vision and goals.
    4. Discuss and document all shared thoughts and perspectives on how enterprise business analysis can align with the organizational vision.
    5. Synthesize those thoughts and perspectives to create a vision statement.
    6. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder vision, knowledge, and experience
    • Current organizational vision and goals

    Output

    • A documented vision and goals for your enterprise business analysis program

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Components of successful enterprise business analysis programs

    Ensure you're off to the best start by examining where you are and where you want to go.

    Training

    • Do the current team members have the right level of training?
    • Can we easily obtain training to close any gaps?

    Competencies and capabilities

    • Do our business analysts have the right skills, attributes, and behaviors to be successful?

    Structure and alignment

    • Would the organizational culture support enterprise business analysis (EBA)?
    • How might we structure the EBA unit to maximize effectiveness?
    • How can we best support the organization's goals and objectives?

    Methods and processes

    • How do we plan on managing the work to be done?
    • Can we define our processes and workflows?

    Tools, techniques, and templates

    • Do we have the most effective tools, techniques, and templates?

    Governance

    • How will we make decisions?
    • How will the program be managed?

    2.1.2 Identify your enterprise business analysis inventory

    30-60 minutes

    1. Gather the appropriate stakeholders to discuss the current business analysis assets, which could be leveraged for enterprise business analysis. This includes people, processes, and technologies which cover skills, knowledge, resources, experience, knowledge, and competencies. Focus on what the organization currently has, and not what it needs.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review and discuss.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your current business analysis assets and resources Stakeholder knowledge and experience

    Output

    • A list of assets and resources to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Define your roadmap and next steps

    What do we have? What do we need?

    From completing the enterprise business analysis inventory, you will have a comprehensive list of all available assets.

    The next question is, how can this be leveraged to start building for the future?

    To operationalize enterprise business analysis, consider:

    • What do we still need to do?
    • How important are the identified gaps? Can we still operate?
    • What decisions do we need to make?
    • What stakeholders do we need to involve? Have we engaged them all?

    Lay out your roadmap

    Taking steps to mature your enterprise business analysis practice.

    The Now, Next, Later technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • Now tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • Next tasks are those that should be completed soon. These tasks are not as critical as Now tasks, but they are still important and should be tackled relatively soon.
    • Later tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks, while allowing the flexibility to adjust as necessary.

    This technique also helps clarify what must be done first vs. what can wait. This prioritizes the most important things while keeping track of what must be done next, maintaining a smooth development/improvement process.

    An image of the now - next - later roadmap technique.

    2.2.1 Now, Next, Later

    1-2 hours

    1. Use the list of items created in 2.1.2 (Identify your enterprise business analysis inventory). Add any you feel are missing during this exercise.
    2. Have a team member facilitate the session.
    3. In the Communicate the Case for Enterprise Business Analysis template, categorize these items according to Now, Next and Later, where:
      1. Now = Critically important items that may require little effort to complete. These must be done within the next six months.
      2. Next = Important items that may require more effort or depend on other factors. These must be done in six to twelve months.
      3. Later = Less important items that may require significant effort to complete. These must be done at some point within twelve months.

    Ultimately, the choice of priority and timing is yours. Recognize that items may change categories as new information arises.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your enterprise business analysis inventory and gaps
    • Stakeholder knowledge and experience

    Output

    • A prioritized list of items to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    2.3 Complete your executive communication deck

    Use the results of your completed exercises to build your executive communication slide deck, to make the case for enterprise business analysis

    Slide Header Associated Exercise Rationale
    Pains and opportunities

    1.1.2 Discuss your disconnects between strategy and tactics

    1.2.1 Identify your pains and opportunities

    This helps build the case for enterprise business analysis (EBA), leveraging the existing pains felt in the organization. This will draw the connection for your stakeholders.
    Our vision and goals 2.1.1 Define your vision and goals Defines where you want to go and what effort will be required.
    What is enterprise business analysis

    1.1.1 How is BA being used in our organization today?
    Pre-populated supporting content

    Defines the discipline of EBA and how it can support and mature your organization.
    Expected benefits Pre-populated supporting content What's in it for us? This section helps answer that question. What benefits can we expect, and is this worth the investment of time and effort?
    Making this a reality 2.1.2 Identify your EBA inventory Identifies what the organization presently has that makes the effort easier. It doesn't feel as daunting if there are existing people, processes, and technologies in place and in use today.
    Next steps 2.2.1 Now, Next, Later A prioritized list of action items. This will demonstrate the work involved, but broken down over time, into smaller, more manageable pieces.

    Track metrics

    Track metrics throughout the project to keep stakeholders informed.

    As the project nears completion:

    1. You will have better-aligned and more satisfied stakeholders.
    2. You will see fewer projects and initiatives that don't align with the organizational goals and objectives.
    3. There will be a reduction in costs attributed to misaligned projects and initiatives (as mentioned in #2) and the opportunity to allocate valuable time and resources to other, higher-value work.
    Metric Description Target Improvement/Reduction
    Improved stakeholder satisfaction Lines of business and previously siloed departments/divisions will be more satisfied with time spent on solution involvement and outcomes. 10% year 1, 20% year 2
    Reduction in misaligned/non-priority project work Reduction in projects, products, and services with no clear alignment to organizational goals. With that, resource costs can be allocated to other, higher-value solutions. 10% year 1, 25% year 2
    Improved delivery agility/lead time With improved alignment comes reduced conflict and political infighting. As a result, the velocity of solution delivery will increase. 10%

    Bibliography

    Bossert, Oliver and Björn Münstermann. "Business's 'It's not my problem' IT problem." McKinsey Digital. 30 March, 2023.
    Brule, Glenn R. "The Lay of the Land: Enterprise Analysis." Modern Analyst.
    "Business Analysis: Leading Organizations to Better Outcomes." Project Management Institute (PMI), 2017
    Corporate Finance Institute. "Strategic Analysis." Updated 14 March 2023
    IAG Consulting. Business Analysis Benchmark Report, 2009.
    International Institute of Business Analysis. "A Guide to the Business Analysis Body of Knowledge" (BABOK Guide) version 3.
    Mirabelli, Vincent. "Business Analysis Foundations: Enterprise" LinkedIn Learning, February 2022.
    - - "Essential Techniques in Enterprise Analysis" LinkedIn Learning, September 2022.
    - - "The Essentials of Enterprise Analysis" Love the Process Academy. May 2020.
    - - "The Value of Enterprise Analysis." VincentMirabelli.com
    Praslova, Ludmila N. "Today's Most Critical Workplace Challenges Are About Systems." Harvard Business Review. 10 January 2023.
    Pratt, Mary K. and Sarah K. White. "What is a business analyst? A key role for business-IT efficiency." CIO. 17 April, 2019.
    Project Management Institute. "Business Analysis: Leading Organizations to Better Outcomes." October 2017.
    Sali, Sema. "The Importance of Strategic Business Analysis in Successful Project Outcomes." International Institute of Business Analysis. 26 May 2022.
    - - "What Does Enterprise Analysis Look Like? Objectives and Key Results." International Institute of Business Analysis. 02 June 2022.
    Shaker, Kareem. "Why do projects really fail?" Project Management Institute, PM Network. July 2010.
    "Strategic Analysis: Definition, Types and Benefits" Voxco. 25 February 2022.
    "The Difference Between Enterprise Analysis and Business Analysis." Schulich School of Business, Executive Education Center. 24 September 2018 (Updated June 2022)
    "Why Do Projects Fail: Learning How to Avoid Project Failure." MindTools.com. Accessed 24 April 2023.

    Take a Realistic Approach to Disaster Recovery Testing

    • Buy Link or Shortcode: {j2store}414|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    You have made significant investments in availability and disaster recovery – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Our Advice

    Critical Insight

    • If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience.
    • Focus on identifying gaps and risks, and addressing them, before a real disaster hits.
    • Take a realistic, iterative approach to resilience testing that starts with small, low-risk tests and builds on lessons learned.

    Impact and Result

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Demonstrate value from testing to gain buy-in for additional tests.

    Take a Realistic Approach to Disaster Recovery Testing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take a Realistic Approach to Disaster Recovery Testing Storyboard – A guide to establishing a right-sized approach to DR testing that delivers durable value to your organization.

    Use this research to understand the different types of tests, prioritize and plan tests for your organization, review the results, and establish a cadence for testing.

    • Take a Realistic Approach to Disaster Recovery Testing Storyboard

    2. Disaster Recovery Test Plan Template – A template to document your organization's DR test plan.

    Use this template to document scope and goals, participants, key pre-test milestones, the test-day schedule, and your findings from the testing exercise.

    • Disaster Recovery Test Plan Template

    3. Disaster Recovery Testing Program Summary – A template to outline your organization's DR testing program.

    Identify the tests you will run over the next year and the expertise, governance, process, and funding required to support testing.

    • Disaster Recovery Testing Program Summary

    [infographic]

     

    Further reading

    Take a Realistic Approach to Disaster Recovery Testing

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Analyst Perspective

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Andrew Sharp

    Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.

    But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?

    You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.

    Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.

    Andrew Sharp

    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have made significant investments in availability and disaster recovery (DR) – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Common Obstacles

    Despite the value testing can offer, actually executing on DR tests is difficult because:

    • Testing is often an IT-driven initiative, and it can be difficult to secure business buy-in to redirect resources away from other urgent projects or accept risks that come with testing.
    • Previous tests have been overly complex and challenging to coordinate and leave a hangover so bad that no one wants to do them again.

    Info-Tech's Approach

    Take a realistic approach to resilience testing by starting with small, low-risk tests, then iterating with the lessons you’ve learned:

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Get buy-in for regular DR testing from key stakeholders with a testing program summary.

    Info-Tech Insight

    If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Process and Outputs

    This research is accompanied by templates to help you achieve your goals faster.

    1 - Establish the business rationale for DR testing.
    2 - Review a range of options for testing.
    3 - Prioritize tests that are most valuable to your business.
    4 - Create a disaster recovery test plan.
    5 - Establish a Test Program to support a regular testing cycle.

    Outputs:

    DR Test Plan
    DR Testing Program Summary

    Example Orange Activity slide.
    Orange activity slides like the one on the left provide directions to help you make key decisions.

    Key Deliverable:

    Disaster Recovery Test Plan Template

    Build a plan for your first disaster recovery test.

    This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.

    Why test?

    Testing helps you avoid costly downtime

    • In a disaster scenario, speed matters. Immediately after an outage, the impact on the organization is small, but impact increases rapidly the longer the outage continues.
    • A quick and reliable response and recovery can protect the organization from significant losses.
    • A DRP testing and maintenance program helps ensure you’re ready to recover when you need to, rather than figuring it out as you go.

    “Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”

    – Jennifer Goshorn
    Chief Administrative Officer
    Gunderson Dettmer LLP

    Info-Tech members estimated even one day of system downtime could lead to significant revenue losses. Estimated loss of revenue over 24 hours. Core Infrastructure has the highest potential for lost revenue.

    Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)

    *Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.

    Run tests to enhance disaster recovery plans

    Testing improves organizational resilience

    • Identify and address gaps in your plans before a real disaster strikes.
    • Cross-train staff on systems recovery.
    • Go beyond testing technology to test recovery processes.
    • Establish a culture that centers resilience in everyday decision-making.

    Testing keeps DR documentation ready for action

    • Update documentation ahead of tests to prepare for the testing exercise.
    • Update documentation after testing to incorporate any lessons learned.

    Testing validates that investments in resilience deliver value

    • Confirm your organization can meet defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
    • Provide proof of testing for auditors, prospective customers, and insurance applications

    Overcome testing challenges

    Despite the value of effective recovery testing, most IT organizations struggle to test recovery plans

    Common challenges

    • Key resources don’t have time for testing exercises.
    • You don’t have the technology to support live recovery testing.
    • Tests are done ad hoc and lessons learned are lost.
    • A lack of business support for test exercises as the value isn’t understood.
    • Tests are always artificially simple because RTOs and RPOs must be met to satisfy customer or auditor inquiries

    Overcome challenges with a realistic approach:

    • Start small with tabletop and recovery tests for specific systems.
    • Include recovery tests in operational tasks (e.g. restore systems when you have a maintenance window).
    • Create testing plans for larger testing exercises.
    • Build on successful tests to streamline testing exercises in the future.
    • Don’t make testing a pass-fail exercise. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Go beyond traditional testing

    Different test techniques help validate recovery against different threats

    • There are many threats to service continuity, including ransomware, severe weather events, geopolitical conflict, legacy systems, staff turnover, and day-to-day outages caused by human error, software updates, hardware failures, or network outages.
    • At its core, disaster recovery planning is about recovery. A plan for service recovery will help you mitigate against many threats at once. The testing approaches on the right will help you validate different aspects of that recovery process.
    • This research will provide an overview of the approaches outlined on the right and help you prioritize tests that are most valuable to your organization.
    Different test techniques for disaster recover training: System Failover tests, tabletop exercises, ransomware recovery tests, etc.

    00 Identify a working group

    30 minutes

    Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.

    Roles and expectations for Disaster Recovery Planning. DRP sponsor, Testing coordinator, System testers, business liaisons, executive team.

    Input

    • Organizational context

    Output

    • A list of key participants for test planning and execution

    Participants

    • Typically, start by identifying the sponsor and coordinator and have them identify the other members of the working group.

    Start by updating your disaster recovery plan (DRP)

    Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT services (e.g. applications and infrastructure) following a disruption. A DRP:

    • Identifies critical applications and dependencies.
    • Defines appropriate recovery objectives based on a business impact analysis (BIA).
    • Creates a step-by-step incident response plan.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit. A business continuity plan (BCP) is also sometimes called a continuity of operations plan (COOP).

    BCPs are created and owned by each business unit, and creating a BCP requires deep involvement from the leadership of each business unit.

    Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    01 Confirm: why test at all?

    15-30 minutes

    Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.

     

    Drivers for testing – Examples:

     

    • Improve service continuity.
    • Identify and address gaps in recovery plans before a real disaster strikes.
    • Cross-train staff on systems recovery to minimize single points of failure.
    • Identify how we coordinate across teams during a major systems outage.
    • Exercise both recovery processes and technology.
    • Support a culture that centers system resilience in everyday decision-making.
    • Keep recovery documentation up-to-date and ready for action.
    • Confirm that our stated recovery objectives can be met.
    • Provide proof of testing for auditors, prospective customers, and insurance applications.
    • We require proof of testing to pass audits and renew cybersecurity insurance.

    Info-Tech Insight

    Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.

    Input

    • Business drivers and context for testing

    Output

    • Specific goals that are driving testing

    Participants

    • DR sponsor
    • Test coordinator

    Think about what and how you test

    Different layers of the stack to test: Network, Authentication, compute and storage, visualization platforms, database services, middleware, app servers, web servers.

    Find gaps and risks with tabletop testing

    Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs).

    In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.

    Tabletops are particularly effective because:

    • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more easily than other testing methodologies.
    • The exercise translates into recovery documentation: you create a workflow as you go.
    • A major site or service recovery scenario will review all aspects of the recovery process and create the backbone of your recovery plan.

    02 Run a tabletop exercise

    2 hours

    Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.

    Use our Recovery Workflow Template as a starting point.

    Some tips for running your first tabletop exercise:

    Do

    • Review the complete workflow from notification all the way to user acceptance testing.
    • Keep focused; stay on task and on time.
    • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
    • Revise and improve the plan with task owners.

    Don't

    • Get weighed down by tools.
    • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.
    • Document the details right away – stick to the high-level plan for the first exercise.
    1. Ahead of the exercise, decide on a scenario, identify participants, and book a meeting time.
      • For your first walkthrough of a DR scenario, we often recommend a scenario that considers a site failure requiring failover to a DR site.
      • For the first exercise, focus on technical aspects of recovery before bringing in members of the business. The technical team may need space to discuss the appropriate steps in the recovery process before you bring in business liaisons to discuss user acceptance testing (UAT).
      • A complete failover considers all systems, the viability of your second site, and can help identify parts of the process that require additional exercises.
    2. Review the scenario with participants. Then, discuss and document the recovery process, starting with initial notification of an event.
      • Record steps in the process on white cards or boxes.
      • On yellow and red cards, document gaps and risks in people process and technology requirements.
    3. Once you’ve walked through the process, return to the start.
      • Record the time required to complete each step. Consider identifying who is responsible for key steps. Identify any additional gaps and risks.
    4. Clean up and record the results of the workflow. Save a copy with your DRP documentation.

    Input

    • Expert knowledge on systems recovery

    Output

    • Recovery workflow, including gaps and risks

    Participants

    • Test coordinator
    • Technical SMEs

    Move from tabletop testing to functional exercises

    See how your plans fare in the real world

    In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:

    • See how standby systems behave. A tabletop exercise can miss small issues that can make or break the recovery process. For example, connectivity or integration issues on a new subnet might be difficult to predict prior to actually running services in that environment.
    • Hands-on practice: Familiarize the team with the steps, commands, and interfaces of your recovery toolset.
    • Manage the pressure of the DR scenario: Nothing’s quite like the real thing, but a live exercise may be the closest your team can get to a disaster situation without experiencing it firsthand.

    Examples of live exercises

    Boot and smoke test Turn on a standby system and confirm it boots up correctly.
    Restore and validate data Restore data or servers from backup. Confirm data integrity.
    Parallel testing Send familiar transactions to production and standby systems. Confirm both systems produce the same result.
    Failover systems Shut down the production system and use the standby system in production.

    Run local tests ahead of releases

    Think small

    Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.

    Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.

    Some examples of localized tests:

    • Review backup logs and check for errors.
    • Restore files or whole systems from backup.
    • Run application-based tests as part of release management, including unit, regression, and performance tests.
      • Ensure application tests are run for both the primary and DR environment.
      • For a deep-dive on application testing, see Info-Tech’s research Automate Testing to Get More Done.

    Info-Tech Insight

    Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.

    Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.

    Have the business validate recovery

    If your business doesn’t think a system’s recovered, it’s not recovered.

    User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.

    An acceptance test script might look something like the checklist below.

    • Does the application open?
    • Does the interface look right?
    • Do you see any unusual notifications or warnings?
    • Can you conduct a key transaction with dummy data?
    • Can you run key reports?

    “I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”

    – Robert Nardella
    IT Service Management
    Certified z/OS Mainframe Professional

    Info-Tech Insight

    Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.

    Beyond the Basics: Full Failover Testing

    • A failover test – a full failover of your production environment to a secondary environment – is what many IT and businesspeople think about when they think of disaster recovery testing.
    • A full test can validate previous local or tabletop tests, identify additional gaps and risks, and provide hands-on training experience with recovery processes and technologies.
    • Setting a date for failover testing can also inject some urgency into otherwise low-priority (but high importance) disaster recovery planning and documentation exercises, which need to be completed prior to the test.
    • Despite these benefits, full failover tests carry significant risk and require a great deal of effort and cost. Typically, only businesses that already have an active-active environment capable of supporting in-scope production systems are able to run a full environment failover.
    • This is especially true the first time you test. While in theory a DR plan should be ready to go at any time, there will be documents to update, gaps to address, and risks to mitigate before you go ahead with the test.

    Full Failover Testing

    What you get:

    • Provide hands-on experience with recovery processes and technology.
    • Confirm that site failover works in practice as you assumed in tabletop or local testing exercises.
    • Identify critical gaps you might have missed without a full failover test.

    What you need:

    • An active-active secondary site, with sufficient standby equipment, data, and licensed standby software to support production.
    • A completed tabletop exercise and documented recovery workflow.
    • A documented test plan, backout plan, and formal sign-off.
    • An off-hours downtime window.
    • Time from technical SMEs and business resources, both for creating the plan and executing the test.

    Beyond the Basics: Site Reliability Engineering

    • Site reliability engineering (SRE) is an application of skills and approaches from software engineering to improve system resilience.
    • SRE is focused on “availability, latency, performance, efficiency, change management, monitoring, emergency response, and capacity planning” across a set portfolio of services (Sloss, 2017).
    • In many organizations, SRE is implemented as a team that supports separate applications teams.
    • Applications must have defined and granular resilience requirements, translated into service objectives. The SRE team and applications teams will work together to meet these objectives.
    • Site reliability engineers (the folks that do SRE, and often also abbreviated as SREs) are expected to build solutions and processes to ensure services remain stable and performant, not just respond when they fail. For example, Google allows their SREs to spend just half their time on incident response, with the rest of their time focused on development and automation tasks.

    Site Reliability Testing

    What you get:

    • Improved reliability and reduced frequency and impact of downtime.
    • Increased use of automation to address problems before they cause an incident.
    • Granular resilience objectives.

    What you need:

    • Systems running on software-defined infrastructure.
    • Specialized skills in programming, infrastructure-as-code.
    • Business & product owners able to define and fund acceptable and appropriate resilience objectives.
    • Technical experts able to translate product requirements into technical design requirements.

    Beyond the Basics: Chaos Engineering

    • Chaos engineering, a term and approach first popularized by the team at Netflix, aims to improve the resilience of particularly large and distributed systems by simulating system failures and evaluating performance against a baseline.
    • Experiments simulate a variety of real-world events that could cause outages (e.g. network slowdowns or server failures). Experiments run continuously, and the recommendation is to run them in production where feasible while minimizing the impact on customers.
    • Tools to help you run chaos testing exist, including open-source toolkits like Chaos Monkey or Mangle and paid software as a service (SaaS) solutions like Gremlin.
    • Deciding whether the long-term benefits of tests that can degrade production are worth the potential risk of system slowdowns or outages is a business or product decision. Technical considerations aside, if the business owner of a particular system doesn’t see the value of continuous testing outweighing the introduced risk, this approach to testing isn’t going to happen.

    Chaos Engineering

    What you get:

    • Confidence that systems can weather volatile and unpredictable conditions in a production environment.
    • An embedded resilience culture.

    What you need:

    • High-maturity IT incident, monitoring and event practices.
    • Standby/resilient systems to minimize downtime impact.
    • Business buy-in for introducing risk into the production environment.
    • Specialized skills to identify, develop, and run tests that degrade production performance in a controlled way.
    • Budget and time to act on issues identified through testing.

    Beyond the Basics: Security Event Simulations

    • Ransomware is driving demands for proof of recovery testing from customers, executives, auditors, and insurance companies. Systems recovery is part of ransomware recovery, but recovering from a breach includes detection, analysis, containment, and eradication of the attack vector before systems recovery can begin.
    • Beyond technical recovery, internal legal and communications teams will have a role, as will your insurance provider, consultants specialized in ransomware recovery, or professional ransom negotiators.
    • A tabletop exercise focused on ransomware incident response is a key first step. You can find Info-Tech’s methodology for a ransomware tabletop in Phase 3 of Build Resilience Against Ransomware Attacks.
    • Live testing approaches can offer hands-on experience and further insight into how your systems are vulnerable to malware. A variety of open source and proprietary tools can simulate ransomware and help you identify problems, though it’s important to understand the limitations of different simulators (Allon, 2022).
    • A “red team” exercise simulates an adversarial attack against your processes and systems. A specialized penetration tester will often take on the role of the red team and provide a report of identified gaps and risks after the engagement.

    Security Event Simulation

    What you get:

    • Hands-on experience managing and recovering from a ransomware attack in a controlled environment.
    • A better understanding of gaps in your response process.

    What you need:

    • A completed ransomware tabletop exercise and mature security incident response processes.
    • For Ransomware Simulators: An air-gapped sandbox environment hosting a copy of your production systems and security tools, and time from your technical SMEs.
    • For Red Team Exercises: A trusted provider, scope for your testing plans, and time from your security incident response team.

    Prioritize tests by asking these three questions

    1. Will the scope of this test deliver sufficient value?

    • Yes, these are critical systems with low tolerance for downtime or data loss.
    • Yes, major changes or new systems require validation of DR capabilities.
    • Yes, there’s high probability of an outage, or recent experience of an outage.
    • •Yes, we have audit requirements or customer demands for testing.

    2. Are we ready for this test?

    • Yes, recovery plans and recovery objectives are documented.
    • Yes, key technical and business resources have time to commit to testing exercises.
    • Yes, technology is currently able to support proposed tests.

    3. Is it easy to do?

    • Yes, effort required to complete the test is low (i.e. minimal work, few participants).
    • Yes, the risks related to testing are low.
    • Yes, it won’t cost much.

    Info-Tech Insight

    More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!

    03 Brainstorm and prioritize test ideas

    30-60 minutes

    Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.

      1. Review the slides above to develop ideas on how and what you want to test. These slides may be enough to kickstart a brainstorming process. Don’t debate or discount ideas at this point. Write down these ideas in a space where all participants can see them (e.g. whiteboard or shared screen).

    The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.

    1. Discuss where you have the greatest need to test. Assign a score of 0 – 3 for each test, with a score of 3 being high-need and a score of zero being low-need. Consider whether:
      • These applications have a low tolerance for downtime.
      • There’s a high chance of an outage, or recent experience with an outage.
      • There’s a need to train or cross-train staff on recovery for the system(s) in question.
      • Major changes require a review or validation of DR capabilities.
      • Audit requirements or customer/executive demands can be met via testing.
    2. Discuss which tests will require the least effort to complete – where readiness is high and tests are easier to do. Assign a score between 0 and 3 for each test, with a score of 3 being least effort and a score of 0 being high effort. Consider whether:
      • Recovery plans and recovery objectives are documented for these systems.
      • Technical experts are available to work on testing exercises.
      • For active testing, standby/sandbox systems are available and capable of supporting proposed tests.
      • The effort required to complete the test is low (e.g. minimal new work, few participants).
      • The risks related to testing are low.
      • You will need to secure additional funding.
    3. Sum together the assigned scores for each test. Higher scores should be the highest priority, but of course use your judgement to validate the results and select one or two tests to execute in the coming year.

    “There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”

    – Steve Tower
    Principal Consultant
    Prompta Consulting Group

    Input

    • Organizational and technical context

    Output

    • Prioritize list of DR testing ideas

    Participants

    • DR sponsor
    • Test coordinator

    04 Build a test plan

    3-5 days

    Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.

    The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.

    Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.

    Key sections of the document include:

    • Goals, scenario, and scope of the test.
    • Assumptions, constraints, risks, and mitigation strategies.
    • Test participants.
    • Key pre-test milestones, and test-day schedule.
    • After-action review.

    Download the Disaster Recovery Test Plan Template

    Input

    • Scope
    • High-level goals

    Output

    • Test plan, including goals, scope, key milestones, risks and mitigations, and test-day schedule

    Participants

    • Test coordinator develops the plan with support from:
      • Technical SMEs
      • Business liaisons
      • DR sponsor

    05 Run an after-action review

    30-60 minutes

    Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.

    1. Start with a short (5-10 minute) debrief of the test and allow participants to ask questions. Confirm:
      • Did we meet the goals we set for the exercise, including RTOs and RPOs?
      • What was done well? What issues, gaps, and risks were identified?
    2. Work through variations of the following questions:
      • Was the test plan effective, and was the test well organized?
      • Was the documentation effective? Where did we follow the plan as documented, and where did we deviate from the plan?
      • Was our communication/collaboration during the test effective?
      • Have gaps and issues found during the test been reported to the testing coordinator? Could some of the issues uncovered apply more broadly to other IT services as well?
      • What could we test next, based on what was discovered?
      • Are there other tools or approaches that could be useful?

    Input

    • Insights and experience from a recent testing exercise

    Output

    • Identified gaps and risks, and action items to address them
    • Ideas to improve future test exercises

    Participants

    • Test coordinator develops the plan with support from:
      • Test coordinator
      • Test participants

    Follow a testing cycle

    All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.

    The testing cycle: 1. Plan a test, 2. Run test, 3. Take action.

    Use your experience to simplify testing

    The fifth testing exercise should be easier than the first

    Outputs and lessons learned from testing should help you run future tests.

    • With past experience under their belt, participants should have a better understanding of their role, and of their peers’ roles, and the goal of the exercise.
    • Facilitators will be more comfortable facilitating the exercise, and everyone should be more confident in the steps required to recover their systems.
    • Gather feedback from participants through after-action reviews to identify what worked and what didn’t.
    • Documentation from previous tests can provide a template for future tests.
    • Gaps identified in previous tests can provide ideas for future tests.

    Experience, lessons learned, improved process, new test targets, repeat.

    Info-Tech Insight

    Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.

    06 Create a test program summary

    2-4 hours

    Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.

    Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.

    The result is a summary document that:

    • Identifies key takeaways and testing goals
    • Presents key elements of the testing program
    • Outlines the testing cycle
    • Lists expected milestones for the next year
    • Identifies participants
    • Recommends next steps

    “It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”

    – Joe Starzyk
    Senior Business Development Executive
    IBM Global Services

    Research Contributors and Experts

    • Bernard A. Jones, Business Continuity & Disaster Recovery Expert
    • Robert Nardella, IT Service Management, Certified z/OS Mainframe Professional
    • Larry Liss, Chief Technology Officer, Blank Rome LLP
    • Jennifer Goshorn, Chief Administrative and Chief Compliance Officer, Gunderson Dettmer LLP
    • Paul Kirvan, FBCI, CISA, Independent IT Consultant/Auditor, Paul Kirvan Associates
    • Steve Tower, Principal Consultant, Prompta Consulting Group
    • Joe Starzyk, Senior Business Development Executive, IBM Global Services
    • Thomas Bronack, Enterprise Resiliency and Corporate Certification Consultant, DCAG
    • Paul S. Randal, CEO & Owner, SQLskills.com
    • Tom Baumgartner, Disaster Recovery Analyst, Catholic Health

    Bibliography

    Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
    https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/

    Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
    https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan

    The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.

    Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
    Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum

    Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
    http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.

    IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
    https://www.techtarget.com/searchitoperations/definition/chaos-engineering

    Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
    https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf

    “Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
    https://principlesofchaos.org/

    Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
    https://sre.google/sre-book/introduction/

    Time Study

    • Buy Link or Shortcode: {j2store}260|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • In ESG’s 2018 report “The Life of Cybersecurity Professionals,” 36% of participants expressed the overwhelming workload was a stressful aspect of their job.
    • Organizations expect a lot from their security specialists. From monitoring the threat environment, protecting business assets, and learning new tools, to keeping up with IT initiatives, cybersecurity teams struggle to balance their responsibilities with the constant emergencies and disruptions that take them away from their primary tasks.
    • Businesses fail to recognize the challenges associated with task prioritization and the time management practices of a security professional.

    Our Advice

    Critical Insight

    • The majority of scheduled calendar meetings include employees and peers.
      • Our research indicates cybersecurity professionals spent the majority of their meetings with employees (28%) and peers (24%). Other stakeholders involved in meetings included by myself (15%), boss (13%), customers (10%), vendors (8%), and board of directors (2%).
    • Calendar meetings are focused on project work, management, and operations.
      • When asked to categorize calendar meetings, the focus was on project work (26%), management (23%), and operations (22%). Other scheduled meetings included ones focused on strategy (15%), innovation (9%), and personal time (5%).
    • Time management scores were influenced by the percentage of time spent with employees and peers.
      • When participants were divided into good and poor time managers, we found good time managers spent less time with their peers and more time with their employees. This may be due to the nature of employee meetings being more directly tied to the project outputs of the manager than their peer meetings. Managers who spend more time in meetings with their employees feel a sense of accomplishment, and hence rate themselves higher in time management.

    Impact and Result

    • Understand how cybersecurity professionals allocate their time.
    • Gain insight on whether perceived time management skills are associated with calendar maintenance factors.
    • Identify common time management pain points among cybersecurity professionals.
    • Identify current strategies cybersecurity professionals use to manage their time.

    Time Study Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read our Time Study

    Read our Time Study to understand how cybersecurity professionals allocate their time, what pain points they endure, and tactics that can be leveraged to better manage time.

    • Time Study Storyboard
    [infographic]

    Build an IT Employee Engagement Program

    • Buy Link or Shortcode: {j2store}544|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $5,734 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • IT’s performance and stakeholder satisfaction with IT services hinge on IT’s ability to attract and retain top talent and to motivate teams to go above and beyond.
    • With the growing IT job market, turnover is a serious threat to IT’s ability to deliver seamless value and continuously drive innovation.
    • Engagement initiatives are often seen as being HR’s responsibility; however, IT leadership needs to take accountability for the retention and productivity of their employees in order to drive business value.

    Our Advice

    Critical Insight

    • Engagement is a two-way street. Initiatives must address a known need and be actively sought by employees – not handed down from management.
    • Engagement initiatives are useless unless they target the right issues. It can be tempting to focus on the latest perks and gadgets and ignore difficult issues. Use a systematic approach to uncover and tackle the real problems.
    • It’s time for IT leadership to step up. IT leaders have a much bigger impact on IT staff engagement than HR ever can. Leverage this power to lead your team to peak performance.

    Impact and Result

    • Info-Tech engagement diagnostics and accompanying tools will help you perform a deep dive into the root causes of disengagement on your team.
    • The guidance that accompanies Info-Tech’s tools will help you avoid common engagement program pitfalls and empower IT leaders to take charge of their own team’s engagement.

    Build an IT Employee Engagement Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to discover why engagement is critical to IT performance, review Info-Tech’s methodology, and understand how our tools will help you construct an effective employee engagement program.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Measure employee engagement

    Use Info-Tech's Pulse or Full Engagement Surveys to measure employee engagement.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement
    • Engagement Strategy Record
    • Engagement Communication Template

    2. Analyze results and ideate solutions

    Understand the drivers of engagement that are important for your team, and involve your staff in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions
    • Engagement Survey Results Interpretation Guide
    • Full Engagement Survey Focus Group Facilitation Guide
    • Pulse Engagement Survey Focus Group Facilitation Guide
    • Focus Group Facilitation Guide Driver Definitions
    • One-on-One Manager Meeting Worksheet

    3. Select and implement engagement initiatives

    Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives
    • Summary of Interdepartmental Engagement Initiatives
    • Engagement Progress One-Pager
    [infographic]

    Workshop: Build an IT Employee Engagement Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 (Preparation) Run Engagement Survey

    The Purpose

    Select and run your engagement survey prior to the workshop.

    Key Benefits Achieved

    Receive an in-depth report on your team’s engagement drivers to form the basis of your engagement strategy.

    Activities

    1.1 Select engagement survey.

    1.2 Identify engagement program goals and metrics.

    1.3 Run engagement survey.

    Outputs

    Full or Pulse engagement survey report

    Engagement survey results interpretation guide

    2 Explore Engagement

    The Purpose

    To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.

    Key Benefits Achieved

    Empower your leadership team to take charge of their own teams’ engagement.

    Activities

    2.1 Review engagement survey results.

    2.2 Finalize focus group agendas.

    2.3 Train managers.

    Outputs

    Customized focus group agendas

    3 Hold Focus Groups

    The Purpose

    Establish an open dialogue with your staff to understand what would improve their engagement.

    Key Benefits Achieved

    Employee-generated initiatives have the greatest chance at success.

    Activities

    3.1 Identify priority drivers.

    3.2 Identify engagement KPIs.

    3.3 Brainstorm engagement initiatives.

    3.4 Vote on initiatives within teams.

    Outputs

    Summary of focus groups results

    Identified engagement initiatives

    Identified engagement initiatives

    4 Select and Plan Initiatives

    The Purpose

    Learn the characteristics of successful engagement initiatives and build execution plans for each.

    Key Benefits Achieved

    Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.

    Activities

    4.1 Select engagement initiatives with IT leadership.

    4.2 Create initiative project plans.

    4.3 Present project plans.

    4.4 Define implementation checkpoints.

    4.5 Develop communications plan.

    4.6 Define strategy for ongoing engagement monitoring.

    Outputs

    Engagement project plans

    Implementation and communication checkpoints

    Further surveys planned (optional)

    5 Additional Leadership Training

    The Purpose

    Select training modules that best address your team’s needs from Info-Tech’s modular leadership training program.

    Key Benefits Achieved

    Arm your IT leadership team with the key skills of effective leadership, tailored to their existing experience level.

    Activities

    5.1 Adopting an Integrated Leadership Mindset

    5.2 Optimizing Talent Leadership Practices

    5.3 Driving Diversity & Inclusion

    5.4 Fortifying Internal Stakeholder Relations

    5.5 Engaging Executives and the Board

    5.6 Crafting Your Leadership Brand

    5.7 Crafting and Delivering Compelling Presentations

    5.8 Communication & Difficult Conversations

    5.9 Conflict Management

    5.10 Performance Management

    5.11 Feedback & Coaching

    5.12 Creating a Culture of Personal Accountability

    Outputs

    Develop the skills to lead resourcefully in times of uncertainty

    Apply leadership behaviors across enterprise initiatives to deploy and develop talent successfully

    Develop diversity and inclusion practices that turn the IT function and leaders into transformative champions of inclusion

    Identify elements of effective partnering to maximize the impact of internal interactions

    Understand the major obstacles to CEO and board relevance and uncover the keys to elevating your internal executive profile

    Develop a leadership brand statement that demonstrates leadership competency and is aligned with the brand, mission, vision, and goals of the organization

    Identify the components of effective presentations and hone your presentation skills

    Gain the skills to confront and drive solutions from difficult situations

    Develop strategies to engage in conflict constructively and reach a resolution that benefits the team or organization

    Learn to identify the root causes of low performance and develop the skills to guide employees through the process of improvement

    Adopt a behavior-focused coaching model to help managers sustain and apply effective coaching principles

    Understand how and when to encourage autonomy and how to empower employees to take success into their own hands

    Prepare for Cognitive Service Management

    • Buy Link or Shortcode: {j2store}335|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 10 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • The evolution of natural language processing and machine learning applications has led to specialized AI-assisted toolsets that promise to improve the efficiency and timeliness of IT operations.

    Our Advice

    Critical Insight

    • These are early days. These AI-assisted toolsets are generating a considerable amount of media attention, but most of them are relatively untested. Early adopters willing to absorb experimentation costs are in the process of deploying the first use cases. Initial lessons are showing that IT operations in most organizations are not yet mature enough to take advantage of AI-assisted toolsets.
    • Focus on the problem, not the tool. Explicit AI questions should be at the end of the list. Start by asking what business problem you want to solve.
    • Get your house in order. The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Impact and Result

    • Don’t fall prey to the AI-bandwagon effect. AI-assisted innovations will support shift-left service support strategies through natural language processing and machine learning applications. However, the return on your AI investment will depend on whether it helps you meet an actual business goal.
    • AI-assisted tools presuppose the existence of mature IT operations functions, including standardized processes, high-quality structured content focused on the incidents and requests that matter, and a well-functioning ITSM web portal.
    • The success of AI ITSM projects hinges on adoption. If your vision is to power end-user interactions with chatbots and deploy intelligent agents on tickets coming through the web portal, be sure to develop a self-service culture that empowers end users to help themselves and experiment with new tools and technologies. Without end-user adoption, the promised benefits of AI projects will not materialize.

    Prepare for Cognitive Service Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prepare for cognitive service management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review emerging AI technology

    Get an overview of emerging AI applications to understand how they will strengthen a shift-left service support strategy.

    2. Sort potential IT operations AI use cases

    Review potential use cases for AI applications to prioritize improvement initiatives and align them to organizational goals.

    • Disruptive Technology Shortlisting Tool
    • Disruptive Technology Value-Readiness and SWOT Analysis Tool

    3. Prepare for a cognitive service management project

    Develop an ITSM AI strategy to prepare your organization for the coming of cognitive service management, and build a roadmap for implementation.

    • Customer Journey Map (PDF)
    • Customer Journey Map (Visio)
    • Infrastructure Roadmap Technology Assessment Tool
    • Strategic Infrastructure Roadmap Tool
    [infographic]

    Implement a Social Media Program

    • Buy Link or Shortcode: {j2store}560|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • IT is being caught in the middle of various business units, all separately attempting to create, staff, implement, and instrument a social media program.
    • Requests for procuring social media tools and integrating with CRM systems are coming from all directions, with no central authority governing a social media program or coordinating business goals.
    • Public Relations and Corporate Communications groups have been acting as the first level of response to social media channels since the company’s first Twitter account went live, but the volume of inquiries received through social channels has become too great for these groups to continue in a first responder role.

    Our Advice

    Critical Insight

    • Social media immaturity is an opportunity for IT leadership. As with so many of the “next new things,” IT has an opportunity to help the business understand social media technologies, trends, and risks, and coordinate efforts to approach social media as a united company.
    • Social media maturity must reach the Social Media Steering Committee stage before major investments in technology can proceed. As with all business initiatives, technology automation decisions cannot be made without respect to organizational and process maturity. Social media strategy stakeholders must join together and form a steering committee to create policies and procedures, govern strategy, develop workflows, and facilitate technology selection processes. IT not only belongs on such a steering committee, but it can also be instrumental in the formation of it.
    • Info-Tech’s research repeatedly indicates that the greatest return from social media investments is in the customer service domain, by reacting to incoming social inquiries and proactively listening to social conversations for product and service inquiry opportunities. This means CRM integration is essential to long-term social media program success.

    Impact and Result

    • Assess your organization’s social maturity to know where to begin and where to go in implementation of a social media program.
    • Form a social media steering committee to bring order to chaos among different business units.
    • Develop comprehensive workflows to categorize and prioritize inquiries, and then route them to the appropriate part of the business for resolution.
    • Consider creating one or more physical social media command centers to process large volumes of social inquiries more efficiently and monitor real-time social media metrics to improve critical response times.

    Implement a Social Media Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your organization's social maturity

    Know where to begin and where to go in implementation of a social media program.

    • Storyboard: Implement a Social Media Program
    • Social Media Maturity Assessment Tool

    2. Form a social media steering committee

    Bring order to chaos among different business units.

    • Social Media Steering Committee Charter Template
    • Social Media Acceptable Use Policy
    • Blogging and Microblogging Guidelines Template

    3. Consider creating one or more physical social media command centers

    Process large volumes of social inquiries more efficiently, and monitor real-time social media metrics to improve critical response times.

    • Social Media Representative
    • Social Media Manager
    [infographic]

    Develop Infrastructure & Operations Policies and Procedures

    • Buy Link or Shortcode: {j2store}452|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $46,324 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Our Advice

    Critical Insight

    • Document what you need to document and forget the rest. Always check to see if you can use a previously approved policy before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.

    Impact and Result

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Develop Infrastructure & Operations Policies and Procedures Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should change your approach to developing Infrastructure & Operations policies and procedures, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify policy and procedure gaps

    Create a prioritized action plan for documentation based on business need.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 1: Identify Policy and Procedure Gaps

    2. Develop policies

    Adapt policy templates to meet your business requirements.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 2: Develop Policies
    • Availability and Capacity Management Policy
    • Business Continuity Management Policy
    • Change Control – Freezes & Risk Evaluation Policy
    • Change Management Policy
    • Configuration Management Policy
    • Firewall Policy
    • Hardware Asset Management Policy
    • IT Triage and Support Policy
    • Release Management Policy
    • Software Asset Management Policy
    • System Maintenance Policy – NIST
    • Internet Acceptable Use Policy

    3. Document effective procedures

    Improve policy adherence and service effectiveness through procedure standardization and documentation.

    • Develop Infrastructure & Operations Policies and Procedures – Phase 3: Document Effective Procedures
    • Capacity Plan Template
    • Change Management Standard Operating Procedure
    • Configuration Management Standard Operation Procedures
    • Incident Management and Service Desk SOP
    • DRP Summary Template
    • Service Desk Standard Operating Procedure
    • HAM Standard Operating Procedures
    • SAM Standard Operating Procedures
    [infographic]

    Further reading

    Develop Infrastructure & Operations Policies and Procedures

    Document what you need to document and forget the rest.

    Table of contents

    Project Rationale

    Project Outlines

    • Phase 1: Identify Policy and Procedure Gaps
    • Phase 2: Develop Policies
    • Phase 3: Document Effective Procedures

    Bibliography

    ANALYST PERSPECTIVE

    Document what you need to document now and forget the rest.

    "Most IT organizations struggle to create and maintain effective policies and procedures, despite known improvements to consistency, compliance, knowledge transfer, and transparency.

    The numbers are staggering. Fully three-quarters of IT professionals believe their policies need improvement, and the same proportion of organizations don’t update procedures as required.

    At the same time, organizations that over-document and under-document perform equally poorly on key measures such as policy quality and policy adherence. Take a practical, step-by-step approach that prioritizes the documentation you need now. Leave the rest for later."

    (Andrew Sharp, Research Manager, Infrastructure & Operations Practice, Info-Tech Research Group)

    Our understanding of the problem

    This Research Is Designed For:

    • Infrastructure Managers
    • Chief Technology Officers
    • IT Security Managers

    This Research Will Help You:

    • Address policy gaps
    • Develop effective procedures and procedure documentation to support policy compliance

    This Research Will Also Assist:

    • Chief Information Officers
    • Enterprise Risk and Compliance Officers
    • Chief Human Resources Officers
    • Systems Administrators and Engineers

    This Research Will Help Them:

    • Understand the importance of a coherent approach to policy development
    • Understand the importance of Infrastructure & Operations policies
    • Support Infrastructure & Operations policy development and enforcement

    Info-Tech Best Practice

    This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

    Executive Summary

    Situation

    • Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
    • Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

    Complication

    • Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
    • Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
    • Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

    Resolution

    • Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
    • Create effective policies that are reasonable, measurable, auditable, and enforceable.
    • Create and document procedures to support policy changes.

    Info-Tech Insight

    1. Document what you need to document and forget the rest.
      Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
    2. Support policies with documented procedures.
      Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

    What are policies, procedures, and processes?

    A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

    In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

    A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

    Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

    Visualization of policies, procedures, and processes using pillars. Two separate structures, 'Policy A' and 'Policy B', are each held up by three pillars labelled 'Standards', 'Procedures', and 'Guidelines'. Two lines pass through the pillars of both structures and are each labelled 'Value-creating process'.

    Document to improve governance and operational processes

    Deliver value

    Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

    Simplify Training

    Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

    Maintain compliance

    Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

    Provide transparency

    Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Document what you need to document – and forget the rest

    Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

    Pie chart with three sections labelled 'Too Many Policies and Procedures 14%', 'Adequate Policies and Procedures 37%', 'Insufficient Policies and Procedures 49%'

    Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

    Two bar charts labelled 'Policy Adherence' and 'Policy Quality' each with three bars representing 'Too Many Policies and Procedures', 'Insufficient Policies and Procedures', and 'Adequate Policies and Procedures'. The values shown are an average score out of 5. For Policy Adherence: Too Many is 2.4, Insufficient is 2.1, and Adequate is 3.2. For Policy Quality: Too Many is 2.9, Insufficient is 2.6, and Adequate is 4.1.

    77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

    Presenting: A COBIT-aligned policy suite

    We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

    Policy templates and the related aspects of Info-Tech's IT Management & Governance Framework

    Info-Tech Best Practice

    Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

    Project outline

    Phases

    1. Identify policy and procedure gaps 2. Develop policies 3. Document effective procedures

    Steps

    • Review and right-size the existing policy set
    • Create an action plan to address policy gaps
    • Modify policy templates and gather feedback
    • Implement, enforce, measure, and maintain new policies
    • Scope and outline procedures
    • Document and maintain procedures

    Outcomes

    Action list of policy and procedure gaps New or updated Infrastructure & Operations policies Procedure documentation

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Accelerate policy development with a Guided Implementation

    Your trusted advisor is just a call away.

    • Identify Policy and Procedure Gaps (Calls 1-2)
      Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
    • Create and Review Policies (Calls 2-4)
      Modify and review policy templates with an Info-Tech analyst.
    • Create and Review Procedures (Calls 4-6)
      Workflow procedures, using templates wherever possible. Review documentation best practices.

    Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 1

    Identify Policy and Procedure Gaps

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.1: Review and right-size the existing policy set

    This step will walk you through the following activities:

    • Identify gaps in your existing policy suite
    • Document challenges to core Infrastructure & Operations processes
    • Identify documentation that can close gaps
    • Prioritize your documentation effort

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: A review of the existing policy suite and identification of opportunities for improvement.
    • Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

    Conduct a policy review

    Associated Activity icon 1(a) 30 minutes per policy

    You’ve got time to review your policy suite. Make the most of it.

    1. Start with organizational requirements.
      • What initiatives are on the go? What policies or procedures do you have a mandate to create?
    2. Weed out expired and dated policies.
      • Gather your existing policies. Identify when each one was published or last reviewed.
      • Decide whether to retire, merge, or update expired or obviously dated policy.
    3. Review policy statements.
      • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
    4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

    But they just want one policy...

    A review of your policy suite is good practice, especially when it hasn’t been done for a while. Why?
    • Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
    • Review the suite to validate that you’re addressing the most important challenges first.

    Brainstorm improvements for core Infrastructure & Operations processes

    Associated Activity icon 1(b) 1 hour

    Supplement the list of gaps from your policy review with process challenges.

    1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
    2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
    3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
    4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

    Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

    Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

    Business Continuity Management: Continue operation of critical business processes and IT services.

    Change Management: Deliver technical changes in a controlled manner.

    Configuration Management: Define and maintain relationships between technical components.

    Problem Management: Identify incident root cause.

    Operations Management: Coordinate operations.

    Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

    Service Desk: Respond to user requests and all incidents.

    PHASE 1: Identify Policy and Procedure Gaps

    Step 1.2: Create an action plan to address policy gaps

    This step will walk you through the following activities:

    • Identify challenges and gaps that can be addressed via documentation
    • Prioritize high-value, high-risk gaps

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
    • Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

    Support policies with procedures, standards, and guidelines

    Use a working definition for each type of document.

    Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

    • Standards: Prescriptive, uniform requirements.
    • Procedures: Specific, detailed, step-by-step instructions for completing a task.
    • Guidelines: Non-enforceable, recommended best practices.

    Info-Tech Best Practice

    Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

    Answer the following questions to decide if governance documentation can help close gaps

    Associated Activity icon 1(c) 30 minutes

    Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

    1. What is the purpose of the documentation?
      Procedures support task completion. Policies set direction and manage organizational risk.
    2. Should it be enforceable?
      Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
    3. What is the scope?
      To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
    4. What’s the expected cadence for updates?
      Policies should be revisited and revised less frequently than procedures.

    Info-Tech Best Practice

    Reinvent the wheel? I don’t think so!

    Always check to see if a gap can be addressed with existing tools before drafting a new policy

    • Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
    • Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
    • It may be simpler to amend an existing policy instead of creating a new one.

    Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

    Tackle high-value, high-risk gaps first

    Associated Activity icon 1(d) 30 minutes

    Prioritize your documentation effort.

    1. List each proposed piece of documentation on the board.
    2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
    3. Prioritize documentation that mitigates risks and maximizes benefits.
    4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

    Example Scoring Scale

    Score Business risk of missing documentation Business benefit of value of documentation

    1

    Low: Affects ad hoc activities or non-critical data. Low: Minimal impact.

    2

    Moderate: Impacts productivity or internal goodwill. Moderate: Required periodically; some cross-training opportunities.

    3

    High: Impacts revenue, safety, or external goodwill. High: Save time for common or ongoing processes; extensive improvement to training/knowledge transfer.

    Info-Tech Insight

    Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

    Phase 1: Review accomplishments

    Policy pillars: Standards, Procedures, Guidelines

    Summary of Accomplishments

    • Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
    • Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 2

    Develop Policies

    PHASE 2: Develop Policies

    Step 2.1: Modify policy templates and gather feedback

    This step will walk you through the following activities:

    • Modify policy templates

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer

    Results & Insights

    • Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
    • Insights: Effective policies are easy to read and navigate.

    Write Good-er: Be Clear, Consistent, and Concise

    Effective policies adhere to the three Cs of documentation.

    1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
    2. Be consistent. Write policies that complement each other, not contradict each other.
    3. Be concise. Make it as quick and easy as possible to read and understand your policy.

    Info-Tech Best Practice

    To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

    Use the three Cs: Be Clear

    Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

    1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
    2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
    3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
    4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
    5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
    6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

    Info-Tech Insight

    Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

    Use the three Cs: Be Consistent

    Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

    1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
    2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
    3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
    4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
    5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

    "One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

    Use the three Cs: Be Concise

    Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

    1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
    2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
    3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
    4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
    5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

    "If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    "I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

    Customize policy documents

    Associated Activity icon 2(a) 1-2 hours per policy

    Use the policies templates to support key Infrastructure & Operations programs.

    INPUT: List of prioritized policies

    OUTPUT: Written policy drafts ready for review

    Materials: Policy templates

    Participants: Policy writer, Signing authority

    No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

    1. Work through policies from highest to lowest priority as defined in Phase 1.
    2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
    3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
    4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
    5. Rinse and repeat. Iterate until all relevant polices are complete.

    Request, Incident, and Problem Management

    An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template.

    Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

    • IT Triage and Support Policy

    Support the program and associated policy statements using Info-Tech’s research:

    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Embrace Standardization

    • Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
    • Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
    • Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
    • Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
    • Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
    • Empower end users and technicians with knowledge bases that help them solve problems without intervention.

    Change, Release, and Patch Management

    Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template.

    Use the following templates to create policies that define effective patch, release, and change management:

    • Change Management Policy
    • Release and Patch Management Policy
    • Change Control – Freezes & Risk Evaluation Policy

    Ensure the policy is supported by using the following Info-Tech research:

    • Optimize Change Management

    Embrace Change

    • IT system owners resist change management when they see it as slow and bureaucratic.
    • At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
    • No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
    • Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

    IT Asset Management (ITAM)

    A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

    An icon for the 'BAI09 Asset Management' template.

    Start by outlining the requirements for effective asset management:

    • Hardware Asset Management Policy
    • Software Asset Management Policy

    Support ITAM policies with the following Info-Tech research:

    • Implement IT Asset Management

    Leverage Asset Data

    • Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
    • Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
    • Visibility into asset location and ownership improves security and accountability.
    • A centralized repository of asset data supports request fulfilment and incident management.
    • Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

    "Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Business Continuity Management (BCM)

    Streamline the traditional approach to make BCM practical and repeatable.

    An icon for the 'DSS04 DR and Business Continuity' template.

    Set the direction and requirements for effective BCM:

    • Business Continuity Management Policy

    Support the BCM policy with the following Info-Tech research:

    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan

    Build Organizational Resilience

    • Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
    • IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
    • Set an organizational mandate for BCM with the policy.
    • Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

    Info-Tech Best Practice

    Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

    Availability, Capacity, and Operations Management

    What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

    An icon for the 'BAI04 Availability and Capacity Management' template. An icon for the 'DSS01 Operations Management' template. An icon for the 'BAI10 Configuration Management' template.

    Set the direction and requirements for effective availability and capacity management:

    • Availability and Capacity Management Policy
    • System Maintenance Policy – NIST

    Support the policy with the following Info-Tech research:

    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook

    Mature Service Delivery

    • Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
    • Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
    • Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

    Enhance your overall security posture with a defensible, prescriptive policy suite

    Align your security policy suite with NIST Special Publication 800-171.

    Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

    • Start with a security charter that aligns the security program with organizational objectives.
    • Prioritize security policies that address significant risks.
    • Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

    A diagram listing all the different elements in a 'Security Charter': 'Access Control', 'Audit & Acc.', 'Awareness and Training', 'Config. Mgmt.', 'Identification and Auth.', 'Incident Response', 'Maintenance', 'Media Protection', 'Personnel Security', 'Physical Protection', 'Risk Assessment', 'Security Assessment', 'System and Comm. Protection', and 'System and Information Integrity'.

    Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

    Info-Tech Best Practice

    Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

    PHASE 2: Develop Policies

    Step 2.2: Implement, enforce, measure, and maintain new policies

    This step will walk you through the following activities:

    • Gather stakeholder feedback
    • Identify preventive and detective controls
    • Identify required supports
    • Seek policy approval
    • Establish roles and responsibilities for policy maintenance

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Infrastructure Supervisors
    • Technical Writer
    • Policy Stakeholders

    Results & Insights

    • Results: Well-supported policies that have received signoff.
    • Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

    Gather feedback from users to assess the feasibility of the new policies

    Associated Activity icon 2(b) Review period: 1-2 weeks

    Once the policies are drafted, roundtable the drafts with stakeholders.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
    2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
    3. Collect feedback from the group.
      • Consider using interviews, email surveys, chat channels, or group discussions.
      • Solicit ideas on how policy statements could be improved or streamlined.
    4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

    Info-Tech Best Practice

    Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

    Develop mechanisms for monitoring and enforcement

    Associated Activity icon 2(c) 20 minutes per policy

    Brainstorm preventive and detective controls.

    INPUT: Draft policies

    OUTPUT: Reviewed policy drafts ready for approval

    Materials: Policy drafts

    Participants: Policy stakeholders

    Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

    Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

    Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

    Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

    Suggestions:

    1. Have staff sign off on policies. Disclose any monitoring/surveillance.
    2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
    3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

    Support the policy before seeking approval

    A policy is only as strong as its supporting pillars.

    Create Standards

    Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

    Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

    Create Guidelines

    If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

    Create Procedures: We’ll cover procedure development and documentation in Phase 3.

    Info-Tech Insight

    In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

    Seek approval and communicate the policy

    Policies ultimately need to be accepted by the business.

    • Once the drafts are completed, identify who is in charge of approving the policies.
    • Ensure all stakeholders understand the importance, context, and repercussions of the policies.
    • The approvals process is about appropriate oversight of the drafted policies. For example:
      • Do the policies satisfy compliance and regulatory requirements?
      • Do the policies work with the corporate culture?
      • Do the policies address the underlying need?

    If the draft is rejected:

    • Acquire feedback and make revisions.
    • Resubmit for approval.

    If the draft is approved:

    • Set the effective date and a review date.
    • Begin communication, training, and implementation.
    • Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
    • Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
    • Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

    "A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

    Identify policy management roles and responsibilities

    Associated Activity icon 2(d) 30 minutes

    Discuss and assign roles and responsibilities for ongoing policy management.

    Role

    Responsibilities

    Executive sponsor

  • Supports the program at the highest levels of the business, as needed
  • Program lead

  • Leads the Infrastructure & Operations policy management program
  • Identifies and communicates status updates to the executive sponsor and the project team
  • Coordinates business demands and interviews and organizes stakeholders to identify requirements
  • Manages the work team and coordinates policy rollout
  • Policy writer

  • Authors and updates policies based on requirements
  • Coordinates with outsourced editor for completion of written documents
  • IT infrastructure SMEs

  • Provide technical insight into capabilities and limitations of infrastructure systems
  • Provide advice on possible controls that can aid policy rollout, monitoring, and enforcement
  • Legal expert

  • Provides legal advice on the policy’s legal terms and enforceability
  • "Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

    Phase 2: Review accomplishments

    Effective Policies: Clear, Consistent, and Concise

    An icon for the 'DSS02 Service Desk' template.

    An icon for the 'DSS03 Incident and Problem Management' template.

    An icon for the 'BAI06 Change Management' template.

    An icon for the 'BAI07 Release Management' template.

    An icon for the 'BAI09 Asset Management' template.

    An icon for the 'DSS04 DR and Business Continuity' template.

    An icon for the 'BAI04 Availability and Capacity Management' template.

    An icon for the 'DSS01 Operations Management' template.

    An icon for the 'BAI10 Configuration Management' template.

    Summary of Accomplishments

    • Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
    • Reviewed controls and policy supports.
    • Assigned roles and responsibilities for ongoing policy maintenance.

    Develop Infrastructure & Operations Policies and Procedures

    Phase 3

    Document Effective Procedures

    PHASE 3: Document Effective Procedures

    Step 3.1: Scope and outline procedures

    This step will walk you through the following activities:

    • Prioritize SOP documentation
    • Draft workflows using a tabletop exercise
    • Modify templates, as applicable

    This step involves the following participants:

    • Infrastructure & Operations Manager
    • Technical Writer
    • Infrastructure Supervisors

    Results & Insights

    • Results: An action plan for SOP documentation and an outline of procedure workflows.
    • Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

    Prioritize your SOP documentation effort

    Associated Activity icon 3(a) 1-2 hours

    Build SOP documentation that gets used and doesn’t just check a box.

    1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
    2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
    3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
    4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
      • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
      • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
      • Diagrams: Visualize objects, topologies, and connections for reference purposes.
      • Tables: Establish relationships between related categories.
      • Prose: Use full-text instructions where other documentation strategies are insufficient.

    Modify the following Info-Tech templates for larger SOPs

    Support these processes...

    ...with these blueprints...

    ...to create SOPs using these templates.

    An icon for the 'DSS04 DR and Business Continuity' template. Create a Right-Sized Disaster Recovery Plan DRP Summary
    An icon for the 'BAI09 Asset Management' template. Implement IT Asset Management HAM SOP and SAM SOP
    An icon for the 'BAI06 Change Management' template. An icon for the 'BAI07 Release Management' template. Optimize Change Management Change Management SOP
    An icon for the 'DSS02 Service Desk' template. An icon for the 'DSS03 Incident and Problem Management' template. Standardize the Service Desk Service Desk SOP

    Use tabletop planning or whiteboards to draft workflows

    Associated Activity icon 3(b) 30 minutes

    Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

    OUTPUT: Steps in the current process for one SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    1. For this exercise, choose one particular process to document.
    2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
    3. Be sure to include task ownership in your steps.
    4. Map out the process as it currently happens – we’ll think about how to improve it later.
    5. Keep focused. Stay on task and on time.

    Example:

    • Step 3: PM reviews new defects daily
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority

    Info-Tech Insight

    Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

    Collaborate to optimize the SOP

    Associated Activity icon 3(c) 30 minutes

    Review the tabletop exercise. What gaps exist in current processes?
    How can the processes be made better? What are the outputs and checkpoints?

    OUTPUT: Identify steps to optimize the SOP

    Materials: Tabletop, pen, and cue cards

    Participants: Process owners, SMEs

    Example:

    • Step 3: PM reviews new defects daily
    • NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
    • Step 4: PM assigns defects to tech leads
    • Step 5: Assigned resource updates status – frequency is based on ticket priority
      • Step 5 Subprocess: Ticket status update
      • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

    A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

    If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

    PHASE 3: Document Effective Procedures

    Step 3.2: Document effective procedures

    This step will walk you through the following activities:

    • Document workflows, checklists, and diagrams
    • Establish a cadence for document review and updates

    This step involves the following participants:

    • Infrastructure Manager
    • Technical Writer

    Results & Insights

    • Results: Improved SOP documentation and document management practices.
    • Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

    Document workflows with flowcharting software

    Suggestions for workflow documentation

    • Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
    • Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
    • Use standard flowchart shapes (see next slide).
    • Use links to connect to related documentation.
    • Review the documented workflow with participants.

    Download the following workflow examples:

    Establish flowcharting standards

    If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

    Basic flowcharting convention: a circle can be used for 'Start, End, and Connector'. Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
    Basic flowcharting convention: a rounded rectangle can be used for 'Start and End'. Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
    Basic flowcharting convention: a rectangle can be used for 'Process Step'. Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
    Basic flowcharting convention: a rectangle with double-line on the ends can be used for 'Subprocess'. Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
    Basic flowcharting convention: a diamond can be used for 'Decision'. Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
    Basic flowcharting convention: a rectangle with a wavy bottom can be used for 'Document/Report Output'. Document/Report Output: For example, the output from a backup process might include an error log.

    Support workflows with checklists and diagrams

    Diagrams

    • Diagrams are a visual representation of real-world phenomena and the connections between them.
    • Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
    • IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

    Examples:

    • XMPL Recovery Workflows
    • Workflow Library

    Checklists

    • Checklists are best used as short-form reminders on how to complete a particular task.
    • Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

    Examples:

    • Employee Termination Process Checklist
    • XMPL Systems Recovery Playbook

    Establish a cadence for documentation review and maintenance

    Lock-in the work with strong document management practices.

    • Identify documentation requirements as part of project planning.
    • Require a manager or supervisor to review and approve SOPs.
    • Check documentation status as part of change management.
    • Hold staff accountable for documentation.

    "It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

    Only a quarter of organizations update SOPs as needed

    A bar chart representing how often organizations update SOPs. Each option has two bars, one representing 'North America', the other representing 'Europe and Asia'. 'Never or rarely' is 11% in North America and 3% in Europe and Asia. 'Ad-hoc approach' is 38% in North America and 28% in Europe and Asia. 'For audits/annual reviews' is 33% in North America and 45% in Europe and Asia. 'As needed/via change management' is 18% in North America and 25% in Europe and Asia. Source: Info-Tech Research Group (N=104)

    Info-Tech Best Practice

    Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

    Phase 3: Review accomplishments

    Workflow documentation: Cue cards into flowcharts

    Summary of Accomplishments

    • Identified priority procedures for documentation activities.
    • Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
    • Published and maintained procedure documentation.

    Research contributors and experts

    Carole Fennelly, Owner
    cFennelly Consulting

    Picture of Carole Fennelly, Owner, cFennelly Consulting.

    Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

    Marko Diepold, IT Audit Manager
    audit2advise

    Picture of Marko Diepold, IT Audit Manager, audit2advise.

    Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

    Research contributors and experts

    Martin Andenmatten, Founder & Managing Director
    Glenfis AG

    Picture of Martin Andenmatten, Founder and Managing Director, Glenfis AG.

    Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

    Myles F. Suer, CIO Chat Facilitator
    CIO.com/Dell Boomi

    Picture of Myles F. Suer, CIO Chat Facilitator, CIO.com/Dell Boomi.

    Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

    Research contributors and experts

    Peter Sheingold, Portfolio Manager
    Cybersecurity, Homeland Security Center, The MITRE Corporation

    Picture of Peter Sheingold, Portfolio Manager, Cybersecurity, Homeland Security Center, The MITRE Corporation.

    Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

    Robert D. Austin, Professor
    Ivey Business School

    Picture of Robert D. Austin, Professor, Ivey Business School.

    Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

    Research contributors and experts

    Ron Jones, Director of IT Infrastructure and Service Management
    DATA Communications

    Picture of Ron Jones, Director of IT Infrastructure and Service Management, DATA Communications.

    Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

    Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
    University of Chicago

    Picture of Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations, University of Chicago.

    Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

    Research contributors and experts

    Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
    Point B

    Picture of Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant, Point B.

    Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

    Tony J. Read, Senior Program/Project Lead & Interim IT Executive
    Read & Associates

    Picture of Tony J. Read, Senior Program/Project Lead and Interim IT Executive, Read and Associates.

    Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

    Related Info-Tech research

    • Develop and Deploy Security Policies
    • Develop an Availability and Capacity Management Plan
    • Improve IT Operations Management
    • Develop an IT Infrastructure Services Playbook
    • Create a Right-Sized Disaster Recovery Plan
    • Develop a Business Continuity Plan
    • Implement IT Asset Management
    • Optimize Change Management
    • Standardize the Service Desk
    • Incident and Problem Management
    • Design & Build a User-Facing Service Catalog

    Bibliography

    “About Controls.” Ohio University, ND. Web. 2 Feb 2018.

    England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

    “Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

    “Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

    ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

    “IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

    King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

    Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

    Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

    “User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

    “The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.

    Tame the Project Backlog

    • Buy Link or Shortcode: {j2store}439|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Unmanaged project backlogs can become the bane of IT departments, tying IT leaders and PMO staff down to an ever-growing receptacle of project ideas that provides little by way of strategic value and that typically represents a lack of project intake and approval discipline.
    • Decision makers frequently use the backlog to keep the peace. Lacking the time to assess the bulk of requests, or simply wanting to avoid difficult conversations with stakeholders, they “approve” everything and leave it to IT to figure it out.
    • As IT has increasing difficulty assessing – let alone starting – any of the projects in the backlog, stakeholder relations suffer. Requestors view inclusion in the backlog as a euphemism for “declined,” and often characterize the backlog as the place where good project ideas go to die.
    • Faced with these challenges, you need to make your project backlog more useful and reliable. The backlog may contain projects worth doing, but in its current untamed state, you have difficulty discerning, let alone capitalizing upon, those instances of value.

    Our Advice

    Critical Insight

    • Project backlogs are an investment and need to be treated as such. Incurring a cost impact that can be measured in terms of time and money, the backlog needs to be actively managed to ensure that you’re investing wisely and getting a good return in terms of strategic value and project throughput.
    • Unmanageable project backlogs are rooted in bad habits and poorly-defined processes. Identifying the sources that fuel backlog growth is key to long-term success. Unless the problem is addressed at the root, any gains made in the near-term will simply fade away as old, unhealthy habits re-emerge and take hold.
    • Backlog management should facilitate executive awareness about the status of backlog items as new work is being approved. In the long run, this ongoing executive engagement will not only help to keep the backlog manageable, but it will also help to bring more even workloads to IT project staff.

    Impact and Result

    • Keep the best, forget the rest. Develop a near-term approach to limit the role of the backlog to include only those items that add value to the business.
    • Shine a light. Improve executive visibility into the health and status of the backlog so that the backlog is taken into account when decision makers approve new work.
    • Evolve the organizational culture. Effectively employ organizational change management practices to evolve the culture that currently exists around the project backlog in order to ensure customer-service needs are more effectively addressed.
    • Ensure long-term sustainability. Institute processes to make sure that your list of pending projects – should you still require one after implementing this blueprint – remains minimal, maintainable, and of high value.

    Tame the Project Backlog Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a more disciplined approach to managing your project backlog can help you realize increased value and project throughput.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a project backlog battle plan

    Calculate the cost of the project backlog and assess the root causes of its unmanageability.

    • Tame the Project Backlog – Phase 1: Create a Backlog Battle Plan
    • Project Backlog ROI Calculator

    2. Execute a near-term backlog cleanse

    Increase the manageability of the backlog by updating stale requests and removing dead weight.

    • Tame the Project Backlog – Phase 2: Execute a Near-Term Backlog Cleanse
    • Project Backlog Management Tool
    • Project Backlog Stakeholder Communications Template

    3. Ensure long-term backlog manageability

    Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.

    • Tame the Project Backlog – Phase 3: Ensure Long-Term Backlog Manageability
    • Project Backlog Operating Plan Template
    • Project Backlog Manager
    [infographic]

    Workshop: Tame the Project Backlog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Project Backlog Battle Plan

    The Purpose

    Gauge the manageability of your project backlog in its current state.

    Calculate the total cost of your project backlog investments.

    Determine the root causes that contribute to the unmanageability of your project backlog.

    Key Benefits Achieved

    An understanding of the organizational need for more disciplined backlog management.

    Visibility into the costs incurred by the project backlog.

    An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.

    Activities

    1.1 Calculate the sunk and marginal costs that have gone into your project backlog.

    1.2 Estimate the throughput of backlog items.

    1.3 Survey the root causes of your project backlog.

    Outputs

    The total estimated cost of the project backlog.

    A project backlog return-on-investment score.

    A project backlog root cause analysis.

    2 Execute a Near-Term Project Backlog Cleanse

    The Purpose

    Identify the most organizationally appropriate goals for your backlog cleanse.

    Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.

    Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance. 

    Key Benefits Achieved

    An effective, achievable, and organizationally right-sized approach to cleansing the backlog.

    Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.

    A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick. 

    Activities

    2.1 Establish roles and responsibilities for the near-term cleanse.

    2.2 Determine cleanse scope.

    2.3 Develop backlog prioritization criteria.

    2.4 Prepare a communication strategy.

    Outputs

    Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.

    Clearly defined and achievable goals.

    Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.

    A communication strategy to minimize stakeholder friction and resistance.

    3 Ensure Long-Term Project Backlog Manageability

    The Purpose

    Ensure ongoing backlog manageability.

    Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.

    Customize a best-practice toolkit to help keep the project backlog useful. 

    Key Benefits Achieved

    A list of pending projects that is minimal, maintainable, and of high value.

    Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.

    A backlog management tool and processes for ongoing manageability. 

    Activities

    3.1 Develop a project backlog management operating model.

    3.2 Configure a project backlog management solution.

    3.3 Assign roles and responsibilities for your long-term project backlog management processes.

    3.4 Customize a project backlog management operating plan.

    Outputs

    An operating model to structure your long-term strategy around.

    A right-sized management tool to help enable your processes and executive visibility into the backlog.

    Defined accountabilities for executing project backlog management responsibilities.

    Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.

    Define a Sourcing Strategy for Your Development Team

    • Buy Link or Shortcode: {j2store}161|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
    • Firms are seeking to do more with less and increase their development team throughput.
    • Globalization and increased competition are driving a need for more innovation in your applications.
    • Firms want more cost certainty and tighter control of their development investment.

    Our Advice

    Critical Insight

    • Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

    Impact and Result

    • We will help you build a sourcing strategy document for your application portfolio.
    • We will examine your portfolio and organization from three different perspectives to enable you to determine the right approach:
      • From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
      • From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage.
      • From a technical perspective, consider integration complexity, environmental complexity, and testing processes.

    Define a Sourcing Strategy for Your Development Team Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define a Sourcing Strategy for Your Development Team Storyboard – A guide to help you choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

    This project will help you define a sourcing strategy for your application development team by assessing key factors about your products and your organization, including critical business, technical, and organizational factors. Use this analysis to select the optimal sourcing strategy for each situation.

    • Define a Sourcing Strategy for Your Development Team Storyboard

    2. Define a Sourcing Strategy Workbook – A tool to capture the results of activities to build your sourcing strategy.

    This workbook is designed to capture the results of the activities in the storyboard. Each worksheet corresponds with an activity from the deck. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Define a Sourcing Strategy Workbook
    [infographic]

    Further reading

    Define a Sourcing Strategy for Your Development Team

    Choose the right resourcing strategy to keep pace with your rapidly changing application and development needs.

    Analyst Perspective

    Choosing the right sourcing strategy for your development team is about assessing your technical situation, your business needs, your organizational culture, and your ability to manage partners!

    Photo of Dr. Suneel Ghei, Principal Research Director, Application Development, Info-Tech Research Group

    Firms today are under continuous pressure to innovate and deliver new features to market faster while at the same time controlling costs. This has increased the need for higher throughput in their development teams along with a broadening of skills and knowledge. In the face of these challenges, there is a new focus on how firms source their development function. Should they continue to hire internally, offshore, or outsource? How do they decide which strategy is the right fit?

    Info-Tech’s research shows that the sourcing strategy considerations have evolved beyond technical skills and costs. Identifying the right strategy has become a function of the characteristics of the organization, its culture, its reliance on the business for knowledge, its strategic value of the application, its vendor management skills, and its ability to internalize external knowledge. By assessing these factors firms can identify the best sourcing mix for their development portfolios.

    Dr. Suneel Ghei
    Principal Research Director, Application Development
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Hiring quality development team resources is becoming increasingly difficult and costly in most domestic markets.
    • Firms are seeking to do more with less and increase their development team throughput.
    • Globalization and increased competition is driving a need for more innovation in your applications.
    • Firms want more cost certainty and tighter control of their development investment.
    Common Obstacles
    • Development leaders are encouraged to manage contract terms and SLAs rather than build long-term relationships.
    • People believe that outsourcing means you will permanently lose the knowledge around solutions.
    • Moving work outside of the current team creates motivational and retention challenges that can be difficult to overcome.
    Info-Tech’s Approach
    • Looking at this from these three perspectives will enable you to determine the right approach:
      1. From a business perspective, reliance on the business, strategic value of the product, and maturity of product ownership are critical.
      2. From an organizational perspective, you must examine your culture for communication processes, conflict resolution methods, vendor management skills, and geographic coverage
      3. From a technical perspective, consider integration complexity, environment complexity, and testing processes.

    Info-Tech Insight

    Choosing the right sourcing strategy is not just a question of technical skills! Successful sourcing is based on matching your organization’s culture, knowledge, and experiences to the right choice of internal or external partnership.

    Define a sourcing strategy for your development team

    Business
    • Business knowledge/ expertise required
    • Product owner maturity
    Technical
    • Complexity and maturity of technical environment
    • Required level of integration
    Organizational
    • Company culture
    • Desired geographic proximity
    • Required vendor management skills
    1. Assess your current delivery posture for challenges and impediments.
    2. Decide whether to build or buy a solution.
    3. Select your desired sourcing strategy based on your current state and needs.
    Example sourcing strategy with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'.

    Three Perspectives +

    Three Steps =

    Your Sourcing Strategy

    Diverse sourcing is used by many firms

    Many firms across all industries are making use of different sourcing strategies to drive innovation and solve business issues.

    According to a report by ReportLinker the global IT services outsourcing market reached US$413.8 billion in 2021.

    In a recent study of Canadian software firms, it was found that almost all firms take advantage of outside knowledge in their application development process. In most cases these firms also use outside resources to do development work, and about half the time they use externally built software packages in their products (Ghei, 2020)!

    Info-Tech Insight

    In today’s diverse global markets, firms that wish to stay competitive must have a defined ability to take advantage of external knowledge and to optimize their IT services spend.

    Modeling Absorptive Capacity for Open Innovation in the Canadian Software Industry (Source: Ghei, 2020; n=54.)

    56% of software development firms are sourcing applications instead of resources.

    68% of firms are sourcing external resources to develop software products.

    91% of firms are leveraging knowledge from external sources.

    Internal sourcing models

    Insourcing comes in three distinct flavors

    Geospatial map giving example locations for the three internal sourcing models. In this example, 'Head Office' is located in North America, 'Onshore' is 'Located in the same area or even office as your core business resources. Relative Cost: $$$', 'Near Shore' is 'Typically, within 1-3 time zones for ease of collaboration where more favorable resource costs exist. Relative Cost: $$', and 'Offshore' is 'Located in remote markets where significant labor cost savings can be realized. Relative Cost: $'.

    Info-Tech Insight

    Insourcing allows you to stay close to more strategic applications. But choosing the right model requires a strong look inside your organization and your ability to provide business knowledge support to developers who may have different skills and cultures and are in different geographies.

    Outsourcing models

    External sourcing can be done to different degrees

    Outsource Roles
    • Enables resource augmentation
    • Typically based on skills needs
    • Short-term outsourcing with eventual integration or dissolution
    Outsource Teams (or Projects)
    • Use of a full team or multiple teams of vendor resources
    • Meant to be temporary, with knowledge transfer at the end of the project
    Outsource Products
    • Use of a vendor to build, maintain, and support the full product
    • Requires a high degree of contract management skill

    Info-Tech Insight

    Outsourcing represents one of the most popular ways for organizations to source external knowledge and skills. The choice of model is a function of the organization’s ability to support the external resources and to absorb the knowledge back into the organization.

    Defining your sourcing strategy

    Follow the steps below to identify the best match for your organization

    Review Your Current Situation

    Review the issues and opportunities related to application development and categorize them based on the key factors.

    Arrow pointing right. Assess Build Versus Buy

    Before choosing a sourcing model you must assess whether a particular product or function should be bought as a package or developed.

    Arrow pointing right. Choose the Right Sourcing Strategy

    Based on the research, use the modeling tool to match the situation to the appropriate sourcing solution.

    Step 1.1

    Review Your Current Situation

    Activities
    • 1.1.1 Identify and categorize your challenges

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders
    Outcomes of this step

    Review your current delivery posture for challenges and impediments.

    Define a Sourcing Strategy for Your Development Team
    Step 1.1 Step 1.2 Step 1.3

    Review your situation

    There are three key areas to examine in your current situation:

    Business Challenges
    • Do you need to gain new knowledge to drive innovation?
    • Does your business need to enhance its software to improve its ability to compete in the market?
    • Do you need to increase your speed of innovation?

    Technology Challenges

    • Are you being asked to take tighter control of your development budgets?
    • Does your team need to expand their skills and knowledge?
    • Do you need to increase your development speed and capacity?

    Market Challenges

    • Is your competition seen as more innovative?
    • Do you need new features to attract new clients?
    • Are you struggling to find highly skilled and knowledgeable development resources?
    Stock image of multi-colored arrows travelling in a line together before diverging.

    Info-Tech Insight

    Sourcing is a key tool to solve business and technical challenges and enhance market competitiveness when coupled with a robust definition of objectives and a way to measure success.

    1.1.1 Identify and categorize your challenges

    60 minutes

    Output: List of the key challenges in your software lifecycle. Breakdown of the list into categories to identify opportunities for sourcing

    Participants: Product management team, Software development leadership team, Key stakeholders

    1. What challenge is your firm is facing with respect to your software that you think sourcing can address? (20 minutes)
    2. Is the challenge related to a business outcome, development methodology, or technology challenge? (10 minutes)
    3. Is the challenge due to a skills gap, budget or resource challenge, throughput issue, or a broader organizational knowledge or process issue? (10 minutes)
    4. What is the specific objective for the team/leader in addressing this challenge? (15 minutes)
    5. How will you measure progress and achievement of this objective? (5 minutes)

    Document results in the Define a Sourcing Strategy Workbook

    Identify and categorize your challenges

    Sample table for identifying and categorizing challenges, with column groups 'Challenge' and 'Success Measures' containing headers 'Issue, 'Category', 'Breadth', and 'Stakeholder' in the former, and 'Objective' and 'Measurement' in the latter.

    Step 1.2

    Assess Build Versus Buy

    Activities
    • 1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders

    Outcomes of this step

    Understand in your context the benefits and drawbacks of build versus buy, leveraging Info-Tech’s recommended definitions as a starting point.

    Define a Sourcing Strategy for Your Development Team

    Step 1.1 Step 1.2 Step 1.3

    Look vertically across the IT hierarchy to assess the impact of your decision at every level

    IT Hierarchy with 'Enterprise' at the top, branching out to 'Portfolio', then to 'Solution' at the bottom. The top is 'Strategic', the bottom 'Operational'.

    Regardless of the industry, a common and challenging dilemma facing technology teams is to determine when they should build software or systems in-house versus when they should rely wholly on an outside vendor for delivering on their technology needs.

    The answer is not as cut and dried as one would expect. Any build versus buy decision may have an impact on strategic and operational plans. It touches every part of the organization, starting with individual projects and rolling up to the enterprise strategy.

    Info-Tech Insight

    Do not ignore the impact of a build or buy decision on the various management levels in an IT organization.

    Deciding whether to build or buy

    It is as much about what you gain as it is about what problem you choose to have

    BUILD BUY

    Multi-Source Best of Breed

    Integrate various technologies that provide subset(s) of the features needed for supporting the business functions.

    Vendor Add-Ons & Integrations

    Enhance an existing vendor’s offerings by using their system add-ons either as upgrades, new add-ons, or integrations.
    Pros
    • Flexibility in choice of tools
    • In some cases, cost may be lower
    • Easier to enhance with in-house teams
    Cons
    • Introduces tool sprawl
    • Requires resources to understand tools and how they integrate
    • Some of the tools necessary may not be compatible with one another
    Pros
    • Reduces tool sprawl
    • Supports consistent tool stack
    • Vendor support can make enhancement easier
    • Total cost of ownership may be lower
    Cons
    • Vendor lock-in
    • The processes to enhance may require tweaking to fit tool capability

    Multi-Source Custom

    Integrate systems built in-house with technologies developed by external organizations.

    Single Source

    Buy an application/system from one vendor only.
    Pros
    • Flexibility in choice of tools
    • In some cases, cost may be lower
    • Easier to enhance with in-house teams
    Cons
    • May introduce tool sprawl
    • Requires resources to have strong technical skills
    • Some of the tools necessary may not be compatible with one another
    Pros
    • Reduces tool sprawl
    • Supports consistent tool stack
    • Vendor support can make enhancement easier
    • Total cost of ownership may be lower
    Cons
    • Vendor lock-in
    • The processes to enhance may require tweaking to fit tool capability

    1.2.1 Understand the benefits and drawbacks of build versus buy in your organizational context

    30 minutes

    Output: A common understanding of the different approaches to build versus buy applied to your organizational context

    Participants: Product management team, Software development leadership team, Key stakeholders

    1. Look at the previous slide, Deciding whether to build or buy.
    2. Discuss the pros and cons listed for each approach.
      1. Do they apply in your context? Why or why not?
      2. Are there some approaches not applicable in terms of how you wish to work?
    3. Record the curated list of pros and cons for the different build/buy approaches.
    4. For each approach, arrange the pros and cons in order of importance.

    Document results in the Define a Sourcing Strategy Workbook

    Step 1.3

    Choose the Right Sourcing Strategy

    Activities
    • 1.3.1 Determine the right sourcing strategy for your needs

    This step involves the following participants:

    • Product management team
    • Software development leadership team
    • Key stakeholders

    Outcomes of this step

    Choose your desired sourcing strategy based on your current state and needs.

    Define a Sourcing Strategy for Your Development Team

    Step 1.1 Step 1.2 Step 1.3

    Choose the right sourcing strategy

    • Based on our research, finding the right sourcing strategy for a particular situation is a function of three key areas:
      • Business drivers
      • Organizational drivers
      • Technical drivers
    • Each area has key characteristics that must be assessed to confirm which strategy is best suited for the situation.
    • Once you have assessed the factors and ranked them from low to high, we can then match your results with the best-fit strategy.
    Business
    • Business knowledge/ expertise required
    • Product owner maturity

    Technical

    • Complexity and maturity of technical environment
    • Required level of integration

    Organizational

    • Your culture
    • Desired geographic proximity
    • Required vendor management skills

    Business drivers

    To choose the right sourcing strategy, you need to assess your key drivers of delivery

    Product Knowledge
    • The level of business involvement required to support the development team is a critical factor in determining the sourcing model.
    • Both the breadth and depth of involvement are critical factors.
    Strategic Value
    • The strategic value of the application to the company is also a critical component.
    • The more strategic the application is to the company, the closer the sourcing should be maintained.
    • Value can be assessed based on the revenue derived from the application and the depth of use of the application by the organization.
    Product Ownership Maturity
    • To support sourcing models that move further from organizational boundaries a strong product ownership function is required.
    • Product owners should ideally be fully allocated to the role and engaged with the development teams.
    • Product owners should be empowered to make decisions related to the product, its vision, and its roadmap.
    • The higher their allocation and empowerment, the higher the chances of success in external sourcing engagements.
    Stock image of a person running up a line with a positive trend.

    Case Study: The GoodLabs Studio Experience Logo for GoodLabs Studio.

    INDUSTRY: Software Development | SOURCE: Interview with Thomas Lo, Co-Founder, GoodLabs Studio
    Built to Outsource Development Teams
    • GoodLabs is an advanced software innovation studio that provides bespoke team extensions or turnkey digital product development with high-caliber software engineers.
    • Unlike other consulting firms, GoodLabs works very closely with its customers as a unified team to deliver the most significant impact on clients’ projects.
    • With this approach, it optimizes the delivery of strong software engineering skills with integrated product ownership from the client, enabling long-term and continued success for its clients.
    Results
    • GoodLabs is able to attract top engineering talent by focusing on a variety of complex projects that materially benefit from technical solutions, such as cybersecurity, fraud detection, and AI syndrome surveillance.
    • Taking a partnership approach with the clients has led to the successful delivery of many highly innovative and challenging projects for the customers.

    Organizational drivers

    To choose the right sourcing strategy for a particular problem you need to assess the organization’s key capabilities

    Stock photo of someone placing blocks with illustrated professionals one on top of the other. Vendor Management
    • Vendor management is a critical skill for effective external sourcing.
    • This can be assessed based on the organization’s ability to cultivate and grow long-term relationships of mutual value.
    • The longevity and growth of existing vendor relationships can be a good benchmark for future success.
    Absorptive Capacity
    • To effectively make use of external sourcing models, the organization must have a well-developed track record of absorbing outside knowledge.
    • This can be assessed by looking at past cases where external knowledge was sourced and internalized, such as past vendor development engagements or use of open-source code.
    Organizational Culture
    • Another factor in success of vendor engagements and long-term relationships is the matching of organizational cultures.
    • It is key to measure the organization’s current position on items like communication strategy, geographical dispersal, conflict resolution strategy, and hierarchical vs flat management.
    • These factors should be documented and matched with partners to determine the best fit.

    Case Study: WCIRB California Logo for WCIRB California.

    INDUSTRY: Workers Compensation Insurance | SOURCE: Interview with Roger Cottman, Senior VP and CIO, WCIRB California
    Trying to Find the Right Match
    • WCIRB is finding it difficult to hire local resources in California.
    • Its application is a niche product. Since no off-the-shelf alternatives exist, the organization will require a custom application.
    • WCIRB is in the early stages of a digital platform project and is looking to bring in a partner to provide a full development team, with the goal of ideally bringing the application back in-house once it is built.
    • The organization is looking for a local player that will be able to integrate well with the business.
    • It has engaged with two mid-sized players but both have been slow to respond, so it is now considering alternative approaches.
    Info-Tech’s Recommended Approach
    • WCIRB is finding that mid-sized players don’t fit its needs and is now looking for a larger player
    • Based on our research we have advised that WCIRB should ensure the partner is geographically close to its location and can be a strategic partner, not simply work on an individual project.

    Technical drivers

    To choose the right sourcing strategy for a particular problem you need to assess your technical situation and capabilities

    Environment Complexity
    • The complexity of your technical environment is a hurdle that must be overcome for external sourcing models.
    • The number of environments used in the development lifecycle and the location of environments (physical, virtual, on-premises, or cloud) are key indicators.
    Integration Requirements
    • The complexity of integration is another key technical driver.
    • The number of integrations required for the application is a good measuring stick. Will it require fewer than 5, 5-10, or more than 10?
    Testing Capabilities
    • Testing of the application is a key technical driver of success for external models.
    • Having well-defined test cases, processes, and shared execution with the business are all steps that help drive success of external sourcing models.
    • Test automation can also help facilitate success of external models.
    • Measure the percentage of test cases that are standardized, the level of business involvement, and the percentage of test cases that are automated.
    Stock image of pixelated light.

    Case Study: Management Control Systems (MC Systems) Logo for MC Systems.

    INDUSTRY: Technology Services | SOURCE: Interview with Kathryn Chin See, Business Development and Research Analyst, MC Systems
    Seeking to Outsource Innovation
    • MC Systems is seeking to outsource its innovation function to get budget certainty on innovation and reduce costs. It is looking for a player that has knowledge of the application areas it is looking to enhance and that would augment its own business knowledge.
    • In previous outsourcing experiences with skills augmentation and application development the organization had issues related to the business depth and product ownership it could provide. The collaborations did not lead to success as MC Systems lacked product ownership and the ability to reintegrate the outside knowledge.
    • The organization is concerned about testing of a vendor-built application and how the application will be supported.
    Info-Tech’s Recommended Approach
    • To date MC Systems has had success with its outsourcing approach when outsourcing specific work items.
    • It is now looking to expand to outsourcing an entire application.
    • Info-Tech’s recommendation is to seek partners who can take on development of the application.
    • MC Systems will still need resources to bring knowledge back in-house for testing and to provide operational support.

    Choosing the right model


    Legend for the table below using circles with quarters to represent Low (0 quarters) to High (4 quarters).
    Determinant Key Questions to Ask Onshore Nearshore Offshore Outsource Role(s) Outsource Team Outsource Product(s)
    Business Dependence How much do you rely on business resources during the development cycle? Circle with 4 quarters. Circle with 3 quarters. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
    Absorptive Capacity How successful has the organization been at bringing outside knowledge back into the firm? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 1 quarter. Circle with 4 quarters.
    Integration Complexity How many integrations are required for the product to function – fewer than 5, 5-10, or more than 10? Circle with 4 quarters. Circle with 3 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 1 quarter. Circle with 0 quarters.
    Product Ownership Do you have full-time product owners in place for the products? Do product owners have control of their roadmaps? Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 2 quarters. Circle with 4 quarters. Circle with 4 quarters.
    Organization Culture Fit What are your organization’s communication and conflict resolution strategies? Is your organization geographically dispersed? Circle with 1 quarter. Circle with 1 quarter. Circle with 3 quarters. Circle with 1 quarter. Circle with 3 quarters. Circle with 4 quarters.
    Vendor Mgmt Skills What is your skill level in vendor management? How long are your longest-standing vendor relationships? Circle with 0 quarters. Circle with 1 quarter. Circle with 1 quarter. Circle with 2 quarters. Circle with 3 quarters. Circle with 4 quarters.

    1.3.1 Determine the right sourcing strategy for your needs

    60 minutes

    Output: A scored matrix of the key drivers of the sourcing strategy

    Participants: Development leaders, Product management team, Key stakeholders

    Choose one of your products or product families and assess the factors below on a scale of None, Low, Medium, High, and Full.

    • 3.1 Assess the business factors that drive selection using these key criteria (20 minutes):
      • 3.1.1 Product knowledge
      • 3.1.2 Strategic value
      • 3.1.3 Product ownership
    • 3.2 Assess the organizational factors that drive selection using these key criteria (20 minutes):
      • 3.2.1 Vendor management
      • 3.2.2 Absorptive capacity
      • 3.2.3 Organization culture
    • 3.3 Assess the technical factors that drive selection using these key criteria (20 minutes):
      • 3.3.1 Environments
      • 3.3.2 Integration
      • 3.3.3 Testing

    Document results in the Define a Sourcing Strategy Workbook

    Things to Consider When Implementing

    Once you have built your strategy there are some additional things to consider

    Things to Consider Before Acting on Your Strategy

    By now you understand what goes into an effective sourcing strategy. Before implementing one, there are a few key items you need to consider:

    Example 'Sourcing Strategy for Your Portfolio' with initiatives like 'Client-Facing Apps' and 'ERP Software' assigned to 'Onshore Dev', 'Outsource Team', 'Offshore Dev', 'Outsource App (Buy)', 'Outsource Dev', or 'Outsource Roles'. Start with a pilot
    • Changing sourcing needs to start with one team.
    • Grow as skills develop to limit risk.
    Build an IT workforce plan Enhance your vendor management skills Involve the business early and often
    • The business should feel they are part of the discussion.
    • See our Agile/DevOps Research Center for more information on how the business and IT can better work together.
    Limit sourcing complexity
    • Having too many different partners and models creates confusion and will strain your ability to manage vendors effectively.

    Bibliography

    Apfel, Isabella, et al. “IT Project Member Turnover and Outsourcing Relationship Success: An Inverted-U Effect.” Developments, Opportunities and Challenges of Digitization, 2020. Web.

    Benamati, John, and Rajkumar, T.M. “The Application Development Outsourcing Decision: An Application of the Technology Acceptance Model.” Journal of Computer Information Systems, vol. 42, no. 4, 2008, pp. 35-43. Web.

    Benamati, John, and Rajkumar, T.M. “An Outsourcing Acceptance Model: An Application of TAM to Application Development Outsourcing Decisions.” Information Resources Management Journal, vol. 21, no. 2, pp. 80-102, 2008. Web.

    Broekhuizen, T. L. J., et al. “Digital Platform Openness: Drivers, Dimensions and Outcomes.” Journal of Business Research, vol. 122, July 2019, pp. 902-914. Web.

    Brook, Jacques W., and Albert Plugge. “Strategic Sourcing of R&D: The Determinants of Success.” Business Information Processing, vol. 55, Aug. 2010, pp. 26-42. Web.

    Delen, G. P A.J., et al. “Foundations for Measuring IT-Outsourcing Success and Failure.” Journal of Systems and Software, vol. 156, Oct. 2019, pp. 113-125. Web.

    Elnakeep, Eman, et al. “Models and Frameworks for IS Outsourcing Structure and Dimensions: A Holistic Study.” Lecture notes in Networks and Systems, 2019. Web.

    Ghei, Suneel. Modeling Absorptive Capacity for Open Innovation in the Software Industry. 2020. Faculty of Graduate Studies, Athabasca University, 2020. DBA Dissertation.

    “IT Outsourcing Market Research Report by Service Model, Organization Sizes, Deployment, Industry, Region – Global Forecast to 2027 – Cumulative Impact of COVID-19.” ReportLinker, April 2022. Web.

    Jeong, Jongkil Jay, et al. “Enhancing the Application and Measurement of Relationship Quality in Future IT Outsourcing Studies.” 26th European Conference on Information Systems: Beyond Digitization – Facets of Socio-Tehcnical Change: Proceedings of ECIS 2018, Portsmouth, UK, June 23-28, 2018. Edited by Peter Bednar, et al., 2018. Web.

    Könning, Michael. “Conceptualizing the Effect of Cultural Distance on IT Outsourcing Success.” Proceedings of Australasian Conference on Information Systems 2018, Sydney, Australia, Dec. 3-5, 2018. Edited by Matthew Noble, UTS ePress, 2018. Web.

    Lee, Jae-Nam, et al. “Holistic Archetypes of IT Outsourcing Strategy: A Contingency Fit and Configurational Approach.” MIS Quarterly, vol. 43, no. 4, Dec. 2019, pp. 1201-1225. Web.

    Loukis, Euripidis, et al. “Determinants of Software-as-a-Service Benefits and Impact on Firm Performance.” Decision Support Systems, vol. 117, Feb. 2019, pp. 38-47. Web.

    Martensson, Anders. “Patterns in Application Development Sourcing in the Financial Industry.” Proceedings of the 13th European Conference of Information Systems, 2004. Web.

    Martínez-Sánchez, Angel, et al. “The Relationship Between R&D, the Absorptive Capacity of Knowledge, Human Resource Flexibility and Innovation: Mediator Effects on Industrial Firms.” Journal of Business Research, vol. 118, Sept. 2020, pp. 431-440. Web.

    Moreno, Valter, et al. “Outsourcing of IT and Absorptive Capacity: A Multiple Case Study in the Brazilian Insurance Sector.” Brazilian Business Review, vol. 17, no. 1, Jan.-Feb. 2020, pp. 97-113. Web.

    Ozturk, Ebru. “The Impact of R&D Sourcing Strategies on Basic and Developmental R&D in Emerging Economies.” European Journal of Innovation Management, vol. 21, no. 7, May 2018, pp. 522-542. Web.

    Ribas, Imma, et al. “Multi-Step Process for Selecting Strategic Sourcing Options When Designing Supply Chains.” Journal of Industrial Engineering and Management, vol. 14, no. 3, 2021, pp. 477-495. Web.

    Striteska, Michaela Kotkova, and Viktor Prokop. “Dynamic Innovation Strategy Model in Practice of Innovation Leaders and Followers in CEE Countries – A Prerequisite for Building Innovative Ecosystems.” Sustainability, vol. 12, no. 9, May 2020. Web.

    Thakur-Wernz, Pooja, et al. “Antecedents and Relative Performance of Sourcing Choices for New Product Development Projects.” Technovation, 2020. Web.

    Knowledge Management

    • Buy Link or Shortcode: {j2store}33|cart{/j2store}
    • Related Products: {j2store}33|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.0/10
    • member rating average dollars saved: $10,000
    • member rating average days saved: 2
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources
    Mitigate Key IT Employee Knowledge Loss

    Incident Management for Small Enterprise

    • Buy Link or Shortcode: {j2store}482|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $6,531 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Incident & Problem Management
    • Parent Category Link: /incident-and-problem-management
    • Technical debt and disparate systems are big constraints for most small enterprise (SE) organizations. What may have worked years ago is no longer fit for purpose or the business is growing faster than the current tools in place can handle.
    • Super specialization of knowledge is also a common factor in smaller teams caused by complex architectures. While helpful, if that knowledge isn’t documented it can walk out the door with the resource and the rest of the team is left scrambling.
    • Lessons learned may be gathered for critical incidents but often are not propagated, which impacts the ability to solve recurring incidents.
    • Over time, repeated incidents can have a negative impact on the customer’s perception that the service desk is a credible and essential service to the business.

    Our Advice

    Critical Insight

    • Go beyond the blind adoption of best-practice frameworks. No simple formula exists for improving incident management maturity. Identify the challenges in your incident lifecycle and draw on best-practice frameworks pragmatically to build a structured response to those challenges.
    • Track, analyze, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns you can be susceptible to recurring incidents that increase in damage over time. Make the case for problem management, and successfully reduce the volume of unplanned work by scheduling it into regular IT activity.
    • Recurring incidents will happen; use runbooks for a consistent response each time. Save your organization response time and confusion by developing your own specific incident use cases. Incident response should follow a standard process, but each incident will have its own escalation process or call tree that identifies key participants.

    Impact and Result

    • Effective and efficient management of incidents involves a formal process of identifying, classifying, categorizing, responding, resolving, and closing of each incident. The key for smaller organizations, where technology or resources is a constraint, is to make the best practices usable for your unique environment.
    • Develop a plan that aligns with your organizational needs, and adapt best practices into light, sustainable processes, with the goal to improve time to resolve, cost to serve, and ultimately, end-user satisfaction.
    • Successful implementation of incident management will elevate the maturity of the service desk to a controlled state, preparing you for becoming proactive with problem management.

    Incident Management for Small Enterprise Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement incident management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and log incidents

    This phase will provide an overview of the incident lifecycle and an activity on how to classify the various types of incidents in your environment.

    • Service Desk Standard Operating Procedure
    • Incident Management Workflow Library (Visio)
    • Incident Management Workflow Library (PDF)

    2. Prioritize and define SLAs

    This phase will help you develop a categorization scheme for incident handling that ensures success and keeps it simple. It will also help you identify the most important runbooks necessary to create first.

    • Service Desk Ticket Categorization Schemes
    • IT Incident Runbook Prioritization Tool
    • IT Incident Management Runbook Blank Template

    3. Respond, recover, and close incidents

    This phase will help you identify how to use a knowledgebase to resolve incidents quicker. Identify what needs to be answered during a post-incident review and identify the criteria needed to invoke problem management.

    • Knowledgebase Article Template
    • Root-Cause Analysis Template
    • Post-Incident Review Questions Tracking Tool
    [infographic]

    Workshop: Incident Management for Small Enterprise

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Current State

    The Purpose

    Assess the current state of the incident management lifecycle within the organization.

    Key Benefits Achieved

    Understand the incident lifecycle and how to classify them in your environment.

    Identify the roles and responsibilities of the incident response team.

    Document the incident workflows to identify areas of opportunities.

    Activities

    1.1 Outline your incident lifecycle challenges.

    1.2 Identify and classify incidents.

    1.3 Identify roles and responsibilities for incident handling.

    1.4 Design normal and critical incident workflows for target state.

    Outputs

    List of incident challenges for each phase of the incident lifecycle

    Incident classification scheme mapped to resolution team

    RACI chart

    Incident Workflow Library

    2 Define the Target State

    The Purpose

    Design or improve upon current incident and ticket categorization schemes, priority, and impact.

    Key Benefits Achieved

    List of the most important runbooks necessary to create first and a usable template to go forward with

    Activities

    2.1 Improve incident categorization scheme.

    2.2 Prioritize and define SLAs.

    2.3 Understand the purpose of runbooks and prioritize development.

    2.4 Develop a runbook template.

    Outputs

    Revised ticket categorization scheme

    Prioritization matrix based on impact and urgency

    IT Incident Runbook Prioritization Tool

    Top priority incident runbook

    3 Bridge the Gap

    The Purpose

    Respond, recover, and close incidents with root-cause analysis, knowledgebase, and incident runbooks.

    Key Benefits Achieved

    This module will help you to identify how to use a knowledgebase to resolve quicker.

    Identify what needs to be answered during a post-incident review.

    Identify criteria to invoke problem management.

    Activities

    3.1 Build a targeted knowledgebase.

    3.2 Build a post-incident review process.

    3.3 Identify metrics to track success.

    3.4 Build an incident matching process.

    Outputs

    Working knowledgebase template

    Root-cause analysis template and post-incident review checklist

    List of metrics

    Develop criteria for problem management

    IT Governance

    • Buy Link or Shortcode: {j2store}22|cart{/j2store}
    • Related Products: {j2store}22|crosssells{/j2store}
    • Up-Sell: {j2store}22|upsells{/j2store}
    • member rating overall impact (scale of 10): 9.2/10
    • member rating average dollars saved: $124,127
    • member rating average days saved: 37
    • Parent Category Name: Strategy and Governance
    • Parent Category Link: /strategy-and-governance
    Read our concise Executive Brief to find out why you may want to redesign your IT governance, Review our methodology, and understand how we can support you in completing this process.

    Define Your Digital Business Strategy

    • Buy Link or Shortcode: {j2store}55|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $83,641 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Your organizational digital business strategy sits on the shelf because it fails to guide implementation.
    • Your organization has difficulty adapting new technologies or rethinking their existing business models.
    • Your organization lacks a clear vision for the digital customer journey.
    • Your management team lacks a framework to rethink how your organization delivers value today, which causes annual planning to become an ideation session that lacks focus.

    Our Advice

    Critical Insight

    • Pre-pandemic digital strategies have been primarily focused on automation. However, your post-pandemic digital strategy must focus on driving resilience for growth opportunities.

    Impact and Result

    • Design a strategy that applies innovation to your business model, streamline and transform processes, and make use of technologies to enhance interactions with customers and employees.
    • Use digital for transforming non-routine cognitive activities and for derisking key elements of the value chain.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    Define Your Digital Business Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Digital Business Strategy Deck – A step-by-step document that walks you through how to identify top value chains and a digitally enabled growth opportunity, transform stakeholder journeys, and build a digital transformation roadmap.

    This blueprint guides you through a value-driven approach to digital transformation that allows you to identify what aspects of the business to transform, what technologies to embrace, what processes to automate, and what new business models to create. This approach to digital transformation unifies digital possibilities with your customer experiences.

    • Define Your Digital Business Strategy – Phases 1-4

    2. Digital Business Strategy Workbook – A tool to guide you in planning and prioritizing projects to build an effective digital business strategy.

    This tool guides you in planning and prioritizing projects to build an effective digital business strategy. Key activities include conducting a horizon scan, conducting a journey mapping exercise, prioritizing opportunities from a journey map, expanding opportunities into projects, and lastly, building the digital transformation roadmap using a Gantt chart visual to showcase project execution timelines.

    • Digital Strategy Workbook

    3. Digital Business Strategy Final Report Template – Use this template to capture the synthesized content from outputs of the activities.

    This deck is a visual presentation template for this blueprint. The intent is to capture the contents of the activities in a presentation PowerPoint. It uses sample data from “City of X” to demonstrate the digital business strategy.

    • Digital Business Strategy Final Report Template
    [infographic]

    Workshop: Define Your Digital Business Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Two Existing Value Chains

    The Purpose

    Understand how your organization creates value today.

    Key Benefits Achieved

    Identify opportunities for digital transformation in how you currently deliver value today.

    Activities

    1.1 Validate business context.

    1.2 Assess business ecosystem.

    1.3 Identify and prioritize value streams.

    1.4 Break down value stream into value chains.

    Outputs

    Business context

    Overview of business ecosystem

    Value streams and value chains

    2 Identify a Digitally Enabled Growth Opportunity

    The Purpose

    Leverage strategic foresight to evaluate how complex trends can evolve over time and identify opportunities to leapfrog competitors.

    Key Benefits Achieved

    Identify a leapfrog idea to sidestep competitors.

    Activities

    2.1 Conduct a horizon scan.

    2.2 Identify leapfrog ideas.

    2.3 Identify impact to existing or new value chains.

    Outputs

    One leapfrog idea

    Corresponding value chain

    3 Transform Stakeholder Journeys

    The Purpose

    Design a journey map to empathize with your customers and identify opportunities to streamline or enhance existing and new experiences.

    Key Benefits Achieved

    Identify a unified view of customer experience.

    Identify opportunities to automate non-routine cognitive tasks.

    Identify gaps in value delivery.

    Improve customer journey.

    Activities

    3.1 Identify stakeholder persona.

    3.2 Identify journey scenario.

    3.3 Conduct one journey mapping exercise.

    3.4 Identify opportunities to improve stakeholder journey.

    3.5 Break down opportunities into projects.

    Outputs

    Stakeholder persona

    Stakeholder scenario

    Journey map

    Journey-based projects

    4 Build a Digital Transformation Roadmap

    The Purpose

    Build a customer-centric digital transformation roadmap.

    Key Benefits Achieved

    Keep your team on the same page with key projects, objectives, and timelines.

    Activities

    4.1 Prioritize and categorize initiatives.

    4.2 Build roadmap.

    Outputs

    Digital goals

    Unified roadmap

    Further reading

    Define Your Digital Business Strategy

    After a major crisis, find your place in the digital economy.

    Info-Tech Research Group

    Info-Tech is a provider of best-practice IT research advisory services that make every IT leader’s job easier.

    35,000 members sharing best practices you can leverage

    Millions spent developing tools and templates annually

    Leverage direct access to over 100 analysts as an extension of your team

    Use our massive database of benchmarks and vendor assessments

    Get up to speed in a fraction of the time

    Analyst Perspective

    Build business resilience and prepare for a digital economy.

    This is a picture of Senior Research Analyst, Dana Daher

    Dana Daher
    Senior Research Analyst

    To survive one of the greatest economic downturns since the Great Depression, organizations had to accelerate their digital transformation by engaging with the Digital Economy. To sustain growth and thrive as the pandemic eases, organizations must focus their attention on building business resilience by transforming how they deliver value today.
    This requires a value-driven approach to digital transformation that is capable of identifying what aspects of the business to transform, what technologies to embrace, what processes to automate, and what new business models to create. And most importantly, it needs to unify digital possibilities with your customer experiences.
    If there was ever a time for an organization to become a digital business, it is today.

    Executive Summary

    Your Challenge

    • Your organization has difficulty adapting new technologies or rethinking the existing business models.
    • Your management lacks a framework to rethink how your organization delivers value today, which causes annual planning to become an ideation session that lacks focus.
    • There is uncertainty on how to meet evolving customer needs and how to compete in a digital economy.

    Common Obstacles

    • Your organization might approach digital transformation as if we were still in 2019, not recognizing that the pandemic resulted in a major shift to an end-to-end digital economy.
    • Your senior-most leadership thinks digital is "IT's problem" because digital is viewed synonymously with technology.
    • On the other hand, your IT team lacks the authority to make decisions without the executives’ involvement in the discussion around digital.

    Info-Tech’s Approach

    • Design a strategy that applies innovation to your business model, streamline and transform processes, and make use of technologies to enhance interactions with customers and employees.
    • Use digital for transforming non-routine cognitive activities and for de-risking key elements of the value chain.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    Info-Tech Insight

    After a major crisis, focus on restarting the growth engine and bolstering business resilience.

    Your digital business strategy aims to transform the business

    Digital Business Strategy

    • Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
    • Unifies digital possibilities with your customer experiences.
    • Accountability lies with the executive leadership.
    • Must involve cross-functional participation from senior management from the different areas of the organization.

    IT Strategy

    • Aims to identify how to change, fix, or improve technology in support of the organization’s business strategy.
    • Accountability lies with the CIO.
    • Must involve IT management and gather strategic input from the business.

    Becoming a digital business

    Automate tasks to free up time for innovation.

    Business activities (tasks, procedures, and processes, etc.) are used to create, sell, buy, and deliver goods and services.

    When we convert information into a readable format used by computers, we call this digitization (e.g. converting paper into digital format). When we convert these activities into a format to be processed by a computer, we have digitalization (e.g. scheduling appointments online).

    These two processes alter how work takes place in an organization and form the foundation of the concept digital transformation.

    We maintain that digital transformation is all about becoming a “digital business” – an organization that performs more than 66% of all work activities via executable code.

    As organizations take a step closer to this optimal state, new avenues are open to identify advances to promote growth, enhance customer experiences, secure sustainability, drive operational efficiencies, and unearth potential future business ventures.

    Key Concepts:

    Digital: The representation of a physical item in a format used by computers

    Digitization: Conversion of information and processes into a digital format

    Digitalization: Conversion of information into a format to be processed by a computer

    Why transform your business?

    COVID-19 has irrefutably changed livelihoods, businesses, and the economy. During the pandemic, digital tools have acted as a lifeline, helping businesses and economies survive, and in the process, have acted as a catalyst for digital transformation.

    As organizations continue to safeguard business continuity and financial recovery, in the long term, recovery won’t be enough.

    Although many pandemic/recession recovery periods have occurred before, this next recovery period will present two first-time challenges no one has faced before. We must find ways to:

    • Recover from the COVID-19 recession.
    • Compete in a digital economy.

    To grow and thrive in this post-pandemic world, organizations must provide meaningful and lasting changes to brace for a future defined by digital technologies. – Dana Daher, Info-Tech Research Group

    We are amid an economic transformation

    What we are facing today is a paradigm shift transforming the ways in which we work, live, and relate to one another.

    In the last 60 years alone, performance and productivity have been vastly improved by IT in virtually all economic activities and sectors. And today, digital technologies continue to advance IT's contribution even further by bringing unprecedented insights into economic activities that have largely been untouched by IT.

    As technological innovation and the digitalization of products and services continue to support economic activities, a fundamental shift is occurring that is redefining how we live, work, shop, and relate to one another.

    These rapid changes are captured in a new 21st century term:

    The Digital Economy.

    90% of CEOs believe the digital economy will impact their industry. But only 25% have a plan in place. – Paul Taylor, Forbes, 2020

    Analyst Perspective

    Become a Digital Business

    this is a picture of Research Fellow, Kenneth McGee

    Kenneth McGee
    Research Fellow

    Today, the world faces two profoundly complex, mega-challenges simultaneously:

    1. Ending the COVID-19 pandemic and recession.
    2. Creating strategies for returning to business growth.

    Within the past year, healthcare professionals have searched for and found solutions that bring real hope to the belief the global pandemic/recession will soon end.

    As progress towards ending COVID-19 continues, business professionals are searching for the most effective near-term and long-term methods of restoring or exceeding the rates of growth they were enjoying prior to 2020.

    We believe developing a digital business strategy can deliver cost savings to help achieve near-term business growth while preparing an enterprise for long-term business growth by effectively competing within the digital economy of the future.

    The Digital Economy

    The digital economy refers to a concept in which all economic activity is facilitated or managed through digital technologies, data, infrastructure, services, and products (OECD, 2020).

    The digital economy captures decades of digital trends including:

    • Declining enterprise computing costs
    • Improvements in computing power and performance; unprecedent analytic capabilities
    • Rapid growth in network speeds, affordability, and geographic reach
    • High adoption rates of PCs, mobile, and other computing devices

    These trends among others have set the stage to permanently alter how buying and selling will take place within and between local, regional, national, and international economies.

    The emerging digital economy concept is so compelling that the world economists, financial experts, and others are currently investigating how they must substantially rewrite the rules governing how taxes, trade, tangible and intangible assets, and countless other financial issues will be assessed and valued in a digital economy.

    Download Info-Tech’s Digital Economy Report

    Signals of Change

    60%
    of People on Earth Use the Internet
    (DataReportal, 2021)
    20%
    of Global Retail Sales Performed via E-commerce
    (eMarketer, 2021)
    6.64T
    Global Business-to-Business
    E-commerce Market
    (Derived from The Business Research Company, 2021)
    9.6%
    of US GDP ($21.4T) accounted for by the digital economy ($2.05T)
    (Bureau of Economic Analysis, 2021)

    The digital economy captures technological developments transforming the way in which we live, work, and socialize

    Technological evolution

    this image contains a timeline of technological advances, from computers and information technology, to the digital economy of the future

    Info-Tech’s approach to digital business strategy

    A path to thrive in a digital economy.

    1. Identify top value chains to be transformed
    2. Identify a digitally enabled growth opportunity
    3. Transform stakeholder journeys
    4. Build a digital transformation roadmap

    Info-Tech Insight

    Pre-pandemic digital strategies have been primarily focused on automation. However, your post-pandemic digital strategy must focus on driving resilience for growth opportunities.

    The Info-Tech difference:

    • Understand how your organization creates value today to identify opportunities for digital transformation.
    • Leverage strategic foresight to evaluate how complex trends can evolve over time and identify opportunities to leapfrog competitors.
    • Design a journey map to empathize with your customers and identify opportunities to streamline or enhance existing and new experiences.
    • Create a balanced roadmap that improves digital maturity and prepares you for long-term success in a digital economy.

    A digital transformation starts by transforming how you deliver value today

    As digital transformation is an effort to transform how you deliver value today, it is important to understand the different value-generating activities that deliver an outcome for and from your customers.

    We do this by looking at value streams –which refer to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer (and so the question to ask is, how do you make money as an organization?).

    Our approach helps you to digitally transform those value streams that generate the most value for your organization.

    Higher Education Value stream

    Recruitment → Admission → Student Enrolment → Instruction & Research → Graduation → Advancement

    Local Government Value Stream

    Sustain Land, Property, and the Environment → Facilitate Civic Engagement → Protect Local Health and Safety → Grow the Economy → Provide Regional Infrastructure

    Manufacturing Value Stream

    Design Product → Produce Product → Sell Product

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    Assess your external environment to identify new value generators

    Assessing your external environment allows you to identify trends that will have a high impact on how you deliver value today.

    Traditionally, a PESTLE analysis is used to assess the external environment. While this is a helpful tool, it is often too broad as it identifies macro trends that are not relevant to an organization's addressable market. That is because not every factor that affects the macro environment (for example, the country of operation) affects a specific organization’s industry in the same way.

    And so, instead of simply assessing the macro environment and trying to project its evolution along the PESTLE factors, we recommend to:

    • Conduct a PESTLE first and deduce, from the analysis, what are possible shifts in six characteristics of an organization’s industry, or
    • Proceed immediately with identifying evolutionary trends that impact the organization’s direct market.

    the image depicts the relationship of factors from the Macro Environment, to the Industry/Addressable Market, to the Organization. the macro environmental factors are Political; Economic; Social; Technological; Legal; and Environmental. the Industry/addressable market factors are the Customer; Talent; Regulation; technology and; Supply chain.

    Info-Tech Insight

    While PESTLE is helpful to scan the macro environment, the analysis often lacks relevance to an organization’s industry.

    An analysis of evolutionary shifts in five industry-specific characteristics would be more effective for identifying trends that impact the organization

    A Market Evolution Trend Analysis (META) identifies changes in prevailing market conditions that are directly relevant to an organization’s industry, and thus provides some critical input to the strategy design process, since these trends can bring about strategic risks or opportunities.
    Shifts in these five characteristics directly impact an organization:

    ORGANIZATION

    • Customer Expectations
    • Talent Availability
    • Regulatory System
    • Supply Chain Continuity
    • Technological Landscape

    Capture existing and new value generators through a customer journey map

    As we prioritize value streams, we break them down into value chains – that is the “string” of processes that interrelate that work.

    However, once we identify these value chains and determine what parts we wish to digitally transform, we take on the perspective of the user, as the way they interact with your products and services will be different to the view of those within the organization who implement and provide those services.

    This method allows us to build an empathetic and customer-centric lens, granting the capability to uncover challenges and potential opportunities. Here, we may define new experiences or redesign existing ones.

    This image contains an example of how a school might use a value chain and customer journey map. the value streams listed include: Recruitment; Admission; Student Enrolment; Instruction& Research; Graduation; and Advancement. the Value chain for the Instruction and Research Value stream. The value chain includes: Research; Course Creation, Delivery, and assessment. The Customer journey map for curricula delivery includes: Understanding the needs of students; Construct the course material; Deliver course material; Conduct assessment and; Upload Grades into system

    A digital transformation is not just about customer journeys but also about building business resilience

    Pre-pandemic, a digital transformation was primarily focused around improving customer experiences. Today, we are facing a paradigm shift in the way in which we capture the priorities and strategies for a digital transformation.

    As the world grows increasingly uncertain, organizations need to continue to focus on improving customer experience while simultaneously protecting their enterprise value.

    Ultimately, a digital transformation has two purposes:

    1. The classical model – whereby there is a focus on improving digital experiences.
    2. Value protection or the reduction of enterprise risk by systematically identifying how the organization delivers value and digitally transforming it to protect future cashflows and improve the overall enterprise value.
    Old Paradigm New Paradigm
    Predictable regulatory changes with incremental impact Unpredictable regulatory changes with sweeping impact
    Reluctance to use digital collaboration Wide acceptance of digital collaboration
    Varied landscape of brick-and-mortar channels Last-mile consolidation
    Customers value brand Customers value convenience/speed of fulfilment
    Intensity of talent wars depends on geography Broadened battlefields for the war for talent
    Cloud-first strategies Cloud-only strategies
    Physical assets Aggressive asset decapitalization
    Digitalization of operational processes Robotization of operational processes
    Customer experience design as an ideation mechanism Business resilience for value protection and risk reduction

    Key deliverable:

    Digital Business Strategy Presentation Template

    A highly visual and compelling presentation template that enables easy customization and executive-facing content.

    three images are depicted, which contain slides from the Digital Business Strategy presentation template, which will be available in 2022.

    *Coming in 2022

    Blueprint deliverables

    The Digital Business Strategy Workbook supports each step of this blueprint to help you accomplish your goals:

    Initiative Prioritization

    A screenshot from the Initiative Prioritization blueprint is depicted, no words are legible in the image.

    Use the weighted scorecard approach to evaluate and prioritize your opportunities and initiatives.

    Roadmap Gantt Chart

    A screenshot from the Roadmap Gantt Chart blueprint is depicted, no words are legible in the image.

    Populate your Gantt chart to visually represent your key initiative plan over the next 12 months.

    Journey Mapping Workbook

    A screenshot from the Journey Mapping Workbook blueprint is depicted, no words are legible in the image.

    Populate the journey maps to evaluate a user experience over its end-to-end journey.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 0 Phase 1 Phase 2 Phase 3 Phase 4
    Call #1:
    Discuss business context and customize your organization’s capability map.
    Call #2:
    Assess business ecosystem.
    Call #3:
    Perform horizon scanning and trends identification.
    Call #5:
    Identify stakeholder personas and scenarios.
    Call #7:
    Discuss initiative generation and inputs into roadmap.
    Call #3:
    Identify how your organization creates value.
    Call #4:
    Discuss value chain impact.
    Call #6:
    Complete journey mapping exercise.
    Call #8:
    Summarize results and plan next steps.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

    Workshop Requirements

    Business Inputs

    Gather business strategy documents and find information on:

    • Business goals
    • Current transformation initiatives
    • Business capabilities to create or enhance
    • Identify top ten revenue and expense generators
    • Identify stakeholders

    Interview the following stakeholders to uncover business context information:

    • CEO
    • CIO

    Download the Business Context Discovery Tool

    Optional Diagnostic

    • Assess your digital maturity (Concierge Service)

    Visit Assess Your Digital Maturity

    Phase 1

    Identify top value chains to be transformed

    • Understand the business
    • Assess your business ecosystem
    • Identify two value chains for transformation

    This phase will walk you through the following activities:

    Understand how your organization delivers value today and identify value chains to be transformed.

    This phase involves the following participants:

    A cross-functional cohort across all levels of the organization.

    Outcomes

    • Business ecosystem
    • Existing value chains to be transformed

    Step 1.1

    Understand the business

    Activities

    • Review business documents.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    In this section you will gain an understanding of the business context for your strategy.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Business Context

    Understand the business context

    Understanding the business context is a must for all strategic initiatives. A pre-requisite to all strategic planning should be to elicit the business context from your business stakeholders.

    Inputs Document(s)/ Method Outputs
    Key stakeholders Strategy Document Stakeholders that are actively involved in, affected by or influence outcome of the organization, e.g. employers, customers, vendors.
    Vision and mission of the organization Website Strategy Document What the organization wants to achieve and how it strives to accomplish those goals.
    Business drivers CEO Interview Inputs and activities that drive the operational and financial results of the organization.
    Key targets CEO Interview Quantitative benchmarks to support strategic goals, e.g. double the enterprise EBITD, improve top-of-mind brand awareness by 15%,
    Strategic investment goals CFO Interview
    Digital Strategy
    Financial investments corresponding with strategic objectives of the organization, e.g. geographic expansion, digital investments.
    Top three value-generating lines of business Financial Document Identification of your top three value-generating products and services or lines of business.
    Goals of the organization over the next 12 months Strategy Document
    Corporate Retreat Notes
    Strategic goals to support the vision, e.g. hire 100 new sales reps, improve product management and marketing.
    Top business initiatives over the next 12 months Strategy Document
    CEO Interview
    Internal campaigns to support strategic goals, e.g. invest in sales team development, expand the product innovation team.
    Business model Strategy Document Products or services that the organization plans to sell, the identified market and customer segments, price points, channels and anticipated expenses.
    Competitive landscape Internal Research Analysis Who your typical or atypical competitors are.

    1.1 Understand the business context

    Objective: Elicit the business context with a careful review of business and strategy documents.

    1. Gather the strategy creation team and review your business context documents. This includes business strategy documents, interview notes from executive stakeholders, and other sources for uncovering the business strategy.
    2. Brainstorm in smaller groups answers to the question you were assigned:
      • What are the strengths and weaknesses of the organization?
      • What are some areas of improvement or opportunity?
      • What does it mean to have a digital business strategy?
    3. Discuss the questions above with participants and document key findings. Share with the group and work through the balanced scorecard questions to complete this exercise.
    4. Document your findings.

    Assess your digital readiness with Info-Tech’s Digital Maturity Assessment

    Input

    • Business Strategy Documents
    • Executive Stakeholder Interviews

    Output

    • Business Context Information

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 1.2

    Assess your business ecosystem

    Activities

    • Identify disruptors and incumbents.

    Info-Tech Insight

    Your digital business strategy cannot be formulated without a clear vision of the evolution of your industry.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    In this section, we will assess who the incumbents and disruptors are in your ecosystem and identify who your stakeholders are.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Business Ecosystem

    Assess your business ecosystem

    Understand the nature of your competition.

    Learn what your competitors are doing.

    To survive, grow, or transform in today's digital era, organizations must first have a strong pulse on their business ecosystem. Learning what your competitors are doing to grow their bottom line is key to identifying how to grow your own. Start by understanding who the key incumbents and disruptors in your industry are to identify where your industry is heading.

    Incumbents: These are established leaders in the industry that possess the largest market share. Incumbents often focus their attention to their most demanding or profitable customers and neglect the needs of those down market.

    Disruptors: Disruptors are primarily new entrants (typically startups) that possess the ability to displace the existing market, industry, or technology. Disruptors are often focused on smaller markets that the incumbents aren’t focused on. (Clayton Christenson, 1997)

    An image is shown demonstrating the relationship within an industry between incumbents, disruptors, and the organization. The incumbents are represented by two large purple circles. The disruptors are represented by 9 smaller blue circles, which represent smaller individual customer bases, but overall account for a larger portion of the industry.

    ’Disruption’ specifically refers to what happens when the incumbents are so focused on pleasing their most profitable customers that they neglect or misjudge the needs of their other segments.– Ilan Mochari, Inc., 2015

    Example Business Ecosystem Analysis

    Business Target Market & Customer Product/Service & Key Features Key Differentiators Market Positioning
    University XYZ
    • Local Students
    • Continuous Learner
    • Certificate programs
    • Associate degrees
    • Strong engineering department with access to high-quality labs
    • Strong community impact
    Affordable education with low tuition cost and access to bursaries & scholarships.
    University CDE University CDE
    • Local students
    • International students
    • Continuous learning students
    • Continuous learning offerings (weekend classes)
    • Strong engineering program
    • Strong continuous learning programs
    Outcome focused university with strong co-ops/internship programs and career placements for graduates
    University MNG
    • Local students
    • Non degree, freshman and continuous learning adults
    • Associate degrees
    • Certificate programs (IT programs)
    • Dual credit program
    • More locations/campuses
    • Greater physical presence
    • High web presence
    Nurturing university with small student population and classroom sizes. University attractive to adult learners.
    Disruptors Online Learning Company EFG
    • Full-time employees & executives– (online presence important)
    • Shorter courses
    • Full-time employees & executives– (online presence important)
    Competitive pricing with an open acceptance policy
    University JKL Online Credential Program
    • High school
    • University students
    • Adult learners
    • Micro credentials
    • Ability to acquire specific skills
    Borderless and free (or low cost) education

    1.2 Understand your business ecosystem

    Objective: Identify the incumbents and disruptors in your business ecosystem.

    1. Identify the key incumbents and disruptors in your business ecosystem.
      • Incumbents: These are established leaders in the industry that possess the largest market share.
      • Disruptors: Disruptors are primarily new entrants (startups) that possess the ability to displace the existing market, industry, or technology.
    2. Identify target market and key customers. Who are the primary beneficiaries of your products or service offerings? Your key customers are those who keep you in business, increase profits, and are impacted by your operations.
    3. Identify what their core products or services are. Assess what core problem their products solve for key customers and what key features of their solution support this.
    4. Assess what the competitors' key differentiators are. There are many differentiators that an organization can have, examples include product, brand, price, service, or channel.
    5. Identify what the organization’s value proposition is. Why do customers come to them specifically? Leverage insights from the key differentiators to derive this.
    6. Finally, assess how your organization derives value relative to your competitors.

    Input

    • Market Assessment

    Output

    • Key Incumbents and Disruptors

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 1.3

    Value-chain prioritization

    Activities

    • Identify and prioritize value chains for innovation.

    Identify top value chains to be transformed

    This step will walk you through the following activities:

    Identify and prioritize how your organization currently delivers value today and identify value chains to be transformed.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Prioritized Value Chains

    Determine what value the organization creates

    Identify areas for innovation.

    Value streams and value chains connect business goals to the organization’s value realization activities. They enable an organization to create and capture value in the market place by engaging in a set of interconnected activities. Those activities are dependent on the specific industry segment an organization operates within.

    Different types of value your organization creates

    This an example of a value chain which a school would use to analyze how their organization creates value. The value streams listed include: Recruitment; Admission; Student Enrolment; Instruction& Research; Graduation; and Advancement. the Value chain for the Student enrolment stream is displayed. The value chain includes: Matriculation; Enrolment into a Program and; Unit enrolment.

    Value Streams

    A value stream refers to the specific set of activities an industry player undertakes to create and capture value for and from the end consumer.

    Value Chains

    A value chain is a ”string” of processes within a company that interrelate and work together to meet market demand. Examining the value chain of a company will reveal how it achieves competitive advantage.

    Visit Info-Tech’s Industry Coverage Research to identify value streams

    Begin with understanding your industry’s value streams

    Value Streams

    Recruitment

    • The promotion of the institution and the communication with prospective students is accommodated by the recruitment component.
    • Prospective students are categorized as domestic and international, undergraduate and graduate. Each having distinct processes.

    Admission

    • Admission into the university involves processes distinct from recruitment. Student applications are processed and evaluated and the students are informed of the decision.
    • This component is also concerned with transfer students and the approval of transfer credits.

    Student Enrolment

    • Student enrolment is concerned with matriculation when the student first enters the institution, and subsequent enrolment and scheduling of current students.
    • The component is also concerned with financial aid and the ownership of student records.

    Instruction & Research

    • Instruction involves program development, instructional delivery and assessment, and the accreditation of courses of study.
    • The research component begins with establishing policy and degree fundamentals and concerns the research through to publication and impact assessment.

    Graduation

    • Graduation is not only responsible for the ceremony but also the eligibility of the candidate for an award and the subsequent maintenance of transcripts.

    Advancement

    • Alumni relations are the first responsibility of advancement. This involves the continual engagement with former students.
    • Fundraising is the second responsibility. This includes the solicitation and stewardship of gifts from alumni and other benefactors.

    Value stream defined…

    Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

    There are two types of value streams: core value streams and support value streams.

    • Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
    • Support value streams are internally facing and provide the foundational support for an organization to operate.

    An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

    Leverage your industry’s capability maps to identify value chains

    Business Capability Map Defined

    A business capability defines what a business does to enable value creation, rather than how. Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically, will have a defined business outcome.

    A capability map is a great starting point to identify value chains within an organization as it is a strong indicator of the processes involved to deliver on the value streams.

    this image contains an example of a business capability map using the value streams identified earlier in this blueprint.

    Info-Tech Insight

    Leverage your industry reference architecture to define value streams and value chains.

    Visit Info-Tech’s Industry Coverage Research to identify value streams

    Prioritize value streams to be supported or enhanced

    Use an evaluation criteria that considers both the human and business value generators that these streams provide.

    two identical value streams are depicted. The right most value stream has Student Enrolment and Instruction Research highlighted in green. between the two streams, are two boxes. In these boxes is the following: Business Value: Profit; Enterprise Value; Brand value. Human Value: Faculty satisfaction; Student satisfaction; Community impact.

    Info-Tech Insight

    To produce maximum impact, focus on value streams that provide two-thirds of your enterprise value.

    Business Value

    Assess the value generators to the business, e.g. revenue dollars, enterprise value, cost or differentiation (competitiveness), etc.

    Human Value

    Assess the value generators to people, e.g. student/faculty satisfaction, well-being, and social cohesion.

    Identify value chains for transformation

    Value chains, pioneered by the academic Michael Porter, refer to the ”string” of processes within a company that interrelate and work together to meet market demand. An organization’s value chain is connected to the larger part of the value stream. This perspective of how value is generated encourages leaders to see each activity as a part of a series of steps required deliver value within the value stream and opens avenues to identify new opportunities for value generation.

    this image depicts two sample value chains for the value streams: student enrolment and Instruction & Research. Each value chain has a stakeholder associated with it. This is the primary stakeholder that seeks to gain value from that value chain.

    Prioritize value chains for transformation

    Once we have identified the key value chains within each value stream element, evaluate the individual processes within the value chain to identify opportunities for transformation. Evaluate the value chain processes based on the level of pain experienced by a stakeholder to accomplish that task, and the financial impact that level of the process has on the organization.

    this image depicts the same value chains as the image above, with a legend showing which steps have a financial impact, which steps have a high degree of risk, and which steps are prioritized for transformation. Matriculation and publishing are shown to have a financial impact. Research foundation is shown to have a high degree of risk, and enrollment into a program and conducting research are prioritized for transformation.

    1.3 Value chain analysis

    Objective: Determine how the organization creates value, and prioritize value chains for innovation.

    1. The first step of delivering value is defining how it will happen. Use the organization’s industry segment to start a discussion on how value is created for customers. Working back from the moment value is realized by the customer, consider the sequential steps required to deliver value in your industry segment.
    2. Define and validate the organization’s value stream. Write a short description of the value stream that includes a statement about the value provided and a clear start and end for the value stream.
    3. Prioritize the value streams based on an evaluation criteria that reflects business and human value generators to the organization.
    4. Identify value chains that are associated with each value stream. The value chains refer to a string of processes within the value stream element. Each value chain also captures a particular stakeholder that benefits from the value chain.
    5. Once we have identified the key value chains within each value stream element, evaluate the individual processes within the value chain and identify areas for transformation. Evaluate the value chain processes based on the level of pain or exposure to risk experienced by a stakeholder to accomplish that task and the financial impact that level of the process has on the organization.

    Visit Info-Tech’s Industry Coverage Research to identify value streams and capability maps

    Input

    • Market Assessment

    Output

    • Key Incumbents and Disruptors

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Phase 2

    Identify a digitally enabled growth opportunity

    • Conduct horizon scan
    • Identify leapfrog idea
    • Conduct value chain impact analysis

    This phase will walk you through the following activities:

    Assess trends that are impacting your industry and identify strategic growth opportunities.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    Identify new growth opportunities and value chains impacted

    Phase 2.1

    Horizon scanning

    Activities

    • Scan the internal and external environment for trends.

    Info-Tech Insight

    Systematically scan your environment to identify avenues or opportunities to skip one or several stages of technological development and stay ahead of disruption.

    Identify a digitally enabled growth opportunity

    This step will walk you through the following activities:

    Scan the environment for external environment for megatrends, trends, and drivers. Prioritize trends and build a trends radar to keep track of trends within your environment.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Growth opportunity

    Horizon scanning

    Understand how your industry is evolving.

    Horizon scanning is a systematic analysis of detecting early signs of future changes or threats.

    Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.

    Macro Trends

    A macro trend captures a large-scale transformative trend that could impact your addressable market.

    Trends

    A trend captures a business use case of the macro trend. Consider trends in relation to competitors in your industry.

    Drivers

    A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force.

    Identify signals of change in the present and their potential future impacts.

    Identifying macro trends

    A macro trend captures a large-scale transformative trend that could change the addressable market. Here are some examples of macro trends to consider when horizon scanning for your own organization:

    Talent Availability

    • Decentralized workforce
    • Hybrid workforce
    • Diverse workforce
    • Skills gap
    • Digital workforce
    • Multigenerational workforce

    Customer Expectations

    • Personalization
    • Digital experience
    • Data ownership
    • Transparency
    • Accessibility

    Technological Landscape

    • AI & robotics
    • Virtual world
    • Ubiquitous connectivity,
    • Genomics
    • Materials (smart, nano, bio)

    Regulatory System

    • Market control
    • Economic shifts
    • Digital regulation
    • Consumer protection
    • Global green

    Supply Chain Continuity

    • Resource scarcity
    • Sustainability
    • Supply chain digitization
    • Circular supply chains
    • Agility

    Identifying trends and drivers

    A trend captures a business use case of a macro trend. Assessing trends can reduce some uncertainties about the future and highlight potential opportunities for your organization. A driver captures the internal or external forces that lead the trend to occur. Understanding and capturing drivers is important to understanding why these trends are occurring and the potential impacts to your value chains.

    This image contains a flow chart, demonstrating the relationship between Macro trends, Trends, and Drivers. in this example, the macro trend is Accessibility. The Trends, or patterns of change, are an increase in demands for micro-credentials, and Preference for eLearning. The Drivers, or the why, are addressing skill gaps for increase in demand for micro-credentials, and Accommodating adult/working learners- for Preference for eLearning.

    Leverage industry roundtables and trend reports to understand the art of the possible

    Uncover important business and industry trends that can inform possibilities for technology innovation.

    Explore trends in areas such as:

    • Machine Learning
    • Citizen Dev 2.0
    • Venture Architecture
    • Autonomous Organizations
    • Self-Sovereign Cloud
    • Digital Sustainability

    Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    this image contains three screenshots from Rethinking Higher Education Report and 2021 Tech Trends Report

    Images are from Info-Tech’s Rethinking Higher Education Report and 2021 Tech Trends Report

    Example horizon scanning activity

    Macro Trends Trends Drivers
    Talent Availability Diversity Inclusive campus culture Systemic inequities
    Hybrid workforce Online learning staff COVID-19 and access to physical institutions
    Customer Expectations Digital experience eLearning for working learners Accommodate adult learners
    Accessibility Micro-credentials for non-traditional students Addressing skills gap
    Technological Landscape Artificial intelligence and robotics AI for personalized learning Hyper personalization
    IoT IoT for monitoring equipment Asset tracking
    Augmented reality Immersive education AR and VR Personalized experiences
    Regulatory System Regulatory System Alternative funding for research Changes in federal funding
    Global Green Environmental and sustainability education curricula Regulatory and policy changes
    Supply Chain Continuity Circular supply chains Vendors recycling outdated technology Sustainability
    Cloud-based solutions Cloud-based eLearning software Convenience and accessibility

    Visit Info-Tech’s Industry Coverage Research to identify your industry’s value streams

    Prioritize trends

    Develop a cross-industry holistic view of trends.

    Visualize emerging and prioritize action.

    Moving from horizon scanning to action requires an evaluation process to determine which trends can lead to growth opportunities. First, we need to make a short list of trends to analyze. For your digital strategy, consider trends on the time horizon that are under 24 months. Next, we need to evaluate the shortlisted opportunities by a second set of criteria: relevance to your organization and impact on industry.

    Timing

    The estimated time to disruption this trend will have for your industry. Assess whether the trend will require significant developments to support its entry into the ecosystem.

    Relevance

    The relevance of the trend to your organization. Does the trend fulfil the vision or goals of the organization?

    Impact

    The degree of impact the trend will have on your industry. A trend with high impact will drive new business models, products, or services.

    Prioritize trends to adopt into your organization

    Prioritize trends based on timing, impact, and relevance.

    Trend Timing
    (S/M/L)
    Impact
    (1-5)
    Relevance
    ( 1-5)
    1. Micro-credentialing S 5 5
    2. IoT-connected devices for personalized experience S 1 3
    3. International partnerships with educational institutions M
    4. Use of chatbots throughout enrollment process L
    5. IoT for energy management of campus facilities L
    6. Gamification of digital course content M
    7. Flexible learning curricula S 4 3
    Deprioritize trends
    that have a time frame
    to disruption of more
    than 24 months.
    this image contains a graph demonstrating the relationship between relevance (x axis) and Impact (Y axis).

    2.1 Scanning the horizon

    Objective: Generate trends

    60 minutes

    • Start by selecting macro trends that are occurring in your environment using the five categories. These are the large-scale transformative trends that impact your addressable market. Macro trends have three key characteristics:
      • They span over a long period of time.
      • They impact all geographic regions.
      • They impact governments, individuals, and organizations.
    • Begin to break down these macro trends into trends. Trends should reflect the direction of a macro trend and capture the pattern in events. Consider trends that directly impact your organization.
    • Understand the drivers behind these trends. Why are they occurring? What is driving them? Understanding the drivers helps us understand the value they may generate.
    • Deprioritize trends that are expected to happen beyond 24 months.
    • Prioritize trends that have a high impact and relevance to the organization.
    • If you identify more than one trend, discuss with the group which trend you would like to pursue and limit it to one opportunity.

    Input

    • Macro Trends
    • Trends

    Output

    • Trends Prioritization

    Materials

    • Digital Strategy Workbook

    Participants

    • Executive Team

    Step 2.2

    Leapfrogging ideation

    Activities

    • Identify leapfrog ideas.
    • Identify impact to value chain.

    Info-Tech Insight

    A systematic approach to leapfrog ideation is one of the most critical ways in which an organization can build the capacity for resilient innovation.

    This step will walk you through the following activities:

    Evaluate trend opportunities and determine the strategic opportunities they pose. You will also work towards identifying the impact the trend has on your value chain.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Strategic growth opportunities
    • Value chain impact

    Leapfrog into the future

    Turn trends into growth opportunities.

    To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.

    In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.

    The best way to predict the future is to invent it. – Alan Kay

    Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors who are unable to mobilize to respond to the opportunities.

    Case Study

    Classroom of the Future

    Higher Education: Barco’s Virtual Classroom at UCL

    University College London (UCL), in the United Kingdom, selected Barco weConnect virtual classroom technology for its continuing professional development medical education offering. UCL uses the platform for synchronous teaching, where remote students can interact with a lecturer.

    One of the main advantages of the system is that it enables direct interaction with students through polls, questions, and whiteboarding. The system also allows you to track student engagement in real time.

    The system has also been leveraged for scientific research and publications. In their “Delphi” process, key opinion leaders were able to collaborate in an effective way to reach consensus on a subject matter. The processes that normally takes months were successfully completed in 48 hours (McCann, 2020).

    Results

    The system has been largely successful and has supported remote, real-time teaching, two-way engagement, engagement with international staff, and an overall enriched teaching experience.

    Funnel trends into leapfrog ideas

    Go from trend insights into ideas.

    Brainstorm ways of generating leapfrog ideas from trend insights.

    Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing, to develop strategies for response is another.

    To identify the impact the trend has on the organization, consider the four areas of growth strategies for the organization:

    1. New Customers: Leverage the trend to target new customers for existing products or services.
    2. New Business Models: Adjust the business model to capture a change in how the organization delivers value.
    3. New Markets: Enter or create new markets by applying existing products or services to different problems.
    4. New Product or Service Offerings: Introduce new products or services to the existing market.
    A funnel shaped image is depicted. At the top, at the entrance of the funnel, is the word Trend. At the bottom of the image, at the output of the funnel, is the word Opportunity.

    From trend to leapfrog ideas

    Trend New Customer New Market New Business Model New Product or Service
    What trends pose a high-immediate impact to the organization? Target new customers for existing products or services Enter or create new markets by applying existing products or services to different problems Adjust the business model to capture a change in how the organization delivers value Introduce new products or services to the existing market
    Micro-credentials for non-traditional students Target non-traditional learners/students - Online delivery Introduce mini MBA program

    2.2 Identify and prioritize opportunities

    60 minutes

    1. Gather the prioritized trend identified in the horizon scanning exercise (the trend identified to be “adopted” within the organization).
    2. Analyze each trend identified and assess whether the trend provides an opportunity for a new customers, new markets, new business models, or new products and services.

    Input

    • “Adopt” Trends

    Output

    • Trends to pursue
    • Breakdown of strategic opportunities that the trends pose

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Step 2.3

    Value chain impact

    Activities

    • Identify impact to value chain.

    This step will walk you through the following activities:

    Evaluate trend opportunities and determine the strategic opportunities they pose. Prioritize the opportunities and identify impact to your value chain.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Strategic growth opportunities

    Value chain analysis

    Identify implications of strategic growth opportunities to the value chains.

    As we identify and prioritize the opportunities available to us, we need to assess their impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?

    The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.
    As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.

    this image depicts the value chain for the value stream, student enrolment.

    2.3 Value chain impact

    Objective: Identify impacts to the value chain from the opportunities identified.
    60 minutes

    1. Once you have identified the opportunity, turn back to the value stream, and with the working group, identify the value stream impacted most by the opportunity. Leverage the human impact/business impact criteria to support the identification of the value stream to be impacted.
    2. Within the value stream, brainstorm what parts of the value chain will be impacted by the new opportunity. Or ask whether this new opportunity provides you with a new value chain to be created.
    3. If this opportunity will require a new value chain, identify what set of new processes or steps will be created to support this new entrant.
    4. Identify any critical value chains that will be impacted by the new opportunity. What areas of the value chain pose the greatest risk? And where can we estimate the financial revenue will be impacted the most?

    Input

    • Opportunity

    Output

    • Value chains impacted

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Team

    Phase 3

    Transform stakeholder journeys

    • Identify stakeholder personas and scenarios
    • Conduct journey map
    • Identify projects

    This phase will walk you through the following activities:

    Take the prioritized value chains and create a journey map to capture the end-to-end experience of a stakeholder.

    Through a journey mapping exercise, you will identify opportunities to digitize parts of the journey. These opportunities will be broken down into functional initiatives to tackle in your strategy.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    1. Stakeholder persona
    2. Stakeholder scenario
    3. Stakeholder journey map
    4. Opportunities

    Step 3.1

    Identify stakeholder persona and journey scenario

    Activities

    • Identify stakeholder persona.
    • Identify stakeholder journey scenario.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    In this step, you with identify stakeholder personas and scenarios relating to the prioritized value chains.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A taxonomy of critical stakeholder journeys.

    Identify stakeholder persona and journey scenario

    From value chain to journey scenario.

    Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.

    A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.

    A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.

    Learn more about applying design thinking methodologies

    Identify stakeholder scenarios to map

    For your digital strategy, leverage the existing and opportunity value chains identified in phase 1 and 2 for journey mapping.

    Identify two existing value chains to be transformed.
    In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a member of the faculty (engineering), and the scenario is the curricula design process.
    this image contains the value chains for instruction (engineering) and enrolment of engineering student. the instruction(engineering) value chain includes curricula research, curricula design, curricula delivery, and Assessment for the faculty-instructor. The enrolment of engineering student value chain includes matriculation, enrolment into a program, and unit enrolment for the student. In the instruction(engineering) value chain, curricula design is highlighted in blue. In the enrolment of engineering student value chain, Enrolment into a program is highlighted.
    Identify one new value chain.
    In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.
    this image contains an example of a value chain for micro-credentialing (mini online MBA)

    Identify stakeholder persona

    Who are you transforming for?

    To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.

    One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.

    For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.

    Info-Tech Insight

    Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.

    Example Stakeholder Persona

    Name: Anne
    Age: 35
    Occupation: Engineering Faculty
    Location: Toronto, Canada

    Pains

    What are their frustrations, fears, and anxieties?

    • Time restraints
    • Using new digital tools
    • Managing a class while incorporating individual learning
    • Varying levels within the same class
    • Unmotivated students

    What do they need to do?

    What do they want to get done? How will they know they are successful?

    • Design curricula in a hybrid mode without loss of quality of experience of in-classroom learning.

    Gains

    What are their wants, needs, hopes, and dreams?

    • Interactive content for students
    • Curriculum alignment
    • Ability to run a classroom lab (in hybrid format)
    • Self-paced and self-directed learning opportunities for students

    (Adapted from Osterwalder, et al., 2014)

    Define a journey statement for mapping

    Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.
    Leverage the following format to define the journey statement.
    As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].

    this image contains the instruction(engineering) value chain shown above. next to it is a stakeholder journey statement, which states: As an engineering faculty member, I want to design my curricula in a hybrid mode of delivery so that I can simulate in-classroom experiences.

    3.1 Identify stakeholder persona and journey scenario

    Objective: Identify stakeholder persona and journey scenario statement for journey mapping exercise.

    1. Start by identifying who your stakeholder is. Give your stakeholder a demographic profile – capture a typical stakeholder for this value chain.
    2. Identify what the gains and pains are during this value chain and what the stakeholder is seeking to accomplish.
    3. Looking at the value chain, create a statement that captures the goals and needs of the stakeholder. Use the following format to create a statement:
      As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].

    Input

    • Prioritized Value Chains (existing and opportunity)

    Output

    • Stakeholder Persona
    • Stakeholder Journey Statement

    Materials

    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)
    • Stakeholder Persona Canvas

    Participants

    • Executive Team
    • Stakeholders (if possible)
    • Individual who works directly with stakeholders

    Step 3.2

    Map stakeholder journeys

    Activities

    • Map stakeholder journeys.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Prioritize the journeys by focusing on what matters most to the stakeholders and estimating the organizational effort to improve those experiences.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Candidate journeys identified for redesign or build.

    Leverage customer journey mapping to capture value chains to be transformed

    Conduct a journey mapping exercise to identify opportunities for innovation or automation.

    A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.

    Embrace design thinking methodologies to elevate the stakeholder journey and to build a competitive advantage for your organization.

    this image contains an example of the result of a journey mapping exercise. the main headings are Awareness, Consideration, Acquisition, Service and, Loyalty.

    Internal vs. external stakeholder perspective

    In journey mapping, we always start with the stakeholder's perspective, then eventually transition into what the organization does business-wise to deliver value to each stakeholder. It is important to keep in mind both perspectives while conducting a journey mapping exercise as there are often different roles, processes, and technologies associated with each of the journey steps.

    Stakeholder Journey
    (External Perspective)

    • Awareness
    • Consideration
    • Selecting
    • Negotiating
    • Approving

    Business Processes
    (Internal Perspective)

    • Preparation
    • Prospecting
    • Presentation
    • Closing
    • Follow-Up

    Info-Tech Insight

    Take the perspective of an end user, who interacts with your products and services, as it is different from the view of those inside the organization, who implement and provide those services.

    Build a stakeholder journey map

    A stakeholder journey map is a tool used to illustrate the user’s perceptions, emotions, and needs as they move through a process and interact with the organization in the form of touch points, channels, and supporting characters.

    this image depicts an example of a stakeholder journey map, the headings in the map are: Journey Activity; Touch Points; Metrics; Nature of Activity; Key Moments & Pain Points; Opportunities

    Stakeholder Journey Map: Journey Activity

    The journey activity refers to the steps taken to accomplish a goal.

    The journey activity comprises the steps or sequence of tasks the stakeholder takes to accomplish their goal. These steps reflect the high-level process your candidates perform to complete a task or solve a problem.

    Stakeholder Journey Map: Touch Points

    Touch points are the points of interaction between a stakeholder and the organization.

    A touch point refers to any time a stakeholder interacts with your organization or brand. Consider three main points of interaction with the customer in the journey:

    • Before: How did they find out about you? How did they first contact you to start this journey? What channels or mediums were used?
      • Social media
      • Rating & reviews
      • Word of mouth
      • Advertising
    • During: How was the sale or service accomplished?
      • Website
      • Catalog
      • Promotions
      • Point of sale
      • Phone system
    • After: What happened after the sale or service?
      • Billing
      • Transactional emails
      • Marketing emails
      • Follow-ups
      • Thank-you emails

    Stakeholder Journey Map: Nature of Activity

    The nature of activity refers to the type of task the journey activity captures.

    We categorize the activity type to identify opportunities for automation. There are four main types of task types, which in combination (as seen in the table below) capture a task or job to be automated.

    Routine Non-Routine
    Cognitive Routine Cognitive: repeatable tasks that rely on knowledge work, e.g. sales, administration
    Prioritize for automation (2)
    Non-Routine Cognitive: infrequent tasks that rely on knowledge work, e.g. driving, fraud detection
    Prioritize for automation (3)
    Non-Routine Cognitive: infrequent tasks that rely on knowledge work, e.g. driving, fraud detection Prioritize for automation (3) Routine Manual: repeatable tasks that rely on physical work, e.g. manufacturing, production
    Prioritize for automation (1)
    Non-Routine Manual: infrequent tasks that rely on physical work, e.g. food preparation
    Not mature for automation

    Info-Tech Insight

    Where automation makes sense, routine manual activities should be transformed first, followed by routine cognitive activities. Non-routine cognitive activities are the final frontier.

    Stakeholder Journey Map: Metrics

    Metrics are a quantifiable measurement of a process, activity, or initiative.

    Metrics are crucial to justify expenses and to estimate growth for capacity planning and resourcing. There are multiple benefits to identifying and implementing metrics in a journey map:

    • Metrics provide accurate indicators for accurate IT and business decisions.
    • Metrics help you identify stakeholder touch point efficiencies and problems and solve issues before they become more serious.
    • Active metrics tracking makes root cause analysis of issues much easier.

    Example of journey mapping metrics: Cost, effort, turnaround time, throughput, net promoter score (NPS), satisfaction score

    Stakeholder Journey Map: Key Moments & Pain Points

    Key moments and pain points refer to the emotional status of a stakeholder at each stake of the customer journey.

    The key moments are defining pieces or periods in a stakeholder's experience that create a critical turning point or memory.

    The pain points are the critical problems that the stakeholder is facing during the journey or business continuity risks. Prioritize identifying pain points around key moments.

    Info-Tech Insight

    To identify key moments, look for moments that can dramatically influence the quality of the journey or end the journey prematurely. To improve the experience, analyze the hidden needs and how they are or aren’t being met.

    Stakeholder Journey Map: Opportunities

    An opportunity is an investment into people, process, or technology for the purposes of building or improving a business capability and accomplishing a specific organizational objective.

    An opportunity refers to the initiatives or projects that should address a stakeholder pain. Opportunities should also produce a demonstrable financial impact – whether direct (e.g. cost reduction) or indirect (e.g. risk mitigation) – and be evaluated based on how technically difficult it will be to implement.

    Customer

    Create new or different experiences for customers

    Workforce

    Generate new organizational skills or new ways of working

    Operations

    Improve responsiveness and resilience of operations

    Innovation

    Develop different products or services

    Example of stakeholder journey output: Higher Education

    Stakeholder: A faculty member
    Journey: As an engineering faculty member, I want to design my curricula in a hybrid mode of delivery so that I can simulate in-classroom experiences

    Journey activity Understanding the needs of students Construct the course material Deliver course material Conduct assessments Upload grades into system
    Touch Points
    • Research (primary or secondary)
    • Teaching and learning center
    • Training on tools
    • Office suite
    • Video tools
    • PowerPoint live
    • Chat (live)
    • Forum (FAQ
    • Online assessment tool
    • ERP
    • LMS
    Nature of Activity Non-routine cognitive Non-routine cognitive Non-routine cognitive Routine cognitive Routine Manual
    Metrics
    • Time to completion
    • Time to completion
    • Student satisfaction
    • Student satisfaction
    • Student scores
    Ken Moments & Pain Points Lack of centralized repository for research knowledge
    • Too many tools to use
    • Lack of Wi-Fi connectivity for students
    • Loss of social aspects
    • Adjusting to new forms of assessments
    No existing critical pain points; process already automated
    Opportunities
    • Centralized repository for research knowledge
    • Rationalize course creation tool set
    • Connectivity self-assessment/checklist
    • Forums for students
    • Implement an online proctoring tool

    3.2 Stakeholder journey mapping

    Objective: Conduct journey mapping exercise for existing value chains and for opportunities.

    1. Gather the working group and, with the journey mapping workbook, begin to map out the journey scenario statements identified in the value chain analysis. In total, there should be three journey maps:
      • Two for the existing value chains. Map out the specific point in the value chain that is to be transformed.
      • One for the opportunity value chain. Map out all parts of the value chain to be impacted by the new opportunity.
    2. Start with the journey activity and map out the steps involved to accomplish the goal of the stakeholder.
    3. Identify the touch points involved in the value chain.
    4. Categorize the nature of the activity in the journey activity.
    5. Identify metrics for the journey. How can we measure the success of the journey?
    6. Identify pain points and opportunities in parallel with one another.

    Input

    • Value Chain Analysis
    • Stakeholder Personas
    • Journey Mapping Scenario

    Output

    • Journey Map

    Materials

    • Digital Strategy Workbook, Stakeholder Journey tab

    Participants

    • Executives
    • Individuals in the organization that have a direct interaction with the stakeholders

    Info-Tech Insight

    Aim to build out 90% of the stakeholder journey map with the working team; validate the last 10% with the stakeholder themselves.

    Step 3.3

    Prioritize opportunities

    Activities

    • Prioritize opportunities.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Prioritize the opportunities that arose from the stakeholder journey mapping exercise.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Prioritized opportunities

    Prioritization of opportunities

    Leverage design-thinking methods to prioritize opportunities.

    As there may be many opportunities arising from the journey map, we need to prioritize ideas to identify which ones we can tackle first – or at all. Leverage IDEO’s design-thinking “three lenses of innovation” to support prioritization:

    • Feasibility: Do you currently have the capabilities to deliver on this opportunity? Do we have the right partners, resources, or technology?
    • Desirability: Is this a solution the stakeholder needs? Does it solve a known pain point?
    • Viability: Does this initiative have an impact on the financial revenue of the organization? Is it a profitable solution that will support the business model? Will this opportunity require a complex cost structure?
    Opportunities Feasibility
    (L/M/H)
    Desirability
    (L/M/H)
    Viability
    (L/M/H)
    Centralized repository for research knowledge H H H
    Rationalize course creation tool set H H H
    Connectivity self-assessment/ checklist H M H
    Forums for students M H H
    Exam preparation (e.g. education or practice exams) H H H

    3.3 Prioritization of opportunities

    Objective: Prioritize opportunities for creating a roadmap.

    1. Gather the opportunities identified in the journey mapping exercise
    2. Assess the opportunities based on IDEO’s three lenses of innovation:
      • Feasibility: Do you currently have the capabilities to deliver on this opportunity? Do we have the right partners, resources, or technology?
      • Viability: Does this initiative have an impact on the financial revenue of the organization? Is it a profitable solution that will support the business model? Will this opportunity require a complex cost structure?
      • Desirability: Is this a solution the stakeholder needs? Does it solve a known pain point?
    3. Opportunities that score high in all three areas are prioritized for the roadmap.

    Input

    • Opportunities From Journey Map

    Output

    • Prioritized Opportunities

    Materials

    • Digital Strategy Workbook

    Participants

    • Executives

    Step 3.4

    Define digital goals

    Activities

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Define a digital goal as it relates to the prioritized opportunities and the stakeholder journey map.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    Digital goals

    Define digital goals

    What digital goals can be derived from the stakeholder journey?

    With the prioritized set of opportunities for each stakeholder journey, take a step back and assess what the sum of these opportunities mean for the journey. What is the overall goal or objective of these opportunities? How do these opportunities change or facilitate the journey experience? From here, identify a single goal statement for each stakeholder journey.

    Stakeholder Scenario Prioritized Opportunities Goal
    Faculty (Engineering) As a faculty (Engineering), I want to prepare and teach my course in a hybrid mode of delivery Centralized repository for research knowledge
    Rationalized course creation tool set
    Support hybrid course curricula development through value-driven toolsets and centralized knowledge

    3.4 Define digital goals

    Objective: Identify digital goals derived from the journey statements.

    1. With the prioritized set of opportunities for each stakeholder journey (the two existing journeys and one opportunity journey) take a step back and assess what the sum of these opportunities means for each journey.
      • What is the overall goal or objective of these opportunities?
      • How do these opportunities change or facilitate the journey experience?
    2. From here, identify a single goal for each stakeholder journey.

    Input

    • Opportunities From Journey Map
    • Stakeholder Persona

    Output

    • Digital Goals

    Materials

    • Prioritization Matrix

    Participants

    • Executives

    Step 3.5

    Breakdown opportunities into series of initiatives

    Activities

    • Identify initiatives from the opportunities.

    Transform stakeholder journeys

    This step will walk you through the following activities:

    Identify people, process, and technology initiatives for the opportunities identified.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • People, process, and technology initiatives

    Break down opportunities into a series of initiatives

    Brainstorm initiatives for each high-priority opportunity using the framework below. Describe each initiative as a plan or action to take to solve the problem.

    Opportunity → Initiatives:

    People: What initiatives are required to manage people, data, and other organizational factors that are impacted by this opportunity?

    Process: What processes must be created, changed, or removed based on the data?

    Technology: What systems are required to support this opportunity?

    Break down opportunities into a series of initiatives

    Initiatives
    Centralized repository for research knowledge Technology Acquire and implement knowledge management application
    People Train researchers on functionality
    Process Periodically review and validate data entries into repository
    Initiatives
    Rationalize course creation toolset Technology Retire duplicate or under-used tools
    People Provide training on tool types and align to user needs
    Process Catalog software applications and tools across the organization
    Identify under-used or duplicate tools/applications

    Info-Tech Insight

    Ruthlessly evaluate if a initiative should stand alone or if it can be rolled up with another. Fewer initiatives or opportunities increases focus and alignment, allowing for better communication.

    3.5 Break down opportunities into initiatives

    Objective: Break down opportunities into people, process, and technology initiatives.

    1. Split into groups and identify initiatives required to deliver on each opportunity. Document each initiative on sticky notes.
    2. Have each team answer the following questions to identify initiatives for the prioritized opportunities:
      • People: What initiatives are required to manage people, data, and other organizational factors that are impacted by this opportunity?
      • Process: What processes must be created, changed, or removed based on the data?
      • Technology: What systems are required to support this opportunity?
    3. Document findings in the Digital Strategy Workbook.

    Input

    • Opportunities

    Output

    • Opportunity initiatives categorized by people, process and technology

    Materials

    • Digital Strategy Workbook

    Participants

    • Executive team

    Phase 4

    Build a digital transformation roadmap

    • Detail initiatives
    • Build a unified roadmap roadmap

    This phase will walk you through the following activities:

    Build a digital transformation roadmap that captures people, process, and technology initiatives.

    This phase involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes

    • Digital transformation roadmap

    Step 4.1

    Detail initiatives

    Activities

    • Detail initiatives.

    Build a digital transformation roadmap

    This step will walk you through the following activities:

    Detail initiatives for each priority initiative on your horizon.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A roadmap for your digital business strategy.

    Create initiative profiles for each high-priority initiative on your strategy

    this image contains a screenshot of an example initiative profile

    Step 4.2

    Build a roadmap

    Activities

    • Create a roadmap of initiatives.

    Build a digital transformation roadmap

    Info-Tech Insight

    A roadmap that balances growth opportunities with business resilience will transform your organization for long-term success in the digital economy.

    This step will walk you through the following activities:

    Identify timing of initiatives and build a Gantt chart roadmap.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • A roadmap for your digital transformation and the journey canvases for each of the prioritized journeys.

    Build a roadmap to visualize your key initiative plan

    Visual representations of data are more compelling than text alone.

    Develop a high-level document that travels with the initiative from inception through executive inquiry, project management, and finally execution.

    A initiative needs to be discrete: able to be conceptualized and discussed as an independent item. Each initiative must have three characteristics:

    • Specific outcome: Describe an explicit change in the people, processes, or technology of the enterprise.
    • Target end date: When the described outcome will be in effect.
    • Owner: Who on the IT team is responsible for executing on the initiative.
    this image contains screenshots of a sample roadmap for supporting hybrid course curricula development through value-driven toolsets and centralized knowledge.

    4.2 Build your roadmap (30 minutes)

    1. For the Gantt chart:
      • Input the Roadmap Start Year date.
      • Change the months and year in the Gantt chart to reflect the same roadmap start year.
      • Populate the planned start and planned end date for the pre-populated list of high-priority initiatives in each category (people, process, and technology).

    Input

    • Initiatives
    • Initiative start & end dates
    • Initiative category

    Output

    • Digital strategy roadmap visual

    Materials

    • Digital Strategy Workbook

    Participants

    • Senior Executive

    Learn more about project portfolio management strategy

    Step 4.3

    Create a refresh strategy

    Activities

    • Refresh your strategy.

    Build a digital transformation roadmap

    Info-Tech Insight

    A digital strategy is a design process, it must be revisited to pressure test and account for changes in the external environment.

    This step will walk you through the following activities:

    Detail a refresh strategy.

    This step involves the following participants:

    A cross-functional cohort across levels in the organization.

    Outcomes of this step

    • Refresh strategy

    Create a refresh strategy

    It is important to dedicate time to your strategy throughout the year. Create a refresh plan to assess for the changing business context and its impact on the digital business strategy. Make sure the regular planning cycle is not the primary trigger for strategy review. Put a process in place to review the strategy and make your organization proactive. Start by examining the changes to the business context and how the effect would trickle downwards. It’s typical for organizations to build a refresh strategy around budget season and hold planning and touch points to accommodate budget approval time.
    Example:

    this image contains an example of a refresh strategy.

    4.3 Create a refresh strategy (30 minutes)

    1. Work with the digital strategy creation team to identify the time frequencies the organization should consider to refresh the digital business strategy. Time frequencies can also be events that trigger a review (i.e. changing business goals). Record the different time frequencies in the Refresh of the Digital Business Strategy slide of the section.
    2. Discuss with the team the different audience members for each time frequency and the scope of the refresh. The scope represents what areas of the digital business strategy need to be re-examined and possibly changed.

    Example:

    Frequency Audience Scope Date
    Annually Executive Leadership Resurvey, review/ validate, update schedule Pre-budget
    Touch Point Executive Leadership Status update, risks/ constraints, priorities Oct 2021
    Every Year (Re-build) Executive Leadership Full planning Jan 2022

    Input

    • Digital Business Strategy

    Output

    • Refresh Strategy

    Materials

    • Digital Business Strategy Presentation Template
    • Collaboration/ Brainstorming Tool (whiteboard, flip chart, digital equivalent)

    Participants

    • Executive Leaders

    Related Info-Tech Research

    Design a Customer-Centric Digital Operating Model

    Design a Customer-Centric Digital Operating Model

    Establish a new way of working to deliver value on your digital transformation initiatives.

    Develop a Project Portfolio Management Strategy

    Develop a Project Portfolio Management Strategy

    Drive project throughput by throttling resource capacity.

    Adopt Design Thinking in Your Organization

    Adopt Design Thinking in Your Organization

    Innovation needs design thinking.

    Digital Maturity Improvement Service

    Digital Maturity Improvement Service

    Prepare your organization for digital transformation – or risk falling behind.

    Research Contributors and Experts

    Kenneth McGee

    this is a picture of Research Fellow, Kenneth McGee

    Research Fellow
    Info-Tech Research Group

    Kenneth McGee is a Research Fellow within the CIO practice at Info-Tech Research Group and is focused on IT business and financial management issues, including IT Strategy, IT Budgets and Cost Management, Mergers & Acquisitions (M&A), and Digital Transformation. He also has extensive experience developing radical IT cost reduction and return-to-growth initiatives during and following financial recessions.

    Ken works with CIOs and IT leaders to help establish twenty-first-century IT organizational charters, structures, and responsibilities. Activities include IT organizational design, IT budget creation, chargeback, IT strategy formulation, and determining the business value derived from IT solutions. Ken’s research has specialized in conducting interviews with CEOs of some of the world’s largest corporations. He has also interviewed a US Cabinet member and IT executives at the White

    House. He has been a frequent keynote speaker at industry conventions, client sales kick-off meetings, and IT offsite planning sessions.

    Ken obtained a BA in Cultural Anthropology from Dowling College, Oakdale, NY, and has pursued graduate studies at Polytechnic Institute (now part of NYU University). He has been an adjunct instructor at State University of New York, Westchester Community College.

    Jack Hakimian

    this is a picture of Vice President of the Info-Tech Research Group, Jack Hakimian

    Vice President
    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.

    Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM.

    Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Bibliography

    Abrams, Karin von. “Global Ecommerce Forecast 2021.” eMarketer, Insider Intelligence, 7 July 2021. Web.

    Christenson, Clayton. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business School, 1997. Book.

    Drucker, Peter F., and Joseph A. Maciariello. Innovation and Entrepreneurship. Routledge, 2015.

    Eagar, Rick, David Boulton, and Camille Demyttenaere. “The Trends in Megatrends.” Arthur D Little, Prism, no. 2, 2014. Web.

    Enright, Sara, and Allison Taylor. “The Future of Stakeholder Engagement.” The Business of a Better World, October 2016. Web.

    Hatem, Louise, Daniel Ker, and John Mitchell. “A roadmap toward a common framework for measuring the digital economy.” Report for the G20 Digital Economy Task Force, OECD, 2020. Web.

    Kemp, Simon. “Digital 2021 April Statshot Report.” DataReportal, Global Digital Insights, 21 Apr. 2021. Web.

    Larson, Chris. “Disruptive Innovation Theory: 4 Key Concepts.” Business Insights, Harvard Business School, HBS Online, 15 Nov. 2016. Web.

    McCann, Leah. “Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?” rAVe, 2 July 2020. Web.

    Mochari, Ilan. “The Startup Buzzword Almost Everyone Uses Incorrectly.” Inc., 19 Nov. 2015. Web.

    Osterwalder, Alexander, et al. Value Proposition Design. Wiley, 2014.

    Reed, Laura. “Artificial Intelligence: Is Your Job at Risk?” Science Node, 9 August 2017.

    Rodeck, David. “Alphabet Soup: Understanding the Shape of a Covid-19 Recession.” Forbes, 8 June 2020. Web.

    Tapscott, Don. Wikinomics. Atlantic Books, 2014.

    Taylor, Paul. “Don't Be A Dodo: Adapt to the Digital Economy.” Forbes, 27 Aug. 2015. Web.

    The Business Research Company. "Wholesale Global Market Report 2021: COVID-19 Impact and Recovery to 2030." Research and Markets, January 2021. Press Release.

    “Topic 1: Megatrends and Trends.” BeFore, 11 October 2018.

    “Updated Digital Economy Estimates – June 2021.” Bureau of Economic Analysis, June 2021. Web.

    Williamson, J. N. The Leader Manager. John Wiley & Sons, 1984.

    AI and the Future of Enterprise Productivity

    • Buy Link or Shortcode: {j2store}329|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • We’re witnessing a fundamental transformation in how businesses operate and productivity is achieved.
    • Advances in narrow but powerful forms of artificial intelligence (AI) are being driven by a cluster of factors.
    • Applications for enterprise AI aren’t waiting for the emergence of a general AI. They’re being rapidly deployed in task-specific domains. From robotic process automation (RPA) to demand forecasting, from real-world robotics to AI-driven drug development, AI is boosting enterprise productivity in significant ways.

    Our Advice

    Critical Insight

    Algorithms are becoming more advanced, data is now richer and easier to collect, and hardware is cheaper and more powerful. All of this is true and contributes to the excitement around enterprise AI applications, but the biggest difference today is that enterprises are redesigning their processes around AI, rather than simply adding AI to their existing processes.

    Impact and Result

    This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.

    AI and the Future of Enterprise Productivity Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the trend report

    This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.

    • AI and the Future of Enterprise Productivity Trend Report
    • AI and the Future of Enterprise Productivity Trend Report (PDF)
    [infographic]

    Integrate Portfolios to Create Exceptional Customer Value

    • Buy Link or Shortcode: {j2store}176|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Through growth, both organic and acquisition, you have a significant footprint of projects and applications.
    • Projects and applications have little in common with one another, all with their own history and pedigree.
    • You need to look across your portfolio of applications and projects to see if they will collectively help the organization achieve its goals.

    Our Advice

    Critical Insight

    • Stakeholders don’t care about the minutia and activities involved in project and application portfolio management.
    • Timely delivery of effective and important applications that deliver value throughout their life are the most important factors driving business satisfaction with IT.

    Impact and Result

    • Define an organizing principle that will structure your projects and applications in a way that matters to your stakeholders.
    • Bridge application and project portfolio data using the organizing principle that matters to communicate with stakeholders across the organization.
    • Create a dashboard that brings together the benefits of both project and application portfolio management to improve visibility and decision making.

    Integrate Portfolios to Create Exceptional Customer Value Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should integrate your application and project portfolios, review Info-Tech’s methodology, and understand the three ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define the principle that organizes your portfolios, objectives, and stakeholders

    To bring your portfolios together, you need to start with learning about your objectives, principles, and stakeholders.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 1: Define the Principle That Organizes Your Portfolios, Objectives, and Stakeholders
    • Integrated Portfolio Dashboard Tool
    • Integrated Portfolio Dashboard Tool – Example

    2. Take stock of what brings you closer to your goals

    Get a deeper understanding of what makes up your organizing principle before learning about your applications and projects that are aligned with your principles.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 2: Take Stock of What Brings You Closer to Your Goals

    3. Bring it all together

    Bound by your organizing principles, bring your projects and applications together under a single dashboard. Once defined, determine the rollout and communication plan that suits your organization.

    • Integrate Portfolios to Create Exceptional Customer Value – Phase 3: Bring It All Together
    • Integrated Portfolio Communication and Roadmap Plan
    • Integrated Portfolio Communication and Roadmap Plan Example
    [infographic]

    Workshop: Integrate Portfolios to Create Exceptional Customer Value

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Looking at Your Principles

    The Purpose

    Determine your organizational objectives and organizing principle.

    Key Benefits Achieved

    A clear understanding of where you need to go as an organization.

    A clear way to enable all parts of your portfolio to come together.

    Activities

    1.1 Determine your organization’s objectives.

    1.2 Determine your key stakeholders.

    1.3 Define your organizing principle.

    1.4 Decompose your organizing principle into its core components.

    Outputs

    Determined organizing principle for your applications and projects

    2 Understanding Your Applications

    The Purpose

    Get a clear view of the applications that contribute to your organization’s objectives.

    Key Benefits Achieved

    A key element of IT value delivery is its applications. Gaining awareness allows you to evaluate if the right value is being provided.

    Activities

    2.1 Determine your complete list of applications.

    2.2 Determine the health of your applications.

    2.3 Link your applications to the organization’s core components.

    Outputs

    List of applications

    Application list with health statistics filled in

    List of applications with health metrics bound to the organization’s core components

    3 Understanding Your Projects

    The Purpose

    Get a clear view of your project portfolio and how it relates to your applications and their organizing principle.

    Key Benefits Achieved

    An understanding of your project portfolio.

    Activities

    3.1 List all in-flight projects and vital health statistics.

    3.2 Map out the key programs and projects in your portfolio to the application’s core components.

    Outputs

    List of projects

    List of projects mapped to applications they impact

    4 Rolling Out the New Dashboard

    The Purpose

    Bring together your application and project portfolios in a new, easy-to-use dashboard with a full rollout plan.

    Key Benefits Achieved

    Dashboard available for use

    Roadmap and communication plan to make dashboard implementable and tangible

    Activities

    4.1 Test the dashboard.

    4.2 Define your refresh cadence.

    4.3 Plan your implementation.

    4.4 Develop your communication plan.

    Outputs

    Validated dashboards

    Business Value

    • Buy Link or Shortcode: {j2store}7|cart{/j2store}
    • Related Products: {j2store}7|crosssells{/j2store}
    • Up-Sell: {j2store}7|upsells{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Financial Management
    • Parent Category Link: /financial-management
    Maximize your ROI on IT through benefits realization

    Data security consultancy

    Data security consultancy

    Based on experience
    Implementable advice
    human-based and people-oriented

    Data security consultancy makes up one of Tymans Group’s areas of expertise as a corporate consultancy firm. We are happy to offer our insights and solutions regarding data security and risk to businesses, both through online and offline channels. Read on and discover how our consultancy company can help you set up practical data security management solutions within your firm.

    How our data security consultancy services can help your company

    Data security management should be an important aspect of your business. As a data security consultancy firm, Tymans Group is happy to assist your small or medium-sized enterprise with setting up clear protocols to keep your data safe. As such, we can advise on various aspects comprising data security management. This ranges from choosing a fit-for-purpose data architecture to introducing IT incident management guidelines. Moreover, we can perform an external IT audit to discover which aspects of your company’s data security are vulnerable and which could be improved upon.

    Security and risk management

    Our security and risk services

    Security strategy

    Security Strategy

    Embed security thinking through aligning your security strategy to business goals and values

    Read more

    Disaster Recovery Planning

    Disaster Recovery Planning

    Create a disaster recovey plan that is right for your company

    Read more

    Risk Management

    Risk Management

    Build your right-sized IT Risk Management Program

    Read more

    Check out all our services

    Discover our practical data security management solutions

    Data security is just one aspect with which our consultancy firm can assist your company. Tymans Group offers its extensive expertise in various corporate management domains, such as quality management and risk management. Our solutions all stem from our vast expertise and have proven their effectiveness. Moreover, when you choose to employ our consultancy firm for your data security management, you benefit from a holistic, people-oriented approach.

    Set up an appointment with our experts

    Do you wish to learn more about our data security management solutions and services for your company? We are happy to analyze any issues you may be facing and offer you a practical solution if you contact us for an appointment. You can book a one-hour online talk or elect for an on-site appointment with our experts. Contact us to set up your appointment now.

    Continue reading

    Gain Control of Cloud Integration Strategies Before they Float Away

    • Buy Link or Shortcode: {j2store}362|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Enterprise Integration
    • Parent Category Link: /enterprise-integration
    • IT is typically backlogged with tasks while the business waits to implement key solutions to remain competitive. In this competitive space, Cloud solutions offer attractive benefits to business stakeholders especially around agility and cost.
    • Moving to the Cloud involves more than outsourcing a component of the technology stack. Roles, processes, and authentication technologies need to be redefined to fit a distributed stack where parts of the IT solution space reside on-premise while the rest are in the Cloud.
    • Cloud integration means accepting loss of control in product development. A Cloud vendor will address the needs of most constituents and any high degree of customization which counteracts their business model. This makes integration a complex initiative involving two separate parties trying to align.

    Our Advice

    Critical Insight

    • Cloud integration is a fundamental commitment to change within the organization as it deeply impacts roles, processes, and technologies.
    • Be prepared to lose some degree of control of SLA management. IT will have to manage multiple Cloud SLAs and deliver a lowest common approach to the business. This may mean lowering the SLA standards previously set with on-premise solutions.
    • Cloud integration isn’t just about the technology. It is a dedication to establish solid relationships with the Cloud vendor. Understanding where the cloud solution is moving and what issues are being addressed are critical to creating an organizational road map for the future.

    Impact and Result

    • Develop a Cloud integration strategy by proactively understanding the impact of Cloud integration efforts to the organization.
    • Realize that Cloud integration will be an ongoing process of collaboration with the business, and that the initial implementation does not constitute an end.
    • Implement an integrated support structure that includes on-premise and cloud stacks.

    Gain Control of Cloud Integration Strategies Before they Float Away Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the impacts of Cloud computing on Data, Application, Access, and Service Level Agreement integration

    Assess your current level of Cloud adoption and integration, focusing on solutions that are emerging in the market and the applicability to your IT environment.

    • Storyboard: Gain Control of Cloud Integration Strategies Before they Float Away
    • Cloud Integration Checklist
    • None
    [infographic]

    Assess Your Cybersecurity Insurance Policy

    • Buy Link or Shortcode: {j2store}255|cart{/j2store}
    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $33,656 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations must adapt their information security programs to accommodate insurance requirements.
    • Organizations need to reduce insurance costs.
    • Some organizations must find alternatives to cyber insurance.

    Our Advice

    Critical Insight

    • Shopping for insurance policies is not step one.
    • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
    • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

    Impact and Result

    Perform an insurance policy comparison with scores based on policy coverage and exclusions.

    Assess Your Cybersecurity Insurance Policy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

    • Assess Your Cybersecurity Insurance Policy Storyboard

    2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

    Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

    • Threat and Risk Assessment Tool
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • DRP BIA Scoring Context Example
    • Cyber Insurance Policy Comparison Tool
    • Cyber Insurance Controls Checklist

    Infographic

    Leadership Workshop Overview

    • Buy Link or Shortcode: {j2store}475|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $69,299 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Leadership Development Programs
    • Parent Category Link: /leadership-development-programs

    Leadership has evolved over time. The velocity of change has increased and leadership for the future looks different than the past.

    Our Advice

    Critical Insight

    Development of the leadership mind should never stop. This program will help IT leaders continue to craft their leadership competencies to navigate the ever-changing world in which we operate.

    Impact and Result

    • Embrace and lead change through active sharing, transparency, and partnerships.
    • Encourage growth mindset to enhance innovative ideas and go past what has always been done.
    • Actively delegate responsibilities and opportunities that engage and develop team members to build on current skills and prepare for the future.

    Leadership Workshop Overview Research & Tools

    Start here – read the Workshop Overview

    Read our concise Workshop Overview to find out how this program can support the development needs of your IT leadership teams.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Info-Tech Leadership Workshop Overview
    [infographic]

    Plan Your Digital Transformation on a Page

    • Buy Link or Shortcode: {j2store}81|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $34,649 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Digital investments often under deliver on expectations of return, and there is no cohesive approach to managing the flow of capital into digital.
    • The focus of the business has historically been to survive technological disruption rather than to thrive in it.
    • Strategy is based mostly on opinion rather than an objective analysis of the outcomes customers want from the organization.
    • Digital is considered a buzzword – nobody has a clear understanding of what it is and what it means in the organization’s context.

    Our Advice

    Critical Insight

    • The purpose of going digital is getting one step closer to the customer. The mark of a digital organization lies in how they answer the question, “How does what we’re doing contribute to what the customer wants from us?”
    • The goal of digital strategy is digital enablement. An organization that is digitally enabled no longer needs a digital strategy, it’s just “the strategy.”

    Impact and Result

    • Focus strategy making on delivering the digital outcomes that customers want.
      • Leverage the talent, expertise, and perspectives within the organization to build a customer-centric digital strategy.
    • Design a balanced digital strategy that creates value across the five digital value pools:
      • Digital marketing, digital channels, digital products, digital supporting capabilities, and business model innovation.
    • Ask how disruption can be leveraged, or even become the disruptor.
      • Manage disruption through quick-win approaches and empowering staff to innovate.
    • Use a Digital Strategy-on-a-Page to spark the digital transformation.
      • Drive awareness and alignment on the digital vision and spark your organization’s imagination around digital.

    Plan Your Digital Transformation on a Page Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand how digital disruption is driving the need for transformation, and how Info-Tech’s methodology can help.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope the digital transformation

    Learn how to apply the Digital Value Pools thought model and scope strategy around them.

    • Plan Your Digital Transformation on a Page – Phase 1: Scope the Digital Transformation

    2. Design the digital future state vision

    Identify business imperatives, define digital outcomes, and define the strategy’s guiding principles.

    • Plan Your Digital Transformation on a Page – Phase 2: Design the Digital Future State Vision
    • Digital Strategy on a Page

    3. Define the digital roadmap

    Define, prioritize, and roadmap digital initiatives and plan contingencies.

    • Plan Your Digital Transformation on a Page – Phase 3: Define the Digital Roadmap

    4. Sustain digital transformation

    Create, polish, and socialize the Digital Strategy-on-a-Page.

    • Plan Your Digital Transformation on a Page – Phase 4: Sustain Digital Transformation
    [infographic]

    Workshop: Plan Your Digital Transformation on a Page

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Scope the Digital Transformation

    The Purpose

    Identify the need for and use of digital strategy and determine a realistic scope for the digital strategy.

    Key Benefits Achieved

    The digital strategy project is planned and scoped around a subset of the five digital value pools.

    Activities

    1.1 Introduction to digital strategy.

    1.2 Establish motivation for digital.

    1.3 Discuss in-flight digital investments.

    1.4 Define the scope of digital.

    1.5 Identify stakeholders.

    1.6 Perform discovery interviews.

    1.7 Select two value pools to focus day 2, 3, and 4 activities.

    Outputs

    Business model canvas

    Stakeholder power map

    Discovery interview results

    Two value pools for focus throughout the workshop

    2 Design the Digital Future State Vision

    The Purpose

    Create guiding principles to help define future digital initiatives. Generate the target state with the help of strategic goals.

    Key Benefits Achieved

    Establish the basis for planning out the initiatives needed to achieve the target state from the current state.

    Activities

    2.1 Identify digital imperatives.

    2.2 Define key digital outcomes.

    2.3 Create a digital investment thesis.

    2.4 Define digital guiding principles.

    Outputs

    Corporate strategy analysis, PESTLE analysis, documented operational pain points (value streams)

    Customer needs assessment (journey maps)

    Digital investment thesis

    Digital guiding principles

    3 Define the Digital Roadmap

    The Purpose

    Understand the gap between the current and target state. Create transition options and assessment against qualitative and quantitative metrics to generate a list of initiatives the organization will pursue to reach the target state. Build a roadmap to plan out when each transition initiative will be implemented.

    Key Benefits Achieved

    Finalize the initiatives the organization will use to achieve the target digital state. Create a roadmap to plan out the timing of each initiative and generate an easy-to-present document for digital strategy approval.

    Activities

    3.1 Identify initiatives to achieve digital outcomes.

    3.2 Align in-flight initiatives to digital initiatives.

    3.3 Prioritize digital initiatives.

    3.4 Document architecturally significant requirements for high-priority initiatives.

    Outputs

    Digital outcomes and KPIs

    Investment/value pool matrix

    Digital initiative prioritization

    Architecturally significant requirements for high-priority initiatives

    4 Define the Digital Roadmap

    The Purpose

    Plan your approach to socializing the digital strategy to help facilitate the cultural changes necessary for digital transformation.

    Key Benefits Achieved

    Plant the seed of digital and innovation to start making digital a part of the organization’s DNA.

    Activities

    4.1 Review and refine Digital Strategy on a Page.

    4.2 Assess company culture.

    4.3 Define high-level cultural changes needed for successful transformation.

    4.4 Define the role of the digital transformation team.

    4.5 Establish digital transformation team membership and desired outcomes.

    Outputs

    Digital Strategy on a Page

    Strategyzer Culture Map

    Digital transformation team charter

    Drive Business Value With Off-the-Shelf AI

    • Buy Link or Shortcode: {j2store}205|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • Understanding the impact of the machine learning/AI component that is built into most of the enterprise products and tools and its role in the implementation of the solution.
    • Understanding the most important aspects that the organization needs to consider while planning the implementation of the AI-powered product.

    Our Advice

    Critical Insight

    • Organizations are faced with multiple challenges trying to adopt AI solutions. Challenges include data issues, ethics and compliance considerations, business process challenges, and misaligned leadership goals.
    • When choosing the right product to meet business needs, organizations need to know what questions to ask vendors to ensure they fully understand the implications of buying an AI/ML product.
    • To guarantee the success of your off-the-shelf AI implementation and ensure it delivers value, you must start with a clear definition of the business case and an understanding of your data.

    Impact and Result

    To guarantee success of the off-the-shelf AI implementation and deliver value, in addition to formulating a clear definition of the business case and understanding of data, organizations should also:

    • Know what questions to ask vendors while evaluating AI-powered products.
    • Measure the impact of the project on business and IT processes.

    Drive Business Value With Off-the-Shelf AI Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive Business Value With Off-the-Shelf AI Deck – A step-by-step approach that will help guarantee the success of your Off-the-Shelf AI implementation and ensure it delivers business value

    Use this practical and actionable framework that will guide you through the planning of your Off-the-Shelf AI product implementation.

    • Drive Business Value With Off-the-Shelf AI Storyboard

    2. Off-the-Shelf AI Analysis – A tool that will guide the analysis and planning of the implementation

    Use this analysis tool to ensure the success of the implementation.

    • Off-the-Shelf AI Analysis

    Infographic

    Further reading

    Drive Business Value With Off-the-Shelf AI

    A practical guide to ensure return on your Off-the-Shelf AI investment

    Executive Summary

    Your Challenge
    • Understanding the impact of the machine learning/AI component that is built into most of the enterprise products and tools and its role in the implementation of the solution.
    • What are the most important aspects that organizations needs to consider while planning the implementation of the AI-powered product?
    Common Obstacles
    • Organizations are faced with multiple challenges trying to adopt an AI solution. Challenges include data issues, ethics and compliance considerations, business process challenges, and misaligned leadership goals.
    • When choosing the right product to meet business needs, organizations need to know what questions to ask vendors to ensure they fully understand the implications of buying an AI/ML product.
    Info-Tech’s Approach

    Info-Tech’s approach includes a framework that will guide organizations through the process of the Off-the-Shelf AI product selection.

    To guarantee success of the Off-the-Shelf AI implementation and deliver value, organization should start with clear definition of the business case and an understanding of data.

    Other steps include:

    • Knowing what questions to ask vendors to evaluate AI-powered products.
    • Measuring the impact of the project on your business and IT processes.
    • Assessing impact on the organization and ensure team readiness.

    Info-Tech Insight

    To guarantee the success of your Off-the-Shelf AI implementation and ensure it delivers value, you must start with a clear definition of the business case and an understanding of your data.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Getting value out of AI and machine learning investments

    92.1%

    of companies say they are achieving returns on their data and AI investments

    91.7%

    said they were increasing investments in data and AI

    26.0%

    of companies have AI systems in widespread production
    However, CIO Magazine identified nine main hurdles to AI adoption based on the survey results:
    • Data issues
    • Business process challenges
    • Implementation challenges and skill shortages
    • Costs of tools and development
    • Misaligned leadership goals
    • Measuring and proving business value
    • Legal and regulatory risks
    • Cybersecurity
    • Ethics
    • (Source: CIO, 2019)
    “Data and AI initiatives are becoming well established, investments are paying off, and companies are getting more economic value from AI.” (Source: NewVantage, 2022.)

    67% of companies are currently using machine learning, and 97% are using or planning to use it in the next year.” (Source: Deloitte, 2020)

    AI vs. ML

    Machine learning systems learn from experience and without explicit instructions. They learn patterns from data then analyze and make predictions based on past behavior and the patterns learned.

    Artificial intelligence is a combination of technologies and can include machine learning. AI systems perform tasks mimicking human intelligence such as learning from experience and problem solving. Most importantly, AI is making its own decisions without human intervention.

    The AI system can make assumptions, test these assumptions, and learn from the results.

    (Level of decision making required increases from left to right)
    Statistical Reasoning
    Infer relationships between variables

    Statistical models are designed to find relationships between variables and the significance of those relationships.

    Machine Learning:
    Making accurate predictions

    Machine learning is a subset of AI that discovers patterns from data without being explicitly programmed to do so.

    Artificial Intelligence
    Dynamic adaptation to novelty

    AI systems choose the optimal combination of methods to solve a problem. They make assumptions, reassess the model, and reevaluate the data.

    “Machine learning is the study of computer algorithms that improve automatically through experience.” (Tom Mitchell, 1997)

    “At its simplest form, artificial intelligence is a field, which combines computer science and robust datasets, to enable problem-solving.” (IBM, “What is artificial intelligence?”)

    Types of Off-the-Shelf AI products and solutions

    ML/AI-Powered Products Off-the-Shelf Pre-built and Pre-trained AI/ML Models
    • AI/ML capabilities built into the product and might require training as part of the implementation.
    • Off-the-Shelf ML/AI Models, pre-built, pre-trained, and pre-optimized for a particular task. For example, language models or image recognition models that can be used to speed up and simplify ML/AI systems development.
    Examples of OTS tools/products: Examples of OTS models:

    The data inputs for these models are defined, the developer has to conform to the provided schema, and the data outputs are usually fixed due to the particular task the OTS model is built to solve.

    Insight summary

    Overarching insight:

    To guarantee the success of your Off-the-Shelf AI implementation and ensure it delivers value, you must start with a clear definition of the business case and an understanding of your data.

    Business Goals

    Question the value that AI adds to the tool you are evaluating. Don’t go after the tool simply because it has an AI label attached to it. AI/ML capabilities might add little value but increase implementation complexity. Define the problem you are solving and document business requirements for the tool or a model.

    Data

    Know your data. Determine data requirements to:

    • Train the model during the implementation and development.
    • Run the model in production.

    People/Skills

    Define the skills required for the implementation and assemble the team that will support the project from requirements to deployment and support, through its entire lifecycle. Don’t forget about production support and maintenance.

    Choosing an AI-Powered Tool

    No need to reinvent the wheel and build a product you can buy, but be prepared to work around tool limitations, and make sure you understand the data and the model the tool is built on.

    Choosing an AI/ML Model

    Using Off-the-Shelf-AI models enables an agile approach to system development. Faster POC and validation of ideas and approaches, but the model might not be customizable for your requirements.

    Guaranteeing Off-the-Shelf AI Implementation Success

    Info-Tech Insight

    To guarantee the success of your Off-the-Shelf AI implementation and ensure it delivers value, you must start with a clear definition of the business case and an understanding of your data.

    Why do you need AI in your toolset?
    Business Goals

    Clearly defined problem statement and business requirements for the tool or a model will help you select the right solution that will deliver business value even if it does not have all the latest bells and whistles.

    Small chevron pointing right.
    Do you know the data required for implementation?
    Data

    Expected business outcome defines data requirements for implementation. Do you have the right data required to train and run the model?

    Large chevron pointing right.
    Is your organization ready for AI?
    People/Team/ Skills

    New skills and expertise are required through all phases of the implementation: design, build, deployment, support, and maintenance, as well as post-production support, scaling, and adoption.

    Data Architecture/ Infrastructure

    New tool or model will impact your cloud and integration strategy. It will have to integrate with the existing infrastructure, in the cloud or on prem.

    Large chevron pointing right.
    What questions do you need to ask when choosing the solution?
    Product/ Tool or Model Selection

    Do you know what model powers the AI tool? What data was used to train the tool and what data is required to run it? Ask the right questions.

    Small chevron pointing right.
    Are you measuring impact on your processes?
    Business and IT Processes

    Business processes need to be defined or updated to incorporate the output of the tool back into the business processes to deliver value.

    IT governance and support processes need to accommodate the new AI-powered tool.

    Small chevron pointing right.
    Realize and measure business value of your AI investment
    Value

    Do you have a clear understanding of the value that AI will bring to your organization?Optimization?Increased revenue?Operational efficiency?

    Introduction of Off-the-Shelf AI Requires a Strategic Approach

    Business Goals and Value Data People/Team/ Skills Infrastructure Business and IT Processes
    AI/ML–powered tools
    • Define a business problem that can be solved with either an AI-powered tool or an AI/ML pre-built model that will become part of the solution.
    • Define expectations and assumptions around the value that AI can bring.
    • Document business requirements for the tool or model.
    • Define the scope for a prototype or POC.
    • Define data requirements.
    • Define data required for implementation.
    • Determine if the required data can be acquired or captured/generated.
    • Document internal and external sources of data.
    • Validate data quality (define requirements and criteria for data quality).
    • Define where and how the data is stored and will be stored. Does it have to be moved or consolidated?
    • Define all stakeholders involved in the implementation and support.
    • Define skills and expertise required through all phases of the implementation: design, build, deployment, support, and maintenance.
    • Define skills and expertise required to grow AI practice and achieve the next level of adoption, scaling, and development of the tool or model POC.
    • Define infrastructure requirements for either Cloud, Software-as-a-Service, or on-prem deployment of a tool or model.
    • Define how the tool is integrated with existing systems and into existing infrastructure.
    • Determine the cost to deploy and run the tool/model.
    • Define processes that need to be updated to accommodate new functionality.
    • Define how the outcome of the tool or a model (e.g. predictions) are incorporated back into the business processes.
    • Define new business and IT processes that need to be defined around the tool (e.g. chatbot maintenance; analysis of the data generated by the tool).
    Off-the-shelf AI/ML pre-built models
    • Define the business metrics and KPIs to measure success of the implementation against.
    • Determine if there are requirements for a specific data format required for the tool or a model.
    • Determine if there is a need to classify/label the data (supervised learning).
    • Define privacy and security requirements.
    • Define requirements for employee training. This can be vendor training for a tool or platform training in the case of a pre-built model or service.
    • Define if ML/AI expertise is required.
    • Is the organization ready for ML/AI? Conduct an AI literacy survey and understand team’s concerns, fears, and misconceptions and address them.
    • Define requirements for:
      • Data migration.
      • Security.
      • AI/ML pipeline deployment and maintenance.
    • Define requirements for operation and maintenance of the tool or model.
    • Confirm infrastructure readiness.
    • How AI and its output will be used across the organization.

    Define Business Goals and Objectives

    Why do you need AI in your toolset? What value will AI deliver? Have a clear understanding of business benefits and the value AI delivers through the tool.

    • Define a business problem that can be solved with either an AI-powered tool or AI/ML pre-built model.
    • Define expectations and assumptions around the value that AI can bring.
    • Document business requirements for a tool or model.
    • Start with the POC or a prototype to test assumptions, architecture, and components of the solution.
    • Define business metrics and KPIs to measure success of the implementation.

    Info-Tech Insight

    Question the value that AI adds to the tool you are evaluating. Don’t go after the tool simply because it has an AI label attached to it. AI/ML capabilities might add little value but increase implementation complexity. Define the problem you are solving and document business requirements for the tool or a model.

    Venn diagram of 'Applied Artificial Intelligence (AAI)' with a larger circle at the top, 'Machine Learning (ML)', and three smaller ovals intersecting, 'Computer Vision', 'Natural Language Processing (NLP)', and 'Robotic Process Automation (RPA)'.

    AAI solutions and technologies are helping organizations make faster decisions and predict future outcomes such as:

    • Business process automation
    • Intelligent integration
    • Intelligent insights
    • Operational efficiency improvement
    • Increase revenue
    • Improvement of existing products and services
    • Product and process innovation

    1. Use Info-Tech’s Off-the-Shelf AI Analysis Tool to define business drivers and document business requirements

    2-3 hours
    Screenshot of the Off-the-Shelf AI Analysis Tool's Business Drivers tab, a table with columns 'AI/ML Tool or Model', 'Use Case', 'Business problem / goal for AI/ML use case', 'Description', 'Business Owner (Primary Stakeholder)', 'Priority', 'Stakeholder Groups Impacted', 'Requirements Defined? Yes/No', 'Related Data Domains', and 'KPIs'. Use the Business Drivers tab to document:
    • Business objectives of the initiative that might drive the AI/ML use case.
    • The business owner or primary stakeholder who will help to define business value and requirements.
    • All stakeholders who will be involved or impacted.
    • KPIs that will be used to assess the success of the POC.
    • Data required for the implementation.
    • Use the Business Requirements tab to document high-level requirements for a tool or model.
    • These requirements will be used while defining criteria for a tool selection and to validate if the tool or model meets your business goals.
    • You can use either traditional BRD format or a user story to document requirements.
    Screenshot of the Off-the-Shelf AI Analysis Tool's Business Requirements tab, a table with columns 'Requirement ID', 'Requirement Description / user story', 'Requirement Category', 'Stakeholder / User Role', 'Requirement Priority', and 'Complexity (point estimates)'.

    Download the Off-the-Shelf AI Analysis Tool

    1. Define business drivers and document business requirements

    Input

    • Strategic plan of the organization
    • Data strategy that defines target data capabilities required to support enterprise strategic goals
    • Roadmap of business and data initiatives to support target state of data capabilities

    Output

    • Prioritized list of business use cases where an AI-powered tool or AI/ML can deliver business value
    • List of high-level requirements for the selected use case

    Materials

    • Whiteboard/Flip Charts
    • Off-the-Shelf-AI Analysis Tool, “Business Drivers” and “Business Requirements” tabs

    Participants

    • CIO
    • Senior business and IT stakeholders
    • Data owner(s)
    • Data steward(s)
    • Enterprise Architect
    • Data Architect
    • Data scientist/Data analyst

    Understand data required for implementation

    Do you have the right data to implement and run the AI-powered tool or AI/ML model?

    Info-Tech Insight

    Know your data. Determine data requirements to:

    • Train the model during the implementation and development, and
    • Run the model in production
    AvailabilityArrow pointing rightQualityArrow pointing rightPreparationArrow pointing rightBias, Privacy, SecurityArrow pointing rightData Architecture
    • Define what data is required for implementation, e.g. customer data, financial data, product sentiment.
    • If the data is not available, can it be acquired, gathered, or generated?
    • Define the volume of data required for implementation and production.
    • If the model has to be trained, do you have the data required for training (e.g. dictionary of terms)? Can it be created, gathered, or acquired?
    • Document internal and external sources of data.
    • Evaluate data quality for all data sources based on the requirements and criteria defined in the previous step.
    • For datasets with data quality issues, determine if the data issues can be resolved (e.g. missing values are inferred). If not, can this issue be resolved by using other data sources?
    • Engage a Data Governance organization to address any data quality concerns.
    • Determine if there are requirements for a specific data format required for the tool or model.
    • Determine if there is a need to classify/label or tag the data. What are the metadata requirements?
    • Define whether or not the implementation team needs to aggregate or transform the data before it can be used.
    • Define privacy requirements, as these might affect the availability of the data for ML/AI.
    • Define data bias concerns and considerations. Do you have datasheets for datasets that will be used in this project? What datasets cannot be used to prevent bias?
    • What are the security requirements and how will they affect data storage, product selection, and infrastructure requirements for the tool and overall solution?
    • Define where and how the data is currently stored and will be stored.
    • Does it have to be migrated or consolidated? Does it have to be moved to the cloud or between systems?
    • Is a data lake or data warehouse a requirement for this implementation as defined by the solution architecture?

    2. Use Info-Tech’s Off-the-Shelf AI Analysis Tool to document data requirements

    2-3 hours

    Use the Data tab to document the following for each data source or dataset:
    • Data Domain – e.g. Customer data
    • Data Concept – e.g. Customer
    • Data Internally Accessible – Identify datasets that are required for the implementation even if the data might not be available internally. Work on determining if the data ca be acquired externally or collected internally.
    • Source System – define the primary source system for the data, e.g. Salesforce
    • Target System (if applicable) – Define if the data needs to be migrated/transferred. For example, you might use a datalake or data warehouse for the AI/ML solution or migrate data to the cloud.
    • Classification/Taxonomy/Ontology
    • Data Steward
    • Data Owner
    • Data Quality – Data quality indicator
    • Refresh Rate – Frequency of data refresh. Indicate if the data can be accessed in real time or near-real time

    Screenshot of the Off-the-Shelf AI Analysis Tool's Data tab, a spreadsheet table with the columns listed to the left and below.
    • Retention – Retention policy requirements
    • Compliance Requirements – Define if data has to comply with any of the regulatory requirements, e.g. GDPR
    • Privacy, Bias, and Ethics Considerations – Privacy Act, PIPEDA, etc. Identify if the dataset contains sensitive information that should be excluded from the model, such as gender, age, race etc. Indicate fairness metrics, if applicable.

    Download the Off-the-Shelf AI Analysis Tool

    2. Document data requirements

    Input

    • Documented business use cases from Step 1.
    • High-level business requirements from Step 1.
    • Data catalog, data dictionaries, business glossary
    • Data flows and data architecture

    Output

    • High-level data requirements
    • List of data sources and datasets that can be used for the implementation
    • Datasets that need to be collected or acquired externally

    Materials

    • Whiteboard/Flip Charts
    • Off-the-Shelf AI Analysis Tool, “Data” tab

    Participants

    • CIO
    • Business and IT stakeholders
    • Data owner(s)
    • Data steward(s)
    • Enterprise Architect
    • Data Architect
    • Data scientist/Data analyst

    Is Your Organization Ready for AI?

    Assess organizational readiness and define stakeholders impacted by the implementation. Build the team with the right skillset to drive the solution.

    • Implementation of the AI/ML-powered Off-the-Shelf Tool or an AI/ML model will require a team with a combination of skills through all phases of the project, from design of the solution to build, production, deployment, and support.
    • Document the skillsets required and determine the skills gap. Before you start hiring, depending on the role, you might find talent within the organization to join the implementation team with little to no training.
    • AI/ML resources that may be needed on your team driving AI implementation (you might consider bringing part-time resources to fill the gaps or use vendor developers) are:
      • Data Scientist
      • Machine Learning Engineer
      • Data Engineer
      • Data Architect
      • AI/ML Ops engineer
    • Define training requirements. Consider vendor training for a tool or platform.
    • Plan for future scaling and the growing of the solution and AI practice. Assess the need to apply AI in other business areas. Work with the team to analyze use cases and prioritize AI initiatives. As the practice grows, grow your team expertise.
    • Identify the stakeholders who will be affected by the AI implementation.
    • Work with them to understand and address any concerns, fears, or misconceptions around the role of AI and the consequences of bringing AI into the organization.
    • Develop a communication and change management plan to educate everyone within the organization on the application and benefits of using AI and machine learning.

    Info-Tech Insight:

    Define the skills required for the implementation and assemble the team that will support the project through its entire lifecycle. Don’t forget about production, support, and maintenance.

    3. Build your implementation team

    1-2 hours

    Input: Solution conceptual design, Current resource availability

    Output: Roles required for the implementation of the solution, Resources gap analysis, Training and hiring plan

    Materials: Whiteboard/Flip charts, Off-the-Shelf AI Analysis Tool, “People and Team” tab

    Participants: Project lead, HR, Enterprise Architect

    1. Review your solution conceptual design and define implementation team roles.
    2. Document requirements for each role.
    3. Review current org chart and job descriptions and identify skillset gaps. Draft an action plan to fill in the roles.
    4. Use Info-Tech’s Off-the-Shelf AI Analysis Tool's People and Team tab to document team roles for the entire implementation, including design, build/implement, deployment, support and maintenance, and future development.

    Screenshot of the Off-the-Shelf AI Analysis Tool's People and Team tab, a table with columns 'Design', 'Implement', 'Deployment', 'Support and Maintenance', and 'Future Development'.

    Download the Off-the-Shelf AI Analysis Tool

    Cloud, SaaS or On Prem – what are my options and what is the impact?

    Depending on the architecture of the solution, define the impact on the current infrastructure, including system integration, AI/ML pipeline deployment, maintenance, and data storage

    • Data Architecture: use the current data architecture to design the architecture for an AI-powered solution. Assess changes to the data architecture with the introduction of a new tool to make sure it is scalable enough to support the change.
    • Define infrastructure requirements for either Cloud, Software-as-a-Service, or on-prem deployment of a tool or model.
    • Define how the tool will be integrated with existing systems and into existing infrastructure.
    • Define requirements for:
      • Data migration and data storage
      • Security
      • AI/ML pipeline deployment, production monitoring, and maintenance
    • Define requirements for operation and maintenance of the tool or model.
    • Work with your infrastructure architect and vendor to determine the cost of deploying and running the tool/model.
    • Make a decision on the preferred architecture of the system and confirm infrastructure readiness.

    Download the Create an Architecture for AI blueprint

    4. Use Info-Tech’s Off-the-Shelf AI Analysis Tool to document infrastructure decisions

    2-3 hours

    Input: Solution conceptual design

    Output: Infrastructure requirements, Infrastructure readiness assessment

    Materials: Whiteboard/Flip charts, Off-the-Shelf AI Analysis Tool, “Infrastructure” tab

    Participants: Infrastructure Architect, Solution Architect, Enterprise Architect, Data Architect, ML/AI Ops Engineer

    1. Work with Infrastructure, Data, Solution, and Enterprise Architects to define your conceptual solution architecture.
    2. Define integration and storage requirements.
    3. Document security requirements for the solution in general and the data specifically.
    4. Define MLOps requirements and tools required for ML/AI pipeline deployment and production monitoring.
    5. Use Info-Tech’s Off-the-Shelf AI Analysis Tool's Infrastructure tab to document requirements and decisions around Data and Infrastructure Architecture.

    Screenshot of the Off-the-Shelf AI Analysis Tool's Infrastructure tab, a table with columns 'Cloud, SaaS or On-Prem', 'Data Migration Requirements', 'Data Storage Requirements', 'Security Requirements', 'Integrations Required', and 'AI/ML Pipeline Deployment and Maintenance Requirements'.

    Download the Off-the-Shelf AI Analysis Tool

    What questions do you need to ask vendors when choosing the solution?

    Take advantage of Info-Tech’s Rapid Application Selection Framework (RASF) to guide tool selection, but ask vendors the right questions to understand implications of having AI/ML built into the tool or a model

    Data Model Implementation and Integration Deployment Security and Compliance
    • What data (attributes) were used to train the model?
    • Do you have datasheets for the data used?
    • How was data bias mitigated?
    • What are the data labeling/classification requirements for training the model?
    • What data is required for production? E.g. volume; type of data, etc.
    • Were there any open-source libraries used in the model? If yes, how were vulnerabilities and security concerns addressed?
    • What algorithms are implemented in the tool/model?
    • Can model parameters be configured?
    • What is model accuracy?
    • Level of customization required for the implementation to meet our requirements.
    • Does the model require training? If yes, can you provide details? Can you estimate the effort required?
    • Integration capabilities and requirements.
    • Data migration requirements for tool operation and development.
    • Administrator console – is this functionality available?
    • Implementation timeframe.
    • Is the model or tool deployable on premises or in the cloud? Do you support hybrid cloud and multi-cloud deployment?
    • What cloud platforms are your product/model integrated with (AWS, Azure, GCP)?
    • What are the infrastructure requirements?
    • Is the model containerized/ scalable?
    • What product support and product updates are available?
    • Regulatory compliance (GDPR, PIPEDA, HIPAA, PCI DSS, CCPA, SOX, etc.)?
    • How are data security risks addressed?

    Use Info-Tech’s Off-the-Shelf AI Analysis Tool, “Vendor Questionnaire” tab to track vendor responses to these questions.

    Are you measuring impact on your processes?

    Make sure that you understand the impact of the new technology on the existing business and IT processes.

    And make sure your business processes are ready to take advantage of the benefits and new capabilities enabled by AI/ML.

    Process automation, optimization, and improvement enabled by the technology and AI/ML-powered tools allow organizations to reduce manual work, streamline existing business processes, improve customer satisfaction, and get critical insights to assist decision making.

    To take full advantage of the benefits and new capabilities enabled by the technology, make sure that business and IT processes reflect these changes:

    • Processes that need to be updated.
    • How the outcome of the tool or a model (e.g. predictions) is incorporated into the existing business processes and the processes that will monitor the accuracy of the outcome and monitor performance of the tool or model.
    • New business and IT processes that need to be defined for the tool (e.g. chatbot maintenance, analysis of the data generated by the tool, etc.).

    5. Document the Impact on Business and IT Processes

    2-3 hours

    Input: Solution design, Existing business and IT processes

    Output: Documented updates to the existing processes, Documented new business and IT processes

    Materials: Whiteboard/Flip charts, Off-the-Shelf AI Analysis Tool, “Business and IT Processes” tab

    Participants: Project lead, Business stakeholders, Business analyst

    1. Review current business processes affected by the implementation of the AI/ML- powered tool or model. Define the changes that need to be made. The changes might include simplification of the process due to automation of some of the steps. Some processes will need to be redesigned and some processes might become obsolete.
    2. Document high-level steps for any new processes that need to be defined around the AI/ML-powered tool. An example of such a process would be defining new IT and business processes to support a new chatbot.
    3. Use Info-Tech’s Off-the-Shelf AI Analysis Tool's Business and IT Processes tab, to document process changes.

    Screenshot of the Off-the-Shelf AI Analysis Tool's Business and IT Processes tab, a table with columns 'Existing business process affected', 'New business process', 'Stakeholders involved', 'Changes to be made', and 'New Process High-Level Steps'.

    Download the Off-the-Shelf AI Analysis Tool

    AI-powered Tools – Considerations

    PROS:
    • Enhanced functionality, allows the power of AI without specialized skills (e.g., Mathematica – recognizing patterns in data).
    • Might be a cheaper option compared to building a solution in-house (chatbot, for ex.).

    Info-Tech Insight:

    No need to reinvent the wheel and build the product you can buy, but be prepared to work around tool limitations, and make sure you understand the data and the model the tool is built on.

    CONS:
    • Dependency on the service provider.
    • The tool might not meet all the business requirements without customization.
    • Bias can be built into the tool:
      • Work with the vendor to understand what data was used to train the model.
      • From the perspective of ethics and bias, learn what model is implemented in the tool and what data attributes the model uses.

    Pre-built/pre-trained models – what to keep in mind when choosing

    PROS:
    • Lower cost and less time to development compared to creating and training models from scratch (e.g. using image recognition models or pre-trained language models like BERT).
    • If the pre-trained and optimized model perfectly fits your needs, the model accuracy might be high and sufficient for your scenario.
    • Off-the-Shelf AI models are useful for creating prototypes or POCs, for testing a hypothesis, and for validating ideas and requirements.
    • Usage of Off-the-Shelf models shortens the development cycle and reduces investment risks.
    • Language models are particularly useful if you don’t have data to train your own model (a “small data” scenario).
    • Infrastructure and model training cost reduction.
    CONS:
    • Might be a challenge to deploy and maintain the system in production.
    • Lack of flexibility: you might not be able to configure input or output parameters to your requirements. For example, a pre-built sentiment analysis model might return four values (“positive,” “negative,” “neutral,” and “mixed”), but your solution will require only two or three values.
    • Might be a challenge to comply with security and privacy requirements.
    • Compliance with privacy and fairness requirements and considerations: what data was used to pretrain the model?
    • If open-source libraries were used to create the model, how will vulnerabilities, risks, and security concerns be addressed?

    Info-Tech Insight:

    Using Off-the-Shelf AI models enables an agile approach to system development – faster POC and validation of ideas and approaches, but the model might not be customizable for your requirements.

    Metrics

    Metrics and KPIs for this project will depend on the business goals and objectives that you will identify in Step 1 of the tool selection process.

    Metrics might include:

    • Reduction of time spent on a specific business process. If the tool is used to automate certain steps of a business process, this metric will measure how much time was saved, in minutes/hours, compared to the process time before the introduction of the tool.
    • Accuracy of prediction. This metric would measure the accuracy of estimations or predictions compared to the same estimations done before the implementation of the tool. It can be measured by generating the same prediction or estimation using the AI-powered tool or using any methods used before the introduction of the tool and comparing the results.
    • Accuracy of the search results. If the AI-powered tool is a search engine, compare a) how much time it would take a user to find an article or a piece of content they were searching for using new tool vs. previous techniques, b) how many steps it took the user to locate the required article in the search results, and c) the location of the correct piece of content in the search result list (at the top of the search result list or on the tenth page).
    • Time spent on manual tasks and activities. This metric will measure how much time, in minutes/hours, is spent by the employees or users on manual tasks if the tool automates some of these tasks.
    • Reduction of business process steps (if the steps are being automated). To derive this metric, create a map of the business process before the introduction of the AI-powered tool and after, and determine if the tool helped to simplify the process by reducing the number of process steps.

    Bibliography

    Adryan, Boris. “Is it all machine learning?” Badryan, Oct. 20, 2015. Accessed Feb. 2022.

    “AI-Powered Data Management Platform.” Informatica, N.d. Accessed Feb 2022.

    Amazon Rekognition. “Automate your image and video analysis with machine learning.” AWS. N.d. Accessed Feb 2022.

    “Artificial Intelligence (AI).” IBM Cloud Education, 3 June 2020. Accessed Feb 2022.

    “Artificial intelligence (AI) vs machine learning (ML).” Microsoft Azure Documentation. Accessed Feb. 2022.

    “Avante Garde in the Realm of AI” SearchUnify Cognitive Platform. Accessed Feb 2022.

    “Azure Cognitive Services.” Microsoft. N.d. Accessed Feb 2022.

    “Becoming an AI-fueled organization. State of AI in the enterprise, 4th edition,” Deloitte, 2020. Accessed Feb. 2022.

    “Coveo Predictive Search.” Coveo, N.d. Accessed Feb 2022.

    ”Data and AI Leadership. Executive Survey 2022. Executive Summary of Findings.” NewVantage Partners. Accessed Feb 2022.

    “Einstein Discovery in Tableau.” Tableau, N.d. Accessed Feb 2022.

    Korolov, Maria. “9 biggest hurdles to AI adoption.” CIO, Feb 26, 2019. Accessed Feb 2022.

    Meel, Vidushi. “What Is Deep Learning? An Easy to Understand Guide.” visio.ai. Accessed Feb. 2022.

    Mitchell, Tom. “Machine Learning,” McGraw Hill, 1997.

    Stewart, Matthew. “The Actual Difference Between Statistics and Machine Learning.” Towards Data Science, Mar 24, 2019. Accessed Feb 2022.

    “Sentiment analysis with Cognitive Services.” Microsoft Azure Documentation. Accessed February 2022.

    “Three Principles for Designing ML-Powered Products.” Spotify Blog. Oct 2019, Accessed Feb 2022.

    “Video Intelligence API.” Google Cloud Platform. N.d. Accessed Feb 2022

    Customer Relationship Management Platform Selection Guide

    • Buy Link or Shortcode: {j2store}529|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $14,719 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Customer relationship management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions.
    • After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.
    • Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for CRM platforms that don't deliver on the promise of the CRM strategy.

    Our Advice

    Critical Insight

    • IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the beginning.
    • CRM requirements dictate the components of the target CRM architecture, such as deployment model, feature focus, and customization level. Savvy application directors recognize the points in the project where the CRM architecture model necessitates deviations from a "canned" roll-out plan.
    • CRM selection is a multi-step process that involves mapping target capabilities for marketing, sales, and customer service, assigning requirements across functional categories, determining the architecture model to prioritize criteria, and developing a comprehensive RFP that can be scored in a weighted fashion.
    • Companies that succeed with CRM implementation create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Impact and Result

    • A CRM platform that effectively meets the needs of marketing, sales, and customer service and delivers value.
    • Reduced costs during CRM selection.
    • Reduced implementation costs and time frame.
    • Faster time to results after implementation.

    Customer Relationship Management Platform Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Customer Relationship Management Platform Selection Guide – Speed up the process to build your business case and select your CRM solution.

    This blueprint will help you build a business case for selecting the right CRM platform, defining key requirements, and conducting a thorough analysis and scan of the ever-evolving CRM market space.

    • Customer Relationship Management Platform Selection Guide — Phases 1-3

    2. CRM Business Case Template – Document the key drivers for selecting a new CRM platform.

    Having a sound business case is essential for succeeding with a CRM. This template will allow you to document key drivers and impact, in line with the CRM Platform Selection Guide blueprint.

    • CRM Business Case Template

    3. CRM Request for Proposal Template

    Create your own request for proposal (RFP) for your customer relationship management (CRM) solution procurement process by customizing the RFP template created by Info-Tech.

    • CRM Request for Proposal Template

    4. CRM Suite Evaluation and RFP Scoring Tool

    The CRM market has many strong contenders and differentiation may be difficult. Instead of relying solely on reputation, organizations can use this RFP tool to record and objectively compare vendors according to their specific requirements.

    • CRM Suite Evaluation and RFP Scoring Tool

    5. CRM Vendor Demo Script

    Use this template to support your business's evaluation of vendors and their solutions. Provide vendors with scenarios that prompt them to display not only their solution's capabilities, but also how the tool will support your organization's particular needs.

    • CRM Vendor Demo Script

    6. CRM Use Case Fit Assessment Tool

    Use this tool to help build a CRM strategy for the organization based on the specific use case that matches your organizational needs.

    • CRM Use-Case Fit Assessment Tool
    [infographic]

    Further reading

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    Table of Contents

    1. Analyst Perspective
    2. Executive Summary
    3. Blueprint Overview
    4. Executive Brief
    5. Phase 1: Understand CRM Functionality
    6. Phase 2: Build the Business Case and Elicit CRM requirements
    7. Phase 3: Discover the CRM Marketspace and Prepare for Implementation
    8. Conclusion

    Analyst Perspective

    A strong CRM platform is paramount to succeeding with customer engagement.

    Modern CRM platforms are the workhorses that provide functional capabilities and data curation for customer experience management. The market for CRM platforms has seen an explosion of growth over the last five years, as organizations look to mature their ability to deliver strong capabilities across marketing, sales, and customer service.

    IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the get-go.

    CRM selection must be a multistep process that involves defining target capabilities for marketing, sales, and customer service, prioritizing requirements across functional categories, determining the architecture model for the CRM environment, and developing a comprehensive RFP that can be scored in a weighted fashion.

    To succeed with CRM implementation, create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Photo of Ben Dickie, Research Lead, Customer Experience Strategy, Info-Tech Research Group. Ben Dickie
    Research Lead, Customer Experience Strategy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Customer Relationship Management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions. Selecting the right platform that aligns with your requirements is a significant undertaking.

    After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.
    Common Obstacles

    Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    The CRM market is rapidly evolving and changing, making it tricky to stay on top of the space.

    IT often finds itself in the unenviable position of taking the fall for CRM platforms that don’t deliver on the promise of the CRM strategy.
    Info-Tech’s Approach

    CRM platform selection must be driven by your overall customer experience management strategy: link your CRM selection to your organization’s CXM framework.

    Determine if you need a CRM platform that skews toward marketing, sales, or customer service; leverage use cases to help guide selection.

    Ensure strong points of integration between CRM and other software such as MMS. A CRM should not live in isolation; it must provide a 360-degree view.

    Info-Tech Insight

    IT must work in lockstep with its counterparts in marketing, sales, and customer service to define a unified vision for the CRM platform.

    Info-Tech’s methodology for selecting the right CRM platform

    1. Understand CRM Features 2. Build the Business Case & Elicit CRM Requirements 3. Discover the CRM Market Space & Prepare for Implementation
    Phase Steps
    1. Define CRM platforms
    2. Classify table stakes & differentiating capabilities
    3. Explore CRM trends
    1. Build the business case
    2. Streamline requirements elicitation for CRM
    3. Construct the RFP
    1. Discover key players in the CRM landscape
    2. Engage the shortlist & select finalist
    3. Prepare for implementation
    Phase Outcomes
    • Consensus on scope of CRM and key CRM capabilities
    • CRM selection business case
    • Top-level use cases and requirements
    • Completed CRM RFP
    • CRM market analysis
    • Shortlisted vendor
    • Implementation considerations

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The CRM purchase process should be broken into segments:

    1. CRM vendor shortlisting with this buyer’s guide
    2. Structured approach to selection
    3. Contract review

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Understand what a CRM platform is and the “art of the possible” for sales, marketing, and customer service. Call #2: Build the business case to select a CRM.

    Call #3: Define your key CRM requirements.

    Call #4: Build procurement items such as an RFP.
    Call #5: Evaluate the CRM solution landscape and shortlist viable options.

    Call #6: Review implementation considerations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    INFO~TECH RESEARCH GROUP

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    EXECUTIVE BRIEF

    Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
    © 1997-2022 Info-Tech Research Group Inc.

    What exactly is a CRM platform?

    Our Definition: A customer relationship management (CRM) platform (or suite) is a core enterprise application that provides a broad feature set for supporting customer interaction processes, typically across marketing, sales and customer service. These suites supplant more basic applications for customer interaction management (such as the contact management module of an enterprise resource planning (ERP) platform or office productivity suite).

    A customer relationship management suite provides many key capabilities, including but not limited to:

    • Account management
    • Order history tracking
    • Pipeline management
    • Case management
    • Campaign management
    • Reports and analytics
    • Customer journey execution

    A CRM suite provides a host of native capabilities, but many organizations elect to tightly integrate their CRM solution with other parts of their customer experience ecosystem to provide a 360-degree view of their customers.

    Stock image of a finger touching a screen showing a stock chart.

    Info-Tech Insight

    CRM feature sets are rapidly evolving. Focus on the social component of sales, marketing, and service management features, as well as collaboration, to get the best fit for your requirements. Moreover, consider investing in best-of-breed social media management platforms (SMMPs) and internal collaboration tools to ensure sufficient functionality.

    Build a cohesive CRM selection approach that aligns business goals with CRM capabilities.

    Info-Tech Insight

    Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.

    Customer expectations are on the rise: meet them!

    A CRM platform is a crucial system for enabling good customer experiences.

    CUSTOMER EXPERIENCE IS EVOLVING

    1. Thoughtfulness is in
        Connect with customers on a personal level
    2. Service over products
        The experience is more important than the product
    3. Culture is now number one
        Culture is the most overlooked piece of customer experience strategy
    4. Engineering and service finally join forces
        Companies are combining their technology and service efforts to create strong feedback loops
    5. The B2B world is inefficiently served
        B2B needs to step up with more tools and a greater emphasis placed on customer experience

    (Source: Forbes, 2019)

    Identifying organizational objectives of high priority will assist in breaking down business needs and CRM objectives. This exercise will better align the CRM systems with the overall corporate strategy and achieve buy-in from key stakeholders.

    A strong CRM platform supports a range of organizational objectives for customer engagement.

    Increase Revenue Enable lead scoring Deploy sales collateral management tools Improve average cost per lead via a marketing automation tool
    Enhance Market Share Enhance targeting effectiveness with a CRM Increase social media presence via an SMMP Architect customer intelligence analysis
    Improve Customer Satisfaction Reduce time-to-resolution via better routing Increase accessibility to customer service with live chat Improve first contact resolution with customer KB
    Increase Customer Retention Use a loyalty management application Improve channel options for existing customers Use customer analytics to drive targeted offers
    Create Customer-Centric Culture Ensure strong training and user adoption programs Use CRM to provide 360-degree view of all customer interactions Incorporate the voice of the customer into product development

    Succeeding with CRM selection and implementation has a positive effect on driving revenues and decreasing costs

    There are three buckets of metrics and KPIs where CRM will drive improvements

    The metrics of a smooth CRM selection and implementation process include:

    • Better alignment of CRM functionality to business needs.
    • Better functionality coverage of the selected platform.
    • Decreased licensing costs via better vendor negotiation.
    • Improved end-user satisfaction with the deployed solution.
    • Fewer errors and rework during implementation.
    • Reduced total implementation costs.
    • Reduced total implementation time.

    A successful CRM deployment drives revenue

    • Increased customer acquisition due to enhanced accuracy of segmentation and targeting, superior lead qualification, and pipeline management.
    • Increased customer satisfaction and retention due to targeted campaigns (e.g. customer-specific deals), quicker service incident resolution, and longitudinal relationship management.
    • Increased revenue per customer due to comprehensive lifecycle management tools, social engagement, and targeted upselling of related products and services (enabled by better reporting/analytics).

    A successful CRM deployment decreases cost

    • Deduplication of effort across business domains as marketing, sales, and service now have a common repository of customer information and interaction tools.
    • Increased sales and service agent efficiency due to their focus on selling and resolution, rather than administrative tasks and overhead.
    • Reduced cost-to-sell and cost-to-serve due to automation of activities that were manually intensive.
    • Reduced cost of accurate data due to embedded reporting and analytics functionality.

    CRM platforms sit at the core of a well-rounded customer engagement ecosystem

    At the center is 'Customer Relationship Management Platform' surrounded by 'Web Experience Management Platform', 'E-Commerce & Point-of-Sale Solutions', 'Social Media Management Platform', 'Customer Intelligence Platform', 'Customer Service Management Tools', and 'Marketing Management Suite'.

    Customer Experience Management (CXM) Portfolio

    Customer relationship management platforms are increasingly expansive in functional scope and foundational to an organization’s customer engagement strategy. Indeed, CRMs form the centerpiece for a comprehensive CXM system, alongside tools such as customer intelligence platforms and adjacent point solutions for sales, marketing, and customer service.

    Review Info-Tech’s CXM blueprint below to build a complete, end-to-end customer interaction solution portfolio that encompasses CRM alongside other critical components. The CXM blueprint also allows you to develop strategic requirements for CRM based on customer personas and external market analysis.

    Build a Strong Technology Foundation for Customer Experience Management

    Sample of the 'Build a Strong Technology Foundation for Customer Experience Management' blueprint. Design an end-to-end technology strategy to drive sales revenue, enhance marketing effectiveness, and create compelling experiences for your customers.

    View the blueprint

    Considering a CRM switch? Switching software vendors drives high satisfaction

    Eighty percent of organizations are more satisfied after changing their software vendor.

    • Most organizations see not only a positive change in satisfaction with their new vendor, but also a substantial change in satisfaction.
    • What matters is making sure your organization is well-positioned to make a switch.
    • When it comes to switching software vendors, the grass really can be greener on the other side.

    Over half of organizations are 60%+ more satisfied after changing their vendor.

    (Source: Info-Tech Research Group, "Switching Software Vendors Overwhelmingly Drives Increased Satisfaction", 2020.)

    IT is critical to the success of your CRM selection and rollout

    Today’s shared digital landscape of the CIO and CMO

    Info-Tech Insight

    Technology is the key enabler of building strong customer experiences: IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    CIO

    IT Operations

    Service Delivery and Management

    IT Support

    IT Systems and Application

    IT Strategy and Governance

    Cybersecurity
    Collaboration and Partnership

    Digital Strategy = Transformation
    Business Goals | Innovation | Leadership | Rationalization

    Customer Experience
    Architecture | Design | Omnichannel Delivery | Management

    Insight (Market Facing)
    Analytics | Business Intelligence | Machine Learning | AI

    Marketing Integration + Operating Model
    Apps | Channels | Experiences | Data | Command Center

    Master Data
    Customer | Audience | Industry | Digital Marketing Assets
    CMO

    PEO Media

    Brand Management

    Campaign Management

    Marketing Tech

    Marketing Ops

    Privacy, Trust, and Regulatory Requirements

    (Source: ZDNet, 2020)

    CRM by the numbers

    1/3

    Statistical analysis of CRM projects indicates failures vary from 18% to 69%. Taking an average of those analyst reports, about one-third of CRM projects are considered a failure. (Source: CIO Magazine, 2017)

    92%

    92% of organizations report that CRM use is important for accomplishing revenue objectives. (Source: Hall, 2020)

    40%

    In 2019, 40% of executives name customer experience the top priority for their digital transformation. (Source: CRM Magazine, 2019)

    Case Study

    Align strategy and technology to meet consumer demand.
    INDUSTRY
    Entertainment
    SOURCE
    Forbes, 2017
    Challenge

    Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.

    Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience.

    Solution

    In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.

    Results

    Netflix’s disruptive innovation is built on the foundation of great customer experience management. Netflix is now a $28-billion company, which is tenfold what Blockbuster was worth.

    Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time video rental industry leader, Blockbuster.

    CRM Buyer’s Guide

    Phase 1

    Understand CRM Features

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Set a level of understanding of CRM technology.
    • Define which CRM features are table stakes (standard) and which are differentiating.
    • Identify the “Art of the Possible” in a modern CRM from a sales, marketing, and service lens.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Understand CRM table stakes features

    Organizations can expect nearly all CRM vendors to provide the following functionality.

    Lead Management Pipeline Management Contact Management Campaign Management Customer Service Management
    • Tracks and captures a lead’s information, automatically building a profile. Leads are then qualified through contact scoring models. Assigning leads to sales is typically automated.
    • Enables oversight over future sales. Includes revenue forecasting based on past/present trends, tracking sales velocity, and identifying ineffective sales processes.
    • Tracks and stores customer data, including demography, account and billing history, social media, and contact information. Typically, records and fields can be customized.
    • Provides integrated omnichannel campaign functionality and data analysis of customer intelligence. Data insights can be used to drive new and effective marketing campaigns.
    • Provides integrated omnichannel customer experiences to provide convenient service. Includes case and ticket management, automated escalation rules, and third-party integrations.

    Identify differentiating CRM features

    While not always “must-have” functionality, these features may be the final dealbreaker when deciding between two CRM vendors.

    Image of clustered screens with various network and business icons surounding them.
    • Workflow Automation
      Automate repetitive tasks by creating workflows that trigger actions or send follow-up reminders for next steps.
    • Advanced Analytics and Reporting
      Provides customized dashboard visualizations, detailed reporting, AI-driven virtual assistants, data extraction & analysis, and ML forecasting.
    • Customizations and Open APIs
      Broad range of available customizations (e.g. for dashboards and fields), alongside ease of integration (e.g. via plugins or APIs).
    • Document Management
      Out-of-the-box centralized content repository for storing, uploading, and sharing documents.
    • Mobile Support
      Ability to support mobile devices, OSes, and platforms with a native application or HTML-based web-access.
    • Project and Task Management
      Native project and task management functionality, enhancing cross-team organization and communication.
    • Configure, Price, Quote (CPQ)
      Create and send quotes or proposals to prospective and current customers.

    Features aren’t everything – be wary of common CRM selection pitfalls

    You can have all the right features, but systemic problems will lead to poor CRM implementation. Dig out these root causes first to ensure a successful CRM selection.

    50% of organizations believe the quality of their CRM data is “very poor” or “neutral.”

    Without addressing data governance issues, CRMs will only be as good as your data.

    Source: (Validity 2020)
    27% of organizations report that bad data costs them 10% or more in lost revenue annually.
    42% rate the trust that users have in their data as “high” or “very high.”
    54% believe that sales forecasts are accurate or very accurate.
    69% attribute poor CRM governance to missing or incomplete data, followed by duplicate data, incorrect data, and expired data. Other data issues include siloed data or disparate systems.
    73% believe that they do not have a 360-degree view of their customers.

    Ensure you understand the “art of the possible” in the CRM landscape

    Knowing what is possible will help funnel which features are most suitable for your organization – having all the bells and whistles does not always equal strong ROI.

    Holistically examine the potential of any CRM solution through three main lenses: Stock image of a person working with dashboards.

    Sales

    Identify sales opportunities through recording customers’ interactions, generating leads, nurturing contacts, and forecasting revenues.
    Stock image of people experiencing digital ideas.

    Marketing

    Analyze customer interactions to identify upsell and cross-sell opportunities, drive customer loyalty, and use customer data for targeted campaigns.
    Stock image of a customer service representative.

    Customer Service

    Improve and optimize customer engagement and retention, leveraging customer data to provide round-the-clock omnichannel experiences.

    Art of the possible: Sales

    Stock image of a person working with dashboards.

    TRACK PROSPECT INTERACTIONS

    Want to engage with a prospect but don’t know what to lead with? CRM solutions can track and analyze many of the interactions a prospect has with your organization, including with fellow staff, their clickthrough rate on marketing material, and what services they are downloading on your website. This information can then auto-generate tasks to begin lead generation.

    COORDINATE LEAD SCORING

    Information captured from a prospect is generated into contact cards; missing data (such as name and company) can be auto-captured by the CRM via crawling sites such as LinkedIn. The CRM then centralizes and scores (according to inputted business rules) a lead’s potential, ensuring sales teams coordinate and keep a track of the lead’s journey without wrongful interference.

    AI-DRIVEN REVENUE FORECASTING

    Generate accurate forecasting reports using AI-driven “virtual assistants” within the CRM platform. These assistants are personal data scientists, quickly noting discrepancies, opportunities, and what-if scenarios – tasks that might take weeks to do manually. This pulled data is then auto-forecasted, with the ability to flexibly adjust to real-time data.

    Art of the possible: Marketing

    Stock image of people experiencing digital ideas.

    DRIVE LOYALTY

    Data captured and analyzed in the CRM from customer interactions builds profiles and a deeper understanding of customers’ interests. With this data, marketing teams can deliver personalized promotions and customer service to enhance loyalty – from sending a discount on a product the customer was browsing on the website, to providing notifications about delivery statuses.

    AUTOMATE WORKFLOWS

    Building customer profiles, learning spending habits, and charting a customer’s journey for upselling or cross-selling can be automated through workflows, saving hours of manual work. These workflows can immediately respond to customer enquiries or deliver offers to the customer’s preferred channel based on their prior usage.

    TARGETED CAMPAIGNING

    Information attained through a CRM platform directly informs any marketing strategy: identifying customer segments, spending habits, building a better product based on customer feedback, and identifying high-spending customers. With any new product or offering, it is straightforward for marketing teams to understand where to target their next campaign for highest impact.

    Art of the possible: Customer service

    Stock image of a customer service representative.

    OMNICHANNEL SUPPORT

    Rapidly changing demographics and modes of communications require an evolution toward omnichannel engagement. Many customers now expect to communicate with contact centers not just by voice, but via social media. Agents need customer information synced across each channel they use, meeting the customer’s needs where they are.

    INTELLIGENT SELF-SERVICE PORTALS

    Customers want their issues resolved as quickly as possible. Machine-learning self-service options deliver personalized customer experiences, which also reduce both agent call volume and support costs for the organization.

    LEVERAGING ANALYTICS

    The future of customer service is tied up with analytics. This not only entails AI-driven capabilities that fetch the agent relevant information, skills-based routing, and using biometric data (e.g. speech) for security. It also feeds operations leaders’ need for easy access to real insights about how their customers and agents are doing.

    Best-of-Breed Point Solutions

    Full CRM Suite

    Blue smiley face. Benefits
    • Features may be more advanced for specific functional areas and a higher degree of customization may be possible.
    • If a potential delay in real-time customer data transfer is acceptable, best-of-breeds provide a similar level of functionality to suites for a lower price.
    • Best-of-breeds allow value to be realized faster than suites, as they are easier and faster to implement and configure.
    • Rip and replace is easier, and vendor updates are relatively quick to market.
    Benefits
    • Everyone in the organization works from the same set of customer data.
    • There is a “lowest common denominator” for agent learning as consistent user interfaces lower learning curves and increase efficiency in usage.
    • There is a broader range of functionality using modules.
    • Integration between functional areas will be strong and the organization will be in a better position to enable version upgrades without risking invalidation of an integration point between separate systems.
    Green smiley face.
    Purple frowny face. Challenges
    • Best-of-breeds typically cover less breadth of functionality than suites.
    • There is a lack of uniformity in user experience across best-of-breeds.
    • Data integrity risks are higher.
    • Variable infrastructure may be implemented due to multiple disparate systems, which adds to architecture complexity and increased maintenance.
    • There is potential for redundant functionality across multiple best-of-breeds.
    Challenges
    • Suites exhibit significantly higher costs compared to point solutions.
    • Suite module functionality may not have the same depth as point solutions.
    • Due to high configuration availability and larger-scale implementation requirements, the time to deploy is longer than point solutions.
    Orange frowny face.
    Info-Tech Insight

    Even if a suite is missing a potential module, the proliferation of app extensions, integrations, and services could provide a solution. Salesforce’s AppExchange, for instance, offers a plethora of options to extend its CRM solution – from telephony integration, to gamification.

    CRM Buyer’s Guide

    Phase 2

    Build the Business Case & Elicit CRM Requirements

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Identify goals, objectives, challenges, and costs to inform the business case for a new CRM platform.
    • Elicit and prioritize key requirements for your platform.
    • Port the requirements into Info-Tech’s CRM RFP Template.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Right-size the CRM selection team to ensure you get the right information but are still able to move ahead quickly

    Full-Time Resourcing: At least one of these five team members must be allocated to the selection initiative as a full-time resource.

    A silhouetted figure.

    IT Leader

    A silhouetted figure.

    Technical Lead

    A silhouetted figure.

    Business Analyst/
    Project Manager

    A silhouetted figure.

    Business Lead

    A silhouetted figure.

    Process Expert(s)

    This team member is an IT director or CIO who will provide sponsorship and oversight from the IT perspective. This team member will focus on application security, integration, and enterprise architecture. This team member elicits business needs and translates them into technology requirements. This team member will provide sponsorship from the business needs perspective. Typically, a CMO or SVP of sales. These team members are the sales, marketing, and service process owners who will help steer the CRM requirements and direction.

    Info-Tech Insight

    It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions. For more information on stakeholder management and involvement, see this guide.

    Be prepared to define what issues you are trying to address and why a new CRM is the right approach

    Identify the current state and review the background of what you’ve done leading up to this point, goals you’ve been asked to meet, and challenges in solving known problems to help to set the stage for why your proposed solution is needed. If your process improvements have taken you as far as you can go without improved workflows or data, specify where the gaps are.
    Arrows with icons related to the text on the right merging into one arrow. Alignment

    Alignment to strategic goals is always important, but that is especially true with CRM because customer relationship management platforms are at the intersection of your organization and your customers. What are the strategic marketing, sales and customer service goals that you want to realize (in whole or in part) by improving your CRM ecosystem?

    Impact to your business

    Identify areas where your customers may be impacted by poor experiences due to inadequate or aging technology. What’s the impact on customer retention? On revenue?

    Impact to your organization

    Define how internal stakeholders within the organization are impacted by a sub-optimal CRM experience – what are their frustrations and pain points? How do issues with your current CRM environment prevent teams in sales, marketing, or service from doing their jobs?

    Impact to your department

    Describe the challenges within IT of using disparate systems, workarounds, poor data and reporting, lack of automation, etc., and the effect these challenges have on IT’s goals.

    Align the CRM strategy with the corporate strategy

    Corporate Strategy Unified Strategy CRM Strategy
    Spectrum spanning all columns.
    Your corporate strategy:
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    • The CRM strategy and the rationale for deploying a new CRM can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives (such as improving customer acquisition, entering new segments, or improving customer lifetime value).
    Your CRM strategy:
    • Communicates the organization’s budget and spending on CRM.
    • Identifies IT initiatives that will support the business and key CRM objectives.
    • Outlines staffing and resourcing for CRM initiatives.
    CRM projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with CRM capabilities. Effective alignment between sales, marketing, customer service, operations, IT, and the business should happen daily. Alignment doesn’t just need to occur at the executive level, but also at each level of the organization.

    2.1 Create your list of goals and milestones for CRM

    1-3 hours

    Input: Corporate strategy, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of goals with milestones that can be met with a new or improved CRM solution

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales or service SMEs

    1. Review strategic goals to identify alignment to your CRM selection project. For example, digital transformation may be enhanced or enabled with a CRM solution that supports better outreach to key customer segments through improved campaign management.
    2. Next, brainstorm tactical goals with your colleagues.
    3. Identify specific goals the organization has set for the business that may be supported by improved customer prospecting, customer service, or analytics functionality through a better CRM solution.
    4. Identify specific goals your organization will be able to make possible with a new or improved CRM solution.
    5. Prioritize this list and lead with the most important goal that can be reached at the one-year, six-month, and three-month milestones.
    6. Document in the goals section of your business case.

    Download the CRM Business Case Template and record the outputs of this exercise in the strategic business goals, business drivers, and technical drivers slides.

    Identify what challenges exist with the current environment

    Ensure you are identifying issues at a high level, so as not to drown in detail, but still paint the right picture. Identify technical issues that are impacting customer experience or business goals. Typical complaints for CRM solutions that are old or have been outgrown include:

    1.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    2.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    3.

    Lack of meaningful reports and useable dashboards, or difficulty in surfacing them.

    4.

    Poor change enablement resulting in business interruptions.

    5.

    Inability to effectively automate routine sales, marketing, or service tasks at scale via a workflow tool.

    6.

    Lack of proper service management features, such as service knowledge management.

    7.

    Inability to ingest customer data at scale (for example, no ability to automatically log e-mails or calls).

    8.

    Major technical deficiencies and outages – the incumbent CRM platform goes down, causing business disruption.

    9.

    The platform itself doesn’t exist in the current state – everything is done in Microsoft Excel!

    Separate business issues from technical issues, but highlight where they’re connected and where technical issues are causing business issues or preventing business goals from being reached.

    Before switching vendors, evaluate your existing CRM to see if it’s being underutilized or could use an upgrade

    The cost of switching vendors can be challenging, but it will depend entirely on the quality of data and whether it makes sense to keep it.
    • Achieving success when switching vendors first requires reflection. We need to ask why we are dissatisfied with our incumbent software.
    • If the product is old and inflexible, the answer may be obvious, but don’t be afraid to include your incumbent in your evaluation if your issues might be solved with an upgrade.
    • Look at your use-case requirements to see where you want to take the CRM solution and compare them to your incumbent’s roadmap. If they don’t match, switching vendors may be the only solution. If your roadmaps align, see if you’re fully leveraging the solution or will be able to start working through process improvements.
    Pie graph with a 20% slice. Pie graph with a 25% slice.

    20%

    Small/Medium Enterprises

    25%

    Large Enterprises
    only occasionally or rarely/never use their software (Source: Software Reviews, 2020; N = 45,027)
    Fully leveraging your current software now will have two benefits:
    1. It may turn out that poor leveraging of your incumbent software was the problem all along; switching vendors won’t solve the problem by itself. As the data to the right shows, a fifth of small/medium enterprises and a quarter of large enterprises do not fully leverage their incumbent software.
    2. If you still decide to switch, you’ll be in a good negotiating position. If vendors can see you are engaged and fully leveraging your software, they will be less complacent during negotiations to win you over.
    Info-Tech Insight

    Switching vendors won’t improve poor internal processes. To be fully successful and meet the goals of the business case, new software implementations must be accompanied by process review and improvement.

    2.2 Create your list of challenges as they relate to your goals and their impacts

    1-2 hours

    Input: Goals lists, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of challenges preventing or hindering customer experiences

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss your challenges with CRM today from an application and process lens.
    2. Identify how these challenges are impacting your ability to meet the goals and identify any that are creating customer-facing issues.
    3. Group together like areas and arrange in order of most impactful. Identify which of these issues will be most relevant to the business case for a new CRM platform.
    4. Document in the current-state section of your business case.
    5. Discuss and determine if the incumbent solution can meet your needs or if you’ll need to replace it with a different product.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Determine costs of the solution

    Ensure the business case includes both internal and external costs related to the new CRM platform, allocating costs of project managers to improve accuracy of overall costs and level of success.

    CRM solutions include application costs and costs to design processes, install, and configure. These start-up costs can be a significant factor in whether the initial purchase is feasible.

    CRM Vendor Costs

    • Application licensing
    • Implementation and configuration
    • Professional services
    • Maintenance and support
    • Training
    • 3rd Party add-ons
    • Data transformation
    • Integration
    When thinking about vendor costs, also consider the matching internal cost associated with the vendor activity (e.g. data cleansing, internal support).

    Internal Costs

    • Project management
    • Business readiness
    • Change management
    • Resourcing (user groups, design/consulting, testing)
    • Training
    • Auditors (if regulatory requirements need vetting)
    Project management is a critical success factor at all stages of an enterprise application initiative from planning to post-implementation. Ensuring that costs for such critical areas are accurately represented will contribute to success.

    Download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable to define requirements for installation and configuration.

    Bring in the right resources to guarantee success. Work with the PMO or project manager to get help with creating the SOW.

    60% of IT projects are NOT finished “mostly or always” on time (Wellingtone, 2018).

    55% of IT personnel feel that the business objectives of their software projects are clear to them (Geneca, 2017).

    Document costs and expected benefits of the new CRM

    The business case should account for the timing of both expenditures and benefits. It is naïve to expect straight-line benefit realization or a big-bang cash outflow related to the solution implementation. Proper recognition and articulation of ramp-up time will make your business case more convincing.

    Make sure your timelines are realistic for benefits realization, as these will be your project milestones and your metrics for success.

    Example:
    Q1-Q2 Q3-Q6 Q6 Onwards

    Benefits at 25%

    At the early stages of an implementation, users are still learning the new system and go-live issues are being addressed. Most of the projected process improvements are likely to be low, zero, or even negative.

    Benefits at 75%

    Gradually, as processes become more familiar, an organization can expect to move closer to realizing the forecasted benefits or at least be in a position to recognize a positive trend toward their realization.

    Benefits at 100%

    In an ideal world, all projected benefits are realized at 100% or higher. This can be considered the stage where processes have been mastered, the system is operating smoothly, and change has been broadly adopted. In reality, benefits are often overestimated.

    Costs at 50%

    As with benefits, some costs may not kick in until later in the process or when the application is fully operational. In the early phases of implementation, factor in the cost of overlapping technology where you’ll need to run redundant systems and transition any data.

    Costs at 100%

    Costs are realized quicker than benefits as implementation activities are actioned, licensing and maintenance costs are introduced, and resourcing is deployed to support vendor activities internally. Costs that were not live in the early stages are an operational reality at this stage.

    Costs at 100%+

    Costs can be expected to remain relatively static past a certain point, if estimates accurately represented all costs. In many instances, costs can exceed original estimates in the business case, where costs were either underestimated, understated, or missed.

    2.3 Document your costs and expected benefits

    1-2 hours

    Input: Quotes with payment schedule, Budget

    Output: Estimated payment schedule and cost breakdown

    Materials: Spreadsheet or whiteboard, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Estimate costs for the CRM solution. If you’re working with a vendor, provide the initial requirements to quote; otherwise, estimate as closely as you’re able.
    2. Calculate the five-year total cost for the solution to ensure the long-term budget is calculated.
    3. Break down costs for licenses, implementation, training, internal support, and hardware or hosting fees.
    4. Determine a reasonable breakdown of costs for the first year.
    5. Identify where residual costs of the old system may factor in if there are remaining contract obligations during the technology transition.
    6. Create a list of benefits expected to be realized within the same timeline.

    Sample of the table on the previous slide.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Identify risks and dependencies to mitigate barriers to success as you look to roll out a CRM suite

    A risk assessment will be helpful to better understand what risks need to be mitigated to make the project a success and what risks are pending should the solution not be approved or be delayed.

    Risk Criteria Relevant Questions
    Timeline Uncertainty
    • How much risk is associated with the timeline of the CRM project?
    • Is this timeline realistic and can you reach some value in the first year?
    Success of Similar Projects
    • Have we undertaken previous projects that are similar?
    • Were those successful?
    • Did we note any future steps for improvement?
    Certainty of Forecasts
    • Where have the numbers originated?
    • How comfortable are the sponsors with the revenue and cost forecasts?
    Chance of Cost Overruns
    • How likely is the project to have cost overruns?
    • How much process and design work needs to be done prior to implementation?
    Resource Availability
    • Is this a priority project?
    • How likely are resourcing issues from a technical and business perspective?
    • Do we have the right resources?
    Change During Delivery
    • How volatile is the area in which the project is being implemented?
    • Are changes in the environment likely?
    • How complex are planned integrations?

    2.4 Identify risks to the success of the solution rollout and mitigation plan

    1-2 hours

    Input: List of goals and challenges, Target key performance indicators

    Output: Prioritized list of challenges preventing or hindering improvements for the IT teams

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss potential roadblocks and risks that could impact the success of the CRM project.
    2. Identify how these risks could impact your project.
    3. Document the ones that are most likely to occur and derail the project.
    4. Discuss potential solutions to mitigate risks.

    Download the CRM Business Case Template and document the outputs of this exercise in the risk and dependency section of your business case. If the risk assessment needs to be more complex, complete the Risk Indicator Analysis in Info-Tech’s Business Case Workbook.

    Start requirements gathering by identifying your most important use cases across sales, marketing, and service

    Add to your business case by identifying which top-level use cases will meet your goals.

    Examples of target use cases for a CRM project include:

    • Enhance sales acquisition capabilities (i.e. via pipeline management)
    • Enhance customer upsell and cross-sell capabilities
    • Improve customer segmentation and targeting capabilities for multi-channel marketing campaigns
    • Strengthen customer care capabilities to improve customer satisfaction and retention (i.e. via improved case management and service knowledge management)
    • Create actionable insights via enhanced reporting and analytics

    Info-Tech Insight

    Lead with the most important benefit and consider the timeline. Can you reach that goal and report success to your stakeholders within the first year? As you look toward that one-year goal, you can consider secondary benefits, some of which may be opportunities to bring early value in the solution.

    Benefits of a successful deployment of use cases will include:
    • Improved customer satisfaction
    • Improved operational efficiencies
    • Reduced customer turnover
    • Increased platform uptime
    • License or regulatory compliance
    • Positioned for growth

    Typically, we see business benefits in this order of importance. Lead with the outcome that is most important to your stakeholders.

    • Net income increases
    • Revenue generators
    • Cost reductions
    • Improved customer service

    Consider perspectives of each stakeholder to ensure functionality needs are met and high satisfaction results

    Best of breed vs. “good enough” is an important discussion and will feed your success.

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where “good enough” is an acceptable state.
    • Consider the implications to implementation and all use cases of buying an all-in-one solution, integration of multiple best-of-breed solutions, or customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional CRM solutions.

    Pros and Cons

    Build vs. Buy

    Multi-Source Best of Breed

    Flexibility
    vs.
    architectural complexity

    Vendor Add-Ons & Integrations

    Lower support costs
    vs.
    configuration

    Multi-source Custom

    Flexibility
    vs.
    high skills requirements

    Single Source

    Lower support costs
    vs.
    configuration

    2.5 Define use cases and high-level features for meeting business and technical goals

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Identify the key customer engagement use cases that will support your overall goals as defined in the previous section.
    2. The following slide has examples of use case domains that will be enhanced from a CRM platform.
    3. Define high-level goals you wish to achieve in the first year and longer term. If you have more specific KPIs to add, and it is a requirement for your organization’s documentation, add them to this section.
    4. Take note of where processes will need to be improved to benefit from these use-case solutions – the tools are only as good as the process behind them.

    Download the CRM Business Case Template and document the outputs from this exercise in the current-state section of your business case.

    Understand the dominant use-case scenarios across organizations to narrow the list of potential CRM solutions

    Sales
    Enablement

    • Generate leads through multiple channels.
    • Rapidly sort, score, and prioritize leads based on multiple criteria.
    • Create in-depth sales forecasts segmented by multiple criteria (territory, representative, etc.).

    Marketing
    Management

    • Manage marketing campaigns across multiple channels (web, social, email, etc.).
    • Aggregate and analyze customer data to generate market intelligence.
    • Build and deploy customer-facing portals.

    Customer Service
    Management

    • Generate tickets, and triage customer service requests through multiple channels.
    • Track customer service interactions with cases.
    • There is a need to integrate customer records with contact center infrastructure.
    Info-Tech Insight

    Use your understanding of the CRM use case to accelerate the vendor shortlisting process. Since the CRM use case has a direct impact on the prioritization of a platform’s features and capabilities, you can rapidly eliminate vendors from contention or designate superfluous modules as out-of-scope.

    2.5.1 Use Info-Tech’s CRM Use-Case Fit Assessment Tool to align your CRM requirements to the vendor use cases

    30 min

    Input: Understanding of business objectives for CRM project, Use-Case Fit Assessment Tool

    Output: Use-case suitability

    Materials: Use-Case Fit Assessment Tool

    Participants: Core project team, Project managers

    1. Use the Use-Case Fit Assessment Tool to understand how your unique business requirements map into which CRM use case.
    2. This tool will assess your answers and determine your relative fit against the use-case scenarios.
    3. Fit will be assessed as “Weak,” “Moderate,” or “Strong.”
      1. Consider the common pitfalls, which were mentioned earlier, that can cause IT projects to fail. Plan and take clear steps to avoid or mitigate these concerns.
      2. Note: These use-case scenarios are not mutually exclusive, meaning your organization can align with one or more scenarios based on your answers. If your organization shows close alignment to multiple scenarios, consider focusing on finding a more robust solution and concentrate your review on vendors that performed strongly in those scenarios or meet the critical requirements for each.

    Download the CRM Use-Case Fit Assessment Tool

    Once you’ve identified the top-level use cases a CRM must support, elicit, and prioritize granular platform requirements.

    Understanding business needs through requirements gathering is the key to defining everything about what is being purchased, yet it is an area where people often make critical mistakes.

    Info-Tech Insight

    To avoid creating makeshift solutions, an organization needs to gather requirements with the desired future state in mind.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope
    • Focus on how the solution should work instead of what it must accomplish
    • Have multiple levels of detail within the requirements, which are inconsistent and confusing
    • Drill all the way down into system-level detail
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow
    • Omit constraints or preferences that buyers think are “obvious”

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce
    • Test against the principle of MECE – requirements should be “mutually exclusive and collectively exhaustive”
    • Explicitly state the obvious and assume nothing
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors

    Prioritize requirements to assist with vendor selection: focus on priority requirements linked to differentiated capabilities

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted toward the proper requirements and to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.


    Pyramid of the MoSCoW Model.
    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    The MoSCoW Model of Prioritization

    Requirements must be implemented for the solution to be considered successful.

    Requirements that are high priority should be included in the solution if possible.

    Requirements are desirable but not necessary and could be included if resources are available.

    Requirements won’t be in the next release, but will be considered for the future releases.

    Base your prioritization on the right set of criteria

    Effective Prioritization Criteria

    Criteria

    Description

    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy Compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business Value Significance Give a higher priority to high-value requirements.
    Business Risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of Success Especially in “proof of concept” projects, it is recommended that requirements have good odds.
    Implementation Complexity Give a higher priority to low implementation difficulty requirements.
    Alignment With Strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    2.6 Identify requirements to support your use cases

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, Vendor Evaluation Workbook

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Work with the team to identify which features will be most important to support your use cases. Keep in mind there will be some features that will require more effort to implement fully. Add that into your project plan.
    2. Use the features lists on the following slides as a guide to get started on requirements.
    3. Prioritize your requirements list into mandatory features and nice-to-have features (or use the MoSCoW model from the previous slides). This will help you to eliminate vendors who don’t meet bare minimums and to score remaining vendors.
    4. Use this same list to guide your vendor demos.

    Our Improve Requirements Gathering blueprint provides a deep dive into the process of eliciting, analyzing, and validating requirements if you need to go deeper into effective techniques.

    CRM features

    Table stakes vs. differentiating

    What is a table stakes/standard feature?

    • Certain features are standard for all CRM tools, but that doesn’t mean they are all equal.
    • The existence of features doesn’t guarantee their quality or functionality to the standards you need. Never assume that “Yes” in a features list means you don’t need to ask for a demo.
    • If Table Stakes are all you need from your CRM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price to value for your needs.

    What is a differentiating/additional feature?

    • Differentiating features take two forms:
      • Some CRM platforms offer differentiating features that are vertical specific.
      • Other CRM platforms offer differentiating features that are considered cutting edge. These cutting-edge features may become table stakes over time.

    Table stakes features for CRM

    Account Management Flexible account database that stores customer information, account history, and billing information. Additional functionality includes: contact deduplication, advanced field management, document linking, and embedded maps.
    Interaction Logging and Order History Ability to view all interactions that have occurred between sales teams and the customer, including purchase order history.
    Basic Pipeline Management View of all opportunities organized by their current stage in the sales process.
    Basic Case Management The ability to create and manage cases (for customer service or order fulfilment) and associate them with designated accounts or contacts.
    Basic Campaign Management Basic multi-channel campaign management (i.e. ability to execute outbound email campaigns). Budget tracking and campaign dashboards.
    Reports and Analytics In-depth reports on CRM data with dashboards and analytics for a variety of audiences.
    Mobile Support Mobile access across multiple devices (tablets, smartphones and/or wearables) with access to CRM data and dashboards.

    Additional features for CRM

    Customer Information Management Customizable records with detailed demographic information and the ability to created nested accounts (accounts with associated sub-accounts or contact records).
    Advanced Case Management Ability to track detailed interactions with members or constituents through a case view.
    Employee Collaboration Capabilities for employee-to-employee collaboration, team selling, and activity streams.
    Customer Collaboration Capabilities for outbound customer collaboration (i.e. the ability to create customer portals).
    Lead Generation Capabilities for generating qualified leads from multiple channels.
    Lead Nurturing/Lead Scoring The ability to evaluate lead warmth using multiple customer-defined criteria.
    Pipeline and Deal Management Managing deals through cases, providing quotes, and tracking client deliverables.

    Additional features for CRM (Continued)

    Marketing Campaign Management Managing outbound marketing campaigns via multiple channels (email, phone, social, mobile).
    Customer Intelligence Tools for in-depth customer insight generation and segmentation, predictive analytics, and contextual analytics.
    Multi-Channel Support Capabilities for supporting customer interactions across multiple channels (email, phone, social, mobile, IoT, etc.).
    Customer Service Workflow Management Capabilities for customer service resolution, including ticketing and service management.
    Knowledge Management Tools for capturing and sharing CRM-related knowledge, especially for customer service.
    Customer Journey Mapping Visual workflow builder with automated trigger points and business rules engine.
    Document Management The ability to curate assets and attachments and add them to account or contact records.
    Configure, Price, Quote The ability to create sales quotes/proposals from predefined price lists and rules.

    2.7 Put it all together – port your requirements into a robust RFP template that you can take to market!

    1-2 hours
    1. Once you’ve captured and prioritized your requirements – and received sign-off on them from key stakeholders – it’s time to bake them into a procurement vehicle of your choice.
    2. For complex enterprise systems like a CRM platform, Info-Tech recommends that this should take the form of a structured RFP document.
    3. Use our CRM RFP Template and associated CRM RFP Scoring Tool to jump-start the process.
    4. The next step will be conducting a market scan to identify contenders, and issuing the RFP to a shortlist of viable vendors for further evaluation.

    Need additional guidance on running an effective RFP process? Our Drive Successful Sourcing Outcomes with a Robust RFP Process has everything you need to ace the creation, administration and assessment of RFPs!

    Samples of the CRM Request for Proposal Template and CRM Suite Evaluation and RFP Scoring Tool.

    Download the CRM Request for Proposal Template

    Download the CRM Suite Evaluation and RFP Scoring Tool

    Identify whether vertical-specific CRM platforms are a best fit

    In mature vendor landscapes (like CRM) vendors begin to differentiate themselves by offering vertical-specific platforms, modules, or feature sets. These feature sets accelerate the implantation, decrease the platform’s learning curve, and drive user adoption. The three use cases below cover the most common industry-specific offerings:

    Public Sector

    • Constituent management and communication.
    • Constituent portal deployment for self-service.
    • Segment constituents based on geography, needs and preferences.

    Education

    • Top-level view into the student journey from prospect to enrolment.
    • Track student interactions with services across the institution.
    • Unify communications across different departments.

    Financial Services

    • Determine customer proclivity for new services.
    • Develop self-service banking portals.
    • Track longitudinal customer relationships from first account to retirement management.
    Info-Tech Insight

    Vertical-specific solutions require less legwork to do upfront but could cost you more in the long run. Interoperability and vendor viability must be carefully examined. Smaller players targeting niche industries often have limited integration ecosystems and less funding to keep pace with feature innovation.

    Rein-in ballooning scope for CRM selection projects

    Stretching the CRM beyond its core capabilities is a short-term solution to a long-term problem. Educate stakeholders about the limits of CRM technology.

    Common pitfalls for CRM selection

    • Tangential capabilities may require separate solutions. It is common for stakeholders to list features such as “content management” as part of the new CRM platform. While content management goes hand in hand with the CRM’s ability to manage customer interactions, document management is best handled by a standalone platform.

    Keeping stakeholders engaged and in line

    • Ballooning scope leads to stakeholder dissatisfaction. Appeasing stakeholders by over-customizing the platform will lead to integration and headaches down the road.
    • Make sure stakeholders feel heard. Do not turn down ideas in the midst of an elicitation session. Once the requirements-gathering sessions are completed, the project team has the opportunity to mark requirements as “out of scope” and communicate the reasoning behind the decision.
    • Educate stakeholders on the core functionality of CRM. Many stakeholders do not know the best-fit use cases for CRM platforms. Help end users understand what CRM is good at and where additional technologies will be needed.
    Stock image of a man leaping with a balloon.

    CRM Buyer’s Guide

    Phase 3

    Discover the CRM Market Space & Prepare for Implementation

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the CRM vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for CRM.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Consolidating the Vendor Shortlist Up-Front Reduces Downstream Effort

    Put the “short” back in shortlist!

    • Radically reduce effort by narrowing the field of potential vendors earlier in the selection process. Too many organizations don’t funnel their vendor shortlist until nearing the end of the selection process. The result is wasted time and effort evaluating options that are patently not a good fit.
    • Leverage external data (such as SoftwareReviews) and expert opinion to consolidate your shortlist into a smaller number of viable vendors before the investigative interview stage and eliminate time spent evaluating dozens of RFP responses.
    • Having fewer RFP responses to evaluate means you will have more time to do greater due diligence.
    Stock image of river rapids.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:
    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!
    Image of a person presenting a dashboard of the steps on the left.

    Get to know the key players in the CRM landscape

    The proceeding slides provide a top-level overview of the popular players you will encounter in the CRM shortlisting process.

    Logos of the key players in the CRM landscape (Salesforce, Microsoft, Oracle, HubSpot, etc).

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    Sample of SoftwareReviews' Data Quadrant Report. Title page of SoftwareReviews' Data Quadrant Report. The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Sample of SoftwareReviews' Emotional Footprint. Title page of SoftwareReviews' Emotional Footprint. The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    Icon of a person.


    Fact-based reviews of business software from IT professionals.

    Icon of a magnifying glass over a chart.


    Top-tier data quality backed by a rigorous quality assurance process.

    CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.


    Product and category reports with state-of-the-art data visualization.

    Icon of a phone.


    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Logo for Salesforce.
    Est. 1999 | CA, USA | NYSE: CRM

    bio

    Link for their Twitter account. Link for their LinkedIn profile. Link for their website.
    Sales Cloud Enterprise allows you to be more efficient, more productive, more everything than ever before as it allows you to close more deals, accelerate productivity, get more leads, and make more insightful decisions.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:
    • Breadth of features
    • Quality of features
    • Sales management functionality
    Areas to Improve:
    • Cost of service
    • Ease of implementation
    • Telephony and contact center management
    Logo gif for SoftwareReviews.
    8.0
    COMPOSITE SCORE
    8.3
    CX SCORE
    +77
    EMOTIONAL FOOTPRINT
    83%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 600
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Salesforce screen. Vendor Pulse rating. How often do we hear about Salesforce from our members for CRM? 'Very Frequently'.
    History of Salesforce in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Salesforce.

    “Salesforce is the pre-eminent vendor in the CRM marketplace and is a force to be reckoned with in terms of the breadth and depth of its capabilities. The company was an early disruptor in the category, placing a strong emphasis from the get-go on a SaaS delivery model and strong end-user experience. This allowed them to rapidly gain market share at the expense of more complacent enterprise application vendors. A series of savvy acquisitions over the years has allowed Salesforce to augment their core Sales and Service Clouds with a wide variety of other solutions, from e-commerce to marketing automation to CPQ. Salesforce is a great fit for any organization looking to partner with a market leader with excellent functional breadth, strong interoperability, and a compelling technology and partner ecosystem. All of this comes at a price, however – Salesforce prices at a premium, and our members routinely opine that Salesforce’s commercial teams are overly aggressive – sometimes pushing solutions without a clear link to underpinning business requirements.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Sales Cloud Essentials Sales Cloud Professional Sales Cloud Enterprise Sales Cloud Ultimate
    • Starts at $25*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $75*
    • Per user/mo
    • Mid-market target
    • Starts at $150*
    • Per user/mo
    • Enterprise target
    • Starts at $300*
    • Per user/mo
    • Strong upmarket feature additions
    Logo for Microsoft.


    Est. 1975 | WA, USA | NYSE: MSFT

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Dynamics 365 Sales is an adaptive selling solution that helps your sales team navigate the realities of modern selling. At the center of the solution is an adaptive, intelligent system – prebuilt and ready to go – that actively monitors myriad signals and distills them into actionable insights.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Analytics and reporting
    • Lead management

    Areas to Improve:

    • Quote, contract, and proposals
    • Vendor support
    Logo gif for SoftwareReviews.
    8.1
    COMPOSITE SCORE
    8.3
    CX SCORE
    +84
    EMOTIONAL FOOTPRINT
    82%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 198
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Microsoft screen.Vendor Pulse rating. How often do we hear about Microsoft Dynamics from our Members? 'Very Frequently'.

    History of Microsoft in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Microsoft.
    “”

    “Microsoft Dynamics 365 is a strong and compelling player in the CRM arena. While Microsoft is no stranger to the CRM space, their offerings here have seen steady and marked improvement over the last five years. Good functional breadth paired with a modern user interface and best-in-class Microsoft stack compatibility ensures that we consistently see them on our members’ shortlists, particularly when our members are looking to roll out CRM capabilities alongside other components of the Dynamics ecosystem (such as Finance, Operations, and HR). Today, Microsoft segments the offering into discrete modules for sales, service, marketing, commerce, and CDP. While Microsoft Dynamics 365 is a strong option, it’s occasionally mired by concerns that the pace of innovation and investment lags Salesforce (its nearest competitor). Additionally, the marketing module of the product is softer than some of its competitors, and Microsoft themselves points organizations with complex marketing requirements to a strategic partnership that they have with Adobe.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    D365 Sales Professional D365 Sales Enterprise D365 Sales Premium
    • Starts at $65*
    • Per user/mo
    • Midmarket focus
    • Starts at $95*
    • Per user/mo
    • Enterprise focus
    • Starts at $135*
    • Per user/mo
    • Enterprise focus with customer intelligence
    Logo for Oracle.


    Est. 1977 | CA, USA | NYSE: ORCL

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Oracle Engagement Cloud (CX Sales) provides a set of capabilities to help sales leaders transition smoothly from sales planning and execution through customer onboarding, account management, and support services.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Activity and workflow management
    • Analytics and reporting

    Areas to Improve:

    • Marketing management
    • Product strategy & rate of improvement
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE
    7.9
    CX SCORE
    +77
    EMOTIONAL FOOTPRINT
    78%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 140
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of an Oracle screen.Vendor Pulse rating. How often do we hear about Oracle from our members for CRM? 'Frequently'.

    History of Oracle in a vertical timeline.

    Logo for Oracle.

    “Oracle is long-term juggernaut of the enterprise applications space. Their CRM portfolio is diverse – rather than a single stack, there are multiple Oracle solutions (many made by acquisition) that support CRM capabilities – everything from Siebel to JD Edwards to NetSuite to Oracle CX applications. The latter constitute Oracle’s most modern stab at CRM and are where the bulk of feature innovation and product development is occurring within their portfolio. While historically seen as lagging behind other competitors like Salesforce and Microsoft, Oracle has made excellent strides in improving their user experience (via their Redwoods design paradigm) and building new functional capabilities within their CRM products. Indeed, SoftwareReviews shows Oracle performing well in our most recent peer-driven reports. Nonetheless, we most commonly see Oracle as a pricier ecosystem play that’s often subordinate to a heavy Oracle footprint for ERP. Many of our members also express displeasure with Oracle as a vendor and highlight their heavy-handed “threat of audit” approach. ”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Oracle CX Sales - Pricing Opaque:

    “Request a Demo”

    Logo for SAP.


    Est. 1972 | Germany | NYSE: SAP

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    SAP is the third-largest independent software manufacturer in the world, with a presence in over 120 countries. Having been in the industry for over 40 years, SAP is perhaps best known for its ERP application, SAP ERP.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of data integration

    Areas to Improve:

    • Lead management
    • Marketing management
    • Collaboration
    • Usability & intuitiveness
    • Analytics & reporting
    Logo gif for SoftwareReviews.
    7.4
    COMPOSITE SCORE
    7.8
    CX SCORE
    +74
    EMOTIONAL FOOTPRINT
    75%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 108
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SAP screen.Vendor Pulse rating. How often do we hear about SAP from our members for CRM? 'Occasionally'.

    History of SAP in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for SAP.

    “SAP is another mainstay of the enterprise applications market. While they have a sound breadth of capabilities in the CRM and customer experience space, SAP consistently underperforms in many of our relevant peer-driven SoftwareReviews reports for CRM and adjacent areas. CRM seems decidedly a secondary focus for SAP, behind their more compelling play in the enterprise resource planning (ERP) space. Indeed, most instances where we see SAP in our clients’ shortlists, it’s as an ecosystem play within a broader SAP strategy. If you’re blue on the ERP side, looking to SAP’s capabilities on the CRM front makes logical sense and can help contain costs. If you’re approaching a CRM selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests you’ll be better served by a vendor that places a higher degree of primacy on the CRM aspect of their portfolio.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    SAP CRM - Pricing Opaque:

    “Request a Demo”

    Logo for pipedrive.


    Est. 2010 | NY, USA | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Pipedrive brings together the tools and data, the platform focuses sales professionals on fundamentals to advance deals through their pipelines. Pipedrive's goal is to make sales success inevitable - for salespeople and teams.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Sales Management
    • Account & Contact Management
    • Lead Management
    • Usability & Intuitiveness
    • Ease of Implementation

    Areas to Improve:

    • Customer Service Management
    • Marketing Management
    • Product Strategy & Rate of Improvement
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE
    8.4
    CX SCORE
    +85
    EMOTIONAL FOOTPRINT
    85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 262
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Pipedrive screen.Vendor Pulse rating. How often do we hear about Pipedrive from our members for CRM? 'Occasionally'.

    History of Pipedrive in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Pipedrive.

    “A relatively new offering, Pipedrive has seen explosive growth over the last five years. They’re a vendor that has gone from near-obscurity to popping up frequently on our members’ shortlists. Pipedrive’s secret sauce has been a relentless focus on high-velocity sales enablement. Their focus on pipeline management, lead assessment and routing, and a good single pane of glass for sales reps has driven significant traction for the vendor when sales enablement is the driving rationale behind rolling out a new CRM platform. Bang for your buck is also strong with Pipedrive, with the vendor having a value-driven licensing and implementation model.

    Pipedrive is not without some shortcomings. It’s laser-focus on sales enablement is at the expense of deep capabilities for marketing and service management, and its profile lends itself better to SMBs and lower midmarket than it does large organizations looking for enterprise-grade CRM.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Essential Advanced Professional Enterprise
    • Starts at $12.50*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $24.90*
    • Per user/mo
    • Small/mid-sized businesses
    • Starts at $49.90*
    • Per user/mo
    • Lower mid-market focus
    • Starts at $99*
    • Per user/mo
    • Enterprise focus
    Logo for SugarCRM.


    Est. 2004 | CA, USA | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Produces Sugar, a SaaS-based customer relationship management application. SugarCRM is backed by Accel-KKR.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of customization
    • Product strategy and rate of improvement
    • Ease of IT administration

    Areas to Improve:

    • Marketing management
    • Analytics and reporting
    Logo gif for SoftwareReviews.
    8.4
    COMPOSITE SCORE
    8.8
    CX SCORE
    +92
    EMOTIONAL FOOTPRINT
    84%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SugarCRM screen.Vendor Pulse rating. How often do we hear about SugarCRM from our members for CRM? 'Frequently'.
    History of SugarCRM in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for SugarCRM.

    “SugarCRM offers reliable baseline capabilities at a lower price point than other large CRM vendors. While SugarCRM does not offer all the bells and whistles that an Enterprise Salesforce plan might, SugarCRM is known for providing excellent vendor support. If your organization is only after standard features, SugarCRM will be a good vendor to shortlist.

    However, ensure you have the time and labor power to effectively implement and train on SugarCRM’s solutions. SugarCRM does not score highly for user-friendly experiences, with complaints centering on outdated and unintuitive interfaces. Setting up customized modules takes time to navigate, and SugarCRM does not provide a wide range of native integrations with other applications. To effectively determine whether SugarCRM does offer a feasible solution, it is recommended that organizations know exactly what kinds of integrations and modules they need.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sugar Professional Sugar Serve Sugar Sell Sugar Enterprise Sugar Market
    • Starts at $52*
    • Per user/mo
    • Min. 3 users
    • Small businesses
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on customer service
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on sales automation
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • On-premises, mid-sized businesses
    • Starts at $1000*
    • Priced per month
    • Min. 10k contacts
    • Large enterprise
    Logo for .


    Est. 2006 | MA, USA | HUBS (NYSE)

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Develops software for inbound customer service, marketing, and sales. Software includes CRM, SMM, lead gen, SEO, and web analytics.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Breadth of features
    • Product strategy and rate of improvement
    • Ease of customization

    Areas to Improve:

    • Ease of data integration
    • Customer service management
    • Telephony and call center management
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE
    8.4
    CX SCORE
    +84
    EMOTIONAL FOOTPRINT
    86%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a HubSpot screen.Vendor Pulse rating. How often do we hear about HubSpot from our members for CRM? 'Frequently'.

    History of HubSpot in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.
    Logo for HubSpot.

    “ HubSpot is best suited for small to mid-sized organizations that need a range of CRM tools to enable growth across sales, marketing campaigns, and customer service. Indeed, HubSpot offers a content management solution that offers a central storage location for all customer and marketing data. Moreover, HubSpot offers plenty of freemium tools for users to familiarize themselves with the software before buying. However, though HubSpot is geared toward growing businesses, smaller organizations may not see high ROI until they begin to scale. The “Starter” and “Professional” plans’ pricing is often cited by small organizations as a barrier to commitment, and the freemium tools are not a sustainable solution. If organizations can take advantage of discount behaviors from HubSpot (e.g. a startup discount), HubSpot will be a viable long-term solution. ”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Starter Professional Enterprise
    • Starts at $50*
    • Per month
    • Min. 2 users
    • Small businesses
    • Starts at $500*
    • Per month
    • Min. 5 users
    • Small/mid-sized businesses
    • Starts at $1200*
    • Billed yearly
    • Min. 10 users
    • Mid-sized/small enterprise
    Logo for Zoho.


    Est. 1996 | India | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Zoho Corporation offers a cloud software suite, providing a full operating system for CRM, alongside apps for finance, productivity, HR, legal, and more.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Breadth of features
    • Collaboration capabilities

    Areas to Improve:

    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    8.7
    COMPOSITE SCORE
    8.9
    CX SCORE
    +92
    EMOTIONAL FOOTPRINT
    85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 152
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zoho screen.Vendor Pulse rating. How often do we hear about Zoho from our members for CRM? 'Occasionally'.

    History of Zoho in a vertical timeline.

    *
    See pricing on vendor’s website for latest information.
    Logo for Zoho.

    “Zoho has a long list of software solutions for businesses to run end to end. As one of Zoho’s earliest software releases, though, ZohoCRM remains a flagship product. ZohoCRM’s pricing is incredibly competitive for mid/large enterprises, offering high business value for its robust feature sets. For those organizations that already utilize Zoho solutions (such as its productivity suite), ZohoCRM will be a natural extension.

    However, small/mid-sized businesses may wonder how much ROI they can get from ZohoCRM, when much of the functionality expected from a CRM (such as workflow automation) cannot be found until one jumps to the “Enterprise” plan. Given the “Enterprise” plan’s pricing is on par with other CRM vendors, there may not be much in a smaller organization’s eyes that truly distinguishes ZohoCRM unless they are already invested Zoho users.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Standard Professional Enterprise Ultimate
    • Starts at $20*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $35*
    • Per user/mo
    • Small/mid-sized businesses
    • Adds inventory management
    • Starts at $50*
    • Per user/mo
    • Mid-sized/small enterprise
    • Adds Zia AI
    • Starts at $65*
    • Per user/mo
    • Enterprise
    • Bundles Zoho Analytics
    Logo for Zendesk.


    Est. 2009 | CA, USA | ZEN (NYSE)

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Software developer for customer service. Founded in Copenhagen but moved to San Francisco after $6 million Series B funding from Charles River Ventures and Benchmark Capital.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Breadth of features
    • Vendor support

    Areas to Improve:

    • Business value created
    • Ease of customization
    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE
    7.9
    CX SCORE
    +80
    EMOTIONAL FOOTPRINT
    72%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 50
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zendesk screen.Vendor Pulse rating. How often do we hear about Zendesk from our members for CRM? 'Rarely'.

    History of Zendesk in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.
    Logo for Zendesk.

    “Zendesk’s initial growth was grounded in word-of-mouth advertising, owing to the popularity of its help desk solution’s design and functionality. Zendesk Sell has followed suit, receiving strong feedback for the breadth and quality of its features. Organizations that have already reaped the benefits of Zendesk’s customer service suite will find Zendesk Sell a straightforward fit for their sales teams.

    However, it is important to note that Zendesk Sell is predominantly focused on sales. Other key components of a CRM, such as marketing, are less fleshed out. Organizations should ensure they verify what requirements they have for a CRM before choosing Zendesk Sell – if sales process requirements (such as forecasting, call analytics, and so on) are but one part of what the organization needs, Zendesk Sell may not offer the highest ROI for the pricing offered.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sell Team Sell Professional Sell Enterprise
    • Starts at $19*
    • Per user/mo
    • Max. 3 users
    • Small businesses
    • Basic functionality
    • Starts at $49*
    • Per user/mo
    • Small/mid-sized businesses
    • Advanced analytics
    • Starts at $99*
    • Per user/mo
    • Mid-sized/small enterprise
    • Task automation

    Speak with category experts to dive deeper into the vendor landscape

    Icon of a person.
    Fact-based reviews of business software from IT professionals.
    Icon of a magnifying glass over a chart.
    Top-tier data quality backed by a rigorous quality assurance process.
    CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.
    Product and category reports with state-of-the-art data visualization.
    Icon of a phone.
    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Conduct a day of rapid-fire vendor demos

    Zoom in on high-value use cases and answers to targeted questions

    Make sure the solution will work for your business

    Give each vendor 90 to 120 minutes to give a rapid-fire presentation. We suggest the following structure:

    • 30 minutes: company introduction and vision
    • 60 minutes: walk-through of two or three high-value demo scenarios
    • 30 minutes: targeted Q&A from the business stakeholders and procurement team
    To ensure a consistent evaluation, vendors should be asked analogous questions, and a tabulation of answers should be conducted.
    How to challenge the vendors in the investigative interview
    • Change the visualization/presentation.
    • Change the underlying data.
    • Add additional data sets to the artifacts.
    • Collaboration capabilities.
    • Perform an investigation in terms of finding BI objects and identifying previous changes, and examine the audit trail.
    Rapid-fire vendor investigative interview

    Invite vendors to come onsite (or join you via video conference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    Graphic of an alarm clock.
    To kick-start scripting your demo scenarios, leverage our CRM Demo Script Template.

    A vendor scoring model provides a clear anchor point for your evaluation of CRM vendors based on a variety of inputs

    A vendor scoring model is a systematic method for effectively assessing competing vendors. A weighted-average scoring model is an approach that strikes a strong balance between rigor and evaluation speed.

    Info-Tech Insight

    Even the best scoring model will still involve some “art” rather than science – scoring categories such as vendor viability always entails a degree of subjective interpretation.

    How do I build a scoring model?

    • Start by shortlisting the key criteria you will use to evaluate your vendors. Functional capabilities should always be a critical category, but you’ll also want to look at criteria such as affordability, architectural fit, and vendor viability.
    • Depending on the complexity of the project, you may break down some criteria into sub-categories to assist with evaluation (for example, breaking down functional capabilities into constituent use cases so you can score each one).
    • Once you’ve developed the key criteria for your project, the next step is weighting each criterion. Your weightings should reflect the priorities for the project at hand. For example, some projects may put more emphasis on affordability, others on vendor partnership.
    • Using the information collected in the subsequent phases of this blueprint, score each criterion from 1-100, then multiply by the weighting factor. Add up the weighted scores to arrive at the aggregate evaluation score for each vendor on your shortlist.

    What are some of the best practices?

    • While the criteria for each project may vary, it’s helpful to have an inventory of repeatable criteria that can be used across application selection projects. The next slide contains an example that you can add or subtract from.
    • Don’t go overboard on the number of criteria: five to 10 weighted criteria should be the norm for most projects. The more criteria (and sub-criteria) you must score against, the longer it will take to conduct your evaluation. Always remember, link the level of rigor to the size and complexity of your project! It’s possible to create a convoluted scoring model that takes significant time to fill out but yields little additional value.
    • Creation of the scoring model should be a consensus-driven activity among IT, procurement, and the key business stakeholders – it should not be built in isolation. Everyone should agree on the fundamental criteria and weights that are employed.
    • Consider using not just the outputs of investigative interviews and RFP responses to score vendors, but also third-party review services like SoftwareReviews.

    Define how you’ll score CRM proposals and demos

    Define key CRM selection criteria for your organization – this should be informed by the following goals, use cases, and requirements covered in the blueprint.

    Criteria

    Description

    Functional CapabilitiesHow well does the vendor align with the top-priority functional requirements identified in your accelerated needs assessment? What is the vendor’s functional breadth and depth?
    AffordabilityHow affordable is this vendor? Consider a three-to-five-year total cost of ownership (TCO) that encompasses not just licensing costs, but also implementation, integration, training, and ongoing support costs.
    Architectural FitHow well does this vendor align with our direction from an enterprise architecture perspective? How interoperable is the solution with existing applications in our technology stack? Does the solution meet our deployment model preferences?
    ExtensibilityHow easy is it to augment the base solution with native or third-party add-ons as our business needs may evolve?
    ScalabilityHow easy is it to expand the solution to support increased user, data, and/or customer volumes? Are there any capacity constraints of the solution?
    Vendor ViabilityHow viable is this vendor? Are they an established player with a proven track record, or a new and untested entrant to the market? What is the financial health of the vendor? How committed are they to the particular solution category?
    Vendor VisionDoes the vendor have a cogent and realistic product roadmap? Are they making sensible investments that align with your organization’s internal direction?
    Emotional FootprintHow well does the vendor’s organizational culture and team dynamics align to yours?
    Third-Party Assessments and/or ReferencesHow well-received is the vendor by unbiased, third-party sources like SoftwareReviews? For larger projects, how well does the vendor perform in reference checks (and how closely do those references mirror your own situation)?

    Decision Point: Select the Finalist

    After reviewing all vendor responses to your RFP, conducting vendor demos, and running a pilot project (if applicable), the time has arrived to select your finalist.

    All core selection team members should hold a session to score each shortlisted vendor against the criteria enumerated on the previous slide – based on an in-depth review of proposals, the demo sessions, and any pilots or technical assessments.

    The vendor that scores the highest in aggregate is your finalist.

    Congratulations – you are now ready to proceed to final negotiation and inking a contract. This blueprint provides a detailed approach on the mechanics of a major vendor negotiation.

    Leverage Info-Tech’s research to plan and execute your CRM implementation

    Use Info-Tech Research Group’s three phase implementation process to guide your own planning.
    The three phases of software implementation: 'Assess', 'Prepare', 'Govern & Course Correct'. Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.

    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Visit this link

    Prepare for implementation: establish a clear resourcing plan

    Organizations rarely have sufficient internal staffing to resource a CRM project on their own. Consider the options for closing the gap in internal resource availability.

    The most common project resourcing structures for enterprise projects are:
    Your own staff +
    1. Management consultant
    2. Vendor consultant
    3. System integrator
    Info-Tech Insight

    When contemplating a resourcing structure, consider:

    • Availability of in-house implementation competencies and resources.
    • Timeline and constraints.
    • Integration environment complexity.

    Consider the following:

    Internal vs. External Roles and Responsibilities

    Clearly delineate between internal and external team responsibilities and accountabilities, and communicate this to your technology partner up front.

    Internal vs. External Accountabilities

    Accountability is different than responsibility. Your vendor or SI partner may be responsible for completing certain tasks, but be careful not to outsource accountability for the implementation – ultimately, the internal team will be accountable.

    Partner Implementation Methodologies

    Often vendors and/or SIs will have their own preferred implementation methodology. Consider the use of your partner's implementation methodology; however, you know what will work for your organization.

    Establish team composition

    1 – 2 hours

    Input: Skills assessment, Stakeholder analysis, Vendor partner selection

    Output: Team composition

    Materials: Sticky notes, Whiteboard, Markers

    Participants: Project team

    Use Info-Tech’s Governance and Management of Enterprise Software Implementation to establish your team composition. Within that blueprint:

    1. Assess the skills necessary for an implementation. Inventory the competencies required for the implementation project team. Map your internal resources to each competency as applicable.
    2. Select your internal implementation team. Determine who needs to be involved closely with the implementation. Key stakeholders should also be considered as members of your implementation team.
    3. Identify the number of external consultants/support required for implementation. Consider your in-house skills, timeline considerations, integration environment complexity, and cost constraints as you make your team composition plan. Be sure to dedicate an internal resource to managing the vendor and partner relationships.
    4. Document the roles and responsibilities, accountabilities, and other expectations of your team as they relate to each step of the implementation.

    Governance and Management of Enterprise Software Implementation

    Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.Follow our iterative methodology with a task list focused on the business must-have functionality to achieve rapid execution and to allow staff to return to their daily work sooner.

    Visit this link

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:
    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship-building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:
    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:
    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role clarity: Having a clear definition of what everyone’s role is.

    Plan for your implementation of CRM based on deployment model

    Place your CRM application into your IT landscape by configuring and adjusting the tool based on your specific deployment method.

    Icon of a housing development.
    On-Premises

    1. Identify custom features and configuration items
    2. Train developers and IT staff on new software investment
    3. Install software
    4. Configure software
    5. Test installation and configuration
    6. Test functionality

    Icon of a cloud upload.
    SaaS-based

    1. Train developers and IT staff on new software investment
    2. Set up connectivity
    3. Identify VPN or internal solution
    4. Check firewalls
    5. Validate bandwidth regulations

    Integration is a top IT challenge and critical to the success of the CRM suite

    CRM suites are most effective when they are integrated with ERP and MarTech solutions.

    Data interchange between the CRM solution and other data sources is necessary

    Formulate a comprehensive map of the systems, hardware, and software with which the CRM solution must be able to integrate. Customer data needs to constantly be synchronized: without this, you lose out on one of the primary benefits of CRM. These connections must be bidirectional for maximum value (i.e. marketing data to the CRM, customer data to MMS).
    Specialized projects that include an intricate prospect or customer list and complex rules may need to be built by IT The more custom fields you have in your CRM suite and point solutions, the more schema mapping you will have to do. Include this information in the RFP to receive guidance from vendors on the ease with which integration can be achieved.

    Pay attention to legacy apps and databases

    If you have legacy CRM, POS, or customer contact software, more custom code will be required. Many vendors claim that custom integration can be performed for most systems, but custom comes at a cost. Don’t just ask if they can integrate; ask how long it will take and for references from organizations which have been successful in this.
    When assessing the current application portfolio that supports CRM, the tendency will be to focus on the applications under the CRM umbrella, relating mostly to marketing, sales, and customer service. Be sure to include systems that act as inputs to, or benefit due to outputs from, the CRM or similar applications.

    CRM data flow

    Example of a CRM data flow.

    Be sure to include enterprise applications that are not included in the CRM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    Sample CRM integration map

    Sample of a CRM integration map.

    Scenario: Failure to address CRM data integration will cost you in the long run

    A company spent $15 million implementing a new CRM system in the cloud and decided NOT to spend an additional $1.5 million to do a proper cloud DI tool procurement. The mounting costs followed.

    Cost Element – Custom Data Integration

    $

    2 FTEs for double entry of sales order data $ 100,000/year
    One-time migration of product data to CRM $ 240,000 otc
    Product data maintenance $ 60,000/year
    Customer data synchronization interface build $ 60,000 otc
    Customer data interface maintenance $ 10,000/year
    Data quality issues $ 100,000/year
    New SaaS integration built in year 3 $ 300,000 otc
    New SaaS integration maintenance $ 150,000/year

    Cost Element – Data Integration Tool

    $

    DI strategy and platform implementation $1,500,000 otc
    DI tool maintenance $ 15,000/year
    New SaaS integration point in year 3 $ 300,000 otc
    Thumbs down color coded red to the adjacent chart. Custom integration is costing this organization $300,000/year for one SaaS solution.
    Thumbs up color coded blue to the adjacent chart.

    The proposed integration solution would have paid for itself in 3-4 years and saved exponential costs in the long run.

    Proactively address data quality in the CRM during implementation

    Data quality is a make-or-break issue in a CRM platform; garbage in is garbage out.
    • CRM suites are one of the leading offenders for generating poor-quality data. As such, it’s important to have a plan in place for structuring your data architecture in such a way the poor data quality is minimized from the get-go.
    • Having a plan for data quality should precede data migration efforts; some types of poor data quality can be mitigated prior to migration.
    • There are five main types of poor-quality data found in CRM platforms.
      • Duplicate data: Duplicate records can be a major issue. Leverage dedicated deduplication tools to eliminate them.
      • Stale data: Out-of-date customer information can reduce the usefulness of the platform. Use automated social listening tools to help keep data fresh.
      • Incomplete data: Records with missing info limit platform value. Specify data validation parameters to mandate that all fields are filled in.
      • Invalid and conflicting data: These can create cascading errors. Establishing conflict resolution rules in ETL tools for data integration can lessen issues.
    Info-Tech Insight

    If you have a complex POI environment, appoint data stewards for each major domain and procure a deduplication tool. As the complexity of CRM system-to-system integrations increases, so will the chance that data quality errors will crop up – for example, bidirectional POI with other sources of customer information dramatically increase the chances of conflicting/duplicate data.

    Profile data, eliminate dead weight, and enforce standards to protect data

    Identify and eliminate dead weight

    Poor data can originate in the firm’s CRM system. Custom queries, stored procedures, or profiling tools can be used to assess the key problem areas.

    Loose rules in the CRM system may lead to records of no significant value in the database. Those rules need to be fixed, but if changes are made before the data is fixed, users could encounter database or application errors, which will reduce user confidence in the system.

    • Conduct a data flow analysis: map the path that data takes through the organization.
    • Use a mass cleanup to identify and destroy dead weight data. Merge duplicates either manually or with the aid of software tools. Delete incomplete data, taking care to reassign related data.
    • COTS packages typically allow power users to merge records without creating orphaned records in related tables, but custom-built applications typically require IT expertise.

    Create and enforce standards and policies

    Now that the data has been cleaned, it’s important to protect the system from relapsing.

    Work with business users to find out what types of data require validation and which fields should have changes audited. Whenever possible, implement drop-down lists to standardize values and make programming changes to ensure that truncation ceases.

    • Truncated data is usually caused by mismatches in data structures during either one-time data loads or ongoing data integrations.
    • Don’t go overboard on assigning required fields; users will just put key data in note fields.
    • Discourage the use of unstructured note fields: the data is effectively lost except if it gets subpoenaed.
    Info-Tech Insight

    Data quality concerns proliferate with the customization level of your platform. The more extensive the custom integration points and module/database extensions that you have made, the more you will need to have a plan in place for managing data quality from a reactive and proactive standpoint.

    Create a formal communication process throughout the CRM implementation

    Establish a comprehensive communication process around the CRM enterprise roll-out to ensure that end users stay informed.

    The CRM kick-off meeting(s) should encompass: 'The high-level application overview', 'Target business-user requirements', 'Target quality of service (QoS) metrics', 'Other IT department needs', 'Tangible business benefits of application', 'Special consideration needs'. The overall objective for interdepartmental CRM kick-off meetings is to confirm that all parties agree on certain key points and understand platform rationale and functionality.

    The kick-off process will significantly improve internal communications by inviting all affected internal IT groups, including business units, to work together to address significant issues before the application process is formally activated.

    Department groups or designated trainers should take the lead and implement a process for:

    • Scheduling CRM platform roll-out/kick-off meetings.
    • Soliciting preliminary input from the attending groups to develop further training plans.
    • Establishing communication paths and the key communication agents from each department who are responsible for keeping lines open moving forward.

    Ensure requirements are met with robust user acceptance testing

    User acceptance testing (UAT) is a test procedure that helps to ensure end-user requirements are met. Test cases can reveal bugs before the suite is implemented.

    Five Secrets of UAT Success

    Bracket with colors corresponding the adjacent list items.

    1

    Create the plan With the information collected from requirements gathering, create the plan. Make sure this information is added to the main project plan documentation.

    2

    Set the agenda The time allotted will vary depending on the functionality being tested. Ensure that the test schedule allows for the resolution of issues and discussion.

    3

    Determine who will participate Work with the relevant stakeholders to identify the people who can best contribute to system testing. Look for experienced power users who have been involved in earlier decision making about the system.

    4

    Highlight acceptance criteria Together with the UAT group, pinpoint the criteria to determine system acceptability. Refer back to requirements specified in use cases in the initial requirements-gathering stages of the project.

    5

    Collect end user feedback Weaknesses in resolution workflow design, technical architecture, and existing customer service processes can be highlighted and improved on with ongoing surveys and targeted interviews.

    Calculate post-deployment metrics to assess measurable value of the project

    Track the post-deployment results from the project and compare the metrics to the current state and target state.

    CRM Selection and Implementation Metrics
    Description Formula Current or Estimated Target Post-Deployment
    End-User Satisfaction # of Satisfied Users
    # of End Users
    70% 90% 85%
    Percentage Over/Under Estimated Budget Amount Spent - 100%
    Budget
    5% 0% 2%
    Percentage Over/Under Estimated Timeline Project Length - 100%
    Estimated Timeline
    10% -5% -10%

    CRM Strategy Metrics
    Description Formula Current or Estimated Target Post-Deployment
    Number of Leads Generated (per month) # of Leads Generated 150 200 250
    Average Time to Resolution (in minutes) Time Spent on Resolution
    # of Resolutions
    30 minutes 10 minutes 15 minutes
    Cost per Interaction by Campaign Total Campaign Spending
    # of Customer Interactions
    $17.00 $12.00 $12.00

    Select the Right CRM Platform

    CRM technology is critical to facilitate an organization’s relationships with customers, service users, employees, and suppliers. Having a structured approach to building a business case, defining key requirements, and engaging with the right shortlist of vendors to pick the best finalist is crucial.

    This selection guide allows organizations to execute a structured methodology for picking a CRM that aligns with their needs. This includes:
    • Alignment and prioritization of key business and technology drivers for a CRM selection business case.
    • Identification of key use cases and requirements for CRM.
    • Construction of a robust CRM RFP.
    • A strong market scan of key players.
    • A survey of crucial implementation considerations.
    This formal CRM selection initiative will drive business-IT alignment, identify sales and marketing automation priorities, and allow for the rollout of a platform that’s highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Insight summary

    Stakeholder satisfaction is critical to your success

    Choosing a solution for a single use case and then expanding it to cover other purposes can be a way to quickly gain approvals and then make effective use of dollars spent. However, this can also be a nightmare if the product is not fit for purpose and requires significant customization effort for future use cases. Identify use cases early, engage stakeholders to define success, and recognize where you need to find balance between a single off-the-shelf CRM platform and adjacent MarTech or sales enablement systems.

    Build a business case

    An effective business case isn’t a single-purpose document for obtaining funding. It can also be used to drive your approach to product selection, requirements gathering, and ultimately evaluating stakeholder and user satisfaction.

    Use your business case to define use cases and milestones as well as success.

    Balance process with technology

    A new solution with old processes will result in incremental increased value. Evaluate existing processes and identify opportunities to improve and remove workarounds. Then define requirements.

    You may find that the tools you have would be adequate with an upgrade and tool optimization. If not, this exercise will prepare you to select the right solution for your current and future needs.

    Drive toward early value

    Lead with the most important benefit and consider the timeline. Most stakeholders will lose interest if they don’t realize benefits within the fist year. Can you reach your goal and report success within that timeline?

    Identify secondary, incremental customer engagement improvements that can be made as you work toward the overall goal to be achieved at the one-year milestone.

    Related Info-Tech Research

    Stock image of an office worker. Build a Strong Technology Foundation for Customer Experience Management
    • Any CRM project needs to be guided by the broader strategy around customer engagement. This blueprint explores how to create a strong technology enablement approach for CXM using voice of the customer analysis.
    Stock image of a target with arrows. Improve Requirements Gathering
    • 70% of projects that fail do so because of poor requirements. If you need to double-click on best practices for eliciting, analyzing, and validating requirements as you build up your CRM picklist and RFP, this blueprint will equip you with the knowledge and tools you need to hit the ground running.
    Stock image of a pen on paper. Drive Successful Sourcing Outcomes with a Robust RFP Process
    • Managing a complex RFP process for an enterprise application like a CRM platform can be a challenging undertaking. This blueprint zooms into how to build, run, administer, and evaluate RFP responses effectively.

    Bibliography

    “Doomed From the Start? Why a Majority of Business and IT Teams Anticipate Their Software Development Projects Will Fail.” Geneca, 25 Jan. 2017. Web.

    Hall, Kerrie. “The State of CRM Data Management 2020.” Validity. 27 April 2020. Web.

    Hinchcliffe, Dion. “The Evolving Role of the CIO and CMO in Customer Experience.” ZDNet, 22 Jan. 2020. Web.

    Klie, L. “CRM Still Faces Challenges, Most Speakers Agree: CRM Systems Have Been Around for Decades, but Interoperability and Data Siloes Still Have to Be Overcome.” CRM Magazine, vol. 23, no. 5, 2019, pp. 13-14.

    Markman, Jon. "Netflix Knows What You Want... Before You Do." Forbes. 9 Jun. 2017. Web.

    Morgan, Blake. “50 Stats That Prove The Value Of Customer Experience.” Forbes, 24 Sept. 2019. Web.

    Taber, David. “What to Do When Your CRM Project Fails.” CIO Magazine, 18 Sept. 2017. Web.

    “The State of Project Management Annual Survey 2018.” Wellingtone, 2018. Web.

    “The History of Microsoft Dynamics.” Eswelt. 2021. Accessed 8 June 2022.

    “Unlock the Mysteries of Your Customer Relationships.” Harvard Business Review. 1 July 2014. Accessed 30 Mar. 2016.

    Microsoft Teams Cookbook

    • Buy Link or Shortcode: {j2store}408|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $6,299 Average $ Saved
    • member rating average days saved: 27 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    Remote work calls for leveraging your Office 365 license to use Microsoft Teams – but IT is unsure about best practices for governance and permissions. Moreover, IT has few resources to help train end users with Teams best practices.

    Our Advice

    Critical Insight

    Microsoft Teams is not a standalone app. Successful utilization of Teams occurs when conceived in the broader context of how it integrates with Office 365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

    Impact and Result

    Use Info-Tech’s Microsoft Teams Cookbook to successfully implement and use Teams. This cookbook includes recipes for:

    • IT best practices concerning governance of the creation process and Teams rollout.
    • End-user best practices for Teams functionality and common use cases.

    Microsoft Teams Cookbook Research & Tools

    Start here – read the Executive Brief

    Learn critical insights for an effective Teams rollout.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Microsoft Teams Cookbook – Sections 1-2

    1. Teams for IT

    Understand best practices for governance of the Teams creation process and Teams rollout.

    • Microsoft Teams Cookbook – Section 1: Teams for IT

    2. Teams for end users

    Get end users on board with this series of how-tos and common use cases for Teams.

    • Microsoft Teams Cookbook – Section 2: Teams for End Users

    [infographic]

     

    Further reading

    Microsoft Teams Cookbook

    Recipes for best practices and use cases for Microsoft Teams.

    Table of contents

    Executive Brief

    Section 1: Teams for IT

    Section 2: Teams for End Users

    Executive Summary

    Situation

    Remote work calls for leveraging your Office 365 license to utilize Teams – but IT is unsure about best practices for governance and permissions.

    Without a framework or plan for governing the rollout of Teams, IT risks overlooking secure use of Teams, the phenomenon of “teams sprawl,” and not realizing how Teams integrates with Office 365 more broadly.

    Complication

    Teams needs to be rolled out quickly, but IT has few resources to help train end users with Teams best practices.

    With teams, channels, chats, meetings, and live events to choose from, end users may get frustrated with lack of guidance on how to use Teams’ many capabilities.

    Resolution

    Use Info-Tech’s Microsoft Teams Cookbook to successfully implement and utilize Teams. This cookbook includes recipes for:

    • IT best practices concerning governance of the creation process and Teams rollout.
    • End-user best practices for Teams functionality and common use cases.

    Key Insights

    Teams is not a standalone app

    Successful utilization of Teams occurs when conceived in the broader context of how it integrates with Office 365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

    IT should paint the first picture for team creation

    No initial governance for team creation can lead to “teams sprawl.” While Teams was built to allow end users’ creativity to flow in creating teams and channels, this can create problems with a cluttered interface and keeping track of information. To prevent end-user dissatisfaction here, IT’s initial Teams rollout should offer a basic structure for end users to work with first, limiting early teams sprawl.

    The Teams admin center can only take you so far with permissions

    Knowing how Teams integrates with other Office 365 apps will help with rolling out sensitivity labels to protect important information being accidentally shared in Teams. Of course, technology only does so much – proper processes to train and hold people accountable for their actions with data sharing must be implemented, too.

    Related Info-Tech Research

    Establish a Communication and Collaboration System Strategy

    Don’t waste your time deploying yet another collaboration tool that won’t get used.

    Modernize Communication and Collaboration Infrastructure

    Your legacy telephony infrastructure is dragging you down – modern communications and collaboration technology will dramatically improve productivity.

    Migrate to Office 365 Now

    One small step to cloud, one big leap to Office 365. The key is to look before you leap.

    Section 1: Teams for IT

    Governance best practices and use cases for IT

    Section 1

    Teams for IT

    Section 2

    Teams for end users

    From determining prerequisites to engaging end users.

    IT fundamentals
    • Creation process
    • Teams rollout
    Use cases
    • Retain and search for legal/regulatory compliance
    • Add an external user to a team
    • Delete/archive a team

    Overview: Creation process

    IT needs to be prepared to manage other dependent services when rolling out Teams. See the figure below for how Teams integrates with these other Office 365 applications.

    A flow chart outlining how Teams integrates with other Office 365 applications. Along the side are different applications, from the top: 'Teams client', 'OneDrive for Business', 'Sharepoint Online', 'Planner (Tasks for Teams)', 'Exchange Online', and 'Stream'. Along the top are services of 'Teams client', 'Files', 'Teams', 'Chat', 'Meeting', and 'Calls'.

    Which Microsoft 365 license do I need to access Teams?

    • Microsoft 365 Business Essentials
    • Microsoft 365 Business Premium
    • Office 365 Enterprise, E1, E3, or E5
    • Office 365 Enterprise E4 (if purchased prior to its retirement)

    Please note: To appeal to the majority of Info-Tech’s members, this blueprint refers to Teams in the context of Office 365 Enterprise licenses.

    Assign admin roles

    You will already have at least one global administrator from setting up Office 365.

    Global administrators have almost unlimited access to settings and most of the data within the software, so Microsoft recommends having only two to four IT and business owners responsible for data and security.

    Info-Tech Best Practice

    Configure multifactor authentication for your dedicated Office 365 global administrator accounts and set up two-step verification.

    Once you have organized your global administrators, you can designate your other administrators with “just-enough” access for managing Teams. There are four administrator roles:

    Teams Service Administrator Manage the Teams service; manage and create Microsoft 365 groups.
    Teams Communications Administrator Manage calling and meetings features with Teams.
    Teams Communications Support Engineer Troubleshoot communications issues within Teams using the advanced troubleshooting toolset.
    Teams Communications Support Specialist Troubleshoot communications issues using Call Analytics.

    Prepare the network

    There are three prerequisites before Teams can be rolled out:

    • UDP ports 3478 through 3481 are opened.
    • You have a verified domain for Office 365.
    • Office 365 has been rolled out, including Exchange Online and SharePoint Online.

    Microsoft then recommends the following checklist to optimize your Teams utilization:

    • Optimize calls and performance using the Call Quality Dashboard.
    • Assess network requirements in the Network Planner in the Teams admin center.
    • Ensure all computers running Teams client can resolve external DNS queries.
    • Check adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion.
    • Route to local or regional Microsoft data centers.
    • Whitelist all Office 365 URLs to move through security layers, especially IDS/IPS.
    • Split tunnel Teams traffic so it bypasses your organization’s VPN.

    Info-Tech Best Practice

    For online support and walkthroughs, utilize Advisor for Teams. This assistant can be found in the Teams admin center.

    Team Creation

    You can create and manage Teams through the Teams PowerShell module and the Teams admin center. Only the global administrator and Teams service administrator have full administrative capabilities in this center.

    Governance over team creation intends to prevent “teams sprawl” – the phenomenon whereby end users create team upon team without guidance. This creates a disorganized interface, with issues over finding the correct team and sharing the right information.

    Prevent teams sprawl by painting the first picture for end users:

    1. Decide what kind of team grouping would best fit your organization: by department or by project.
    2. Start with a small number of teams before letting end users’ creativity take over. This will prevent initial death by notifications and support adoption.
    3. Add people or groups to these teams. Assign multiple owners for each team in case people move around at the start of rollout or someone leaves the organization.
    4. Each team has a general channel that cannot be removed. Use it for sharing an overview of the team’s goals, onboarding, and announcements.

    Info-Tech Best Practice

    For smaller organizations that are project-driven, organize teams by projects. For larger organizations with established, siloed departments, organize by department; projects within departments can become channels.

    Integrations with SharePoint Online

    Teams does not integrate with SharePoint Server.

    Governance of Teams is important because of how tightly it integrates with other Office 365 apps, including SharePoint Online.

    A poor rollout of Teams will have ramifications in SharePoint. A good rollout will optimize these apps for the organization.

    Teams and SharePoint integrate in the following ways:

    • Each team created in Teams automatically generates a SharePoint team site behind it. All documents and chat shared through a team are stored in that team’s SharePoint document library.
    • As such, all files shared through Teams are subject to SharePoint permissions.
    • Existing SharePoint folders can be tied to a team without needing to create a new one.
    • If governance over resource sharing in Teams is poor, information can get lost, duplicated, or cluttered throughout both Teams and SharePoint.

    Info-Tech Best Practice

    End users should be encouraged to integrate their teams and channels with existing SharePoint folders and, where no folder exists, to create one in SharePoint first before then attaching a team to it.

    Permissions

    Within the Teams admin center, the global or Teams service administrator can manage Teams policies.

    Typical Teams policies requiring governance include:

    • The extent end users can discover or create private teams or channels
    • Messaging policies
    • Third-party app use

    Chosen policies can be either applied globally or assigned to specific users.

    Info-Tech Best Practice

    If organizations need to share sensitive information within the bounds of a certain group, private channels help protect this data. However, inviting users into that channel will enable them to see all shared history.

    External and guest access

    Within the security and compliance center, the global or Teams service administrator can set external and guest access.

    External access (federation) – turned on by default.

    • Lets you find, call, and chat with users in other domains. External users will have no access to the organization’s teams or team resources.

    Guest access – turned off by default.

    • Lets you add individual users with their own email address. You do this when you want external users to access teams and team resources. Approved guests will be added to the organization’s active directory.

    If guest access is enabled, it is subject to Azure AD and Office 365 licensing and service limits. Guests will have no access to the following, which cannot be changed:

    • OneDrive for Business
    • An organization’s calendar/meetings
    • PSTN
    • Organization’s hierarchical chart
    • The ability to create, revise, or browse a team
    • Upload files to one-on-one chat

    Info-Tech Best Practice

    Within the security and compliance center, you can allow users to add sensitivity labels to their teams that can prevent external and guest access.

    Expiration and archiving

    To reduce the number of unused teams and channels, or delete information permanently, the global or Teams service administrator can implement an Office 365 group expiration and archiving policy through the Teams admin center.

    If a team has an expiration policy applied to it, the team owner will receive a notification for team renewal 30 days, 15 days, and 1 day before the expiry date. They can renew their team at any point within this time.

    • To prevent accidental deletion, auto-renewal is enabled for a team. If the team owner is unable to manually respond, any team that has one channel visit from a team member before expiry is automatically renewed.
    • A deleted Office 365 group is retained for 30 days and can be restored at any point within this time.

    Alternatively, teams and their channels (including private) can be archived. This will mean that all activity for the team ceases. However, you can still add, remove, and update roles of the members.

    Retention and data loss prevention

    Retention policies can be created and managed in the Microsoft 365 Compliance Center or the security and compliance center PowerShell cmdlets. This can be applied globally or to specific users.

    By default, information shared through Teams is retained forever.

    However, setting up retention policies ensures data is retained for a specified time regardless of what happens to that data within Teams (e.g. user deletes).

    Info-Tech Best Practice

    To prevent external or guest users accessing and deleting sensitive data, Teams is able to block this content when shared by internal users. Ensure this is configured appropriately in your organization:

    • For guest access in teams and channels
    • For external access in meetings and chat

    Please note the following limitations of Teams’ retention and data loss prevention:

    • Organization-wide retention policies will need to be manually inputted into Teams. This is because Teams requires a retention policy that is independent of other workloads.
    • As of May 2020, retention policies apply to all information in Teams except private channel messages. Files shared in private channels, though, are subject to retention policies.
    • Teams does not support advanced retention settings, such as a policy that pertains to specific keywords or sensitive information.
    • It will take three to seven days to permanently delete expired messages.

    Teams telephony

    Teams has built-in functionality to call any team member within the organization through VoIP.

    However, Teams does not automatically connect to the PSTN, meaning that calling or receiving calls from external users is not immediately possible.

    Bridging VoIP calls with the PSTN through Teams is available as an add-on that can be attached to an E3 license or as part of an E5 license.

    There are two options to enable this capability:

    • Enable Phone System. This allows for call control and PBX capabilities in Office 365.
    • Use direct routing. You can use an existing PSTN connection via a Session Border Controller that links with Teams (Amaxra).

    Steps to implement Teams telephony:

    1. Ensure Phone System and required (non-Microsoft-related) services are available in your country or region.
    2. Purchase and assign Phone System and Calling Plan licenses. If Calling Plans are not available in your country or region, Microsoft recommends using Direct Routing.
    3. Get phone numbers and/or service numbers. There are three ways to do this:
      • Get new numbers through the Teams admin center.
      • If you cannot get new numbers through the Teams admin center, you can request new numbers from Microsoft directly.
      • Port or transfer existing numbers. To do this, you need to send Microsoft a letter of authorization, giving them permission to request and transfer existing numbers on your behalf.
    4. To enable service numbers, including toll-free numbers, Microsoft recommends setting up Communications Credits for your Calling Plans and Audio Conferencing.

    Overview: Teams rollout

    1. From Skype (and Slack) to Teams
    2. Gain stakeholder purchase
    3. Employ a phased deployment
    4. Engage end users

    Skype for Business is being retired; Microsoft offers a range of transitions to Teams.

    Combine the best transition mode with Info-Tech’s adoption best practices to successfully onboard and socialize Teams.

    From Skype to Teams

    Skype for Business Online will be retired on July 31, 2021. Choose from the options below to see which transition mode is right for your organization.

    Skype for Business On-Premises will be retired in 2024. To upgrade to Teams, first configure hybrid connectivity to Skype for Business Online.

    Islands mode (default)

    • Skype for Business and Teams coexist while Teams is rolled out.
    • Recommended for phased rollouts or when Teams is ready to use for chat, calling, and meetings.
    • Interoperability is limited. Teams and Skype for Business only transfer information if an internal Teams user sends communications to an external Skype for Business user.

    Teams only mode (final)

    • All capabilities are enabled in Teams and Skype for Business is disabled.
    • Recommended when end users are ready to switch fully to Teams.
    • End users may retain Skype for Business to join meetings with non-upgraded or external parties. However, this communication is only initiated from the Skype for Business external user.

    Collaboration first mode

    • Skype for Business and Teams coexist, but only Teams’ collaboration capabilities are enabled. Teams communications capabilities are turned off.
    • Recommended to leverage Skype for Business communications yet utilize Teams for collaboration.

    Meetings first mode

    • Skype for Business and Teams coexist, but only Teams’ meetings capabilities are enabled.
    • Recommended for organizations that want to leverage their Skype for Business On-Premises’ Enterprise Voice capability but want to benefit from Teams’ meetings through VoIP.

    From Slack to Teams

    The more that’s left behind in Slack, the easier the transition. As a prerequisite, pull together the following information:

    • Usage statistics of Slack workspaces and channels
    • What apps end users utilize in Slack
    • What message history you want to export
    • A list of users whose Slack accounts can map on to required Microsoft accounts
    Test content migration

    Your Slack service plan will determine what you can and can’t migrate. By default, public channels content can be exported. However, private channels may not be exportable, and a third-party app is needed to migrate Direct Messages.

    Files migration

    Once you have set up your teams and channels in Teams, you can programmatically copy files from Slack into the target Teams channel.

    Apps migration

    Once you have a list of apps and their configurations used in Slack’s workspaces, you can search in Teams’ app store to see if they’re available for Teams.

    User identity migration

    Slack user identities may not map onto a Microsoft account. This will cause migration issues, such as problems with exporting text content posted by that user.

    Follow the migration steps to the right.

    Importantly, determine which Slack workspaces and channels should become teams and channels within Teams.

    Usage statistics from Slack can help pinpoint which workspaces and channels are redundant.

    This will help IT paint an ordered first picture for new Teams end users.

    1. Create teams and channels in Teams
    2. Copy files into Teams
    3. Install apps, configure Office 365 Connecters
    4. Import Slack history
    5. Disable Slack user accounts

    Info-Tech Best Practice

    Avoid data-handling violations. Determine what privacy and compliance regulations (if any) apply to the handling, storage, and processing of data during this migration.

    Gain stakeholder purchase

    Change management is a challenging aspect of implementing a new collaboration tool. Creating a communication and adoption plan is crucial to achieving universal buy-in for Teams.

    To start, define SMART objectives and create a goals cascade.

    Specific Measurable Actionable Realistic Time Bound
    Make sure the objective is clear and detailed. Objectives are `measurable` if there are specific metrics assigned to measure success. Metrics should be objective. Objectives become actionable when specific initiatives designed to achieve the objective are identified. Objectives must be achievable given your current resources or known available resources. An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
    Who, what, where, why? How will you measure the extent to which the goal is met? What is the action-oriented verb? Is this within my capabilities? By when: deadline, frequency?

    Sample list of stakeholder-specific benefits from improving collaboration

    Stakeholder Driver Benefits
    Senior Leadership Resource optimization Increased transparency into IT operational costs.
    Better ability to forecast hardware, resourcing costs.
    All employees Increasing productivity Apps deployed faster.
    Issues fixed faster.
    Easier access to files.
    Able to work more easily offsite.
    LBU-HR, legal, finance Mitigating risk Better able to verify compliance with external regulations.
    Better understanding of IT risks.
    Service desk Resource optimization Able to resolve issues faster.
    Fewer issues stemming from updates.
    Tier 2 Increasing productivity Less time spent on routine maintenance.

    Use these activities to define what pain points stakeholders face and how Teams can directly mitigate those pain points.

    (Source: Rationalize Your Collaboration Tools (coming soon), Activities: 3.1C – 3.1D)

    Employ a phased deployment

    Info-Tech Best Practice

    Deploy Teams over a series of phases. As such, if you are already using Skype for Business, choose one of the coexistence phases to start.

      1. Identify and pilot Teams with early adopters that will become your champions. These champions should be formally trained, be encouraged to help and train their colleagues, and be positively reinforced for their efforts.
      2. Iron out bugs identified with the pilot group and train middle management. Enterprise collaboration tool adoption is strongly correlated with leadership adoption.
        1. Top-level management
          Control and direct overall organization.
        2. Middle management
          Execute top-level management’s plans in accordance with organization’s norms.
        3. First-level management
          Execute day-to-day activities.
      3. Use Info-Tech’s one-pager marketing template to advertise the new tool to stakeholders. Highlight how the new tool addresses specific pain points. Address questions stemming from fear and uncertainty to avoid employees’ embarrassment or their rejection of the tool.
    A screenshot of Info-Tech's one-pager marketing template.
    1. Extend the pilot to other departments and continue this process for the whole organization.

    (Source: Rationalize Your Collaboration Tools (coming soon), Tools:GANTT Chart and Marketing Materials, Activities: 3.2A – 3.2B)

    Info-Tech Insight

    Be in control of setting and maintaining expectations. Aligning expectations with reality and the needs of employees will lower onboarding resistance.

    Engage end users

    Short-term best practices

    Launch day:
    • Hold a “lunch and learn” targeted training session to walk end users through common use cases.
    • Open a booth or virtual session (through Teams!) and have tool representatives available to answer questions.
    • Create a game to get users exploring the new tool – from scavenger hunts to bingo.
    Launch week:
    • Offer incentives for using the tool and helping others, including small gift cards.
    • Publicize achievements if departments hit adoption milestones.

    Long-term best practices

    • Make available additional training past launch week. End users should keep learning new features to improve familiarity.
    • Distribute frequent training clips, slowly exposing end users to more complex ways of utilizing Teams.
    • Continue to positively reinforce and recognize those who use Teams well. This could be celebrating those that help others use the tool, how active certain users are, and attendance at learning events.

    Info-Tech Best Practice

    Microsoft has a range of training support that can be utilized. From instructor-led training to “Coffee in the Cloud” sessions, leverage all the support you can.

    Use case #1: Retain and search data for legal/regulatory compliance

    Scenario:

    Your organization requires you to retain data and documents for a certain period of time; however, after this period, your organization wishes to delete or archive the data instead of maintaining it indefinitely. Within the timeframe of the retention policy, the admin may be asked to retrieve information that has been requested through a legal channel.

    Purpose:
    • Maintain compliance with the legal and regulatory standards to which the organization is subject.
    Jobs:
    • Ensure the data is retained for the approved time period.
    • Ensure the policy applies to all relevant data and users.
    Solution: Retention Policies
    • Ensure that your organization has an Office 365 E3 or higher license.
    • Set the desired retention policy through the Security & Compliance Center or PowerShell by deciding which teams, channels, chats, and users the policies will apply to and what will happen once the retention period ends.
    • Ensure that matching retention policies are applied to SharePoint and OneDrive, since this is where files shared in Teams are stored.
    • Be aware that Teams retention policies cannot be applied to messages in private channels.
    Solution: e-Discovery
    • If legally necessary, place users or Teams on legal hold in order to retain data that would be otherwise deleted by your organization’s retention policies.
    • Perform e-discovery on Teams messages, files, and summaries of meetings and calls through the Security & Compliance Center.
    • See Microsoft’s chart on the next slide for what is e-discoverable.

    Content subject to e-discovery

    Content type eDiscoverable Notes
    Teams chat messages Yes Chat messages from chats where guest users are the only participants in a 1:1 or 1:N chat are not e-discoverable.
    Audio recordings No  
    Private channel messages Yes  
    Emojis, GIFs, stickers Yes  
    Code snippets No  
    Chat links Yes  
    Reactions (likes, hearts, etc) No  
    Edited messages Yes If the user is on hold, previous versions of edited messages are preserved.
    Inline images Yes  
    Tables Yes  
    Subject Yes  
    Quotes Yes Quoted content is searchable. However, search results don’t indicate that the content was quoted.
    Name of channel No  

    E-discovery does not capture audio messages and read receipts in MS Teams.

    Since files shared in private channels are stored separately from the rest of a team, follow Microsoft’s directions for how to include private channels in e-discovery. (Source: “Conduct an eDiscovery investigation of content in Microsoft Teams,” Microsoft, 2020.)

    Use case #2: Add external person to a team

    Scenario:

    A team in your organization needs to work in an ongoing way with someone external to the company. This user needs access to the relevant team’s work environment, but they should not be privy to the goings-on in the other parts of the organization.

    Jobs:

    This external person needs to be able to:

    • Attend meetings
    • Join calls
    • Chat with individual team members
    • View and collaborate on the team’s files
    Solution:
    • If necessary, set a data loss prevention policy to prevent your users from sharing certain types of information or files with external users present in your organization’s Teams chats and public channels.
    • Ensure that your Microsoft license includes DLP protection. However:
      • DLP cannot be applied to private channel messages.
      • DLP cannot block messages from external Skype for Business users nor external users who are not in “Teams only” mode.
    • Ensure that you have a team set up for the project that you wish the external user to join. The external user will be able to see all the channels in this team, unless you create a private channel they are restricted from.
    • Complete Microsoft’s “Guest Access Checklist” to enable guest access in Teams, if it isn’t already enabled.
    • As admin, give the external user guest access through the Teams admin center or Azure AD B2B collaboration. (If given permission, team owners can also add guests through the Teams client).
    • Decide whether to set a policy to monitor and audit external user activity.

    Use case #3: Delete/archive a team

    Scenario:

    In order to avoid teams sprawl, organizations may want IT to periodically delete or archive unused teams within the Teams client in order to improve the user interface.

    Alternately, if you are using a project-based approach to organizing Teams, you may wish to formalize a process to archive a team once the project is complete.

    Delete:
    • Determine if the team owner anticipates the team will need to be restored one day.
    • Ensure that deletion does not contradict the organization’s retention policy.
    • If not, proceed with deletion. Find the team in the Teams admin center and delete.
    • Restore a deleted team within 30 days of its initial deletion through PowerShell.
    Archive:
    • Determine if the team owner anticipates the team will need to be restored one day.
    • Find the relevant team in the Teams admin center and change its status to “Archived.”
    • Restore the archived team if the workspace becomes relevant once again.

    Info-Tech Best Practice

    Remind end users that they can hide teams or channels they do not wish to see in their Teams interface. Knowing a team can be hidden may impact a team owner’s decision to delete it.

    Section 2: Teams for End Users

    Best practices for utilizing teams, channels, chat, meetings, and live events

    Section 1

    Teams for IT

    Section 2

    Teams for end users

    From Teams how-tos to common use cases for end users.

    End user basics
    • Teams, channels, and chat
    • Meetings and live events
    Common use cases: Workspaces
    • WS#1: Departments
    • WS#2: A cross-functional committee
    • WS#3: An innovation day event
    • WS#4: A non-work-related social event
    • WS#5: A project team with a defined end time
    Common use cases: Meetings
    • M#1: Job interview with an external candidate
    • M#2: Quarterly board meeting
    • M#3: Weekly recurring team meeting
    • M#4: Morning stand-up/scrum
    • M#5: Phone call between two people

    Overview: Teams, channels, and chat

    Teams

    • Team: A workspace for a group of collaborative individuals.
      • Public channel: A focused area where all members of a team can meet, communicate, and share ideas and content.
      • Private channel: Like a public channel but restricted to a subset of team members, defined by channel owner.

    Chat

    • Chat: Two or more users collected into a common conversation thread.
    (Source: “Overview of teams and channels in Microsoft Teams,” Microsoft, 2020.)

    For any Microsoft Teams newcomer, the differences between teams, channels, and chat can be confusing.

    Use Microsoft’s figure (left) to see how these three mediums differ in their role and function.

    Best practices: Workspaces 1/2

      Team
    A workspace for a group of collaborative individuals.
    Public Channel
    A focused area where all members of a team can meet, communicate, and share ideas and content.
    Private Channel
    Like a public channel but restricted to a subset of team members, defined by channel owner.
    Group Chat
    Two or more users collected into a common conversation thread.
    Limits and Administrative Control
    Who can create? Default setting: All users in an organization can create a team

    Maximum 500,000 teams per tenant

    Any member of a team can create a public channel within the team

    Maximum 200 public channels per team

    Any member of a team can create a private channel and define its members

    Maximum 30 private channels per team

    Anyone
    Who can add members? Team owner(s); max 5,000 members per team N/A Channel owner(s) can add up to 250 members Anyone can bring new members into the chat (and decide if they can see the previous history) up to 100 members
    Who can delete? Team owner/admin can delete Any team member Channel owner(s) Anyone can leave a chat but cannot delete chat, but they are never effectively deleted
    Social Context
    Who can see it? Public teams are indexed and searchable

    Private teams are not indexed and are visible only to joined members

    All members of the team can see all public channels. Channels may be hidden from view for the purposes of cleaning up the UI. Individuals will only see private channels for which they have membership Only participants in the group chat can see the group chat
    Who can see the content? Team members can see any content that is not otherwise part of a private channel All team members All members of the private channel Only members of the group chat

    When does a Group Chat become a Channel?

    • When it’s appropriate for the conversation to have a gallery – an audience of members who may not be actively participating in the discussion.
    • When control over who joins the conversation needs to be centrally governed and not left up to anyone in the discussion.
    • When the discussion will persist over a longer time period.
    • When the number of participants approaches 100.

    When does a Channel become a Team?

    • When a team approaches 30 private channels, many of those private channels are likely candidates to become their own team.
    • When the channel membership needs to extend beyond the boundary of the team membership.

    Best practices: Workspaces 2/2

      Team
    A workspace for a group of collaborative individuals.
    Public Channel
    A focused area where all members of a team can meet, communicate, and share ideas and content.
    Private Channel
    Like a public channel but restricted to a subset of team members, defined by channel owner.
    Group Chat
    Two or more users collected into a common conversation thread.
    Data and Applications
    Where does the content live? SharePoint: Every team resides in its own SharePoint site SharePoint: Each team (public and private) has its own folder off the root of the SharePoint site’s repository SharePoint: Each team (public and private) has its own folder off the root of the SharePoint site’s repository OneDrive: Files that are shared in a chat are stored in the OneDrive folder of the original poster and shared to the other members
    How does the data persist or be retained? If a team expires/is deleted, its corresponding SharePoint site and those artifacts are also deleted Available for 21 days after deletion. Any member of the team can delete a public channel. The team owner and private channel owner can delete/restore a private channel Chats are never effectively deleted. They can be hidden to clean up the user interface.
    Video N/A Yes, select “Meet now” in channel below text entry box Yes, select “Meet now” in channel below text entry box Yes
    Phone calls N/A Yes, select “Meet now” in channel below text entry box Yes, select “Meet now” in channel below text entry box Yes
    Shared computer audio/screen N/A Yes, select “Meet now” in channel below text entry box Yes, select “Meet now” in channel below text entry box Yes
    File-sharing Within channels Yes. Frequently used/collaborated files can be turned into discrete tab. Yes. Frequently used/collaborated files can be turned into discrete tab. Yes
    Wikis Within channels Yes Yes No
    Whiteboarding No No No No

    When does a Team become a Channel?

    • When a team’s purpose for existing can logically be subsumed by another team that has a larger scope.

    When does a Channel become a Group Chat?

    • When a conversation within a channel between select users does not pertain to that channel’s scope (or any other existing channel), they should move the conversation to a group chat.
    • However, this is until that group chat desires to form a channel of its own.

    Create a new team

    Team owner: The person who creates the team. It is possible for the team owner to then invite other members of the team to become co-owners to distribute administrative responsibilities.

    Team members: People who have accepted their invitation to be a part of the team.

    NB: Your organization can control who has permission to set up a team. If you can’t set a up a team, contact your IT department.

    Screenshots detailing how to create a new team in Microsoft Teams, steps 1 to 3. Step 1: 'Click the <Teams data-verified= tab on the left-hand side of the app'. Step 2: 'At the bottom of the app, click '. Step 3: 'Under the banner , click '.">

    Create a new team

    Screenshot detailing how to create a new team in Microsoft Teams, the step 4 starting point with an arrow pointing to the 'Build a team from scratch' button.

    Decide from these two options:

    • Building a team from scratch, which will create a new group with no prior history imported (steps 4.1–4.3).
    • Creating a team from an existing group in Office 365, including an already existing team (steps 4.4–4.6).

    NB: You cannot create a team from an existing group if:

    • That group has 5,000 members or more.
    • That group is in Yammer.

    Screenshot detailing how to create a new team in Microsoft Teams, step 4.1. There are buttons for 'Private' and 'Public'.

    Decide if you want you new team from scratch to be private or public. If you set up a private team, any internal or external user you invite into the team will have access to all team history and files shared.

    Screenshot detailing how to create a new team in Microsoft Teams, step 4.2 and 4.3. 4.2 has a space to give your team a name and another for a description. 4.3 says 'Then click <Create data-verified='.">

    Create a new team

    Screenshot detailing how to create a new team in Microsoft Teams, the step 4 starting point with an arrow pointing to the 'Create from...' button.

    Decide from these two options:

    • Building a team from scratch, which will create a new group with no prior history imported (steps 4.1–4.3).
    • Creating a team from an existing group in Office 365, including an already existing team (steps 4.4–4.6).

    NB: You cannot create a team from an existing group if:

    • That group has 5,000 members or more.
    • That group is in Yammer.

    Screenshot detailing how to create a new team in Microsoft Teams, step 4.4. It reads 'Create a new team from something you already own' with a button for 'Team'.

    Configure your new team settings, including privacy, apps, tabs, and members.

    Screenshot detailing how to create a new team in Microsoft Teams, step 4.5 and 4.6. 4.5 has a space to give your team a name, a description, choose privacy settings, and what you'd like to include from the original team. 4.6 says 'Then click <Create data-verified='.">

    Add team members

    Remove team members

    Screenshot detailing how to add team members in Microsoft Teams, step 1.

    To add a team member, on the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Add member.”

    Screenshot detailing how to remove team members in Microsoft Teams, step 1.

    Only team owners can remove a team member. To do so, on the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Manage team.”

    Screenshot detailing how to add team members in Microsoft Teams, step 2.

    If you’re a team owner, you can then type a name or an email address to add another member to the team.

    If you’re a team member, typing a name or an email address will send a request to the team owner to consider adding the member.

    Screenshot detailing how to remove team members in Microsoft Teams, step 2.

    Under the “Members” tab, you’ll see a list of the members in the team. Click the “X” at the far right of the member’s name to remove them.

    Team owners can only be removed if they change their role to team member first.

    Create a new channel

    Screenshot detailing how to create a new channel in Microsoft Teams, step 1.

    On the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Add channel.”

    Screenshot detailing how to create a new channel in Microsoft Teams, step 2.

    Name your channel, give a description, and set your channel’s privacy.

    Screenshot detailing how to create a new channel in Microsoft Teams, step 3.

    To manage subsequent permissions, on the right-hand side of the channel name, click “More options.”

    Then, from the drop-down menu, click “Manage channel.”

    Adding and removing members from channels:

    Only members in a team can see that team’s channels. Setting channel privacy as “standard” means that the channel can be accessed by anyone in a team. Unless privacy settings for a channel are set as “private” (from which the channel creator can choose who can be in that channel), there is no current way to remove members from channels.

    It will be up to the end user to decide which channels they want to hide.

    Link team/channel to SharePoint folder

    Screenshot detailing how to link a team or channel to a SharePoint folder in Microsoft Teams, steps 1, 2, and 3. Step 1: 'Along the top of the team/channel tab bar, click the “+” symbol'. Step 2: 'Select “Document Library” to link the team/channel to a SharePoint folder'. Step 3: 'Copy and paste the SharePoint URL for the desired folder, or search in “Relevant sites” if the folder can be found there'.

    Need to find the SharePoint URL?

    Screenshot detailing how to find the SharePoint URL in Microsoft Teams. 'Locate the folder in SharePoint and click <Show actions data-verified=', 'Click to access the folder's SharePoint URL.'">

    Hide/unhide teams

    Hide/unhide channels

    Screenshot detailing how to hide and unhide teams in Microsoft Teams, step 1.

    To hide a team, on the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Hide.” Hidden teams are moved to the “hidden teams” menu at the bottom of your team list.

    Screenshot detailing how to hide and unhide channels in Microsoft Teams, step 1.

    To hide a channel, on the right-hand side of the channel name, click “More options.”

    Then, from the drop-down menu, click “Hide.” Hidden channels are moved to the “hidden channels” menu at the bottom of your channel list in that team.

    Screenshot detailing how to hide and unhide teams in Microsoft Teams, step 2. Screenshot of a button that says 'Hidden teams'.

    To unhide a team, click on the “hidden teams” menu. On the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Show.”

    Screenshot detailing how to hide and unhide channels in Microsoft Teams, step 2.

    To unhide a channel, click on the “hidden channels” menu at the bottom of the team. This will produce a drop-down menu of all hidden channels in that team.

    Hover over the channel you want to unhide and click “Show.”

    Find/join teams

    Leave teams

    Screenshot detailing how to find and join teams in Microsoft Teams, step 1. Click the “Teams” tab on the left-hand side of the app. Screenshot detailing how to find and join teams in Microsoft Teams, step 2.

    At the bottom of the app, click “Join or create a team.” Teams will then suggest a range of teams that you might be looking for. You can join public teams immediately. You will have to request approval to join a private team.

    Screenshot detailing how to leave teams in Microsoft Teams.

    To leave a team, on the right-hand side of the team name, click “More options.”

    Then, from the drop-down menu, click “Leave the team.”

    NB: If the owner of a private team has switched off discoverability, you will have to contact that owner to join that team. Screenshot detailing how to find and join teams in Microsoft Teams, step 3. If you can’t immediately see the team, you have two options: either search for the team or enter that team’s code under the banner “Join a team with a code.” Can I find a channel?

    No. To join a channel, you need to first join the team that channel belongs to.

    Can I leave a channel?

    No. The most you can do is hide the channel. By default, if you join a team you will have access to all the channels within that team (unless a channel is private, in which case you’ll have to request access to that channel).

    Create a chat

    Screenshots detailing how to create a chat in Microsoft Teams, steps 1 to 5. Step 1:'Click the “Chat” tab on the left hand side of the app (or keyboard shortcut Ctrl+N)'. Step 2: 'Search the name of the person you want to chat with'. Step 3: 'You’re now ready to start the chat! You can also send a chat message while working in a separate channel by typing/chat into the search bar and entering the recipient’s name'. Step 4: 'For group chat, click the “Add people” button in the top right hand corner of the app to add other persons into the existing chat'. Step 5: 'You can then rename the group chat (if there are 3+ people) by clicking the “Name group chat” option to the right of the group chat members’ names'.

    Hide a chat

    Unhide a chat

    Screenshots detailing how to hide a chat in Microsoft Teams, steps 1 to 3. Step 1:'Click the “Chat” tab on the left-hand side of the app'. Step 2: 'Search the name of the chat or group chat that you want to hide'. Step 3: In either 'Single person chat options' or 'Group chat options' Click “More options.” Then click “Hide.”' To unhide a chat, search for the hidden person or name of the group chat in the search bar. Click “More options.” Then click “Unhide.” Screenshot detailing how to unhide a chat in Microsoft Teams.

    Leave a chat

    You can only leave group chats. To do so, click “More options.” Then click “Leave.” Screenshot detailing how to leave a chat in Microsoft Teams.

    Overview: Meetings and live events

    Teams Meetings: Real-time communication and collaboration between a group, limited to 250 people.

    Teams Live Events: designed for presentations and webinars to a large audience of up to 10,000 people, in which attendees watch rather than interact.

     

    Office 365 and Microsoft 365 Licenses

    I want to: F1 F3 E1 E3 E5 Audio conferencing add-on
    Join a Teams meeting No license required. Any email address can participate in a Teams meeting.
    Attend a Teams meeting with a dial-in phone number No license required. Any phone number can dial into a Teams meeting. (Meeting organizers need to have an Audio Conferencing add-on license to send an invite that includes dial-in conferencing.)
    Attend a Teams live event No license required. Any phone number can dial into a Teams live event.
    Create a Teams meeting for up to 250 attendees   One of these licensing plans
    Create a Teams meeting for up to 250 attendees with a dial-in phone number   One of these licensing plans + Audio Conferencing (Meeting organizers need to have an Audio Conferencing add-on license to send an invite that includes dial-in conferencing.)
    Create a Teams live event for up to 10,000 attendees     One of these licensing plans
    Dial out from a Teams meeting to add someone at their Call me at number   One of these licensing plans + Audio Conferencing (Meeting dial out to a Call me at number requires organizers to have an E5 or Audio Conference add-in license. A dial plan may also be needed.)

    Depending on the use case, end users will have to determine whether they need to hold a meeting or a live event.

    Use Microsoft’s table (left) to see what license your organization needs to perform meetings and live events.

    (Source: “Admin quick start – Meetings and live events in Microsoft Teams,” Microsoft, 2020.)

    Best practices: Meetings

      Ad Hoc Call
    Direct audio/video call
    Scheduled Meeting Live Event
    Limits and Administrative Control
    Who can create? Anyone Anyone Anyone, unless altered by admin (permission to create MS Stream events also required if external production tools are used).
    Who can add members? Anyone in the session. The meeting organizer can add new attendees to the meeting. The event creator (the “organizer”) sets attendee permissions and assigns event group roles (“producer” and “presenter”).
    Can external stakeholders attend? Yes, through email invite. However, collaboration tools are restricted. Yes, through email invite. However, collaboration tools are restricted. Public events: yes, through shared invite link.
    Org-wide event: yes, if guest/external access granted.
    Who can delete? Anyone can leave the session. There is no artifact to delete. The meeting organizer Any attendee can leave the session.
    The organizer can cancel the event.
    Maximum attendees 100 250 10,000 attendees and 10 active presenters/producers (250 presenters and producers can be present at the event).
    Social Context
    How does the request come in? Unscheduled.
    Notification of an incoming audio or video call.
    Scheduled.
    Meeting invite, populated in the calendar, at a scheduled time.
    Meeting only auto-populated in event group’s calendars. Organizer must circulate event invite link to attendees – for instance, by pasting link into an Outlook meeting invite.
    Available Functionality
    Screen-sharing Yes Yes Producers and Presenters (through Teams, no third-party app).
    Whiteboard No Yes Yes
    OneNote (for minutes) Yes (from a member’s OneDrive) Yes, part of the meeting construct. No. A Meeting Notes tab is available instead.
    Dedicated chat space Yes. Derived from a group chat. Meeting has its own chat room. The organizer can set up a moderated Q&A (not chat) when creating the event. Only Presenters and Producers can chat.
    Recording Yes Yes Yes. Event can last up to 4 hours.

    When should an Ad Hoc Call become a Scheduled Meeting?

    • When the participants need time to prepare content for the call.
    • When an answer is not required immediately.
    • When bringing a group of people together requires logistical organizing.

    When should a Scheduled Meeting become an Ad Hoc Call?

    • When the participants can meet on short notice.
    • When a topic under discussion requires creating alignment quickly.

    When should a Live Event be created?

    • When the expected attendance exceeds 250 people.
    • If the event does not require collaboration and is mostly a presenter conveying information.

    Create a scheduled meeting

    Screenshots detailing how to create a scheduled meeting in Microsoft Teams, steps 1 to 4. Step 1:'Click the “Calendar” tab on the left-hand side of the app'. Step 2: 'On the top-right of the app, click the drop-down menu for “+ New meeting” and then “Schedule meeting.”' Step 3: 'Fill in the meeting details. When inputting internal attendees, their names will drop down without needing their email. You will need to input email addresses for external attendees'. Step 4: 'To determine internal attendees’ availability, click “Scheduling assistant” on the top left. Then click “Save” to create the meeting'.

    Create an ad hoc meeting

    Screenshots detailing how to create an ad hoc meeting in Microsoft Teams, steps 1 to 4. Step 1:'Click the “Calendar” tab on the left-hand side of the app'. Step 2: 'Along the top-right, click “Meet now.”' Step 3: 'Name your meeting, choose your audio and video settings, and click “Join now.”'. Step 4: 'To determine internal attendees’ availability, click “Scheduling assistant” on the top left. Then click “Save” to create the meeting. You’ll then be prompted to fill in the meeting details. When inputting internal attendees, their names will drop down without needing their email. You will need to input email addresses for external attendees'.

    Tip: Use existing channels to host the chatrooms for your online meetings

    When you host a meeting online with Microsoft Teams, there will always be a chatroom associated with the meeting. While this is a great place for meeting participants to interact, there is one particular downside.

    Problem: The never-ending chat. Often the activity in these chatrooms can persist long after the meeting. The chatroom itself becomes, unofficially, a channel. When end users can’t keep up with the deluge of communication, the tools have failed them.

    Solution: Adding an existing channel to the meeting. This ensures that discussion activity is already hosted in the appropriate venue for the group, during and after the meeting. Furthermore, it provides non-attendees with a means to catch up on the discussion they have missed.

    In section two of this cookbook, we will often refer to this tactic.

    A screenshot detailing how to add an existing channel to a meeting in Microsoft Teams. 'Break the habit of online booking meetings in Outlook – use the Teams Calendar View instead! In order to make use of this function, the meeting must be setup in Microsoft Teams, not Microsoft Outlook. The option to assign a channel to the meeting will then be available to the meeting organizer.'

    Don’t have a channel for the chat session of your online meeting? Perhaps you should!

    If your meeting is with a group of individuals that will be collaborating frequently, they may need a workspace that persists beyond the meeting.

    Guests can still attend the meeting, but they can’t chat!

    If there are attendees in your meeting that do not have access to the channel you select to host the chat, they will not see the chat discussion nor have any ability to use this function.

    This may be appropriate in some cases – for example, a vendor providing a briefing as part of a regular team meeting.

    However, if there are attendees outside the channel membership that need to see the meeting chat, consider another channel or simply default to not assigning one.

    Meeting settings explained

    Show device settings. For settings concerning audio, video, and whether viewing is private.

    Show meeting notes. Use to take notes throughout the meeting. The notes will stay attached to this event.

    Show meeting details. Find meeting information for: a dial-in number, conference ID, and link to join.

    Enter full screen.

    Show background effects. Choose from a range of video backgrounds to hide/blur your location.

    Turn on the captions (preview). Turn on live speech-to-text captions.

    Keypad. For dialing a number within the meeting (when enabled as an add-on with E3 or as part of E5).

    Start recording. Recorded and saved using Microsoft Stream.

    End meeting.

    Turn off incoming video. To save network bandwidth, you can decline receiving attendee’s video.

    Click “More options” to access the meetings settings.

    Screen share. In the tool tray, select “Share” to share your screen. Select particular applications if you only want to share certain information; otherwise, you can share your whole desktop.

    System audio share. To share your device’s audio while screen sharing, checkbox the “Include system audio” option upon clicking “Share.”

    If you didn’t click that option at the start but now want to share audio during screen share, click the “Include systems audio” option in the tool tray along the top of the screen.

    Give/take control of screen share. To give control, click “Give control” in the tool tray along the top of the screen when sharing content. Choose from the drop-down who you would like to give control to. In the same spot, click “Take back control” when required.

    To request control, click “Request control” in the same space when viewing someone sharing their content. Click “Release control” once finished.

    Start whiteboarding

    1. You’ll first need to enable Microsoft Whiteboard in the Microsoft 365 admin center. Ask your relevant admin to do so if Whiteboard is not already enabled.
    2. Once enabled, click “Share” in a meeting. This feature only appears if you have 3+ participants in the meeting.
    3. Under the “Whiteboard” section in the bottom right, click “Microsoft Whiteboard.”
    4. Click the pen icons to the right of the screen to begin sketching.

    NB: Anonymous, federated, or guest users are currently not supported to start, view, or ink a whiteboard in a Teams meeting.

    Will the whiteboard session be recorded if the meeting is being recorded?

    No. However, the final whiteboard will be available to all meeting attendees after the meeting, under “Board Gallery” in the Microsoft Whiteboard app. Attendees can then continue to work on the whiteboard after the meeting has ended.

    Create a live event

    Screenshots detailing how to create a live event in Microsoft Teams, steps 1 to 3. Step 1: 'Click the “Calendar” tab on the left-hand side of the app'. Step 2: 'On the top right of the app, click the drop-down menu for “+ New meeting” and then “Live event.”' Step 3: 'You will be labeled the “Event organizer.” First, fill in the live event details on the left'. Screenshot detailing how to create a live event in Microsoft Teams, step 4.

    As the organizer, you can invite other people to the event who will be the “producers” or “presenters.”

    Producers: Control the live event stream, including being able to start and stop the event, share their own and others’ video, share desktop or window, and select layout.

    Presenters: Present audio, video, or a screen.

    Screenshot detailing how to create a live event in Microsoft Teams, step 5.

    Select who your audience will be for your live event from three options: specified people and groups, the organization, or the public with no sign-in required.

    Edit the setting for whether you want recording to be available for attendees.

    Then click “Schedule” to finish.

    Live event settings explained

    When you join the live event as a producer/presenter, nothing will be immediately broadcast. You’ll be in a pre-live state. Decide what content to share and in what order. Along the bottom of the screen, you can share your video and audio, share your screen, and mute incoming attendees.

    Once your content is ready to share along the bottom of the screen, add it to the screen on the left, in order of viewing. This is your queue – your “Pre-live” state. Then, click “Send now.”

    This content will now move to the right-hand screen, ready for broadcasting. Once you’re ready to broadcast, click “Start.” Your state will change from “Pre-live” to “Live.”

    Along the top right of the app will be a tools bar.

    Screenshot listing live events settings icons in Microsoft Teams. Beside the heart monitor icon is 'Monitor health and performance of network, devices, and media sharing'. Beside the notepad icon is 'Take meeting notes'. Beside the chatbox icon is 'Chat function'. Beside the two little people with a plus sign icon is 'Invite and show participants'. Beside the gear icon is 'Device settings'. Beside the small 'i' in a circle is 'Meeting details, including schedule, meeting link, and dial-in number'.

    Workspace #1: Departments

    Scenario: Most of your organization’s communication and collaboration occurs within its pre-existing departmental divisions.

    Conventional communication channels:

    • Oral communication: Employees work in proximity to each other and communicate in person, by phone, in department meetings
    • Email: Department-wide announcements
    • Memos: Typically posted/circulated in mailboxes

    Solution: Determine the best way to organize your organization’s departments in Teams based on its size and your requirements to keep information private between departments.

    Option A:

    • Create a team for the organization/division.
    • Create channels for each department. Remember that all members of a team can view all public channels created in that team and the default General channel.
    • Create private channels if you wish to have a channel that only select members of that team can see. Remember that private channels have some limitations in functionality.

    Option B:

    • Create a new team for each department.
    • Create channels within this team for projects or topics that are recurring workflows for the department members. Only department members can view the content of these channels.

    Option C:

    • Post departmental memos and announcements in the General channel.
    • Use “Meet now” in channels for ad hoc meetings. For regular department meetings, create a recurring Teams calendar event for the specific department channel (Option A) or the General channel (Option B). Remember that all members of a team can join a public channel meeting.

    Workspace #2: A cross-functional committee

    Scenario: Your organization has struck a committee composed of members from different departments. The rest of the organization should not have access to the work done in the committee.

    Purpose: To analyze a particular organizational challenge and produce a plan or report; to confidentially develop or carry out a series of processes that affect the whole organization.

    Jobs: Committee members must be able to:

    • Attend private meetings.
    • Share files confidentially.

    Solution:

    Ingredients:

    • Private team

    Construction:

    • Create a new private team for the cross-functional committee.
    • Add only committee members to the team.
    • Create channels based on the topics likely to be the focal point of the committee work.
    • Decide how you will use the mandatory General channel. If the committee is small and the work limited in scope, this channel may be the main communication space. If the committee is larger or the work more complex, use the General channel for announcements and move discussions to new topic-related channels.
    • Schedule recurring committee meetings in the Teams calendar. Add the relevant channel to the meeting invite to keep the meeting chat attached to this team and channel (as meeting organizer, put your name in the meeting invite notes, as the channel will show as the organizer in the Outlook invite).
    • Remember that all members of this team will have access to these meetings and be able to view that they are occurring.

    Workspace #3: An innovation day event

    Scenario: The organization holds a yearly innovation day event in which employees form small groups and work on a defined, short-term problem or project.

    Purpose: To develop innovative solutions and ideas.

    Jobs:

    • Convene small groups.
    • Work toward time-sensitive goals.
    • Communicate synchronously.
    • Share files.

    Solution:

    Ingredients:

    • Public team
    • Channel tabs
    • Whiteboard
    • Planner

    Construction:

    • Create a team for the innovation day event.
    • Add channels for each project working group.
    • Communicate to participants the schedule for the day and their assigned channel.
    • Use the General channel for announcements and instructions throughout the day. Ensure someone moderates the General channel for participants’ questions.
    • Pre-populate the channel tabs with files the participants need to work with. To add a scrum board, refer to M#4 (Morning stand-up/Scrum) in this slide deck.
    • For breakouts, instruct participants to use the “meet now” feature in their channel and how to use the Whiteboard during these meetings.
    • Arrange to have your IT admin archive the team after a certain point so the material is still viewable but not editable.

    Workspace #4: A non-work-related social event

    Scenario: Employees within the organization wish to organize social events around shared interests: board game clubs, book clubs, TV show discussion groups, trivia nights, etc.

    Purpose: To encourage cohesion among coworkers and boost morale.

    Jobs:

    • Schedule the event.
    • Invite participants.
    • Prepare the activity.
    • Host and moderate the discussion.

    Solution:

    Ingredients:

    • Public team
    • Private channels
    • Screen-sharing

    Construction:

    • Create a public team for the social event so that interested people can find and join it.
    • Example: Trivia Night
      • Schedule the event in the Teams calendar.
      • Publish the link to the Trivia Night team where other employees will see it.
      • Create private channels for each trivia team so they cannot see the other competitors’ discussions. Add yourself to each private channel so you can see their answers.
      • As the host, begin a meeting in the General channel. Pose the trivia questions live or present the questions on PowerPoint via screen-sharing.
      • Ask each team to post its answers to its private channel.
    • To avoid teams sprawl, ask your IT admin to set a deletion policy for the team, as long as this request does not contradict your organization’s policies on data retention. If the team becomes moribund, it can be set to auto-delete after a certain period of time.

    Workspace #5: A project team with a defined end time

    Scenario: Within a department/workplace team, employees are assigned to projects with defined end times, after which they will be assigned to a new project.

    Purpose: To complete project-based work that fulfills business needs.

    Jobs:

    • Oral communication with team members.
    • Synchronous and asynchronous work on project files.
    • The ability to attend scheduled meetings and ad hoc meetings.
    • The ability to access shared resources related to the project.

    Solution:

    If your working group already has its own team within Teams:

    • Create a new public or private channel for the project. Remember that some functionality is not available in private channels (such as Microsoft Planner).
    • Use the channel for the project team’s meetings (scheduled in Teams calendar or through Meet Now).
    • Add a tab that links to the team’s project folder in SharePoint.

    If your workplace team does not already have its own team in Teams:

    • Determine if there is a natural fit for this project as a new channel in an existing team. Remember that all team members will be able to see the channel if it is public and that all relevant project members need to belong to the Team to participate in the channel.
    • If necessary, create a new team for the project. Add the project members.
    • Create channels based on the type of work that comprises the project.
    • Use the channel for the project team’s meetings (scheduled in Teams calendar or through Meet Now)
    • Add a tab to link to the team’s project folder in SharePoint.

    Info-tech Best Practice

    Hide the channel after the project concludes to de-clutter your Teams user interface.

    Meeting #1: Job interview with external candidate

    Scenario: The organization must interview a slate of candidates to fill an open position.

    Purpose:

    • Select the most qualified candidate for the job.

    Jobs:

    • Create a meeting, ensuring the candidate and other attendees know when and where the meeting will happen.
    • Ensure the meeting is secure to protect confidential information.
    • Ensure the meeting is accessible, allowing the candidate to present themselves through audio and/or visual means.
    • Create a professional environment for the meeting to take place.
    • Engender a space for the candidate to share their CV, research, or other relevant file.
    • The interview must be transcribed and recorded.

    Solution:

    Ingredients:

    • Private Teams meeting
    • Screen-sharing
    • Microsoft Stream

    Construction:

    • Create a Teams meeting, inviting the candidate with their email, alongside other internal attendees. The Teams meeting invite will auto-generate a link to the meeting itself.
    • The host can control who joins the meeting through settings for the “lobby.”
    • Through the Teams meeting, the attendees will be able to use the voice and video chat functionality.
    • All attendees can opt to blur their backgrounds to maintain a professional online presence.
    • The candidate can share their screen, either specific applications or their whole desktop, during the Teams meeting.
    • A Teams meeting can be recorded and transcribed through Stream. After the meeting, the transcript can be searched, edited, and shared

    NB: The external candidate does not need the Teams application. Through the meeting invite, the external candidate will join via a web browser.

    Meeting #2: Quarterly board meeting

    Scenario: Every quarter, the organization holds its regular board meeting.

    Purpose: To discuss agenda items and determine the company’s future direction.

    Jobs:

    During meeting:
      • Attendance and minutes must be taken.
      • Votes must be recorded.
      • In-camera sessions must occur.
      • External experts must be included.
    After meeting:
    • Follow-up items must be assigned.
    • Reports must be submitted.

    Solution:

    Ingredients:

    • Teams calendar invite
    • Planner; Forms
    • Private channel
    • Microsoft Stream

    Construction:

    • Guest Invite: Invites can be sent to any non-domain-joined email address to join a private, invitation-only channel within the team controlled by the board chair.
    • SharePoint & Flow: Documents are emailed to the Team addresses, which kicks off an MS Flow routine to collect review notes.
    • Planner: Any board member can assign tasks to any employee.
    • Forms/Add-On: Chair puts down the form of the question and individual votes are tracked.
    • Teams cloud meeting recording: Recording available through Stream. Manual edits can be made to VTT caption file. Greater than acceptable transcription error rate.
    • Meeting Log: Real-time attendance is viewable but a point-in-time record needs admin access.

    NB: The external guests do not need the Teams application. Through the meeting invite, the guests will join via a web browser.

    Meeting #3: Weekly team meeting

    Scenario: A team meets for a weekly recurring meeting. The meeting is facilitated by the team lead (or manager) who addresses through agenda items and invites participation from the attendees.

    Purpose: The purpose of the meeting is to:

    • Share information verbally
    • Present content visually
    • Achieve consensus
    • Build team morale

    Jobs: The facilitator must:

    • Determine participants
    • Book room
    • Book meeting in calendar

    Solution:

    Ingredients:

    • Meeting Place: A channel in Microsoft Teams (must be public) where all members of the meeting make up the entirety of the audience.
    • Calendar Recurrence: A meeting is booked through Teams and appears in all participants’ Outlook calendar.
    • Collaboration Space: Participants join the meeting through video or audio and can share screens and contribute text, images, and links to the meeting chat.

    Construction:

    • Ensure your team already has a channel created for it. If not, create one in the appropriate team.
    • Create the meeting using the calendar view within Microsoft Teams:
      • Set the meeting’s name, attendees, time, and recurrence.
      • Add the team channel that serves as the most appropriate workplace for the meeting. (Any discussion in the meeting chat will be posted to this channel.)

    NB: Create the meeting in the Teams calendar, not Outlook, or you will not be able to add the Teams channel. As meeting organizer, put your name in the meeting invite notes, as the channel will show as the organizer in the Outlook invite.

    Meeting #4: Morning stand-up/scrum

    Scenario: Each morning, at 9am, members of the team meet online.

    Purpose: After some pleasantries, the team discusses what tasks they each plan to complete in the day.

    Jobs: The team leader (or scrum master) must:

    • Place all tasks on a scrum board, each represented by a sticky note denoting the task name and owner.
    • Move the sticky notes through the columns, adjusting assignments as needed.
    • Sort tasks into the following columns: “Not Started,” “In Progress,” and “Done.”

    Solution:

    Ingredients:

    • Meeting Place: A channel in Microsoft Teams (must be public) where all members of the meeting make up the entirety of the audience.
    • Scrum Board: A tab within that channel where a persistent scrum board has been created and is visible to all team members.

    Meeting Place Construction:

    • Create the meeting using the calendar view in Teams.
    • Set the meeting’s name, attendees, time, and work-week daily recurrence (see left).
    • Add the channel that is the most appropriate workplace for the meeting. Any meeting chat will be posted to this channel rather than a separate chat.

    Scrum Board Construction:

    • Add a tab to the channel using Microsoft Planner as the app. (You can use other task management apps such as Trello, but the identity integration of first-party Office 365 tools may be less hassle.)
    • Create a new (or import an existing) Plan to the channel. This will be used as the focal point.

    Meeting #5: Weekly team meeting

    Scenario: An audio-only conversation that could be a regularly scheduled event but is more often conducted on an ad-hoc basis.

    Purpose: To quickly share information, achieve consensus, or clarify misunderstandings.

    Jobs:

    • Dial recipient
    • See missed calls
    • Leave/check voicemail
    • Create speed-dial list
    • Conference call

    Solution:

    Ingredients:

    • Audio call begun through Teams chat.

    Construction:

    • Voice over IP calls between users in the same MS Teams tenant can begin in multiple ways:
      • A call can be initiated through any appearance of a user’s profile picture: hover over user’s profile photo in the Chat list and select the phone icon.
      • Enter your last chat with a user and click phone icon in upper-right corner.
      • Go to the Calls section and type the name in the “Make a call” text entry form.
    • Voicemail: Voicemail, missed calls, and call history are available in the Calls section.
    • Speed dial: Speed dial lists can be created in the Calls section.
    • Conference call: Other users can be added to an ongoing call.

    NB: Microsoft Teams can be configured to provide an organization’s telephony for external calls, but this requires an E5 license. Additional audio-conferencing licenses are required to call in to a Teams meeting over a phone.

    Bibliography 1/4

    Section 1: Teams for IT › Creation Process

    Overview: Creation process
    Assign admin roles
    Prepare the network
    Team creation
    Integrations with SharePoint Online
    Permissions

    Bibliography 2/4

    Section 1: Teams for IT › Creation Process (cont'd.)

    External and guest access
    Expiration and archiving
    Retention and data loss prevention
    Teams telephony

    Bibliography 3/4

    Section 1: Teams for IT › Teams Rollout

    From Skype to Teams
    From Slack to Teams
    Teams adoption

    Section 1: Teams for IT › Use Cases

    Bibliography 4/4

    Section 2: Teams for End Users › Teams, Channels, Chat

    Section 2: Teams for End Users › Meetings and Live Events

    Section 2: Teams for End Users › Use Cases

    2024 Tech Trends

    • Buy Link or Shortcode: {j2store}289|cart{/j2store}
    • member rating overall impact (scale of 10): 10
    • Parent Category Name: Innovation
    • Parent Category Link: /improve-your-core-processes/strategy-and-governance/innovation

    AI has revolutionized the landscape, placing the spotlight firmly on the generative enterprise.

    The far-reaching impact of generative AI across various sectors presents fresh prospects for organizations to capitalize on and novel challenges to address as they chart their path for the future. AI is more than just a fancy auto-complete. At this point it may look like that, but do not underestimate the evolutive power.

    In this year's Tech Trends report, we explore three key developments to capitalize on these opportunities and three strategies to minimize potential risks.

    Generative AI will take the lead.

    As AI transforms industries and business processes, IT and business leaders must adopt a deliberate and strategic approach across six key domains to ensure their success.

    Seize Opportunities:

    • Business models driven by AI
    • Automation of back-office functions
    • Advancements in spatial computing

    Mitigate Risks:

    • Ethical and responsible AI practices
    • Incorporating security from the outset
    • Ensuring digital sovereignty

    Secure Operations in High-Risk Jurisdictions

    • Buy Link or Shortcode: {j2store}369|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.

    Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.

    Secure operations and protect critical assets in high-risk regions

    Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:

    1. Support high-risk travel: Put measures and guidelines in place to protect personnel, data, and devices before, during, and after employee travel.
    2. Mitigate compliance risk: Consider data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth.

    Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.

    Secure Operations in High-Risk Jurisdictions Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure Operations in High-Risk Jurisdictions – A step-by-step approach to mitigating jurisdictional security and privacy risks.

    Traditional approaches to security strategy often miss jurisdictional risks. Use this storyboard to make small adjustments to your security program to mitigate security risks in high-risk jurisdictions.

    • Secure Operations in High-Risk Jurisdictions – Phases 1-3

    2. Jurisdictional Risk Register and Heat Map Tool – A tool to inventory, assess, and treat jurisdictional risks.

    Use this tool to track jurisdictional risks, assess the exposure of critical assets, and identify mitigation controls. Use the geographic heatmap to communicate inherent jurisdictional risk with key stakeholders.

    • Jurisdictional Risk Register and Heat Map Tool

    3. Guidelines for Key Jurisdictional Risk Scenarios – Two structured templates to help you develop guidelines for two key jurisdictional risk scenarios: high-risk travel and compliance risk

    Use these two templates to develop help you develop your own guidelines for key jurisdictional risk scenarios. The guidelines address high-risk travel and compliance risk.

    • Digital Safety Guidelines for International Travel
    • Guidelines for Compliance With Local Security and Privacy Laws Template

    Infographic

    Workshop: Secure Operations in High-Risk Jurisdictions

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Context for Risk Assessment

    The Purpose

    Assess business requirements and evaluate security pressures to set the context for the security risk assessment.

    Key Benefits Achieved

    Understand the goals of the organization in high-risk jurisdictions.

    Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.

    Activities

    1.1 Determine assessment scope.

    1.2 Determine business goals.

    1.3 Determine compliance obligations.

    1.4 Determine risk appetite.

    1.5 Conduct pressure analysis.

    Outputs

    Business requirements

    Security pressure analysis

    2 Analyze Key Risk Scenarios for High-Risk Jurisdictions

    The Purpose

    Build key risk scenarios for high-risk jurisdictions.

    Key Benefits Achieved

    Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.

    Assess risk exposure of critical assets in high-risk jurisdictions.

    Activities

    2.1 Identify critical assets.

    2.2 Identify threats.

    2.3 Assess risk likelihood.

    2.4 Assess risk impact.

    Outputs

    Key risk scenarios

    Jurisdictional risk exposure

    Jurisdictional Risk Register and Heat Map

    3 Build Risk Treatment Roadmap

    The Purpose

    Prioritize and treat jurisdictional risks to critical assets.

    Key Benefits Achieved

    Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.

    Activities

    3.1 Identify and assess risk response.

    3.2 Assess residual risks.

    3.3 Identify security controls.

    3.4 Build initiative roadmap.

    Outputs

    Action plan to mitigate key risk scenarios

    Further reading

    Secure Operations in High-Risk Jurisdictions

    Assessments often omit jurisdictional risks. Are your assets exposed?

    EXECUTIVE BRIEF

    Analyst Perspective

    Operations in high-risk jurisdictions face unique security scenarios.

    The image contains a picture of Michel Hebert.

    Michel Hébert

    Research Director

    Security and Privacy

    Info-Tech Research Group


    The image contains a picture of Alan Tang.

    Alan Tang

    Principal Research Director

    Security and Privacy

    Info-Tech Research Group


    Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

    Executive Summary

    Your Challenge

    • Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
    • Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

    Common Obstacles

    • Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
    • Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

    Info-Tech’s Approach

    Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

    This approach includes tools for:

    • Evaluating the security context of your organization’s high-risk jurisdictions.
    • Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
    • Planning and executing a response.

    Info-Tech Insight

    Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

    Business operations in high-risk jurisdictions face a more complex security landscape

    Information security risks to business operations vary widely by region.

    The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

    Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on higher security-related business risks.

    Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

    Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

    The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

    The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

    The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

    • 33% had no data protection legislation.
    • 47% had no breach notification measures in place.
    • 50% had no legislation on the theft of personal information.
    • 19% still had no legislation on illegal access.

    Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on scores in relation to the Global Security Index.

    The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

    Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

    Securing critical assets in high-risk jurisdictions requires additional effort

    Traditional approaches to security strategy may miss these key risk scenarios.

    As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

    Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

    • Engage the organization with the right questions.
    • Identify critical assets and assess vulnerabilities.
    • Catalogue threats and build risk scenarios.
    • Identify the security controls necessary to mitigate risks.

    Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

    This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance
    The image contains a screenshot of an Info-Tech thought model regarding secure global operations in high-risk jurisdictions.

    Travel risk is the first scenario we use as an example throughout the blueprint

    • This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
    • Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

    The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Compliance risk is the second scenario we use as an example

    • Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Later sections will show how to think through at least four compliance risks, including:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

    Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

    1. Identify Context

    2. Assess Risks

    3. Execute Response

    Phase Steps

    1. Assess business requirements
    2. Evaluate security pressures
    1. Identify risks
    2. Assess risk exposure
    1. Treat security risks
    2. Build initiative roadmap

    Phase Outcomes

    • Internal security pressures that capture the governance, policies, practices, and risk tolerance of the organization
    • External security pressures that capture the expectations of customers, regulators, legislators, and business partners
    • A heatmap that captures not only the global exposure of your critical assets but also the business processes they support
    • A security risk register to allow for the easy transfer of critical assets’ global security risk data to your organization’s enterprise risk management practice
    • A roadmap of prioritized initiatives to apply relevant controls and secure global assets
    • A set of key risk indicators to monitor and report your progress

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Business Security Requirements

    Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

    Jurisdictional Risk Register and Heatmap

    Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

    Mitigation Plan

    Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

    Key deliverable:

    Jurisdictional Risk Register and Heatmap

    Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

    Blueprint benefits

    Protect critical assets in high-risk jurisdictions

    IT Benefits

    Assess and remediate information security risk to critical assets in high-risk jurisdictions.

    Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

    Illustrate key information security risk scenarios to make the case for action in terms the business understands.

    Business Benefits

    Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

    Support business growth in high-risk jurisdictions without compromising critical assets.

    Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

    Quantify the impact of securing global operations

    The tool included with this blueprint can help you measure the impact of implementing the research

    • Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.
    The image contains a screenshot of Info-Tech's Jurisdictional Risk Register and Heatmap Tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Establish Baseline Metrics

    • Review existing information security and risk management metrics and the output of the tools included with the blueprint.
    • Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
    • Compare your results with those in your overall security and risk management program.

    ID

    Metric

    Why is this metric valuable?

    How do I calculate it?

    1.

    Overall Exposure – High-Risk Jurisdictions

    Illustrates the overall exposure of critical assets in high-risk jurisdictions.

    Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average.

    2.

    # Risks Identified – High-Risk Jurisdictions

    Informs risk tolerance assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    3.

    # Risks Treated – High-Risk Jurisdictions

    Informs residual risk assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    4.

    Mitigation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    5.

    # Security Incidents – High-Risk Jurisdictions

    Informs incident trend calculations to determine program effectiveness.

    Draw the information from your service desk or IT service management tool.

    6.

    Incident Remediation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Estimate based on cost and effort, including direct and indirect cost such as business disruptions, administrative finds, reputational damage, etc.

    7.

    TRENDS: Program Effectiveness – High-Risk Jurisdictions

    # of security incidents over time. Remediation : Mitigation costs over time

    Calculate based on metrics 5 to 7.

    Info-Tech offers various levels of support to best suit your needs.

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

    Phase 2

    Call #2: Conduct initial risk assessment and determine risk tolerance.

    Call #3: Evaluate security pressures in high-risk jurisdictions.

    Call #4: Identify risks in high-risk jurisdictions.

    Call #5: Assess risk exposure.

    Phase 3

    Call #6: Treat security risks in high-risk jurisdictions.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Days 1

    Days 2-3

    Day 4

    Day 5

    Identify Context

    Key Risk Scenarios

    Build Roadmap

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1.1 Determine assessment scope.

    1.1.2 Determine business goals.

    1.1.3 Identify compliance obligations.

    1.2.1 Determine risk appetite.

    1.2.2 Conduct pressure analysis.

    2.1.1 Identify assets.

    2.1.2 Identify threats.

    2.2.1 Assess risk likelihood.

    2.2.2 Assess risk impact.

    3.1.1 Identify and assess risk response.

    3.1.2 Assess residual risks.

    3.2.1 Identify security controls.

    3.2.2 Build initiative roadmap.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Business requirements for security risk assessment
    2. Identification of high-risk jurisdictions
    3. Security threat landscape for high-risk jurisdictions
    1. Inventory of relevant threats, critical assets, and their vulnerabilities
    2. Assessment of adverse effects should threat agents exploit vulnerabilities
    3. Risk register with key risk scenarios and heatmap of high-risk jurisdictions
    1. Action plan to mitigate key risk scenarios
    2. Investment and implementation roadmap
    1. Completed information security risk assessment for two key risk scenarios
    2. Risk mitigation roadmap

    No safe jurisdictions

    Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

    Traditional approaches to security strategy often omit jurisdictional risks.

    Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

    The two greatest risks are high-risk travel and compliance risk.

    You can mitigate them with small adjustments to your security program.

    Support High-Risk Travel

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

    Mitigate Compliance Risk

    Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

    Phase 1

    Identify Context

    This phase will walk you through the following activities:

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
    • Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

    This phase involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Step 1.1

    Assess Business Requirements

    Activities

    1.1.1 Determine assessment scope

    1.1.2 Identify enterprise goals in high-risk jurisdictions

    1.1.3 Identify compliance obligations

    This step involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Outcomes of this step

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

    Focus the risk assessment on high-risk jurisdictions

    Traditional approaches to information security strategy often miss threats to global operations

    • Successful security strategies are typically sensitive to risks to different IT systems and lines of business.
    • However, securing global operations requires additional focus on high-risk jurisdictions, considering what makes them unique.
    • This first phase of the project will help you evaluate the business context of operations in high-risk jurisdictions, including:
      • Enterprise and security goals.
      • Lines of business, physical locations, and IT systems that need additional oversight.
      • Unique compliance obligations.
      • Unique risks and security pressures.
      • Organizational risk tolerance in high-risk jurisdictions.

    Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.

    Identify jurisdictions with higher inherent risks

    Your security strategy may not describe jurisdictional risk adequately.

    • Security strategies list lines of business, physical locations, and IT systems the organization needs to secure and those whose security will depend on a third-party. You can find additional guidance on fixing the scope and boundaries of a security strategy in Phase 1 of Build an Information Security Strategy.
    • However, security risks vary widely from one jurisdiction to another according to:
      • Active cyber threats.
      • Legal and regulatory frameworks.
      • Regional security and preparedness capabilities.
    • Your first task is to identify high-risk jurisdictions to target for additional oversight.

    Work closely with your enterprise risk management function.

    Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.

    Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.

    Develop a robust jurisdictional assessment

    Design an intelligence collection strategy to inform your assessment

    Strategic Intelligence

    White papers, briefings, reports. Audience: C-Suite, board members

    Tactical Intelligence

    Internal reports, vendor reports. Audience: Security leaders

    Operational intelligence

    Indicators of compromise. Audience: IT Operations

    Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.

    Determine travel risks to bolster your assessments

    Not all locations and journeys will require the same security measures.

    • Travel risks vary significantly according to destination, the nature of the trip, and traveler profile.
    • Access to an up-to-date country risk rating system enables your organization and individual staff to quickly determine the overall level of risk in a specific country or location.
    • Based on this risk rating, you can specify what security measures are required prior to travel and what level of travel authorization is appropriate, in line with the organization's security policy or travel security procedures.
    • While some larger organizations can maintain their own country risk ratings, this requires significant capacity, particularly to obtain the necessary information to keep these regularly updated.
    • It may be more effective for your organization to make use of the travel risk ratings provided by an external security information provider, such as a company linked to your travel insurance or travel booking service, if available.
    • Alternatively, various open-source travel risk ratings are available via embassy travel sites or other website providers.

    Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.

    Develop a tiered risk rating

    The example below outlines potential risk indicators for high-risk travel.

    Rating

    Description

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high, often targeting foreigners. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing natural disasters or epidemics are considered high risk.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to parts of the country. Transportation and communication services are severely degraded or nonexistent. Violence presents a direct threat to staff security.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    1.1.1 Determine assessment scope

    1 – 2 hours

    1. As a group, brainstorm a list of high-risk jurisdictions to target for additional assessment. Write down as many items as possible to include in:
    • Lines of business
    • Physical locations
    • IT systems

    Pay close attention to elements of the assessment that are not in scope.

  • Discuss the response and the rationale for targeting each of them for additional risk assessments. Identify security-related concerns for different lines of business, locations, user groups, IT systems, and data.
  • Record your responses and your comments in the Information Security Requirements Gathering Tool.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Relevant threat intelligence
    • A list of high-risk jurisdictions to focus your risk assessment

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Position your efforts in a business context

    Securing critical assets in high-risk jurisdictions is a business imperative

    • Many companies relegate their information security strategies to their IT department. Aside from the strain the choice places on a department that already performs many different functions, it wrongly implies that mitigating information security risk is simply an IT problem.
    • Managing information security risks is a business problem. It requires that organizations identify their risk appetite, prioritize relevant threats, and define risk mitigation initiatives. Business leaders can only do these activities effectively in a context that recognizes the business and financial benefits of implementing protections.
    • This is notably true of businesses with operations in many different countries. Each jurisdiction has its own set of security risks the organization must account for, as well as unique local laws and regulations that affect business operations.
    • In high-risk jurisdictions, your efforts must consider the unique operational challenges your organization may not face in its home country. Your efforts to secure critical assets will be most successful if you describe key risk scenarios in terms of their impact on business goals.
    • You can find additional guidance on assessing the business context of a security strategy in Phase 1 of Build an Information Security Strategy.

    Do you understand the unique business context of operations in high-risk jurisdictions?

    1.1.2 Identify business goals

    Estimated Time: 1-2 hours

    1. As a group, brainstorm the primary and secondary business goals of the organization. Focus your assessment on operations in high-risk jurisdictions you identified in Exercise 1.1.1. Review:
    • Relevant corporate and IT strategies.
    • The business goal definitions and indicator metrics in tab 2, “Goals Definition,” of the Information Security Requirements Gathering Tool.
  • Limit business goals to no more than two primary goals and three secondary goals. This limitation will help you prioritize security initiatives at the end of the project.
  • For each business goal, identify up to two security alignment goals that will support business goals in high-risk jurisdictions.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Your goals for the security risk assessment for high-risk jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Record business goals

    Capture the results in the Information Security Requirements Gathering Tool

    1. Record the primary and secondary business goals you identified in tab 3, “Goals Cascade,” of the Information Security Requirements Gathering Tool.
    2. Next, record the two security alignment goals you selected for each business goal based on the tool’s recommendations.
    3. Finally, review the graphic diagram that illustrates your goals on tab 6, “Results,” of the Information Security Requirements Gathering Tool.
    4. Revisit this exercise whenever operations expands to a new jurisdiction to capture how they contribute to the organization’s mission and vision and how the security program can support them.
    The image contains a screenshot of Tab 3, Goals Cascade.

    Tab 3, Goals Cascade

    The image contains a screenshot of Tab 6, Results.

    Tab 6, Results

    Analyze business goals

    Assess how operating in multiple jurisdictions adds nuance to your business goals

    • Security leaders need to understand the direction of the business to propose relevant security initiatives that support business goals in high-risk jurisdictions.
    • Operating in different jurisdictions carries its own degree of risk. The organization is subject not only to the information security risks and legal frameworks of its country of origin but also to those associated with international jurisdictions.
    • You need to understand where your organization operates and how these different jurisdictions contribute to your business goals to support their performance and protect the firm’s reputation.
    • This exercise will make an explicit link between security and privacy concerns in high-risk jurisdictions, what the business cares about, and what security is trying to accomplish.

    If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.

    Identify compliance obligations

    Data compliance obligations loom large in high-risk jurisdictions

    The image contains four hexagons, each with their own words. SOX, PCI DSS, HIPAA, HITECH.

    Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.

    The image contains four hexagons, each with their own words. Residency, Cross-Border Transfer, Breach Notification, Third-Party Risk Mgmt.

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.

    The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.

    1.1.3 Identify compliance obligations

    Estimated Time: 1-2 hours

    1. As a group, brainstorm compliance obligations in target jurisdictions. Focus your assessment on operations in high-risk jurisdictions.
    2. Include:

    • Laws
    • Governing regulations
    • Industry standards
    • Contractual agreements
  • Record your compliance obligations and comments on tab 4, “Compliance Obligations,” of the Information Security Requirements Gathering Tool.
  • If you need to take full stock of the laws and regulations in place in the jurisdictions where you operate that you are not familiar with, consider seeking local legal counsel to help you navigate this exercise.
  • Input

    Output

    • Legal and compliance frameworks in target jurisdictions
    • Mandatory and voluntary compliance obligations for target jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Step 1.2

    Evaluate Security Pressures

    Activities

    1.2.1 Conduct initial risk assessment

    1.2.2 Conduct pressure analysis

    1.2.3 Determine risk tolerance

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.

    Evaluate security pressures to set the risk context

    Perform an initial assessment of high-risk jurisdictions to set the context.

    Assess:

    • The threat landscape.
    • The security pressures from key stakeholders.
    • The risk tolerance of your organization.

    You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.

    The image contains a diagram to demonstrate evaluating security pressures, as described in the text above.

    Some jurisdictions carry inherent risks

    • Jurisdictional risks stem from legal, regulatory, or political factors that exist in different countries or regions. They can also stem from unexpected legal changes in regions where critical assets have exposure. Understanding jurisdictional risks is critical because they can require additional security controls.
    • Jurisdictional risk tends to be higher in jurisdictions:
      • Where the organization:
        • Conducts high-value or high-volume financial transactions.
        • Supports and manages critical infrastructure.
        • Has high-cost data or data whose compromise could undermine competitive advantage.
        • Has a high percentage of part-time employees and contractors.
        • Experiences a high rate of employee turnover.
      • Where state actors:
        • Have a low commitment to cybersecurity, financial, and privacy legislation and regulation.
        • Support cybercrime organizations within their borders.

    Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.

    Five key risk scenarios are most prevalent

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.

    1.2.1 Assess jurisdictional risk

    1-3 hours

    1. As a group, review the questions on tab 2, “Risk Assessment,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements with a focus on high-risk jurisdictions:
    3. Review each question in tab 2 of the Information Security Pressure Analysis Tool and select the most appropriate response.

    Input

    Output

    • Existing security strategy
    • List of organizational assets
    • Historical data on information security incidents
    • Completed risk assessment

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.

    1.2.2 Conduct pressure analysis

    1-3 hours

    1. As a group, review the questions on tab 3, “Pressure Analysis,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements with a focus on high-risk jurisdictions:
    • Compliance and oversight
    • Customer expectations
    • Business expectations
    • IT expectations
  • Review each question in the questionnaire and provide the most appropriate response using the drop-down list. It may be helpful to consult with the appropriate departments to obtain their perspectives.
  • For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.

    Input

    Output

    • Information on various pressure elements within the organization
    • Existing security strategy
    • Completed pressure analysis

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Business leaders
    • Compliance

    A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.

    Download the Information Security Pressure Analysis Tool

    Assess risk tolerance

    • Risk tolerance expresses the types and amount of risk the organization is willing to accept in pursuit of its goals.
    • These expectations can help you identify, manage, and report on key risk scenarios in high-risk jurisdictions.
    • For instance, an organization with a low risk tolerance will require a stronger information security program to minimize operational security risks.
    • It’s up to business leaders to determine the risks they are willing to accept. They may need guidance to understand how system-level risks affect the organization’s ability to pursue its goals.

    A formalized risk tolerance statement can help:

    • Support risk-based security decisions that align with business goals.
    • Provide a meaningful rationale for security initiatives.
    • Improve the transparency of investments in the organization’s security program.
    • Provide guidance for monitoring inherent risk and residual risk exposure.

    The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.

    1.2.3 Determine risk tolerance

    1-3 hours

    1. As a group, review the questions on tab 4, “Risk Tolerance,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk tolerance elements:
    • Recent IT problems, especially downtime and data recovery issues
    • Historical security incidents
  • Review any relevant documentation, including:
    • Existing security strategy
    • Business impact assessments
    • Service-level agreements

    For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.

    Input

    Output

    • Existing security strategy
    • Data on recent IT problems and incidents
    • Business impact assessments
    • Completed risk tolerance statement

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    Review the output of the results tab

    • The organizational risk assessment provides a high-level assessment of inherent risks in high-risk jurisdictions. Use the results to build and assess key risk scenarios in Phase 2.
    • Use the security pressure analysis to inform stakeholder management efforts. A low security pressure indicates that stakeholders do not yet grasp the impact of information security on organizational goals. You may need to communicate its importance before you discuss additional security controls.
    • Jurisdictions in which organizations have a low risk tolerance will require stronger information security controls to minimize operational risks.
    The image contains a screenshot of the organizational risk assessment. The image contains a screenshot of the security pressure analysis. The image contains a screenshot of the risk tolerance curve.

    Phase 2

    Assess Security Risks to Critical Assets

    This phase will walk you through the following activities:

    • Identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.
    • Assess risk exposure of critical assets in high-risk jurisdictions for each risk scenario through an analysis of its likelihood and impact.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 2.1

    Identify Risks

    Activities

    2.1.1 Identify assets

    2.1.2 Identify threats

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Define risk scenarios that identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.

    This blueprint focuses on mitigating jurisdictional risks

    The image contains a screenshot of the IT Risk Management Framework. The framework includes: Risk Identification, Risk Assessment, Risk Response, and Risk Governance.

    For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:

    Build an IT Risk Management Program

    Combine Security Risk Management Components Into One Program

    Draft key risk scenarios to illustrate adverse events

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Well-crafted risk scenarios have four components

    The second phase of the project will help you craft meaningful risk scenarios

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health & safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.

    The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.

    Travel to high-risk jurisdictions requires special measures to protect staff, devices, and data

    Governmental, academic, and commercial advisors compile lists of jurisdictions that pose greater travel risks annually.

    For instance, in the US, these lists might include countries that are:

    • Subjects of travel warnings by the US Department of State.
    • Identified as high risk by other US government sources such as:
      • The Department of the Treasury Office of Foreign Assets Control (OFAC).
      • The Federal Bureau of Investigation (FBI).
      • The Office of the Director of National Intelligence (ODNI).
    • Compiled from academic and commercial sources, such as Control Risks.

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.

    The image contains a diagram to present high-risk jurisdictions.

    The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.

    High-risk travel

    Likelihood: Medium

    Impact: Medium

    Key Risk Scenario #1

    Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Threat Actor:

    • Malicious state actors
    • Cybercriminals
    • Competitors

    Assets:

    • Staff
    • IT systems
    • Sensitive data

    Effect:

    • Compromised staff health and safety
    • Loss of data
    • Lost of system integrity

    Methods:

    • Identify, steal, or target mobile devices.
    • Compromise network, wireless, or Bluetooth connections.
    • Leverage stolen devices as a means of infecting other networks.
    • Access devices to track user location.
    • Activate microphones on devices to collect information.
    • Intercept electronic communications users send from high-risk jurisdictions.

    The data compliance landscape is a jigsaw puzzle of data protection and data residency requirements

    Since the EU passed the GDPR in 2016, jurisdictions have turned to data regulations to protect citizen data

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.

    Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.

    The image contains a diagram to demonstrate the data regulations placed in various places around the world.

    Compliance risk

    Likelihood: Medium

    Impact: High

    Key Risk Scenario #2

    Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Threat Actor:

    • Local, regional, and national state actors

    Asset:

    • Reputation, market share
    • License to operate

    Effect:

    • Administrative fines
    • Loss of reputation, brand trust, and consumer loyalty
    • Loss of market share
    • Suspension of business operations
    • Lawsuits due to collective actions and claims
    • Criminal charges

    Methods:

    • Shifts in the privacy and security regulatory landscape, including requirements for:
      • Data residency.
      • Cross-border data transfer.
      • Data breach notification.
      • Third-party security and privacy risk management.

    The incidence of insider threats varies widely by jurisdiction in unexpected ways

    On average, companies in North America, the Middle East, and Africa had the most insider incidents in 2021, while those in the Asia-Pacific region had the least.

    The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.

    In the context of this research, insider threat is defined as:

    • Employee or contractor negligence.
    • Criminal or malicious insider activities.
    • Credential theft (imposter risk).

    On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.

    In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.

    the image contains a diagram of the world, with various places coloured in different shades of blue.

    The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022)

    Insider threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #3

    Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.

    Threat Actor:

    • Malicious insiders
    • Negligent employees
    • Infiltrators

    Asset:

    • Sensitive data
    • Employee credentials
    • IT systems

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss

    Methods:

    • Infiltrators may compromise credentials.
    • Malicious or negligent insiders may use corporate email to steal or share sensitive data, including:
      • Regulated data.
      • Intellectual property.
      • Critical business information.
    • Malicious agents may facilitate data exfiltration, as well as open-port and vulnerability scans.

    The risk of advanced persistent threats is more prevalent in Central and South America and the Asia-Pacific region

    Attacks from advanced persistent threat (APT) actors are more sophisticated than traditional ones.

    • More countries will use legal indictments as part of their cyber strategy. Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same.
    • Expect APTs to increasingly target network appliances like VPN gateways as organizations continue to sustain hybrid workforces.
    • The line between APTs and state-sanctioned ransomware groups is blurring. Expect cybercriminals to wield better tools, mount more targeted attacks, and use double-extortion tactics.
    • Expect more disruption and collateral damage from direct attacks on critical infrastructure.

    Top 10 Significant Threat Actors:

    • Lazarus
    • DeathStalker
    • CactusPete
    • IAmTheKing
    • TransparentTribe
    • StrongPity
    • Sofacy
    • CoughingDown
    • MuddyWater
    • SixLittleMonkeys

    Top 10 Targets:

    • Government
    • Banks
    • Financial Institutions
    • Diplomatic
    • Telecommunications
    • Educational
    • Defense
    • Energy
    • Military
    • IT Companies
    The image contains a world map coloured in various shades of blue.
    Top 12 countries targeted by APTs (Kaspersky, 2020)

    Track notable APTs to revise your list of high-risk jurisdictions and review the latest tactics and techniques

    Governmental advisors track notable APT actors that pose greater risks.

    The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.

    The following threat actors are currently associated with cyberattacks affiliated with the Russian government.

    Activity Group

    Risks

    APT28 (GRU)

    Known as Fancy Bear, this threat group has been tied to espionage since 2004. They compromised the Hillary Clinton campaign, amid other major events.

    APT29 (SVT)

    Tied to espionage since 2008. Reportedly compromised the Democratic National Committee in 2015. Cited in the 2021 SolarWinds compromise.

    Buhtrap/RTM Group

    Group focused on financial targets since 2014. Currently known to target Russian and Ukrainian banks.

    Gamaredon

    Operating in Crimea. Aligned with Russian interests. Has previously targeted Ukrainian government officials and organizations.

    DEV-0586

    Carried out wiper malware attacks on Ukrainian targets in January 2022.

    UNC1151

    Active since 2016. Linked to information operation campaigns and the distribution of anti-NATO material.

    Conti

    Most successful ransomware gang of 2021, with US$188M revenue. Supported Russian invasion of Ukraine, threatening attacks on allied critical infrastructure.

    Sources: MITRE ATT&CK; Security Boulevard, 2022; Reuters, 2022; The Verge, 2022

    Advanced persistent threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #4

    Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly-skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • IT systems
    • Critical infrastructure

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss
    • Business continuity disruptions
    • Infrastructure destruction

    Methods:

    • Persistent, consistent attacks using the most advanced threats and tactics to bypass security defenses.
    • The goal of APTs is to maintain access to networks for prolonged periods without being detected.
    • The median dwell time differs widely between regions. FireEye reported the mean dwell time for 2018:
      • Americas: 71 days
      • Europe, Middle East, and Africa: 177 days
      • Asia-Pacific: 204 days
    Sources: Symantec, 2011; FireEye, 2019

    Threat agents have deployed invasive technology for commercial surveillance in at least 76 countries since 2015

    State actors and their affiliates purchased and used invasive spyware from companies in Europe, Israel, and the US.

    • “Customers are predominantly repressive regimes looking for new ways to control the flow of information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit.” (Top10VPN, 2021)
    • Companies based in economically developed and largely democratic states are profiting off the technology.
    • The findings demonstrate the need to consider geopolitical realities when assessing high-risk jurisdictions and to take meaningful action to increase layered defenses against invasive malware.
    • Spyware is having an increasingly well-known impact on civil society. For instance, since 2016, over 50,000 individual phone numbers have been identified as potential targets by NSO Group, the Israeli manufacturers of the notorious Pegasus Spyware. The target list contained the phone numbers of politicians, journalists, activists, doctors, and academics across the world.
    • The true number of those affected by spyware is almost impossible to determine given that many fall victim to the technology and do not notice.
    The image contains a map of the world with various countries highlighted in shades of blue.

    Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)

    The risks and effects of spyware vary greatly

    Spyware can steal mundane information, track a user’s every move, and everything in between.

    Adware

    Software applications that display advertisements while the program is running.

    Keyboard Loggers

    Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.

    Trojans

    Applications that appear harmless but inflict damage or data loss to a system.

    Mobile Spyware

    Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.

    State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.

    Commercial surveillance

    Likelihood: Low to Medium

    Impact: Medium

    Key Risk Scenario #5

    Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • Staff health and safety
    • IT systems

    Effects:

    • Data breaches
    • Loss of data confidentiality
    • Increased risk to staff health and safety
    • Misuse of private data
    • Financial loss

    Methods:

    • Email and text phishing attacks that delivery malware payloads
    • Sideloading untested applications from a third-party source rather than an official retailer
    • Sophisticated zero-click attacks that deliver payloads without requiring user interaction

    Use the Jurisdictional Risk Register and Heatmap Tool

    The tool included with this blueprint can help you draft risk scenarios and risk statements in this section.

    The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.

    The image includes two screenshots of the jurisdictional risk register and heatmap tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Download the Jurisdictional Risk Register and Heatmap Tool

    2.1.1 Identify assets

    1 – 2 hours

    1. As a group, consider critical or mission-essential functions in high-risk jurisdictions and the systems on which they depend. Brainstorm a list of the organization’s mission-supporting assets in high-risk jurisdictions. Consider:
    • Staff
    • Critical IT systems
    • Sensitive data
    • Critical operational processes
  • On a whiteboard, brainstorm the potential adverse effect of malicious agents in high-risk jurisdictions compromising critical assets. Consider the impact on:
    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Business impact analyses
    • A list of the organization’s mission-supporting assets

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • IT leadership
    • System owner
    • Enterprise Risk Management

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    The image contains an example of the activity mentioned in the text above.

    Model threats to narrow the range of scenarios

    Motives and capabilities to perform attacks on critical assets vary across different threat actors.

    Category

    Actions

    Motivation

    Sophistication

    Nation-states

    Cyberespionage, cyberattacks

    Geopolitical

    High. Dedicated resources and personnel, extensive planning and coordination.

    Proxy organizations

    Espionage, destructive attacks

    Geopolitical, Ideological, Profit

    Moderate. Some planning and support functions and technical expertise.

    Cybercrime

    Theft, fraud, extortion

    Profit

    Moderate. Some planning and support functions and technical expertise.

    Hacktivists

    Disrupt operations, attack brands, release sensitive data

    Ideological

    Low. Rely on widely available tools that require little skill to deploy.

    Insiders

    Destruction or release of sensitive data, theft, exposure through negligence

    Incompetence, Discontent

    Internal access. Acting on their own or in concert with any of the above.

    • Criminals, hacktivists, and insiders vary in sophistication. Some criminal groups demonstrate a high degree of sophistication; however, a large cyber event that damages critical infrastructure does not align with their incentives to make money at minimal risk.
    • Proxy actors conduct offensive cyber operations on behalf of a beneficiary. They may be acting on behalf of a competitor, national government, or group of individuals.
    • Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives.

    2.1.2 Identify threats

    1 – 2 hours

    1. Review the outputs from activity 1.1.1 and activity 2.1.1.
    2. Identify threat agents that could undermine the security of critical assets in high-risk jurisdictions. Include internal and external actors.
    3. Assess their motives, means, and opportunities.
    • Which critical assets are most attractive? Why?
    • What paths and vulnerabilities can threat agents exploit to reach critical assets without going through a control?
    • How could they defeat existing controls? Draw on the MITRE framework to inform your analysis.
    • Once agents defeat a control, what further attack can they launch?

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Jurisdictional assessment from activity 1.1.1
    • Critical assets from activity 2.1.1
    • Potential vulnerabilities from:
      • Security control gap analysis
      • Security risk register
    • Threat intelligence
    • MITRE framework
    • A list of critical assets, threat agents, vulnerabilities, and potential attack vectors.

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • Infrastructure & Operations team
    • Enterprise Risk Management

    2.1.2 Identify threats (continued)

    1 – 2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.

    For example:

    • State actors and cybercriminals may steal or compromise end-user devices during travel to high-risk jurisdictions using malware they embed in airport charging stations, internet café networks, or hotel business centers.
    • Compromised devices may infect corporate networks and threaten sensitive data once they reconnect to them.

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    The image contains a screenshot of activity 2.1.2 as described in the text above.

    Bring together the critical risk elements into a single risk scenario

    Summarize the scenario further into a single risk statement

    Risk Scenario: High-Risk Travel

    State actors and cybercriminals can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Risk Statement

    Cybercriminals compromise end-user devices during travel to high-risk jurisdictions, jeopardizing staff safety and leading to loss of sensitive data.

    Risk Scenario: Compliance Risk

    Rapid changes in the privacy and security regulatory landscape threaten an organization’s ability to meet its compliance obligations from local legal and regulatory frameworks. Organizations that fail to do so risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Risk Statement

    Rapid changes in the privacy and security regulations landscape threaten our ability to remain compliant, leading to reputational and financial loss.

    Fill out the Jurisdictional Risk Register and Heatmap Tool

    The tool is populated with data from two key risk scenarios: high-risk travel and compliance risk.

    The image includes two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    1. Label the risk in Tab 3, Column B.
    2. Record your risk scenario in Tab 3, Column C.
    3. Record your risk statement in Tab 3, Column D.
    4. Identify the applicable jurisdictions in Tab 3, Column E.
    5. You can further categorize the scenario as:
      • an enterprise risk (Column G).
      • an IT risk (Column H).

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 2.2

    Assess Risk Exposure

    Activities

    2.2.1 Identify existing controls

    2.2.2 Assess likelihood and impact

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Assess risk exposure for each risk scenario through an analysis of its likelihood and impact.

    Brush up on risk assessment essentials

    The next step will help you prioritize IT risks based on severity.

    Likelihood of Occurrence X Likelihood of Impact = Risk Severity

    Likelihood of occurrence: How likely the risk is to occur.

    Likelihood of impact: The likely impact of a risk event.

    Risk severity: The significance of the risk.

    Evaluate risk severity against the risk tolerance thresholds and the cost of risk response.

    Identify existing controls before you proceed

    Existing controls will reduce the inherent likelihood and impact of the risk scenario you face.

    Existing controls were put in place to avoid, mitigate, or transfer key risks your organization faced in the past. Without considering existing controls, you run the risk of overestimating the likelihood and impact of the risk scenarios your organization faces in high-risk jurisdictions.

    For instance, the ability to remote-wipe corporate-owned devices will reduce the potential impact of a device lost or compromised during travel to high-risk jurisdictions.

    As you complete the risk assessment for each scenario, document existing controls that reduce their inherent likelihood and impact.

    2.2.1 Document existing controls

    6-10 hours

    1. Document the Risk Category and Existing Controls in the Jurisdictional Risk Register and Heatmap Tool.
      • Tactical controls apply to individual risks only. For instance, the ability to remote-wipe devices mitigates the impact of a device lost in a high-risk jurisdiction.
      • Strategic controls apply to multiple risks. For instance, deploying MFA for critical applications mitigates the likelihood that malicious actors can compromise a lost device and impedes their access in devices they do compromise.

    Input

    Output

    • Risk scenarios
    • Existing controls for risk scenarios

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Assess the risk scenarios you identified in Phase 1

    The risk register is the central repository for risks in high-risk jurisdictions.

    • Use the second tab of the Jurisdictional Risk Register and Heatmap Tool to create likelihood, impact, and risk tolerance assessment scales to evaluate every risk event effectively.
    • Severity-level assessment is a “first pass” of your risk scenarios that will reveal your organization’s most severe risks in high-risk jurisdictions.
    • You can incorporate expected cost calculations into your evaluation to assess scenarios in greater detail.
    • Expected cost represents how much you would expect to pay in an average year for each risk event. Expected cost calculations can help compare IT risks to non-IT risks that may not use the same scales and communicate system-level risk to the business in a language they will understand.

    Expected cost calculations may not be practical. Determining robust likelihood and impact values to produce cost estimates can be challenging and time consuming. Use severity-level assessments as a first pass to make the case for risk mitigation measures and take your lead from stakeholders.

    The image contains two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    Use the Jurisdictional Risk Register and Heatmap Tool to capture and analyze your data.

    2.2.2 Assess likelihood and impact

    6-10 hours

    1. Assign each risk scenario a likelihood of occurrence and a likely impact level that represents the impact of the scenario on the whole organization considering existing controls. Record your results in Tab 3, column R and S, respectively.
    2. You can further dissect likelihood and impact into component parameters but focus first on total likelihood and impact to keep the task manageable.
    3. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy. For instance, is a device lost in a high-risk jurisdiction truly more impactful than a device compromised with commercial surveillance software?
    4. The tool will calculate the probability of risk exposure based on the likelihood and consequence associated with the scenario. The results are published in Tab 3, Column T.

    Input

    Output

    • Risk scenarios
    • Assessed the likelihood of occurrence and impact for all identified risk events

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Refine your risk assessment to justify your estimates

    Document the rationale behind each value and the level of consensus in group discussions.

    Stakeholders will likely ask you to explain some of the numbers you assigned to likelihood and impact assessments. Pointing to an assessment methodology will give your estimates greater credibility.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    The goal is to develop robust intersubjective estimates of the likelihood and impact of a risk scenario.

    We assigned a 50% likelihood rating to a risk scenario. Were we correct?

    Assess the truth of the following statements to test likelihood assessments. In this case, do these two statements seem true?

    • The risk event will likely occur once in the next two years, all things being equal.
    • In two nearly identical organizations, one out of two will experience the risk event this year.
    The image includes a screenshot of the High-Risk Travel Jurisdictions.

    Phase 3

    Execute Response

    This phase will walk you through the following activities:

    • Prioritize and treat global risks to critical assets based on their value and exposure.
    • Build an initiative roadmap that identifies and applies relevant controls to protect critical assets. Identify key risk indicators to monitor progress.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 3.1

    Treat Security Risks

    Activities

    3.1.1 Identify and assess risk response

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Analyze and select risk responses

    The next step will help you treat the risk scenarios you built in Phase 2.

    Identify

    Identify risk responses.

    Predict

    Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk.

    Calculate

    The tool will calculate the residual severity of the risk after applying the risk response.

    The first part of the phase outlines project activities. The second part elaborates on high-risk travel and compliance risk, the two key risk scenarios we are following throughout the project. Use the Jurisdictional Risk Register and Heatmap Tool to capture your work.

    Analyze likelihood and impact to identify response

    The image contains a diagram of he risk response analysis. Risk Transfer and Risk Avoidance has the most likelihood, and Risk Acceptance and Risk Mitigation have the most impact. Risk Avoidance has the most likelihood and most impact in regards to risk response.

    3.1.1 Identify and assess risk response

    Complete the following steps for each risk scenario.

    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the scenario were to occur. Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level. This is the same step you performed in Activity 2.2.2, but you are now are estimating the likelihood and impact of the risk event after you implemented the risk response action successfully. The Jurisdictional Risk Register and Heatmap Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Jurisdictional Risk Register and Heatmap Tool .
    4. For each risk event, document risk response actions, residual likelihood and impact levels, and residual risk severity level.

    Input

    Output

    • Risk scenarios from Phase 2
    • Risk scenario mitigation plan

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 3.2

    Mitigate Travel Risk

    Activities

    3.2.1 Develop a travel policy

    3.2.2 Develop travel procedures

    3.2.3 Design high-risk travel guidelines

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Identify controls to mitigate jurisdictional risk

    This section provides guidance on the most prevalent risk scenarios identified in Phase 2 and provides a more in-depth examination of the two most prevalent ones, high-risk travel and compliance risk. Determine the appropriate response to each risk scenario to keep global risks to critical assets aligned with the organization’s risk tolerance.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Travel risk is a common concern in organizations with global operations

    • The security of staff, devices, and data is one of the biggest challenges facing organizations with a global footprint. Working and traveling in unpredictable environments will aways carry a degree of risk, but organizations can do much to develop a safer and more secure working environment.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.
    • For many organizations, security risk assessments, security plans, travel security procedures, security training, and incident reporting systems are a key part of their operating language.
    • The following section provides a simple structure to help organizations demystify travel in high-risk jurisdictions.

    The image contains a diagram to present high-risk jurisdictions.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Case study

    Higher Education: Camosun College

    Interview: Evan Garland

    Frame additional security controls as a value-added service.

    Situation

    The director of the international department at Camosun College reached out to IT security for additional support. Department staff often traveled to hostile environments. They were concerned malicious agents would either steal end-user devices or compromise them and access sensitive data. The director asked IT security for options that would better protect traveling staff, their devices, and the information they contain.

    Challenges

    First, controls would need to admit both work and personal use of corporate devices. Staff relied exclusively on work devices for travel to mitigate the risk of personal device theft. Personal use of corporate devices during travel was common. Second, controls needed to strike the right balance between friction and effortless access. Traveling staff had only intermittent access to IT support. Restrictive controls could prevent them from accessing their devices and data altogether.

    Solution

    IT consulted staff to discuss light-touch solutions that would secure devices without introducing too much complexity or compromising functionality. They then planned security controls that involved user interaction and others that did not and identified training requirements.

    Results

    Controls with user interaction

    Controls without user interaction

    • Multifactor authentication for college systems and collaboration platforms
    • Password manager for both work and personal use for staff for stronger passwords and practices
    • Security awareness training to help traveling staff identify potential threats while traveling through airports or accessing public Wi-Fi.
    • Drive encryption and always-on VPN to protect data at rest and in transit
    • Increased setting for phishing and spam filtering for traveling staff email
    • Enhanced anti-malware/endpoint detection and response (EDR) solution for traveling laptops

    Build a program to mitigate travel risks

    There is no one-size-fits-all solution.

    The most effective solution will take advantage of existing risk management policies, processes, and procedures at your organization.

    • Develop a framework. Outline the organization’s approach to high-risk travel, including the policies, procedures, and mechanisms put in place to ensure safe travel to high-risk jurisdictions.
    • Draft a policy. Outline the organization’s risk attitude and key security principles and define roles and responsibilities. Include security responsibilities and obligations in job descriptions of staff members and senior managers.
    • Provide flexible options. Inherent travel risk will vary from one jurisdiction to another. You will likely not find an approach that works for every case. Establish locally relevant measures and plans in different security contexts and risk environments.
    • Look for quick wins. Identify measures or requirements that you can establish quickly but that can have a positive effect on the security of staff, data, and devices.
    • Monitor and review. Undertake periodic reviews of the organization’s security approach and management framework, as well as their implementation, to ensure the framework remains effective.

    3.2.1 Develop a travel policy

    1. Work with your business leaders to build a travel policy for high-risk jurisdictions. The policy should be a short and accessible document structured around four key sections:
      • A statement on the importance of staff security and safety, the scope of the policy, and who it applies to (staff, consultants, contractors, volunteers, visitors, accompanying dependants, etc.).
      • A principles section explaining the organization’s security culture, risk attitude, and the key principles that shape the organization’s approach to staff security and safety.
      • A responsibilities section setting out the organization’s security risk management structure and the roles and actions allocated to specific positions.
      • A minimal security requirements section establishing the specific security requirements that must be in place in all locations and specific locations.
    2. Common security principles include:
    • Shared responsibility – Managing risks to staff is a shared organizational responsibility.
    • Acknowledgment of risk – Managing security will not remove all risks. Staff need to appreciate, as part of their informed consent, that they are still exposed to risk.
    • Primacy of life – Staff safety is of the highest importance. Staff should never place themselves at excessive risk to meet program objectives or protect property.
    • Proportionate risk – Risks must be assessed to ensure they are proportionate to the benefits organizational activities provide and the ability to manage those risks.
    • Right to withdraw – Staff have the right to withdraw from or refuse to take up work in a particular area due to security concerns.
    • No right to remain – The organization has the right to suspend activities that it considers too dangerous.
  • Cross-reference the organization’s other governing policies that outline requirements related to security risk management, such as the health and safety policy, access control policy, and acceptable use of security assets.
  • Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • Data inventory and data flows
    • Travel policy for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Develop security plans for high-risk travel

    Security plans advise staff on how to manage the risk identified in assessments.

    Security plans are key country documents that outline the security measures and procedures in place and the responsibilities and resources required to implement them. Security plans should be established in high-risk jurisdictions where your organization has a regular, significant presence. Security plans must remain relevant and accessible documents that address the specific risks that exist in that location, and, if appropriate, are specific about where the measures apply and who they apply to. Plans should be updated regularly, especially following significant incidents or changes in the operating environment or activities.

    Key Components

    Critical information – One-page summary of pertinent information for easy access and quick reference (e.g. curfew times, no-go areas, important contacts).

    Overview – Purpose and scope of the document, responsibilities for security plan, organization’s risk attitude, date of completion and review date, and a summary of the security strategy and policy.

    Current Context – Summary of current operating context and overall security situation; main risks to staff, assets, and operations; and existing threats and risk rating.

    Procedures – Simple security procedures that staff should adhere to in order to prevent incidents and how to respond should problems arise. Standard operating procedures (SOPs) should address key risks identified in the assessment.

    Security levels – The organization's security levels/phases, with situational indicators that reflect increasing risks to staff in that context and location and specific actions/measures required in response to increasing insecurity.

    Incident reporting – The procedures and responsibilities for reporting security-related incidents; for example, the type of incidents to be reported, the reporting structure, and the format for incident reporting.

    Determine travel risk

    Tailor your risk response to the security risk assessment you conducted in earlier stages of this project.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    Rating

    Description (Examples)

    Recommended Action

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Basic personal security, travel, and health precautions required.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    Increased vigilance and routine security procedures required.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high and targeting of foreigners is common. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing a natural disaster or a disease epidemic are considered high risk.

    High level of vigilance and effective, context-specific security precautions required.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Civil authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to significant parts of the country. Transportation and communication services are severely degraded or non-existent. Violence presents a direct threat to staff security.

    Stringent security precautions essential and may not be sufficient to prevent serious incidents.

    Program activities may be suspended and staff withdrawn at very short notice.

    3.2.2 Develop travel procedures

    1. Work with your business leaders to build travel procedures for high-risk jurisdictions. The procedures should be tailored to the risk assessment and address the risk scenarios identified in Phase 2.
    2. Use the categories outlined in the next two slides to structure the procedure. Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip.
    3. Consider the implementation of special measures to limit the impact of a potential security event, including:
      • Information end-user device loaner programs.
      • Temporary travel service email accounts.
    4. Specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.
    5. Discuss the rationale for each procedure. Ensure the components align with the policy statements outlined in the high-risk travel policy developed in the previous step.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • Travel procedures for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Draft procedures to mitigate travel risks

    Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip

    Introduction

    Clarifies who the procedures apply to. Highlights any differences in travel security requirements or support provided to staff, consultants, partners, and official visitors.

    Travel risk ratings

    Explains the travel or country risk rating system, how staff access the information, the different categories and indicators, and their implications.

    Roles and responsibilities

    Clarifies the responsibilities of travelers, their line managers or contact points, and senior management regarding travel security and how this changes for destinations with higher risk ratings.

    Travel authorization

    Stipulates who in the organization authorizes travel, the various compliance measures required, and how this changes for destinations with higher risk ratings.

    Travel risk assessment

    Explains when travel risk assessments are required, the template that should be used, and who approves the completed assessments.

    Travel security procedures should specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.

    Pre-travel briefings

    Outlines the information that must be provided to travelers prior to departure, the type of briefing required and who provides it, and how these requirements change as risk ratings increase.

    Security training

    Explain security training required prior to travel. This may vary depending on the country’s risk rating. Includes information on training waiver system, including justifications and authorization.

    Traveler profile forms

    Travelers should complete a profile form, which includes personal details, emergency contacts, medical details, social media footprint, and proof-of-life questions (in contexts where there are abduction risks).

    Check-in protocol

    Specifies who travelers must maintain contact with while traveling and how often, as well as the escalation process in case of loss of contact. The frequency of check-ins should reflect the increase in the risk rating for the destination.

    Emergency procedures

    Outlines the organization's emergency procedures for security and medical emergencies.

    3.2.3 Design high-risk travel guidelines

    • Supplement the high-risk travel policies and procedures with guidelines to help international travelers stay safe.
    • The document is intended for an end-user audience and should reflect your organization’s policies and procedures for the use of information and information systems during international travel.
    • Use the Digital Safety Guidelines for International Travel template in concert with this blueprint to provide guidance on what end users can do to stay safe before they leave, during their trip, and when they return.
    • Consider integrating the guidelines into specialized security awareness training sessions that target end users who travel to high-risk jurisdictions.
    • The guidelines should supplement and align with existing technical controls.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • High-risk travel procedure
    • Travel guidelines for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Digital Safety Guidelines for International Travel template

    Step 3.3

    Mitigate Compliance Risk

    Activities

    3.3.1 Identify data localization obligations

    3.3.2 Integrate obligations into IT system design

    3.3.3 Document data processing activities

    3.3.4 Choose the right mechanism

    3.3.5 Implement the appropriate controls

    3.3.6 Identify data breach notification obligations

    3.3.7 Integrate data breach notification into incident response

    3.3.8 Identify vendor security and data protection requirements

    3.3.9 Build due diligence questionnaire

    3.3.10 Build appropriate data processing agreement

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Compliance risk is a prevalent risk in organizations with a global footprint

    • The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Organizations with a global footprint must stay abreast of local regulations and provide risk management guidance to business leaders to support global operations.
    • This sections describes four compliance risks in this context:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Data Residency

    Gap Controls

    • Identify and document the data localization obligations for the jurisdictions that the organization is operating in.
    • Design and implement IT systems that satisfy the data localization requirements.
    • Comply with data localization obligations within each jurisdiction.

    Heatmap of Global Data Residency Regulations

    The image contains a screenshot of a picture of a world map with various shades of blue to demonstrate the heatmap of global data residency regulations.
    Source: InCountry, 2021

    Examples of Data Residency Requirements

    Country

    Data Type

    Local Storage Requirements

    Australia

    Personal data – heath record

    My Health Records Act 2012

    China

    Personal information — critical information infrastructure operators

    Cybersecurity law

    Government cloud data

    Opinions of the Office of the Central Leading Group for Cyberspace Affairs on Strengthening Cybersecurity Administration of Cloud Computing Services for Communist Party and Government Agencies

    India

    Government email data

    The Public Records Act of 1993

    Indonesia

    Data held by electronic system operator for the public service

    Regulation 82 concerning “Electronic System and Transaction Operation”

    Germany

    Government cloud service data

    Criteria for the procurement and use of cloud services by the federal German administration

    Russia

    Personal data

    The amendments of Data Protection Act No. 152 FZ

    Vietnam

    Data held by internet service providers

    The Decree on Management, Provision, and Use of Internet Services and Information Content Online (Decree 72)

    US

    Government cloud service data

    Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)

    3.3.1 Identify data localization obligations

    1-2 hours

    1. Work with your business leaders to identify and document the jurisdictions where your organization is operating in or providing services and products to consumers within.
    2. Work with your legal team to identify and document all relevant data localization obligations for the data your organization generates, collects, and processes in order to operate your business.
    3. Record your data localization obligations in the table below.

    Jurisdiction

    Relevant Regulations

    Local Storage Requirements

    Date Type

    Input

    Output

    • List of jurisdictions your organization is operating in
    • Relevant security and data protection regulations
    • Data inventory and data flows
    • Completed list of data localization obligations

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.2 Integrate obligations into your IT system design

    1-2 hours

    1. Work with your IT department to design the IT architecture and systems to satisfy the data localization requirements.
    2. The table below provides a checklist for integrating privacy considerations into your IT systems.

    Item

    Consideration

    Answer

    Supporting Document

    1

    Have you identified business services that process data that will be subject to localization requirements?

    2

    Have you identified IT systems associated with the business services mentioned above?

    3

    Have you established a data inventory (i.e. data types, business purposes) for the IT systems mentioned above?

    4

    Have you established a data flow diagram for the data identified above?

    5

    Have you identified the types of data that should be stored locally?

    6

    Have you confirmed whether a copy of the data locally stored will satisfy the obligations?

    7

    Have you confirmed whether an IT redesign is needed or whether modifications (e.g. adding a server) to the IT systems would satisfy the obligations?

    8

    Have you confirmed whether access from another jurisdiction is allowed?

    9

    Have you identified how long the data should be stored?

    Input

    Output

    • Data localization obligations
    • Business services that process data that will be subject to localization requirements
    • IT systems associated with business services
    • Data inventory and data flows
    • Completed checklist of localization obligations for IT system design

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Cross-Border Transfer

    Gap Controls

    • Know where you transfer your data.
    • Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data.
    • Adopt and implement a proper cross-border data transfer mechanism in accordance with applicable privacy laws and regulations.
    • Re-evaluate at appropriate intervals.

    Which cross-border transfer mechanism should I choose?

    Transfer Mechanism

    Advantages

    Disadvantages

    Standard Contractual Clauses (SCC)

    • Easy to implement
    • No DPA (data processing agreement) approval
    • Not suitable for complex data transfers
    • Do not meet business agility
    • Needs legal solution

    Binding Corporate Rules (BCRs)

    • Meets business agility needs
    • Raises trust in the organization
    • Doubles as solution for art. 24/25 of the GDPR
    • Sets high compliance maturity level
    • Takes time to draft/implement
    • Requires DPA approval (scrutiny)
    • Requires culture of compliance
    • Approved by one "lead" authority and two other "co-lead“ authorities
    • Takes usually between six and nine months for the approval process only

    Code of Conduct

    • Raises trust in the sector
    • Self-regulation instead of law
    • No code of conduct approved yet
    • Takes time to draft/implement
    • Requires DPA approval and culture of compliance
    • Needs of organization may not be met

    Certification

    • Raises trust in the organization
    • No certification schemes available yet
    • Risk of compliance at minimum necessary
    • Requires audits

    Consent

    • Legal certainty
    • Transparent
    • Administrative burden
    • Some data subjects are incapable of consenting all or nothing

    3.3.3 Document data processing activities

    1-2 hours

    1. Identify and document the following information:
      • Name of business process
      • Purposes of processing
      • Lawful basis
      • Categories of data subjects and personal data
      • Data subject categories
      • Which system the data resides in
      • Recipient categories
      • Third country/international organization
      • Documents for appropriate safeguards for international transfer (adequacy, SCCs, BCRs, etc.)
      • Description of mitigating measures

    Input

    Output

    • Name of business process
    • Categories of personal data
    • Which system the data resides
    • Third country/international organization
    • Documents for appropriate safeguards for international transfer
    • Completed list of data processing activities

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.4 Choose the right mechanism

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data. For example, the EU’s GDPR and China’s Personal Information Protection Law require proper cross-border transfer mechanisms before the data transfers. Your organization should decide which cross-border transfer mechanism is the best fit for your cross-border data transfer scenarios.
    2. Use the following table to identify and document the pros and cons of each data transfer mechanism and the final decision.

    Data Transfer Mechanism

    Pros

    Cons

    Final Decision

    SCC

    BCR

    Code of Conduct

    Certification

    Consent

    Input

    Output

    • List of relevant data transfer mechanisms
    • Assessment of the pros and cons of each mechanism
    • Final decision regarding which data transfer mechanism is the best fit for your organization

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.5 Implement the appropriate controls

    1-3 hours

    • One of the most common mechanisms is standard contractual clauses (SCCs).
    • Use Info-Tech’s Standard Contractual Clauses Template to facilitate your cross-border transfer activities.
    • Identify and check whether the following core components are covered in your SCC and record the results in the table below.
    # Core Components Status Note
    1 Purpose and scope
    2 Effect and invariability of the Clauses
    3 Description of the transfer(s)
    4 Data protection safeguards
    5 Purpose limitation
    6 Transparency
    7 Accuracy and data minimization
    8 Duration of processing and erasure or return of data
    9 Storage limitation
    10 Security of processing
    11 Sensitive data
    12 Onward transfers
    13 Processing under the authority of the data importer
    14 Documentation and compliance
    15 Use of subprocessors
    16 Data subject rights
    17 Redress
    18 Liability
    19 Local laws and practices affecting compliance with the Clauses
    20 Noncompliance with the Clauses and termination
    21 Description of data processing activities, such as list of parties, description of transfer, etc.
    22 Technical and organizational measures
    InputOutput
    • Description of the transfer(s)
    • Duration of processing and erasure or return of data
    • Onward transfers
    • Use of subprocessors
    • Etc.
    • Draft of the standard contractual clauses (SCC)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Data Breach

    Gap Controls

    • Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    • Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    • Integrate breach notification obligations into security incident response process.

    Examples of Data Breach Notification Obligations

    Location

    Regulation/ Standard

    Reporting Obligation

    EU

    GDPR

    72 hours

    China

    PIPL

    Immediately

    US

    HIPAA

    No later than 60 days

    Canada

    PIPEDA

    As soon as feasible

    Global

    PCI DSS

    • Visa – immediately after breach discovered
    • Mastercard – within 24 hours of discovering breach
    • American Express – immediately after breach discovered

    Summary of US State Data Breach Notification Statutes

    The image contains a graph to show the summary of the US State Data Breach Notification Statutes.

    Source: Davis Wright Tremaine

    3.3.6 Identify data breach notification obligations

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    2. Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    3. Record your data breach obligations in the table below.
    Region Regulation/Standard Reporting Obligation

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of data breach reporting obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.7 Integrate data breach notification into incident response

    1-2 hours

    • Integrate breach notification obligations into the security incident response process. Understand the security incident management framework.
    • All incident runbooks follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.
    • The table below provides a basic checklist for you to consider when implementing your data breach and incident handling process.
    # Phase Considerations Status Notes
    1 Prepare Ensure the appropriate resources are available to best handle an incident.
    2 Detect Leverage monitoring controls to actively detect threats.
    3 Analyze Distill real events from false positives.
    4 Contain Isolate the threat before it can cause additional damage.
    5 Eradicate Eliminate the threat from your operating environment.
    6 Recover Restore impacted systems to a normal state of operations.
    7 Report Report data breaches to relevant regulators and data subjects if required.
    8 Post-Incident Activities Conduct a lessons-learned post-mortem analysis.
    InputOutput
    • Security and data protection incident response steps
    • Key considerations for integrating data breach notifications into incident response
    • Data breach notifications integrated into the incident response process
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Security team
    • Privacy team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Third-Party Risk

    Gap Controls

    • Build an end-to-end third-party security and privacy risk management process.
    • Perform internal due diligence prior to selecting a service provider.
    • Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.

    End-to-End Third-Party Security and Privacy Risk Management

    1. Pre-Contract
    • Due diligence check
  • Signing of Contract
    • Data processing agreement
  • Post-Contract
    • Continuous monitoring
    • Regular check or audit
  • Termination of Contract
    • Data deletion
    • Access deprovisioning

    Examples of Vendor Security Management Requirements

    Region

    Law/Standard

    Section

    EU

    General Data Protection Regulation (GDPR)

    Article 28 (1)

    Article 46 (1)

    US

    Health Insurance Portability and Accountability Act (HIPAA)

    §164.308(b)(1)

    US

    New York Department of Financial Services Cybersecurity Requirements

    500.11(a)

    Global

    ISO 27002:2013

    15.1.1

    15.1.2

    15.1.3

    15.2.1

    15.2.2

    US

    NIST 800-53

    SA-12

    SA-12 (2)

    US

    NIST Cybersecurity Framework

    ID-SC-1

    ID-SC-2

    ID-SC-3

    ID-SC-4

    Canada

    OSFI Cybersecurity Guidelines

    4.25

    4.26

    3.3.8 Identify vendor security and data protection requirements

    1-2 hours

    • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic reassessments.
    • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
    • Identify and document your vendor security and data protection requirements in the table below.
    Region Law/Standard Section Requirements

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of vendor security and data protection obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.9 Build due diligence questionnaire

    1-2 hours

    Perform internal due diligence prior to selecting a service provider.

    1. Build and right-size your vendor security questionnaire by leveraging Info-Tech’s Vendor Security Questionnaire template.
    2. Document your vendor security questionnaire in the table below.
    # Question Vendor Request Vendor Comments
    1 Document Requests
    2 Asset Management
    3 Governance
    4 Supply Chain Risk Management
    5 Identify Management, Authentication, and Access Control
    InputOutput
    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Business security and data protection requirements and expectations
    • Draft of due diligence questionnaire
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.10 Build appropriate data processing agreement

    1-2 hours

    1. Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.
    2. Leverage Info-Tech’s Data Processing Agreement Template to put the language into your legally binding document.
    3. Use the table below to check whether core components of a typical DPA are covered in your document.
    # Core Components Status Note
    1 Processing of personal data
    2 Scope of application and responsibilities
    3 Processor's obligations
    4

    Controller's obligations

    5 Data subject requests
    6 Right to audit and inspection
    7 Subprocessing
    8 Data breach management
    9 Security controls
    10 Transfer of personal data
    11 Duty of confidentiality
    12 Compliance with applicable laws
    13 Service termination
    14 Liability and damages
    InputOutput
    • Processing of personal data
    • Processor’s obligations
    • Controller’s obligations
    • Subprocessing
    • Etc.
    • Draft of data processing agreement (DPA)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Summary of Accomplishment

    Problem Solved

    By following Info-Tech’s methodology for securing global operations, you have:

    • Evaluated the security context of your organization’s global operations.
    • Identified security risks scenarios unique to high-risk jurisdictions and assessed the exposure of critical assets.
    • Planned and executed a response.

    You have gone through a deeper analysis of two key risk scenarios that affect global operations:

    • Travel to high-risk jurisdictions.
    • Compliance risk.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.

    workshop@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    The image contains a picture of Michel Hebert.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    The image contains a screenshot of High-Risk Travel Jurisdictions.

    Identify High-Risk Jurisdictions

    Develop requirements to identify high-risk jurisdictions.

    The image contains a screenshot of Build Risk Scenarios.

    Build Risk Scenarios

    Build risk scenarios to capture assets, vulnerabilities, threats, and the potential effect of a compromise.

    External Research Contributors

    Ken Muir

    CISO

    LMC Security

    Premchand Kurup

    CEO

    Paramount Computer Systems

    Preeti Dhawan

    Manager, Security Governance

    Payments Canada

    Scott Wiggins

    Information Risk and Governance

    CDPHP

    Fritz Y. Jean Louis

    CISO

    Globe and Mail

    Eric Gervais

    CIO

    Ovivo Water

    David Morrish

    CEO

    MBS Techservices

    Evan Garland

    Manager, IT Security

    Camosun College

    Jacopo Fumagalli

    CISO

    Axpo

    Dennis Leon

    Governance and Security Manager

    CPA Canada

    Tero Lehtinen

    CIO

    Planmeca Oy

    Related Info-Tech Research

    Build an IT Risk Management Program

    • Build a program to identify, evaluate, assess, and treat IT risks.
    • Monitor and communicate risks effectively to support business decision making.

    Combine Security Risk Management Components Into One Program

    • Develop a program focused on assessing and managing information system risks.
    • Build a governance structure that integrates security risks within the organization’s broader approach to risk management.

    Build an Information Security Strategy

    • Build a holistic, risk-aware strategy that aligns to business goals.
    • Develop a roadmap of prioritized initiatives to implement the strategy over 18 to 36 months.

    Bibliography

    2022 Cost of Insider Threats Global Report.” Ponemon Institute, NOVIPRO, 9 Feb. 2022. Accessed 25 May 22.

    “Allianz Risk Barometer 2022.” Allianz Global Corporate & Specialty, Jan. 2022. Accessed 25 May 22.

    Bickley, Shaun. “Security Risk Management: a basic guide for smaller NGOs”. European Interagency Security Forum (EISF), 2017. Web.

    “Biden Administration Warns against spyware targeting dissidents.” New York Times, 7 Jan 22. Accessed 20 Jan 2022.

    Boehm, Jim, et al. “The risk-based approach to cybersecurity.” McKinsey & Company, October 2019. Web.

    “Cost of a Data Breach Report 2021.” IBM Security, July 2021. Web.

    “Cyber Risk in Asia-Pacific: The Case for Greater Transparency.” Marsh & McLennan Companies, 2017. Web.

    “Cyber Risk Index.” NordVPN, 2020. Accessed 25 May 22

    Dawson, Maurice. “Applying a holistic cybersecurity framework for global IT organizations.” Business Information Review, vol. 35, no. 2, 2018, pp. 60-67.

    “Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 16 Apr 2018. Web.

    “Global Cybersecurity Index 2020.” International Telecommunication Union (ITU), 2021. Accessed 25 May 22.

    “Global Risk Survey 2022.” Control Risks, 2022. Accessed 25 May 22.

    “International Travel Guidance for Government Mobile Devices.” Federal Mobility Group (FMG), Aug. 2021. Accessed 18 Nov 2021.

    Kaffenberger, Lincoln, and Emanuel Kopp. “Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment.” Carnegie Endowment for International Peace, September 2019. Accessed 11 Jan 2022.

    Koehler, Thomas R. Understanding Cyber Risk. Routledge, 2018.

    Owens, Brian. “Cybersecurity for the travelling scientist.” Nature, vol. 548, 3 Aug 2017. Accessed 19 Jan. 2022.

    Parsons, Fintan J., et al. “Cybersecurity risks and recommendations for international travellers.” Journal of Travel Medicine, vol. 1, no. 4, 2021. Accessed 19 Jan 2022.

    Quinn, Stephen, et al. “Identifying and estimating cybersecurity risk for enterprise risk management.” National Institute of Standards and Technology (NIST), Interagency or Internal Report (IR) 8286A, Nov. 2021.

    Quinn, Stephen, et al. “Prioritizing cybersecurity risk for enterprise risk management.” NIST, IR 8286B, Sept. 2021.

    “Remaining cyber safe while travelling security recommendations.” Government of Canada, 27 April 2022. Accessed 31 Jan 2022.

    Stine, Kevin, et al. “Integrating cybersecurity and enterprise risk management.” NIST, IR 8286, Oct. 2020.

    Tammineedi, Rama. “Integrating KRIs and KPIs for effective technology risk management.” ISACA Journal, vol. 4, 1 July 2018.

    Tikk, Eneken, and Mika Kerttunen, editors. Routledge Handbook of International Cybersecurity. Routledge, 2020.

    Voo, Julia, et al. “National Cyber Power Index 2020.” Belfer Center for Science and International Affairs, Harvard Kennedy School, Sept. 2020. Web.

    Zhang, Fang. “Navigating cybersecurity risks in international trade.” Harvard Business Review, Dec 2021. Accessed 31 Jan 22.

    Appendix

    Insider Threat

    Key Risk Scenario

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a picture of the Gap Controls. The controls include: Policy and Awareness, Identification, Monitoring and Visibility, which leads to Cooperation.

    • Identification: Effective and efficient management of insider threats begins with a threat and risk assessment to establish which assets and which employees to consider, especially in jurisdictions associated with sensitive or critical data. You need to pay extra attention to employees who are working in satellite offices in jurisdictions with loose security and privacy laws.
    • Monitoring and Visibility: Organizations should monitor critical assets and groups with privileged access to defend against malicious behavior. Implement an insider threat management platform that provides your organization with the visibility and context into data movement, especially cross-border transfers that might cause security and privacy breaches.
    • Policy and Awareness Training: Insider threats will persist without appropriate action and culture change. Training and consistent communication of best practices will mitigate vulnerabilities to accidental or negligent attacks. Customized training materials using local languages and role-based case studies might be needed for employees in high-risk jurisdictions.
    • Cooperation: An effective insider threat management program should be built with cross-team functions such as Security, IT, Compliance and Legal, etc.

    For more holistic approach, you can leverage our Reduce and Manage Your Organization’s Insider Threat Risk blueprint.

    Info-Tech Insight

    You can’t just throw tools at a human problem. While organizations should monitor critical assets and groups with privileged access to defend against malicious behavior, good management and supervision can help detect attacks and prevent them from happening in the first place.

    Insider threats are not industry specific, but malicious insiders are

    Industry

    Actors

    Risks

    Tactics

    Motives

    State and Local Government

    • Full-time employees
    • Current employees
    • Privileged access to personally identifiable information, financial assets, and physical property
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Recognition
    • Benefiting foreign entity

    Information Technology

    • Equal mix of former and current employees
    • Privileged access to networks or systems as well as data
    • Highly technical attacks
    • Received or transferred fraudulent funds
    • Revenge
    • Financial gain

    Healthcare

    • Majority were full-time and current employees
    • Privileged access to customer data with personally identifiable information, financial assets
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Entitlement

    Finance and Insurance

    • Majority were full-time and current employees
    • Authorized users
    • Electronic financial assets
    • Privileged access to customer data
    • Created or used fraudulent accounts
    • Fraudulent purchases
    • Identity theft
    • Financial gain
    • Gambling addiction
    • Family pressures
    • Multiple motivations

    Source: Carnegie Mellon University Software Engineering Institute, 2019

    Advanced Persistent Threat

    Key Risk Scenario #4

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a screenshot of the Gap Controls listed: Prevent, Detect, Analyze, Respond.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.

    Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

    Respond: Organizations can’t rely on ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Best practices moving forward

    Defense in Depth

    Lock down your organization. Among other tactics, control administrative privileges, leverage threat intelligence, use IP whitelisting, adopt endpoint protection and two-factor authentication, and formalize incident response measures.

    Block Indicators

    Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act upon gathered intelligence.

    Drive Adoption

    Create organizational situational awareness around security initiatives to drive adoption of foundational security measures: network hardening, threat intelligence, red-teaming exercises, and zero-day mitigation, policies, and procedures.

    Supply Chain Security

    Security extends beyond your organization. Ensure your organization has a comprehensive view of your organizational threat landscape and a clear understanding of the security posture of any managed service providers in your supply chain.

    Awareness and Training

    Conduct security awareness and training. Teach end users how to recognize current cyberattacks before they fall victim – this is a mandatory first line of defense.

    Additional Resources

    Follow only official sources of information to help you assess risk

    The image contains an image highlighting a few additional resources.

    As misinformation is a major attack vector for malicious actors, follow only reliable sources for cyberalerts and actionable intelligence. Aggregate information from these reliable sources.

    Federal Cyber Agency Alerts

    Informational Resources

    Info-Tech Insight

    The CISA Shields Up site provides the latest cyber risk updates on the Russia-Ukraine conflict and should provide the most value in staying informed.

    Application Portfolio Management Foundations

    • Buy Link or Shortcode: {j2store}172|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $54,542 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy

    Organizations consider application oversight a low priority and app portfolio knowledge is poor:

    • No dedicated or centralized effort to manage the app portfolio means no single source of truth is available to support informed decision making.
    • Organizations acquire more applications over time, creating redundancy, waste, and the need for additional support.
    • Organizations are more vulnerable to changing markets. Flexibility and growth are compromised when applications are unadaptable or cannot scale.

    Our Advice

    Critical Insight

    • You cannot outsource application strategy.
    • Modern software options have lessened the need for organizations to have robust in-house application management capabilities. But your applications’ future and governance of the portfolio still require centralized oversight to ensure the best overall return on investment.
    • Application portfolio management is the mechanism to ensure that the applications in your enterprise are delivering value and support for your value streams and business capabilities. Understanding value, satisfaction, technical health, and total cost of ownership are critical to digital transformation, modernization, and roadmaps.

    Impact and Result

    Build an APM program that is actionable and fit for size:

    • Understand your current state, needs, and goals for your application portfolio management.
    • Create an application and platform inventory that is built for better decision making.
    • Rationalize your apps with business priorities and communicate risk in operational terms.
    • Create a roadmap that improves communication between those who own, manage, and support your applications.

    Application Portfolio Management Foundations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Application Portfolio Management Foundations Deck – A guide that helps you establish your core application inventory, simplified rationalization, redundancy comparison, and modernization roadmap.

    Enterprises have more applications than they need and rarely apply oversight to monitor the health, cost, and relative value of applications to ensure efficiency and minimal risk. This blueprint will help you build a streamlined application portfolio management process.

    • Application Portfolio Management Foundations – Phases 1-4

    2. Application Portfolio Management Diagnostic Tool – A tool that assesses your current application portfolio.

    Visibility into your application portfolio and APM practices will help inform and guide your next steps.

    • Application Portfolio Management Diagnostic Tool

    3. Application Portfolio Management Foundations Playbook – A template that builds your application portfolio management playbook.

    Capture your APM roles and responsibilities and build a repeatable process.

    • Application Portfolio Management Foundations Playbook

    4. Application Portfolio Management Snapshot and Foundations Tool – A tool that stores application information and allows you to execute rationalization and build a portfolio roadmap.

    This tool is the central hub for the activities within Application Portfolio Management Foundations.

    • Application Portfolio Management Snapshot and Foundations Tool
    [infographic]

    Workshop: Application Portfolio Management Foundations

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Your Foundations

    The Purpose

    Work with key corporate stakeholders to come to a shared understanding of the benefits and aspects of application portfolio management.

    Key Benefits Achieved

    Establish the goals of APM.

    Set the scope of APM responsibilities.

    Establish business priorities for the application portfolio.

    Activities

    1.1 Define goals and metrics.

    1.2 Define application categories.

    1.3 Determine steps and roles.

    1.4 Weight value drivers.

    Outputs

    Set short- and long-term goals and metrics.

    Set the scope for applications.

    Set the scope for the APM process.

    Defined business value drivers.

    2 Improve Your Inventory

    The Purpose

    Gather information on your applications to build a detailed inventory and identify areas of redundancy.

    Key Benefits Achieved

    Populated inventory based on your and your team’s current knowledge.

    Understanding of outstanding data and a plan to collect it.

    Activities

    2.1 Populate inventory.

    2.2 Assign business capabilities.

    2.3 Review outstanding data.

    Outputs

    Initial application inventory

    List of areas of redundancy

    Plan to collect outstanding data

    3 Gather Application Information

    The Purpose

    Work with the application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.

    Key Benefits Achieved

    Dispositions for individual applications

    Application rationalization framework

    Activities

    3.1 Assess business value.

    3.2 Assess end-user perspective.

    3.3 Assess TCO.

    3.4 Assess technical health.

    3.5 Assess redundancies.

    3.6 Determine dispositions.

    Outputs

    Business value score for individual applications

    End-user satisfaction scores for individual applications

    TCO score for individual applications

    Technical health scores for individual applications

    Feature-level assessment of redundant applications

    Assigned dispositions for individual applications

    4 Gather, Assess, and Select Dispositions

    The Purpose

    Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.

    Key Benefits Achieved

    Prioritized initiatives

    Initial application portfolio roadmap

    Ongoing structure of APM

    Activities

    4.1 Prioritize initiatives

    4.2 Populate roadmap.

    4.3 Determine ongoing APM cadence.

    4.4 Build APM action plan.

    Outputs

    Prioritized new potential initiatives.

    Built an initial portfolio roadmap.

    Established an ongoing cadence of APM activities.

    Built an action plan to complete APM activities.

    Further reading

    Application Portfolio Management Foundations

    Ensure your application portfolio delivers the best possible return on investment.

    Analyst Perspective

    You can’t outsource accountability.

    Many lack visibility into their overall application portfolio, focusing instead on individual projects or application development. Inevitably, application sprawl creates process and data disparities, redundant applications, and duplication of resources and stands as a significant barrier to business agility and responsiveness. The shift from strategic investment to application maintenance creates an unnecessary constraint on innovation and value delivery.

    With the rise and convenience of SAAS solutions, IT has an increasing need to discover and support all applications in the organization. Unmanaged and unsanctioned applications can lead to increased reputational risk. What you don’t know WILL hurt you.

    You can outsource development, you can even outsource maintenance, but you cannot outsource accountability for the portfolio. Organizations need a holistic dashboard of application performance and dispositions to help guide and inform planning and investment discussions. Application portfolio management (APM) can’t tell you why something is broken or how to fix it, but it is an important tool to determine if an application’s value and performance are up to your standards and can help meet your future goals.

    The image contains a picture of Hans Eckman.

    Hans Eckman
    Principal Research Director
    Info-Tech Research Group


    Is this research right for you?

    Research Navigation

    Managing your application portfolio is essential regardless of its size or whether your software is purchased or developed in house. Each organization must have some degree of application portfolio management to ensure that applications deliver value efficiently and that their risk or gradual decline in technical health is appropriately limited.

    Your APM goals

    If this describes your primary goal(s)

    • We are building a business case to determine where and if APM is needed now.
    • We want to understand how well supported are our business capabilities, departments, or core functions by our current applications.
    • We want to start our APM program with our core or critical applications.
    • We want to build our APM inventory for less than 150 applications (division, department, operating unit, government, small enterprise, etc.).
    • We want to start simple with a quick win for our 150 most important applications.
    • We want to start with an APM pilot before committing to an enterprise APM program.
    • We need to rationalize potentially redundant and underperforming applications to determine which to keep, replace, or retire.
    • We want to start enterprise APM, with up to 150 critical applications.
    • We want to collect and analyze detailed information about our applications.
    • We need tools to help us calculate total cost of ownership (TCO) and value.
    • We want to customize our APM journey and rationalization.
    • We want to build a formal communication strategy for our APM program.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Organizations consider application oversight a low priority and app portfolio knowledge is poor.
    • No dedicated or centralized effort to manage the app portfolio means no single source of truth is available to support informed decision making.
    • Organizations acquire more applications over time, creating redundancy, waste, and the need for additional support.
    • Organizations are more vulnerable to changing markets. Flexibility and growth are compromised when applications are unadaptable or cannot scale.
    • APM implies taking a holistic approach and compiling multiple priorities and perspectives.
    • Organizations have limited time to act strategically or proactively and need to be succinct.
    • Uncertainties on business value prevent IT from successfully advising software decision making.
    • IT knows its technical debt but struggles to get the business to act on technical risks.
    • Attempts at exposing these problems rarely gain buy-in and discourage the push for improvement.
    • Think low priority over no priority.
    • Integrate these tasks into your mixed workload.
    • Create an inventory built for better decision making.
    • Rationalize your apps in accordance with business priorities and communicate risks on their terms.
    • Create a roadmap that improves communication between those who own, manage, and support an application.
    • Build your APM process fit for size.

    Info-Tech Insight: You can’t outsource strategy.

    Modern software options have decreased the need for organizations to have robust in-house application management capabilities. Your applications’ future and governance of the portfolio still require a centralized IT oversight to ensure the best return on investment.

    The top IT challenges for SE come from app management

    #1 challenge small enterprise owners face in their use of technology:

    Taking appropriate security precautions

    24%

    The costs of needed upgrades to technology

    17%

    The time it takes to fix problems

    17%

    The cost of maintaining technology

    14%

    Lack of expertise

    9%

    Breaks in service

    7%
    Source: National Small Business Association, 2019

    Having more applications than an organization needs means unnecessarily high costs and additional burden on the teams who support the applications. Especially in the case of small enterprises, this is added pressure the IT team cannot afford.

    A poorly maintained portfolio will eventually hurt the business more than it hurts IT.

    Legacy systems, complex environments, or anything that leads to a portfolio that can’t adapt to changing business needs will eventually become a barrier to business growth and accomplishing objectives. Often the blame is put on the IT department.

    56%

    of small businesses cited inflexible technology as a barrier to growth

    Source: Salesforce as quoted by Tech Republic, 2019

    A hidden and inefficient application portfolio is the root cause of so many pains experienced by both IT and the business.

    • Demand/Capacity Imbalance
    • Overspending
    • Security and Business Continuity Risk
    • Delays in Delivery
    • Barriers to Growth

    APM comes at a justified cost

    The image contains a screenshot of a graph to demonstrate APM and the costs.

    The benefits of APM

    APM identifies areas where you can reduce core spending and reinvest in innovation initiatives.

    Other benefits can include:

    • Fewer redundancies
    • Less risk
    • Less complexity
    • Improved processes
    • Flexibility
    • Scalability

    APM allows you to better understand and set the direction of your portfolio

    Application Inventory

    The artifact that documents and informs the business of your application portfolio.

    Application Rationalization

    The process of collecting information and assessing your applications to determine recommended dispositions.

    Application Alignment

    The process of revealing application information through interviewing stakeholders and aligning to business capabilities.

    Application Roadmap

    The artifact that showcases the strategic directions for your applications over a given timeline.

    Application Portfolio Management (APM):

    The ongoing practice of:

    • Providing visibility into applications across the organization.
    • Recommending corrections or enhancements to decision makers.
    • Aligning delivery teams on priority.
    • Showcasing the direction of applications to stakeholders.

    Create a balanced approach to value delivery

    Enterprise Agility and Value Realization

    Product Lifecycle Management

    Align your product and service improvement and execution to enterprise strategy and value realization in three key areas: defining your products and services, aligning product/service owners, and developing your product vision.

    Product Delivery Lifecycle (Agile DevOps)

    Enhance business agility by leveraging an Agile mindset and continuously improving your delivery throughput, quality, value realization, and adaptive governance.

    Application Portfolio Management

    Transform your application portfolio into a cohesive service catalog aligned to your business capabilities by discovering, rationalizing, and modernizing your applications while improving application maintenance, management, and reuse.

    The image contains a screenshot of a Thought Model on the Application Department Strategy.


    The image contains a screenshot of a Thought Model on Accelerate Your Transition to Product Delivery.

    Every organization experiences some degree of application sprawl

    The image contains a screenshot of images to demonstrate application sprawl.

    Causes of Sprawl

    • Poor Lifecycle Management
    • Turnover & Lack of Knowledge Transfer
    • Siloed Business Units & Decentralized IT
    • Business-Managed IT
    • (Shadow IT)
    • Mergers & Acquisitions

    Problems With Sprawl

    • Redundancy and Inefficient Spending
    • Disparate Apps & Data
    • Obsolescence
    • Difficulties in Prioritizing Support
    • Barriers to Change & Growth

    Application Sprawl:

    Inefficiencies within your application portfolio are created by the gradual and non-strategic accumulation of applications.

    You have more apps than you need.

    Only 34% of software is rated as both IMPORTANT and EFFECTIVE by users.

    Source: Info-Tech’s CIO Business Vision

    Build your APM journey map

    The image contains screenshots of diagrams that reviews building your APM journey map.

    Application rationalization provides insight

    Directionless portfolio of applications

    Info-Tech’s Five Lens Model

    Assigned dispositions for individual apps

    The image contains a screenshot of an example of directionless portfolio of applications.

    Application Alignment

    Business Value

    Technical Health

    End-User Perspective

    Total Cost of Ownership (TCO)

    Maintain: Keep the application but adjust its support structure.

    Modernize: Create a new initiative to address an inadequacy.

    Consolidate: Create a new initiative to reduce duplicate functionality.

    Retire: Phase out the application.

    Disposition: The intended strategic direction or implied course of action for an application.

    How well do your apps support your core functions and teams?

    How well are your apps aligned to value delivery?

    Do your apps meet all IT quality standards and policies?

    How well do your apps meet your end users’ needs?

    What is the relative cost of ownership and operation of your apps?

    Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.

    APM is an iterative and evergreen process

    APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

    Determine Scope and categories Build your list of applications and capabilities Score each application based on your values Determine outcomes based on app scoring and support for capabilities

    1. Lay Your Foundations

    1.1 Assess the state of your current application portfolio.

    1.2 Determine narrative.

    1.3 Define goals and metrics.

    1.4 Define application categories.

    1.5 Determine APM steps and roles (SIPOC).

    2. Improve Your Inventory

    2.1 Populate your inventory.

    2.2 Align to business capabilities.

    *Repeat

    3. Rationalize Your Apps

    3.1 Assess business value.

    3.2 Assess technical health.

    3.3 Assess end-user perspective.

    3.4 Assess total cost of ownership.

    *Repeat

    4. Populate Your Roadmap

    4.1 Review APM Snapshot results.

    4.2 Review APM Foundations results.

    4.3 Determine dispositions.

    4.4 Assess redundancies (optional).

    4.5 Determine dispositions for redundant applications (optional).

    4.6 Prioritize initiatives.

    4.7 Determine ongoing cadence.

    *Repeat

    Repeat according to APM cadence and application changes

    Executive Brief Case Study

    INDUSTRY: Retail

    SOURCE: Deloitte, 2017

    Supermarket Company

    The grocer was a smaller organization for the supermarket industry with a relatively low IT budget. While its portfolio consisted of a dozen applications, the organization still found it difficult to react to an evolving industry due to inflexible and overly complex legacy systems.

    The IT manager found himself in a scenario where he knew the applications well but had little awareness of the business processes they supported. Application maintenance was purely in keeping things operational, with little consideration for a future business strategy.

    As the business demanded more responsiveness to changes, the IT team needed to be able to react more efficiently and effectively while still securing the continuity of the business.

    The IT manager found success by introducing APM and gaining a better understanding of the business use and future needs for the applications. The organization started small but then increased the scope over time to produce and develop techniques to aid the business in meeting strategic goals with applications.

    Results

    The IT manager gained credibility and trust within the organization. The organization was able to build a plan to move away from the legacy systems and create a portfolio more responsive to the dynamic needs of an evolving marketplace.

    The application portfolio management initiative included the following components:

    Train teams and stakeholders on APM

    Model the core business processes

    Collect application inventory

    Assign APM responsibilities

    Start small, then grow

    Info-Tech’s application portfolio management methodology

    1. Lay Your Foundations

    2. Improve Your Inventory

    3. Rationalize Your Apps

    4. Populate Your Roadmap

    Phase Activities

    1.1 Assess your current application portfolio

    1.2 Determine narrative

    1.3 Define goals and metrics

    1.4 Define application categories

    1.5 Determine APM steps and roles

    2.1 Populate your inventory

    2.2 Align to business capabilities

    3.1 Assess business value

    3.2 Assess technical health

    3.3 Assess end-user perspective

    3.4 Assess total cost of ownership

    4.1 Review APM Snapshot results

    4.2 Review APM Foundations results

    4.3 Determine dispositions

    4.4 Assess redundancies (optional)

    4.5 Determine dispositions for redundant applications (optional)

    4.6 Prioritize initiatives

    4.7 Determine ongoing APM cadence

    Phase Outcomes

    Work with the appropriate management stakeholders to:

    • Extract key business priorities.
    • Set your goals.
    • Define scope of APM effort.

    Gather information on your own understanding of your applications to build a detailed inventory and identify areas of redundancy.

    Work with application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.

    Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Application Portfolio Management Foundations Playbook

    Application Portfolio Management Snapshot and Foundations Tool

    This template allows you to capture your APM roles and responsibilities and build a repeatable process.

    This tool stores all relevant application information and allows you to assess your capability support, execute rationalization, and build a portfolio roadmap.

    The image contains screenshots of the Application Portfolio Management Foundations Playbook. The image contains screenshots of the Application Portfolio Management Snapshot and Foundations Tool.

    Key deliverable:

    Blueprint Storyboard

    This is the PowerPoint document you are viewing now. Follow this guide to understand APM, learn how to use the tools, and build a repeatable APM process that will be captured in your playbook.

    The image contains a screenshot of the blueprint storyboard.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI for on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Establish goals and foundations for your APM practice.

    Call #2:

    Initiate inventory and determine data requirements.

    Call #3:

    Initiate rationalization with group of applications.

    Call #4:

    Review result of first iteration and perform retrospective.

    Call #5:

    Initiate your roadmap and determine your ongoing APM practice.

    Note: The Guided Implementation will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our right-sized best practices in your organization. A typical GI, using our materials, is 3 to 6 calls over the course of 1 to 3 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    1. Lay Your Foundations

    2. Improve Your Inventory

    3. Rationalize Your Apps

    4. Populate Your Roadmap

    Post Workshop Steps

    Activities

    1.1 Assess your current
    application portfolio

    1.2 Determine narrative

    1.3 Define goals and metrics

    1.4 Define application categories

    1.5 Determine APM steps and roles

    2.1 Populate your inventory

    2.2 Align to business capabilities

    3.1 Assess business value

    3.2 Assess technical health

    3.3 Assess end-user perspective

    3.4 Assess total cost of ownership

    4.1 Review APM Snapshot results

    4.2 Review APM Foundations results

    4.3 Determine dispositions

    4.4 Assess redundancies (optional)

    4.5 Determine dispositions for redundant applications (optional)

    4.6 Prioritize initiatives

    4.7 Determine ongoing APM cadence

    • Complete in-progress deliverables from the previous four days.
    • Set up review time for workshop deliverables and to discuss the next steps.

    Outcomes

    Work with the appropriate management stakeholders to:

    1. Extract key business priorities
    2. Set your goals
    3. Agree on key terms and set the scope for your APM effort

    Work with your applications team to:

    1. Build a detailed inventory
    2. Identify areas of redundancy

    Work with the SMEs for a subset of applications to:

    1. Define your rationalization criteria, descriptions, and scoring
    2. Evaluate each application using rationalization criteria

    Work with application delivery specialists to:

    1. Determine the appropriate disposition for your apps
    2. Build an initial application portfolio roadmap
    3. Establish an ongoing cadence of APM activities

    Info-Tech analysts complete:

    1. Workshop report
    2. APM Snapshot and Foundations Toolset
    3. Action plan

    Note: The workshop will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

    Workshop Options

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Outcomes

    1-Day Snapshot

    3-Day Snapshot and Foundations (Key Apps)

    4-Day Snapshot and Foundations (Pilot Area)

    APM Snapshot

    • Align applications to business capabilities
    • Evaluate application support for business capabilities

    APM Foundations

    • Define your APM program and cadence
    • Rationalize applications using weighted criteria
    • Define application dispositions
    • Build an application roadmap aligned to initiatives

    Establish APM practice with a small sample set of apps and capabilities.

    Establish APM practice with a pilot group of apps and capabilities.

    Blueprint Pre-Step: Get the right stakeholders to the right exercises

    The image contains four steps and demonstrates who should be handling each exercise. 1. Lay Your Foundations, is to be handled by the APM Lead/Owner and the Key Corporate Stakeholders. 2. Improve Your Inventory, is to be handled by the APM Lead/Owner and the Applications Subject Matter Experts. 3. Rationalize Your Apps, is to be handled by the APM Lead/Owner, the Applications Subject Matter Experts, and the Delivery Leads. 4. Populate Your Roadmap, is to be handled by the APM Lead/Owner, the Key Corporate Stakeholders, and the Delivery Leads.

    APM Lead/Owner (Recommended)

    ☐ Applications Lead or the individual responsible for application portfolio management, along with any applications team members, if available

    Key Corporate Stakeholders

    Depending on size and structure, participants could include:

    ☐ Head of IT (CIO, CTO, IT Director, or IT Manager)

    ☐ Head of shared services (CFO, COO, VP HR, etc.)

    ☐ Compliance Officer, Steering Committee

    ☐ Company owner or CEO

    Application Subject Matter Experts

    Individuals who have familiarity with a specific subset of applications

    ☐ Business owners (product owners, Head of Business Function, power users)

    ☐ Support owners (Operations Manager, IT Technician)

    Delivery Leads

    ☐ Development Managers

    ☐ Solution Architects

    ☐ Project Managers

    Understand your APM tools and outcomes

    1.Diagnostic The image contains a screenshot of the diagnostic APM tool.

    5. Foundations: Chart

    The image contains a screenshot of the Foundations: Chart APM tool.

    2. Data Journey

    The image contains a screenshot of the data journey APM tool.

    6. App Comparison

    The image contains a screenshot of the App Comparison APM tool.

    3. Snapshot

    The image contains a screenshot of the snapshot APM tool.

    7. Roadmap

    The image contains a screenshot of the Roadmap APM tool.

    4. Foundations: Results

    The image contains a screenshot of the Foundations: Results APM Tool.

    Examples and explanations of these tools are located on the following slides and within the phases where they occur.

    Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

    The image contains a screenshot of the APM Diagnostic Tool.

    One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

    APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Interpreting your APM Snapshot results

    The image contains a screenshot of the APM snapshots results.

    Interpreting your APM Foundations results

    The image contains a screenshot of the APM Foundations results.

    Interpreting your APM Foundations chart

    The image contains a screenshot of the APM Foundations chart.

    Compare application groups

    Group comparison can be used for more than just redundant/overlapping applications.

    The image contains a screenshot of images that demonstrate comparing application groups.

    Apply Info-Tech’s 6 R’s Rationalization Disposition Model

    The image contains a screenshot of Info-Tech's 6 R's Rationalization Disposition Model.

    Disposition

    Description

    Reward

    Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented.

    Refresh

    Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction.

    Refocus

    Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned.

    Replace

    Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement.

    Remediate

    Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue.

    Retire

    Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

    TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

    Populate roadmap example

    The image contains an example of the populate roadmap.

    ARE YOU READY TO GET STARTED?

    Phase 1

    Lay Your Foundations

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    Applications Lead

    Key Corporate Stakeholders

    Additional Resources

    APM supports many goals

    Building an APM process requires a proper understanding of the underlying business goals and objectives of your organization’s strategy. Effectively identifying these drivers is paramount to gaining buy-in and the approval for any changes you plan to make to your application portfolio.

    After identifying these goals, you will need to ensure they are built into the foundations of your APM process.

    “What is most critical?” but also “What must come first?”

    Discover

    Improve

    Transform

    Collect Inventory

    Uncover Shadow IT

    Uncover Redundancies

    Anticipate Upgrades

    Predict Retirement

    Reduce Cost

    Increase Efficiency

    Reduce Applications

    Eliminate Redundancy

    Limit Risk

    Improve Architecture

    Modernize

    Enable Scalability

    Drive Business Growth

    Improve UX

    Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

    The image contains a screenshot of the APM Diagnostic Tool.

    One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

    1.1 Assess your current application portfolio with Info-Tech’s diagnostic tool

    Estimated time: 1 hour

    1. This tool provides visibility into your application portfolio and APM practices.
    2. Based on your assessment, you should gain a better understanding of whether the appropriate next steps are in application discovery, rationalization, or roadmapping.
    3. Complete the “Data Entry” worksheet in the Application Portfolio Management Diagnostic Tool (Excel).
    4. Review the “Results” worksheet to help inform and guide your next steps.

    Download the Application Portfolio Management Diagnostic Tool

    Input Output
    • Current APM program
    • Application landscape
    • APM current-state assessment
    Materials Participants
    • Application Portfolio Management Diagnostic Tool
    • Applications Lead

    1.1 Understanding the diagnostic results

    • Managed Apps are your known knowns and most of your portfolio.
    • Unmanaged and Unsanctioned Apps are known but have unknown risks and compliance. Bring these under IT support.
    • Unknown Apps are high risk and noncompliant. Prioritize these based on risk, cost, and use.
    The image contains a screenshot of the diagnostic APM tool.
    • APM is more than an inventory and assessment. A strong APM program provides ongoing visibility and insights to drive application improvement and value delivery.
    • Use your Sprawl Factors to identify process and organizational gaps that may need to be addressed.
    • Your APM inventory is only as good as the information in it. Use this chart to identify gaps and develop a path to define missing information.
    • APM is an iterative process. Use this state assessment to determine where to focus most of your current effort.

    Understand potential motivations for APM

    The value of APM is defined by how the information will be used to drive better decisions.

    Portfolio Governance

    Transformative Initiatives

    Event-Driven Rationalization

    Improves:

    • Spending efficiency
    • Risk
    • Retirement of aged and low-value applications
    • Business enablement

    Impact on your rationalization framework:

    • Less urgent
    • As rigorous as appropriate
    • Apply in-depth analysis as needed

    Enables:

    • Data migration or harmonization
    • Legacy modernization
    • Infrastructure/cloud migration
    • Standardizing platforms
    • Shift to cloud and SAAS

    Impact on your rationalization framework:

    • Time sensitive
    • Scope on impacted areas
    • Need to determine specific dispositions
    • Outcomes need to include detailed and actionable steps

    Responds to:

    • Mergers and acquisitions
    • Regulatory and compliance change
    • New applications
    • Application retirement by vendors
    • Changes in business operations
    • Security risks and BC/DR

    Impact on your rationalization framework:

    • Time constrained
    • Lots of discovery work
    • Primary focus on duplication
    • Increased process and system understanding

    Different motivations will influence the appropriate approach to and urgency of APM or, specifically, rationalizing the portfolio. When rationalizing is directly related to enabling or in response to a broader initiative, you will need to create a more structured approach with a formal budget and resources.

    1.2 Determine narrative

    Estimated time: 30 minutes-2 hours

    1. Open the “Narrative” tab in the APM Snapshot and Foundations Tool.
    2. Start by listing your prevailing IT pain points with the application portfolio. These will be the issues experienced predominantly by the IT team and not necessarily by the stakeholders. Be sure to distinguish pain points from their root causes.
    3. Determine an equivalent business pain point for each IT pain point. This should be how the problem manifests itself to business stakeholders and should include potential risks to the organization is exposed to.
    4. Determine the business goal for each business pain point. Ideally, these are established organizational goals that key decision-makers will recognize. These goals should address the business pain points you have documented.
    5. Determine the technical objective for each business goal. These speak to the general corrections or enhancements to the portfolio required to accomplish the business goals.
    6. Use the “Narrative - Matrix” worksheet to group items into themes if needed.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Familiarity with application landscape
    • Organizational context and strategic artifacts
    • Narrative for application portfolio transformation
    Materials Participants
    • APM Snapshot and Foundations Tool
    • Application Portfolio Manager

    Connect your pains to what the business cares about to find the most effective narrative

    Root Cause

    IT Pain Points

    Business Pain Points

    Business Goals

    Narrative

    Technical Objectives

    Sprawl

    Shadow IT/decentralized oversight

    Neglect over time

    Poor delivery processes

    Back-End Complexity

    Disparate Data/Apps

    Poor Architectural Fit

    Redundancy

    Maintenance Demand/
    Resource Drain

    Low Maintainability

    Technical Debt

    Legacy, Aging, or Expiring Apps

    Security Vulnerabilities

    Unsatisfied Customers

    Hurdles to Growth/Change

    Poor Business Analytics

    Process Inefficiency

    Software Costs

    Business Continuity Risk

    Data Privacy Risk

    Data/IP Theft Risk

    Poor User Experience

    Low-Value Apps

    Scalability

    Flexibility/Agility

    Data-Driven Insights

    M&A Transition

    Business Unit Consolidation/ Centralization

    Process Improvement

    Process Modernization

    Cost Reduction

    Stability

    Customer Protection

    Security

    Employee Enablement

    Business Enablement

    Innovation

    Create Strategic Alignment

    Identify specific business capabilities that are incompatible with strategic initiatives.

    Reduce Application Intensity

    Highlight the capabilities that are encumbered due to functional overlaps and complexity.

    Reduce Software Costs

    Specific business capabilities come at an unnecessarily or disproportionately high cost.

    Mitigate Business Continuity Risk

    Specific business capabilities are at risk of interruption or stoppages due to unresolved back-end issues.

    Mitigate Security Risk

    Specific business capabilities are at risk due to unmitigated security vulnerabilities or breaches.

    Increase Satisfaction Applications

    Specific business capabilities are not achieving their optimal business value.

    Platform Standardization

    Platform Standardization Consolidation

    Data Harmonization

    Removal/Consolidation of Redundant Applications

    Legacy Modernization

    Application Upgrades

    Removal of Low-Value Applications

    1.3 Define goals and metrics

    Estimated time: 1 hour

    1. Determine the motivations behind APM. You may want to collect and review any of the organization’s strategic documents that provide additional context on previously established goals.
    2. With the appropriate stakeholders, discuss the goals of APM. Try to label your goals as either:
      1. Short term: Refers to immediate goals used to represent the progress of APM activities. Likely these goals are more IT-oriented
      2. Long term: Refers to broader and more distant goals more related to the impact of APM. These goals tend to be more business-oriented.
    3. To help clearly define your goals, discuss appropriate metrics for each goal. Often these metrics can be expressed as:
      1. Leading indicators: Metrics used to gauge the success of your short-term goals and the progress of APM activities.
      2. Lagging indicators: Metrics used to gauge the success of your long-term goals.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Overarching organizational strategy
    • IT strategy
    • Defined goals and metrics for APM
    Materials Participants
    • Whiteboard
    • Markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.3 Define goals and metrics: Example

    Goals

    Metric

    Target

    Short Term

    Improve ability to inform the business

    Leading Indicators

    • Application inventory with all data fields completed
    • Applications with recommended dispositions
    • 80% of portfolio

    Improve ownership of applications

    • Applications with an assigned business and technical owner
    • 80% of portfolio

    Reduce costs of portfolio

    • TCO of full application portfolio
    • The number of recovered/avoided software licenses from retired apps
    • Reduce by 5%
    • $50,000

    Long Term

    Migrate platform

    Lagging Indicators

    • Migrate all applications
    • Total value change in on-premises apps switched to SaaS
    • 100% of applications
    • Increase 50%

    Improve overall satisfaction with portfolio

    • End-user satisfaction rating
    • Increase 25%

    Become more customer-centric

    • Increased sales
    • Increased customer experience
    • Increase 35%

    “Application” doesn’t have the same meaning to everyone

    The image contains a picture of Martin Fowler.

    Code: A body of code that's seen by developers as a single unit.

    Functionality: A group of functionality that business customers see as a single unit.

    Funding: An initiative that those with the money see as a single budget.

    ?: What else?

    “Essentially applications are social constructions.

    Source: Martin Fowler

    APM focuses on business applications.

    “Software used by business users to perform a business function.”

    – ServiceNow, 2020

    Unfortunately, that definition is still quite vague.

    You must set boundaries and scope for “application”

    1. Many individual items can be considered applications on their own or components within or associated with an application.

    2. Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.

    Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.

    • Interface
    • Software Component
    • Supporting Software
    • Platform
    • Presentation Layer
    • Middleware
    • Micro Service
    • Database
    • UI
    • API
    • Data Access/ Transfer/Load
    • Operating System

    Apps can be categorized by generic categories

    • Enterprise Applications
    • Unique Function-Specific Applications
    • Productivity Tools
    • Customer-Facing Applications
    • Mobile Applications

    Apps can be categorized by bought vs. built or install types

    • Custom
    • On-Prem
    • Off the Shelf
    • SaaS
    • Hybrid
    • End-User-Built Tools

    Apps can be categorized by the application family

    • Parent Application
    • Child Application
    • Package
    • Module
    • Suite
    • Component (Functional)

    Apps can be categorized by the group managing them

    • IT-Managed Applications
    • Business-Managed Applications (Shadow IT)
    • Partner/External Applications

    Apps can be categorized by tiers

    • Mission Critical
    • Tier 2
    • Tier 3

    Set boundaries on what is an application or the individual unit that you’re making business decisions on. Also, determine which categories of applications are in scope and how they will be included in the activities and artifacts of APM. Use your product families defined in Deliver Digital Products at Scale to help define your application categories, groups, and boundaries.

    1.4 Define application categories

    Estimated time: 1 hour

    1. Review the items listed on the previous slide and consider what categories provide the best initial grouping to help organize your rationalization and dispositions. Update the category list to match your application groupings.
    2. Identify the additional categories you need to manage in your application portfolio.
    3. For each category, establish or modify a description or definition and provide examples that exist in your current portfolio.
    4. For each category, answer:
      1. Will these be documented in the application inventory?
      2. Will these be included in application rationalization? Think about if this item will be assigned a TCO, value score, and, ultimately, a disposition.
      3. Will these be listed in the application portfolio roadmap?
    5. If you completed Deliver Digital Products at Scale, use your product families to help define your application categories.

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Working list of applications
    • Definitions and guidelines for which application categories are in scope for APM
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.4 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    1.4 Define application categories: Example

    Category

    Definition/Description

    Examples

    Documented in your application inventory?

    Included in application rationalization?

    Listed in your application portfolio roadmap?

    Business Application

    End-user facing applications that directly enable specific business functions. This includes enterprise-wide and business-function-specific applications. Separate modules will be considered a business application when appropriate.

    ERP system, CRM software, accounting software

    Yes

    Yes. Unless currently in dev. TCO of the parent application will be divided among child apps.

    Yes

    Software Components

    Back-end solutions are self-contained units that support business functions.

    ETL, middleware, operating systems

    No. Documentation in CMDB. These will be listed as a dependency in the application inventory.

    No. These will be linked to a business app and included in TCO estimates and tech health assessments.

    No

    Productivity Tools

    End-user-facing applications that enable standard communication of general document creation.

    MS Word, MS Excel, corporate email

    Yes

    No

    Yes

    End-User- Built Microsoft Tools

    Single instances of a Microsoft tool that the business has grown dependent on.

    Payroll Excel tool, Access databases

    No. Documentation in Business Tool Glossary.

    No No

    Partner Applications

    Partners or third-party applications that the business has grown dependent on but are internally owned or managed.

    Supplier’s ERP portal, government portal

    No No

    Yes

    Shadow IT

    Business-managed applications.

    Downloaded tools

    Yes

    Yes. However, just from a redundancy perspective.

    Yes

    The roles in APM rarely exist; you need to adapt

    Application Portfolio Manager

    • Responsible for the health and evolution of the application portfolio.
    • Facilitates the rationalization process.
    • Compiles and assesses application information and recommends and supports key decisions regarding the direction of the applications.
    • This is rarely a dedicated role even in large enterprises. For small enterprises, this should be an IT employee at a manager level – an IT manager or operations manager.

    Business Owner

    • Responsible for managing individual applications on a functional level and approves and prioritizes projects.
    • Provides business process or functional subject matter expertise for the assessment of applications.
    • For small enterprises, this role is rarely defined, but the responsibility should exist. Consider the head of a business unit or a process owner as the owner of the application.

    Support Owner

    • Responsible for the maintenance and management of individual applications.
    • Provides technical information and subject matter expertise for the assessment of an application.
    • For small enterprises, this would be those responsible for maintaining the application and those responsible for its initial implementation. Often support responsibilities are external, and this role will be more of a vendor manager.

    Project Portfolio Manager

    • Responsible for intake, planning, and coordinating the resources that deliver any changes.
    • The body that consumes the results of rationalization and begins planning any required action or project.
    • For small enterprises, the approval process can come from a steering committee but it is often less formal. Often a smaller group of project managers facilitates planning and coordination and works closely with the delivery leads.

    Corner-of-the-Desk Approach

    • No one is explicitly dedicated to building a strategy or APM practices.
    • Information is collected whenever the applications team has time available.
    • Benefits are pushed out and the value is lost.

    Dedicated Approach

    • The initiative is given a budget and formal agenda.
    • Roles and responsibilities are assigned to team members.

    The high-level steps of APM present some questions you need to answer

    Build Inventory

    Create the full list of applications and capture all necessary attributes.

    • Who will build the inventory?
    • Do you know all your applications (Shadow IT)?
    • Do you know your applications’ functionality?
    • Do you know where your applications overlap?
    • Who do you need to consult with to fill in the gaps?
    • Who will provide specific application information?

    Collect & Compile

    Engage with appropriate SMEs and collect necessary data points for rationalization.

    • Who will collect and compile the data points for rationalization?
    • What are the specific data points?
    • Are some of the data points currently documented?
    • Who will provide specific data points on technical health, cost, performance, and business value?
    • Who will determine what business value is?

    Assess & Recommend

    Apply rationalization framework and toolset to determine dispositions.

    • Who will apply a rationalization tool or decision-making framework to generate dispositions for the applications?
    • Who will modify the tool or framework to ensure results align to the goals of the organization?
    • Who will define any actions or projects that result from the rationalization? And who needs to be consulted to assess the feasibility of any potential project?

    Validate & Roadmap

    Present dispositions for validation and communicate any decisions or direction for applications.

    • Who will present the recommended disposition, corrective action, or new project to the appropriate decision maker?
    • Who is the appropriate decision maker for application changes or project approval?
    • What format is recommended (idea, proposal, business case) and what extra analysis is required?
    • Who needs to be consulted regarding the potential changes?

    1.5 Determine APM steps and roles (SIPOC)

    Estimated time: 1-2 hours

    1. Begin by comparing Info-Tech’s list of common APM roles to the roles that exist in your organization with respect to application management and ownership.
    2. There are four high-level steps for APM: build inventory, collect & compile, assess & recommend, and validate & roadmap. Apply the SIPOC (Supplier, Input, Process, Output, Customer) model by completing the following for each step:
      1. In the Process column, modify the description, if necessary. Identify who is responsible for performing the step.
      2. In the Inputs column, modify the list of inputs.
      3. In the Suppliers column, identify who must be included to provide the inputs.
      4. In the Outputs column, modify the list of outputs.
      5. In the Customers column, identify who consumes the outputs.
    3. (Optional) Outline how the results of APM will be consumed. For example, project intake or execution, data or platform migration, application or product management, or whichever is appropriate.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Existing function and roles regarding application delivery, management, and ownership
    • Scope of APM
    • Responsibilities assigned to your roles
    Materials Participants
    • Whiteboard and markers
    • “Supporting Activities – SIPOC” worksheet in the APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.5 Determine steps and roles

    Suppliers

    Inputs

    Process

    Outputs

    Customers

    • Applications Manager
    • Operations Manager
    • Business Owners
    • IT Team
    • List of applications
    • Application attributes
    • Business capabilities

    Build Inventory

    Create the full list of applications and capture all necessary attributes.

    Resp: Applications Manager & IT team member

    • Application inventory
    • Identified redundancies
    • Whole organization
    • Applications SMEs
    • Business Owners
    • Support Owners & Team
    • End Users
    • Application inventory
    • Existing documentation
    • Additional collection methods
    • Knowledge of business value, cost, and performance for each application

    Collect & Compile

    Engage with appropriate SMEs and collect necessary data points for rationalization.

    Resp: IT team member

    • Data points of business value, cost, and performance for each application
    • Applications Manager
    • Applications Manager
    • Defined application rationalization framework and toolset
    • Data points of business value, cost, and performance for each application

    Assess & Recommend

    Apply rationalization framework and toolset to determine dispositions.

    Resp: Applications Manager

    • Assigned disposition for each application
    • New project ideas for applications
    • Business Owners
    • Steering Committee
    • Business Owners
    • Steering Committee
    • Assigned disposition for each application
    • New project ideas for applications
    • Awareness of goals and priorities
    • Awareness of existing projects and resources capacity

    Validate & Roadmap

    Present dispositions for validation and communicate any decisions or direction for applications.

    Resp: Applications Manager

    • Application portfolio roadmap
    • Confirmed disposition for each application
    • Project request submission
    • Whole organization
    • Applications Manager
    • Solutions Engineer
    • Business Owner
    • Project request submission
    • Estimated cost
    • Estimated value or ROI

    Project Intake

    Build business case for project request.

    Resp: Project Manager

    • Approved project
    • Steering Committee

    Planning your APM modernization journey steps

    Discovery Rationalization Disposition Roadmap

    Enter your pilot inventory.

    • Optional Snapshot: Populate your desired snapshot grouping lists (departments, functions, groups, capabilities, etc.).

    Score your pilot apps to refine your rationalization criteria and scoring.

    • Score 3 to 9 apps to adjust and get comfortable with the scoring.
    • Validate scoring with the remaining apps in your pilot group. Refine and finalize the criteria and scoring descriptions.
    • Optional Snapshot: Use the Group Alignment Matrix to match your grouping list to select which apps support each grouping item.

    Determine recommended disposition for each application.

    • Review and adjust the disposition recommendations on the “Disposition Options” worksheet and set your pass/fail threshold.
    • Review your apps on the “App Rationalization Results” worksheet. Update (override) the recommended disposition and priority if needed.

    Populate your application roadmap.

    • Indicate programs, projects, initiatives, or releases that are planned for each app.
    • Update the priority based on the initiative.
    • Use the visual roadmap to show high-level delivery phases.

    Phase 2

    Improve Your Inventory

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    • Applications Lead
    • Applications Team

    Additional Resources

    Document Your Business Architecture

    Industry Reference Architectures

    Application Capability Template

    Pre-step: Collect your applications

    1. Consult with your IT team and leverage any existing documentation to gather an initial list of your applications.
    2. Build an initial working list of applications. This is just meant to be a starting point. Aim to include any new applications in procurement, implementation, or development.
    3. The rationalization and roadmapping phases are best completed when iteratively focusing on manageable groups of applications. Group your applications into subsets based on shared subject matter experts. Likely this will mean grouping applications by business units.
    4. Select a subset to be the first group of applications that will undergo the activities of rationalization and roadmapping to refine your APM processes, scoring, and disposition selection.

    Info-Tech Best Practice

    The more information you plan to capture, the larger the time and effort, especially as you move along toward advanced and strategic items. Capture the information most aligned to your objectives to make the most of your investment.

    If you completed Deliver Digital Products at Scale, use your product families and products to help define your applications.

    Learn more about automated application discovery:
    High Application Satisfaction Starts With Discovering Your Application Inventory

    Discover your applications

    The image contains a screenshot of examples of applications that support APM.

    2.1 Populate your inventory

    Estimated time: 1-4 hours per group

    1. Review Info-Tech’s list of application inventory attributes.
    2. Open the “Application Inventory Details” tab of the APM Snapshot and Foundations Tool. Modify, add, or omit attributes.
    3. For each application, populate your prioritized data fields or any fields you know at the time of discovery. You will complete all the fields in future iterations.
    4. Complete this the best you can based on your team’s familiarity and any readily available documentation related to these applications.
    5. Use the drop-down list to select Enabling, Redundant/Overlapping, and Dependent apps. This will be used to help determine dispositions and comparisons.
    6. Highlight missing information or placeholder values that need to be verified.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Working list of applications
    • Determined attributes for inventory
    • Populated inventory
    Materials Participants
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    2.1 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Why is the business capability so important?

    For the purposes of an inventory, business capabilities help all stakeholders gain a sense of the functionality the application provides.

    However, the true value of business capability comes with rationalization.

    Upon linking all the organization’s applications to a standardized and consistent set of business capabilities, you can then group your applications based on similar, complementary, or overlapping functionality. In other words, find your redundancies and consolidation opportunities.

    Important Consideration

    Defining business capabilities and determining the full extent of redundancy is a challenging undertaking and often is a larger effort than APM all together.

    Business capabilities should be defined according to the unique functions and language of your organization, at varying levels of granularity, and ideally including target-state capabilities that identify gaps in the future strategy.

    This blueprint provides a simplified and generic list for the purpose of categorizing similar functionality. We strongly encourage exploring Document Your Business Architecture to help in the business capability defining process, especially when visibility into your portfolio and knowledge of redundancies is poor.

    The image contains a screenshot of the business capability scenarios.

    For a more detailed capability mapping, use the Application Portfolio Snapshot and the worksheets in your current workbook.

    What is a business capability map?

    The image contains a screenshot of a business capability map.

    A business capability map (BCM) is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals. Business capabilities are the building blocks of the enterprise. They are typically defined at varying levels of granularity and include target-state capabilities that identify gaps in the future strategy. These are the people, process, and tool units that deliver value to your teams and customers.

    Info-Tech’s Industry Coverage and Reference Architectures give you a head start on producing a BCM fit for your organization. The visual to the left is an example of a reference architecture for the retail industry.

    These are the foundational piece for our Application Portfolio Snapshot. By linking capabilities to your supporting applications, you can better visualize how the portfolio supports the organization at a single glance. More specifically, you can highlight how issues with the portfolio are impacting capability delivery.

    Reminder: Best practices imply that business capabilities are methodologically defined by business stakeholders and business architects to capture the unique functions and language of your organization.

    The approach laid out in this service is about applying minimal time and effort to make the case for proper investment into the best practices, which can include creating a tailored BCM. Start with a good enough example to produce a useful visual and generate a positive conversation toward resourcing and analyses.

    We strongly encourage exploring Document Your Business Architecture and the Application Portfolio Snapshot to understand the thorough methods and tactics for BCM.

    Why perform a high-level application alignment before rationalization?

    Having to address redundancy complicates the application rationalization process. There is no doubt that assessing applications in isolation is much easier and allows you to arrive at dispositions for your applications in a timelier manner.

    Rationalization has two basic steps: first, collect and compile information, and second, analyze that information and determine a disposition for each application. When you don’t have redundancy, you can analyze an application and determine a disposition in isolation. When you do have redundancies, you need to collect information for multiple applications, likely across departments or lines of business, then perform a comparative analysis.

    Most likely your approach will fall somewhere between the examples below and require a hybrid approach.

    Benefits of a high-level application alignment:

    • Review the degree of redundancy across your portfolio.
    • Understand the priority areas for rationalization and the sequence of information collection.

    The image contains a screenshot of a timeline of rationalization effort.

    2.2 Align apps to capabilities and functions

    Estimated time: 1-4 hours per grouping

    The APM tool provides up to three different grouping comparisons to assess how well your applications are supporting your enterprise. Although business capabilities are important, identify your organizational perspectives to determine how well your portfolio supports these functions, departments, or value streams. Each grouping should be a consistent category, type, or arrangement of applications.

    1. Enter the business capabilities, from either your own BCM or the Info-Tech reference architectures, into the Business Capability column under Grouping 1.
    2. Open the “Group 1 Alignment Matrix” worksheet in the APM Snapshot and Foundations Tool.
    3. For each application’s row, enter an “X” in the column of a capability that the application supports.
    4. Optionally, repeat these steps under Grouping 2 and 3 for each value stream, department, function, or business unit where you’d like to assess application support. Note: To use Grouping 3, unhide the columns on the “Application and Group Lists” worksheet and unhide the worksheet “Grouping 3 Alignment Matrix.”

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Application inventory
    • List of business capabilities, Info-Tech Reference Architecture capabilities, departments, functions, divisions, or value streams for grouping comparison
    • Assigned business capabilities to applications
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    2.2 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    2.2 Aligning applications to groups example

    Alignment Matrix: Identify applications supporting each capability or function.

    Capability, Department, or Function 1

    Capability, Department, or Function 2

    Capability, Department, or Function 3

    Capability, Department, or Function 4

    Capability, Department, or Function 5

    Capability, Department, or Function 6

    Application A

    x

    Application B

    x

    Application C

    x

    Application D

    x

    Application E

    x x

    Application F

    x

    Application G

    x

    Application H

    x

    Application I

    x

    Application J

    x

    In this example:

    BC 1 is supported by App A

    BC 2 is supported by App B

    BC 3 is supported by Apps C & D

    BCs 4 & 5 are supported by App E

    BC 6 is supported by Apps F-G. BC 6 shows an example of potential redundancy and portfolio complexity.

    The APM tool supports three different Snapshot groupings. Repeat this exercise for each grouping.

    Align application to capabilities – tool view

    The image contains screenshots of the align application to capabilities - tool view

    Phase 3

    Rationalize Your Applications

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    • Applications Lead
    • Application SMEs

    Additional Resources

    Phase pre-step: Sequence rationalization assessments appropriately

    Use the APM Snapshot results to determine APM iterations

    • Application rationalization requires an iterative approach.
    • Review your application types and alignment from Phase 2 to begin to identify areas of overlapping or redundant applications.
    • Sequence the activities of Phase 3 based on whether you have a:
      • Redundant Portfolio
        • Use the APM Snapshot to prioritize analysis by grouping.
        • Complete the application functional analysis.
        • Use the “Application Comparison” worksheet to aid your comparison of application subsets.
        • Update application dispositions and roadmap initiatives.
      • Non-Redundant Portfolio
        • Use the APM Snapshot to prioritize analysis by grouping.
        • Update application dispositions and roadmap initiatives.

    The image contains a screenshot of a timeline of rationalization effort.

    Phase pre-step: Are the right stakeholders present?

    Make sure you have the right people at the table from the beginning.

    • Application rationalization requires specific stakeholders to provide specific data points.
    • Ensure your application subsets are grouped by shared subject matter experts. Ideally, these are grouped by business units.
    • For each subset, identify the appropriate SMEs for the five areas of rationalization criteria.
    • Communicate and schedule interviews with groups of stakeholders. Inform them of additional information sources to have readily available.
    • (Optional) This phase’s activities follow the clockwise sequence of the diagram to the right. Reorder the sequence of activities based on overlaps of availability in subject matter expertise.

    Application

    Rationalization

    Additional Information Sources

    Ideal Stakeholders

    • KPIs

    Business Value

    • Business Application/Product Owners
    • Business Unit/ Process Owners
    • Survey Results

    End User

    • Business Application/ Product Owners
    • Key/Power Users
    • End Users
    • General Ledger
    • Service Desk
    • Vendor Contracts

    TCO

    • Operations/Maintenance Manager
    • Vendor Managers
    • Finance & Acct.
    • Service Desk
    • ALM Tools

    Technical Health

    • Operations/ Maintenance Manager
    • Solution Architect
    • Security Manager
    • Dev. Manager
    • Capability Maps
    • Process Maps

    Application Alignment

    • Business Unit/ Process Owners

    Rationalize your applications

    The image contains screenshots of diagrams that reviews building your APM journey map.

    One of the principal goals of application rationalization is determining dispositions

    Disposition: The intended strategic direction or course of action for an application.

    Directionless portfolio of applications

    Assigned dispositions for individual apps

    High-level examples:

    The image contains a screenshot of an image that demonstrates a directionless portfolio of applications.

    Maintain: Keep the application but adjust its support structure.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Modernize: Create a new project to address an inadequacy.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Consolidate: Create a new project to reduce duplicate functionality.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Retire: Phase out the application.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Application rationalization provides insight

    Directionless portfolio of applications

    Info-Tech’s Five Lens Model

    Assigned dispositions for individual apps

    The image contains a screenshot of an example of directionless portfolio of applications.

    Application Alignment

    Business Value

    Technical Health

    End-User Perspective

    Total Cost of Ownership (TCO)

    Maintain: Keep the application but adjust its support structure.

    Modernize: Create a new initiative to address an inadequacy.

    Consolidate: Create a new initiative to reduce duplicate functionality.

    Retire: Phase out the application.

    Disposition: The intended strategic direction or implied course of action for an application.

    How well do your apps support your core functions and teams?

    How well are your apps aligned to value delivery?

    Do your apps meet all IT quality standards and policies?

    How well do your apps meet your end users’ needs?

    What is the relative cost of ownership and operation of your apps?

    Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.

    Disposition: The intended strategic direction or implied course of action for an application.

    3.1-3.4 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Assessing application business value

    The Business Business Value of Applications IT
    Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the applications. Technical subject matter experts of the applications they deliver and maintain. Each IT function works together to ensure quality applications are delivered to stakeholder expectations.

    First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization.

    This will then allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.

    In this context…business value is the value of the business outcome that the application produces and how effective the application is at producing that outcome.

    Business value IS NOT the user’s experience or satisfaction with the application.

    Review the value drivers of your applications

    The image contains a screenshot of a the business value matrix.

    Financial vs. Human Benefits

    Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.

    Human benefits refer to how an application can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward orientation refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.

    Outward orientation refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Increased Revenue

    Reduced Costs

    Enhanced Services

    Reach Customers

    Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

    Reduction of overhead. The ways in which an application limits the operational costs of business functions.

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    3.1 Assess business value

    Estimated time: 1 -4 hours

    1. Review Info-Tech’s four quadrants of business value: increase revenue/value, reduce costs, enhance services, and reach customers. Edit your value drivers, description, and scoring on the “Rationalization Inputs” worksheet. For each value driver, update the key indicators specific to your organization’s priorities. When editing the scoring descriptions, keep only the one you are using.
    2. (Optional) Add an additional value driver if your organization has distinct value drivers (e.g. compliance, sustainability, innovation, and growth).
    3. For each application, score on a scale of 0 to 5 how impactful the application is for each value driver. Use the indicators set in Phase 1 to guide your scoring.
    4. For each value driver, adjust the criteria weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Knowledge of organizational priorities
    • (Optional) Existing mission, vision, and value statements
    • Scoring scheme for assessing business value
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    3.1 Weigh value drivers: Example

    The image contains a screenshot example of the weigh value drivers.

    For additional support in implementing a balanced value framework, refer to Build a Value Measurement Framework.

    Understand the back end and technical health of your applications

    Technical health identifies the extent of technology risk to the organization.

    MAINTAINABILITY (RAS)

    RAS refers to an app’s reliability, availability, and serviceability. How often, how long, and how difficult is it for your resources to keep an app functioning, and what are the resulting continuity risks? This can include root causes of maintenance challenges.

    SECURITY

    Applications should be aligned and compliant with ALL security policies. Are there vulnerabilities or is there a history of security incidents? Remember that threats are often internal and non-malicious.

    ADAPTABILITY

    How easily can the app be enhanced or scaled to meet changes in business needs? Does the app fit within the business strategy?

    INTEROPERABILITY

    The degree to which an app is integrated with current systems. Apps require comprehensive technical planning and oversight to ensure they connect within the greater application architecture. Does the app fit within your enterprise architecture strategy?

    BUSINESS CONTINUITY/DISASTER RECOVERY

    The degree to which the application is compatible with business continuity/disaster recovery (BC/DR) policies and plans that are routinely tested and verified.

    Unfortunately, the business only cares about what they can see or experience. Rationalization is your opportunity to get risk on the business’ radar and gain buy-in for the necessary action.

    3.2 Assess technical health

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested technical health criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity of technical health perspective for applications within this subset
    • Maintenance history, architectural models
    • Technical health scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Technical SMEs
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    End users provide valuable perspective

    Your end users are your best means of determining front-end issues.

    Data Quality

    To what degree do the end users find the data quality sufficient to perform their role and achieve their desired outcome?

    Effectiveness

    To what degree do the end users find the application effective for performing their role and desired outcome?

    Usability

    To what degree do the end users find the application reliable and easy to use to achieve their desired outcome?

    Satisfaction

    To what degree are end users satisfied with the features of this application?

    What else matters to you?

    Tune your criteria to match your values and priorities.

    Info-Tech Best Practice

    When facing large user groups, do not make assumptions or use lengthy methods of collecting information. Use Info-Tech’s Application Portfolio Assessment to collect data by surveying your end users’ perspectives.

    3.3 Assess end-user perspective

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested end-user perspective criteria. Edit your criteria, descriptions and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity of end user’s perspective for applications within this subset
    • User satisfaction scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners, Key Users
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Consider the spectrum of application cost

    An application’s cost extends past a vendor’s fee and even the application itself.

    LICENSING AND SUBSCRIPTIONS: Your recurring payments to a vendor.

    Many commercial off-the-shelf applications require a license on a per-user basis. Review contracts and determine costs by looking at per-user or fixed rates charged by the vendor.

    MAINTENANCE COSTS: Your internal spending to maintain an app.

    These are the additional costs to maintain an application such as support agreements, annual maintenance fees, or additional software or hosting expenses.

    INDIRECT COSTS: Miscellaneous expenses necessary for an app’s continued use.

    Expenses like end-user training, developer education, and admin are often neglected, but they are very real costs organizations pay regularly.

    RETURN ON INVESTMENT: Perceived value of the application related to its TCO.

    Some of our most valuable applications are the most expensive. ROI is an optional criterion to account for the value and importance of the application.

    Info-Tech Best Practice

    The TCO assessment is one area where what you are considering the ”application” matters quite a bit. An application’s peripherals or software components need to be considered in your estimates. For additional help calculating TCO, use the Application TCO Calculator from Build a Rationalization Framework.

    3.4 Assess total cost of ownership

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested TCO criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity with the TCO for applications within this subset
    • Vendor contracts, maintenance history
    • TCO scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners, Vendor Managers, Operations Managers
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Phase 4

    Populate Your Roadmap

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    his phase involves the following participants:

    • Applications Lead
    • Delivery Leads

    Additional Resources

    Review your APM Snapshot

    The image contains a screenshot of examples of applications that support APM.

    4.1 Review your APM Snapshot results

    Estimated time: 1-2 hours

    1. The APM Snapshot provides a dashboard to support your APM program’s focus and as an input to demand planning. Unhide the “Group 3” worksheet if you completed the alignment matrix.
    2. For each grouping area, review the results to determine underperforming areas. Use this information to prioritize your application root cause analysis and demand planning. Use the key on the following slide to guide your analysis.
    3. Analysis guidance:
      1. Start with the quartile grouping to find areas scoring in Remediate or Critical Need and focus follow-up actions on these areas.
      2. Use the lens/category heat map to determine which lenses are underperforming. Use this to then look up the individual app scores supporting that group to identify application issues.
      3. Use the “Application Comparison” worksheet to select and compare applications for the group to make your review and comparison easier.
      4. Work with teams in the group to provide root cause analysis for low scores.
      5. Build a plan to address any apps not supported by IT.
    InputOutput
    • Application list
    • Application to Group mapping
    • Rationalization scores
    • Awareness of application support for each grouping

    Materials

    Participants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Interpreting your APM Snapshot

    The image contains a screenshot of the APM Snapshot with guides on how to interpret it.

    4.1 APM worksheet data journey map

    The image contains a screenshot of the AMP worksheet data journey map.

    Review your APM rationalization results

    The image contains a screenshot of examples of applications that support APM.

    4.2 Review your APM Foundations results

    Estimated time: 1-2 hours

    The APM Foundations Results dashboard (“App Rationalization Results” worksheet) provides a detailed summary of your relative app scoring to serve as input to demand planning.

    1. For each grouping, review the results to determine underperforming app support. Use this information to prioritize your application root cause analysis using the individual criteria scores on the “Rationalization Inputs” worksheet.
    2. Use guidance on the following example slides to understand each area of the results.
    3. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.
    4. Use the column filters to compare a subset of applications or use the “App Comparison” worksheet to maintain an ongoing view by grouping, redundancy, or category.
    5. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.
    InputOutput
    • Application list
    • Rationalization scores
    • Application awareness
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.2 APM worksheet data journey map

    The image contains a screenshot of the AMP worksheet data journey map.

    Interpreting your APM Foundations results

    The image contains a screenshot of the APM Foundations results.

    Interpreting your APM Foundations chart

    The image contains a screenshot of the APM Foundations chart.

    Modernize your applications

    The image contains a screenshot of examples of applications that support APM.

    Apply Info-Tech’s 6 R’s Rationalization Disposition Model

    The image contains a screenshot of Info-Tech's 6 R's Rationalization Disposition Model.

    Disposition

    Description

    Reward

    Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented.

    Refresh

    Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction.

    Refocus

    Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned.

    Replace

    Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement.

    Remediate

    Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue.

    Retire

    Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

    TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

    4.3 Determine dispositions

    Estimated time: 1-4 hours

    1. The Recommended Disposition and Priority fields are prepopulated from your scoring thresholds and options on the “Disposition Options” worksheet. You can update any individual application disposition or priority using the drop-down menu and it will populate your selection on the “Roadmap” worksheet.
    2. Question if that disposition is appropriate. Be sure to consider:
      1. TCO – cost should come into play for any decisions.
      2. Alignment to strategic goals set for the overarching organizational, IT, technology (infrastructure), or application portfolio.
      3. Existing organizational priorities or funded initiatives impacting the app.
    3. Some dispositions may imply a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. You can use different dispositions and priorities on the “App Rationalization Results” and “Roadmap” worksheets.
    4. Note: Modify the list of dispositions on the “Disposition Options” worksheet as appropriate for your rationalization initiative. Any modifications to the Disposition column will be automatically updated in the “App Rationalization Results” and “Roadmap” worksheets.
    InputOutput
    • Rationalization results
    • Assigned dispositions for applications
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.3 APM worksheet data journey map

    The image contains a screenshot of the worksheet data journey map.

    Redundancies require a different analysis and set of dispositions

    Solving application redundancy is a lot more complicated than simply keeping one application and eliminating the others.

    First, you need to understand the extent of the redundancy. The applications may support the same capability, but do they offer the same functions? Determine which apps offer which functions within a capability. This means you cannot accurately arrive at a disposition until you have evaluated all applications.

    Next, you need to isolate the preferred system. This is completed by comparing the same data points collected for rationalization and the application alignment analysis. Cost and coverage of all necessary functions become the more important factors in this decision-making process.

    Lastly, for the non-preferred redundant applications you need to determine: What will you do with the users? What will you do with the data? And what can you do with the functionality (can the actual coding be merged onto a common platform)?

    Disposition

    Description & Additional Analysis

    Call to Action (Priority)

    Keep & Absorb

    Higher value, health satisfaction, and cost than alternatives

    These are the preferred apps to be kept. However, additional efforts are still required to migrate new users and data and potentially configure the app to new processes.

    Application or Process Initiative

    (Moderate)

    Shift & Retire

    Lower value, health satisfaction, and cost than alternatives

    These apps will be decommissioned alongside efforts to migrate users and data to the preferred system.

    *Confirm there are no unique and necessary features.

    Process Initiative & Decommission

    (Moderate)

    Merge

    Lower value, health satisfaction, and cost than alternatives but still has some necessary unique features

    These apps will be merged with the preferred system onto a common platform.

    *Determine the unique and necessary features.

    *Determine if the multiple applications are compatible for consolidation.

    Application Initiative

    (Moderate)

    Compare groups of applications

    The image contains a screenshot of examples of applications that support APM.

    4.4 Assess redundancies (optional)

    Estimated rime: 1 hour per group

    This exercise is best performed after aligning business capabilities to applications across the portfolio and identifying your areas of redundancy. At this stage, this is still an information collection exercise, and it will not yield a consolidation-based disposition until applied to all relevant applications. Lastly, this exercise may still be at too high a level to outline the full details of redundancy, but it is still vital information to collect and a starting point to determine which areas require more concentrated analysis.

    1. Determine which areas of redundancy or comparisons are desired. Duplicate the “App Comparison” worksheet for each grouping or comparison.
    2. Extend the comparison to better identify redundancy.
      1. For each area of redundancy, identify the high-level features. Aim to limit the features to ten, grouping smaller features if necessary. SoftwareReviews can be a resource for identifying common features.
      2. Label features using the MoSCoW model: must have, should have, could have, will not have.
      3. For each application, identify which features they support. You can use the grouping alignment matrix as a template for feature alignment comparison. Duplicate the worksheet, unlock it, and replace the grouping cell references with your list of features.
    Input Output
    • Areas of redundancy
    • Familiarity with features for applications within this subset
    • Feature-level review of application redundancy
    Materials Participants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.4 Assess redundancies (optional)

    Account Management

    Call Management

    Order/Transaction Processing

    Contract Management

    Lead/Opportunity Management

    Forecasting/Planning

    Customer Surveying

    Email Synchronization

    M M M M S S C W

    CRM 1

    CRM 2

    CRM 3

    4.5 Determine dispositions for redundant applications (optional)

    Estimated time: 1 hour per group

    1. Based on the feature-level assessment, determine if you can omit applications if they don’t truly overlap with other applications.
    2. Make a copy of the “App Comparison” worksheet and select the applications you want to compare based on your functional analysis.
    3. Determine the preferred application(s). Use the diagram to inform your decision. This may be the application closest to the top right (strong health and value). However, less expensive options or any options that provide a more complete set of features may be preferable.
    4. Open the “App Rationalization Results” worksheet. Update your disposition for each application.
    5. Use these updated dispositions to determine a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. Update your roadmap with these initiatives in the next step.
    InputOutput
    • Feature-level review of application redundancy
    • Redundancy comparison
    • Assigned dispositions for redundant applications
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Compare application groups

    Group comparison can be used for more than just redundant/overlapping applications.

    The image contains a screenshot of images that demonstrate comparing application groups.

    Roadmaps are used for different purposes

    Roadmaps are used for different communication purposes and at varying points in your application delivery practice. Some use a roadmap to showcase strategy and act as a feedback mechanism that allows stakeholders to validate any changes (process 1). Others may use it to illustrate and communicate approved and granular elements of a change to an application to inform appropriate stakeholders of what to anticipate (process 2).

    Select Dispositions & Identify New Initiatives

    Add to Roadmap

    Validate Direction

    Plan Project

    Execute Project

    Select Dispositions & Identify New Initiatives

    • Project Proposal
    • Feasibility/ Estimation
    • Impact Assessment
    • Business Case
    • Initial Design

    Approve Project

    Add to Roadmap

    Execute Project

    The steps between selecting a disposition and executing on any resulting project will vary based on the organization’s project intake standards (or lack thereof).

    This blueprint focuses on building a strategic portfolio roadmap prior to any in-depth assessments related to initiative/project intake, approval, and prioritization. For in-depth support related to intake, approval, prioritization, or planning, review the following resources.

    The image contains a screenshot of the Deliver on your Digital Product Vision blueprint. The image contains a screenshot of the Deliver Digital Products at Scale blueprint.

    Determine what makes it onto the roadmap

    A roadmap should not be limited to what is approved or committed to. A roadmap should be used to present the items that need to happen and begin the discussion of how or if this can be put into place. However, not every idea should make the cut and end up in front of key stakeholders.

    The image contains a screenshot of steps to be taken to determine what makes it onto the roadmap.

    4.6 Prioritize initiatives

    Estimated time: 1-4 hours

    1. This is a high-level assessment to provide a sense of feasibility, practicality, and priority as well as an estimated timeline of a given initiative. Do not get lost in granular estimations. Use this as an input to your demand planning process.
    2. Enter the specific name or type of initiative.
      1. Process Initiative: Any project or effort focused on process improvements without technical modification to an app (e.g. user migration, change in SLA, new training program). Write the application and initiative name on a blue sticky note.
      2. App Initiative: Any project or effort involving technical modification to an app (e.g. refactoring, platform migration, feature addition or upgrade). Write the application and initiative name on a yellow sticky note.
      3. Decommission Initiative: Any project and related efforts to remove an app (e.g. migrating data, removal from server). Write the application and initiative name on a red sticky note.
    3. Prioritize the initiative to aid in demand planning. This is prepopulated from your selected application disposition, but you can set a different priority for the initiative here.
    4. Select the Initiative Phase in the timeline to show the intended schedule and sequencing of the initiative.
    Input Output
    • Assigned dispositions
    • Rationalization results
    • Prioritized initiatives
    Materials Participants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Delivery Leads
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.6 APM worksheet data journey map

    The image contains a screenshot of the worksheet data journey map.

    Populate roadmap example

    The image contains an example of the populate roadmap.

    Create a recurring update plan

    • Application inventories become stale before you know it. Build steps in your procurement process to capture the appropriate information on new applications. Also, build in checkpoints to revisit your inventory regularly to assess the accuracy of inventory data.
    • Rationalization is not one and done; it must occur with an appropriate cadence.
      • Business priorities change, which will impact the current and future value of your apps.
      • Now more than ever, user expectations evolve rapidly.
      • Application sprawl likely won’t stop, so neither will shadow IT and redundancies.
      • Obsolescence, growing technical debt, changing security threats, or shifting technology strategies are all inevitable, as is the gradual decline of an app’s health or technical fit.
    • An application’s disposition changes quicker than you think, and rationalization requires a structured cadence. You need to plan to minimize the need for repeated efforts. Conversely, many use preceding iterations to increase the analysis (e.g. more thorough TCO projections or more granular capability-application alignment).
    • Portfolio roadmaps require a cadence for both updates and presentations to stakeholders. Updates are often completed semiannually or quarterly to gauge the business adjustments that affect the timeline of the domain-specific applications. The presentation of a roadmap should be completed alongside meetings or gatherings of key decision makers.
    • M&A or other restructuring events will prompt the need to address all the above.

    The image contains a screenshot of chart to help determine frequency of updating your roadmap.

    Build your APM maturity by taking the right steps at the right time

    The image contains a diagram to demonstrate the steps taken to build APM maturity.

    Info-Tech’s Build an Application Rationalization Framework provides additional TCO and value tools to help build out your portfolio strategy.

    APM is an iterative and evergreen process

    APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

    Determine scope and categories Build your list of applications and capabilities Score each application based on your values Determine outcomes based on app scoring and support for capabilities

    1. Lay Your Foundations

    • 1.1 Assess the state of your current application portfolio
    • 1.2 Determine narrative
    • 1.3 Define goals and metrics
    • 1.4 Define application categories
    • 1.5 Determine APM steps and roles (SIPOC)

    2. Improve Your Inventory

    • 2.1 Populate your inventory
    • 2.2 Align to business capabilities

    3. Rationalize Your Apps

    • 3.1 Assess business value
    • 3.2 Assess technical health
    • 3.3 Assess end-user perspective
    • 3.4 Assess total cost of ownership

    4. Populate Your Roadmap

    • 4.1 Review APM Snapshot results
    • 4.2 Review APM Foundations results
    • 4.3 Determine dispositions
    • 4.4 Assess redundancies (Optional)
    • 4.5 Determine dispositions for redundant applications (Optional)
    • 4.6 Prioritize initiatives
    • 4.7 Ongoing APM cadence

    Repeat according to APM cadence and application changes

    4.7 Ongoing APM cadence

    Estimated time: 1-2 hours

    1. Determine how frequently you will update or present the artifacts of your APM practice: Application Inventory, Rationalization, Disposition, and Roadmap.
    2. For each artifact, determine the:
      1. Owner: Who is accountable for the artifact and the data or information within the artifact and will be responsible for or delegate the responsibility of updating or presenting the artifact to the appropriate audience?
      2. Update Cadence: How frequently will you update the artifact? Include what regularly scheduled meetings this activity will be within.
      3. Update Scope: Describe what activities will be performed to keep the artifact up to date. The goal here is to minimize the need for a full set of activities laid out within the blueprint. Optional: How will you expand the thoroughness of your analysis?
      4. Audience: Who is the audience for the artifact or assessment results?
      5. Presentation Cadence: How frequently and when will you review the artifact with the audience?
    InputOutput
    • Initial experience with APM
    • Strategic meetings schedule
    • Ongoing cadence for APM activities
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.7 Ongoing APM cadence

    Artifact

    Owner

    Update Cadence

    Update Scope

    Audience

    Presentation Cadence

    Inventory

    Greg Dawson

    • As new applications are acquired
    • Annual review
    • Add new application data points (this is added to implementation standards)
    • Review inventory and perform a data health check
    • Validate with app’s SME
    • Whole organization
    • Always available on team site

    Rationalization Tool

    Judy Ng

    • Annual update
    • Revisit value driver weights
    • Survey end users
    • Interview support owners
    • Interview business owners
    • Update TCO based on change in operational costs; expand thoroughness of cost estimates
    • Rescore applications
    • Business owners of applications
    • IT leaders
    • Annually alongside yearly strategy meeting

    Portfolio Roadmap

    Judy Ng

    • Monthly update alongside project updates
    • Shift the timeline of the roadmap to current day 1
    • Carry over project updates and timeline changes
    • Validate with PMs and business owners
    • Steering Committee
    • Business owners of applications
    • IT leaders
    • Quarterly alongside Steering Committee meetings
    • Upon request

    Appendices

    • Additional support slides
    • Bibliography

    The APM tool provides a single source of truth and global data sharing

    The table shows where source data is used to support different aspects of APM discovery, rationalization, and modernization.

    Worksheet Data Mapping

    Application and Capability List

    Group Alignment Matrix (1-3)

    Rationalization Inputs

    Group 1-3 Results

    Application Inventory Details

    App Rationalization Results

    Roadmap

    App Redundancy Comparison

    Application and Capability List

    App list, Groupings

    App list

    App list, Groupings

    App list, Categories

    App list, Categories

    App list

    App list

    Groups 1-3 Alignment Matrix

    App to Group Tracing

    Application Categories

    Category
    drop-down

    Category

    Category

    Rationalization Inputs

    Lens Scores (weighted input to Group score)

    Lens Scores (weighted input)

    Disposition Options

    Disposition list, Priorities list, Recommended Disposition and Priority

    Lens Scores (weighted input)

    App Rationalization Results

    Disposition

    Common application inventory attributes

    Attribute Description Common Collection Method
    Name Organization’s terminology used for the application. Auto-discovery tools will provide names for the applications they reveal. However, this may not be the organizational nomenclature. You may adapt the names by leveraging pre-existing documentation and internal knowledge or by consulting business users.
    ID Unique identifiers assigned to the application (e.g. app number). Typically an identification system developed by the application portfolio manager.
    Description A brief description of the application, often referencing core capabilities. Typically completed by leveraging pre-existing documentation and internal knowledge or by consulting business users.
    Business Units A list of all business units, departments, or user groups. Consultation, surveys, or interviews with business unit representatives. However, this doesn’t always expose hidden applications. Application-capability mapping is the most effective way to determine all the business units/user groups of an app.
    Business Capabilities A list of business capabilities the application is intended to enable. Application capability mapping completed via interviews with business unit representatives.
    Criticality A high-level grading of the importance of the application to the business, typically used for support prioritization purposes (i.e. critical, high, medium, low). Typically the criticality rating is determined by a committee representing IT and business leaders.
    Ownership The individual accountable for various aspect of the application (e.g. product owner, product manager, application support, data owner); typically includes contact information and alternatives. If application ownership is an established accountability in your organization, typically consulting appropriate business stakeholders will reveal this information. Otherwise, application capability mapping can be an effective means of identifying who that owner should be.
    Application SMEs Any relevant subject matter experts who can speak to various aspects of the application (e.g. business process owners, development managers, data architects, data stewards, application architects, enterprise architects). Technical SMEs should be known within an IT department, but shadow IT apps may require interviews with the business unit. Application capability mapping will determine the identity of those key users/business process SMEs.
    Type An indication of whether the application was developed in-house, commercial off-the-shelf, or a hybrid option. Consultation, surveys, or interviews with product owners or development managers.
    Active Status An indication of whether the application is currently active, out of commission, in repair, etc. Consultation, surveys, or interviews with product owners or operation managers.

    Common application inventory attributes

    Attribute Description Common Collection Method
    Vendor Information Identification of the vendor from whom the software was procured. May include additional items such as the vendor’s contact information. Consultation with business SMEs, end users, or procurement teams, or review of vendor contracts or license agreements.
    Links to Other Documentation Pertinent information regarding the other relevant documentation of the application (e.g. SLA, vendor contracts, data use policies, disaster recovery plan). Typically includes links to documents. Consultation with product owners, service providers, or SMEs, or review of vendor contracts or license agreements.
    Number of Users The current number of users for the application. This can be based on license information but will often require some estimation. Can include additional items of quantities at different levels of access (e.g. admin, key users, power users). Consultation, surveys, or interviews with product owners or appropriate business SMEs or review of vendor contracts or license agreements. Auto-discovery tools can reveal this information.
    Software Dependencies List of other applications or operating components required to run the application. Consultation with application architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping.
    Hardware Dependencies Identification of any hardware or infrastructure components required to run the application (i.e. databases, platform). Consultation with infrastructure or enterprise architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping.
    Development Language Coding language used for the application. Consultation, surveys, or interviews with development managers or appropriate technical SMEs.
    Platform A framework of services that application programs rely on for standard operations. Consultation, surveys, or interviews with infrastructure or development managers.
    Lifecycle Stage Where an application is within the birth, growth, mature, end-of-life lifecycle. Consultation with business owners and technical SMEs.
    Scheduled Updates Any major or minor updates related to the application, including the release date. Consultation with business owners and vendor managers.
    Planned or In-Flight Projects Any projects related to the application, including estimated project timeline. Consultation with business owners and project managers.

    Bibliography

    ”2019 Technology & Small Business Survey.” National Small Business Association (NSBA), n.d. Accessed 1 April 2020.
    “Application Rationalization – Essential Part of the Process for Modernization and Operational Efficiency.” Flexera, 2015. Web.
    “Applications Rationalization during M&A: Standardize, Streamline, Simplify.” Deloitte Consulting, 2016. Web.
    Bowling, Alan. “Clearer Visibility of Product Roadmaps Improves IT Planning.” ComputerWeekly.com, 1 Nov. 2010. Web.
    Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando, 13 July 2014. Scrum Inc. 2014. Web.
    Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
    “Business Application Definition.” Microsoft Docs, 18 July 2012. Web.
    “Connecting Small Businesses in the US.” Deloitte Consulting, 2017. Accessed 1 April. 2020.
    Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Web.
    Curtis, Bill. “The Business Value of Application Internal Quality.” CAST, 6 April 2009. Web.
    Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM, April 2008. Web.
    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Web.
    Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group, 2007. Web.
    “How Application Rationalization Contributes to the Bottom Line.” LeanIX, 2017. Web.
    Jayanthi, Aruna. “Application Landscape Report 2014.” Capgemini, 4 March 2014. Web.
    Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura, 31 March 2010. Web.
    “Management of business application.” ServiceNow, Jan.2020. Accessed 1 April 2020.
    Mauboussin, Michael J. “The True Measures of Success.” HBR, Oct. 2012. Web.
    Neogi, Sombit., et al. “Next Generation Application Portfolio Rationalization.” TATA, 2011. Web.
    Riverbed. “Measuring the Business Impact of IT Through Application Performance.” CIO Summits, 2015. Web.
    Rouse, Margaret. “Application Rationalization.” TechTarget, March 2016. Web.
    Van Ramshorst, E.A. “Application Portfolio Management from an Enterprise Architecture Perspective.” Universiteit Utrecht, July 2013.
    “What is a Balanced Scorecard?” Intrafocus, n.d. Web.
    Whitney, Lance. “SMBs share their biggest constraints and great challenges.” Tech Republic, 6 May 2019. Web.

    Make Your IT Governance Adaptable

    • Buy Link or Shortcode: {j2store}359|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $123,499 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make these decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively.

    Our Advice

    Critical Insight

    • IT governance applies not just to the IT department but to all uses of information and technology.
    • IT governance works against you if it no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance doesn’t have to be bureaucratic or control based.
    • Your governance model should be able to adapt to changes in the organization’s strategy and goals, your industry, and your ways of working.
    • Governance can be embedded and automated into your practices.

    Impact and Result

    • You will produce more value from IT by developing a governance framework optimized for your current needs and context, with the ability to adapt as your needs shift.
    • You will create the foundation and ability to delegate and empower governance to enable agile delivery.
    • You will identify areas where governance does not require manual oversight and can be embedded into the way you work.

    Make Your IT Governance Adaptable Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make Your IT Governance Adaptable Deck – A document that walks you through how to design and implement governance that fits the context of your organization and can adapt to change.

    Our dynamic, flexible, and embedded approach to governance will help drive organizational success. The three-phase methodology will help you identify your governance needs, select and refine your governance model, and embed and automate governance decisions.

    • Make Your IT Governance Adaptable – Phases 1-3

    2. Adaptive and Controlled Governance Model Templates and Workbook – Documents that gather context information about your organization to identify the best approach for governance.

    Use these templates and workbook to identify the criteria and design factors for your organization and the design triggers to maintain fit. Upon completion this will be your new governance framework model.

    • Controlled Governance Models Template
    • IT Governance Program Overview
    • Governance Workbook

    3. Implementation Plan and Workbook – Tools that help you build and finalize your approach to implement your new or revised governance model.

    Upon completion you will have a finalized implementation plan and a visual roadmap.

    • Governance Implementation Plan
    • Governance Roadmap Workbook

    4. Governance Committee Charter Templates – Base charters that can be adapted for communication.

    Customize these templates to create the committee charters or terms of reference for the committees developed in your governance model.

    • IT PMO Committee Charter
    • IT Risk Committee Charter for Controlled Governance
    • IT Steering Committee Charter for Controlled Governance
    • Program Governance Committee Charter
    • Architecture Review Board Charter
    • Data Governance Committee Charter
    • Digital Governance Committee Charter

    5. Governance Automation Criteria Checklist and Worksheet – Tools that help you determine which governance decisions can be automated and work through the required logic and rules.

    The checklist is a starting point for confirming which activities and decisions should be considered for automation or embedding. Use the worksheet to develop decision logic by defining the steps and information inputs involved in making decisions.

    • Governance Automation Criteria Checklist
    • Governance Automation Worksheet

    Infographic

    Workshop: Make Your IT Governance Adaptable

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop Your Guiding Star

    The Purpose

    Establish the context for your governance model.

    Key Benefits Achieved

    Core understanding of the context that will enable us to build an optimal model

    Activities

    1.1 Confirm mission, vision, and goals.

    1.2 Define scope and principles.

    1.3 Adjust for culture and finalize context.

    Outputs

    Governance principles

    Governance context and goals

    2 Define the Governance Model

    The Purpose

    To select and adapt a governance model based on your context.

    Key Benefits Achieved

    A selected and optimized governance model

    Activities

    2.1 Select and refine governance model.

    2.2 Confirm and adjust the structure.

    2.3 Review and adapt governance responsibilities and activities.

    2.4 Validate governance mandates and membership.

    Outputs

    IT governance model and adjustment triggers

    IT governance structure, responsibilities, membership, and cadence

    Governance committee charters

    3 Build Governance Process and Policy

    The Purpose

    Refine your governance practices and associate policies properly.

    Key Benefits Achieved

    A completed governance model that can be implemented with clear update triggers and review timing

    Policy alignment with the right levels of authority

    Activities

    3.1 Update your governance process.

    3.2 Align policies to mandate.

    3.3 Adjust and confirm your model.

    3.4 Identify and document update triggers and embed into review cycle.

    Outputs

    IT governance process and information flow

    IT governance policies

    Finalized governance model

    4 Embed and Automate Governance

    The Purpose

    Identify options to automate and embed governance activities and decisions.

    Key Benefits Achieved

    Simply more consistent governance activities and automate them to enhance speed and support governance delegation and empowerment

    Activities

    4.1 Identify decisions and standards that can be automated. Develop decision logic.

    4.2 Plan verification and validation approach.

    4.3 Build implementation plan.

    4.4 Develop communication strategy and messaging.

    Outputs

    Selected automation options, decision logic, and business rules

    Implementation and communication plan

    Further reading

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    13 Governance Stages

    14 Info-Tech’s IT Governance Thought Model

    19 Info-Tech’s Approach

    23 Insight Summary

    30 Phase 1: Identify Your Governance Needs

    54 Phase 2: Select and Refine Your Governance Model

    76 Phase 3: Embed and Automate

    94 Summary of Accomplishment

    95 Additional Support

    97 Contributors

    98 Bibliography

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Governance will always be part of the fabric of your organization. Make it adaptable so it doesn’t constrain your success.

    Photo of Valence Howden, Principal Research Director, Info-Tech Research Group

    Far too often, the purpose of information and technology (I&T) governance is misunderstood. Instead of being seen as a way to align the organization’s vision to its investment in information and technology, it has become so synonymous with compliance and control that even mentioning the word “governance” elicits a negative reaction.

    Success in modern digital organizations depends on their ability to adjust for velocity and uncertainty, requiring a dynamic and responsive approach to governance – one that is embedded and automated in your organization to enable new ways of working, innovation, and change.

    Evolutionary theory describes adaptability as the way an organism adjusts to fit a new environment, or changes to its existing environment, to survive. Applied to organizations, adaptable governance is critical to the ability to survive and succeed.

    If your governance doesn’t adjust to enable your changing business environment and customer needs, it will quickly become misaligned with your goals and drive you to failure.

    It is critical that people build an approach to governance that is effective and relevant today while building in adaptability to keep it relevant tomorrow.

    Valence Howden
    Principal Research Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively

    Common Obstacles

    • You are unable to clearly communicate how governance adds value to your organization.
    • Your IT governance approach no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance is seen and performed as a bureaucratic control-based exercise.
    • Governance activities are not transparent.
    • The governance committee gets too deeply involved with project deep dives and daily management, derailing its effectiveness and ability to produce value.

    Info-Tech’s Approach

    • Use Info-Tech’s IT governance models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.
    • Adjust the model based on industry needs, your principles, regulatory requirements, and your future direction.
    • Identify where to embed or automate decision making and compliance and what is required to do so effectively.
    • Implement your governance model for success.

    Info-Tech Insight

    IT governance must be embedded and automated, where possible, to effectively meet the needs and velocity of digital organizations and modern practices and to drive success and value.

    What is governance?

    IT governance is a critical and embedded practice that ensures that information and technology investments, risks, and resources are aligned in the best interests of the organization and produce business value.

    Effective governance ensures that the right technology investments are made at the right time to support and enable your organization’s mission, vision, and goals.

    5 KEY OUTCOMES OF GOOD GOVERNANCE

    STRATEGIC ALIGNMENT

    Technology investments and portfolios are aligned with the organization's strategic objectives.

    RISK OPTIMIZATION

    Organizational risks are understood and addressed to minimize impact and optimize opportunities.

    VALUE DELIVERY

    IT investments and initiatives deliver their expected benefits.

    RESOURCE OPTIMIZATION

    Resources (people, finances, time) are appropriately allocated across the organization to optimal organizational benefit.

    PERFORMANCE MEASUREMENT

    The performance of technology investments is monitored and used to determine future courses of action and to confirm achievement of success.

    ‹–EVALUATE–DIRECT–MONITOR–›

    Why is this necessary?

    • Governance is not simply a committee or an activity that you perform at a specific point in time; it is a critical and continuously active practice that drives the success of your organization. It is part of your organization’s DNA and is just as unique, with some attributes common to all (IT governance elements), some specific to your family (industry refinements), and some specific to you (individual organization).
    • Your approach to governance needs to change over time in order to remain relevant and continue to enable value and success, but organizations rarely want to change governance once it’s in place.
    • To meet the speed and flow of practices like Lean, DevOps, and Agile, your IT governance needs to be done differently and become embedded into the way your organization works. You must adjust your governance model based on key moments of change – organizational triggers – to maintain the effectiveness of your model.

    Info-Tech Insight

    Build an optimal model quickly and implement the core elements using an iterative approach to ensure the changes provide the most value.

    The Technology Value Trinity

    Delivery of Business Value & Strategic Needs

    • DIGITAL & TECHNOLOGY STRATEGY
      The identification of objectives and initiatives necessary to achieve business goals.
    • IT OPERATING MODEL
      The model for how IT is organized to deliver on business needs and strategies.
    • INFORMATION & TECHNOLOGY GOVERNANCE
      The governance to ensure the organization and its customers get maximum value from the use of information and technology.

    All three elements of the Technology Value Trinity work in harmony to deliver business value and meet strategic needs. As one changes, the others need to change as well.

    • Digital and IT Strategy tells you what you need to achieve to be successful.
    • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
    • Information & Technology Governance is the confirmation that IT’s goals and strategy align with the business’ strategy. It is the mechanism by which you continuously prioritize work to ensure that what you deliver is in line with the strategy. This oversight involves evaluating, directing, and monitoring the delivery of outcomes to ensure that the use of resources results in achieving the organization’s goals.

    Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest rather than on what is in the best interest of the organization.

    Where information & technology governance fits within an organization

    An infographic illustrating where Governance fits within an organization. The main section is titled 'Enterprise Governance and Strategy' and contains 'Value Outcomes', 'Mission and Vision', 'Goals and Objectives', and 'Guiding Principles'. These all feed into the highlighted 'Information & Technology Governance', which then contributes to 'IT Strategy', which lies outside the main section.

    I&T governance hasn’t achieved its purpose

    Governance is the means by which IT ensures that information and technology delivery and spend is aligned to business goals and delivers business outcomes. However, most CEOs continue to perceive IT as being poorly aligned to the business’ strategic goals, which indicates that governance is not implemented or executed properly.

    For I&T governance to be effective you need a clear understanding of the things that drive your organization and its success. This understanding becomes your guiding star, which is critical for effective governance. It also requires participation by all parts of the organization, not just IT.

    Info-Tech CIO/CEO Alignment Diagnostics (N=124)

    43% of CEOs believe that business goals are going unsupported by IT.

    60% of CEOs believe that improvement is required around IT’s understanding of business goals.

    80% of CIOs/CEOs are misaligned on the target role for IT.

    30% of business stakeholders are supporters (N=32,536) of their IT departments

    Common causes of poor governance

    Key causes of poor or misaligned governance

    1. Governance and its value to your organization is not well understood, often being confused or integrated with more granular management activities.
    2. Business executives fail to understand that IT governance is a function of the business and not the IT department.
    3. Poor past experiences have made “governance” a bad word in the organization. People see it as a constraint and barrier that must be circumvented to get work done.
    4. There is misalignment between accountability and authority throughout the organization, and the wrong people are involved in governance practices.
    5. There is an unwillingness to change a governance approach that has served the organization well in the past, leading to challenges when the organization starts to change practices and speed of delivery.
    6. There is a lack of data and data-related capabilities required to support good decision making and the automation of governance decisions.
    7. The goals and strategy of the organization are not known or understood, leaving nothing for IT governance to orient around.

    Key symptoms of ineffective governance committees

    1. No actions or decisions are generated. The committee produces no value and makes no decisions after it meets. The lack of value output makes the usefulness of the committee questionable.
    2. Resources are overallocated. There is a lack of clear understanding of capacity and value in work to be done, leading to consistent underestimation of required resources and poor resource allocation.
    3. Decisions are changed outside of committee. Decisions made or initiatives approved by the committee are later changed when the proper decision makers are involved or the right information becomes available.
    4. Governance decisions conflict with organizational direction. This shows an obvious lack of alignment and behavioral disconnect that work against organizational success. It is often due to not accounting for where power really exists within the structure.
    5. Consistently poor outcomes are produced from governance direction. Committee members’ lack of business acumen, relevant data, or understanding of organizational goals results in decisions that fail to drive successful measured outcomes.

    Mature your governance by transitioning from ad hoc to automated

    Organizations should look to progress in their governance stages. Ad hoc and controlled governance practices tend to be more rigid, making these a poor fit for organizations requiring higher velocity delivery or using more agile and adaptive practices.

    The goal as you progress through these stages is to delegate governance and empower teams based on your fit and culture, enabling teams where needed to make optimal decisions in real time, ensuring that they are aligned with the best interests of the organization.

    Automate governance for optimal velocity while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive, able to react effectively to volatility and uncertainty.

    A graph illustrating the transition from Ad Hoc to Automated. The y-axis is 'Process Integration' and x-axis is 'Trust & Empowerment'. 'Ad Hoc: Inconsistent Decision Making' lies close to the origin, ranking low on both axes' values. 'Controlled: Authoritarian, Highly Structured' ranks slightly higher on both axes. 'Agile: Distributed & Empowered' ranks 2nd highest on both axes. 'Automated: High Velocity, Embedded & Flexible' ranks highest on both axes.

    Stages of governance

    Adaptive
    Data-Centric


    ˆ


    ˆ


    ˆ


    ˆ


    ˆ
    Traditional
    (People- and Document-Centric)

    4

    Automated Governance
    • Entrenched into organizational processes and product/service design
    • Empowered and fully delegated to maintain fit and drive organizational success and survival

    3

    Agile Governance
    • Flexible enough to support different needs in the organization and respond quickly to change
    • Driven by principles and delegated throughout the company

    2

    Controlled Governance
    • Focused on compliance and hierarchy-based authority
    • Levels of authority defined and often driven by regulatory requirements

    1

    Ad Hoc Governance
    • Not well defined or understood within the organization
    • Occurs out of necessity but often not done by the right people or bodies

    Make Governance Adaptable and Automated to Drive Success and Value

    Governance adaptiveness ensures the success of digital organizations and modern practice implementation.

    THE PROBLEM

    • The wrong people are making decisions.
    • Organizations don't understand what governance is or why it's done.
    • Governance scope and design is a bad fit, damaging the organization.
    • People think governance is optional.

    THE SOLUTION

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    IDENTIFY MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    DETERMINE AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    STAGES OF GOVERNANCE

      Traditional (People- and document-centric)
    1. AD HOC GOVERNANCE
      Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people or bodies.
    2. CONTROLLED GOVERNANCE
      Governance focused on compliance and hierarchy-based, authority-driven control of decisions. Levels of Authority are defined and often driven by regulatory requirements.
    3. Adaptive (Data Centric)
    4. AGILE GOVERNANCE
      Governance that is flexible to support different needs and quick responses in the organization. Driven by principles and delegated throughout the company.
    5. AUTOMATED GOVERNANCE
      Governance that is entrenched and automated into the organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival.

    KEY INSIGHT

    Governance must actively adapt to changes in your organization, environment, and practices or it will drive you to failure.

    Developing governance principles

    Governance principles support the move from controlled to automated governance by providing guardrails that guide your decisions. They provide the ethical boundaries and cultural perspectives that contextualize your decisions and keep you in line with organizational values. Determining principles are global in nature.

    CONTROLLED CHANGE ACTIONS AND RATIONALE AUTOMATED
    Disentangle governance and management Move from governance focused on evaluating, directing, and monitoring strategic decisions around information and technology toward defining and automating rules and principles for decision making into processes and practices, empowering the organization and driving adaptiveness. Delegate and empower
    Govern toward value Move from identifying the organization’s mission, goals, and key drivers toward orienting IT to align with those value outcomes and embedding value outcomes into design and delivery practices. Deliver to defined outcomes
    Make risk-informed decisions Move from governance bodies using risk information to manually make informed decisions based on their defined risk tolerance toward having risk information and attestation baked into decision making across all aspects and layers of the IT organization – from design to sustainment. Embed risk decision making into processes and practices
    Measure to drive improvement Move from static lagging metrics that validate that the work being done is meeting the organization’s needs and guide future decision making toward automated governance with more transparency driven by data-based decision making and real-time data insights. Trust through real-time reporting
    Enforce standards and behavior Move from enforcing standards and behavior and managing exceptions to ensure that there are consistent outcomes and quality toward automating standards and behavioral policies and embedding adherence and changes in behavior into the organization’s natural way of working. Automate standards through automated decision rules, verification, and validation

    Find your guiding star

    MISSION AND VISION –› GOALS AND OBJECTIVES –› GUIDING PRINCIPLES –›

    VALUE

    Why your organization exists and what value it aims to provide. The purpose you build a strategy to achieve. What your organization needs be successful at to fulfill its mission. Key propositions and guardrails that define and guide expected organizational behavior and beliefs.

    Your mission and vision define your goals and objectives. These are reinforced by your guiding principles, including ethical considerations, your culture, and expected behaviors. They provide the boundaries and guardrails for enabling adaptive governance, ensuring you continue to move in the right direction for organizational success.

    To paraphrase Lewis Carroll, “If you don't know where you want to get to, it doesn't much matter which way you go.” Once you know what matters, where value resides, and which considerations are necessary to make decisions, you have consistent directional alignment that allows you to delegate empowered governance throughout the organization, taking you to the places you want to go.

    Understand governance versus management

    Don’t blur the lines between governance and management; each has a unique role to play. Confusing them results in wasted time and confusion around ownership.

    Governance

    I&T governance defines WHAT should be done and sets direction through prioritization and decision making, monitoring overall IT performance.

    Governance aligns with the mission and vision of the organization to guide IT.

    A cycle of processes split into two halves, 'Governance Processes' and 'Management Processes'. Beginning on the Management side, the processes are 'Plan', 'Build', 'Run', 'Monitor', then to the Governance side, 'Evaluate', 'Direct', 'Monitor', and back to the beginning.

    Management

    Management focuses on HOW to do things to achieve the WHAT. It is responsible for executing on, operating, and monitoring activities as determined by I&T governance.

    Management makes decisions for implementation based on governance direction.

    Data is critical to automating governance

    Documents and subjective/non-transparent decisions do not create sufficient structure to allow for the true automation of governance. Data related to decisions and aggregated risk allow you to define decision logic and rules and algorithmically embed them into your organization.

    People- and Document-Centric

    Governance drives activities through specific actors (individuals/committees) and unstructured data in processes and documents that are manually executed, assessed, and revised. There are often constraints caused by gaps or lack of adequate and integrated information in support of good decisions.

    Data-Centric

    Governance actors provide principles, parameters, and decision logic that enable the creation of code, rulesets, and algorithms that leverage organizational data. Attestation is automatic – validated and managed within the process, product, or service.

    Info-Tech’s Approach

    Define your context and build your model

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    The Info-Tech Difference

    Define your context and build your model

    1. Quickly identify the organizational needs driving governance and your guiding star.
    2. Select and refine a base governance model based on our templates.
    3. Define and document the key changes in your organization that will trigger a need to update or revise your governance.
    4. Determine where you might be able to automate aspects of your governance.
    5. Design your decision rules where appropriate to support automated and adaptive governance.

    How to use this research

    Where are you in your governance optimization journey?

    MY GOVERNANCE IS AD HOC AND WE’RE STARTING FROM SCRATCH I NEED TO BUILD A NEW GOVERNANCE STRUCTURE OUR GOVERNANCE APPROACH IS INEFFECTIVE AND NEEDS IMPROVEMENT I NEED TO LOOK AT OPTIONS FOR AUTOMATING GOVERNANCE PRACTICES
    Step 1.1: Define Your Governance Context Step 1.2: Structure Your IT Governance Phase 2: Select and Refine Your Model Phase 3: Embed and Automate

    IT governance is about ensuring that the investment decisions made around information and technology drive the optimal organizational value, not about governing the IT department.

    In this section we will clarify your organizational context for governance and define your guiding star to orient your governance design and inform your structure.

    There is no need to start from scratch! Start with Info-Tech’s best-practice IT governance models and customize them based on your organizational context.

    The research in this section will help you to select the right base model to work from and provide guidance on how to refine it.

    Governance practices eventually stop being a good fit for a changing organization, and things that worked before become bottlenecks.

    Governing roles and committees don’t adjust well, don’t have consistent practices, and lack the right information to make good decisions.

    The research in this section will help you improve and realign your governance practices.

    Once your governance is controlled and optimized you are ready to investigate opportunities to automate.

    This phase of the blueprint will help you determine where it’s feasible to automate and embed governance, understand key governance automation practices, and develop governing business rules to move your journey forward.

    Related Research:

    If you are looking for details on specific associated practices, please see our related research:

    1. I need to establish data governance.
    2. I need to manage my project portfolio, from intake to confirmation of value.
    3. I need better risk information to support decision making.
    4. I need to ensure I am getting the expected outcomes and benefits from IT spend.
    5. I need to prioritize my product backlog or service portfolio.

    Info-Tech’s methodology for building and embedding adaptive governance

    1. Identify Your Governance Needs 2. Select and Refine Your Governance Model 3. Embed and Automate
    Phase Steps
    1. Confirm Mission, Vision, and Goals
    2. Define Scope and Principles
    3. Adjust for Culture and Finalize Context
    1. Select and Refine Your Governance Model
    2. Identify and Document Your Governance Triggers
    3. Build Your Implementation Plan
    1. Identify Decisions to Embed and Automate
    2. Plan Validation and Verification
    3. Update Implementation Plan
    Phase Outcomes
    • Governance context, guiding star, and principles
    • Completed governance model with associated decisions and policies
    • Implementation plan
    • List of automation options
    • Decision logic, rules, and rulesets
    • Validation and verification approach
    • Finalized implementation plan

    Insight summary

    Value

    To remain valuable, I&T governance must actively adapt to changes in your organization, environment, and practices, or it will drive you to failure instead of success.

    Focus

    I&T governance does not focus on the IT department. Rather, its intent is to ensure your organization makes sound decisions around investment in and use of information and technology.

    Maturity

    Your governance approach progresses in stages from ad hoc to automated as your organization matures. Your stage depends on your organizational needs and ways of working.

    Good governance

    Good governance does not equate to control and does not stifle innovation.

    Automation

    Automating governance must be done in stages, based on your capabilities, level of maturity, and amount of usable data.

    Strategy

    Establish the least amount of governance required to allow you to achieve your goals.

    Guiding star

    If you don’t establish a guiding star to align the different stakeholders in your organization, governance practices will create conflict and confusion.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key Deliverable:
    Governance Framework Model

    The governance framework model provides the design of your new governance model and the organizational context to retain stakeholder alignment and organizational satisfaction with governance.

    The model includes the structures, practices, and responsibilities to drive effective governance in your organization.

    Sample of the key blueprint deliverable 'Governance Framework Model'.

    Governance Implementation Plan

    This roadmap lays out the changes required to implement the governance model, the cultural items that need to be addressed, and anticipated timing.

    Sample of the blueprint deliverable 'Governance Implementation Plan'.

    Governance Committee Charters

    Develop a detail governance charter or term of reference for each governing body. Outline the mandate, responsibilities, membership, process, and associated policies for each.

    Sample of the blueprint deliverable 'Governance Committee Charters'.

    Blueprint benefits

    IT Benefits

    • Stronger, traceable alignment of IT decisions and initiatives to business needs.
    • Improved ability for IT to meet the changing demands and velocity of the business.
    • Better support and enablement of innovation – removing constraints and barriers.
    • Optimized governance that supports and enables modern work practices.
    • Increased value generation from IT initiatives and optimal use of IT resources.
    • Designed adaptability to ensure you remain in alignment as your business and IT environments change.

    Business Benefits

    • Clear transparent focus of IT initiatives on generating strategic business value.
    • Improved ability to measure the value and contribution of IT to business goals.
    • Alignment and integration of business/IT strategy.
    • Optimized development and use of IT capabilities to meet business needs.
    • Improved integration with corporate/enterprise governance.

    Executive Brief Case Study

    INDUSTRY Manufacturing
    SOURCE Info-Tech analyst experience

    Improving the governance approach and delegating decision making to support a change in business operation

    Challenge

    The large, multi-national organization has locations across the world but has two primary headquarters, in Europe and the United States.

    Market shifts drove an organizational shift in strategy, leading to a change in operating models, a product focus, and new work approaches across the organization.

    Much of the implementation and execution was done in isolation, and effectiveness was slowed by poor integration and conflicting activities that worked against each other.

    The product owner role was not well defined.

    Solution

    After reviewing the organization’s challenges and governance approach, we redefined and realigned its organizational and regional goals and identified outcomes that needed to be driven into their strategies.

    We also reviewed their span of control and integration requirements and properly defined decisions that could be made regionally versus globally, so that decisions could be made to support new work practices.

    We defined the product and service owner roles and the decisions each needed to make.

    Results

    We saw an improvement in the alignment of organizational activities and the right people and bodies making decisions.

    Work and practices were aimed at the same key outcomes and alignment between teams toward organizational goal improved.

    Within one year, the success rate of the organization’s initiatives increased by 22%, and the percentage of product-related decisions made by product owners increased by 50%.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

    What does a typical GI on this topic look like?

      Phase 1: Identify Your Governance Needs

    • Call #1: Confirm your organization’s mission and vision and review your strategy and goals.
    • Call #2: Identify considerations and governance needs. Develop your guiding star and governing principles.
    • Phase 2: Select and Refine Your Model

    • Call #3: Select your base model and optimize it to meet your governance needs.
    • Call #4: Define your adjustment triggers and develop your implementation plan.
    • Phase 3: Embed and Automate

    • Call #5: Identify decisions and standards you can automate and where to embed them.
    • Call #6: Confirm levels of authority and data requirements. Establish your approach and update the implementation plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Session 1 Session 2 Session 3 Session 4 Session 5
    Activities
    Develop Your Guiding Star

    1.1 Confirm mission, vision, and goals

    1.2 Define scope and principles

    1.3 Adjust for culture and finalize context

    Define the Governance Model

    2.1 Select and refine governance model

    2.2 Confirm and adjust the structure

    2.3 Review and adapt governance responsibilities and activities

    2.4 Validate governance mandates and membership

    Build Governance Process and Policy

    3.1 Update your governance process

    3.2 Align policies to mandate

    3.3 Adjust and confirm your governance model

    3.4 Identify and document your update triggers

    3.5 Embed triggers into review cycle

    Embed and Automate Governance

    4.1 Identify decisions and standards to automate

    4.2 Plan verification and validation approach

    4.3 Build implementation plan

    4.4 Develop communication strategy and messaging

    Next Steps and Wrap-Up

    5.1 Complete in-progress outputs from previous four sessions

    5.2 Set up review time for workshop outputs and to discuss next steps

    Outcomes
    1. Governance context and goals
    2. Governance principles
    1. IT governance model and adjustment triggers
    2. IT governance structure, responsibilities, membership, and cadence
    3. Governance committee charters
    1. IT governance process and information flow
    2. IT governance policies
    3. Finalized governance model
    1. Selected automation options, decision logic, and business rules
    2. Implementation and communication plan
    1. Governance context and principles
    2. Finalized governance model and charters
    3. Finalized implementation plan

    Make Your IT Governance Adaptable

    Phase 1

    Identify your Governance Needs

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Identify the organization’s goals, mission, and vision that will guide governance.

    Define the scope of your governance model and the principles that will guide how it works.

    Account for organizational attitudes, behaviors, and culture related to governance and finalize your context.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance leads

    Step 1.1

    Define Your Guiding Star

    Activities
    • 1.1.1 Document and interpret your strategy, mission, and vision
    • 1.1.2 Document and interpret the business and IT goals and outcomes
    • 1.1.3 Identify your operating model and work processes

    This step will walk you through the following activities:

    Review your business and IT strategy, mission, and vision to ensure understanding of organizational direction.

    Identify the business and IT goals that governance needs to align.

    Confirm your operating model and any work practices that need to be accounted for in your model.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Identified guiding star outcomes to align governance outcomes with

    Defined operating model type and work style that impact governance design

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Govern by intent

    Find the balance for your designed governance approach

    Organic governance occurs during the formation of an organization and shifts with challenges, but it is rarely transparent and understood. It changes your culture in uncontrolled ways. Intentional governance is triggered by changes in organizational needs, working approaches, goals, and structures. It is deliberate and changes your culture to enable success.
    Stock photo of a weight scale.

    Info-Tech Insight

    Your approach to governance needs to be designed, even if your execution of governance is adaptable and delegated.

    What is your guiding star?

    Your guiding star is a combination of your organization’s mission, vision, and strategy and the goals that have been defined to meet them.

    It provides you with a consistent focal point around which I&T-related activities and projects orbit, like planets around a star.

    It generates the gravity that governance uses to keep things from straying too far away from the goal of achieving relevant value.

    1. Mission & Vision
    2. Business Goals & Success Criteria
    3. Operating Model & Work Practices
    4. Governance Scope
    5. Principles

    1.1.1 Document and interpret your strategy, mission, and vision

    30 minutes

    Input: Business strategy, IT strategy, Mission and vision statements

    Output: Updated Governance Workbook, Documented strategic outcomes and organizational aims that governance needs to achieve

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Gather your available business, digital, and IT strategy, mission, and vision information and document everything in your Governance Workbook. It’s ok if you don’t have all of it.
    2. Review and your mission and vision as a group. Discuss and document key points, including:
      • Which activities do you perform as an organization that embody your vision?
      • What key decisions and behaviors are required to ensure that your mission and vision are achievable?
      • What do you require from leadership to enable you to govern effectively?
      • What are the implications of the mission and vision on how the organization needs to work? What are the implications on decisions around opportunities and risks?

    Download the Governance Workbook

    1.1.2 Document and interpret the business and IT goals and outcomes

    60 minutes

    Input: Business strategy, Business and IT goals and related initiatives

    Output: Required success outcomes for goals, Links between IT and business goals that governance needs to align

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Document the business and IT goals that have been created to achieve the mission and vision.
    2. Discuss if there are any gaps between the goals and the mission and vision. Ask yourself – if we accomplish these goals will we have successfully achieved the mission?
    3. For each goal, define what successful achievement of the goal looks like. Starting with one goal or objective, ask:
      • How would I know I am on the right path and how will I know I have gotten there?
      • How would I know if I am not on the right path and what does a bad result look like?
    4. Document your success criteria.
    5. Brainstorm some examples of decisions that support or constrain the achievement of your goals.
    6. Repeat this exercise for your remaining goals.
    7. As a group, map IT goals to business goals.

    What is your operating model and why is it important?

    An IT operating model is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions.

    The model is critical in the optimization and alignment of the IT organization’s structure in order to deliver the capabilities required to achieve business goals. It is a key determinant of how governance needs to be designed and where it is implemented.

    Little visualizations of different operating models: 'Centralized', 'Decentralized', and 'Hybrid'.

    1.1.3 Identify your operating model and work practices

    60 minutes

    Input: Organizational structure, Operating model (if available)

    Output: Confirmed operating approach, Defined work practices

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify the way your organization functions:
      • How do we currently operate? Are we centralized, decentralized or a hybrid? Are we focused on delivering products and services? Do we provide service ourselves or do we use vendors for delivery?
      • Can we achieve our mission, goals, and strategies, if we continue to operate this way? What would we have to change in how we operate to be successful in the future?
    2. Identify your governance needs. Do we need to be more structured or more flexible to support our future ways of working?
      • If you operate in a more traditional way, consider whether you are implementing or moving toward more modern practices (e.g. Agile, DevOps, enterprise service management). Do you need to make more frequent but lower-risk decisions?
      • Is your organization ready to delegate governance culturally and in terms of business understanding? Is there enough available information to support adaptive decisions and actions?
    3. Document your operating style, expected changes in work style, and cultural readiness. You will need to consider the implications on design.

    Step 1.2

    Define Scope and Principles

    Activities
    • 1.2.1 Determine the proper scope for your governance
    • 1.2.2 Confirm your determining governing principles
    • 1.2.3 Develop your specific governing principles

    This step will walk you through the following activities:

    Identify what is included and excluded within the scope of your governance.

    Develop the determining and specific principles that provide guardrails for governance activities and decisions.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Documented governance scope and principles to apply

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Define the context for governance

    Based on the goals and principles you defined and the operating model you selected, confirm where oversight will be necessary and at what level. Focus on the necessity to expedite and clear barriers to the achievement of goals and on the ownership of risks and compliance. Some key considerations:

    • Where in the organization will you need to decide on work that needs to be done?
    • What type of work will you need to do?
    • In what areas could there be conflicts in prioritization/resource allocation to address?
    • Who is accountable for risks to the organization and its objectives?
    • Where are your regional or business-unit-specific concerns that require focused local attention?
    • Are we using more agile, rapid delivery methods to produce work?

    Understand your governance scope

    Your governance scope helps you define the boundaries of what your governance model and practices will cover. This includes key characteristics of your organization that impact what governance needs to address.

    Sample Considerations

    • Organizational Span
      • The geographical area the organization operates within. Regional laws and requirements will affect governance delegation and standards/policy development.
    • Level of Regulation
      • Higher levels of regulation create more standards and controls for risk and compliance, impacting how authority can be delegated or automated.
    • Sourcing Model
      • Changing technology sourcing introduces additional vendor governance requirements and may impact compliance and audit.
    • Risk Posture
      • The appetite for risk organizationally, and in pockets, impacts the level of uncertainty you are willing to work within and impact decision-making authority positioning.
    • Size
      • The size of your organization impacts the approach to governance, practice implementation, and delegation of authority.
    • What Is Working Today?
      • Which elements of your current governance approach should be retained, and what are the biggest pain points that need to be addressed?
    (Source: COBIT 2019)

    1.2.1 Determine the proper scope for your governance

    60 minutes

    Input: Context information from Activity 1.1, Scoping areas

    Output: Defined scope and span of control

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Determine the scope/span of control required for your governance by:
      • Reviewing your key IT capabilities. Identify the ones where the responsibilities and decisions require oversight to ensure they meet the needs of the organization.
      • Identify what works well or poorly in your current governance approach.
      • Discuss and document the level and type of knowledge and business understanding required.
      • Identify and document any regulations, standards, or laws that apply to your organization/industry and how broadly they have to be applied.
      • Identify the organization’s risk appetite, where known, and areas where acceptable thresholds of risk have been defined. Where are key risk and opportunity decisions made? Who owns risk in your organization?
      • Identify and document the perceived role of the IT group in your organization (e.g. support, innovator, partner) and sourcing model (e.g. insource, outsource).
      • Is there sufficient information and data available in your organization to support effective decision making?

    How should your governance be structured?

    Organizations often have too many governance bodies, creating friction without value. Where that isn’t the case, the bodies are often inefficient, with gaps or overlaps in accountability and authority. Structure your governance to optimize its effectiveness, designing with the intent to have the fewest number of governing bodies to be effective, but no less than is necessary.

    Start with your operating model.

    • Understand what’s different about your governance based on whether your organization in centralized, distributed, or a different model (e.g. hybrid, product).
    • Identify and include governance structures that are mandatory due to regulation or industry.
    • Based on your context, identify how many of your governance activities should be performed together.

    Determine whether your governance should be controlled or adaptive.

    • Do you have the capability to distribute governance and is your organization empowered enough culturally?
    • Do you have sufficient standards and data to leverage? Do you have the tools and capabilities?
    • Identify governance structures that are required due to regulation or industry.

    Info-Tech Insight

    Your approach to governance needs to be designed and structured, even if your execution of governance is adaptable and delegated.

    Identify and Refine your Principles

    Confirm your defining principles based on your selection of controlled or adaptive governance. Create specific principles to clarify boundaries or provide specific guidance for teams within the organization.

    Controlled Adaptive
    Disentangle governance and management Delegate and empower
    Govern toward value Deliver to defined outcomes
    Make risk-informed decisions Embed risk into decision making
    Measure to drive improvement Trust though real-time reporting
    Enforce standards and behavior Automate decision making though established standards

    Determining Principle: Delegate and empower.

    Specific Principle: Decisions should be made at the lowest reasonable level of the organization with clarity.

    Rationale: To govern effectively with the velocity required to address business needs, governance needs to be executed deeper into the organization and organizational goals need to be clearly understood everywhere.

    Implication: Decision making needs to be delegated throughout the organization, so information and data requirements need to be identified, decision-making approach and principles need to be shared, and authority needs to be delegated clearly.

    1.2.2 Confirm your determining governance principles

    30-45 minutes

    Input: Governance Framework Model– Governance Principles

    Output: Governance workbook - Finalized list of determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Review the IT governance principles in your Governance Workbook.
    2. Within your IT senior leadership team (or IT governance working group) assign one or two principles to teams of two to three participants. Have each team identify what this would mean for your organization. Answering the questions:
      • In what ways do our current governance practices support this?
      • What are some examples of changes that would need to be made to make this a reality?
      • How would applying this principle improve your governance?
    3. Have each team present their results and compile the findings and implications in the Governance Workbook to use for future communication of the change.

    Specific governing principles

    Specific governing principles are refined principles derived from a determining principle, when additional specificity and detail is necessary. It allows you to define an approach for specific behaviors and activities. Multiple specific principles may underpin the determining one.

    A visualization of a staircase with stairs labelled, bottom to top, 'Determining Principle', 'Rationale', 'Implications', 'Specific Principles'.

    Specific Principles – Related principles that may be required to ensure the implications of the determining principal are addressed within the organization. They may be specific to individual areas and may be addressed in policies.

    Implications – The implications of this principle on the organization, specific to how and where governance is executed and the level of information and authority that would be necessary.

    Rationale – The reason(s) driving the determining principle.

    Determining Principle – A core overarching principle – a defining aspect of your governance model.

    1.2.3 Develop your specific governing principles

    30 minutes

    Input: Updated determining principles

    Output: List of specific principles linked to determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Confirm the determining principles for your governance model based on your previous discussions.
    2. Identify where to apply the principles. This is based on:
      1. Your governance scope (how much is within your span of control)
      2. The amount of data you have available
      3. Your cultural readiness for delegation
    3. Create specific principles to support the determining principles:
      1. Document the rationale driving the determining principles.
      2. Identify the implications.
      3. Create specific principles that will support the success in achieving the goals of each determining principle.
    4. Document all information on the “Governance guiding star” slide in the Governance Workbook.

    Download the Governance Workbook

    Step 1.3

    Adjust for Culture and Finalize Context

    Activities
    • 1.3.1 Identify and address the impact of attitude, behavior, and culture
    • 1.3.2 Finalize your context

    This step will walk you through the following activities:

    Identify your organizational attitude, behavior, and culture related to governance.

    Identify positives that can be leveraged and develop means to address negatives.

    Finalize the context that your model will leverage and align to.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Understanding attitude, behavior, and culture

    A

    ttitude

    What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users. This manifests in the belief that governance is a constraint that needs to be avoided or ignored – often with unintended consequences.

    A stock photo of a lightbulb over a person's head and a blackboard behind them reading 'New Mindset - data-verified= New Results'.">

    Any form of organizational change involves adjusting people’s attitudes to create buy-in and commitment.

    You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive.

    Understanding attitude, behavior, and culture

    B

    ehavior

    What people do. This is influenced by attitude and the culture of the organization. In governance, this manifests as people’s willingness to be governed, who pushes back, and who tries to bypass it.

    A stock photo of someone walking up a set of stairs into the distant sunlight.

    To implement change within IT, especially at a tactical and strategic level, organizational behavior needs to change.

    This is relevant because people gravitate toward stability and will resist change in an active or passive way unless you can sell the need, value, and benefit of changing their behavior and way of working.

    Understanding attitude, behavior, and culture

    C

    ulture

    The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources. In governance terms, this is how decisions are really made and where responsibility really exists rather than what is identified formally.

    A stock photo of a compass pointing to 'VALUES'.

    The impact of the organizational or corporate “attitude” on employee behavior and attitude is often not fully understood.

    Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed governance models. In the case of automating governance, cultural readiness for automation is a critical success factor.

    1.3.1 Identify and address the impact of attitude, behavior, and culture

    45 minutes

    Input: Senior leadership knowledge

    Output: Updated Governance Workbook

    Materials: Governance Workbook

    Participants: IT senior leadership

    1. Break into three groups. Each group will discuss and document the positive and negative aspects of one of attitude, behavior, or culture related to governance in your organization.
    2. Each group will present and explain their list to the group.
    3. Add any additional suggestions in each area that are identified by the other groups.
    4. Identify the positive elements of attitude, behavior, and culture that would help with changing or implementing your updated governance model.
    5. Identify any challenges that will need to be addressed for the change to be successful.
    6. As a group, brainstorm some mitigations or solutions to these challenges. Document them in the Governance Workbook to be incorporated into the implementation plan.

    Download the Governance Workbook

    Attitude, behavior, and culture

    Evaluate the organization across the three contexts. The positive items represent opportunities for leveraging these characteristics with the implementation of the governance model, while the negative items must be considered and/or mitigated.

    Attitude Behavior Culture
    Positive
    Negative
    Mitigation

    1.3.2 Finalize your governance context

    30 minutes

    Input: Documented governance principles and scope from previous exercises

    Output: Finalized governance context in the Governance Workbook

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Use the information that has been gathered throughout this section to update and finalize your IT governance context.
    2. Document it in your Governance Workbook.

    Download the Governance Workbook

    Make Your IT Governance Adaptable

    Phase 2

    Select and Refine Your Governance Model

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Select a base governance model and refine it to suit your organization.

    Identify scenarios and changes that will trigger updates to your governance model.

    Build your implementation plan.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance resources

    Step 2.1

    Choose and Adapt Your Model

    Activities
    • 2.1.1 Choose your base governance model
    • 2.1.2 Confirm and adjust the structure of your model
    • 2.1.3 Define the governance responsibilities
    • 2.1.4 Validate the governance mandates and membership
    • 2.1.5 Update your committee processes
    • 2.1.6 Adjust your associated policies
    • 2.1.7 Adjust and confirm your governance model

    This step will walk you through the following activities:

    Review and selecting your base governance model.

    Adjust the structure, responsibilities, policies, mandate, and membership to best support your organization.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    Your governance framework has six key components

    GOVERNANCE FRAMEWORK

    • GUIDELINES
      The key behavioral factors that ground your governance framework
    • MEMBERSHIP
      Formalization of who has authority and accountability to make specific governance decisions
    • RESPONSIBILITIES
      The definition of which decisions and outcomes your governance structure and each governance body is accountable for
    • STRUCTURE
      Which governance bodies and roles are in place to articulate where decisions are made in the organization
    • PROCESS
      Identification of the how your governance will be executed, how decisions are made, and the inputs, outputs, and connections to related processes
    • POLICY
      Set of principles established to address risk and drive expected and required behavior

    4 layers of governance bodies

    There are traditionally 4 layers of governance in an enterprise, and organizations have governing bodies or individuals at each level

    RESPONSIBILITIES AND TYPICAL MEMBERSHIP
    ENTERPRISE Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals.

    Membership: Business executives, Board

    STRATEGIC Ensures IT initiatives, products, and services are aligned to organizational goals and strategy and provide expected value. Ensure adherence to key principles.

    Membership: Business executives, CIO, CDO

    TACTICAL Ensures key activities and planning are in place to execute strategic initiatives.

    Membership: Authorized division leadership, related IT leadership

    OPERATIONAL Ensures effective execution of day-to-day functions and practices to meet their key objectives.

    Membership: Service/product owners, process owners, architecture leadership, directors, managers

    2.1.1 Choose your base governance model

    30 minutes

    Input: Governance models templates

    Output: Selected governance model

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Download Info-Tech’s base governance models (Controlled Governance Models Template and IT Governance Program Overview) and review them to find a template that most closely matches your context from Phase 1. You can start with a centralized, decentralized, or product/service hybrid IT organization. Remove unneeded models.
    2. If you do not have documented governance today, start with a controlled model as your foundation. Continue working through this phase if you have a documented governance framework you wish to optimize using our best practices or move to Phase 3 if you are looking to automate or embed your governance activities.

    Controlled Governance Models Template

    Adaptive Governance Models Template

    2.1.2 Confirm and adjust the structure of your model

    30-45 minutes

    Input: Selected base governance model, Governance context/scope

    Output: Updated governance bodies and relationships

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Validate your selected governance body structural model.
      • Are there any governing bodies you must maintain that should replace the ones listed? In part or in full?
      • Are there any missing bodies? Look at alternative committees for examples.
      • Document the adjustments.
    2. Are there any governing bodies that are not required?
      • Based on your size and needs, can they be done within one committee?
      • Is the capability or data not in place to perform the work?
      • Document the required changes.

    There are five key areas of governance responsibility

    A cyclical visualization of the five keys areas of governance responsibility, 'Strategic Alignment', 'Value Delivery', 'Risk Management', 'Resource Management', and 'Performance Measurement'.

    STRATEGIC ALIGNMENT
    Ensures that technology investments and portfolios are aligned with the organization’s needs.

    VALUE DELIVERY
    Reviews the outcomes of technology investments and portfolios to ensure benefits realization.

    RISK MANAGEMENT
    Defines and owns the risk thresholds and register to ensure that decisions made are in line with the posture of the organization.

    RESOURCE MANAGEMENT
    Ensures that people, financial knowledge, and technology resources are appropriately allocated across the organization.

    PERFORMANCE MEASUREMENT
    Monitors and directs the performance or technology investments to determine corrective actions and understand successes.

    2.1.3 Define the governance responsibilities

    Ensure you have the right responsibilities in the right place

    45-60 minutes

    Input: Selected governance base model, Governance context

    Output: Updated responsibilities and activities, Updated activities for selected governance bodies, New or removed governing bodies

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Based on your context and model, review the responsibilities identified for each committee and confirm that they align with the mandate and the stated outcome.
    2. Identify and highlight any responsibilities and activities that would not be involved in informing and enabling the mandate of the committee.
    3. Adjust the wording of confirmed responsibilities and activities to reflect your organizational language.
    4. Review each highlighted “bad fit” activity and move it to a committee whose mandate it would support or remove it if it’s not performed in your organization.
    5. If an additional committee is required, define the mandate and scope, then include any additional responsibilities that might have been a bad fit elsewhere

    2.1.4 Validate the governance mandates and membership

    30 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the mandate and membership slides in your selected governance model.
    2. Adjust the mandate to ensure that it aligns to and conveys:
      1. The outcome that the committee is meant to generate for the organization.
      2. Its scope/span of control.
    3. Discuss the type of information members would require for the committee to be successful in achieving its mandate.
    4. Document the member knowledge requirement in the mandate slide of the model template.

    Determine the right membership for your governance

    One of the biggest benefits of governance committees is the perspective provided by people from various parts of the organization, which helps to ensure technology investments are aligned with strategic goals. However, having too many people – or the wrong people – involved prevents the committee from being effective. Avoid this by following these principles.

    Three principles for selecting committee membership

    1. Determine membership based on responsibilities and required knowledge.
      Organizations often make the mistake of creating committees and selecting members before defining what they will do. This results in poor governance because members don’t have the knowledge required to make decisions. Define the mandate of the committee to determine which members are the right fit.
    2. Ensure members are accountable and authorized to make the decisions.
      Effective governance requires the members to have the authority and accountability to make decisions. This ensures meetings achieve their outcome and produce value, which improves the committee’s chances of survival.
    3. Select leaders who see the big picture.
      Often committee decisions and responsibilities become tangled in the web of organizational politics. Include people, often C-level, whose attendance is critical and who have the requisite knowledge, mindset, and understanding to put business needs ahead of their own.

    2.1.5 Update your committee processes

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Updated committee processes

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the committee details based on the changes you have made in goals, mandate, and responsibilities.
    2. Identify and document changes required to the committee outputs (outcomes) and adjust the consumer of the outputs to match.
    3. Review the high-level process steps required to get to the modified output. Add required activities or remove unnecessary ones. Review the process flow. Does it make sense? Are there unnecessary steps?
    4. Review and update inputs required for the process steps and update the information/data sources.
    5. Adjust the detailed process steps to reflect the work that needs to be done to support each high-level process step that changed.

    2.1.6 Adjust your associated policies

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the policies associated with the governing bodies in your base model. Identify the policies that apply to your organization, those that are missing, and those that are not necessary.
    2. Confirm the policies that you require.
    3. Make sure the policies and policy purposes (or risks and related behaviors the policy addresses) are matched to the governance committee that has responsibilities in that area. Move policies to the right committee.

    2.1.7 Adjust and confirm your governance model

    1. Confirm the adjustment of governance bodies, structure, and input/output linkages.
    2. Confirm revisions to decisions and responsibilities.
    3. Confirm policy and regulation/standards associations.
    4. Select related governance committee charters from the provided set and revise the charters to reflect the elements defined in your updated model.
    5. Finalize your governance model.

    Samples of slides related to adjusting and confirming governance models in the Governance Workbook.

    Step 2.2

    Identify and Document Your Governance Triggers

    Activities
    • 2.2.1 Identify and document update triggers
    • 2.2.2 Embed triggers into the review cycle

    This step will walk you through the following activities:

    Identify scenarios that will create a need to review or change your governance model.

    Update your review/update approach to receiving trigger notifications.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    What are governance triggers

    Governance triggers are organizational or environmental changes within or around an organization that are inflection points that start the review and revision of governance models to maintain their fit with the organization. This is the key to adaptive governance design.

    A target with five arrows sticking out of the bullseye, 'Operating Model', 'Business Strategy', 'Mandate Change', 'Management Practices', and 'Digital Transformation'.

    2.2.1 Identify and document update triggers

    30 minutes

    Input: Governance Workbook

    Output: Updated workbook with defined and documented governance triggers, points of origin, and integration

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Open the Governance Workbook to the “Triggers” slides.
    2. Review the list of governance triggers. Retain the ones that apply to your organization, remove those you feel are unnecessary, and add any change scenarios you feel should be included.
    3. Identify where you would receive notifications of these changes and the related processes or activities that would generate these notifications, if applicable.
    4. Document any points of integration required between governance processes and the source process. Highlight any where the integration is not currently in place.

    Sample of the 'Triggers' slide in the Governance Workbook.

    2.2.2 Embed triggers into the review cycle

    30 minutes

    Input: Governance model

    Output: Review cycle update

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify which triggers impact the entire governance model and which impact specific committees.
    2. Add an activity for triggered review of the impacted governance model into your governance committee process.

    Step 2.3

    Build Your Implementation Approach

    Activities
    • 2.3.1 Identify and document your implementation plan
    • 2.3.2 Build your roadmap
    • 2.3.3 Build your sunshine diagram

    This step will walk you through the following activities:

    Transfer changes to the Governance Implementation Plan Template.

    Determine the timing for the implementation phases.

    This step involves the following participants:

    • Senior IT leadership
    • Governance process owner

    Outcomes of this step

    Implementation plan for adaptive governance framework model

    Select and Refine Your Governance Model
    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    2.3.1 Identify and document your implementation plan

    60 minutes

    Input: Governance model, Guiding principles, Update triggers, Cultural factors and mitigations

    Output: Implementation roadmap

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. As a group, discuss the changes required to implement the governance model, the cultural items that need to be addressed, and the anticipated timing.
    2. Document the implementation activities and consolidate them into groupings/themes based on similarities or shared outcomes.
    3. Name the grouped themes for clarity and identify key dependencies between activities in each area and across themes.
    4. Identify and document your approach (e.g. continuous, phased) and high-level timeline for implementation.
    5. Document the themes and initiatives in the Governance Implementation Plan.

    Download the Governance Implementation Plan

    Illustrate the implementation plan using roadmaps

    Info-Tech recommends two different methods to roadmap the initiatives in your Governance Implementation Plan.

    Gantt Chart
    Sample of a Gantt Chart.

    This type of roadmap depicts themes, related initiatives, the associated goals, and exact start and end dates for each initiative. This diagram is useful for outlining a larger number of activities and initiatives and has an easily digestible and repeatable format.

    Sunshine Diagram
    Sample of a Sunshine Diagram.

    This type of roadmap depicts themes and their associated initiatives. The start and end dates for the initiatives are approximated based on years or phases. This diagram is useful for highlighting key initiatives on one page.

    2.3.2 Build your roadmap

    30 minutes

    Input: Governance themes and initiatives

    Output: roadmap visual

    Materials: Governance Roadmap Workbook, Governance Workbook

    Participants: CIO, IT senior leadership

    1. Open the Governance Implementation Plan and review themes and initiatives.
    2. Open the Governance Roadmap Workbook.
    3. Discuss whether the implementation roadmap should be developed as a Gantt chart, a sunshine diagram, or both.
      For the Gantt chart:
      • Input the roadmap start year and date.
      • Change the months and year in the Gantt chart to reflect the same roadmap start year.
      • Input and populate the planned start and end dates for the list of high-priority initiatives.

    Develop your Gantt chart in the Governance Roadmap Workbook

    2.3.3 Build your sunshine diagram

    30 minutes

    Input: Governance themes and initiatives

    Output: Sunshine diagram visual

    Materials: Whiteboard/flip charts, Markers, Governance Implementation Plan

    Participants: CIO, IT senior leadership

    1. Review your list of themes and initiatives.
    2. Build a model with “rays” radiating out from a central theme or objective.
    3. Using curved arcs, break the grid into timeline periods or phases.
    4. Complete your sunshine diagram in the Governance Implementation Plan.

    Customize your sunshine diagram in the Governance Implementation Plan

    Make Your IT Governance Adaptable

    Phase 3

    Embed and Automate

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Identify which decisions you are ready to automate.

    Identify standards and policies that can be embedded and automated.

    Identify integration points.

    Confirm data requirements to enable success.

    This phase involves the following participants:

    • IT senior leadership
    • Governance process owner
    • Product and service owners
    • Policy owners

    Step 3.1

    Identify Decisions to Embed and Automate

    Activities
    • 3.1.1 Review governance decisions and standards and the required level of authority
    • 3.1.2 Build your decision logic
    • 3.1.3 identify constraints and mitigation approaches
    • 3.1.4 Develop decision rules and principles

    This step will walk you through the following activities:

    Identify your key decisions.

    Develop your decision logic.

    Confirm decisions that could be automated.

    Identify and address constraints.

    Develop decision rules and principles.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Developed decision rules, rulesets, and principles that can be leveraged to automate governance

    Defined integration points

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    What is decision automation?

    Decision automation is the codifying of rules that connect the logic of how decisions are made with the data required to make those decisions. This is then embedded and automated into processes and the design of products and services.

    • It is well suited to governance where the same types of decisions are made on a recurring basis, using the same set of data. It requires clean, high-quality data to be effective.
    • Improvements in artificial intelligence (AI) and machine learning (ML) have allowed the creation of scenarios where a hybrid of rules and learning can improve decision outcomes.

    Key Considerations

    • Data Availability
    • Legality
    • Contingencies
    • Decision Transparency
    • Data Quality
    • Auditability

    How complexity impacts decisions

    Decision complexity impacts the type of rule(s) you create and the amount of data required. It also helps define where or if decisions can be automated.

    1. SIMPLE
      Known and repeatable with consistent and familiar outcomes – structured, causal, and easy to standardize and automate.
    2. COMPLICATED
      Less known and outcomes are not consistently repeatable. Expertise can drive standards and guidelines that can be used to automate decisions.
    3. COMPLEX
      Unknown and new, highly uncertain in terms of outcomes, impact, and data. Requires more exploration and data. Difficult to automate but can be built into the design of products and services.
    4. CHAOTIC
      Unstructured and unknown situation. Requires adaptive and immediate action without active data – requires retained human governance
    5. (Based on Dave Snowden’s Cynefin framework)

    Governance Automation Criteria Checklist

    The Governance Automation Criteria Checklist provides a view of key considerations for determining whether a governing activity or decision is a good candidate for automation.

    The criteria identify key qualifiers/disqualifiers to make it easier to identify eligibility.

    Sample of the Governance Automation Criteria Checklist.

    Download the Governance Automation Criteria Checklist

    Governance Automation Worksheet

    Sample of the Governance Automation Worksheet.

    The Governance Automation Worksheet provides a way to document your governance and systematically identify information about the decisions to help determine if automation is possible.

    From there, decision rules, logic, and rulesets can be designed in support of building a structure flow to allow for automation.

    Download the Governance Automation Worksheet

    3.1.1 Review governance decisions and standards and the required level of authority

    30 minutes

    Input: Automation Criteria Checklist, Governance Automation Worksheet, Updated governance model

    Output: Documented decisions and related authority, Selected options for automation, Updated Governance Automation Worksheet

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Identify the decisions that are made within each committee in your updated governance model and document them in the Governance Automation Worksheet.
    2. Confirm the level of authority required to make each decision.
    3. Review the automation checklist to confirm whether each decision is positioned well for automation.
    4. Select and document the decisions that are the strongest options for automation/embedding and document them in the Governance Automation Worksheet.

    What are decision rules?

    Decision rules provide specific instructions and constraints that must be considered in making decisions and are critical for automating governance.

    They provide the logical path to assess governance inputs to make effective decisions with positive business outputs.

    Inputs would include key information such as known risks, your defined prioritization matrix, portfolio value scoring, and compliance controls.

    Individual rules can be leveraged in different places.

    Some decision rule types are listed here.

    1. Statement Rules
      Natural expression of logical progression, written through logical elements
    2. Decision Tree Rules
      Decision tree with two axes that overlap to generate a decision
    3. Sequential Rules
      A sequence of decisions that move from one step to the next
    4. Expression Rule
      A particular set of rules triggered by a particular rule condition being met
    5. Truth table rules
      Combines many decision factors into one place; produces different outputs

    What are decision rulesets

    Rulesets are created to make complex decisions. Individual rule types are combined to create rulesets that are applied together to generate effective decisions. One rule will provide contextual information required for additional rules to execute in a Rule-Result-Rule-Result-Rule-Decision flow.

    A visualization of two separate rulesets made up of the decision rules on the previous slide. 'Ruleset 1' contains '1) Statement Rules', '2) Decision Tree Rules', and 5) Truth Table Rules'. 'Ruleset 2' contains '3) Sequential Rules' and '4) Expression Rule'.

    3.1.2 Build your decision logic

    30 minutes

    Input: Governance Automation Worksheet

    Output: Documented decision logic to support selected decision types and data requirements

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. For each selected decision, identify the principles that drive the considerations around the decision.
    2. For each decision, develop the decision logic by defining the steps and information inputs involved in making the decision and documenting the flow from beginning to end.
    3. Determine whether this is one specific decision or a combination of different decisions (in sequence or based on decisions).
    4. Name your decision rule.

    Sample of the Governance Automation Worksheet.

    3.1.3 Identify constraints and mitigation approaches

    60 minutes
    1. Document constraints to automation of decisions related to:
      • Availability of decision automation tools
      • Decision authority change requirements
      • Data constraints
      • Knowledge requirements
      • Process adjustment requirements
      • Product/service design levels
    2. Brainstorm and identify approaches to mitigate constraints and score based on likelihood of success.
    3. Identify mitigation owners and initial timeline expectations.
    4. Document the constraints and mitigations in the Governance Workbook on the constraints and mitigations slide.

    Sample of the 'Constraints and mitigations' slide of the 'Governance Workbook'.

    3.1.4 Develop decision rules and principles

    1.5-2 hours

    Input: Governance Automation Worksheet

    Output: Defined decision integration points, Confirmed data availability sets, Decision rules, rulesets, and principles with control indicators

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Review the decision logic for those decisions that you have confirmed for automation. Identify the processes where the decision should be executed.
    2. Associate each decision with specific process steps or stages or how it would be included in software/product design.
    3. For each selected decision, identify the availability of data required to support the decision logic and the level of complexity and apply governing principles.
    4. Create the decision rules and identify data gaps.
    5. Define the decision flow and create rulesets as needed.
    6. Confirm automation requirements and define control indicators.

    Step 3.2

    Plan Validation and Verification

    Activities
    • 3.2.1 Define verification approach for embedded and automated governance
    • 3.2.2 Define validation approach for embedded and automated governance

    This step will walk you through the following activities:

    Define how decision outcomes will be measured.

    Determine how the effectiveness of automated governance will be reported.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Tested and verified automation of decisions

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    Decision rule relationship through to verification

    1. Rules

    Focus on clear decision logic

    Often represented in simple statement types and supported by data:

    IF – THEN

    IF – AND – THEN

    IF – AND NOT – THEN

    2. Rulesets

    Aggregate rules for more complex decisions

    Integrated flows between different required rules:
    Rule 1:
    (Output 1) – Rule 2
    (Output 2) – Rule 6
    Rule 6: (Output 1) – Rule 7
    3. Rule Attestation

    Verify success of automated decisions

    Attestation of embedded and automated rules with key control indicators embedded within process and products.

    Principles embedded into automated software controls.

    3.2.1 Define verification approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: A defined measurement of effective decision outcomes, Approach to automate and/or report the effectiveness of automated governance

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Verify

    1. Confirm expected outcome of rules.
    2. Select a sampling of new required decisions or recently performed decisions related to areas of automation.
    3. Run the decisions through the decision rules or rule groupings that were developed and compare to parallel decisions made using the traditional approach. (These must be segregated activities.)
    4. Review the outcome of the rules and adjust based on the output. Identify areas of adjustment. Confirm that the automation meets your requirements.

    3.2.2 Define validation approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: Defined assurance and attestation requirements, Key control indicators that can be automated

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Validate

    1. Develop an approach to measure automated decisions. Align success criteria to current governance KPIs and metrics.
    2. If no such metrics exist, define expected outcome. Define key risk indicators based on the expected points of automation.
    3. Establish quality assurance checkpoints within the delivery lifecycles to adjust for variance.
    4. Create triggers back to rule owners to drive changes and improvements to rules and rule groupings.

    Step 3.3

    Update Implementation Plan

    Activities
    • 3.3.1 Finalize the implementation plan

    This step will walk you through the following activities:

    Review implications and mitigations to make sure all have been considered.

    Finalize the implementation plan and roadmap.

    This step involves the following participants:

    • Senior IT leadership

    Outcomes of this step

    Completed Governance implementation plan and roadmap

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    3.3.1 Finalize the implementation plan

    30 minutes

    Input: Governance workbook, Updated governance model, Draft implementation plan and roadmap

    Output: Finalized implementation plan and roadmap

    Materials: Whiteboard/flip charts, Governance Implementation Plan

    Participants: IT senior leadership

    1. Document automation activities within phases in a governance automation theme in the Governance Implementation Plan.
    2. Review timelines in the implementation plan and where automation fits within the roadmap.
    3. Updated the implementation plan and roadmap.

    Governance Implementation Plan

    Summary of Accomplishment

    Problem Solved

    Through this project we have:

    • Improved your governance model to ensure a better fit for your organization, while creating adaptivity for the future.
    • Ensured your governance operates as an enabler of success with the proper bodies and levels of authority established.
    • Established triggers to ensure your governance model is actively adjusted to maintain its fit.
    • Developed a plan to embed and automate governance.
    • Created decision rules and principles and identified where to embed them within your practices.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Valence Howden.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Related Info-Tech Research

    Improve IT Governance to Drive Business Results

    Avoid bureaucracy and achieve alignment with a minimalist approach. Align with your organizational context.

    Establish Data Governance

    Establish data trust and accountability with strong governance.

    Maximize Business Value From IT Through Benefits Realization

    Embed value and alignment confirmation into your governance to ensure you optimize IT value achievement for resource spend.

    Build a Better Product Owner

    Strengthen the product/service owner role in your organization by focusing on core capabilities and proper alignment.

    Research contributors and experts

    Photo of Sidney Hodgson, Senior Director, Industry, Info-Tech Research Group. Sidney Hodgson
    Senior Director, Industry
    Info-Tech Research Group
    • Sidney has over 30 years of experience in IT leadership roles as CIO of three organizations in Canada and the US as well as international consulting experience in the US and Asia.
    • Sid has a breadth of knowledge in IT governance, project management, strategic and operational planning, enterprise architecture, business process re-engineering, IT cost reduction, and IT turnaround management.
    Photo of David Tomljenovic, Principal Research Advisor, Industry, Info-Tech Research Group. David Tomljenovic
    Principal Research Advisor, Industry
    Info-Tech Research Group
    • David brings extensive experience from the Financial Services sector, having worked 25 years on Bay Street. Most recently he was a Corporate Finance and Strategy Advisor for Infiniti Labs (Toronto/Hong Kong), Automotive, and Smart City Accelerator, where he provided financial and mergers & acquisitions advisory services to accelerator participants with a focus on early-stage fundraising activities.

    Research contributors and experts

    Photo of Cole Cioran, Practice Lead, Applications and Agile Development, Info-Tech Research Group. Cole Cioran
    Practice Lead, Applications and Agile Development
    Info-Tech Research Group
    • Over the past 25 years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.
    Photo of Crystal Singh, Research Director, Applications – Data and Information Management, Info-Tech Research Group. Crystal Singh
    Research Director, Applications – Data and Information Management
    Info-Tech Research Group
    • Crystal brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

    Research contributors and experts

    Photo of Carlene McCubbin, Practice Lead, CIO, Info-Tech Research Group. Carlene McCubbin
    Practice Lead, CIO
    Info-Tech Research Group
    • Carlene covers key topics in organization and leadership and specializes in governance, organizational design, relationship management, and human capital development. She led the development of Info-Tech’s Organization and Leadership practice.
    Photo of Denis Goulet, Senior Workshop Director, Info-Tech Research Group. Denis Goulet
    Senior Workshop Director
    Info-Tech Research Group
    • Denis is a transformational leader and experienced strategist who focuses on helping clients communicate, relate, and adapt for success. Having developed Governance Model and IT strategies in organizations ranging from small to billion-dollar multi-nationals, he firmly believes in a collaborative value-driven approach to work.

    Bibliography

    “2020 State of Data Governance and Automation Report.” Erwin.com, 28 Jan. 2020. Web.

    “Adaptive IT Governance.” Google search, 15 Nov. 2020.

    “Adaptive IT Governance Framework.” CIO Index, 3 Nov. 2011. Accessed 15 Nov. 2020.

    “Agile Governance Made Easy.” Agilist, n.d. Accessed 15 Nov. 2020.

    “Automating Governance — Our Work.” Humanising Machine Intelligence, n.d. Accessed 15 Nov. 2020.

    “Automation – Decisions.” IBM, 2020. Accessed 15 Oct. 2020.

    Chang, Charlotte. “Accelerating Agile through effective governance.” Medium, 22 Sept. 2020. Web.

    “COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

    COBIT 2019. ISACA, Dec. 2018. Web.

    Curtis, Blake. “The Value of IT Governance.” ISACA, 29 June 2020. Accessed 15 Nov. 2020.

    De Smet, Aaron. “Three Keys to Faster, Better Decisions.” McKinsey & Company, 1 May 2019. Accessed 15 Nov. 2020.

    “Decision Rules and Decision Analysis.” Navex Global, 2020. Web.

    “Decisions Automation with Business Rules Management Solution.” Sumerge, 4 Feb. 2020. Accessed 15 Nov. 2020.

    “DevGovOps – Key factors for IT governance for enterprises in a DevOps world.” Capgemini, 27 Sept. 2019. Web.

    Eisenstein, Lena. “IT Governance Checklist.” BoardEffect, 19 Feb. 2020. Accessed 15 Nov. 2020.

    “Establishing Effective IT and Data Governance.” Chartered Professional Accountants Canada, n.d. Accessed 15 Nov. 2020.

    Gandzeichuk, Ilya. “Augmented Analytics: From Decision Support To Intelligent Decision-Making.” Forbes, 8 Jan. 2020. Accessed 15 Nov. 2020.

    Georgescu, Vlad. “What Is IT Governance? Understanding From First Principles.” Plutora, 18 Oct. 2019. Web.

    Goodwin, Bill. “IT Governance in the Era of Shadow IT.” ComputerWeekly, 5 Aug. 2014. Accessed 15 Nov. 2020.

    “Governance of IT, OT and IOT.” ISACA Journal, 2019. Web.

    Gritsenko, Daria, and Matthew Wood. “Algorithmic Governance: A Modes of Governance Approach.” Regulation & Governance, 10 Nov. 2020. Web.

    Hansert, Philipp. “Adaptive IT Governance with Clausmark’s Bee4IT.” Bee360, 25 Oct. 2019. Accessed 15 Nov. 2020.

    Havelock, Kylie. “What Does Good Product Governance Look Like?” Medium. 8 Jan. 2020. Web.

    Haven, Dolf van der. “Governance of IT with ISO 38500 - A More Detailed View” LinkedIn article, 24 Oct. 2016. Accessed 15 Nov. 2020.

    Hong, Sounman, and Sanghyun Lee. “Adaptive Governance and Decentralization: Evidence from Regulation of the Sharing Economy in Multi-Level Governance.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 299–305. Web.

    ISACA. “Monthly Seminar & Networking Dinner: CIO Dashboard.” Cvent, Feb. 2012. Accessed 15 Nov. 2020.

    ISO/IEC 38500, ISO, 2018 and ongoing.

    “IT Governance.” Kenway Consulting, n.d. Accessed 15 Nov. 2020.

    “IT Governance in the Age of COVID 19.” Union of Arab Banks Webinar, 19-21 Oct. 2020. Accessed 15 Nov. 2020.

    Jaffe, Dennis T. “Introducing the Seven Pillars of Governance.” Triple Pundit, 15 Nov. 2011. Accessed 15 Nov. 2020.

    Janssen, Marijn, and Haiko van der Voort. “Agile and Adaptive Governance in Crisis Response: Lessons from the COVID-19 Pandemic.” International Journal of Information Management, vol. 55, December 2020. Web.

    Jodya, Tiffany. “Automating Enterprise Governance within Delivery Pipelines.” Harness.io, 14 May 2020. Web.

    Kumar, Sarvesh. “AI-Based Decision-Making Automation.” Singular Intelligence, 17 June 2019. Web.

    “Lean IT Governance.” Disciplined Agile, n.d. Accessed 15 Nov. 2020.

    Lerner, Mark. “Government Tech Projects Fail by Default. It Doesn’t Have to Be This Way.” Belfer Center for Science and International Affairs, 21 Oct. 2020. Accessed 15 Nov. 2020.

    Levstek, Aleš, Tomaž Hovelja, and Andreja Pucihar. “IT Governance Mechanisms and Contingency Factors: Towards an Adaptive IT Governance Model.” Organizacija, vol. 51, no. 4, Nov. 2018. Web.

    Maccani, Giovanni, et al. “An Emerging Typology of IT Governance Structural Mechanisms in Smart Cities.” Government Information Quarterly, vol. 37, no. 4, Oct. 2020. Web.

    Magowan, Kirstie. “IT Governance vs IT Management: Mastering the Differences.” BMC Blogs, 18 May 2020. Accessed 15 Nov. 2020.

    Mazmanian, Adam. “Is It Time to Rethink IT Governance? ” Washington Technology, 26 Oct. 2020. Accessed 15 Nov. 2020.

    Mukherjee, Jayanto. “6 Components of an Automation (DevOps) Governance Model.” Sogeti, n.d. Accessed 15 Nov. 2020.

    Ng, Cindy. “The Difference Between Data Governance and IT Governance.” Inside Out Security, updated 17 June 2020. Web.

    Pearson, Garry. “Agile or Adaptive Governance Required?” Taking Care of the Present (blog), 30 Oct. 2020. Accessed 15 Nov. 2020.

    Peregrine, Michael, et al. “The Long-Term Impact of the Pandemic on Corporate Governance.” Harvard Law School Forum on Corporate Governance, 16 July 2020. Web.

    Raymond, Louis, et al. “Determinants and Outcomes of IT Governance in Manufacturing SMEs: A Strategic IT Management Perspective.” International Journal of Accounting Information Systems, vol. 35, December 2019. Web.

    Rentrop, Christopher. “Adaptive IT Governance – Foundation of a Successful Digitalization.” Business IT Cooperation Coordination Controlling (blog). May 2, 2018. Web.

    Schultz, Lisen, et al. “Adaptive Governance, Ecosystem Management, and Natural Capital.” Proceedings of the National Academy of Sciences, vol. 112, no. 24, 2015, pp. 7369–74. Web.

    Selig, Gad J. Implementing IT Governance: A Practical Guide to Global Best Practices in IT Management. Van Haren Publishing, 2008. Accessed 15 Nov. 2020.

    Sharma, Chiatan. “Rule Governance for Enterprise-Wide Adoption of Business Rules: Why Does a BRMS Implementation Need a Governance Framework?” Business Rules Journal, vol. 13, no. 4, April 2012. Accessed 15 Nov. 2020.

    Smallwood, Robert. “Information Governance, IT Governance, Data Governance – What’s the Difference?” The Data Administration Newsletter, 3 June 2020. Accessed 15 Nov. 2020.

    Snowden, Dave. "Cynefin – weaving sense-making into the fabric of our world", Cognitive Edge, 20 October 2020.

    “The Place of IT Governance in the Enterprise Governance.” Institut de la Gouvernance des Systemes d’Information, 2005. Accessed 15 Nov. 2020.

    Thomas, Mark. “Demystifying IT Governance Roles in a Dynamic Business Environment.” APMG International, 29 Oct. 2020. Webinar. Accessed 15 Nov. 2020.

    “The Four Pillars of Governance Best Practice.” The Institute of Directors in New Zealand, 4 Nov. 2019. Web.

    Wang, Cancan, Rony Medaglia, and Lei Zheng. “Towards a Typology of Adaptive Governance in the Digital Government Context: The Role of Decision-Making and Accountability.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 306–22.

    Westland, Jason. “IT Governance: Definitions, Frameworks and Planning.” ProjectManager.com, 17 Dec. 2019. Web.

    Wilkin, Carla L., and Jon Riddett. “IT Governance Challenges in a Large Not-for-Profit Healthcare Organization: The Role of Intranets.” Electronic Commerce Research vol. 9, no. 4, 2009, pp. 351-74. Web.

    Zalnieriute, Monika, et al. “The Rule of Law and Automation of Government Decision Making.” Modern Law Review, 25 Feb. 2019. Web.

    Mature and Scale Product Ownership

    • Buy Link or Shortcode: {j2store}145|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $21,919 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Product owners must bridge the gap between the customers, operations, and delivery to ensure products continuously deliver increasing value.
    • Product owners are often assigned to projects or product delivery without proper support, guidance, or alignment.
    • In many organizations, the product owner role is not well-defined, serves as a proxy for stakeholder ownership, and lacks reinforcement of the key skills needed to be successful.

    Our Advice

    Critical Insight

    A product owner is the CEO for their product. Successful product management starts with empowerment and accountability. Product owners own the vision, roadmap, and value realization for their product or family aligned to enterprise goals and priorities.

    • Product and service ownership share the same foundation - underlying capabilities and best practices to own and improve a product or service are identical for both roles. Use the terms that make the most sense for your culture.
    • Product owners represent three primary perspectives: Business (externally facing), Technical (systems and tools), or Operational (manual processes). Although all share the same capabilities, how they approach their responsibilities is influenced by their primary perspective.
    • Product owners are operating under an incomplete understanding of the capabilities needed to succeed. Most product/service owners lack a complete picture of the needed capabilities, skills, and activities to successfully perform their roles.

    Impact and Result

    • Create a culture of product management trust and empowerment with product owners aligned to your operational structure and product needs.
    • Promote and develop true Agile skills among your product owners and family managers.
    • Implement Info-Tech’s product owner capability model to define the role expectations and provide a development path for product owners.

    Mature and Scale Product Ownership Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Mature and Scale Product Ownership Storyboard – Establish a culture of success for product management and mature product owner capabilities.

    Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

  • Establish a foundation for empowerment and success.
  • Assign and align product owners with products and stakeholders.
  • Mature product owner capabilities and skills.
    • Mature and Scale Product Ownership Storyboard

    2. Mature and Scale Product Ownership Readiness Assessment – Determine your readiness for a product-centric culture based on Info-Tech’s CLAIM+G model.

    Using Info-Tech’s CLAIM model, quickly determine your organization’s strengths and weaknesses preparing for a product culture. Use the heat map to identify key areas.

    • Mature and Scale Product Ownership Readiness Assessment

    3. Mature and Scale Product Ownership Playbook – Playbook for product owners and product managers.

    Use the blueprint exercises to build your personal product owner playbook. You can also use the workbook to capture exercise outcomes.

    • Mature and Scale Product Ownership Playbook

    4. Mature and Scale Product Ownership Workbook – Workbook for product owners and product managers.

    Use this workbook to capture exercise outcomes and transfer them to your Mature and Scale Product Ownership Playbook (optional).

    • Mature and Scale Product Ownership Workbook

    5. Mature and Scale Product Ownership Proficiency Assessment – Determine your current proficiency and improvement areas.

    Product owners need to improve their core capabilities and real Agile skills. The assessment radar will help identify current proficiency and growth opportunities.

    • Mature and Scale Product Ownership Proficiency Assessment
    [infographic]

    Workshop: Mature and Scale Product Ownership

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the foundation for product ownership

    The Purpose

    Establish the foundation for product ownership.

    Key Benefits Achieved

    Product owner playbook with role clarity and RACI.

    Activities

    1.1 Define enablers and blockers of product management.

    1.2 Define your product management roles and names.

    1.3 Assess your product management readiness.

    1.4 Identify your primary product owner perspective.

    1.5 Define your product owner RACI.

    Outputs

    Enablers and blockers

    Role definitions.

    Product culture readiness

    Product owner perspective mapping

    Product owner RACI

    2 Align product owners to products

    The Purpose

    Align product owners to products.

    Key Benefits Achieved

    Assignment of resources to open products.

    A stakeholder management strategy.

    Activities

    2.1 Assign resources to your products and families.

    2.2 Visualize relationships to identify key influencers.

    2.3 Group stakeholders into categories.

    2.4 Prioritize your stakeholders.

    Outputs

    Product resource assignment

    Stakeholder management strategy

    Stakeholder management strategy

    Stakeholder management strategy

    3 Mature product owner capabilities

    The Purpose

    Mature product owner capabilities.

    Key Benefits Achieved

    Assess your Agile product owner readiness

    Assess and mature product owner capabilities

    Activities

    3.1 Assess your real Agile skill proficiency.

    3.2 Assess your vison capability proficiency.

    3.3 Assess your leadership capability proficiency.

    3.4 Assess your PLM capability proficiency.

    3.5 Assess your value realization capability proficiency.

    3.6 Identify your business value drivers and sources of value.

    Outputs

    Real Agile skill proficiency assessment

    Info-Tech’s product owner capability model proficiency assessment

    Info-Tech’s product owner capability model proficiency assessment

    Info-Tech’s product owner capability model proficiency assessment

    Info-Tech’s product owner capability model proficiency assessment

    Business value drivers and sources of value

    Further reading

    Mature and Scale Product Ownership

    Strengthen the product owner’s role in your organization by focusing on core capabilities and proper alignment.

    Executive Brief

    Analyst Perspective

    Empower product owners throughout your organization.

    Hans Eckman

    Whether you manage a product or service, the fundamentals of good product ownership are the same. Organizations need to focus on three key elements of product ownership in order to be successful.

    • Create an environment of empowerment and service leadership to reinforce product owners and product family managers as the true owners of the vision, improvement, and realized the value of their products.
    • Align product and product family owner roles based on operational alignment and the groups defined when scaling product management.
    • Develop your product owners to improve the quality of roadmaps, alignment to enterprise goals, and profit and loss (P&L) for each product or service.

    By focusing the attention of the teammates serving in product owner or service owner roles, your organization will deliver value sooner and respond to change more effectively.

    Hans Eckman

    Principal Research Director – Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Product owners must bridge the gap between the customers, operations, and delivery to ensure products continuously deliver increasing value.

    Product owners are often assigned to projects or product delivery without proper support, guidance, or alignment.

    In many organizations the product owner role is not well-defined, serves as a proxy for stakeholder ownership, and lacks reinforcement of the key skills needed to be successful.

    Common Obstacles

    Organizations have poor alignment or missing product owners between lines of business, IT, and operations.

    Product owners are aligned to projects and demand management rather than long-term strategic product ownership.

    Product families are not properly defined, scaled, and supported within organizations.

    Individuals in product owner roles have an incomplete understanding of needed capabilities and lack a development path.

    Info-Tech's Approach

    Create a culture of product management trust and empowerment with product owners aligned to your operational structure and product needs.

    Promote and develop true Agile skills among your product owners and family managers.

    Implement Info-Tech’s product owner capability model to define the role expectations and provide a development path for product owners.

    Extend product management success using Deliver on Your Digital Product Vision and Deliver Digital Products at Scale.

    Info-Tech Insight

    There is no single correct approach to product ownership. Product ownership must be tuned and structured to meet the delivery needs of your organization and the teams it serves.

    Info-Tech’s Approach

    Product owners make the final decision

    • Establish a foundation for empowerment and success
    • Assign product owners and align with products and stakeholders
    • Mature product owner capabilities and skills
    Product Owner capabilities: Vision, Product Lifecycle Management, Leadership, Value Realization

    The Info-Tech difference

    1. Assign product owners where product decisions are needed, not to match org charts or delivery teams. The product owner has the final word on product decisions.
    2. Organize product owners into related teams to ensure product capabilities delivered are aligned to enterprise strategy and goals.
    3. Shared products and services must support the needs of many product owners with conflicting priorities. Shared service product owners must map and prioritize demand to align to enterprise priorities and goals.
    4. All product owners share the same capability model.

    Insight summary

    There is no single correct approach to product ownership

    Successful product management starts with empowerment and accountability. Product owners own the vision, roadmap, and value realization for their product or family aligned to enterprise goals and priorities.

    Phase 1 insight

    Product owners represent three primary perspectives: business (external-facing), technical (systems and tools), or operational (manual processes). Although all share the same capabilities, how they approach their responsibilities is influenced by their primary perspective.

    Phase 2 insight

    Start with your operational grouping of products and families, identifying where an owner is needed. Then, assign people to the products and families. The owner does not define the product or family.

    Phase 3 insight

    Product owners are operating under an incomplete understanding of the capabilities needed to succeed. Most product/service owners lack a complete picture of the needed capabilities, skills, and activities to successfully perform their roles.

    Product and service ownership share the same foundation

    The underlying capabilities and best practices to own and improve a product or service are identical for both roles. Use the terms that make the most sense for your culture.

    Map product owner roles to your existing job titles

    Identify where product management is needed and align expectations with existing roles. Successful product management does not require a dedicated job family.

    Projects can be a mechanism for funding product changes and improvements

    Projects can be a mechanism for funding product changes and improvements. Shows difference of value for project life-cycles, hybrid life-cycles, and product life-cycles.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    You go through a period or periods of project-like development to build a version of an application or product.

    You also have parallel services along with your project development, which encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

    Product and services owners share the same foundation and capabilities

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. The term “product” is used for consistency but would apply to services, as well.

    Product = Service

    Common foundations: Focus on continuous improvement, ROI, and value realization. Clear vision, goals, roadmap, and backlog.

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the product owner perspectives

    The 3 product owner perspectives. 1. Business: Customer-facing, value-generating. 2. Technical: IT systems and tools. 3. Operations: Keep-the-lights-on processes.

    Product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their primary perspective.

    Info-Tech Insight

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Match your product management role definitions to your product family levels

    Product ownership exists at the different operational tiers or levels in your product hierarchy. This does not imply a management relationship.

    Product portfolio

    Groups of product families within an overall value stream or capability grouping.

    Project portfolio manager

    Product family

    A collection of related products. Products can be grouped along architectural, functional, operational, or experiential patterns.

    Product family manager

    Product

    Single product composed of one or more applications and services.

    Product owner

    Info-Tech Insight

    Define the current roles that will perform the product management function or define consistent role names to product owners and managers.

    Align enterprise value through product families

    Product families are operational groups based on capabilities or business functions. Product family managers translate goals, priorities, and constraints so they are actionable at the next level. Product owners prioritize changes to enhance the capabilities that allow you to realize your product family. Enabling capabilities realize value and help reach your goals.

    Understand special circumstances

    In Deliver Digital Products at Scale, products were grouped into families using Info-Tech’s five scaling patterns. Assigning owners to Enterprise Applications and Shared Services requires special consideration.

    Value stream alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products

    Enterprise applications

    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > Modules Supporting: Job board, healthcare administrator

    Shared Services

    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools

    Technical

    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network

    Organizational alignment

    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure is no longer needed because the management team owns the product management role

    Map sources of demand and influencers

    Use the stakeholder analysis to define the key stakeholders and sources of demand for enterprise applications and shared services. Extend your mapping to include their stakeholders and influencers to uncover additional sources of demand and prioritization.

    Map of key stakeholders for enterprise applications and shared services.

    Info-Tech Insight

    Your product owner map defines the influence landscape your product operates. It is every bit as important as the teams who enhance, support and operate your product directly.

    Combine your product owner map with your stakeholder map to create a comprehensive view of influencers.

    The primary value of the product owner is to fill the backlog with the highest ROI opportunities aligned with enterprise goals.

    Info-Tech Insight

    The product owner owns the direction of the product.

    • Roadmap - Where are we going?
    • Backlog - What changes are needed to get there?
    • Product review - Did we get close enough?

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    Product strategy includes: Vision, Goals, Roadmap, backlog and Release plan.

    Product family owners are more strategic

    When assigning resources, recognize that product family owners will need to be more strategic with their planning and alignment of child families and products.

    Product family owners are more strategic. They require a roadmap that is strategic, goal-based, high-level, and flexible.

    Info-Tech Insight

    Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.

    Connecting your product family roadmaps to product roadmaps

    Your product and product family roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but it can be done at a more granular level if an understanding of capabilities isn’t available.

    Product family roadmap versus Product Roadmaps.

    Develop a product owner stakeholder strategy

    Stakeholder management, Product lifecycle, Project delivery, Operational support.

    Stakeholders are a critical cornerstone to product ownership. They provide the context, alignment, and constraints that influence or control what a product owner can accomplish.

    Product owners operate within a network of stakeholders who represent different perspectives within the organization.

    First, product owners must identify members of their stakeholder network. Next, they should devise a strategy for managing stakeholders.

    Without a stakeholder strategy, product owners will encounter obstacles, resistance, or unexpected changes.

    Create a stakeholder network map to product roadmaps and prioritization

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers, to uncover hidden stakeholders.

    Stakeholder network map defines the influence landscape your product operates. Connectors determine who may be influencing your direct stakeholders.

    Info-Tech Insight

    Your stakeholder map defines the influence landscape your product operates. It is every bit as important as the teams who enhance, support and operate your product directly.

    Use “connectors” to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantive relationships with your stakeholders.

    Being successful at Agile is more than about just doing Agile

    The following represents the hard skills needed to “Do Agile”:

    Being successful at Agile needs 4 hard skills: 1. Engineering skills, 2. Technician Skills, 3. Framework/Process skills, 4. Tools skills.
    • Engineering skills. These are the skills and competencies required for building brand-new valuable software.
    • Technician skills. These are the skills and competencies required for maintaining and operating the software delivered to stakeholders.
    • Framework/Process skills. These are the specific knowledge skills required to support engineering or technician skills.
    • Tools skills. This represents the software that helps you deliver other software.

    While these are important, they are not the whole story. To effectively deliver software, we believe in the importance of being Agile over simply doing Agile.

    Adapted from: “Doing Agile” Is Only Part of the Software Delivery Pie

    Why focus on core skills?

    They are the foundation to achieve business outcomes

    Skills, actions, output and outcomes

    The right skills development is only possible with proper assessment and alignment against outcomes.

    Focus on these real Agile skills

    Agile skills

    • Accountability
    • Collaboration
    • Comfort with ambiguity
    • Communication
    • Empathy
    • Facilitation
    • Functional decomposition
    • Initiative
    • Process discipline
    • Resilience

    Product capabilities deliver value

    As a product owner, you are responsible for managing these facets through your capabilities and activities.

    The core product and value stream consists of: Funding - Product management and governance, Business functionality - Stakeholder and relationship management, and Technology - Product delivery.

    Info-Tech Best Practice

    It is easy to lose sight of what matters when we look at a product from a single point of view. Despite what "The Agile Manifesto" says, working software is not valuable without the knowledge and support that people need in order to adopt, use, and maintain it. If you build it, they will not come. Product owners must consider the needs of all stakeholders when designing and building products.

    Recognize product owner knowledge gaps

    Pulse survey of product owners

    Pulse survey of product owners. Graph shows large percentage of respondents have alignment to common agile definition of product owners. Yet a significant perception gap in P&L, delivery, and analytics.

    Info-Tech Insight

    1. Less than 15% of respondents identified analytics or financial management as a key component of product ownership.
    2. Assess your product owner’s capabilities and understanding to develop a maturity plan.

    Source: Pulse Survey (N=18)

    Implement the Info-Tech product owner capability model

    Unfortunately, most product owners operate with incomplete knowledge of the skills and capabilities needed to perform the role. Common gaps include focusing only on product backlogs, acting as a proxy for product decisions, and ignoring the need for key performance indicators (KPIs) and analytics in both planning and value realization.

    Product Owner capabilities: Vision, Product Lifecycle Management, Leadership, Value Realization

    Vision

    • Market Analysis
    • Business Alignment
    • Product Roadmap

    Leadership

    • Soft Skills
    • Collaboration
    • Decision Making

    Product Lifecycle Management

    • Plan
    • Build
    • Run

    Value Realization

    • KPIs
    • Financial Management
    • Business Model

    Product owner capabilities provide support

    Vision predicts impact of Value realization. Value realization provides input to vision

    Your vision informs and aligns what goals and capabilities are needed to fulfill your product or product family vision and align with enterprise goals and priorities. Each item on your roadmap should have corresponding KPIs or OKRs to know how far you moved the value needle. Value realization measures how well you met your target, as well as the impacts on your business value canvas and cost model.

    Product lifecycle management builds trust with Leadership. Leadership improves quality of Product lifecycle management.

    Your leadership skills improve collaborations and decisions when working with your stakeholders and product delivery teams. This builds trust and improves continued improvements to the entire product lifecycle. A product owner’s focus should always be on finding ways to improve value delivery.

    Product owner capabilities provide support

    Leadership enhances Vision. Vision Guides Product Lifecycle Management. Product Lifecycle Management delivers Value Realization. Leadership enhances Value Realization

    Develop product owner capabilities

    Each capability: Vision, Product lifecycle management, Value realization and Leadership has 3 components needed for successful product ownership.

    Avoid common capability gaps

    Vision

    • Focusing solely on backlog grooming (tactical only)
    • Ignoring or failing to align product roadmap to enterprise goals
    • Operational support and execution
    • Basing decisions on opinion rather than market data
    • Ignoring or missing internal and external threats to your product

    Leadership

    • Failing to include feedback from all teams who interact with your product
    • Using a command-and-control approach
    • Viewing product owner as only a delivery role
    • Acting as a proxy for stakeholder decisions
    • Avoiding tough strategic decisions in favor of easier tactical choices

    Product lifecycle management

    • Focusing on delivery and not the full product lifecycle
    • Ignoring support, operations, and technical debt
    • Failing to build knowledge management into the lifecycle
    • Underestimating delivery capacity, capabilities, or commitment
    • Assuming delivery stops at implementation

    Value realization

    • Focusing exclusively on “on time/on budget” metrics
    • Failing to measure a 360-degree end-user view of the product
    • Skipping business plans and financial models
    • Limiting financial management to project/change budgets
    • Ignoring market analysis for growth, penetration, and threats

    Your product vision is your North Star

    It's ok to dream a little!

    Who is the target customer, what is the key benefit, what do they need, what is the differentiator

    Adapted from: Crossing the Chasm

    Info-Tech Best Practice

    A product vision shouldn’t be so far out that it doesn’t feel real or so short-term that it gets bogged down in minutiae and implementation details. Finding the right balance will take some trial and error and will be different for each organization.

    Leverage the product canvas to state and inform your product vision

    Leverage the product Canvas to state and inform your product vision. Includes: Product name, Tracking info, Vision, List of business objectives or goals, Metrics used to measure value realization, List of groups who consume the product/service, and List of key resources or stakeholders.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Use a balanced value to establish a common definition of goals and value

    Value drivers are strategic priorities aligned to our enterprise strategy and translated through our product families. Each product and change has an impact on the value driver helping us reach our enterprise goals.

    Importance of the value driver multiplied by the Impact of value score is equal to the Value score.

    Info-Tech Insight

    Your value drivers and impact helps estimate the expected value of roadmap items, prioritize roadmap and backlog items, and identify KPIs and OKRs to measure value realization and actual impact.

    Use CLAIM to guide your journey

    Culture, Learning, Automation, Integrated teams, Metrics and governance.

    Value is best created by self-managing teams who deliver in frequent, short increments supported by leaders who coach them through challenges.

    Product-centric delivery and Agile are a radical change in how people work and think. Structured, facilitated learning is required throughout the transformation to help leaders and practitioners make the shift.

    Product management, Agile, and DevOps have inspired SDLC tools that have become a key part of delivery practices and work management.

    Self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of product-centric delivery.

    Successful implementations require the disciplined use of metrics that support developing better teams

    Communicate reasons for changes and how they will be implemented

    Five elements of communicating change: What is the change? Why are we doing it? How are we going to go about it? How long will it take us to do it? What will the role be for each department individual?

    Leaders of successful change spend considerable time developing a powerful change message; that is, a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.

    The organizational change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how the change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.

    Info-Tech’s methodology for mature and scale product ownership

    Phase steps

    1. Establish the foundation for product ownership

    Step 1.1 Establish an environment for product owner success

    Step 1.2 Establish your product ownership model

    2. Align product owners to products

    Step 2.1 Assign product owners to products

    Step 2.2 Manage stakeholder influence

    3. Mature product owner capabilities

    Step 3.1 Assess your Agile product owner readiness

    Step 3.2 Mature product owner capabilities

    Phase outcomes

    1.1.1 Define enablers and blockers of product management

    1.1.2 Define your product management roles and names

    1.2.1 Identify your primary product owner perspective

    1.2.2 Define your product owner RACI

    2.1.1 Assign resources to your products and families

    2.2.1 Visualize relationships to identify key influencers

    2.2.2 Group stakeholders into categories

    2.2.3 Prioritize your stakeholders

    3.1.1 Assess your real Agile skill proficiency

    3.2 Mature product owner capabilities

    3.2.1 Assess your vision capability proficiency

    3.2.2 Assess your leadership capability proficiency

    3.2.3 Assess your PLM capability proficiency

    3.2.4 Identify your business value drivers and sources of value

    3.2.5 Assess your value realization capability proficiency

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Key deliverable

    Mature and Scale Product Ownership Playbook

    Capture and organize the outcomes of the activities in the workbook.

    Mature and Scale Product Ownership Workbook

    The workbook helps organize and communicate the outcomes of each activity.

    Mature and Scale Product Ownership Readiness Assessment

    Determine your level of mastery of real Agile skills and product owner capabilities.


    Blueprint benefits

    IT benefits

    • Competent product owner who can support teams operating in any delivery methodology.
    • Representative viewpoint and input from the technical and operational product owner perspectives.
    • Products aligned to business needs and committed work are achievable.
    • Single point of contact with a business representative.
    • Acceptance of product owner role outside the Scrum teams.

    Business benefits

    • Better alignment to enterprise goals, vision, and outcomes.
    • Improved coordination with stakeholders.
    • Quantifiable value realization tied to vision.
    • Product decisions made at the right time and with the right input.
    • Product owner who has the appropriate business, operations, and technical knowledge.

    Measure the value of this blueprint

    Align product owner metrics to product delivery and value realization.

    Member outcome

    Suggested Metric

    Estimated impact

    Increase business application satisfaction Satisfaction of business applications (CIO BV Diagnostic) 20% increase within one year after implementation
    Increase effectiveness of application portfolio management Effectiveness of application portfolio management (M&G Diagnostic) 20% increase within one year after implementation
    Increase importance and effectiveness of application portfolio Importance and effectiveness to business (APA Diagnostic) 20% increase within one year after implementation
    Increase satisfaction of support of business operations Support to business (CIO BV Diagnostic) 20% increase within one year after implementation
    Successfully deliver committed work (productivity) Number of successful deliveries; burndown Reduction in project implementation overrun by 20%

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project"

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Establish the Foundation for Product Ownership

    Phase 2 Align Product Owners to Products

    Phase 3 Mature Product Owner Capabilities

    • Call #1:
      Scope objectives and your specific challenges
    • Call #2:
      Step 1.1 Establish an environment for product owner success
      Step 1.2 Establish your product ownership model
    • Call #3:
      Step 2.1 Assign product owners to products
    • Call #4:
      Step 2.2 Manage stakeholder influence
    • Call #5:
      Step 3.1 Assess your Agile product owner readiness
    • Call #6:
      Step 3.2 Mature product owner capabilities

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 and 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Phase 1

    Phase 2

    Phase 3

    Activities

    Establish the Foundation for Product Ownership

    Step 1.1 Establish an environment for product owner success

    1.1.1 Define enablers and blockers of product management

    1.1.2 Define your product management roles and names

    1.1.3 Assess your product management readiness

    Step 1.2 Establish your product ownership model

    1.2.1 Identify your primary product owner perspective

    1.2.2 Define your product owner RACI

    Align Product Owners to Products

    Step 2.1 Assign product owners to products

    2.1.1 Assign resources to your products and families

    Step 2.2 Manage stakeholder influence

    2.2.1 Visualize relationships to identify key influencers

    2.2.2 Group stakeholders into categories

    2.2.3 Prioritize your stakeholders

    Mature Product Owner Capabilities

    Step 3.1 Assess your Agile product owner readiness

    3.1.1 Assess your real Agile skill proficiency

    Step 3.2 Mature product owner capabilities=

    3.2.1 Assess your Vision capability proficiency

    3.2.2 Assess your Leadership capability proficiency

    3.2.3 Assess your PLM capability proficiency

    3.2.4 Identify your business value drivers and sources of value

    3.2.5 Assess your Value Realization capability proficiency

    Deliverables

    1. Enablers and blockers
    2. Role definitions
    3. Product culture readiness
    4. Product owner perspective mapping
    5. Product owner RACI
    1. Product resource assignment
    2. Stakeholder management strategy
    1. Real Agile skill proficiency assessment
    2. Info-Tech’s product owner capability model proficiency assessment
    3. Business value drivers and sources of value

    Related Info-Tech Research

    Product delivery

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    Build Your Agile Acceleration Roadmap

    Quickly assess the state of your Agile readiness and plan your path forward to higher value realization.

    Develop Your Agile Approach for a Successful Transformation

    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Implement DevOps Practices That Work

    Streamline business value delivery through the strategic adoption of DevOps practices.

    Extend Agile Practices Beyond IT

    Further the benefits of Agile by extending a scaled Agile framework to the business.

    Build Your BizDevOps Playbook

    Embrace a team sport culture built around continuous business-IT collaboration to deliver great products.

    Embed Security Into the DevOps Pipeline

    Shift security left to get into DevSecOps.

    Spread Best Practices With an Agile Center of Excellence

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Enable Organization-Wide Collaboration by Scaling Agile

    Execute a disciplined approach to rolling out Agile methods in the organization.

    Related Info-Tech Research

    Application portfolio management

    APM Research Center

    See an overview of the APM journey and how we can support the pieces in this journey.

    Application Portfolio Management Foundations

    Ensure your application portfolio delivers the best possible return on investment.

    Streamline Application Maintenance

    Effective maintenance ensures the long-term value of your applications.

    Streamline Application Management

    Move beyond maintenance to ensuring exceptional value from your apps.

    Build an Application Department Strategy

    Delivering value starts with embracing what your department can do.

    Embrace Business-Managed Applications

    Empower the business to implement its own applications with a trusted business-IT relationship.

    Optimize Applications Release Management

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Related Info-Tech Research

    Value, delivery metrics, estimation

    Build a Value Measurement Framework

    Focus product delivery on business value-driven outcomes.

    Select and Use SDLC Metrics Effectively

    Be careful what you ask for, because you will probably get it.

    Application Portfolio Assessment: End User Feedback

    Develop data-driven insights to help you decide which applications to retire, upgrade, re-train on, or maintain to meet the demands of the business.

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Refine Your Estimation Practices With Top-Down Allocations

    Don’t let bad estimates ruin good work.

    Estimate Software Delivery With Confidence

    Commit to achievable software releases by grounding realistic expectations.

    Reduce Time to Consensus With an Accelerated Business Case

    Expand on the financial model to give your initiative momentum.

    Optimize Project Intake, Approval, and Prioritization

    Deliver more projects by giving yourself the voice to say “no” or “not yet” to new projects.

    Enhance PPM Dashboards and Reports

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Related Info-Tech Research

    Organizational design and performance

    Redesign Your IT Organizational Structure

    Focus product delivery on business value-driven outcomes.

    Build a Strategic Workforce Plan

    Have the right people in the right place, at the right time.

    Implement a New Organizational Structure

    Reorganizations are inherently disruptive. Implement your new structure with minimal pain for staff while maintaining IT performance throughout the change.

    Build an IT Employee Engagement Program

    Don’t just measure engagement, act on it.

    Set Meaningful Employee Performance Measures

    Set holistic measures to inspire employee performance.

    Phase 1

    Establish the Foundation for Product Ownership

    Phase 1: Establish an environment for product owner success, Establish your product ownership model

    Mature and Scale Product Ownership

    This phase will walk you through the following activities:

    1.1.1 Define enablers and blockers of product management

    1.1.2 Define your product management roles and names

    1.1.3 Assess your product management readiness

    1.2.1 Identify your primary product owner perspective

    1.2.2 Define your product owner RACI

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Step 1.1

    Establish an environment for product owner success

    Activities

    1.1.1 Define enablers and blockers of product management

    1.1.2 Define your product management roles and names

    1.1.3 Assess your product management readiness

    Establish the foundation for product ownership

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Outcomes of this step

    • Enablers and blockers
    • Role definitions

    Empower product owners as the true owners of their product

    Product ownership requires decision-making authority and accountability for the value realization from those decisions. POs are more than a proxy for stakeholders, aggregators for changes, and the communication of someone else’s priorities.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”

    – Robbin Schuurman,
    “Tips for Starting Technical Product Managers”

    Info-Tech Best Practice

    Implement Info-Tech’s Product Owner Capability Model to help empower and hold product owners accountable for the maturity and success of their product. The product owner must understand how their product fits into the organization’s mission and strategy in order to align to enterprise value.

    Product and service owners share the same foundation and capabilities

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. The term “product” is used for consistency but applies to services, as well.

    Product = Service

    Common foundations: Focus on continuous improvement, ROI, and value realization. Clear vision, goals, roadmap, and backlog.

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Define product ownership to match your culture and customers

    Characteristics of a discrete product:

    • Has end users or consumers
    • Delivers quantifiable value
    • Evolves or changes over time
    • Has predictable delivery
    • Has definable boundaries
    • Has a cost to produce and operate
    • Has a discrete backlog and roadmap of improvements

    What does not need a product owner?

    • Individual features
    • Transactions
    • Unstructured data
    • One-time solutions
    • Non-repeatable processes
    • Solutions that have no users or consumers
    • People or teams

    Info-Tech Insight

    • Products are long-term endeavors that don’t end after the project finishes.
    • Products mature and improve their ability to deliver value.
    • Products have a discrete backlog of changes to improve the product itself, separate from operational requests fulfilled by the product or service.

    Need help defining your products or services? Download our blueprint Deliver Digital Products at Scale.

    Connect roadmaps to value realization with KPIs

    Every roadmap item should have an expected realized value once it is implemented. The associate KPIs or OKRs determine if our goal was met. Any gap in value feedback back into the roadmap and backlog refinement.</p data-verified=

    " loading="lazy">

    Info-Tech Insight

    Every roadmap item should have an expected realized value once it is implemented. The associate KPIs or OKRs determine if our goal was met. Any gap in value feedback back into the roadmap and backlog refinement.

    Identify the differences between a project-centric and a product-centric organization

    Differences between Project centric and Product centric organizations in regards to: Funding, Prioritization, Accountability, Product management, Work allocation, and Capacity management.

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for funding product changes and improvements

    Projects lifecycle, hybrid lifecycle and product lifecycle. Period or periods of project development have parallel services that encompass a more product-based view.

    Projects withing products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    You go through a period or periods of project-like development to build a version of an application or product.

    You also have parallel services along with your project development, which encompasses a more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

    Recognize common barriers to product management

    The transition to product ownership is a series of behavioral and cultural changes supported by processes and governance. It takes time and consistency to be successful.

    • Command and control structures
    • Lack of ownership and accountability
    • High instability in the market, demand, or organization
    • Lack of dedicated teams align to delivery, service, or product areas
    • Culture of one-off projects
    • Lack of identified and engaged stakeholders
    • Lack of customer exposure and knowledge

    Agile’s four core values

    “…while there is value in the items on the right, we value the items on the left more.”

    Source: “The Agile Manifesto”

    We value...

    We value being agile: Individuals and interactions, Working Software, Customer collaboration, Responding to change. Versus being prescriptive: Processes and tools, Comprehensive documentation, Contract negotiation, following a plan.

    Exercise 1.1.1 Define enablers and blockers of product management

    1 hour
    1. Identify and mitigate blockers of product management in your organization.
    2. What enablers will support strong product owners?
    3. What blockers will make the transition to product management harder?
    4. For each blocker, also define at least one mitigating step.
    Define enablers e.g. team culture. Define blockers and at least one mitigating step

    Output

    • Enablers and blockers

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Align enterprise value through product families

    Product families are operational groups based on capabilities or business functions. Product family managers translate goals, priorities, and constraints so they are actionable at the next level. Product owners prioritize changes to enhance the capabilities that allow you to realize your product family. Enabling capabilities realize value and help reach your goals.

    Effective product delivery requires thinking about more than just a single product

    Good application and product management begins with strengthening good practices for a single or small set of applications, products, and services.

    Product portfolio

    Groups of product families within an overall value stream or capability grouping.

    Project portfolio manager

    Product family

    A collection of related products. Products can be grouped along architectural, functional, operational, or experiential patterns.

    Product family manager

    Product

    Single product composed of one or more applications and services.

    Product owner

    Info-Tech Insight

    Define the current roles that will perform the product management function or define consistent role names to product owners and managers.

    Exercise 1.1.2 Define your product management roles and names

    1-2 hour
    1. Identify the roles in which product management activities will be owned.
    2. Define a common set of role names and describe the role.
    3. Map the level of accountability for each role: Product or Product Family
    4. Product owner perspectives will be defined in the next step.

    Define roles, description and level of product accountability.

    Output

    • Role definitions

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Use CLAIM to guide your journey

    Culture, Learning, Automation, Integrated teams, Metrics and governance.

    Value is best created by self-managing teams who deliver in frequent, short increments supported by leaders who coach them through challenges.

    Product-centric delivery and Agile are a radical change in how people work and think. Structured, facilitated learning is required throughout the transformation to help leaders and practitioners make the shift.

    Product management, Agile, and DevOps have inspired SDLC tools that have become a key part of delivery practices and work management.

    Self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of product-centric delivery.

    Successful implementations require the disciplined use of metrics that support developing better teams

    Exercise 1.1.3 Assess your product management readiness

    1 hour
    1. Open and complete the Mature and Scale Product Ownership Readiness Assessment in your Playbook or the provided Excel tool.
    2. Discuss high and low scores for each area to reach a consensus.
    3. Record your results in your Playbook.

    Assess your culture, learning, automation, Integrated teams, metrics and governance.

    Output

    • Assessment of product management readiness based on Info-Tech’s CLAIM+G model.

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Readiness Assessment.

    Communicate reasons for changes and how they will be implemented

    Five elements of communicating change: What is the change? Why are we doing it? How are we going to go about it? How long will it take us to do it? What will the role be for each department individual?

    Leaders of successful change spend considerable time developing a powerful change message; that is, a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.

    The organizational change message should:

    Step 1.2

    Establish your product ownership model

    Activities

    1.2.1 Identify your primary product owner perspective

    1.2.2 Define your product owner RACI

    Establish the foundation for product ownership

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Outcomes of this step

    • Product owner perspective mapping
    • Product owner RACI

    Recognize the product owner perspectives

    The 3 product owner perspectives. 1. Business: Customer-facing, value-generating. 2. Technical: IT systems and tools. 3. Operations: Keep-the-lights-on processes.

    Product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their primary perspective.

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Identify and align to product owner perspectives to ensure product success

    Product owner perspectives

    The 3 product owner perspectives. 1. Business: Customer-facing, value-generating. 2. Technical: IT systems and tools. 3. Operations: Keep-the-lights-on processes.
    1. Each product owner perspective provides important feedback, demand, and support for the product.
    2. Where a perspective is represented by a distinct role, the perspective is managed with that product owner.
    3. If separate roles don’t exist, the product owner must evaluate their work using two or three perspectives.
    4. The ultimate success of a product, and therefore product owner, is meeting the end-user value of the business product owner, tool support of the technical product owner, and manual processing support of the operations product owner.

    Line of business (LOB) product owners

    LOB product owners focus on the products and services consumed by the organization’s external consumers and users. The role centers on the market needs, competitive landscape, and operational support to deliver products and services.

    Business perspective

    • Alignment to enterprise strategy and priorities
    • Growth: market penetration and/or revenue
    • Perception of product value
    • Quality, stability, and predictability
    • Improvement and innovation
    • P&L
    • Market threats and opportunities
    • Speed to market
    • Service alignment
    • Meet or exceed individual goals

    Relationship to Operations

    • Customer satisfaction
    • Speed of delivery and manual processing
    • Continuity

    Relationship to Technical

    • Enabler
    • Analysis and insight
    • Lower operating and support costs

    Technical product owners

    Technical product owners are responsible for the IT systems, tools, platforms, and services that support business operations. Often they are identified as application or platform managers.

    Technical perspective

    • Application, application suite, or group of applications
    • Core platforms and tools
    • Infrastructure and networking
    • Third-party technology services
    • Enable business operations
    • Direct-to-customer product or service
    • Highly interconnected
    • Need for continuous improvement
    • End-of-life management
    • Internal value proposition and users

    Relationship to Business

    • Direct consumers
    • End users
    • Source of funding

    Relationship to Operations

    • End users
    • Process enablement or automation
    • Support, continuity, and manual intervention

    Operations (service) product owners

    Operational product owners focus on the people, processes, and tools needed for manual processing and decisions when automation is not cost-effective. Operational product owners are typically called service owners due to the nature of their work.

    Operational perspective

    • Business enablement
    • Continuity
    • Problem, incident, issue resolution
    • Process efficiency
    • Throughput
    • Error/defect avoidance
    • Decision enablement
    • Waste reduction
    • Limit time in process
    • Disaster recovery

    Relationship to Business

    • Revenue enablement
    • Manual intervention and processing
    • End-user satisfaction

    Relationship to Technical

    • Process enabler
    • Performance enhancement
    • Threat of automation

    Exercise 1.2.1 Identify your primary product owner perspective

    1 hour
    1. Identify which product owner perspective represents your primary focus.
    2. Determine where the other perspectives need to be part of your product roadmap or if they are managed by other product owners.

    Identify product/service name, identify product owner perspective, determine if other perspectives need to be part of roadmap.

    Output

    • Identification of primary product owner perspective.

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Realign differences between project managers and product owners

    Differences between Project Manager and Product Owners in regards to: Funding, Prioritization, Accountability, Product management, Work allocation, and Capacity management.

    Manage and communicate key milestones

    Successful product owners understand and define the key milestones in their product delivery lifecycles. These need to be managed along with the product backlog and roadmap.

    Define key milestones and their product delivery life-cycles.

    Info-Tech Best Practice

    Product ownership isn’t just about managing the product backlog and development cycles. Teams need to manage key milestones such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.

    Define who manages each key milestone

    Key milestones must be proactively managed. If a project manager is not available, those responsibilities need to be managed by the product owner or Scrum Master. Start with responsibility mapping to decide which role will be responsible.

    Example milestones and Project Manager, Product Owner and Team Facilitator.

    *Scrum Master, Delivery Manager, Team Lead

    Exercise 1.2.2 Define your product owner RACI

    60 minutes
    1. Review your product and project delivery methodologies to identify key milestones (including approvals, gates, reviews, compliance checks, etc.). List each milestone on a flip chart or whiteboard.
    2. For each milestone, define who is accountable for the completion.
    3. For each milestone, define who is responsible for executing the milestone activity. (Who does the work that allows the milestone to be completed?)
    4. Review any responsibility and accountability gaps and identify opportunities to better support and execute your operating model.
    5. If you previously completed Deliver Digital Products at Scale , review and update your RACI in the Mature and Scale Product Ownership Workbook .

    Define: Milestones, Project Manager, Product/service owner, Team Facilitator, and Other roles.

    Output

    • Product owner RACI

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Phase 2

    Align Product Owners to Products

    Phase 2: Assign product owners to products, Manage stakeholder influence

    Mature and Scale Product Ownership

    This phase will walk you through the following activities:

    2.1.1 Assign resources to your products and families

    2.2.1 Visualize relationships to identify key influencers

    2.2.2 Group stakeholders into categories

    2.2.3 Prioritize your stakeholders

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Step 2.1

    Assign product owners to products

    Activities

    2.1.1 Assign resources to your products and families

    Align product owners to products

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Outcomes of this step

    • Product resource assignment

    Match your product management role definitions to your product family levels

    Using the role definitions, you created in Exercise 1.1.2, determine which roles correspond to which levels of your product families.

    Product portfolio

    Groups of product families within an overall value stream or capability grouping.

    Project portfolio manager

    Product family

    A collection of related products. Products can be grouped along architectural, functional, operational, or experiential patterns.

    Product family manager

    Product

    Single product composed of one or more applications and services.

    Product owner

    Info-Tech Insight

    Define the current roles that will perform the product management function or define consistent role names to product owners and managers.

    Assign resources throughout your product families

    Project families are owned by a product manager. Product owners own each product that has a distinct backlog.

    Info-Tech Insight

    • Start by assigning resources to each product or product family box.
    • A product owner can be responsible for more than one product.
    • Ownership of more than one product does not mean they share the same backlog.
    • For help organizing your product families, please download Deliver Digital Products at Scale.

    Understand special circumstances

    In Deliver Digital Products at Scale , products were grouped into families using Info-Tech’s five scaling patterns. Assigning owners to Enterprise Applications and Shared Services requires special consideration.

    Value stream alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products

    Enterprise applications

    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > Modules Supporting: Job board, healthcare administrator

    Shared Services

    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools

    Technical

    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network

    Organizational alignment

    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure is no longer needed because the management team owns the product management role

    Map the source of demand to each product

    With enterprise applications and shared services, your demand comes from other product and service owners rather than end customers in a value stream.

    Enterprise applications

    • Primary demand comes from the operational teams and service groups using the platform.
    • Each group typically has processes and tools aligned to a module or portion of the overall platform.
    • Product owners determine end-user needs to assist with process improvement and automation.
    • Product family managers help align roadmap goals and capabilities across the modules and tools to ensure consistency and the alignment of changes.

    Shared services

    • Primary demand for shared services comes from other product owners and service managers whose solution or application is dependent on the shared service platform.
    • Families are grouped by related themes (e.g. workflow tools) to increase reusability, standard enterprise solutions, reduced redundancy, and consistent processes across multiple teams.
    • Product owners manage the individual applications or services within a family.

    Pattern: Enterprise applications

    A division or group delivers enabling capabilities and the team’s operational alignment maps directly to the modules/components of an enterprise application and other applications that support the specific business function.

    Workforce Management, Strategic HR, Talent Management, Core HR

    Example:

    • Human resources is one corporate function. Within HR, however, there are subfunctions that operate independently.
    • Each operational team is supported by one or more applications or modules within a primary HR system.
    • Even though the teams work independently, the information they manage is shared with, or ties into processes used by other teams. Coordination of efforts helps provide a higher level of service and consistency.

    For additional information about HRMS, please download Get the Most Out of Your HRMS.

    Assigning owners to enterprise applications

    Align your enterprise application owners to your operating teams that use the enterprise applications. Effectively, your service managers will align with your platform module owners to provide integrated awareness and planning.

    Family manager (top-level), Family managers (second-level) and Product owners.

    Pattern: Shared services

    Grouping by service type, knowledge area, or technology allows for specialization while families align service delivery to shared business capabilities.

    Grouping by service type, knowledge area, or technology allows for specialization while families align service delivery to shared business capabilities.

    Example:

    • Recommended for governance, risk, and compliance; infrastructure; security; end-user support; and shared platforms (workflow, collaboration, imaging/record retention). Direct hierarchies do not necessarily exist within the shared service family.
    • Service groupings are common for service owners (also known as support managers, operations managers, etc.).
    • End-user ticketing comes through a common request system, is routed to the team responsible for triage, and then is routed to a team for resolution.
    • Collaboration tools and workflow tools are enablers of other applications, and product families might support multiple apps or platforms delivering that shared capability.

    Assigning owners to shared services

    Assign owners by service type, knowledge area, or technology to provide alignment of shared business capabilities and common solutions.

    Family manager (top-level), Family managers (second-level) and Product owners.

    Map sources of demand and influencers

    Use the stakeholder analysis to define the key stakeholders and sources of demand for enterprise applications and shared services. Extend your mapping to include their stakeholders and influencers to uncover additional sources of demand and prioritization.

    Map of key stakeholders for enterprise applications and shared services.

    Info-Tech Insight

    Your product owner map defines the influence landscape your product operates. It is every bit as important as the teams who enhance, support, and operate your product directly.

    Combine your product owner map with your stakeholder map to create a comprehensive view of influencers.

    Exercise 2.1.1 Assign resources to your products and families

    1-4 hours
    1. Use the product families you completed in Deliver Digital Products at Scale to determine which products and product families need a resource assigned. Where the same resource fills more than one role, they are the product owner or manager for each independently.
    2. Product families that are being managed as products (one backlog for multiple products) should have one owner until the family is split into separate products later.
    3. For each product and family, define the following:
      • Who is the owner (role or person)?
      • Is ownership clearly defined?
      • Are there other stakeholders who make decisions for the product?
    4. Record the results in the Mature and Scale Product Ownership Workbook on the Product Owner Mapping worksheet.

    Output

    • Product owner and manager resource alignment.

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Step 2.2

    Manage stakeholder influence

    Activities

    2.2.1 Visualize relationships to identify key influencers

    2.2.2 Group stakeholders into categories

    2.2.3 Prioritize your stakeholders

    Align product owners to products

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Delivery managers
    • Business analysts

    Outcomes of this step

    • Stakeholder management strategy

    Develop a product owner stakeholder strategy

    Stakeholder management, Product lifecycle, Project delivery, Operational support.

    Stakeholders are a critical cornerstone to product ownership. They provide the context, alignment, and constraints that influence or control what a product owner can accomplish.

    Product owners operate within a network of stakeholders who represent different perspectives within the organization.

    First, product owners must identify members of their stakeholder network. Next, they should devise a strategy for managing stakeholders.

    Without a stakeholder strategy, product owners will encounter obstacles, resistance, or unexpected changes.

    Create a stakeholder network map to product roadmaps and prioritization

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    Create a stakeholder network map to product roadmaps and prioritization. Use connectors to determine who may be influencing your direct stakeholders.

    Info-Tech Insight

    Your stakeholder map defines the influence landscape your product operates. It is every bit as important as the teams who enhance, support, and operate your product directly.

    Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantive relationships with your stakeholders.

    Exercise 2.2.1 Visualize relationships to identify key influencers

    1 hour
    1. List direct stakeholders for your product.
    2. Determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
      • Use black arrows to indicate the direction of professional influence.
      • Use dashed green arrows to indicate informal bidirectional influence relationships.
    5. Record the results in the Mature and Scale Product Ownership Workbook .

    Output

    • Relationships among stakeholders and influencers

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps product owners categorize their stakeholders by their level of influence and ownership in the product and/or teams.

    Influence versus Ownership/Interest

    There are four areas on the map, and the stakeholders within each area should be treated differently.

    • Players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediments to the objectives.
    • Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively but have little ability to enact their wishes.
    • Spectators are generally apathetic and have little influence over or interest in the initiative.

    Exercise 2.2.2 Group stakeholders into categories

    1 hour
    1. Identify your stakeholders’ interest in and influence on your Agile implementation as high, medium, or low by rating the attributes below.
    2. Map your results to the model below to determine each stakeholder’s category.
    3. Record the results in the Mature and Scale Product Ownership Workbook .

    Influence versus Ownership/Interest with CMO, CIO and Product Manager in assigned areas.

    Output

    • Categorization of stakeholders and influencers

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Stakeholder category versus level of support.

    Consider the three dimensions of stakeholder prioritization: influence, interest, and support. Support can be determined by rating the following question: How likely is it that your stakeholder would recommend your product? These parameters are used to prioritize which stakeholders are most important and should receive your focused attention. The table to the right indicates how stakeholders are ranked.

    Exercise 2.2.3 Prioritize your stakeholders

    1 hour
    1. Identify the level of support of each stakeholder by answering the following question: How likely is it that your stakeholder would endorse your product?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.
    3. Record the results in the Mature and Scale Product Ownership Workbook .

    Stakeholder, Category, level of support, prioritization.

    Output

    • Stakeholder and influencer prioritization

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Capture in the Mature and Scale Product Ownership Playbook.

    Define strategies for engaging stakeholders by type

    Authority Vs. Ownership/Interest.

    Type

    Quadrant

    Actions

    Players

    High influence, high interest – actively engage Keep them updated on the progress of the project. Continuously involve players in the process and maintain their engagement and interest by demonstrating their value to its success.

    Mediators

    High influence, low interest – keep satisfied They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.

    Noisemakers

    Low influence, high interest – keep informed Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using mediators to help them.

    Spectators

    Low influence, low interest – monitor They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying your stakeholder groups, the product owner can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy spectators and noisemakers while ensuring the needs of mediators and players are met.

    Phase 3

    Mature Product Owner Capabilities

    Phase 3: Assess your Agile product owner readiness, Mature product owner capabilities.

    Mature and Scale Product Ownership

    This phase will walk you through the following activities:

    3.1.1 Assess your real Agile skill proficiency

    3.2.1 Assess your vision capability proficiency

    3.2.2 Assess your leadership capability proficiency

    3.2.3 Assess your PLM capability proficiency

    3.2.4 Identify your business value drivers and sources of value

    3.2.5 Assess your value realization capability proficiency

    This phase involves the following participants:

    • Product owners
    • Product managers

    Step 3.1

    Assess your Agile product owner readiness

    Activities

    3.1.1 Assess your real Agile skill proficiency

    Mature product owner capabilities

    This step involves the following participants:

    • Product owners
    • Product managers

    Outcomes of this step

    • Real Agile skill proficiency assessment

    Why focus on core skills?

    They are the foundation to achieve business outcomes

    Skills, actions, output and outcomes

    The right skills development is only possible with proper assessment and alignment against outcomes.

    Being successful at Agile is more than about just doing Agile

    The following represents the hard skills needed to “Do Agile”:

    Being successful at Agile needs 4 hard skills: 1. Engineering skills, 2. Technician Skills, 3. Framework/Process skills, 4. Tools skills.

    • Engineering skills. These are the skills and competencies required for building brand-new valuable software.
    • Technician skills. These are the skills and competencies required for maintaining and operating the software delivered to stakeholders.
    • Framework/Process skills. These are the specific knowledge skills required to support engineering or technician skills.
    • Tools skills. This represents the software that helps you deliver other software.

    While these are important, they are not the whole story. To effectively deliver software, we believe in the importance of being Agile over simply doing Agile.

    Adapted from: “Doing Agile” Is Only Part of the Software Delivery Pie

    Focus on these real Agile skills

    Agile skills

    • Accountability
    • Collaboration
    • Comfort with ambiguity
    • Communication
    • Empathy
    • Facilitation
    • Functional decomposition
    • Initiative
    • Process discipline
    • Resilience

    Info-Tech research shows these are the real Agile skills to get started with

    Skill Name

    Description

    Accountability

    Refers to the state of being accountable. In an Agile context, it implies transparency, dedication, acting responsibly, and doing what is necessary to get the job done.

    Collaboration

    Values diverse perspectives and working with others to achieve the best output possible. Effective at working toward individual, team, department, and organizational goals.

    Comfort with ambiguity

    Allows you to confidently take the next steps when presented with a problem without having all the necessary information present.

    Communication

    Uses different techniques to share information, concerns, or emotions when a situation arises, and it allows you to vary your approach depending on the current phase of development.

    Empathy

    Is the ability to understand and share the feelings of another to better serve your team and your stakeholders.

    Facilitation

    Refers to guiding and directing people through a set of conversations and events to learn and achieve a shared understanding.

    Functional decomposition

    Is being able to break down requirements into constituent epics and stories.

    Initiative

    Is being able to anticipate challenges and then act on opportunities that lead to better business outcomes.

    Process discipline

    Refers to the focus of following the right steps for a given activity at the right time to achieve the right outcomes.

    Resilience

    Refers to the behaviors, thoughts, and actions that allow a person to recover from stress and adversity.

    Accountability

    An accountable person:

    • Takes ownership of their own decisions and actions and is responsible for the quality of results.
    • Recognizes personal accountabilities to others, including customers.
    • Works well autonomously.
    • Ensures that the mutual expectations between themselves and others are clearly defined.
    • Takes the appropriate actions to ensure that obligations are met in a timely manner.
    • As a leader, takes responsibility for those being led.

    Accountability drives high performance in teams and organizations

    • The performance level of teams depends heavily on accountability and who demonstrates it:
      • In weak teams, there is no accountability.
      • In mediocre teams, supervisors demonstrate accountability.
      • In high-performance teams, peers manage most performance problems through joint accountability. (Grenny, 2014)
    • According to Bain & Company, accountability is the third most important attribute of high-performing companies. Some of the other key attributes include honest, performance-focused, collaborative, and innovative. (Mankins, 2013)

    All components of the employee empowerment driver have a strong, positive correlation with engagement.

    Employee empowerment and Correlation with engagement.

    Source: McLean & Company Engagement Database, 2018; N=71,794

    Accountability

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Alerts others to possible problems in a timely manner.
    • Seeks appropriate support to solve problems.
    • Actively contributes to the creation and evaluation of possible solutions.
    • Acts on solutions selected and decisions made as directed.
    • Makes effective decisions about how to complete work tasks.
    • Demonstrates the capability of breaking down concrete issues into parts and synthesizing information succinctly.
    • Collects and analyzes information from a variety of sources.
    • Seeks information and input to fully understand the cause of problems.
    • Takes action to address obstacles and problems before they impact performance and results.
    • Initiates the evaluation of possible solutions to problems.
    • Makes effective decisions about work task prioritization.
    • Appropriately assesses risks before deciding.
    • Effectively navigates through ambiguity, using multiple data points to analyze issues and identify trends.
    • Does not jump to conclusions.
    • Draws logical conclusions and provides opinions and recommendations with confidence.
    • Takes ownership over decisions and their consequences.
    • Demonstrates broad knowledge of information sources that can be used to assess problems and make decisions.
    • Invests time in planning, discovery, and reflection to drive better decisions.
    • Effectively leverages hard data as inputs to making decisions.
    • Garners insight from abstract data and makes appropriate decisions.
    • Coaches others in effective decision-making practices.
    • Has the authority to solve problems and make decisions.
    • Thinks several steps ahead in deciding the best course of action, anticipating likely outcomes, risks, or implications.
    • Establishes metrics to aid in decision-making, for self and teams
    • Prioritizes objective and ambiguous information and analyzes this when making decisions.
    • Solicits a diverse range of opinions and perspectives as inputs to decision making.
    • Applies frameworks to decision making, particularly in situations that have little base in prior experience.
    • Makes effective decisions about organizational priorities.
    • Holds others accountable for their decisions and consequences.
    • Creates a culture of empowerment and trust to facilitate effective problem solving and decision making.
    • Makes sound decisions that have organization-wide consequences and that influence future direction.

    Collaboration as a skill

    The principles and values of Agile revolve around collaboration.

    • Works well with others on specialized and cross-functional teams.
    • Can self-organize while part of a team.
    • Respects the commitments that others make.
    • Identifies and articulates dependencies.
    • Values diverse perspectives and works with others to achieve the best output possible.
    • Effective at working toward individual, team, department, and organizational goals.
    The principles and values of Agile revolve around collaboration. Doing what was done before (being prescriptive), going though the motions (doing Agile), living the principles (being Agile)

    Collaboration

    The Agile Manifesto has three principles that focus on collaboration:

    1. The business and developers must work together daily throughout the project.
    2. Build projects around motivated individuals. Give them the environment and support they need and trust them to get the job done.
    3. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.

    Effective collaboration supports Agile behaviors, including embracing change and the ability to work iteratively.

    Collaboration

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Understands role on the team and the associated responsibilities and accountabilities.
    • Treats team members with respect.
    • Contributes to team decisions and to the achievement of team goals and objectives.
    • Demonstrates a positive attitude.
    • Works cross-functionally to achieve common goals and to support the achievement of other team/department goals.
    • Values working in a diverse team and understands the importance of differing perspectives to develop unique solutions or ideas.
    • Fosters team camaraderie, collaboration, and cohesion.
    • Understands the impact of one's actions on the ability of team members to do their jobs.
    • Respects the differences other team members bring to the table by openly seeking others' opinions.
    • Helps the team accomplish goals and objectives by breaking down shared goals into smaller tasks.
    • Approaches challenging team situations with optimism and an open mind, focusing on coming to a respectful conclusion.
    • Makes suggestions to improve team engagement and effectiveness.
    • Supports implementation of team decisions.
    • Professionally gives and seeks feedback to achieve common goals.
    • Values working in a diverse team and understands the importance of differing perspectives to develop unique solutions or ideas.
    • Motivates the team toward achieving goals and exceeding expectations.
    • Reaches out to other teams and departments to build collaborative, cross-functional relationships.
    • Creates a culture of collaboration that leverages team members' strengths, even when the team is remote or virtual.
    • Participates and encourages others to participate in initiatives that improve team engagement and effectiveness.
    • Builds consensus to make and implement team decisions, often navigating through challenging task or interpersonal obstacles.
    • Values leading a diverse team and understands the importance of differing perspectives to develop unique solutions or ideas.
    • Creates a culture of collaboration among teams, departments, external business partners, and all employee levels.
    • Breaks down silos to achieve inter-departmental collaboration.
    • Demonstrates ownership and accountability for team/department/ organizational outcomes.
    • Uses an inclusive and consultative approach in setting team goals and objectives and making team decisions.
    • Coaches others on how to identify and proactively mitigate potential points of team conflict.
    • Recognizes and rewards teamwork throughout the organization.
    • Provides the tools and resources necessary for teams to succeed.
    • Values diverse teams and understands the importance of differing perspectives to develop unique solutions or ideas.

    Comfort with ambiguity

    Ability to handle ambiguity is a key factor in Agile success.

    • Implies the ability to maintain a level of effectiveness when all information is not present.
    • Able to confidently act when presented with a problem without all information present.
    • Risk and uncertainty can comfortably be handled.
    • As a result, can easily adapt and embrace change.
    • People comfortable with ambiguity demonstrate effective problem-solving skills.

    Relative importance of traits found in Agile teams

    1. Handles ambiguity
    2. Agreeable
    3. Conscientious

    Comfort with ambiguity

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Requires most information to be present before carrying out required activities.
    • Can operate with some information missing.
    • Comfortable asking people within their known circles for help.
    • Significant time is taken to reveal small pieces of information.
    • More adept at operating with information missing.
    • Willing to reach out to people outside of their regular circles for assistance and clarification.
    • Able to apply primary and secondary research methods to fill in the missing pieces.
    • Can operate essentially with a statement and a blank page.
    • Able to build a plan, drive others and themselves to obtain the right information to solve the problem.
    • Able to optimize only pulling what is necessary to answer the desired question and achieve the desired outcome.

    Communication

    Even though many organizations recognize its importance, communication is one of the root causes of project failure.

    Project success vs Communication effectiveness. Effective communications is associated with a 17% increase in finishing projects within budget.

    56%

    56% of the resources spent on a project are at risk due to ineffective communications.

    PMI, 2013.

    29%

    In 29% of projects started in the past 12 months, poor communication was identified as being one of the primary causes of failure.

    PMI, 2013.

    Why are communication skills important to the Agile team?

    It’s not about the volume, it’s about the method.

    • Effectively and appropriately interacts with others to build relationships and share ideas and information.
    • Uses tact and diplomacy to navigate difficult situations.
    • Relays key messages by creating a compelling story, targeted toward specific audiences.

    Communication effectiveness, Activity and Effort required.

    Adapted From: Agile Modeling

    Communication

    Your Score:____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Actively listens, learns through observation, and uses clear and precise language.
    • Possesses an open and approachable demeanor, with a positive and constructive tone.
    • Demonstrates interest in the thoughts and feelings of others.
    • Considers potential responses of others before speaking or acting.
    • Checks own understanding of others’ communication by repeating or paraphrasing.
    • Demonstrates self-control in stressful situations.
    • Provides clear, concise information to others via verbal or written communication.
    • Seeks to understand others' points of view, looking at verbal and non-verbal cues to encourage open and honest discussions.
    • Invites and encourages others to participate in discussions.
    • Projects a sincere and genuine tone.
    • Remains calm when dealing with others who are upset or angry.
    • Provides and seeks support to improve communication.
    • Does not jump to conclusions or act on assumptions.
    • Tailors messages to meet the different needs of different audiences.
    • Accurately interprets responses of others to their words and actions.
    • Provides feedback effectively and with empathy.
    • Is a role model for others on how to effectively communicate.
    • Ensures effective communication takes place at the departmental level.
    • Engages stakeholders using appropriate communication methods to achieve desired outcomes.
    • Creates opportunities and forums for discussion and idea sharing.
    • Demonstrates understanding of the feelings, motivations, and perspectives of others, while adapting communications to anticipated reactions.
    • Shares insights about their own strengths, weaknesses, successes, ad failures to show empathy and help others relate.
    • Discusses contentious issues without getting defensive and maintains a professional tone.
    • Coaches others on how to communicate effectively and craft targeted messages.
    • Sets and exemplifies standards for respectful and effective communications in the organization.
    • Comfortably delivers strategic messages supporting their function and the organization at the enterprise level.
    • Communicates with senior-level executives on complex organizational issues.
    • Promotes inter-departmental communication and transparency.
    • Achieves buy-in and consensus from people who share widely different views.
    • Shares complex messages in clear, understandable language.
    • Accurately interprets how they are perceived by others.
    • Rallies employees to communicate ideas and build upon differing perspectives to drive innovation.

    Empathy

    Empathy is the ability to understand and share the feelings of another in order to better serve your team and your stakeholders. There are three kinds:

    Cognitive

    Thought, understanding, intellect

    • Knowing how someone else feels and what they might be thinking.
    • Contributes to more effective communication.

    Emotional

    Feelings, physical sensation

    • You physically feel the emotions of the other person.
    • Helps build emotional connections with others.

    Compassionate

    Intellect, emotion with action

    • Along with understanding, you take action to help.

    How is empathy an Agile skill?

    Empathy enables you to serve your team, your customers, and your organization

    Serving the team

    • Primary types: Emotional and compassionate empathy.
    • The team is accountable for delivery.
    • By being able to empathize with the person you are talking to, complex issues can be addressed.
    • A lack of empathy leads to a lack of collaboration and being able to go forward on a common path.

    Serving your customers and stakeholders

    • Primary type: Cognitive empathy.
    • Agile enables the delivery of the right value at the right time to your stakeholders
    • Translating your stakeholders' needs requires an understanding of who they are as people. This is done through observations, interviews and conversations.
    • Leveraging empathy maps and user-story writing is an effective tool.

    Empathy

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Knowing how someone else feels and what they might be thinking.
    • Ability to build emotional connections with others.
    • Able to harness emotional connections to achieve tangible and experiential outcomes.
    • Demonstrates an awareness of different feelings and ways of thinking by both internal and external stakeholders.
    • Limited ability to make social connections with others outside of the immediate team.
    • Able to connect with similarly minded people to improve customer/stakeholder satisfaction. (Insights into action)
    • Able to interact and understand others with vastly different views.
    • Lack of agreement does not stop individual. from asking questions, understanding, and pushing the conversation forward

    Facilitation

    It’s not just your manager’s problem.

    “Facilitation is the skill of moderating discussions within a group in order to enable all participants to effectively articulate their views on a topic under discussion, and to ensure that participants in the discussion are able to recognize and appreciate the differing points of view that are articulated.” (IIBA, 2015)

    • Drives action through influence, often without authority.
    • Leads and impacts others' thinking, decisions, or behavior through inclusive practices and relationship building.
    • Encourages others to self-organize and hold themselves accountable.
    • Identifies blockers and constructively removes barriers to progress.

    Facilitation

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Drives action through influence, often without authority.
    • Leads and impacts others' thinking, decisions, or behavior through inclusive practices and relationship building.
    • Encourages others to self-organize and hold themselves accountable.
    • Identifies blockers and constructively removes barriers to progress.
    • Maps and executes processes effectively.
    • Uses facts and concrete examples to demonstrate a point and gain support from others.
    • Openly listens to the perspectives of others.
    • Builds relationships through honest and consistent behavior.
    • Understands the impact of their own actions and how others will perceive it.
    • Identifies impediments to progress.
    • Anticipates the effect of one's approach on the emotions and sensitivities of others.
    • Practices active listening while demonstrating positivity and openness.
    • Customizes discussion and presentations to include "what’s in it for me" for the audience.
    • Presents compelling information to emphasize the value of an idea.
    • Involves others in refining ideas or making decisions in order to drive buy-in and action.
    • Knows how to appropriately use influence to achieve outcomes without formal authority.
    • Seeks ways and the help of others to address barriers or blockers to progress.
    • Leverages a planned approach to influencing others by identifying stakeholder interests, common goals, and potential barriers.
    • Builds upon successes to gain acceptance for new ideas.
    • Facilitates connections between members of their network for the benefit of the organization or others.
    • Demonstrates the ability to draw on trusting relationships to garner support for ideas and action.
    • Encourages a culture that allows space for influence to drive action.
    • Adept at appropriately leveraging influence to achieve business unit outcomes.
    • Actively manages the removal of barriers and blockers for teams.

    Functional decomposition

    It’s not just a process, it’s a skill.

    “Functional decomposition helps manage complexity and reduce uncertainty by breaking down processes, systems, functional areas, or deliverables into their simpler constituent parts and allowing each part to be analyzed independently."

    (IIBA, 2015)

    Being able to break down requirements into constituent consumable items (example: epics and user stories).

    Start: Strategic Initiatives. 1: Epics. 2: Capabilities. 3: Features. End: Stories.

    Use artifact mapping to improve functional decomposition

    In our research, we refer to these items as epics, capabilities, features, and user stories. How you develop your guiding principles and structure your backlog should be based on the terminology and artifact types commonly used in your organization.

    Agile, Waterfall, Relationship, Decomposition skill most in demand, definition.

    Functional Decomposition

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Able to decompose items with assistance from other team members.
    • Able to decompose items independently, ensuring alignment with business value.
    • Able to decompose items independently and actively seeks out collaboration opportunities with relevant SME's during and after the refinement process to ensure completion.
    • Able to decompose items at a variety of granularity levels.
    • Able to teach and lead others in their decomposition efforts.
    • Able to quickly operate at different levels of the requirements stack.

    Initiative and self-organization

    A team that takes initiative can self-organize to solve critical problems.

    • "The best architectures, requirements, and designs emerge from self-organizing teams." (Agile Manifesto)
    • In a nutshell, the initiative represents the ability to anticipate challenges and act on opportunities that lead to better business outcomes.
    • Anticipates challenges and acts on opportunities that lead to better business outcomes.
    • Thinks critically and is motivated to use both specialist expertise and general knowledge.
    • Driven by the delivery of business value and better business outcomes.
    • Empowers others to act and is empowered and self-motivated.

    Initiative and self-organization

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Demonstrates awareness of an opportunity or issue which is presently occurring or is within the immediate work area.
    • Reports an opportunity or issue to the appropriate person.
    • Acts instead of waiting to be asked.
    • Willingly takes on challenges, even if they fall outside their area of expertise.
    • Is proactive in identifying issues and making recommendations to resolve them.
    • Within the scope of the work environment, takes action to improve processes or results, or to resolve problems.
    • Not deterred by obstacles.
    • Tackles challenges that require risk taking.
    • Procures the necessary resources, team and technical support to enable success.
    • Assists others to get the job done.
    • Demonstrates awareness of an opportunities or issues which are in the future or outside the immediate work area.
    • Typically exceeds the expectations of the job.
    • Learns new technology or skills outside their specialization so that they can be a more effective team member.
    • Recommends solutions to enhance results or prevent potential issues.
    • Drives implementation of new processes within the team to improve results.
    • Able to provide recommendations on plans and decisions that are strategic and future-oriented for the organization.
    • Identifies areas of high risk or of organizational level impact.
    • Able to empower significant recourses from the organization to enable success.
    • Leads long-term engagements that result in improved organizational capabilities and processes.

    Process discipline

    A common misconception is that Agile means no process and no discipline. Effective Agile teams require more adherence to the right processes to create a culture of self-improvement.

    • Refers to the focus of following the right steps for a given activity at the right time to achieve the right outcomes.
    • Focus on following the right steps for a given activity at the right time to achieve desired outcomes.
    Example: Scrum Ceremonies during a sprint (1 - 4 weeks/sprint). 1: Sprint planning, 2: Daily scrum, 3: Sprint review, 4: Sprint retrospective.

    Process discipline

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Demonstrates awareness of the key processes and steps that are needed in a given situation.
    • Limited consistency in following processes and limited understanding of the 'why' behind the processes.
    • Aware and follows through with key agile processes in a consistent manner.
    • Demonstrates not only the knowledge of processes but understands the 'why' behind their existence.
    • Aware and follows through with key agile processes in a consistent manner.
    • Demonstrates understanding of not only why specific processes exist but can suggest changes to improve efficiency, consistency, and outcomes.

    N/A -- Maximum level is '3

    Resilience

    If your team hits the wall, don’t let the wall hit them back.

    • Resilience is critical for an effective Agile transformation. A team that demonstrates resilience always exhibits:
    • Evolution over transformation – There is a recognition that changes happen over time.
    • Intensity and productivity – A race is not won by the ones who are the fastest, but by the ones who are the most consistent. Regardless of what comes up, the team can push through.
    • That organizational resistance is futile – Given that it is working on the right objectives, the team needs to demonstrate a consistency of approach and intensity regardless of what may stand in its way.
    • Refers to the behaviors, thoughts, and actions that allow a person to recover from stress and adversity.

    How resilience aligns with Agile

    A team is not “living the principles” without resilience.

    1. Purpose

      Aligns with: “Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.” The vision or goals may not be clear in certain circumstances and can be difficult to relate to a single work item. Being able to intrinsically source and harness a sense of purpose becomes more important, especially as a self-organizing team.
    2. Perseverance

      Aligns with: “Agile processes harness change for the customer's competitive advantage.” Perseverance enables teams to continuously deliver at a steady pace, addressing impediments or setbacks and continuing to move forward.
    3. Composure

      Aligns with: “Agile processes promote sustainable development,” and “At regular intervals, the team reflects ... and adjusts its behavior accordingly.”
      When difficult situations arise, composure allows us to understand perspectives, empathize with customers, accept late changes, and sustain a steady pace.
    4. Self-Reliance

      Aligns with: “The best architectures, requirements, and designs emerge from self-organizing teams.” Knowing oneself, recognizing strengths, and drawing on past successes, can be a powerful aid in creating high-performing Agile teams
    5. Authenticity

      Aligns with: “At regular intervals, the team reflects … and adjusts its behavior accordingly,” and “Build projects around motivated individuals.”
      When difficult situations arise, authenticity is crucial. “For example, being able to openly disclose areas outside of your strengths in sprint planning or being able to contribute constructively toward self-organization.”

    Adapted from: Why Innovation, 2019.

    Resilience

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Easily distracted and stopped by moderately stressful and challenging situations.
    • Requires significant help from others to get back on track.
    • Not frequently able (or knows) how to ask for help
    • Handles typical stresses and challenges for the given role.
    • Able to get back on track with limited assistance.
    • Able to ask for help when they need it.
    • Quality of work unaffected by an increase in pressures and challenges.
    • Handles stresses and challenges what is deemed above and beyond their given role.
    • Able to provide advice to others on how to handle difficult and challenging situations.
    • Quality of work and outcomes is maintained and sometimes exceeded as pressure increases.
    • Team looks to this individual as being the gold standard on how to approach any given problem or situation.
    • Directly mentors others on approaches in situations regardless of the level of challenge.

    Exercise 1.2.1 Identify your primary product owner perspective

    1 hour
    1. Review each real Agile skill and determine your current proficiency.
    2. Complete your assessment in the Mature and Scale Product Owner Proficiency Assessment tool.
    3. Record the results in the Mature and Scale Product Ownership Playbook.
    4. Review the skills map to identify strengths and areas of growth.

    Accountability, Collaboration, Comfort in Ambiguity, Communication, Empathy, Facilitation, Functional Decomposition, Initiative, Process Discipline, Resilience.

    Output

    • Agile skills assessment results.

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Owner Proficiency Assessment.

    Determine your Agile skills proficiency: Edit chart data to plot your scores or add your data points and connect the lines.

    Step 3.2

    Mature product owner capabilities

    Activities

    3.2.1 Assess your vision capability proficiency

    3.2.2 Assess your leadership capability proficiency

    3.2.3 Assess your PLM capability proficiency

    3.2.4 Identify your business value drivers and sources of value

    3.2.5 Assess your value realization capability proficiency

    Mature product owner capabilities

    This step involves the following participants:

    • Product owners
    • Product managers

    Outcomes of this step

    • Info-Tech product owner capability model proficiency assessment

    Product capabilities deliver value

    As a product owner, you are responsible for managing these facets through your capabilities and activities.

    The core product and value stream consists of: Funding - Product management and governance, Business functionality - Stakeholder and relationship management, and Technology - Product delivery.

    Info-Tech Best Practice

    It is easy to lose sight of what matters when we look at a product from a single point of view . Despite what "The Agile Manifesto" says, working software is not valuable without the knowledge and support that people need in order to adopt, use, and maintain it. If you build it, they will not come. Product owners must consider the needs of all stakeholders when designing and building products.

    Recognize product owner knowledge gaps

    Pulse survey of product owners

    Pulse survey of product owners. Graph shows large percentage of respondents have alignment to common agile definition of product owners. Yet a significant perception gap in P&L, delivery, and analytics.

    Info-Tech Insight

    1. Less than 15% of respondents identified analytics or financial management as a key component of product ownership.
    2. Assess your product owner’s capabilities and understanding to develop a maturity plan.

    Source: Pulse Survey (N=18)

    Implement the Info-Tech product owner capability model

    Unfortunately, most product owners operate with incomplete knowledge of the skills and capabilities needed to perform the role. Common gaps include focusing only on product backlogs, acting as a proxy for product decisions, and ignoring the need for key performance indicators (KPIs) and analytics in both planning and value realization.

    Product Owner capabilities: Vision, Product Lifecycle Management, Leadership, Value Realization

    Vision

    • Market Analysis
    • Business Alignment
    • Product Roadmap

    Leadership

    • Soft Skills
    • Collaboration
    • Decision Making

    Product Lifecycle Management

    • Plan
    • Build
    • Run

    Value Realization

    • KPIs
    • Financial Management
    • Business Model

    Product owner capabilities provide support

    Vision predicts impact of Value realization. Value realization provides input to vision

    Your vision informs and aligns what goals and capabilities are needed to fulfill your product or product family vision and align with enterprise goals and priorities. Each item on your roadmap should have corresponding KPIs or OKRs to know how far you moved the value needle. Value realization measures how well you met your target, as well as the impacts on your business value canvas and cost model.

    Product lifecycle management builds trust with Leadership. Leadership improves quality of Product lifecycle management.

    Your leadership skills improve collaborations and decisions when working with your stakeholders and product delivery teams. This builds trust and improves continued improvements to the entire product lifecycle. A product owner’s focus should always be on finding ways to improve value delivery.

    Product owner capabilities provide support

    Leadership enhances Vision. Vision Guides Product Lifecycle Management. Product Lifecycle Management delivers Value Realization. Leadership enhances Value Realization

    Develop product owner capabilities

    Each capability: Vision, Product lifecycle management, Value realization and Leadership has 3 components needed for successful product ownership.

    Avoid common capability gaps

    Vision

    • Focusing solely on backlog grooming (tactical only)
    • Ignoring or failing to align product roadmap to enterprise goals
    • Operational support and execution
    • Basing decisions on opinion rather than market data
    • Ignoring or missing internal and external threats to your product

    Leadership

    • Failing to include feedback from all teams who interact with your product
    • Using a command-and-control approach
    • Viewing product owner as only a delivery role
    • Acting as a proxy for stakeholder decisions
    • Avoiding tough strategic decisions in favor of easier tactical choices

    Product lifecycle management

    • Focusing on delivery and not the full product lifecycle
    • Ignoring support, operations, and technical debt
    • Failing to build knowledge management into the lifecycle
    • Underestimating delivery capacity, capabilities, or commitment
    • Assuming delivery stops at implementation

    Value realization

    • Focusing exclusively on “on time/on budget” metrics
    • Failing to measure a 360-degree end-user view of the product
    • Skipping business plans and financial models
    • Limiting financial management to project/change budgets
    • Ignoring market analysis for growth, penetration, and threats

    Capabilities: Vision

    Market Analysis

    • Customer Empathy: Identify the target users and unique value your product provides that is not currently being met. Define the size of your user base, segmentation, and potential growth.
    • Customer Journey: Define the future path and capabilities your users will respond to.
    • Competitive analysis: Complete a SWOT analysis for your end-to-end product lifecycle. Use Info-Tech’s Business SWOT Analysis Template.

    Business Alignment

    • Enterprise alignment: Align to enterprise and product family goals, strategies, and constraints.
    • Delivery and release strategy: Develop a delivery strategy to achieve value quickly and adapt to internal and external changes. Value delivery is constrained by your delivery pipeline.
    • OCM and go-to-market strategy: Create organizational change management, communications, and a user implementation approach to improve adoption and satisfaction from changes.

    Product Roadmap

    • Roadmap strategy: Determine the duration, detail, and structure of your roadmap to accurately communicate your vision.
    • Value prioritization: Define criteria used to evaluate and sequence demand items.
    • Release and capacity planning: Build your roadmap with realistic goals and milestones based on your delivery pipeline and dependencies.

    “Customers are best heard through many ears.”

    – Thomas K. Connellan, Inside the Magic Kingdom

    Vision: Market Analysis, Business Alignment, and Product Roadmap.

    Info-Tech Insight

    Data comes from many places and may still not tell the complete story.

    Build your product strategy playbook

    Complete Deliver on Your Digital Product Vision to define your Vision, Goals, Roadmap approach, and Backlog quality filters.

    Digital Product Strategy Supporting Workbook

    Supporting workbook that captures the interim results from a number of exercises that will contribute to your overall digital product vision.

    Product Backlog Item Prioritization Tool

    An optional tool to help you capture your product backlog and prioritize based on your given criteria

    Product Roadmap Tool

    An optional tool to help you build out and visualize your first roadmap.

    Your Digital Product Vision Details Strategy

    Record the results from the exercises to help you define, detail, and make real your digital product vision.

    Your product vision is your North Star

    It's ok to dream a little!

    Who is the target customer, what is the key benefit, what do they need, what is the differentiator

    Adapted from: Geoffrey Moore, 2014.

    Info-Tech Best Practice

    A product vision shouldn’t be so far out that it doesn’t feel real or so short-term that it gets bogged down in minutiae and implementation details. Finding the right balance will take some trial and error and will be different for each organization.

    Use product roadmaps to guide delivery

    In Deliver on Your Digital Product Vision, we showed how the product roadmap is key to value realization. As a product owner, the product roadmap is your communicated path to align teams and changes to your defined goals, while aligning your product to enterprise goals and strategy.

    As a product owner, the product roadmap is your communicated path to align teams and changes to your defined goals, while aligning your product to enterprise goals and strategy

    Info-Tech Best Practice

    Info-Tech Best Practice Product delivery requires a comprehensive set of business and technical competencies to effectively roadmap, plan, deliver, support, and validate your product portfolio. Product delivery is a “multi-faceted, complex discipline that can be difficult to grasp and hard to master.” It will take time to learn and adopt methods and become a competent product manager or owner (“What Is Product Management?”, Pichler Consulting Limited).

    Match your roadmap and backlog to the needs of the product

    Ultimately, you want products to be able to respond faster to changes and deliver value sooner. The level of detail in the roadmap and backlog is a tool to help the product owner plan for change. The duration of your product roadmap is all directly related to the tier of product owner in the product family.

    The level of detail in the roadmap and backlog is a tool to help the product owner plan for change. The duration of your product roadmap is all directly related to the tier of product owner in the product family.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    Product strategy includes: Vision, Goals, Roadmap, backlog and Release plan.

    Use artifact mapping to improve functional decomposition

    In our research, we refer to these items as epics, capabilities, features, and user stories. How you develop your guiding principles and structure your backlog should be based on the terminology and artifact types commonly used in your organization.

    Agile, Waterfall, Relationship, Decomposition skill most in demand, definition.

    Manage and communicate key milestones

    Successful product owners understand and define the key milestones in their product delivery lifecycles. These need to be managed along with the product backlog and roadmap.

    Define key milestones and their release dates.

    Info-Tech Best Practice

    Product ownership isn’t just about managing the product backlog and development cycles! Teams need to manage key milestones such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints!

    Milestones

    • Points in the timeline when the established set of artifacts is complete (feature-based), or checking status at a particular point in time (time-based).
    • Typically assigned a date and used to show the progress of development.
    • Plays an important role when sequencing different types of artifacts.

    Release dates

    • Releases mark the actual delivery of a set of artifacts packaged together in a new version of the product.
    • Release dates, firm or not, allow stakeholders to anticipate when this is coming.

    Leverage the product canvas to state and inform your product vision

    Leverage the product Canvas to state and inform your product vision. Includes: Product name, Tracking info, Vision, List of business objectives or goals, Metrics used to measure value realization, List of groups who consume the product/service, and List of key resources or stakeholders.

    Capability: Vision

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Product backlog.
    • Basic roadmap with milestones and releases.
    • Unprioritized stakeholder list.
    • Understanding of product’s purpose and value.
    • Customers and end-users defined with core needs identified.
    • Roadmap with goals and capabilities defined by themes and set to appropriate time horizons.
    • Documented stakeholder management plan with communication and collaboration aligned to the stakeholder strategy.
    • Value drivers traced to product families and enterprise goals.
    • Customer personas defined with pain relievers and value creators defined.
    • Fully-developed roadmap traced to family (and child) roadmaps.
    • Expected ROI for all current and next roadmap items.
    • KPIs/OKRs used to improve roadmap prioritization and sequencing.
    • Proactive stakeholder engagement and reviews.
    • Cross-functional engagement to align opportunities and drive enterprise value.
    • Formal metrics to assess customer needs and value realization.
    • Roadmaps managed in an enterprise system for full traceability, value realization reporting, and views for defined audiences.
    • Proactive stakeholder engagement with regular planning and review ceremonies tied to their roadmaps and goals.
    • Cross-functional innovation to find disruptive opportunities to drive enterprise value.
    • Omni-channel metrics and customer feedback mechanisms to proactively evaluate goals, capabilities, and value realization.

    Exercise 3.2.1 Assess your Vision capability proficiency

    1 hour
    1. Review the expectations for this capability and determine your current proficiency for each skill.
    2. Complete your assessment in the Mature and Scale Product Owner Proficiency Assessment tool.
    3. Record the results in the Mature and Scale Product Ownership Playbook.
    4. Review the skills map to identify strengths and areas of growth.

    Output

    • Product owner capability assessment

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Owner Proficiency Assessment.

    Capabilities: Leadership

    Soft Skills

    • Communication: Maintain consistent, concise, and appropriate communication using SMART guidelines (specific, measurable, attainable, relevant, and timely).
    • Integrity: Stick to your values, principles, and decision criteria for the product to build and maintain trust with your users and teams.
    • Influence: Manage stakeholders using influence and collaboration over contract negotiation.

    Collaboration

    • Stakeholder management: Build a communications strategy for each stakeholder group, tailored to individual stakeholders.
    • Relationship management: Use every interaction point to strengthen relationships, build trust, and empower teams.
    • Team development: Promote development through stretch goals and controlled risks to build team capabilities and performance.

    Decision Making

    • Prioritized criteria: Remove personal bias by basing decisions off data analysis and criteria.
    • Continuous improvement: Balance new features with the need to ensure quality and create an environment of continuous improvement.
    • Team empowerment/negotiation: Push decisions to teams closest to the problem and solution, using Delegation Poker to guide you.

    “Everything walks the walk. Everything talks the talk.”

    – Thomas K. Connellan, Inside the Magic Kingdom

    Leadership: Soft skills, collaboration, decision making.

    Info-Tech Insight

    Product owners cannot be just a proxy for stakeholder decisions. The product owner owns product decisions and management of all stakeholders.

    Capability: Leadership

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Activities are prioritized with minimal direction and/or assistance.
    • Progress self-monitoring against objectives with leadership apprised of deviations against plan.
    • Facilitated decisions from stakeholders or teams.
    • Informal feedback on performance and collaboration with teams.
    • Independently prioritized activities and provide direction or assistance to others as needed.
    • Managed issue resolution and provided guidance on goals, priorities, and constraints.
    • Product decision ownership with input from stakeholders, SMEs, and delivery teams.
    • Formal product management retrospectives with tracked and measured changes to improve performance.
    • Consulted in the most challenging situations to provide subject matter expertise on leading practices and industry standards.
    • Provide mentoring and coaching to your peers and/or teammates.
    • Use team empowerment, pushing decisions to the lowest appropriate level based on risk and complexity.
    • Mature and flexible communication.
    • Provide strategies and programs ensuring all individuals in the delivery organization obtain the level of coaching and supervision required for success in their position.
    • Provide leadership to the organization’s coaches ensuring delivery excellence across the organization.
    • Help develop strategic initiatives driving common approaches and utilizing information assets and processes across the enterprise.

    Exercise 3.2.2 Assess your Leadership capability proficiency

    1 hour
    1. Review the expectations for this capability and determine your current proficiency for each skill.
    2. Complete your assessment in the Mature and Scale Product Owner Proficiency Assessment tool.
    3. Record the results in the Mature and Scale Product Ownership Playbook.
    4. Review the skills map to identify strengths and areas of growth.

    Output

    • Product owner capability assessment

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Owner Proficiency Assessment.

    Capability: Product lifecycle management

    Plan

    • Product backlog: Follow a schedule for backlog intake, grooming, updates, and prioritization.
    • Journey map: Create an end-user journey map to guide adoption and loyalty.
    • Fit for purpose: Define expected value and intended use to ensure product meets your end user’s needs.

    Build

    • Capacity management: Work with operations and delivery teams to ensure consistent and stable outcomes.
    • Release strategy: Build learning, release, and critical milestones into a repeatable release plan.
    • Compliance: Build policy compliance into delivery practices to ensure alignment and reduce avoidable risk (privacy, security).

    Run

    • Adoption: Focus attention on end-user adoption and proficiency to accelerate value and maximize retention.
    • Support: Build operational support and business continuity into every team.
    • Measure: Measure KPIs and validate expected value to ensure product alignment to goals and consistent product quality.

    “Pay fantastic attention to detail. Reward, recognize, celebrate.”

    – Thomas K. Connellan, Inside the Magic Kingdom

    Product Lifecycle Management: Plan, Build, Run

    Info-Tech Insight

    Product owners must actively manage the full lifecycle of the product.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    A backlog stores and organizes PBIs at various stages of readiness

    A backlog stores and organizes PBIs at different levels of readiness. Stage 3 - Ideas are composed of raw, vague ideas that have yet to go through any formal valuation. Stage 2 - Qualified are researched and qualified PBIs awaiting refinement. Stage 1 - Ready are Discrete, refined RBIs that are read to be placed in your development team's sprint plans.

    A well-formed backlog can be thought of as a DEEP backlog:

    Detailed Appropriately: PBIs are broken down and refined, as necessary.

    Emergent: The backlog grows and evolves over time as PBIs are added and removed.

    Estimated: The effort a PBI requires is estimated at each tier.

    Prioritized: The PBI’s value and priority are determined at each tier.

    (Perforce, 2018)

    Distinguish your specific goals for refining in the product backlog vs. planning for a sprint itself

    Often backlog refinement is used interchangeably or considered a part of sprint planning. The reality is they are very similar, as the required participants and objectives are the same; however, there are some key differences.

    Backlog refinement versus Sprint planning. Differences in Objectives, Cadence and Participants

    Use quality filters to promote high value items into the delivery pipeline

    Product backlog has quality filters such as: Backlogged, Qualified and Ready. Sprint backlog has a backlog of accepted PBI's

    Basic scrum process

    The scrum process coordinates multiple stakeholders to deliver on business priorities.

    Prioritized Backlog, Sprint Backlog, Manage Delivery, Sprint Review, Product Release

    Capability: Product lifecycle management

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Informal or undocumented intake process.
    • Informal or undocumented delivery lifecycle.
    • Unstable or unpredictable throughput or quality.
    • Informal or undocumented testing and release processes.
    • Informal or undocumented organizational change management planning for each release.
    • Informal or undocumented compliance validation with every release.
    • Documented intake process with stakeholder prioritization of requests.
    • Consistent delivery lifecycle with stable and predictable throughput with an expected range of delivery variance.
    • Formal and documented testing and release processes.
    • Organizational change management planning for each major release.
    • Compliance validation with every major release.
    • Intake process using value drivers and prioritization criteria to sequence all items.
    • Consistent delivery lifecycle with stable and predictable throughput with little variance.
    • Risk-based and partially automated testing and release processes.
    • Organizational change management planning for all releases.
    • Automated compliance validation with every major release.
    • Intake process using enterprise value drivers and prioritization criteria to sequence all items.
    • Stable Agile DevOps with low variability and automation.
    • Risk-based automated and manual testing.
    • Multiple release channels based on risk. Automated build, validation, and rollback capabilities.
    • Cross-channel, integrated organizational change management for all releases.
    • Automated compliance validation with every change or release.

    Exercise 3.2.3 Assess your PLM capability proficiency

    1 hour
    1. Review the expectations for this capability and determine your current proficiency for each skill.
    2. Complete your assessment in the Mature and Scale Product Owner Proficiency Assessment tool.
    3. Record the results in the Mature and Scale Product Ownership Playbook.
    4. Review the skills map to identify strengths and areas of growth.

    Output

    • Product owner capability assessment

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Owner Proficiency Assessment.

    Capabilities: Value realization

    Key performance indicators (KPIs)

    • Usability and user satisfaction: Assess satisfaction through usage monitoring and end-user feedback.
    • Value validation: Directly measure performance against defined value proposition, goals, and predicted ROI.
    • Fit for purpose: Verify the product addresses the intended purpose better than other options.

    Financial management

    • P&L: Manage each product as if it were its own business with profit and loss statements.
    • Acquisition cost/market growth: Define the cost of acquiring a new consumer, onboarding internal users, and increasing product usage.
    • User retention/market share: Verify product usage continues after adoption and solution reaches new user groups to increase value.

    Business model

    • Defines value proposition: Dedicate your primary focus to understanding and defining the value your product will deliver.
    • Market strategy and goals: Define your acquisition, adoption, and retention plan for users.
    • Financial model: Build an end-to-end financial model and plan for the product and all related operational support.

    “The competition is anyone the customer compares you with.”

    – Thomas K. Connellan, Inside the Magic Kingdom

    Value Realization: KPIs, Financial management, Business model

    Info-Tech Insight

    Most organizations stop with on-time and on-budget. True financial alignment needs to define and manage the full lifecycle P&L.

    Use a balanced value to establish a common definition of goals and value

    Value drivers are strategic priorities aligned to our enterprise strategy and translated through our product families. Each product and change has an impact on the value driver helping us reach our enterprise goals.

    Importance of the value driver multiplied by the Impact of value score is equal to the Value score.

    Info-Tech Insight

    Your value drivers and impact helps estimate the expected value of roadmap items, prioritize roadmap and backlog items, and identify KPIs and OKRs to measure value realization and actual impact.

    Include balanced value as one criteria to guide better decisions

    Your balanced value is just one of many criteria needed to align your product goals and sequence roadmap items. Feasibility, delivery pipeline capacity, shared services, and other factors may impact the prioritization of backlog items.

    Build your balanced business value score by using four key value drivers.

    Determine your value drivers

    Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of sources of value. Dissecting value by benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.

    Business value matrix

    Graph with 4 quadrants representing Outward versus Inward, and Financial benefit versus Human benefit. The quadrants are Reach customers, Increase revenue/demonstrate value, Enhance services, Reduce costs.

    Financial benefits vs. improved capabilities

    Financial benefits refer to the degree to which the value source can be measured through monetary metrics and is often quite tangible.

    Human benefits refer to how a product or service can deliver value through a user’s experience.

    Inward vs. outward orientation

    Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.

    Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Exercise 3.2.4 Identify your business value drivers and sources of value

    1 hour
    1. Brainstorm the different types of business value that you produce on the sticky notes (one item per page). Draw from examples of products in your portfolio.
    2. Identify the most important value items for your organization (two to three per quadrant).
    3. Record the results in the Mature and Scale Product Ownership Workbook.

    Output

    • Product owner capability assessment

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Ownership Workbook.

    My business value sources

    Graph with 4 quadrants representing Outward versus Inward, and Financial benefit versus Human benefit. The quadrants are Reach customers, Increase revenue/demonstrate value, Enhance services, Reduce costs.

    Capability: Value realization

    Your Score: ____

    1 - Foundational: Transitioning and Growing

    2 - Capable/Competent: Core Contributor

    3 - Influential: Gifted Improver

    4 - Transformational: Towering Strength

    • Product canvas or basic product positioning overview.
    • Simple budget or funding mechanism for changes.
    • Product demos and informal user feedback mechanisms.
    • Business value canvas or basic business model tied to roadmap funding.
    • Product funding tied to roadmap milestones and prioritization.
    • Defined KPIs /OKRs for roadmap delivery throughput and value realization measurement.
    • Business model with operating cost structures, revenue/value traceability, and market/user segments.
    • Scenario-based roadmap funding alignment.
    • Roadmap aligned KPIs /OKRs for delivery throughput and value realization measurement as a key factor in roadmap prioritization.
    • Business model tied to enterprise operating costs and value realization KPIs/OKRs.
    • P&L roadmap and cost accounting tied to value metrics.
    • Roadmap aligned enterprise and scenario-based KPIs /OKRs for delivery throughput and value realization measurement as a key factor in roadmap prioritization.

    Exercise 3.2.5 Assess your value realization capability proficiency

    1 hour
    1. Review the expectations for this capability and determine your current proficiency for each skill.
    2. Complete your assessment in the Mature and Scale Product Owner Proficiency Assessment tool.
    3. Record the results in the Mature and Scale Product Ownership Playbook.
    4. Review the skills map to identify strengths and areas of growth.

    Output

    • Product owner capability assessment

    Participants

    • Product owners
    • Product managers

    Capture in the Mature and Scale Product Owner Proficiency Assessment.

    Determine your product owner capability proficiency in regards to: Vision, Leadership, Product Lifecycle, and Value Realization

    Summary of Accomplishment

    Problem solved.

    Product ownership can be one of the most difficult challenges facing delivery and operations teams. By focusing on operational grouping and alignment of goals, organizations can improve their value realization at all levels in the organization.

    The foundation for delivering and enhancing products and services is rooted in the same capability model. Traditionally, product owners have focused on only a subset of skills and capabilities needed to properly manage and grow their products. The product owner capability model is a useful tool to ensure optimal performance from product owners and assess the right level of detail for each product within the product families.

    Congratulations. You’ve completed a significant step toward higher-value products and services.

    If you would like additional support, have our analysts guide you through other phases as apart of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as apart of an Info-Tech workshop

    Contact your account representative for more information
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1 Assess your real Agile skill proficiency

    Assess your skills and capabilities against the real Agile skills inventory

    2.2.3 Prioritize your stakeholders

    Build a stakeholder management strategy.

    Research Contributors and Experts

    Emily Archer

    Lead Business Analyst,
    Enterprise Consulting, authentic digital agency

    Emily Archer is a consultant currently working with Fortune 500 clients to ensure the delivery of successful projects, products, and processes. She helps increase the business value returned for organizations’ investments in designing and implementing enterprise content hubs and content operations, custom web applications, digital marketing, and e-commerce platforms.

    David Berg

    Founder & CTO
    Strainprint Technologies Inc.

    David Berg is a product commercialization expert who has spent the last 20 years delivering product management and business development services across a broad range of industries. Early in his career, David worked with product management and engineering teams to build core network infrastructure products that secure and power the internet we benefit from today. David’s experience also includes working with clean technologies in the area of clean power generation, agritech, and Internet of Things infrastructure. Over the last five years, David has been focused on his latest venture, Strainprint Technologies, a data and analytics company focused on the medical cannabis industry. Strainprint has built the largest longitudinal medical cannabis dataset in the world, with a goal to develop an understanding of treatment behavior, interactions, and chemical drivers to guide future product development.

    Research Contributors and Experts

    Kathy Borneman

    Digital Product Owner, SunTrust Bank

    Kathy Borneman is a senior product owner who helps people enjoy their jobs again by engaging others in end-to-end decision making to deliver software and operational solutions that enhance the client experience and allow people to think and act strategically.

    Charlie Campbell

    Product Owner, Merchant e-Solutions

    Charlie Campbell is an experienced problem solver with the ability to quickly dissect situations and recommend immediate actions to achieve resolution, liaise between technical and functional personnel to bridge the technology and communication gap, and work with diverse teams and resources to reach a common goal.

    Research Contributors and Experts

    Yarrow Diamond

    Sr. Director, Business Architecture
    Financial Services

    Yarrow Diamond is an experienced professional with expertise in enterprise strategy development, project portfolio management, and business process reengineering across financial services, healthcare and insurance, hospitality, and real estate environments. She has a master’s in Enterprise Architecture from Penn State University, LSSMBB, PMP, CSM, ITILv3.

    Cari J. Faanes-Blakey, CBAP, PMI-PBA

    Enterprise Business Systems Analyst,
    Vertex, Inc.

    Cari J. Faanes-Blakey has a history in software development and implementation as a Business Analyst and Project Manager for financial and taxation software vendors. Active in the International Institute of Business Analysis (IIBA), Cari participated on the writing team for the BA Body of Knowledge 3.0 and the certification exam.

    Research Contributors and Experts

    Kieran Gobey

    Senior Consultant Professional Services
    Blueprint Software Systems

    Kieran Gobey is an IT professional with 24 years of experience, focused on business, technology, and systems analysis. He has split his career between external and internal customer-facing roles, and this has resulted in a true understanding of what is required to be a Professional Services Consultant. His problem-solving skills and ability to mentor others have resulted in successful software implementations.

    Kieran’s specialties include deep system troubleshooting and analysis skills, facilitating communications to bring together participants effectively, mentoring, leadership, and organizational skills.

    Rupert Kainzbauer

    VP Product, Digital Wallets
    Paysafe Group

    Rupert Kainzbauer is an experienced senior leader with a passion for defining and delivering products that deliver real customer and commercial benefit. With a team of highly experienced and motivated product managers, he has successfully led highly complex, multi-stakeholder payments initiatives, from proposition development and solution design through to market delivery. Their domain experience is in building online payment products in high-risk and emerging markets, remittance, prepaid cards, and mobile applications.

    Research Contributors and Experts

    Saeed Khan

    Founder,
    Transformation Labs

    Saeed Khan has been working in high tech for 30 years in Canada and the US and has held several leadership roles in Product Management in that time. He speaks regularly at conferences and has been writing publicly about technology product management since 2005.

    Through Transformation Labs, Saeed helps companies accelerate product success by working with product teams to improve their skills, practices, and processes. He is a cofounder of ProductCamp Toronto and currently runs a Meetup group and global Slack community called Product Leaders; the only global community of senior level product executives.

    Hoi Kun Lo

    Product Owner
    Nielsen

    Hoi Kun Lo is an experienced change agent who can be found actively participating within the IIBA and WITI groups in Tampa, FL and a champion for Agile, architecture, diversity, and inclusion programs at Nielsen. She is currently a Product Owner in the Digital Strategy team within Nielsen Global Watch Technology.

    Research Contributors and Experts

    Abhishek Mathur

    Sr Director, Product Management
    Kasisto, Inc.

    Abhishek Mathur is a product management leader, an artificial intelligence practitioner, and an educator. He has led product management and engineering teams at Clarifai, IBM, and Kasisto to build a variety of artificial intelligence applications within the space of computer vision, natural language processing, and recommendation systems. Abhishek enjoys having deep conversations about the future of technology and helping aspiring product managers enter and accelerate their careers.

    Jeff Meister

    Technology Advisor and Product Leader

    Jeff Meister is a technology advisor and product leader. He has more than 20 years of experience building and operating software products and the teams that build them. He has built products across a wide range of industries and has built and led large engineering, design, and product organizations.

    Jeff most recently served as Senior Director of Product Management at Avanade, where he built and led the product management practice. This involved hiring and leading product managers, defining product management processes, solution shaping and engagement execution, and evangelizing the discipline through pitches, presentations, and speaking engagements.

    Jeff holds a Bachelor of Applied Science (Electrical Engineering) and a Bachelor of Arts from the University of Waterloo, an MBA from INSEAD (Strategy), and certifications in product management, project management, and design thinking.

    Research Contributors and Experts

    Vincent Mirabelli

    Principal,
    Global Project Synergy Group

    With over 10 years of experience in both the private and public sectors, Vincent Mirabelli possesses an impressive track record of improving, informing, and transforming business strategy and operations through process improvement, design and re-engineering, and the application of quality to business analysis, project management, and process improvement standards.

    Oz Nazili

    VP, Product & Growth
    TWG

    Oz Nazili is a product leader with a decade of experience in both building products and product teams. Having spent time at funded startups and large enterprises, he thinks often about the most effective way to deliver value to users. His core areas of interest include Lean MVP development and data-driven product growth.

    Research Contributors and Experts

    Mike Starkey

    Director of Engineering
    W.W. Grainger

    Mike Starkey is a Director of Engineering at W.W. Grainger, currently focusing on operating model development, digital architecture, and building enterprise software. Prior to joining W.W. Grainger, Mike held a variety of technology consulting roles throughout the system delivery lifecycle spanning multiple industries such as healthcare, retail, manufacturing, and utilities with Fortune 500 companies.

    Anant Tailor

    Cofounder and Head of Product
    Dream Payments Corp.

    Anant Tailor is a cofounder at Dream Payments where he currently serves as the COO and Head of Product, having responsibility for Product Strategy & Development, Client Delivery, Compliance, and Operations. He has 20+ years of experience building and operating organizations that deliver software products and solutions for consumers and businesses of varying sizes.

    Prior to founding Dream Payments, Anant was the COO and Director of Client Services at DonRiver Inc, a technology strategy and software consultancy that he helped to build and scale into a global company with 100+ employees operating in seven countries.

    Anant is a Professional Engineer with a Bachelor degree in Electrical Engineering from McMaster University and a certificate in Product Strategy & Management from the Kellogg School of Management at Northwestern University.

    Research Contributors and Experts

    Angela Weller

    Scrum Master, Businessolver

    Angela Weller is an experienced Agile business analyst who collaborates with key stakeholders to attain their goals and contributes to the achievement of the company’s strategic objectives to ensure a competitive advantage. She excels when mediating or facilitating teams.

    Related Info-Tech Research

    Product Delivery

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    Build Your Agile Acceleration Roadmap

    Quickly assess the state of your Agile readiness and plan your path forward to higher value realization.

    Implement Agile Practices That Work

    Improve collaboration and transparency with the business to minimize project failure.

    Implement DevOps Practices That Work

    Streamline business value delivery through the strategic adoption of DevOps practices.

    Extend Agile Practices Beyond IT

    Further the benefits of Agile by extending a scaled Agile framework to the business.

    Build Your BizDevOps Playbook

    Embrace a team sport culture built around continuous business-IT collaboration to deliver great products.

    Embed Security Into the DevOps Pipeline

    Shift security left to get into DevSecOps.

    Spread Best Practices With an Agile Center of Excellence

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Enable Organization-Wide Collaboration by Scaling Agile

    Execute a disciplined approach to rolling out Agile methods in the organization.

    Related Info-Tech Research

    Application Portfolio Management

    APM Research Center

    See an overview of the APM journey and how we can support the pieces in this journey.

    Application Portfolio Management Foundations

    Ensure your application portfolio delivers the best possible return on investment.

    Streamline Application Maintenance

    Effective maintenance ensures the long-term value of your applications.

    Streamline Application Management

    Move beyond maintenance to ensuring exceptional value from your apps.

    Build an Application Department Strategy

    Delivering value starts with embracing what your department can do.

    Embrace Business-Managed Applications

    Empower the business to implement their own applications with a trusted business-IT relationship

    Optimize Applications Release Management

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Related Info-Tech Research

    Value, Delivery Metrics, Estimation

    Build a Value Measurement Framework

    Focus product delivery on business value–driven outcomes.

    Select and Use SDLC Metrics Effectively

    Be careful what you ask for, because you will probably get it.

    Application Portfolio Assessment: End User Feedback

    Develop data-driven insights to help you decide which applications to retire, upgrade, re-train on, or maintain to meet the demands of the business.

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Refine Your Estimation Practices With Top-Down Allocations

    Don’t let bad estimates ruin good work.

    Estimate Software Delivery With Confidence

    Commit to achievable software releases by grounding realistic expectations.

    Reduce Time to Consensus With an Accelerated Business Case

    Expand on the financial model to give your initiative momentum.

    Optimize Project Intake, Approval, and Prioritization

    Deliver more projects by giving yourself the voice to say “no” or “not yet” to new projects.

    Enhance PPM Dashboards and Reports

    Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Related Info-Tech Research

    Organizational Design and Performance

    Redesign Your IT Organizational Structure

    Focus product delivery on business value-driven outcomes.

    Build a Strategic IT Workforce Plan

    Have the right people, in the right place, at the right time.

    Implement a New Organizational Structure

    Reorganizations are inherently disruptive. Implement your new structure with minimal pain for staff while maintaining IT performance throughout the change.

    Build an IT Employee Engagement Program

    Don’t just measure engagement, act on it

    Set Meaningful Employee Performance Measures

    Set holistic measures to inspire employee performance.

    Bibliography (Product Management)

    “12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.

    A, Karen. “20 Mental Models for Product Managers.” Product Management Insider, Medium, 2 Aug. 2018. Web.

    Adams, Paul. “Product Teams: How to Build & Structure Product Teams for Growth.” Inside Intercom, 30 Oct. 2019. Web.

    Aghina, Handscomb, Ludolph, West, and Abby Yip, “How to select and develop individuals for successful agile teams: A practical guide” McKinsey & Company 20 Dec. 2018. Web.

    Agile Alliance. “Product Owner.” Agile Alliance. n.d. Web.

    Ambler, Scott W. "Communication on Agile Software Teams“, Agile Modeling. 2001-2022. Web.

    Ambysoft. “2018 IT Project Success Rates Survey Results.” Ambysoft. 2018. Web.

    Banfield, Richard, et al. “On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team.” Pluralsight, 31 Jan. 2018. Web.

    Beck, Beedle, van Bennekum, Cockburn, Cunningham, Fowler, Grenning, Highsmith, Hunt, Jeffries, Kern, Marick, Martin, Mellor, Schwaber, Sutherland, Thomas, "Manifesto for Agile Software Development." agilemanifesto.org. 2001

    Berez, Steve, et al. “How to Plan and budget for Agile at Scale.” Bain & Company, 08 Oct 2019. Web

    Blueprint. “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint. 2012. Web.

    Breddels, Dajo, and Paul Kuijten. “Product Owner Value Game.” Agile2015 Conference, Agile Alliance 2015. Web.

    Cagan, Martin. “Behind Every Great Product.” Silicon Valley Product Group. 2005. Web.

    Cohn, Mike. “What Is a Product?” Mountain Goat Software. 6 Sept. 2016. Web.

    Connellan, Thomas K. Inside the Magic Kingdom, Bard Press, 1997.

    Curphey, Mark. “Product Definition.” SlideShare, 25 Feb. 2007. Web.

    “Delegation Poker Product Image.” Management 3.0, n.d. Web.

    Distel, Dominic, et al. “Finding the sweet spot in product-portfolio management.’ McKinsey, 4 Dec. 2020. Web

    Eringa, Ron. “Evolution of the Product Owner.” RonEringa.com, 12 June 2016. Web.

    Fernandes, Thaisa. “Spotify Squad Framework - Part I.” PM101, Medium, 6 Mar. 2017. Web.

    Galen, Robert. “Measuring Product Ownership – What Does ‘Good’ Look Like?” RGalen Consulting, 5 Aug. 2015. Web.

    Grenny, Joseph. “The Best Teams Hold Themselves Accountable.” Harvard Business Review, 30 May 2014. Web.

    Halisky, Merland, and Luke Lackrone. “The Product Owner’s Universe.” Agile2016 Conference, Agile Alliance, 2016. Web.

    Bibliography (Product Management)

    IIBA "A Guide to the Business Analysis Body of Knowledge® (BABOK® Guide) v3" IIBA. 15 APR 2015

    Kamer, Jurriaan. “How to Build Your Own ‘Spotify Model’.” The Ready, Medium, 9 Feb. 2018. Web.

    Kendis Team. “Exploring Key Elements of Spotify’s Agile Scaling Model.” Scaled Agile Framework, Medium, 23 Jul. 2018. Web.

    Lindstrom, Lowell. “7 Skills You Need to Be a Great Product Owner.” Scrum Alliance, n.d. Web.

    Lukassen, Chris. “The Five Belts Of The Product Owner.” Xebia.com, 20 Sept. 2016. Web.

    Mankins, Michael. “The Defining Elements of a Winning Culture.” Bain, 19 Dec. 2013. Web.

    McCloskey, Heather. “Scaling Product Management: Secrets to Defeating Common Challenges.” ProductPlan, 12 July 2019. Web.

    McCloskey, Heather. “When and How to Scale Your Product Team.” UserVoice, 21 Feb. 2017. Web. Mironov, Rich. “Scaling Up Product Manager/Owner Teams.” Rich Mironov's Product Bytes, Mironov Consulting, 12 Apr. 2014. Web.

    Moore, Geoffrey A. “Crossing the Chasm, 3rd Edition.” Collins Business Essentials, 28 Jan 2014

    Oh, Paul. “How Mastering Resilience Can Help Drive Agile Transformations.” Why Innovation!, 10 Oct. 2019.

    Overeem, Barry. “A Product Owner Self-Assessment.” Barry Overeem, 6 Mar. 2017. Web.

    Overeem, Barry. “Retrospective: Using the Team Radar.” Barry Overeem, 27 Feb. 2017. Web.

    Pichler, Roman. “How to Scale the Scrum Product Owner.” Roman Pichler, 28 June 2016 . Web.

    Pichler, Roman. “Product Management Framework.” Pichler Consulting Limited, 2014. Web.

    Pichler, Roman. “Sprint Planning Tips for Product Owners.” LinkedIn, 4 Sept. 2018. Web.

    Pichler, Roman. “What Is Product Management?” Pichler Consulting Limited, 26 Nov. 2014. Web.

    PMI "The high cost of low performance: the essential role of communications“. PMI Pulse of Profession, May 2013.

    Radigan,Dan. “Putting the ‘Flow' Back in Workflow With WIP Limits.” Atlassian, n.d. Web.

    Bibliography (Product Management)

    Rouse, Margaret. “Definition: product.” TechTarget, Sept. 2005. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on (Business) Value.” Scrum.org, 30 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Agile Product Management.” Scrum.org, 28 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Scrum.org, 5 Dec. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on the Product Vision.” Scrum.org, 29 Nov. 2017. Web.

    Schuurman, Robbin. “Tips for Starting Product Owners.” Scrum.org, 27 Nov. 2017. Web.

    Sharma, Rohit. “Scaling Product Teams the Structured Way.” Monetary Musings, 28 Nov. 2016. Web.

    Shirazi, Reza. “Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong.” Austin Voice of Product, 2 Oct. 2018. Web.

    Spitz, Enid R. “The Three Kinds of Empathy: Emotional, Cognitive, Compassionate.” The Three Kinds of Empathy: Emotional, Cognitive, Compassionate. Heartmanity. Web.

    Steiner, Anne. “Start to Scale Your Product Management: Multiple Teams Working on Single Product.” Cprime, 6 Aug. 2019. Web.

    “The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2016. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group. 2015. Web.

    Theus, Andre. “When Should You Scale the Product Management Team?” ProductPlan, 7 May 2019. Web.

    Tolonen, Arto. “Scaling Product Management in a Single Product Company.” Smartly.io, 26 Apr. 2018. Web.

    Ulrich, Catherine. “The 6 Types of Product Managers. Which One Do You Need?” Medium, 19 Dec. 2017. Web.

    Verwijs, Christiaan. “Retrospective: Do The Team Radar.” The Liberators, Medium, 10 Feb. 2017. Web.

    Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management”. Academia.edu. 2010. Web.

    Backlog

    2009 Business Analysis Benchmark Study.” IAG Consulting, 2009. Web.

    Armel, Kate. “Data-driven Estimation, Management Lead to High Quality.” Quantitative Software Management Inc, 2015. Web.

    Bradley, Marty. “Agile Estimation Guidance.” Leading Agile, 30 Aug. 2016. Web. Feb. 2019.

    CollabNet and VersionOne. “12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.

    Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Accessed Feb. 2019.

    “Enablers.” Scaled Agile, n.d. Web.

    “Epic.” Scaled Agile, n.d. Web.

    Fischer, Christian. “Scrum Compact.” Itemis, n.d. Web. Feb. 2019.

    Hackshall, Robin. “Product Backlog Refinement.” Scrum Alliance, 9 Oct. 2014. Accessed Feb. 2019.

    Hartman, Bob. “New to agile? INVEST in good user stories.” Agile For All, 14 May 2009. Web.

    Huether, Derek. “Cheat Sheet for Product Backlog Refinement (Grooming).” Leading Agile, 2 Nov. 2013. Accessed Feb. 2019.

    Karlsson, Johan. “Backlog Grooming: Must-Know Tips for High-Value Products.” Perforce, 18 May 2018. Accessed Feb. 2019.

    Khan, Saeed. “Good Bye ‘Product Owner’, Hello ‘Backlog Manager.’” On Product Management, 27 June 2011. Accessed Feb. 2019.

    Khan, Saeed. “Let’s End the Confusion: A Product Owner is NOT a Product Manager.” On Product Management, 14 July 2017. Accessed Feb. 2019.

    Lawrence, Richard. “New Story Splitting Resource.” Agile For All. 27 Jan. 2012. Web. Feb. 2019.

    Leffingwell, Dean. “SAFe 4.0.” Scaled Agile Inc, 2017. Accessed Feb. 2019.

    Lucero, Mario. “Product Backlog – Deep Model.” Agilelucero, 8 Oct. 2014. Web.

    “PI Planning.” Scaled Agile, n.d. Web.

    Pichler, Roman. “The Product Roadmap and the Product Backlog.” Roman Pichler, 9 Sept. 2014. Accessed Feb. 2019.

    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education, 2012.

    Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Burozeven, 20 Nov. 2017. Accessed Feb. 2019.

    Srinivasan, Vibhu. “Product Backlog Management: Tips from a Seasoned Product Owner.” Agile Alliance, n.d. Accessed Feb. 2019.

    Todaro, Dave. “Splitting Epics and User Stories.” Ascendle, n.d. Accessed Feb. 2019.

    “What Characteristics Make Good Agile Acceptance Criteria?” Segue Technologies, 3 Sept. 2015. Web. Feb. 2019.

    Bibliography (Roadmap)

    Bastow, Janna. “Creating Agile Product roadmaps Everyone Understands.” ProdPad, 22 Mar. 2017. Accessed Sept. 2018.

    Bastow, Janna. “The Product Tree Game: Our Favorite Way To Prioritize Features.” ProdPad, 21 Feb. 2016. Accessed Sept. 2018.

    Chernak, Yuri. “Requirements Reuse: The State of the Practice.” 2012 IEEE International Conference, 12 June 2012, Herzliya, Israel. Web.

    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Accessed 20 Nov. 2017.

    Harrin, Elizabeth. “Learn What a Project Milestone Is.” The Balance Careers, 10 May 2018. Accessed Sept. 2018.

    “How to create a product roadmap.” Roadmunk, n.d. Accessed Sept. 2018.

    Johnson, Steve. “How to Master the 3 Horizons of Product Strategy.” Aha!, 24 Sept. 2015. Accessed Sept. 2018.

    Johnson, Steve. “The Product Roadmap vs. the Technology Roadmap.” Aha!, 23 June 2016. Accessed Sept. 2018

    Juncal, Shaun. “How Should You Set Your Product Roadmap Timeframes?” ProductPlan, Web. Sept. 2018.

    Leffingwell, Dean. “SAFe 4.0.” Scaled Agile, 2017. Web.

    Maurya, Ash. “What is a Minimum Viable Product (MVP).” Leanstack, 12 June 2017. Accessed Sept. 2018.

    Pichler, Roman. “10 Tips for Creating an Agile Product Roadmap.” Roman Pichler, 20 July 2016. Accessed Sept. 2018.

    Pichler, Roman. Strategize: Product Strategy and Product Roadmap Practices for the Digital Age. Pichler Consulting, 2016.

    “Product Roadmap Contents: What Should You Include?” ProductPlan, n.d. Accessed 20 Nov. 2017.

    Saez, Andrea. “Why Your Roadmap Is Not a Release Plan.” ProdPad, 23 October 2015. Accessed Sept. 2018.

    Schuurman, Robbin. “Tips for Agile product roadmaps & product roadmap examples.” Scrum.org, 7 Dec. 2017. Accessed Sept. 2018.

    Bibliography (Vision and Canvas)

    Adams, Paul. “The Future Product Canvas.” Inside Intercom, 10 Jan. 2014. Web.

    “Aligning IT Funding Models to the Pace of Technology Change.” EDUCAUSE, 14 Dec. 2015. Web.

    Altman, Igor. “Metrics: Gone Bad.” OpenView, 10 Nov. 2009. Web.

    Barry, Richard. “The Product Vision Canvas – a Strategic Tool in Developing a Successful Business.” Polymorph, 2019. Web.

    “Business Canvas – Business Models & Value Propositions.” Strategyzer, 2019. Web.

    “Business Model Canvas.” Wikipedia: The Free Encyclopedia, 4 Aug. 2019. Web.

    Charak, Dinker. “Idea to Product: The Working Model.” ThoughtWorks, 13 July 2017. Web.

    Charak, Dinker. “Product Management Canvas - Product in a Snapshot.” Dinker Charak, 29 May 2017. Web.

    Chudley, James. “Practical Steps in Determining Your Product Vision (Product Tank Bristol, Oct. 2018).” LinkedIn SlideShare. Uploaded by cxpartners, 2 Nov. 2018. Web.

    Cowan, Alex. “The 20 Minute Business Plan: Business Model Canvas Made Easy.” COWAN+, 2019. Web.

    Craig, Desiree. “So You've Decided To Become A Product Manager.” Start it up, Medium, 2 June 2019. Web.

    “Create an Aha! Business Model Canvas Strategic Model.” Aha! Support, 2019. Web.

    Eick, Stephen. “Does Code Decay? Assessing the Evidence from Change Management Data.” IEEE Transactions on Software Engineering, vol. 27, no. 1, Jan. 2001, pp. 1-12. Web.

    Eriksson, Martin. “The next Product Canvas.” Mind the Product, 22 Nov. 2013. Web.

    “Experience Canvas: a Lean Approach: Atlassian Team Playbook.” Atlassian, 2019. Web.

    Freeman, James. “How to Make a Product Canvas – Visualize Your Product Plan.” Edraw, 23 Dec. 2019. Web.

    Fuchs, Danny. “Measure What Matters: 5 Best Practices from Performance Management Leaders.” OpenGov, 8 Aug. 2018. Web.

    Gorisse, Willem. “A Practical Guide to the Product Canvas.” Mendix, 28 Mar. 2017. Web.

    Gothelf, Jeff. “The Lean UX Canvas.” Jeff Gothelf, 15 Dec. 2016. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product: Getting Started.” EBG Consulting, 15 Jan. 2019. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product's Core Requirements.” EBG Consulting, 4 Feb. 2019. Web.

    Gray, Mark Krishan. “Should I Use the Business Model Canvas or the Lean Canvas?” Blog, Medium.com, 2019. Web.

    Bibliography (Vision and Canvas)

    Hanby, Jeff. "Software Maintenance: Understanding and Estimating Costs." LookFar, 21 Oct. 2016. Web.

    “How do you define a product?” Scrum.org, 4 Apr 2017, Web

    Juncal, Shaun. “How to Build a Product Roadmap Based on a Business Model Canvas.” ProductPlan, 19 June 2019. Web.

    “Lean Canvas Intro - Uber Example.” YouTube, uploaded by Railsware Product Academy, 12 Oct. 2018. Web.

    “Lesson 6: Product Canvas.” ProdPad Help Center, 2019. Web.

    Lucero, Mario. “The Product Canvas.” Agilelucero.com, 22 June 2015. Web.

    Maurya, Ash. “Create a New Lean Canvas.” Canvanizer, 2019. Web.

    Maurya, Ash. “Don't Write a Business Plan. Create a Lean Canvas Instead.” LEANSTACK, 2019. Web.

    Maurya, Ash. “Why Lean Canvas vs Business Model Canvas?” Medium, 27 Feb. 2012. Web.

    Mirabelli, Vincent. “The Project Value Canvas.” Vincent Mirabelli, 2019. Web.

    Mishra, LN. “Business Analysis Canvas – The Ultimate Enterprise Architecture.” BA Times, 19 June 2019. Web.

    Muller. Jerry Z. “Why performance metrics isn’t always the best way to judge performance.” Fast Company, 3 April 2019. Web.

    Perri, Melissa. “What Is Good Product Strategy?” Melissa Perri, 14 July 2016. Web.

    Pichler, Roman. “A Product Canvas for Agile Product Management, Lean UX, Lean Startup.” Roman Pichler, 16 July 2012. Web.

    Pichler, Roman. “Introducing the Product Canvas.” JAXenter, 15 Jan. 2013. Web.

    Pichler, Roman. “Roman's Product Canvas: Introduction.” YouTube, uploaded by Roman Pichler, 3 Mar. 2017. Web.

    Pichler, Roman. “The Agile Vision Board: Vision and Product Strategy.” Roman Pichler, 10 May 2011. Web.

    Pichler, Roman. “The Product Canvas – Template.” Roman Pichler, 11 Oct. 2016. Web.

    Pichler, Roman. “The Product Canvas Tutorial V1.0.” LinkedIn SlideShare. Uploaded by Roman Pichler, 14 Feb. 2013. Web.

    Pichler, Roman. “The Product Vision Board: Introduction.” YouTube uploaded by Roman Pichler, 3 Mar. 2017. Web.

    “Product Canvas PowerPoint Template.” SlideModel, 2019. Web.

    Bibliography (Vision and Canvas)

    “Product Canvas.” SketchBubble, 2019, Web.

    “Product Canvas.” YouTube, uploaded by Wojciech Szramowski, 18 May 2016. Web.

    “Product Roadmap Software to Help You Plan, Visualize, and Share Your Product Roadmap.” Productboard, 2019. Web.

    Roggero, Giulio. “Product Canvas Step-by-Step.” LinkedIn SlideShare, uploaded by Giulio Roggero, 18 May 2013. Web.

    Royce, Dr. Winston W. “Managing the Development of Large Software Systems.” Scf.usc.edu, 1970. Web.

    Ryan, Dustin. “The Product Canvas.” Qdivision, Medium, 20 June 2017. Web.

    Snow, Darryl. “Product Vision Board.” Medium, 6 May 2017. Web.

    Stanislav, Shymansky. “Lean Canvas – a Tool Your Startup Needs Instead of a Business Plan.” Railsware, 12 Oct. 2018. Web.

    Stanislav, Shymansky. “Lean Canvas Examples of Multi-Billion Startups.” Railsware, 20 Feb. 2019. Web.

    “The Product Vision Canvas.” YouTube, Uploaded by Tom Miskin, 20 May 2019. Web.

    Tranter, Leon. “Agile Metrics: the Ultimate Guide.” Extreme Uncertainty, n.d. Web.

    “Using Business Model Canvas to Launch a Technology Startup or Improve Established Operating Model.” AltexSoft, 27 July 2018. Web.

    Veyrat, Pierre. “Lean Business Model Canvas: Examples + 3 Pillars + MVP + Agile.” HEFLO BPM, 10 Mar. 2017. Web.

    “What Are Software Metrics and How Can You Track Them?” Stackify, 16 Sept. 2017. Web

    “What Is a Product Vision?” Aha!, 2019. Web.

    Supporting Research

    Transformation topics and supporting Info-Tech research to make the journey easier, with less rework.

    Supporting research and services

    Improving IT alignment

    Build a Business-Aligned IT Strategy

    Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

    Includes a "Strategy on a page" template

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Create an IT View of the Service Catalog

    Unlock the full value of your service catalog with technical components.

    Application Portfolio Management Foundations

    Ensure your application portfolio delivers the best possible return on investment.

    Supporting research and services

    Shifting toward Agile DevOps

    Agile/DevOps Resource Center

    Tools and advice you need to be successful with Agile.

    Develop Your Agile Approach for a Successful Transformation

    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Implement DevOps Practices That Work

    Streamline business value delivery through the strategic adoption of DevOps practices.

    Perform an Agile Skills Assessment

    Being Agile isn't about processes, it's about people.

    Define the Role of Project Management in Agile and Product-Centric Delivery

    Projects and products are not mutually exclusive.

    Supporting research and services

    Shifting toward product management

    Make the Case for Product Delivery

    Align your organization on the practices to deliver what matters most.

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    Build a Better Product Owner

    Strengthen the product owner's role in your organization by focusing on core capabilities and proper alignment.

    Supporting research and services

    Improving value and delivery metrics

    Build a Value Measurement Framework

    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Select and Use SDLC Metrics Effectively

    Be careful what you ask for because you will probably get it.

    Reduce Time to Consensus With an Accelerated Business Case

    Expand on the financial model to give your initiative momentum.

    Supporting research and services

    Improving governance, prioritization, and value

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Maximize Business Value from IT Through Benefits Realization

    Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.

    Drive Digital Transformation With Platform Strategies

    Innovate and transform your business models with digital platforms.

    Succeed With Digital Strategy Execution

    Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.

    Build a Value Measurement Framework

    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Supporting research and services

    Improving requirements management and quality assurance

    Requirements Gathering for Small Enterprises

    Right-size the guidelines of your requirements gathering process.

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Build a Software Quality Assurance Program

    Build quality into every step of your SDLC.

    Automate Testing to Get More Done

    Drive software delivery throughput and quality confidence by extending your automation test coverage.

    Manage Your Technical Debt

    Make the case to manage technical debt in terms of business impact.

    Create a Business Process Management Strategy

    Avoid project failure by keeping the "B" in BPM.

    Build a Winning Business Process Automation Playbook

    Optimize and automate your business processes with a user-centric approach.

    Create a Winning BPI Playbook

    Don't waste your time focusing on the "as is." Focus on the improvements and the "to be."

    Supporting research and services

    Improving release management

    Optimize Applications Release Management

    Build trust by right-sizing your process using appropriate governance.

    Streamline Application Maintenance

    Effective maintenance ensures the long-term value of your applications.

    Streamline Application Management

    Move beyond maintenance to ensure exceptional value from your apps.

    Optimize Change Management

    Right-size your change management process.

    Manage Your Technical Debt

    Make the case to manage technical debt in terms of business impact.

    Improve Application Development Throughput

    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Supporting research and services

    Business relationship management

    Embed Business Relationship Management

    Leverage knowledge of the business to become a strategic IT partner.

    Improving security

    Build an Information Security Strategy

    Create value by aligning your strategy to business goals and business risks.

    Develop and Deploy Security Policies

    Enhance your overall security posture with a defensible and prescriptive policy suite.

    Simplify Identity and Access Management

    Leverage risk- and role-based access control to quantify and simplify the IAM process.

    Supporting research and services

    Improving and supporting business-managed applications

    Embrace Business-Managed Applications

    Empower the business to implement their own applications with a trusted business-IT relationship.

    Enhance Your Solution Architecture Practices

    Ensure your software systems solution is architected to reflect stakeholders’ short-and long-term needs.

    Satisfy Digital End Users With Low- and No-Code

    Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

    Build Your First RPA Bot

    Support RPA delivery with strong collaboration and management foundations.

    Automate Work Faster and More Easily With Robotic Process Automation

    Embrace the symbiotic relationship between the human and digital workforce.

    Supporting research and services

    Improving business intelligence, analytics, and reporting

    Modernize Data Architecture for Measurable Business Results

    Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, Agile, and fit-for-purpose data architecture practice.

    Build a Reporting and Analytics Strategy

    Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

    Build Your Data Quality Program

    Quality data drives quality business decisions.

    Design Data-as-a-Service

    Journey to the data marketplace ecosystems.

    Build a Robust and Comprehensive Data Strategy

    Key to building and fostering a data-driven culture.

    Build an Application Integration Strategy

    Level the table before assembling the application integration puzzle or risk losing pieces.

    Appendix

    Pulse survey results

    Pulse survey (N=18): What are the key components of product/service ownership?

    Pulse survey results: What are the key components of product/service ownership? Table shows answer options and responses in percentage.

    Pulse Survey (N=18): What are the key individual skills for a product/service owner?

    What are the key individual skills for a product/service owner? Table shows answer options and responses in percentage

    Other choices entered by respondents:

    • Anticipating client needs, being able to support delivery in all phases of the product lifecycle, adaptability, and ensuring a healthy backlog (at least two sprints’ worth of work).
    • Requirements elicitation and prioritization.
    • The key skill is being product-focused to ensure it provides value for competitive advantage.

    Pulse Survey (N=18): What are three things an outstanding product/service owner does that an average one doesn’t?

    What are three things an outstanding product/service owner does that an average one doesn't? Table shows results.

    Drive Business Value With a Right-Sized Project Gating Process

    • Buy Link or Shortcode: {j2store}445|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $61,999 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Low sponsor commitment on projects.
    • Poor quality on completed projects.
    • Little to no visibility into the project portfolio.
    • Organization does not operationalize change .
    • Analyzing, fixing, and redeploying is a constant struggle. Even when projects are done well, they fail to deliver the intended outcomes and benefits.

    Our Advice

    Critical Insight

    • Stop applying a one-size-fits-all-projects approach to governance.
    • Engage the sponsor by shifting the accountability to the business so they can get the most out of the project.
    • Do not limit the gating process to project management – expand to portfolio management.

    Impact and Result

    • Increase Project Throughput: Do more projects by ensuring the right projects and right amount of projects are approved and executed.
    • Validate Project Quality: Ensure issues are uncovered and resolved with standard check points in the project.
    • Increase Reporting and Visibility: Easily compare progress of projects across the portfolio and report outcomes to leadership.
    • Reduce Resource Waste: Terminate low-value projects early and assign the right resources to approved projects.
    • Achieve Intended Project Outcomes: Keep the sponsor engaged throughout the gating process to achieve desired outcomes.

    Drive Business Value With a Right-Sized Project Gating Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design a right-sized project gating process, review Info-Tech’s methodology, and understand the four ways we can support you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay the groundwork for tailored project gating

    This phase will walk you through the following activities:

  • Understand the role of gating and why we need it.
  • Determine what projects will follow the gating process and how to classify them.
  • Establish the role of the project sponsor throughout the entire project lifecycle.
    • Drive Business Value With a Right-Sized Project Gating Process – Phase 1: Lay the Groundwork for Tailored Project Gating
    • Project Intake Classification Matrix
    • Project Sponsor Role Description Template

    2. Establish level 1 project gating

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 2: Establish Level 1 Project Gating
    • Project Gating Strategic Template

    3. Establish level 2 project gating

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 3: Establish Level 2 Project Gating

    4. Establish level 3 project gating

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities. It will also help you determine next steps and milestones for the adoption of the new process.

    • Drive Business Value With a Right-Sized Project Gating Process – Phase 4: Establish Level 3 Project Gating
    • Project Gating Reference Document
    [infographic]

    Workshop: Drive Business Value With a Right-Sized Project Gating Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay the Groundwork for Tailored Project Gating

    The Purpose

    Understand the role of gating and why we need it.

    Determine what projects will follow the gating process and how to classify them.

    Establish the role of the project sponsor throughout the entire project lifecycle.

    Key Benefits Achieved

    Get stakeholder buy-in for the process.

    Ensure there is a standard leveling process to determine size, risk, and complexity of requests.

    Engage the project sponsor throughout the portfolio and project processes.

    Activities

    1.1 Project Gating Review

    1.2 Establish appropriate project levels

    1.3 Define the role of the project sponsor

    Outputs

    Project Intake Classification Matrix

    Project Sponsor Role Description Template

    2 Establish Level 1 Project Gating

    The Purpose

    This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a lightweight project gating process for small projects.

    Activities

    2.1 Review level 1 project gating process

    2.2 Determine what gates should be part of your custom level 1 gating process

    2.3 Establish required artifacts for each gate

    2.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    Documented outputs in the Project Gating Strategic Template

    3 Establish Level 2 Project Gating

    The Purpose

    This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.

    Key Benefits Achieved

    Create a heavier project gating process for medium projects.

    Activities

    3.1 Review level 2 project gating process

    3.2 Determine what gates should be part of your custom level 2 gating process

    3.3 Establish required artifacts for each gate

    3.4 Define the stakeholder’s roles and responsibilities at each gate

    Outputs

    4 Establish Level 3 Project Gating

    The Purpose

    This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities.

    Come up with a roadmap for the adoption of the new project gating process.

    Key Benefits Achieved

    Create a comprehensive project gating process for large projects.

    Activities

    4.1 Review level 3 project gating process

    4.2 Determine what gates should be part of your custom level 3 gating process

    4.3 Establish required artifacts for each gate

    4.4 Define the stakeholder’s roles and responsibilities at each gate

    4.5 Determine next steps and milestones for process adoption

    Outputs

    Documented outputs in the Project Gating Strategic Template

    Documented Project Gating Reference Document for all stakeholders

    Improve Service Desk Ticket Intake

    • Buy Link or Shortcode: {j2store}481|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk

    • Customers expect a consumer experience with IT. It won’t be long until this expectation expands to IT service support.
    • Messaging and threads are becoming central to how businesses organize information and conversations, but voice isn’t going away. It is still by far people’s favorite channel.
    • Tickets are becoming more complicated. BYOD, telework, and SaaS products present a perfect storm.
    • Traditional service metrics are not made for self service. Your mean-time-to-resolve will increase and first-contact resolution will decrease.

    Our Advice

    Critical Insight

    • Bring the service desk to the people. Select channels that are most familiar to your users, and make it as easy possible to talk to a human.
    • Integrate channels. Users should have a consistent experience, and technicians should know user history.
    • Don’t forget the human aspect. People aren’t always good with technology. Allow them to contact a person if they are struggling.

    Impact and Result

    • Define which channels will be prioritized.
    • Identify improvements to these channels based on best practices and our members’ experiences.
    • Streamline your ticket intake process to remove unnecessary steps.
    • Prioritize improvements based on their value. Implement a set of improvements every quarter.

    Improve Service Desk Ticket Intake Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should improve your ticket intake, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define and prioritize ticket channels

    Align your improvements with business goals and the shift-left strategy.

    • Improve Service Desk Ticket Intake – Phase 1: Define and Prioritize Ticket Channels
    • Service Desk Maturity Assessment
    • Service Desk Improvement Presentation Template

    2. Improve ticket channels

    Record potential improvements in your CSI Register, as you review best practices for each channel.

    • Improve Service Desk Ticket Intake – Phase 2: Improve Ticket Channels
    • Service Desk Continual Improvement Roadmap
    • Service Desk Ticket Intake Workflow Samples (Visio)
    • Service Desk Ticket Intake Workflow Samples (PDF)
    • Service Definition Checklist
    • Service Desk Site Visit Checklist Template

    3. Define next steps

    Streamline your ticket intake process and prioritize opportunities for improvement.

    • Improve Service Desk Ticket Intake – Phase 3: Define Next Steps
    [infographic]

    Workshop: Improve Service Desk Ticket Intake

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Optimize Ticket Channels

    The Purpose

    Brainstorm improvements to your systems and processes that will help you optimize.

    Key Benefits Achieved

    Develop a single point of contact.

    Reduce the time before a technician can start productively working on a ticket.

    Enable Tier 1 and end users to complete more tickets.

    Activities

    1.1 Prioritize channels for improvement.

    1.2 Optimize the voice channel.

    1.3 Identify improvements for self service.

    1.4 Improve Tier 1 agents’ access to information.

    1.5 Optimize supplementary ticket channels.

    Outputs

    Action items to improve the voice channel.

    Populated CSI Register for self-service channels.

    Identified action items for the knowledgebase.

    Populated CSI Register for additional ticket channels.

    2 Streamline Ticket Intake

    The Purpose

    Create long-term growth by taking a sustainable approach to improvements.

    Key Benefits Achieved

    Streamline your overall ticket intake process for incidents and service requests.

    Activities

    2.1 Map out the incident intake processes.

    2.2 Identify opportunities to streamline the incident workflow.

    2.3 Map out the request processes.

    2.4 Identify opportunities to streamline the request workflow.

    Outputs

    Streamlined incident intake process.

    Streamlined request intake process.

    Populated CSI Register for request intake.

    Exploit Disruptive Infrastructure Technology

    • Buy Link or Shortcode: {j2store}298|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies
    • New technology can hit like a meteor. Not only disruptive to IT, technology provides opportunities for organization-wide advantage.
    • Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the Chief Marketing Officer (CMO) set the technological innovation agenda
    • Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    • Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring technologies with a formal process.

    Our Advice

    Critical Insight

    • Establish the core working group, select a leader, and select a group of visionaries to help brainstorm emerging technologies.
    • Brainstorm about creating a better future, begin brainstorming an initial longlist.
    • Train the group to think like futurists.
    • Evaluate the shortlist.
    • Define your PoC list and schedule.
    • Finalize, present the plan to stakeholders and repeat.

    Impact and Result

    • Create a disruptive technology working group.
    • Produce a longlist of disruptive technologies.
    • Evaluate the longlist to produce a shortlist of disruptive technologies.
    • Develop a plan for a proof-of-concept project for each shortlisted technology.

    Exploit Disruptive Infrastructure Technology Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Exploit Disruptive Infrastructure Technology – A guide to help IT leaders make the most of disruptive impacts.

    As a CIO, there is a need to move beyond day-to-day technology management with an ever-increasing need to forecast technology impacts. Not just from a technical perspective but to map out the technical understandings aligned to potential business impacts and improvements. Technology transformation and innovation is moving more quickly than ever before and as an innovation champion, the CIO or CTO should have foresight in specific technologies with the understanding of how the company could be disrupted in the near future.

    • Exploit Disruptive Infrastructure Technology – Phases 1-3

    2. Disruptive Technology Exploitation Plan Template – A guide to develop the plan for exploiting disruptive technology.

    The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.

    • Disruptive Technology Exploitation Plan Template

    3. Disruptive Technology Look to the Past Tool – A tool to keep track of the missed technology disruption from previous opportunities.

    The Disruptive Technology Look to the Past Tool will assist you to collect reasonability test notes when evaluating potential disruptive technologies.

    • Disruptive Technology Look to the Past Tool

    4. Disruptive Technology Research Database Tool – A tool to keep track of the research conducted by members of the working group.

    The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.

    • Disruptive Technology Research Database Tool

    5. Disruptive Technology Shortlisting Tool

    The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.

    • Disruptive Technology Shortlisting Tool

    6. Disruptive Technology Value-Readiness and SWOT Analysis Tool – A tool to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    The Disruptive Technology Value Readiness & SWOT Analysis Tool will assist you to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    • Disruptive Technology Value-Readiness and SWOT Analysis Tool

    7. Proof of Concept Template – A handbook to serve as a reference when deciding how to proceed with your proposed solution.

    The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.

    • Proof of Concept Template

    8. Disruptive Technology Executive Presentation Template – A template to help you create a brief progress report presentation summarizing your project and program progress.

    The Disruptive Technology Executive Presentation Template will assist you to present an overview of the disruptive technology process, outlining the value to your company.

    • Disruptive Technology Executive Presentation Template

    Infographic

    Workshop: Exploit Disruptive Infrastructure Technology

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-work: Establish the Disruptive Tech Process

    The Purpose

    Discuss the general overview of the disruptive technology exploitation process.

    Develop an initial disruptive technology exploitation plan.

    Key Benefits Achieved

    Stakeholders are on board, the project’s goals are outlined, and the working group is selected.

    Activities

    1.1 Get execs and stakeholders on board.

    1.2 Review the process of analyzing disruptive tech.

    1.3 Select members for the working group.

    1.4 Choose a schedule and time commitment.

    1.5 Select a group of visionaries.

    Outputs

    Initialized disruptive tech exploitation plan

    Meeting agenda, schedule, and participants

    2 Hold the Initial Meeting

    The Purpose

    Understand how disruption will affect the organization, and develop an initial list of technologies to explore.

    Key Benefits Achieved

    Knowledge of how to think like a futurist.

    Understanding of organizational processes vulnerable to disruption.

    Outline of potentially disruptive technologies.

    Activities

    2.1 Start the meeting with introductions.

    2.2 Train the group to think like futurists.

    2.3 Brainstorm about disruptive processes.

    2.4 Brainstorm a longlist.

    2.5 Research and brainstorm separate longlists.

    Outputs

    List of disruptive organizational processes

    Initial longlist of disruptive tech

    3 Create a Longlist and Assess Shortlist

    The Purpose

    Evaluate the specific value of longlisted technologies to the organization.

    Key Benefits Achieved

    Defined list of the disruptive technologies worth escalating to the proof of concept stage.

    Activities

    3.1 Converge the longlists developed by the team.

    3.2 Narrow the longlist to a shortlist.

    3.3 Assess readiness and value.

    3.4 Perform a SWOT analysis.

    Outputs

    Finalized longlist of disruptive tech

    Shortlist of disruptive tech

    Value-readiness analysis

    SWOT analysis

    Candidate(s) for proof of concept charter

    4 Create an Action Plan

    The Purpose

    Understand how the technologies in question will impact the organization.

    Key Benefits Achieved

    Understanding of the specific effects of the new technology on the business processes it is intended to disrupt.

    Business case for the proof-of-concept project.

    Activities

    4.1 Build a problem canvas.

    4.2 Identify affected business units.

    4.3 Outline and map the business processes likely to be disrupted.

    4.4 Map disrupted business processes.

    4.5 Recognize how the new technology will impact business processes.

    4.6 Make the case.

    Outputs

    Problem canvas

    Map of business processes: current state

    Map of disrupted business processes

    Business case for each technology

    Further reading

    Analyst Perspective

    The key is in anticipation.

    “We all encounter unexpected changes and our responses are often determined by how we perceive and understand those changes. We react according to the unexpected occurrence. Business organizations are no different.

    When a company faces a major technology disruption in its markets – one that could fundamentally change the business or impact its processes and technology – the way its management perceive and understand the disruption influences how they describe and plan for it. In other words, the way management sets the context of a disruption – the way they frame it – shapes the strategy they adopt. Technology leaders can vastly influence business strategy by adopting a proactive approach to understanding disruptive and innovative technologies by simply adopting a process to review and evaluate technology impacts to the company’s lines of business.”

    This is a picture of Troy Cheeseman

    Troy Cheeseman
    Practice Lead, Infrastructure & Operations Research
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • New technology can hit like a meteor. Not only disruptive to IT, technology provides opportunities for organization-wide advantage.
    • Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the chief marketing officer (CMO) set the technological innovation agenda.

    Common Obstacles

    • Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    • Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring technologies with a formal process.

    Info-Tech’s Approach

    • Identify, resolve, and evaluate. Use an annual process as described in this blueprint: a formal evaluation of new technology that turns analysis into action.
    • Lead the analysis from IT. Establish a team to carry out the annual process as a cure for the causes of “airline magazine syndrome” and to prevent it from happening in the future.
    • Train your team on the patterns of progress, track technology over time in a central database, and read Info-Tech’s analysis of upcoming technology.
    • Create your KPIs. Establish your success indicators to create measurable value when presenting to your executive.
    • Produce a comprehensive proof-of-concept plan that will allow your company to minimize risk and maximize reward when engaging with new technology.

    Info-Tech Insight

    Proactively monitoring, evaluating, and exploiting disruptive tech isn’t optional.
    This will protect your role, IT’s role, and the future of the organization.

    A diverse working group maximizes the insight brought to bear.
    An IT background is not a prerequisite.

    The best technology is only the best when it brings immediate value.
    Good technology might not be ready; ready technology might not be good.

    Review

    We help IT leaders make the most of disruptive impacts.

    This research is designed for:

    Target Audience: CIO, CTO, Head of Infrastructure

    This research will help you:

    • Develop a process for anticipating, analyzing, and exploiting disruptive technology.
    • Communicate the business case for investing in disruptive technology.
    • Categorize emerging technologies to decide what to do with them.
    • Develop a plan for taking action to exploit the technology that will most affect your organization.

    Problem statement:

    As a CIO, there is a need to move beyond day-to-day technology management with an ever-increasing need to forecast technology impacts. Not just from a technical perspective but to map out the technical understandings aligned to potential business impacts and improvements. Technology transformation and innovation is moving more quickly than ever before and as an innovation champion, the CIO or CTO should have foresight in specific technologies with the understanding of how the company could be disrupted in the near future. Foresight + Current Technology + Business Understanding = Understanding the Business Disruption. This should be a repeatable process, not an exception or reactionary response.

    Insight Summary

    Establish the core working group, select a leader, and select a group of visionaries to help brainstorm emerging technologies.

    The right team matters. A core working group will keep focus through the process and a leader will keep everyone accountable. Visionaries are out-of-the-box thinkers and once they understand how to think like a "futurists," they will drive the longlist and shortlist actions.

    Train the group to think like futurists

    To keep up with exponential technology growth you need to take a multi-threaded approach.

    Brainstorm about creating a better future; begin brainstorming an initial longlist

    Establish the longlist. The longlist helps create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.

    Converge everyone’s longlists

    Long to short...that's the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential POC candidates to review and consider.

    Evaluate the shortlist

    There is no such thing as a risk-free endeavor. Use a systematic process to ensure that the risks your organization takes have the potential to produce significant rewards.

    Define your PoC list and schedule

    Don’t be afraid to fail! Inevitably, some proof-of-concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.

    Finalize, present the plan to stakeholders, and repeat!

    Don't forget the C-suite. Effectively communicate and present the working group’s finding with a well-defined and succinct presentation. Start the process again!

    This is a screenshot of the Thought map for Exploit disruptive infrastructure Technology.
    1. Identify
      • Establish the core working group and select a leader; select a group of visionaries
      • Train the group to think like futurists
      • Hold your initial meeting
    2. Resolve
    • Create and winnow a longlist
    • Assess and create the shortlist
  • Evaluate
    • Create process maps
    • Develop proof of concept charter
  • The Key Is in Anticipation!

    Use Info-Tech’s approach for analyzing disruptive technology in your own disruptive tech working group

    Phase 1: Identify Phase 2: Resolve Phase 3: Evaluate

    Phase Steps

    1. Establish the disruptive technology working group
    2. Think like a futurist (Training)
    3. Hold initial meeting or create an agenda for the meeting
    1. Create and winnow a longlist
    2. Assess shortlist
    1. Create process maps
    2. Develop proof of concept charter

    Phase Outcomes

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.
    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist
    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources
    • Executive presentation

    Four key challenges make it essential for you to become a champion for exploiting disruptive technology

    1. New technology can hit like a meteor. It doesn’t only disrupt IT; technology provides opportunities for organization-wide advantage.
    2. Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the CMO rule technological innovation.
    3. Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    4. Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring emerging technologies with a formal process.

    “Look, you have never had this amount of opportunity for innovation. Don’t forget to capitalize on it. If you do not capitalize on it, you will go the way of the dinosaur.”
    – Dave Evans, Co-Founder and CTO, Stringify

    Technology can hit like a meteor

    “ By 2025:

    • 38.6 billion smart devices will be collecting, analyzing, and sharing data.
    • The web hosting services market is to reach $77.8 billion in 2025.
    • 70% of all tech spending is expected to go for cloud solutions.
    • There are 1.35 million tech startups.
    • Global AI market is expected to reach $89.8 billion.”

    – Nick Gabov

    IT Disruption

    Technology disrupts IT by:

    • Affecting the infrastructure and applications that IT needs to use internally.
    • Affecting the technology of end users that IT needs to support and deploy, especially for technologies with a consumer focus.
    • Allowing IT to run more efficiently and to increase the efficiency of other business units.
    • Example: The rise of the smartphone required many organizations to rethink endpoint devices.

    Business Disruption

    Technology disrupts the business by:

    • Affecting the viability of the business.
    • Affecting the business’ standing in relation to competitors that better deal with disruptive technology.
    • Affecting efficiency and business strategy. IT should have a role in technology-related business decisions.
    • Example: BlackBerry failed to anticipate the rise of the apps ecosystem. The company struggled as it was unable to react with competitive products.

    Senior IT leaders are expected to predict disruptions to IT and the business, while tending to today’s needs

    You are expected to be both a firefighter and a forecaster

    • Anticipating upcoming disruptions is part of your job, and you will be blamed if you fail to anticipate future business disruptions because you are focusing on the present.
    • However, keeping IT running smoothly is also part of your job, and you will be blamed if today’s IT environment breaks down because you are focusing on the future.

    You’re caught between the present and the future

    • You don’t have a process that anticipates future disruptions but runs alongside and integrates with operations in the present.
    • You can’t do it alone. Tending to both the present and the future will require a team that can help you keep the process running.

    Info-Tech Insight

    Be prepared when disruptions start coming down, even though it isn’t easy. Use this research to reduce the effort to a simple process that can be performed alongside everyday firefighting.

    Make disruptive tech analysis and exploitation part of your innovation agenda

    A scatter plot graph is depicted, plotting IT Innovative Leadership (X axis), and Satisfaction with IT(Y axis). IT innovative leadership explains 75% of variation in satisfaction with IT

    Organizations without high satisfaction with IT innovation leadership are only 20% likely to be highly satisfied with IT

    “You rarely see a real-world correlation of .86!”
    – Mike Battista, Staff Scientist, Cambridge Brain Sciences, PhD in Measurement

    There is a clear relationship between satisfaction with IT and the IT department’s innovation leadership.

    Prevent “airline magazine syndrome” by proactively analyzing disruptive technologies

    “The last thing the CIO needs is an executive saying ‘I don’t what it is or what it does…but I want two of them!”
    – Tim Lalonde

    Airline magazine syndrome happens to IT leaders caught between the business and IT. It usually occurs in this manner:

    1. While on a flight, a senior executive reads about an emerging technology that has exciting implications for the business in an airline magazine.
    2. The executive returns and approaches IT, demanding that action be taken to address the disruptive technology – and that it should have been (ideally) completed already.

    Without a Disruptive Technology Exploitation Plan:

    “I don’t know”

    With a Disruptive Technology Exploitation Plan:

    “Here in IT, we have already considered that technology and decided it was overhyped. Let me show you our analysis and invite you to join our working group.”

    OR

    “We have already considered that technology and have started testing it. Let me show you our testing lab and invite you to join our working group.”

    Info-Tech Insight

    Airline magazine syndrome is a symptom of a wider problem: poor CEO-CIO alignment. Solve this problem with improved communication and documentation. Info-Tech’s disruptive tech iterative process will make airline magazine syndrome a thing of the past!

    IT leaders who do not keep up with disruptive technology will find their roles diminished

    “Today’s CIO dominion is in a decaying orbit with CIOs in existential threat mode.”
    – Ken Magee

    Protect your role within IT

    • IT is threatened by disruptive technology:
      • Trends like cloud services, increased automation, and consumerization reduce the need for IT to be involved in every aspect of deploying and using technology.
      • In the long term, machines will replace even intellectually demanding IT jobs, such as infrastructure admin and high-level planning.
    • Protect your role in IT by:
      • Anticipating new technology that will disrupt the IT department and your place within it.
      • Defining new IT roles and responsibilities that accurately reflect the reality of technology today.
      • Having a process for the above that does not diminish your ability to keep up with everyday operations that remain a priority today.

    Protect your role against other departments

    • Your role in the business is threatened by disruptive technology:
      • The trends that make IT less involved with technology allow other executives – such as the CMO – to make IT investments.
      • As the CMO gains the power and data necessary to embrace new trends, the CIO and IT managers have less pull.
    • Protect your role in the business by:
      • Being the individual to consult about new technology. It isn’t just a power play; IT leaders should be the ones who know technology thoroughly.
      • Becoming an indispensable part of the entire business’ innovation strategy through proposing and executing a process for exploiting disruptive technology.

    IT leaders who do keep up have an opportunity to solidify their roles as experts and aggregators

    “The IT department plays a critical role in [innovation]. What they can do is identify a technology that potentially might introduce improvements to the organization, whether it be through efficiency, or through additional services to constituents.”
    – Michael Maguire, Management Consultant

    The contemporary CIO is a conductor, ensuring that IT works in harmony with the rest of the business.

    The new CIO is a conductor, not a musician. The CIO is taking on the role of a business engineer, working with other executives to enable business innovation.

    The new CIO is an expert and an aggregator. Conductor CIOs increasingly need to keep up on the latest technologies. They will rely on experts in each area and provide strategic synthesis to decide if, and how, developments are relevant in order to tune their IT infrastructure.

    The pace of technological advances makes progress difficult to predict

    “An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense ‘intuitive linear’ view. So we won’t experience 100 years of progress in the 21st century – it will be more like 20,000 years of progress (at today’s rate).”
    – Ray Kurzweil

    Technology advances exponentially. Rather than improving by the same amount of capability each year, it multiplies in capability each year.

    Think like a futurist to anticipate technology before it goes mainstream.

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Even those who acknowledge exponential growth underestimate how capabilities can improve.

    To predict new advances, turn innovation into a process

    “We spend 70 percent of our time on core search and ads. We spend 20 percent on adjacent businesses, ones related to the core businesses in some interesting way. Examples of that would be Google News, Google Earth, and Google Local. And then 10 percent of our time should be on things that are truly new.”
    – Eric Schmidt, Google

    • Don’t get caught in the trap of refining your core processes to the exclusion of innovation. You should always be looking for new processes to improve, new technology to pilot, and where possible, new businesses to get into.
    • Devote about 10% of your time and resources to exploring new technology: the potential rewards are huge.

    You and your team need to analyze technology every year to predict where it’s going.

    A bar graph is shown which depicts the proportion of technology use from 2018-2022. the included devices are: Tablets; PCs; TVs; Non-smartphones; Smartphones; M2M
    • Foundational technologies, such as computing power, storage, and networks, are improving exponentially.
    • Disruptive technologies are specific manifestations of foundational advancements. Advancements of greater magnitude give rise to more manifestations; therefore, there will be more disruptive technologies every year.
    • There is a lot of noise to cut through. Remember Google Glasses? As technology becomes ubiquitous and consumerization reigns, everybody is a technology expert. How do you decide which technologies to focus on?

    Protect IT and the business from disruption by implementing a simple, repeatable disruptive technology exploitation process

    “One of the most consistent patterns in business is the failure of leading companies to stay at the top of their industries when technologies or markets change […] Managers must beware of ignoring new technologies that can’t initially meet the needs of their mainstream customers.”
    – Joseph L. Bower and Clayton M. Christensen

    Challenge

    Solution

    New technology can hit like a meteor, but it doesn’t have to leave a crater:

    Use the annual process described in this blueprint to create a formal evaluation of new technology that turns analysis into action.

    Predicting the future isn’t easy, but it can be done:

    Lead the analysis from the office of the CIO. Establish a team to carry out the annual process as a cure for airline magazine syndrome.

    Your role is endangered, but you can survive:

    Train your team on the patterns of progress, track technology over time in a central database, and read Info-Tech’s analysis of upcoming technology.

    Communication is difficult when the sky is falling, so have a simple way to get the message across:

    Track metrics that communicate your progress, and summarize the results in a single, easy-to-read exploitation plan.

    Info-Tech Insight

    Use Info-Tech’s tools and templates, along with this storyboard, to walk you through creating and executing an exploitation process in six steps.

    Create measurable value by using Info-Tech’s process for evaluating the disruptive potential of technology

    This image contains a bar graph with the following Title: Which are the primary benefits you've either realized or expect to realize by deploying hyperconverged infrastructure in the near term.

    No business process is perfect.

    • Use Info-Tech’s Proof of Concept Template to create a disruptive technology proof of concept implementation plan.
    • Harness your company’s internal wisdom to systematically vet new technology. Engage only in calculated risk and maximize potential benefit.

    Info-Tech Insight

    Inevitably, some proof of concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.

    Establish your key performance indicators (KPIs)

    Key performance indicators allow for rigorous analysis, which generates insight into utilization by platform and consumption by business activity.

    • Brainstorm metrics that indicate when process improvement is actually taking place.
    • Have members of the group pitch KPIs; the facilitator should record each suggestion on a whiteboard.
    • Make sure to have everyone justify the inclusion of each metric: how does it relate to the improvement that the proof of concept project is intended to drive? How does it relate to the overall goals of the business?
    • Include a list of KPIs, along with a description and a target (ensuring that it aligns with SMART metrics).
    Key Performance Indicator Description Target Result

    Number of Longlist technologies

    Establish a range of Longlist technologies to evaluate 10-15
    Number of Shortlist technologies Establish a range of Shortlist technologies to evaluate 5-10
    number of "look to the past" likes/dislikes Minimum number of testing characteristics 6
    Number of POCs Total number of POCs Approved 3-5

    Communicate your plan with the Disruptive Technology Exploitation Plan Template

    Use the Disruptive Technology Exploitation Plan Template to summarize everything that the group does. Update the report continuously and use it to show others what is happening in the world of disruptive technology.

    Section Title Description
    1 Rationale and Summary of Exploitation Plan A summary of the current efforts that exist for exploring disruptive technology. A summary of the process for exploiting disruptive technology, the resources required, the team members, meeting schedules, and executive approval.
    2 Longlist of Potentially Disruptive Technologies A summary of the longlist of identified disruptive technologies that could affect the organization, shortened to six or less that have the largest potential impact based on Info-Tech’s Disruptive Technology Shortlisting Tool.
    3 Analysis of Shortlist Individually analyze each technology placed on the shortlist using Info-Tech’s Disruptive Technology Value-Readiness and SWOT Analysis Tool.
    4 Proof of Concept Plan Use the results from Section 3 to establish a plan for moving forward with the technologies on the shortlist. Determine the tasks required to implement the technologies and decide who will complete them and when.
    5 Hand-off Pass the project along to identified stakeholders with significant interest in its success. Continue to track metrics and prepare to repeat the disruptive technology exploitation process annually.

    Whether you need a process for exploiting disruptive technology, or an analysis of current trends, Info-Tech can help

    Two sets of research make up Info-Tech’s disruptive technology coverage:

    This image contains four screenshots from each of the following Info-Tech Blueprints: Exploit disruptive Infrastructure Technology; Infrastructure & operations priorities 2022

    This storyboard, and the associated tools and templates, will walk you through creating a disruptive technology working group of your own.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Disruptive Technology Exploitation Plan Template

    The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.

    Proof of Concept Template

    The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.

    Executive Presentation

    The Disruptive Technology Executive Presentation Template will assist you to present an overview of the disruptive technology process, outlining the value to your company.

    Disruptive Technology Value Readiness & SWOT Analysis Tool

    The Disruptive Technology Value Readiness & SWOT Analysis Tool will assist you to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    Disruptive Technology Research Database Tool

    The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.

    Disruptive Technology Shortlisting Tool

    The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.

    Disruptive Technology Look to the Past Tool

    The Disruptive Technology Look to the Past Tool will assist you to collect reasonability test notes when evaluating potential disruptive technologies.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Explore the need for a disruptive technology working group.

    Call #3: Review the agenda for the initial meeting.

    Call #5: Review how you’re brainstorming and your sources of information.

    Call #7: Review the final shortlist and assessment.

    Call #9: Review the progress of your team.

    Call #2: Review the team name, participants, and timeline.

    Call #4: Assess the results of the initial meeting.

    Call #6: Review the final longlist and begin narrowing it down.

    Call #8: Review the next steps.

    Call #10: Review the communication plan.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work Day 1 Day 2 Day 3 Day 4
    Establish the Disruptive Tech Process Hold Your Initial Meeting Create a Longlist and Assess Shortlist Create Process Maps Develop a Proof of Concept Charter

    Activities

    1.1.a Get executives and stakeholders on board.

    1.1.b Review the process of analyzing disruptive tech.

    1.1.c Select members for the working group.

    1.1.d Choose a schedule and time commitment.

    1.1.e Select a group of visionaries.

    1.2.a Start the meeting with introductions.

    1.2.b Train the group to think like futurists.

    1.2.c Brainstorm about disruptable processes.

    1.2.d Brainstorm a longlist.

    1.2.e Research and brainstorm separate longlists.

    2.1.a Converge the longlists developed by the team.

    2.2.b Narrow the longlist to a shortlist.

    2.2.c Assess readiness and value.

    2.2.d Perform a SWOT analysis.

    3.1.a Build a problem canvas.

    3.1.b Identify affected business units.

    3.1.c Outline and map the business processes likely to be disrupted.

    3.1.d Map disrupted business processes.

    3.1.e Recognize how the new technology will impact business processes.

    3.1.f Make the case.

    3.2.a Develop key performance indicators (KPIs).

    3.2.b Identify key success factors.

    3.2.c Outline project scope.

    3.2.d Identify responsible team.

    3.2.e Complete resource estimation.

    Deliverables

    1. Initialized Disruptive Tech Exploitation Plan
    1. List of Disruptable Organizational Processes
    2. Initial Longlist of Disruptive Tech
    1. Finalized Longlist of Disruptive Tech
    2. Shortlist of Disruptive Tech
    3. Value-Readiness Analysis
    4. SWOT Analysis
    5. Candidate(s) for Proof of Concept Charter
    1. Problem Canvas
    2. Map of Business Processes: Current State
    3. Map of Disrupted Business Processes
    4. Business Case for Each Technology
    1. Completed Proof of Concept Charter

    Exploit Disruptive Infrastructure Technology

    Disrupt or be disrupted.

    Identify

    Create your working group.

    PHASE 1

    Use Info-Tech’s approach for analyzing disruptive technology in your own disruptive tech working group

    1. Identify
      1. Establish the core working group and select a leader; select a group of visionaries
      2. Train the group to think like futurists
      3. Hold your initial meeting
    2. Resolve
      1. Create and winnow a longlist
      2. Assess and create the shortlist
    3. Evaluate
      1. Create process maps
      2. Develop proof of concept charter

    The Key Is in Anticipation!

    Phase 1: Identify

    Create your working group.

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    IT Infrastructure Manager

    CIO or CTO

    Potential members and visionaries of the working group

    Outcomes of this step:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Step 1.1

    Establish the core working group and select a leader; select a group of visionaries.

    Activities:

    • Articulate the long- and short-term benefits and costs to the entire organization
    • Gain support by articulating the long- and short-term benefits and costs to the IT department
    • Gain commitment from key stakeholders and executives
    • Help stakeholders understand what goes into formally exploiting disruptive tech by reviewing this process
    • Establish the core working group and select a leader
    • Create a schedule with a time commitment appropriate to your organization’s size; it doesn’t need to take long
    • Select a group of visionaries external to IT to help the working group brainstorm disruptive technologies

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this step

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group that will provide insight and direction.

    1.1.A Articulate the long- and short-term benefits and costs to the entire organization

    A cost/benefit analysis will give stakeholders a picture of how disruptive technology could affect the business. Use the chart as a starting point and customize it based on your organization.

    Disruptive Technology Affects the Organization

    Benefits Costs

    Short Term

    • First-mover advantage from implementing new technology in the business before competitors – and before start-ups.
    • Better brand image as an organization focused on innovation.
    • Increased overall employee satisfaction by implementing new technology that increases employee capabilities or lowers effort.
    • Possibility of increased IT budget for integrating new technology.
    • Potential for employees to reject wide-scale use of unfamiliar technology.
    • Potential for technology to fail in the organization if it is not sufficiently tested.
    • Executive time required for making decisions about technology recommended by the team.

    Long Term

    • Increased internal business efficiencies from the integration of new technology (e.g. energy efficiency, fewer employees needed due to automation).
    • Better services or products for customers, resulting in increased long-term revenue.
    • Lowered costs of services or products and potential to grow market share.
    • Continued relevance of established organizations in a world changed by disruptive technologies.
    • Technology may not reach the capabilities initially expected, requiring waiting for increased value or readiness.
    • Potential for customers to reject new products resulting from technology.
    • Lack of focus on current core capabilities if technology is massively disruptive.

    1.1.B Gain support by articulating the long- and short-term benefits and costs to the IT department

    A cost/benefit analysis will give stakeholders a picture of how disruptive technology could affect the business. Use the chart as a starting point and customize it based on your organization.

    Disruptive Technology Affects IT

    BenefitsCosts

    Short Term

    • Perception of IT as a core component of business practices.
    • Increase IT’s capabilities to better serve employees (e.g. faster network speeds, better uptime, and storage and compute capacity that meet demands).
    • Cost for acquiring or implementing new technology and updating infrastructure to integrate with it.
    • Cost for training IT staff and end users on new IT technology and processes.
    • Minor costs for initial setup of disruptive technology exploitation process and time taken by members.

    Long Term

    • More efficient and powerful IT infrastructure that capitalizes on emerging trends at the right time.
    • Lower help desk load due to self-service and automation technology.
    • Increased satisfaction with IT due to implementation of improved enterprise technology and visible IT influence on improvements.
    • Increased end-user satisfaction with IT due to understanding and support of consumer technology that affects their lives.
    • New technology may result in lower need for specific IT roles. Cultural disruptions due to changing role of IT.
    • Perception of failure if technology is tested and never implemented.
    • Expectation that IT will continue to implement the newest technology available, even when it has been dismissed as not having value.

    1.1.C Gain commitment from key stakeholders and executives

    Gaining approval from executives and key stakeholders is the final obstacle. Ensure that you cover the following items to have the best chance for project approval.

    • Use a sample deck similar to this section for gaining buy-in, ensuring that you add/remove information to make it specific to your organization. Cover this section, including:
      • Who: Who will lead the team and who will be on it (working group)?
      • What: What resources will be required by the team (costs)?
      • Where/When: How often and where will the team meet (meeting schedule)?
      • Why: Why is there a need to exploit disruptive technology (benefits and examples)?
      • How: How is the team going to exploit disruptive technology (the process)?
    • Go through this blueprint prior to presenting the plan to stakeholders so that you have a strong understanding of the details behind each process and tool.
    • Frame the first iteration of the cycle as a pilot program. Use the completed results of the pilot to establish exploiting disruptive technology as a necessary company initiative.

    Insert the resources required by the disruptive tech exploitation team into Section 1.5 of the Disruptive Technology Exploitation Plan Template. Have executives sign-off on the project in Section 1.6.

    Disruption has undermined some of the most successful tech companies

    “The IT department plays a critical role in [innovation]. What they can do is identify a technology that potentially might introduce improvements to the organization, whether it be through efficiency or through additional services to constituents.”
    - Michael Maguire, Management Consultant

    VoIP’s transformative effects

    Disruptive technology:
    Voice over Internet Protocol (VoIP) is a modern means of making phone calls through the internet by sending voice packets using data, as opposed to the traditional circuit transmissions of the PSTN.

    Who won:
    Organizations that realized the cost savings that VoIP provided for businesses with a steady internet connection saved as much as 60% on telephony expenses. Even in the early stages, with a few more limitations, organizations were able to save a significant amount of money and the technology has continued to improve.

    Who lost?
    Telecom-related companies that failed to realize VoIP was a potential threat to their market, and organizations that lacked the ability to explore and implement the disruptive technology early.

    Digital photography — the new norm

    Disruptive technology:
    Digital photography refers to the storing of photographs in a digital format, as opposed to traditional photography, which exposes light to sensitive photographic film.

    Who won:
    Photography companies and new players that exploited the evolution of data storage and applied it to photography succeeded. Those that were able to balance providing traditional photography and exploiting and introducing digital photography, such as Nikon, left competitors behind. Smartphone manufacturers also benefited by integrating digital cameras.

    Who lost?
    Photography companies, such as Kodak, that failed to respond to the digital revolution found themselves outcompeted and insolvent.

    1.1.D Help stakeholders understand what goes into formally exploiting disruptive tech by reviewing this process

    There are five steps to formally exploiting disruptive technology, each with its own individual outputs and tools to take analysis to the next level.

    Step 1.2:
    Hold Initial Meeting

    Output:

    • Initial list of disruptable processes;
    • Initial longlist

    Step 2.1:

    Brainstorm Longlist

    Output:

    • Finalized longlist;
    • Shortlist

    Step 2.2:

    Assess Shortlist

    Output:

    • Final shortlist;
    • SWOT analysis;
    • Tech categorization

    Step 3.1:
    Create Process Maps

    Output:

    • Completed process maps

    Step 3.2:
    Develop a proof of concept charter

    Output:

    • Proof-of-concept template with KPIs

    Info-Tech Insight

    Before going to stakeholders, complete the entire blueprint to better understand the tools and outputs of the process.

    1.1.E Establish the core working group and select a leader

    • Selecting your core membership for the working group is a critical step to the group’s success. Ensure that you satisfy the following criteria:
      • This is a team of subject matter experts. They will be overseeing the learning and piloting of disruptive technologies. Their input will also be valuable for senior executives and for implementing these technologies.
      • Choose members that can take time away from firefighting tasks to dedicate time to meetings.
      • It may be necessary to reach outside of the organization now or in the future for expertise on certain technologies. Use Info-Tech as a source of information.
    Organization Size Working Group Size
    Small 02-Jan
    Medium 05-Mar
    Large 10-May
    • Once the team is established, you must decide who will lead the group. Ensure that you satisfy the following criteria:
      • A leader should be credible, creative, and savvy in both technology and business.
      • The leader should facilitate, acting as both an expert and an aggregator of the information gathered by the team.

    Choose a compelling name

    The working group needs a name. Be sure to select one with a positive connotation within your organization.

    Section 1.3 of the Disruptive Technology Exploitation Plan Template

    1.1.F Create a schedule with a time commitment appropriate to your organization’s size; it doesn’t need to take long

    Time the disruptive technology working group’s meetings to coincide and integrate with your organization’s strategic planning — at least annually.

    Size Meeting Frequency Time per Meeting Example Meeting Activities
    Small Annually One day A one-day meeting to run through phase 2 of the project (SWOT analysis and shortlist analysis).
    Medium Two days A two-day meeting to run through the project. The additional meeting involves phase 3 of this deck, developing a proof-of-concept plan.
    Large Two+ days Two meetings, each two days. Two days to create and winnow the longlist (phase 2), and two further days to develop a proof of concept plan.

    “Regardless of size, it’s incumbent upon every organization to have some familiarity of what’s happening over the next few years, [and to try] to anticipate what some of those trends may be. […] These trends are going to accelerate IT’s importance in terms of driving business strategy.”
    – Vern Brownell, CEO, D-Wave

    Section 1.4 of the Disruptive Technology Exploitation Plan Template

    1.1.G Select a group of visionaries external to IT to help the working group brainstorm disruptive technologies

    Selecting advisors for your group is an ongoing step, and the roster can change.

    Ensure that you satisfy the following criteria:

    • Look beyond IT to select a team representing several business units.
    • Check for self-professed “geeks” and fans of science fiction that may be happy to join.
    • Membership can be a reward for good performance.

    This group does not have to meet as regularly as the core working group. Input from external advisors can occur between meetings. You can also include them on every second or third iteration of the entire process.

    However, the more input you can get into the group, the more innovative it can become.

    “It is … important to develop design fictions based on engagement with directly or indirectly implicated publics and not to be designed by experts alone.”
    – Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster

    Section 1.3 of the Disruptive Technology Exploitation Plan Template

    The following case study illustrates the innovative potential that is created when you include a diverse group of people

    INDUSTRY - Chip Manufacturing
    SOURCE - Clayton Christensen, Intel

    To achieve insight, you need to collaborate with people from outside of your department.

    Challenge

    • Headquartered in California, through the 1990s, Intel was the largest microprocessor chip manufacturer in the world, with revenue of $25 billion in 1997.
    • All was not perfect, however. Intel faced a challenge from Cyrix, a manufacturer of low-end chips. In 18 months, Cyrix’s share of the low-margin entry-level chip manufacturing business mushroomed from 10% to 70%.

    Solution

    • Troubled by the potential for significant disruption of the microprocessor market, Intel brought in external consultants to hold workshops to educate managers about disruptive innovation.
    • Managers would break into groups and discuss ways Intel could facilitate the disruption of its competitors. In one year, Intel hosted 18 workshops, and 2,000 managers went through the process.

    Results

    • Intel launched the Celeron chip to serve the lower end of the PC market and win market share back from Cyrix (which no longer exists as an independent company) and other competitors like AMD.
    • Within one year, Intel had captured 35% of the market.

    “[The models presented in the workshops] gave us a common language and a common way to frame the problem so that we could reach a consensus around a counterintuitive course of action.” – Andy Grove, then-CEO, Intel Corporation

    Phase 1: Identify

    Create your working group.

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this phase:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Step 1.2

    Train the group to think like futurists

    Activities:

    1. Look to the past to predict the future:
      • Step 1: Review the technology opportunities you missed
      • Step 2: Review and record what you liked about the tech
      • Step 3: Review and record your dislikes
      • Step 4: Record and test the reasonability
    2. Crash course on futurology principles
    3. Peek into the future

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Core working group members
    • Visionaries

    Outcomes of this step

    • Team members thinking like futurists
    • Better understanding of how technology advances
    • List of past examples and characteristics

    Info-Tech Insight

    Business buy-in is essential. Manage your business partners by providing a summary of the EDIT methodology and process. Validate the process value, which will allow you create a team of IT and business representatives.

    1.2 Train the group to think like futurists

    1 hour

    Ensure the team understands how technology advances and how they can identify patterns in upcoming technologies.

    1. Lead the group through a brainstorming session.
    2. Follow the next phases and steps.
    3. This session should be led by someone who can facilitate a thought-provoking discussion.
    4. This training deck finishes with a video.

    Input

    • Facilitated creativity
    • Training deck [following slides]

    Output

    • Inspiration
    • Anonymous ideas

    Materials

    • Futurist training “steps”
    • Pen and paper

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    1.2.A Look to the past to predict the future

    30 minutes

    Step 1

    Step 2 Step 3 Step 4

    Review what you missed.

    What did you like?

    What did you dislike?

    Test the reasonability.

    Think about a time you missed a technical disruptive opportunity.

    Start with a list of technologies that changed your business and processes.

    Consider those specifically you could have identified with a repeatable process.

    What were the most impactful points about the technology?

    Define a list of “characteristics” you liked.

    Create a shortlist of items.

    Itemize the impact to process, people, and technology.

    Why did you pass on the tech?

    Define a list of “characteristics” you did not like.

    Create a shortlist of items.

    Itemize the impact to process, people, and technology.

    Avoid the “arm chair quarterback” view.

    Refer to the six positive and negative points.

    Check against your data points at the end of each phase.

    Record the list of missed opportunities

    Record 6 characteristics

    Record 6 characteristics

    Completed “Think like a Futurists” tool

    Use the Disruptive Technology Research Look to the Past Tool to record your output.

    Input

    • Facilitated creativity
    • Speaker’s notes

    Output

    • Inspiration
    • Anonymous ideas
    • Recorded missed opportunities
    • Recorded positive points
    • Recorded dislikes
    • Reasonability test list

    Materials

    • Futurist training “steps”
    • Pen and paper
    • “Look to the Past” tool

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    Understand how the difference between linear and exponential growth will completely transform many organizations in the next decade

    “The last ten years have seen exponential growth in research on disruptive technologies and their impact on industries, supply chains, resources, training, education and employment markets … The debate is still open on who will be the winners and losers of future industries, but what is certain is that change has picked up pace and we are now in a new technology revolution whose impact is potentially greater than the industrial revolution.”
    – Gary L. Evans

    Exponential advancement will ensure that life in the next decade will be very different from life today.

    • Linear growth happens one step at a time.
    • The difference between linear and exponential is hard to notice, at first.
    • We are now at the knee of the curve.

    What about email?

    • Consider the amount of email you get daily
    • Double it
    • Triple it

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Technology grows exponentially, and we are approaching the knee of the curve.

    This graph is adapted from research by Ray Kurzweil.

    Growth: Linear vs. Exponential

    This image contains a graph demonstrating examples of exponential and linear trends.

    1.2.B Crash course on futurology principles

    1 hour

    “An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense ‘intuitive linear’ view. So we won’t experience 100 years of progress in the 21st century — it will be more like 20,000 years of progress (at today’s rate).”
    - Ray Kurzweil

    Review the differences between exponential and linear growth

    The pace of technological advances makes progress difficult to predict.

    Technology advances exponentially. Rather than improving by the same amount of capability each year, it multiplies in capability each year.

    Think like a futurist to anticipate technology before it goes mainstream.

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Even those who acknowledge exponential growth underestimate how capabilities can improve.

    The following case study illustrates the rise of social media providers

    “There are 7.7 billion people in the world, with at least 3.5 billion of us online. This means social media platforms are used by one in three people in the world and more than two-thirds of all internet users.”
    – Esteban Ortiz-Ospina

    This graph depicts the trend of the number of people using social media platforms between 2005 and 2019

    The following case study illustrates the rapid growth of Machine to Machine (M2M) connections

    A bar graph is shown which depicts the proportion of technology use from 2018-2022. the included devices are: Tablets; PCs; TVs; Non-smartphones; Smartphones; M2M

    Ray Kurzweil’s Law of Accelerating Returns

    “Ray Kurzweil has been described as ‘the restless genius’ by The Wall Street Journal, and ‘the ultimate thinking machine’ by Forbes. He was ranked #8 among entrepreneurs in the United States by Inc Magazine, calling him the ‘rightful heir to Thomas Edison,’ and PBS included Ray as one of 16 ‘revolutionaries who made America,’ along with other inventors of the past two centuries.”
    Source: KurzweilAI.net

    Growth is linear?

    “Information technology is growing exponentially. That’s really my main thesis, and our intuition about the future is not exponential, it’s really linear. People think things will go at the current pace …1, 2, 3, 4, 5, and 30 steps later, you’re at 30.”

    Better IT strategy enables future business innovation

    “The reality of information technology like computers, like biological technologies now, is it goes exponentially … 2, 4, 8, 16. At step 30, you’re at a billion, and this is not an idle speculation about the future.” [emphasis added]

    “When I was a student at MIT, we all shared a computer that cost tens of millions of dollars. This computer [pulling his smartphone out of his pocket] is a million times cheaper, a thousand times more powerful — that’s a billion-fold increase in MIPS per dollar, bits per dollar… and we’ll do it again in 25 years.”
    Source: “IT growth and global change: A conversation with Ray Kurzweil,” McKinsey & Company

    1.2.C Peak into the future

    1 hour

    Leverage industry roundtables and trend reports to understand the art of the possible

    • Uncover important business and industry trends that can inform possibilities for technology disruption.
    • Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to get started.

    Phase 1: Identify

    Create your working group

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this phase:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Info-Tech Insight

    Establish the longlist. The longlist help create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.

    Step 1.3

    Hold the initial meeting

    Activities:

    1. Create an agenda for the meeting
    2. Start the kick-off meeting with introductions and a recap
    3. Brainstorm about creating a better future
    4. Begin brainstorming an initial longlist
    5. Have team members develop separate longlists for their next meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Core working group members
    • Visionaries

    Outcomes of this step

    • Introduce the core working group members
    • Gain a better understanding of how technology advances
    • Brainstorm a list of organizational processes
    • Brainstorm an initial longlist

    1.3.A Create an agenda for the meeting

    1 hour

    Kick-off this cycle of the disruptive technology process by welcoming your visionaries and introducing your core working group.

    The purpose of the initial meeting is to brainstorm where new technology will be the most disruptive within the organization. You’ll develop two longlists: one of business processes and one of disruptive technology. These longlists are in addition to the independent research your core working group will perform before Phase 2.

    • Find an outgoing facilitator. Sitting back will let you focus more on ideating, and an engaging presenter will help bring out ideas from your visionaries.
    • The training deck (see step 1.2c) includes presenting a video. We’ve included some of our top choices for you to choose from.
      • Feel free to find your own video or bring in a keynote speaker.
      • The object of the video is to get the group thinking about the future.
      • Customize the training deck as needed.
    • If a cycle has been completed, present your findings and all of the group’s completed deliverables in the first section.
    • This session is the only time you have with your visionaries. Get their ideas on what technologies will be disruptive to start forming a longlist.

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    Meeting Agenda (Sample)

    Time

    Activity

    8:00am-8:30am Introductions and previous meeting recap
    8:30am-9:30am Training deck
    9:30 AM-10:00am Brainstorming
    10:00am-10:15am Break
    10:15am-10:45am Develop good research techniques
    10:45am-12:00pm Begin compiling your longlist

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    1.3.B Start the kick-off meeting with introductions and a summary of what work has been done so far

    30 minutes

    1. Start the meeting off with an icebreaker activity. This isn’t an ordinary business meeting – or even group – so we recommend starting off with an activity that will emphasize this unique nature. To get the group in the right mindset, try this activity:
      1. Go around the group and have people present:
      2. Their names and roles
      3. Pose some or all of the following questions/prompts to the group:
        • “Tell me about something you have created.”
        • “Tell me about a time you created a process or program considered risky.”
        • “Tell me about a situation in which you had to come up with several new ideas in a hurry. Were they accepted? Were they successful?”
        • “Tell me about a time you took a risk.”
        • “Tell me about one of your greatest failures and what you learned from it.”
    2. Once everyone has been introduced, present any work that has already been completed.
      1. If you have already completed a cycle, give a summary of each technology that you investigated and the results from any piloting.
      2. If this is the first cycle for the working group, present the information decided in Step 1.1.

    Input

    • Disruptive technology exploitation plan

    Output

    • Networking
    • Brainstorming

    Materials

    • Meeting agenda

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    1.3.C Brainstorm about creating a better future for the company, the stakeholders, and the employees

    30 minutes

    Three sticky notes are depicted, at the top of each note are the following titles: What can we do better; How can we make a better future; How can we continue being successful

    1. Have everyone put up at least two ideas for each chart paper.
    2. Go around the room and discuss their ideas. You may generate some new ideas here.

    These generated ideas are organizational processes that can be improved or disrupted with emerging technologies. This list will be referenced throughout Phases 2 and 3.

    Input

    • Inspiration
    • Anonymous ideas

    Output

    • List of processes

    Materials

    • Chart paper and markers
    • Pen and paper

    Participants

    • Core working group
    • Visionaries

    1.3.D Begin brainstorming a longlist of future technology, and discuss how these technologies will impact the business

    30 minutes

    • Use the Disruptive Technology Research Database Tool to organize technologies and ideas. Longstanding working groups can track technologies here over the course of several years, updating the tool between meetings.
    • Guide the discussion with the following questions, and make sure to focus on the processes generated from Step 1.2.d.

    Focus on

    The Technology

    • What is the technology and what does it do?
    • What processes can it support?

    Experts and Other Organizations

    • What are the vendors saying about the technology?
    • Are similar organizations implementing the technology?

    Your Organization

    • Is the technology ready for wide-scale distribution?
    • Can the technology be tested and implemented now?

    The Technology’s Value

    • Is there any indication of the cost of the technology?
    • How much value will the technology bring?

    Download the Disruptive Technology Database Tool

    Input

    • Inspiration
    • List of processes

    Output

    • Initial longlist

    Materials

    • Chart paper and markers
    • Pen and paper
    • Disruptive Technology Research Database Tool

    Participants

    • Core working group
    • Visionaries

    1.3.E Explore these sources to generate your disruptive technology longlist for the next meeting

    30 Minutes

    There are many sources of information on new and emerging technology. Explore as many sources as you can.

    Science fiction is a valid source of learning. It drives and is influenced by disruptive technology.

    “…the inventor of the first liquid-fuelled rocket … was inspired by H.G. Wells’ science fiction novel War of the Worlds (1898). More recent examples include the 3D gesture-based user interface used by Tom Cruise’s character in Minority Report (2002), which is found today in most touch screens and the motion sensing capability of Microsoft’s Kinect. Similarly, the tablet computer actually first appeared in Stanley Kubrick’s 2001: A Space Odyssey (1968) and the communicator – which we’ve come to refer today as the mobile phone – was first used by Captain Kirk in Star Trek (1966).”
    – Emmanuel Tsekleves, senior lecturer, University of Lancaster

    Right sources: blogs, tech news sites, tech magazines, the tech section of business sites, popular science books about technology, conferences, trade publications, and vendor announcements

    Quantity over quality: early research is not the time to dismiss ideas.

    Discuss with your peers: spark new and innovative ideas

    Insert a brief summary of how independent research is conducted in Section 2.1 of the Disruptive Technology Exploitation Plan Template.

    1.3.E (Cont.) Explore these sources to generate your disruptive technology longlist for the next meeting

    30 Minutes

    There are many sources of information on new and emerging technology. Use this list to kick-start your search.

    Connect with practitioners that are worth their weight in Reddit gold. Check out topic-based LinkedIn groups and subreddits such as r/sysadmin and r/tech. People experienced with technology frequent these groups.

    YouTube is for more than cat videos. Many vendors use YouTube for distributing their previous webinars. There are also videos showcasing various technologies that are uploaded by lecturers, geeks, researchers, and other technology enthusiasts.

    Test your reasonability. Check your “Think Like a Futurist” Tool

    Resolve

    Evaluate Disruptive Technologies

    PHASE 2

    Phase 2: Resolve

    Evaluate disrupted technologies

    Activities:

    Step 2.1: Create and Winnow a Longlist
    Step 2.2: Assess Shortlist

    Info-Tech Insight

    Long to short … that’s the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential PoC candidates to review and consider.

    This step involves the following participants:

    • Core working group
    • Infrastructure Management

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    Step 2.1

    Create and winnow a longlist

    Activities:

    1. Converge everyone’s longlists
    2. Narrow technologies from the longlist down to a shortlist using Info-Tech’s Disruptive Technology Shortlisting Tool
    3. Use the shortlisting tool to help participants visualize the potential
    4. Input the technologies on your longlist into the Disruptive Technology Shortlisting Tool to produce a shortlist

    This step involves the following participants:

    • Core working group members

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    2.1 Organize a meeting with the core working group to combine your longlists and create a shortlist

    1 hour

    Plan enough time to talk about each technology on the list. Each technology was included for a reason.

    • Start with the longlist. Review the longlist compiled at the initial meeting, and then have everyone present the lists that they independently researched.
    • Focus on the company’s context. Make sure that the working group analyzes these disruptive technologies in the context of the organization.
    • Start to compile the shortlist. Begin narrowing down the longlist by excluding technologies that are not relevant.

    Meeting Agenda (Sample)

    TimeActivity
    8:00am-9:30amConverge longlists
    9:30am-10:00amBreak
    10:00am-10:45amDiscuss tech in organizational context
    10:45am-11:15amBegin compiling the shortlist

    Disruptive Technology Exploitation Plan Template

    2.1.A Converge the longlists developed by your team

    90 minutes

    • Start with the longlist developed at the initial meeting. Write this list on the whiteboard.
    • If applicable, have a member present the longlist that was created in the last cycle. Remove technologies that:
      • Are no longer disruptive (e.g. have been implemented or rejected).
      • Have become foundational.
    • Eliminate redundancy: remove items that are very similar.
    • Have members “pitch” items on their lists:
      • Explain why their technologies will be disruptive (2-5 minutes maximum)
      • Add new technologies to the whiteboard
    • Record the following for metrics:
      • Each presented technology
      • Reasons the technology could be disruptive
      • Source of the information
    • Use Info-Tech’s Disruptive Technology Research Database Tool as a starting point.

    Insert the final longlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.

    Input

    • Longlist developed at first meeting
    • Independent research
    • Previous longlist

    Output

    • Finalized longlist

    Materials

    • Disruptive Technology Research Database Tool
    • Whiteboard and markers
    • Virtual whiteboard

    Participants

    • Core working group

    Review the list of processes that were brainstormed by the visionary group, and ask for input from others

    • IT innovation is most highly valued by the C-suite when it improves business processes, reduces costs, and improves core products and services.
    • By incorporating this insight into your working group’s analysis, you help to attract the attention of senior management and reinforce the group’s necessity.
    • Any input you can get from outside of IT will help your group understand how technology can be disruptive.
      • Visionaries consulted in Phase 1 are a great source for this insight.
    • The list of processes that they helped to brainstorm in Step 1.2 reflects processes that can be impacted by technology.
    • Info-Tech’s research has shown time and again that both CEOs and CIOs want IT to innovate around:
      • Improving business processes
      • Improving core products and services
      • Reducing costs

    Improved business processes

    80%

    Core product and service improvement

    48%

    Reduced costs

    48%

    Increased revenues

    23%

    Penetration into new markets

    21%

    N=364 CXOs & CIOs from the CEO-CIO Alignment Diagnostic Questions were asked on a 7-point scale of 1 = Not at all to 7 = Very strongly. Results are displayed as percentage of respondents selecting 6 or 7.

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    2.1.B Narrow technologies from the longlist down to a shortlist using Info-Tech’s Disruptive Technology Shortlisting Tool

    90 minutes

    To decide which technology has potential for your organization, have the working group or workshop participants evaluate each technology:

    1. Record each potentially disruptive technology in the longlist on a whiteboard.
    2. Making sure to carefully consider the meaning of the terms, have each member of the group evaluate each technology as “high” or “low” along each of the axes, innovation and transformation, on a piece of paper.
    3. The facilitator collects each piece of paper and inputs the results by technology into the Disruptive Technology Shortlisting Tool.
    Technology Innovation Transformation
    Conversational Commerce High High

    Insert the final shortlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.

    Input

    • Longlist
    • Futurist brainstorming

    Output

    • Shortlist

    Materials

    • Disruptive Technology Research Database Tool
    • Whiteboard and markers
    • Virtual whiteboard

    Participants

    • Core working group

    Disruptive technologies are innovative and transformational

    Innovation

    Transformation

    • Elements:
      • Creative solution to a problem that is relatively new on the scene.
      • It is different, counterintuitive, or insightful or has any combination of these qualities.
    • Questions to Ask:
      • How new is the technology?
      • How different is the technology?
      • Have you seen anything like it before? Is it counterintuitive?
      • Does it offer an insightful solution to a persistent problem?
    • Example:
      • The sharing economy: Today, simple platforms allow people to share rides and lodgings cheaply and have disrupted traditional services.
    • Elements:
      • Positive change to the business process.
      • Highly impactful: impacts a wide variety of roles in a company in a nontrivial way or impacts a smaller number of roles more significantly.
    • Questions to Ask:
      • Will this technology have a big impact on business operations?
      • Will it add substantial value? Will it change the structure of the company?
      • Will it impact a significant number of employees in the organization?
    • Example:
      • Flash memory improved storage technology incrementally by building on an existing foundation.

    Info-Tech Insight

    Technology can be transformational but not innovative. Not every new technology is disruptive. Even where technology has improved the efficiency of the business, if it does this in an incremental way, it might not be worth exploring using this storyboard.

    2.1.C Use the shortlisting tool to help participants visualize the potential

    1 hour

    Use the Disruptive Technology Shortlisting Tool, tabs 2 and 3.

    Assign quadrants

    • Input group members’ names and the entire longlist (up to 30 technologies) into tab 2 of the Disruptive Technology Shortlisting Tool.
    • On tab 3 of the Disruptive Technology Shortlisting Tool, input the quadrant number that corresponds to the innovation and transformation scores each participant has assigned to each technology.

    Note

    This is an assessment meant to serve as a guide. Use discretion when moving forward with a proof-of-concept project for any potentially disruptive technology.

    Participant Evaluation Quadrant
    High Innovation, High Transformation 1
    High Innovation, Low Transformation 2
    Low Innovation, Low Transformation 3
    Low Innovation, High Transformation 4

    four quadrants are depicted, labeled 1-4. The quadrants are coloured as follows: 1- green; 2- yellow; 3; red; 4; yellow

    2.1.D Use the Disruptive Technology Shortlisting Tool to produce a shortlist

    1 hour

    Use the Disruptive Technology Shortlisting Tool, tabs 3 and 4.

    Use the populated matrix and the discussion list to arrive at a shortlist of four to six potentially disruptive technologies.

    • The tool populates each quadrant based on how many votes it received in the voting exercise.
    • Technologies selected for a particular quadrant by a majority of participants are placed in the quadrant on the graph. Where there was no consensus, the technology is placed in the discussion list.
    • Technologies in the upper right quadrant – high transformation and high innovation – are more likely to be good candidates for a proof-of-concept project. Those in the bottom left are likely to be poor candidates, while those in the remaining quadrants are strong on one of the axes and are unlikely candidates for further systematic evaluation.

    This image contains a screenshot from tab 3 of the Disruptive Technology Shortlisting Tool.

    Input the results of the vote into tab 3 of the Disruptive Technology Shortlisting Tool.

    This image contains a screenshot from tab 4 of the Disruptive Technology Shortlisting Tool.

    View the results on tab 4.

    Phase 2: Resolve

    Evaluate disrupted technologies

    Activities:

    Step 2.1: Create and Winnow a Longlist
    Step 2.2:- Assess Shortlist

    This step involves the following participants:

    • Core working group
    • Infrastructure Management

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    Assess Shortlist

    Activities:

    1. Assess the value of each technology to your organization by breaking it down into quality and cost
    2. Investigate the overall readiness of the technologies on the shortlist
    3. Interpret each technology’s value score
    4. Conduct a SWOT analysis for each technology on the shortlist
    5. Use Info-Tech’s disruptive technology shortlist analysis to visualize the tool’s outputs
    6. Select the shortlisted technologies you would like to move forward with

    This step involves the following participants:

    • Core working group members
    • IT Management

    Outcomes of this step:

    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    2.2 Evaluate technologies based on their value and readiness, and conduct a SWOT analysis for each one

    Use the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    • A technology monitor diagram prioritizes investment in technology by analyzing its readiness and value.
      • Readiness: how close the technology is to being practical and implementable in your industry and organization.
      • Value: how worthwhile the technology is, in terms of its quality and its cost.
    • Value and readiness questionnaires are included in the tool to help determine current and future values for each, and the next four slides explain the ratings further.
    • Categorize technology by its value-readiness score, and evaluate how much potential value each technology has and how soon your company can realize that value.
    • Use a SWOT analysis to qualitatively evaluate the potential that each technology has for your organization in each of the four categories (strengths, weaknesses, opportunities, and threats).

    The technology monitor diagram appears in tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image depicts tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    2.2.A Assess the value of each technology to your organization by breaking it down into quality and cost

    1 hour

    Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.

    Populate the chart to produce a score for each technology’s overall value to the company conceptualized as the interaction of quality and cost.

    Overall Value

    Quality Cost

    Each technology, if it has a product associated with it, can be evaluated along eight dimensions of quality. Consider how well the product performs, its features, its reliability, its conformance, its durability, its serviceability, its aesthetics, and its perceived quality.

    IT budgets are broken down into capital and operating expenditures. A technology that requires a significant investment along either of these lines is unlikely to produce a positive return. Also consider how much time it will take to implement and operate each technology.

    The value assessment is part of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains a screenshot from tab 4 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Info-Tech Insight

    Watch your costs: Technology that seems cheap at first can actually be expensive over time. Be sure to account for operational and opportunity costs as well.

    2.2.B Investigate the overall readiness of the technologies on the shortlist

    1 hour

    Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.

    Overall Readiness

    Age

    How much time has the technology had to mature? Older technology is more likely to be ready for adoption.

    Venture Capital

    The amount of venture capital gathered by important firms in the space is an indicator of market faith.

    Market Size

    How big is the market for the technology? It is more difficult to break into a giant market than a niche market.

    Market Players

    Have any established vendors (Microsoft, Facebook, Google, etc.) thrown their weight behind the technology?

    Fragmentation

    A large number of small companies in the space indicates that the market has yet to reach equilibrium.

    The readiness assessment is part of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains a screenshot of the Readiness Scoring tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Use a variety of sources to populate the chart

    Google is your friend: search each shortlisted technology to find details about its development and important vendors.

    Websites like Crunchbase, VentureBeat, and Mashable are useful sources for information on the companies involved in a space and the amount of money they have each raised.

    2.2.C Interpret each technology’s value score

    1 hour

    Insert the result of the SWOT analysis into tab 7 of Info-Tech’s Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Visualize the results of the quality-cost analysis

    • Quality and cost are independently significant; it is essential to understand how each technology stacks up on the axes.
    • Use tab 6 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool for an illustration of how quality and cost interact to produce each technology’s final position on the tech monitor graph.
    • Remember: the score is notional and reflects the values that you have assigned. Be sure to treat it accordingly.

    This image contains a screenshot of the Value Analysis tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Green represents a technology that scores extremely high on one axis or the other, or quite high on both. These technologies are the best candidates for proof-of-concept projects from a value perspective.

    Red represents a technology that has scored very low on both axes. These technologies will be expensive, time consuming, and of poor quality.

    Yellow represents the fuzzy middle ground. These technologies score moderately on both axes. Be especially careful when considering the SWOT analysis of these technologies.

    2.2.D Conduct a SWOT analysis for each technology on the shortlist

    1 hour

    Use tab 6 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    A formal process for analyzing disruptive technology is the only way to ensure that it is taken seriously.

    Write each technology as a heading on a whiteboard. Spend 10-15 minutes on each technology conducting a SWOT analysis together.

    Consider four categories for each technology:

    • Strengths: Current uses of the technology or supporting technology and ways in which it helps your organization.
    • Weaknesses: Current limitations of the technology and challenges or barriers to adopting it in your organization.
    • Opportunities: Potential uses of the technology, especially as it advances or improves.
    • Threats: Potential negative disruptions resulting from the technology, especially as it advances or improves.

    The list of processes generated at the cycle’s initial meeting is a great source for opportunities and threats.

    Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains screenshots of the technology tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    2.2.E Use Info-Tech’s disruptive technology shortlist analysis to visualize the tool’s outputs

    1 hour

    Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 9

    The tool’s final tab displays the results of the value-readiness analysis and the SWOT analysis in a single location.

    This image contains a screenshot from tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Insert the shortlist analysis report into Section 3 of your Disruptive Technology Exploitation Plan Template.

    2.2.F Select the shortlisted technologies you would like to move forward with

    1 hour

    Present your findings to the working group.

    • The Disruptive Technology Value-Readiness and SWOT Analysis Tool aggregates your inputs in an easy-to-read, consistent way.
    • Present the tool’s outputs to members of the core working group.
    • Explain the scoring and present the graphic to the group. Go over each technology’s strengths and weaknesses as well as the opportunities and threats it presents/poses to the organization.
    • Go through the proof-of-concept planning phase before striking any technologies from the list.

    This image contains a screenshot of the disruptive technology shortlist analysis from the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Info-Tech Insight

    A technology’s exceptional value and immediate usability make it the best. A technology can be promising and compelling, but it is unsuitable unless it can bring immediate and exceptional value to your organization. Don’t get caught up in the hype.

    Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    PHASE 3

    Phase 3: Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    Activities:

    Step 3.1: Create Process Maps
    Step 3.2: Develop Proof of Concept Charter

    This step involves the following participants:

    • Core working group
    • Infrastructure Management
    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    Step 3.1

    Create Process Maps

    Activities:

    1. Creating a problem canvas by identifying stakeholders, jobs, pains, and gains
    2. Clarify the problem the proof-of-concept project will solve
    3. Identify jobs and stakeholders
    4. Outline how disruptive technology will solve the problem
    5. Map business processes
    6. Identify affected business units
    7. Outline and map the business processes likely to be disrupted
    8. Recognize how the new technology will impact business processes
    9. Make the case: Outline why the new business process is superior to the old

    This step involves the following participants:

    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption

    3.1 Create an action plan to exploit disruptive technologies

    Clarify the problem in order to make the case. Fill in section 1.1 of Info-Tech’s Proof of Concept Template to clearly outline the problem each proof of concept is designed to solve.

    Establish roles and responsibilities. Use section 1.2 of the template to outline the roles and responsibilities that fall to each member of the team. Ensure that clear lines of authority are delineated and that the list of stakeholders is exhaustive: include the executives whose input will be required for project approval, all the way to the technicians on the frontline responsible for implementing it.

    Outline the solution to the problem. Demonstrate how each proof-of-concept project provides a solution to the problem outlined in section 1.1. Be sure to clarify what makes the particular technology under investigation a potential solution and record the results in section 1.3.

    This image contains a screenshot of the Proof of concept project template

    Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.

    3.1.A Creating a problem canvas by identifying stakeholders, jobs, pains, and gains

    2 hours

    Instructions:

    1. On a whiteboard, draw the visual canvas supplied below.
    2. Select your issue area, and list jobs, pains, and gains in the associated sections.
    3. Record the pains, jobs, and gains in sections 1.1-1.3 of the Proof of Concept Template.

    Gains

    1. More revenue

    2. Job security

    3. ……

    Jobs

    1. Moving product

    2. Per sale value

    3. ……

    Pains

    1. Clunky website

    2. Bad site navigation

    3. ……

    Input

    • Inspiration
    • Anonymous ideas

    Output

    • List of processes

    Materials

    • Chart paper and markers
    • Pen and paper

    Participants

    • Core working group
    • Visionaries

    3.1.B Clarify the problem the proof-of-concept project will solve

    2 hours

    What is the problem?

    • Every technology is designed to solve a problem faced by somebody somewhere. For each technology that your team has decided to move forward with, identify and clearly state the problem it would solve.
    • A clear problem statement is a crucial part of a new technology’s business case. It is impossible to earn buy-in from the rest of the organization without demonstrating the necessity of a solution.
    • Perfection is impossible to achieve: during the course of their work, everyone encounters pain points. Identify those pain points to arrive at the problem that needs to be solved.

    Example:

    List of pains addressed by conversational commerce:

    • Search functions can be clunky and unresponsive.
    • Corporate websites can be difficult to navigate.
    • Customers are uncomfortable in unfamiliar internet environments.
    • Customers do not like waiting in a long queue to engage with customer service representatives when they have concerns.

    “If I were given one hour to solve a problem, I would spend 59 minutes defining the problem and one minute resolving it.”
    – Albert Einstein

    Input the results of this exercise into Section 1.1 of the Proof of Concept Template.

    3.1.C Identify jobs and stakeholders

    1 hour

    Jobs

    Job: Anything that the “customer” (the target of the solution) needs to get done but that is complicated by a pain.

    Examples:
    The job of the conversational commerce interface is to make selling products easier for the company.
    From the customer perspective, the job of the conversational interface is to make the act of purchasing a product simpler and easier.

    Stakeholders

    Stakeholder: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it.

    Examples:
    The executive is responsible for changing the company’s direction and approving investment in a new sales platform.
    The IT team is responsible for implementing the new technology.
    Marketing will be responsible for selling the change to customers.
    Customers, the end users, will be the ones using the conversational commerce user interface.

    Input the results of this exercise into Section 1.2 of the Proof of Concept Template.

    Info-Tech Insight

    Process deconstruction reveals strengths and weaknesses. Promising technology should improve stakeholders’ abilities to do jobs.

    3.1.D Outline how disruptive technology will solve the problem

    1 hour

    How will the technology in question make jobs easier?

    • How will the disruptive technology you have elected to move forward with create gains for the organization?
    • First, identify the gains that are supposed to come with the project. Consider the benefits that the various stakeholders expect to derive from the jobs identified.
    • Second, make note of how the technology in question facilitates the gains you have noted. Be sure to articulate the exclusive features of the new technology that make it an improvement over the current state.

    Note: The goal of this exercise is to make the case for a particular technology. Sell it!

    Expected Gain: Increase in sales.

    Conversational Commerce’s Contribution: Customers are more likely to purchase products using interfaces they are comfortable with.

    Expected Gain: Decrease in costs.

    Conversational Commerce’s Contribution: Customers who are satisfied with the conversational interface are less likely to interact with live agents, saving labor costs.

    Input the results of this exercise into Section 1.3 of the Proof of Concept Template.

    3.1.E Map business processes

    1 hour

    Map the specific business processes the new technology will impact.

    • Disruptive technologies will impact a wide variety of business processes.
    • Map business processes to visualize what parts of your organization (departments, silos, divisions) will be impacted by the new technology, should it be adopted after the proof of concept.
    • Identify how the disruption will take place.
    • Demonstrate the value of each technology by including the results of the Disruptive Technology Value-Readiness and SWOT Analysis Tool with your process map.

    This image contains a screenshot of the Proof of concept project template

    Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.

    3.1.F Identify affected business units

    30 minutes per technology

    Disruptive technology will impact business units.

    • Using the stakeholders identified earlier in the project, map each technology to the business units that will be affected.
    • Make your list exhaustive. While some technologies will have a limited impact on the business as a whole, others will have ripple effects throughout the organization.
    • Examine affected units at all scales: How will the technology impact operations at the team level? The department level? The division level?

    “The disruption is not just in the technology. Sometimes a good business model can be the disruptor.”
    – Jason Hong, Associate Professor, Carnegie Mellon

    Example:

    • Customer service teams: Conversational commerce will replace some of the duties of the customer service representative. They will have to reorganize to account for this development.
    • IT department: The IT department will be responsible for building/maintaining the conversational interface (or, more likely, they will be responsible for managing the contract with the vendor).
    • Sales analytics: New data from customers in natural language might provide a unique opportunity for the analytics team to develop new initiatives to drive sales growth.

    Input the results of this exercise into Section 2.1 of the Proof of Concept Template.

    3.1.G Outline and map the business processes likely to be disrupted

    15 minutes per technology

    Leverage the insights of the diverse working group.

    • Processes are designed to transform inputs into outputs. All business activities can be mapped into processes.
    • A process map illustrates the sequence of actions and decisions that transform an input into an output.
    • Effective mapping gives managers an “aerial” view of the company’s processes, making it easier to identify inefficiencies, reduce waste, and ultimately, streamline operations.
    • To identify business processes, have group members familiar with the affected business units identify how jobs are typically accomplished within those units.

    “To truly understand a business process, we need information from both the top-down and bottom-up points of view. Informants higher in the organizational hierarchy with a strategic focus are less likely to know process details or problems. But they might advocate and clearly articulate an end-to-end, customer-oriented philosophy that describes the process in an idealized form. Conversely, the salespeople, customer service representatives, order processors, shipping clerks, and others who actually carry out the processes will be experts about the processes, their associated documents, and problems or exception cases they encounter.”
    – Robert J. Glushko, Professor at UC Berkeley and Tim McGrath, Business Consultant

    Info-Tech Insight

    Opinions gathered from a group that reflect the process in question are far more likely to align with your organization’s reality. If you have any questions about a particular process, do not be afraid to go outside of the working group to ask someone who might know.

    3.1.G Outline and map the business processes likely to be disrupted (continued)

    15 minutes per technology

    Create a simple diagram of identified processes.

    • Use different shapes to identify different points in the process.
    • Rectangles represent actions, diamonds represent decisions.
    • On a whiteboard, map out the actions and decisions that take place to transform an input into an output.
    • Input the result into section 2.2 of the Proof of Concept Template.

    This image contains a screenshot of the Software Service Cross-Function Process tab from Edraw Visualization Solutions.

    Source: Edraw Visualization Solutions

    Example: simplified process map

    1. User: visits company website
    2. User: engages search function or browses links
    3. User: selects and purchases product from a menu
    4. Company: ships product to customer

    3.1.H Recognize how the new technology will impact business processes

    15 minutes per technology

    Using the information gleaned from the previous activities, develop a new process map that takes the new technology into account.

    Identify the new actions or decisions that the new technology will affect.

    User: visits company website; User: engages conversational; commerce platform; User: engages search function or browses links; User: makes a natural language query; User: selects and purchases product from a menu</p data-verified=

    User: selects and purchases product from a menu; Company: ships product to customer; Company: ships product to customer">

    Info-Tech Insight

    It’s ok to fail! The only way to know you’re getting close to the “knee of curve" is from multiple failed PoC tests. The more PoC options you have, the more likely it will be that you will have two to three successful results.

    3.1.I Make the case: Outline why the new business process is superior to the old

    15 minutes per technology

    Articulate the main benefits of the new process.

    • Using the revised process map, make the case for each new action.
    • Questions to consider: How does the new technology relieve end-user/customer pains? How does the new technology contribute to the streamlining of the business process? Who will benefit from the new action? What are the implications of those benefits?
    • Record the results of this exercise in section 2.4 of the Proof of Concept Template.

    This image contains an example of an outline comparing the benefits of new and the old business processes.

    Info-Tech Insight

    If you cannot articulate how a new technology will benefit a business process, reconsider moving forward with the proof-of-concept project.

    Phase 3: Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    Activities:

    Step 3.1: Create Process Maps
    Step 3.2: Develop Proof of Concept Charter

    Develop Proof of Concept Charter

    This step involves the following participants:

    • Core working group
    • Infrastructure Management
    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    Step 3.2

    Develop Proof of Concept Charter

    Activities:

    1. Use SMART success metrics to define your objectives
    2. Develop key performance indicators (KPIs)
    3. Identify key success factors for the project
    4. Outline the project’s scope
    5. Identify the structure of the team responsible for the proof-of-concept project
    6. Estimate the resources required by the project
    7. Be aware of common IT project concerns
    8. Communicate your working group’s findings and successes to a wide audience
    9. Hand off the completed proof-of-concept project plan
    10. Disruption is constant: Repeat the evaluation process regularly to protect the business

    This step involves the following participants:

    • Working group leader
    • CIO

    Outcomes of this step:

    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    3.2 Develop a proof of concept charter

    Keep your proof of concept on track by defining five key dimensions.

    1. Objective: Giving an overview of the planned proof of concept will help to focus and clarify the rest of this section. What must the proof of concept achieve? Objectives should be: specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
    2. Key Success Factors: These are conditions that will positively impact the proof of concept’s success.
    3. Scope: High-level statement of scope. More specifically, state what is in scope and what is out of scope.
    4. Project Team: Identify the team’s structure, e.g. sponsors, subject-matter experts.
    5. Resource Estimation: Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.A Use SMART success metrics to define your objectives

    Specific

    Measurable

    Actionable

    Realistic

    Time Bound

    Make sure the objective is clear and detailed.

    Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.

    Objectives become actionable when specific initiatives designed to achieve the objective are identified.

    Objectives must be achievable given your current resources or known available resources.

    An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    Who, what, where, why?

    How will you measure the extent to which the goal is met?

    What is the action-oriented verb?

    Is this within my capabilities?

    By when: deadline, frequency?

    Examples:

    1. Increase in sales by $40,000 per month by the end of next quarter.
    2. Immediate increase in web traffic by 600 unique page views per day.
    3. Number of pilots approved per year.
    4. Number of successfully deployed solutions per year.

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.B Develop key performance indicators (KPIs)

    30 minutes per technology

    Key performance indicators allow for rigorous analysis, which generates insight into utilization by platform and consumption by business activity.

    • Use the process improvements identified in step 3.1 to brainstorm metrics that indicate when process improvement is actually taking place.
    • Have members of the group pitch KPIs; the facilitator should record each suggestion on a whiteboard.
    • Make sure to have everyone justify the inclusion of each metric: How does it relate to the improvement that the proof of concept project is intended to drive? How does it relate to the overall goals of the business?
    • Include a list of KPIs, along with a description and a target (ensuring that it aligns with SMART metrics) in section 3.1 of the Proof of Concept Template.

    “An estimated 70% of performance measurement systems fail after implementation. Carefully select your KPIs and avoid this trap!”
    Source: Collins et al. 2016

    Key Performance Indicator Description Target

    Result

    Conversion rate What percentage of customers who visit the site/open the conversational interface continue on to make a purchase? 40%
    Average order value

    How much does each customer spend per visit to the website?

    $212
    Repeat customer rate What percentage of customers have made more than one purchase over time? 65%
    Lifetime customer value Over the course of their interaction with the company, what is the typical value each customer brings? $1566

    Input the results of this exercise into Section 3.1 of the Proof of Concept Template.

    3.2.C Identify key success factors for the project

    30 minutes per technology

    Effective project management involves optimizing four key success factors (Clarke, 1999)

    • Communication: Communicate the expected changes to stakeholders, making sure that everyone who needs to know does know. Example: Make sure customer service representatives know their duties will be impacted by the conversational UI well before the proof-of-concept project begins.
    • Clarity: All involved in the project should be apprised of what the project is intended to accomplish and what the project is not intended to accomplish. Example: The conversational commerce project is not intended to be rolled out to the entire customer base all at once; it is not intended to disrupt normal online sales.
    • Compartmentalization: The working group should suggest some ways that the project can be broken down to facilitate its effective implementation. Example: Sales provides details of customers who might be amenable to a trial, IT secures a vendor, customer service writes a script.
    • Flexibility: The working group’s final output should not be treated as gospel. Ensure that the document can be altered to account for unexpected events. Example: The conversational commerce platform might drive sales of a particular product more than others, necessitating adjustments at the warehouse and shipping level.

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.D Outline the project’s scope

    10 minutes per technology

    Create a high-level outline of the project’s scope.

    • Questions to consider: Broadly speaking, what are the project’s goals? What is the desired future state? Where in the company will the project be rolled out? What are some of the company’s goals that the project is not designed to cover?
    • Be sure to avoid scope creep! Remember: The goal of the proof-of-concept project is to produce a minimum case for viability in a carefully defined area. Reserve a detailed accounting of costs and benefits for the post-proof-of-concept stage.
    • Example: The conversational user interface will only be rolled out in an e-commerce setting. Other business units (HR, for example) are beyond the scope of this particular project.

    “Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.”
    – University Alliance, Villanova University

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.E Identify the structure of the team responsible for the proof-of-concept project

    10 minutes per technology

    Brainstorm who will be involved in project implementation.

    • Refer back to the list of stakeholders identified in 3.1.a. Which stakeholders should be involved in implementing the proof-of-concept plan?
    • What business units do they represent?
    • Who should be accountable for the project? At a high level, sketch the roles of each of the participants. Who will be responsible for doing the work? Who will approve it? Who needs to be informed at every stage? Who are the company’s internal subject matter experts?

    Example

    Name/Title Role
    IT Manager Negotiate the contract for the software with vendor
    CMO Promote the conversational interface to customers

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.F Estimate the resources required by the project

    10 minutes per technology

    Time and Money

    • Recall: Costs can be operational, capital, or opportunity.
    • Revisit the Disruptive Technology Value-Readiness and SWOT Analysis Tool. Record the capital and operational expenses expected to be associated with each technology, and add detail where possible (use exact figures from particular vendors instead of percentages).
    • Write the names and titles of each expected participant in the project on a whiteboard. Next to each name, write the number of hours they are expected to devote to the project and include a rough estimate of the cost of their participation to the company. Use full-time employee equivalent (FTE measures) as a base.
    • Outline how other necessary resources (space, tools, expertise, etc.) will be secured.

    Example: Conversational Commerce

    • OpEx: $149/month + 2.9¢/transaction* (2,000 estimated transactions)
    • CapEx: $0!
    • IT Manager: 5 hours at $100/hour
    • IT Technician: 40 hours at $45/hour
    • CMO: 1 hour at $300/hour
    • Customer Service Representative: 10 hours at $35/hour
    • *Estimated total cost for a one-month proof-of-concept project: $3,157

    *This number is a sample taken from the vendor Rhombus

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.G Be aware of common IT project concerns

    Of projects that did not meet business expectations or were cancelled, how significant were the following issues?

    A bar graph is depicted, comparing small, medium, and large businesses for the following datasets: Over budget; Project failed to be delivered on time; Breach of scope; Low quality; Failed to deliver expected benefit or value

    This survey data did not specifically address innovation projects.

    • Disruptive technology projects will be under increased scrutiny in comparison to other projects.
    • Be sure to meet deadlines and stay within budget.
    • Be cognizant that your projects can go out of scope, and there will be projects that may have to be cancelled due to low quality. Remember: Even a failed test is a learning opportunity!

    Info-Tech’s CIO-CEO Alignment Survey, N=225

    Organization size was determined by the number of IT employees within the organization

    Small = 10 or fewer IT staff, medium = 11 to 25 IT staff, and large/enterprise = 26 or greater IT staff

    3.2.H Communicate your working group’s findings and successes to a wide audience

    Advertise the group’s successes and help prevent airline magazine syndrome from occurring.

    • Share your group’s results internally:
      • Run your own analysis by senior management and then share it across the organization.
      • Maintain a list of technologies that the working group has analyzed and solicit feedback from the wider organization.
      • Post summaries of the technologies in a publicly available repository. The C-suite may not read it right away, but it will be easy to provide when they ask.
      • If senior management has declined to proceed with a certain technology, avoid wasting time and resources on it. However, include notes about why the technology was rejected.
    • These postings will also act as an advertisement for the group. Use the garnered interest to attract visionaries for the next cycle.
    • These postings will help to reiterate the innovative value of the IT department and help bring you to the decision-making table.

    “Some CIOs will have to battle the bias that they belong in the back office and shouldn’t be included in product architecture planning. CIOs must ‘sell’ IT’s strength in information architecture.”
    – Chris Curran, Chief Technologist, PwC (Curran, 2014)

    Info-Tech Insight

    Cast a wide net. By sharing your results with as many people as possible within your organization, you’ll not only attract more attention to your working group, but you will also get more feedback and ideas.

    3.2.I Hand off the completed proof-of-concept project plan

    The proof of concept template is filled out – now what?

    • The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of concept (purchasing the hardware, negotiating the SLA with the vendor) is beyond the working group’s responsibilities.
    • If the proof of concept goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
    • A cure for airline magazine syndrome: Be prepared when executives ask about new technology. Present them with the results of the shortlist analysis and the proof-of-concept plan. A clear accounting of the value, readiness, strengths, weaknesses, opportunities, and threats posed by each technology, along with its impact on business processes, is an invaluable weapon against poor technology choices.

    Use section 3.2.b to identify the decision-making stakeholder who has the most to gain from a successful proof-of-concept project. Self-interest is a powerful motivator – the project is more likely to succeed in the hands of a passionate champion.

    Info-Tech Insight

    Set a date for the first meeting of the new iteration of the disruptive technology working group before the last meeting is done. Don’t risk pushing it back indefinitely.

    3.2.J Hand off the completed proof-of-concept project plan

    Record the results of the proof of concept. Keep track of what worked and what didn’t.

    Repeat the process regularly.

    • Finalize the proof of concept template, but don’t stop there: Keep your ear to the ground; follow tech developments using the sources identified in step 1.2.
    • Continue expanding the potential longlist with independent research: Be prepared to expand your longlist. Remember, the more technologies you have on the longlist, the more potential airline magazine syndrome cures you have access to.
    • Have the results of the previous session’s proof of concept plan on hand: At the start of each new iteration, conduct a review. What technologies were successful beyond the proof of concept phase? Which parts of the process worked? Which parts did not? How could they be improved?

    Info-Tech Insight

    The key is in anticipation. This is not a one-and-done exercise. Technology innovation operates at a faster pace than ever before, well below the Moores Law "18 month" timeline as an example. Success is in making EDIT a repeatable process.

    Related Info-Tech Research

    Define Your Digital Business Strategy
    After a major crisis, find your place in the digital economy.

    Develop a Project Portfolio Management Strategy
    Drive project throughput by throttling resource capacity.

    Adopt Design Thinking in Your Organization
    Innovation needs design thinking.

    Digital Maturity Improvement Service
    Prepare your organization for digital transformation – or risk falling behind.

    Research contributors and experts

    Nitin Babel

    Nitin Babel, Co-Founder, niki.ai

    Nitin Babel, MSc, co-created conversational commerce platform niki.ai in early 2015. Since then, the technology has been featured on the front page of the Economic Times, and has secured the backing of Ratan Tata, former chairman of the Tata Group, one of the largest companies in the world.

    Mark Hubbard

    Mark Hubbard, Senior Vice President, FirstOnSite

    Mark is the SVP for Information Technology in Canada with FirstOnSite, a full service disaster recovery and property restoration company. Mark has over 25 years of technology leadership guiding global organizations through the development of strategic and tactical plans to strengthen their technology platforms and implement business aligned technology strategies.

    Chris Green

    Chris Green, Enterprise Architect, Boston Private
    Chris is an IT architect with over 15 years’ experience designing, building, and implementing solutions. He is a results-driven leader and contributor, skilled in a broad set of methods, tools, and platforms. He is experienced with mobile, web, enterprise application integration, business process, and data design.

    Andrew Kope

    Andrew Kope, Head of Data Analytics
    Big Blue Bubble
    Andrew Kope, MSc, oversees a team that develops and maintains a user acquisition tracking solution and a real-time metrics dashboard. He also provides actionable recommendations to the executive leadership of Big Blue Bubble – one of Canada’s largest independent mobile game development studios.

    Jason Hong

    Jason Hong, Associate Professor, School of Computer Science, Human-Computer Interaction Institute, Carnegie Mellon University

    Jason Hong is a member of the faculty at Carnegie Mellon’s School of Computer Science. His research focus lies at the intersection of human-computer interaction, privacy and security, and systems. He is a New America National Cyber Security Fellow (2015-2017) and is widely published in academic and industry journals.

    Tim Lalonde

    Tim Lalonde, Vice President, Mid-Range

    Tim Lalonde is the VP of Technical Operations at Mid-Range. He works with leading-edge companies to be more competitive and effective in their industries. He specializes in developing business roadmaps leveraging technology that create and support change from within — with a focus on business process re-engineering, architecture and design, business case development and problem-solving. With over 30 years of experience in IT, Tim’s guiding principle remains simple: See a problem, fix a problem.

    Jon Mavor

    Jon Mavor, Co-Founder and CTO, Envelop VR
    Jon Mavor is a programmer and entrepreneur, whose past work includes writing the graphics engine for the PC game Total Annihilation. As Chief Technology Officer of Envelop VR, a virtual reality start-up focused on software for the enterprise, Jon has overseen the launch of Envelop for Windows’s first public beta.

    Dan Pitt

    Dan Pitt, President, Palo Alto Innovation Advisors
    Dan Pitt is a network architect who has extensive experience in both the academy and industry. Over the course of his career, Dan has served as Executive Director of the Open Networking Foundation, Dean of Engineering at Santa Clara University, Vice President of Technology and Academic Partnerships at Nortel, Vice President of the Architecture Lab at Bay Networks, and, currently, as President of Palo Alto Innovation Advisors, where he advises and serves as an executive for technology start-ups in the Palo Alto area and around the world.

    Courtney Smith

    Courtney Smith, Co-Founder, Executive Creative Director
    PureMatter

    Courtney Smith is an accomplished creative strategist, storyteller, writer, and designer. Under her leadership, PureMatter has earned hundreds of creative awards and been featured in the PRINT International Design Annual. Courtney has juried over 30 creative competitions, including Creativity International. She is an invited member of the Academy of Interactive and Visual Arts.

    Emmanuel Tsekleves

    Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster
    Dr. Emmanuel Tsekleves is a senior lecturer and writer based out of the United Kingdom. Emmanuel designs interactions between people, places, and products by forging creative design methods along with digital technology. His design-led research in the areas of health, ageing, well-being, and defence has generated public interest and attracted media attention by the national press, such as the Daily Mail, Daily Mirror, The Times, the Daily Mail, Discovery News, and several other international online media outlets.

    Bibliography

    Airini Ab Rahman. “Emerging Technologies with Emerging Effects; A Review”. Universiti Teknologi Malaysia. PERINTIS eJournal, June 2017. Web.

    Anthony, Scott. “Kodak’s Downfall Wasn’t About Technology.” Harvard Business Review, 15 July 2016. Web.

    ARM. The Intelligent Flexible Cloud. 26 Feb. 2015. Web.

    Association of Computing Machinery. Communications of the ACM, n.d. Web.

    Barnett, Thomas. “Three Mobile Trends to Watch.” Cisco Blogs, 3 Feb. 2015. Web.

    Batelle, John. “The 70 Percent Solution.” CNN, 1 Dec 2005. Web.

    Booz Allen Hamilton. Managing Technological Change: 7 Ways to Talk Tech with Management, n.d. Web.

    Brynjolfsson, Erik, and Andrew McAfee. The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies. W. W. Norton, 2014. Print.

    Christensen, Clayton M. “What is Disruptive Innovation?” Harvard Business Review, Dec 2015. Web.

    Christensen, Clayton M. and James Euchner. “Managing Disruption: An Interview With Clayton Christensen.” Research-Technology Management, 22 Dec 2015. vol. 54, no. 1. Web.

    Christensen, Clayton M., Rory McDonald, and Elizabeth J. Altman. “Disruptive Innovation: An Intellectual History and Directions for Future Research”. Wiley Online Library. Web.

    Christensen, Clayton M., Taddy Hall, Karen Dillon, and David S. Duncan. “Know Your Customers’ Jobs to be Done.” Harvard Business Review, Sept. 2016. Web.

    Cisco. “Cisco Annual Internet Report.” n.d. Web.

    Cisco. Cisco Visual Networking Index: Forecast and Methodology, 2014-2019, 27 May 2015. Web.

    Clark, Steven. “Elon Musk hopes SpaceX will send humans to Mars in 2024.” Spaceflight Now, 2 June 2016. Web.

    Clarke, Angela. “A practical use of key success factors to improve the effectiveness of project management,” International Journal of Project Management, June 1999 (17): 139-145.

    Collins, Andrew L., Patrick Hester, Barry Ezell, and John Horst. “An improvement selection methodology for key performance indicators.” Environmental Systems and Decisions, June 2016, 36 (2): 196-208.

    Computer Sciences Corporation. CSC Global CIO Survey: 2014-2015: CIOs Emerge as Disruptive Innovators: An Annual Barometer of Global CIOs’ Plans, Priorities, Threats, and Opportunities, 2014. Web.

    Constine, John. “Voice is Chat’s Next Battleground.” TechCrunch, 19 Sept. 2016. Web.

    Cressman, Daryl. “Disruptive Innovation and the Idea of Technology”. Maastricht University, June 2019. Web.

    Crown Prosecution Service. A Guide to Process Mapping and Improvement. n.d. Web.

    Curran, Chris. “The CIO’s Role in the Internet of Things.” PwC, 13 Mar. 2014. Web.

    Darbha, Sheta, Mike Shevenell, and Jason Normandin. “Impact of Software-Defined Networking on Infrastructure Management.” CA Technology Exchange, 4.3, Nov. 2013, pp. 33-43. Web.

    Denecken, Sven. Conquering Disruption Through Digital Transformation: Technologies, Leadership Strategies, and Best Practices to Create Opportunities for Innovation. SAP, 2014. Web.

    DHL Trend Research and Cisco Consulting Services. Internet of Things in Logistics: A Collaborative Report by DHL and Cisco on Implications and Use Cases for the Logistics Industry, 2015. Web.

    Dirican, Cüneyt. “The Impacts of Robotics, Artificial Intelligence on Business and Economics.” Procedia: Social and Behavioral Sciences, vol. 195, 2015, pp. 564-573. Web.

    Edraw Visualization Solutions. Examples of Flowcharts, Org Charts and More. “Cross-Function Flowchart Examples – Service Flowchart.”

    Emerson. Data Center 2025: Exploring the Possibilities, 2014. Web.

    Ericsson. Next-Generation Data Center Infrastructure, Feb. 2015. Web.

    Eurotech. Connecting M2M Applications to the Cloud to Bolster Hardware Sales, 2014. Web.

    Evans Gary, Llewellyn. “Disruptive Technology and the Board: The Tip of the Iceberg”. Economics and Business Review, n.d. Web.

    Evans Gary, Llewellyn. “Disruptive Technology and the Board: The Tip of the Iceberg”. Economics and Business Review, n.d. Web.

    Gage, Deborah. “The Venture Capital Secret: 3 Out of 4 Start-Ups Fail.” Wall Street Journal, 20 Sept. 2012. Web.

    Garvin, David A. “Competing on the Eight Dimensions of Quality.” Harvard Business Review, November 1987. Web.

    Gibbs, Colin. Augmented Reality in the Enterprise: Opportunities and Challenges. Gigaom Research, 26 Jan. 2015. Web.

    Glushko, Robert J. and Tim McGrath. Document Engineering: Analyzing and Designing Documents for Business Informatics and Web Services. MIT Press, 2005.

    Hadfield, Tom. “Facebook’s Messenger Bot Store could be the most important launch since the App Store.” TechCrunch, 17 March 2016. Web.

    Healey, Nic. “Microsoft's mixed reality vision: 80 million devices by 2020.” CNET, 1 June 2016. Web.

    Hewlett-Packard. Go Beyond Cost Reduction: Use Robotic Process Automation, Oct. 2015. Web.

    Hewlett-Packard. HP Composable Infrastructure: Bridging Traditional IT with the New Style of Business, June 2015. Web.

    Hewlett-Packard. HP Labs, n.d. Web.

    Hong, Jason. “Inside the Great Wall.” Communications of the ACM, 25 May 2016. Web.

    IBM Institute for Value. Your Cognitive Future: How Next-Gen Computing Changes the Way We Live and Work, 2015. Web.

    IBM. A New Way to Work: Futurist Insights to 2025 and Beyond, Jan. 2015. Web.

    Infinity. The Evolution of the Data Centre [sic], 2015. Web.

    Intel Corporation. Intel Annual Report, 1997. Web.

    Isaac, Mike. “Facebook Bets on Bots for its Messenger App.” New York Times, 12 April 2016. Web.

    ISACA. COBIT 5: Enabling Processes. ISACA, 2012. Print.

    K-12 Blueprint. “Planning a Proof of Concept.” 2014. Web.

    Kaushik Rukmini, Meenakshi. “The Impact of Pandemic COVID -19 in Workplace.” European Journal of Business Management and Research, May 2020. Web.

    Knight, Will. “Conversational Interfaces Powerful speech technology from China’s leading Internet company makes it much easier to use a smartphone.” MIT Technology Review, n.d. Web.

    Kostoff, Ronald N., Robert Boylan, and Gene R. Simons. “Disruptive Technology Roadmaps.” Technological Forecasting and Social Change, 2004. Vol. 71. Web.

    Kurzweil, Ray. “The Accelerating Power of Technology.” TED, Feb. 2005. Web.

    Kurzweil, Ray. Kurzweil: Accelerating Intelligence, 2015. Web.

    MacFarquhar, Larissa. “When Giants Fall: What Business Has Learned From Clayton Christensen,” New Yorker, 14 May 2012. Web.

    McClintock, Cat. “2016: The Year for Augmented Reality in the Enterprise.” PTC, n.d. Web.

    McKinsey & Company. IT Growth and Global Change: A Conversation with Ray Kurzweil. 29 Feb. 2012, YouTube. Web.

    Messina, Chris. “2016 Will be the Year of Conversational Commerce.” Medium, 19 Jan 2016. Web.

    Microsoft. Microsoft Research, n.d. Web.

    Miller, Ron. “Forget the Apple Watch, Think Drones in the Enterprise.” TechCrunch, 10 Sep. 2015. Web.

    Nokia Networks. FutureWorks [sic]: Teaching Networks to be Self-Aware: Technology Vision 2020. 2014. Web.

    Nokia Networks. Internet of Things. n.d. Web.

    O’Reilly, Charles, and Andrew J. M. Binns, “The Three Stages of Disruptive Innovation: Idea Generation, Incubation, and Scaling”. Sage Journals, n.d. Web.

    Pew Research Center. AI, Robotics, and the Future of Jobs: Experts Envision Automation and Intelligent Digital Agents Permeating Vast Areas of Our Work and Personal Lives by 2025, but they are Divided on Whether these Advances will Displace More Jobs than they Create. Aug. 2014. Web.

    Ramiller, Neil. “Airline Magazine Syndrome: Reading a Myth of Mismanagement.” Information Technology & People, Sept 2001. Print.

    Raymond James & Associates. The Internet of Things: A Study in Hype, Reality, Disruption, and Growth. 2014. Web.

    Richter, Felix. “No Growth in Sight for Global PC Market.” Statista, 14 March 2016. Web.

    Roy, Mekhala. “4 Examples of Digital Transformation Success in Business”. TechTarget, n.d. Web.

    Simon Weinreich, “How to Manage Disruptive Innovation - a conceptional methodology for value-oriented portfolio planning,” Sciencedirect. 31st CIRP Design Conference 2021.

    Spice Works. The Devices are Coming! How the “Internet of Things” will affect IT… and why resistance is futile. May 2014. Web.

    Spradlin, Dwayne. “Are You Solving the Right Problem?” Harvard Business Review, Sept. 2012. Web.

    Statista. “Number of smartphones sold to end users worldwide from 2007 to 2015 (in million units).” N.d. Web.

    Statista. “Worldwide tablet shipments from 2nd quarter 2010 to 2nd quarter 2016 (in million units).” N.d. Web.

    Sven Schimpf, “Disruptive Field Study; How Companies Identify, Evaluate, Develop and Implement Disruptive Technologies.” Fraunhofer Group for Innovation Research, 2020. Web.

    Tsekleves, Emmanuel. “Science fiction as fact: how desires drive discoveries.” The Guardian. 13 Aug. 2015. Web.

    Tsekleves, Emmanuel. “Science fiction as fact: how desires drive discoveries.” The Guardian, 13 Aug. 2015. Web.

    United States Department of Transportation. “National Motor Vehicle Crash Causation Survey: Report to Congress.” National Highway Traffic Safety Administration, July 2008. Web.

    United States Department of Transportation. “National Motor Vehicle Crash Causation Survey: Report to Congress.” National Highway Traffic Safety Administration, July 2008. Web.

    University Alliance (Villanova U). Managing Scope Creep in Project Management. N.d. Web.

    Vavoula, Giasemi N., and Mike Sharples. “Future Technology Workshop: A Collaborative Method for the Design of New Learning Technologies and Activities.” International Journal of Computer Supported Collaborative Learning, Dec 2007. Vol. 2 no. 4. Web.

    Walraven Pieter. “It’s Operating Systems Vs. Messaging Apps In The Battle For Tech’s Next Frontier.” TechCrunch, 11 Aug 2015. Web.

    Webb, Amy. “The Tech Trends You Can’t Ignore in 2015.” Harvard Business Review, 5 Jan. 2015. Web.

    Wenger, Albert. “The Great Bot Rush of 2015-16.” Continuations, 16 Dec 2015. Web.

    White, Chris. “IoT Tipping Point Propels Digital Experience Era.” Cisco Blogs, 12 Nov. 2014. Web.

    World Economic Forum and Accenture. Industrial Internet of Things: Unleashing the Potential of Connected Products and Services. 2015. Web.

    Yu Dan and Hang Chang Chieh, "A reflective review of disruptive innovation theory," PICMET '08 - 2008 Portland International Conference on Management of Engineering & Technology, 2008, pp. 402-414, doi: 10.1109/PICMET.2008.4599648.

    Select and Use SDLC Metrics Effectively

    • Buy Link or Shortcode: {j2store}150|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $2,991 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization wants to implement (or revamp existing) software delivery metrics to monitor performance as well as achieve its goals.
    • You know that metrics can be a powerful tool for managing team behavior.
    • You also know that all metrics are prone to misuse and mismanagement, which can lead to unintended consequences that will harm your organization.
    • You need an approach for selecting and using effective software development lifecycle (SDLC) metrics that will help your organization to achieve its goals while minimizing the risk of unintended consequences.

    Our Advice

    Critical Insight

    • Metrics are powerful, dangerous, and often mismanaged, particularly when they are tied to reward or punishment. To use SDLC metrics effectively, know the dangers, understand good practices, and then follow Info-Tech‘s TAG (team-oriented, adaptive, and goal-focused) approach to minimize risk and maximize impact.

    Impact and Result

    • Begin by understanding the risks of metrics.
    • Then understand good practices associated with metrics use.
    • Lastly, follow Info-Tech’s TAG approach to select and use SDLC metrics effectively.

    Select and Use SDLC Metrics Effectively Research & Tools

    Start here – read the Executive Brief

    Understand both the dangers and good practices related to metrics, along with Info-Tech’s TAG approach to the selection and use of SDLC metrics.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the dangers of metrics

    Explore the significant risks associated with metrics selection so that you can avoid them.

    • Select and Use SDLC Metrics Effectively – Phase 1: Understand the Risks of Metrics

    2. Know good practices related to metrics

    Learn about good practices related to metrics and how to apply them in your organization, then identify your team’s business-aligned goals to be used in SDLC metric selection.

    • Select and Use SDLC Metrics Effectively – Phase 2: Know Good Practices Related to Metrics
    • SDLC Metrics Evaluation and Selection Tool

    3. Rank and select effective SDLC metrics for your team

    Follow Info-Tech’s TAG approach to selecting effective SDLC metrics for your team, create a communication deck to inform your organization about your selected SDLC metrics, and plan to review and revise these metrics over time.

    • Select and Use SDLC Metrics Effectively – Phase 3: Rank and Select Effective SDLC Metrics for Your Team
    • SDLC Metrics Rollout and Communication Deck
    [infographic]

    Workshop: Select and Use SDLC Metrics Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Dangers of Metrics

    The Purpose

    Learn that metrics are often misused and mismanaged.

    Understand the four risk areas associated with metrics: Productivity loss Gaming behavior Ambivalence Unintended consequences

    Productivity loss

    Gaming behavior

    Ambivalence

    Unintended consequences

    Key Benefits Achieved

    An appreciation of the dangers associated with metrics.

    An understanding of the need to select and manage SDLC metrics carefully to avoid the associated risks.

    Development of critical thinking skills related to metric selection and use.

    Activities

    1.1 Examine the dangers associated with metric use.

    1.2 Share real-life examples of poor metrics and their impact.

    1.3 Practice identifying and mitigating metrics-related risk.

    Outputs

    Establish understanding and appreciation of metrics-related risks.

    Solidify understanding of metrics-related risks and their impact on an organization.

    Develop the skills needed to critically analyze a potential metric and reduce associated risk.

    2 Understand Good Practices Related to Metrics

    The Purpose

    Develop an understanding of good practices related to metric selection and use.

    Introduce Info-Tech’s TAG approach to metric selection and use.

    Identify your team’s business-aligned goals for SDLC metrics.

    Key Benefits Achieved

    Understanding of good practices for metric selection and use.

    Document your team’s prioritized business-aligned goals.

    Activities

    2.1 Examine good practices and introduce Info-Tech’s TAG approach.

    2.2 Identify and prioritize your team’s business-aligned goals.

    Outputs

    Understanding of Info-Tech’s TAG approach.

    Prioritized team goals (aligned to the business) that will inform your SDLC metric selection.

    3 Rank and Select Your SDLC Metrics

    The Purpose

    Apply Info-Tech’s TAG approach to rank and select your team’s SDLC metrics.

    Key Benefits Achieved

    Identification of potential SDLC metrics for use by your team.

    Collaborative scoring/ranking of potential SDLC metrics based on their specific pros and cons.

    Finalize list of SDLC metrics that will support goals and minimize risk while maximizing impact.

    Activities

    3.1 Select your list of potential SDLC metrics.

    3.2 Score each potential metric’s pros and cons against objectives using a five-point scale.

    3.3 Collaboratively select your team’s first set of SDLC metrics.

    Outputs

    A list of potential SDLC metrics to be scored.

    A ranked list of potential SDLC metrics.

    Your team’s first set of goal-aligned SDLC metrics.

    4 Create a Communication and Rollout Plan

    The Purpose

    Develop a rollout plan for your SDLC metrics.

    Develop a communication plan.

    Key Benefits Achieved

    SDLC metrics.

    A plan to review and adjust your SDLC metrics periodically in the future.

    Communication material to be shared with the organization.

    Activities

    4.1 Identify rollout dates and responsible individuals for each SDLC metric.

    4.2 Identify your next SDLC metric review cycle.

    4.3 Create a communication deck.

    Outputs

    SDLC metrics rollout plan

    SDLC metrics review plan

    SDLC metrics communication deck

    Present Security to Executive Stakeholders

    • Buy Link or Shortcode: {j2store}262|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $2,000 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders find it challenging to convey the necessary information to obtain support for security objectives.
    • Changes to the threat landscape and shifts in organizational goals exacerbate the issue, as they impact security leaders' ability to prioritize topics to be communicated.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.

    Our Advice

    Critical Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and ensuring that you have met your goal.

    Impact and Result

    • Developing a thorough understanding of the security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Present Security to Executive Stakeholders Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Present Security to Executive Stakeholders – A step-by-step guide to communicating security effectively to obtain support from decision makers.

    Use this as a guideline to assist you in presenting security to executive stakeholders.

    • Present Security to Executive Stakeholders Storyboard

    2. Security Presentation Templates – A set of security presentation templates to assist you in communicating security to executive stakeholders.

    The security presentation templates are a set of customizable templates for various types of security presentation including:

    • Present Security to Executive Stakeholders Templates

    Infographic

    Further reading

    Present Security to Executive Stakeholders

    Learn how to communicate security effectively to obtain support from decision makers.

    Analyst Perspective

    Build and deliver an effective security communication to your executive stakeholders.

    Ahmad Jowhar

    As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected.

    However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging.

    Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives.

    Ahmad Jowhar
    Research Specialist, Security & Privacy

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Many security leaders struggle to decide what to present and how to present security to executive stakeholders.
    • Constant changes in the security threat landscape impacts a security leader’s ability to prioritize topics to be communicated.
    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.
    • Developing a thorough understanding of security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Info-Tech Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Your challenge

    As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

    • When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
    • This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
    • Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

    76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

    62% find it difficult to balance the risk of too much detail and need-to-know information.

    41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

    Source: Deloitte, 2022

    Common obstacles

    There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

    • Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
    • The issue has been amplified, with security threats constantly increasing across all industries.
    • However, security leaders don’t feel that they are in a position to make themselves heard.
    • The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
    • Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

    9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

    77% of organizations have seen an increase in the number of attacks in 2021.

    56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

    Source: EY, 2021
    The image contains a screenshot of an Info-Tech Thoughtmodel titled: Presenting Security to Executive Stakeholders.

    Info-Tech’s methodology for presenting security to executive stakeholders

    1. Identify communication goals

    2. Collect information to support goals

    3. Develop communication

    4. Deliver communication

    Phase steps

    1. Identify drivers for communicating to executives
    2. Define your goals for communicating to executives
    1. Identify data to collect
    2. Plan how to retrieve data
    1. Plan communication
    2. Build a compelling communication document
    1. Deliver a captivating presentation
    2. Obtain/verify goals

    Phase outcomes

    A defined list of drivers and goals to help you develop your security presentations

    A list of data sources to include in your communication

    A completed communication template

    A solidified understanding of how to effectively communicate security to your stakeholders

    Develop a structured process for communicating security to your stakeholders

    Security presentations are not a one-way street
    The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Identifying your goals is the foundation of an effective presentation
    Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

    Harness the power of data
    Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

    Take your audience on a journey
    Developing a storytelling approach will help engage with your audience.

    Win your audience by building a rapport
    Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

    Tactical insight
    Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

    Tactical insight
    Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

    Project deliverables

    This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

    Report on Security Initiatives
    Template showing how to inform executive stakeholders of security initiatives.

    Report on Security Initiatives.

    Security Metrics
    Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.

    Security Metrics.

    Security Incident Response & Recovery
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Security Incident Response & Recovery

    Security Funding Request
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Security Funding Request

    Key template:

    Security and Risk Update

    Template showing how to inform executive stakeholders of proactive security and risk initiatives.

    Blueprint benefits

    IT/InfoSec benefits

    Business benefits

    • Reduce effort and time spent preparing cybersecurity presentations for executive stakeholders by having templates to use.
    • Enable security leaders to better prepare what to present and how to present it to their executive stakeholders, as well as driving the required outcomes from those presentations.
    • Establish a best practice for communicating security and IT to executive stakeholders.
    • Gain increased awareness of cybersecurity and the impact executive stakeholders can have on improving an organization’s security posture.
    • Understand how security’s alignment with the business will enable the strategic growth of the organization.
    • Gain a better understanding of how security and IT objectives are developed and justified.

    Measure the value of this blueprint

    Phase

    Measured Value (Yearly)

    Phase 1: Identify communication goals

    Cost to define drivers and goals for communicating security to executives:

    16 FTE hours @ $233K* =$1,940

    Phase 2: Collect information to support goals

    Cost to collect and synthesize necessary data to support communication goals:

    16 FTE hours @ $233K = $1,940

    Phase 3: Develop communication

    Cost to develop communication material that will contextualize information being shown:

    16 FTE hours @ $233K = $1,940

    Phase 4: Deliver communication

    Potential Savings:

    Total estimated effort = $5,820

    Our blueprint will help you save $5,820 and over 40 FTE hours

    * The financial figure depicts the annual salary of a CISO in 2022

    Source: Chief Information Security Officer Salary.” Salary.com, 2022

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Identify communication goals

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Understanding the different drivers for communicating security to executive stakeholders
    • Identifying different communication goals

    This phase involves the following participants:

    • Security leader

    1.1. Identify drivers for communicating to executive stakeholders

    As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

    However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

    39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

    Source: EY, 2021.

    Info-Tech Insight

    Not all security presentations are the same. Keep your communication strategy and processes agile.

    Know your drivers for security presentations

    By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

    • These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
    • Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

    Understanding drivers will also help you understand how to present security to executive stakeholders.

    • These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
    • For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

    Identify your communication drivers, which can stem from various initiatives and programs, including:

    • Results from internal or external audit reports.
    • Upcoming budget meetings.
    • Briefing newly elected executive stakeholders on security.

    When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

    Examples of drivers for security presentations

    Audit
    Upcoming internal or external audits might require updates on the organization’s compliance

    Organizational restructuring
    Restructuring within an organization could require security updates

    Merger & Acquisition
    An M&A would trigger presentations on organization’s current and future security posture

    Cyber incident
    A cyberattack would require an immediate presentation on its impact and the incident response plan

    Ad hoc
    Provide security information requested by stakeholders

    1.2. Define your goals for communicating to executives

    After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

    • Communication drivers are mainly triggers for why you want to present security.
    • Communication goals are the potential outcomes you are hoping to obtain from the presentation.
    • Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

    Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

    • As a group, brainstorm the security goals that align with your business goals for the coming year.
      • Aim to have at least two business goals that align with each security goal.
    • Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
      • E.g. Increased security awareness, updates on organization's security posture.
    • Identify what the ask is for this presentation.
      • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

    Info-Tech Insight

    There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

    Examples of security presentation goals

    Educate
    Educate the board on security trends and/or latest risks in the industry

    Update
    Provide updates on security initiatives, relevant security metrics, and compliance posture

    Inform
    Provide an incident response plan due to a security incident or deliver updates on current threats and risks

    Investment
    Request funding for security investments or financial updates on past security initiatives

    Ad hoc
    Provide security information requested by stakeholders

    Phase 2

    Collect information to support goals

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Understanding what types of data to include in your security presentations
    • Defining where and how to retrieve data

    This phase involves the following participants:

    • Security leader
    • Network/security analyst

    2.1 Identify data to collect

    After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

    • Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
    • The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
    • Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

    Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

    • Work with your security team to identify the main type of data applicable to the communication goals.
      • E.g. Financial data would be meaningful to use when communicating a budget presentation.
    • Identify supporting data linked to the main data defined.
      • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
    • Show how both the main and supporting data align with the communication goals.
      • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

    Info-Tech Insight

    Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

    Examples of data to present

    Educate
    Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

    Update
    Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

    Inform
    Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

    Investment
    Capital and operating expenditure for investment; ROI on past and future security initiatives

    Ad hoc
    Number of security initiatives that went over budget; phishing test campaign results

    2.2 Plan how to retrieve the data

    Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

    • Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
      • This includes security log reports or expenditures for ongoing and future security investments.
    • Retrieving the data, however, would require collaboration and cooperation from different team members.
    • You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

    Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

    • This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
    • Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

    Info-Tech Insight

    Using a data-driven approach to help support your objectives is key to engaging with your audience.

    Plan where to retrieve the data

    Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

    Examples of where to retrieve your data

    Data Source

    Data

    Data Owner

    Communication Goal

    Audit & Compliance Reports

    Percentage of controls completed to be certified with ISO 27001; Number of security threats & risks identified.

    Audit Manager;

    Compliance Manager;

    Security Leader

    Ad hoc, Educate, Inform

    Identity & Access Management (IAM) Applications

    Number of privileged accounts/department; Percentage of user accounts with MFA applied

    Network/Security Analyst

    Ad hoc, Inform, Update

    Security Information & Event Management (SIEM)

    Number of attacks detected and blocked before & after implementing endpoint security; Percentage of firewall rules that triggered a false positive

    Network/Security Analyst

    Ad hoc, Inform, Update

    Vulnerability Management Applications

    Percentage of critical vulnerabilities patched; Number of endpoints encrypted

    Network/Security Analyst

    Ad hoc, Inform, Update

    Financial & Accounting Software

    Capital & operating expenditure for future security investments; Return on investment (ROI) on past and current security investments

    Financial and/or Accounting Manager

    Ad hoc, Educate, Investments

    Phase 3

    Develop communication

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Identifying a communication strategy for presenting security
    • Identifying security templates that are applicable to your presentation

    This phase involves the following participants:

    • Security leader

    3.1 Plan communication: Know who your audience is

    • When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
    • This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

    Examples of two profiles in a boardroom

    Formal board of directors

    The executive team

    • In the private sector, this will include an appointed board of shareholders and subcommittees external to the organization.
    • In the public sector, this can include councils, commissions, or the executive team itself.
    • In government, this can include mayors, ministers, and governors.
    • The board’s overall responsibility is governance.
    • This audience will include your boss and your peers internal to the organization.
    • This category is primarily involved in the day-to-day operations of the organization and is responsible for carrying out the strategic direction set by the board.
    • The executive team’s overall responsibility is operations.

    3.1.1 Know what your audience cares about

    • Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
    • Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
    • Your background research could include:
      • Researching the audience’s professional background through LinkedIn.
      • Reviewing their comments from past executive meetings.
      • Researching current security trends that align with organizational goals.
    • Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

    A board’s purpose can include the following:

    • Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
    • Determining and funding the organization’s future and direction.
    • Protecting and increasing shareholder value.
    • Protecting the company’s exposure to risks.

    Examples of potential values and risks

    • Business impact
    • Financial impact
    • Security and incidents

    Info-Tech Insight
    Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

    Understand your audience’s concerns

    • Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
    • By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
    • These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
    • After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

    Examples of potential concerns for each profile of executive stakeholders

    Formal board of directors

    The executive team

    • Business impact (What is the impact of IT in solving business challenges?)
    • Investments (How will it impact organization’s finances and efficiency?)
    • Cybersecurity and risk (What are the top cybersecurity risks, and how is IT mitigating those risks to the business?)
    • Business alignment (How do IT priorities align to the business strategy and goals?)
    • IT operational efficiency (How is IT set up for success with foundational elements of IT’s operational strategy?)
    • Innovation & transformation priorities (How is IT enabling the organization’s competitive advantage and supporting transformation efforts as a strategic business partner?)

    Build your presentation to tackle their main concerns

    Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

    Checklist:

    • Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
    • Include value and risk language in your presentation to appeal to your audience.
    • Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
    • Include information about what is in it for them and the organization.
    • Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

    Info-Tech Insight
    The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

    3.1.2 Take your audience through a security journey

    • Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
    • You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
    • Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
    • You can derive insights for your storytelling presentation by doing the following:
      • Provide a business case scenario on the topic you are presenting.
      • Identify and communicate the business problem up front and answer the three questions (why, what, how).
      • Quantify the problems in terms of business impact (money, risk, value).

    Info-Tech Insight
    Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

    Identify the purpose of your presentation

    You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

    Examples of communication goals

    To inform or educate

    To reach a decision

    • In this presentation type, it is easy for IT leaders to overwhelm a board with excessive or irrelevant information.
    • Focus your content on the business problem and the solution proposed.
    • Refrain from too much detail about the technology – focus on business impact and risk mitigated. Ask for feedback if applicable.
    • In this presentation type, there is a clear ask and an action required from the board of directors.
    • Be clear about what this decision is. Once again, don’t lead with the technology solution: Start with the business problem you are solving, and only talk about technology as the solution if time permits.
    • Ensure you know who votes and how to garner their support.

    Info-Tech Insight
    Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

    Gather the right information to include in your boardroom presentation

    Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

    Typical IT boardroom presentations include:

    • Communicating the value of ongoing business technology initiatives.
    • Requesting funds or approval for a business initiative that IT is spearheading.
    • Security incident response/Risk/DRP.
    • Developing a business program or an investment update for an ongoing program.
    • Business technology strategy highlights and impacts.
    • Digital transformation initiatives (value, ROI, risk).

    Info-Tech Insight
    You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

    Info-Tech Insight
    Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

    Structure your presentation to tell a logical story

    To build a strong story for your presentation, ensure you answer these three questions:

    WHY

    Why is this a business issue, or why should the executive stakeholders care?

    WHAT

    What is the impact of solving the problem and driving value for the company?

    HOW

    How will we leverage our resources (technology, finances) to solve the problem?

    Examples:

    Scenario 1: The company has experienced a security incident.

    Intent: To inform/educate the board about the security incident.

    WHY

    The data breach has resulted in a loss of customer confidence, negative brand impact, and a reduction in revenue of 30%.

    WHAT

    Financial, legal, and reputational risks identified, and mitigation strategies implemented. IT is working with the PR team on communications. Incident management playbook executed.

    HOW

    An analysis of vulnerabilities was conducted and steps to address are in effect. Recovery steps are 90% completed. Incident management program reviewed for future incidents.

    Scenario 2: Security is recommending investments based on strategic priorities.

    Intent: To reach a decision with the board – approve investment proposal.

    WHY

    The new security strategy outlines two key initiatives to improve an organization’s security culture and overall risk posture.

    WHAT

    Security proposed an investment to implement a security training & phishing test campaign, which will assist in reducing data breach risks.

    HOW

    Use 5% of security’s budget to implement security training and phishing test campaigns.

    Time plays a key role in delivering an effective presentation

    What you include in your story will often depend on how much time you have available to deliver the message.

    Consider the following:

    • Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
    • If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
    • Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
    • Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

    Navigating through Q&A

    Use the Q&A portion to build credibility with the board.

    • It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
    • When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
      • “Let’s work with the sub-committee to find you an answer.”
      • “Let’s take that offline to address in more detail.”
      • “I have some follow-up material I can provide you to discuss that further after our meeting.”
    • And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

    Info-Tech Insight
    The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

    Storytelling checklist

    Checklist:

    • Tailor your presentation based on how much time you have.
    • Find out ahead of time how much time you have.
    • Identify if your presentation is to inform/educate or reach a decision.
    • Identify and communicate the business problem up front and answer the three questions (why, what, how).
    • Express the problem in terms of business impact (risk, value, money).
    • Prepare and send pre-meeting collateral to the members of the board and executive team.
    • Include no more than 5-6 slides for your presentation.
    • Factor in Q&A time at the end of your presentation window.
    • Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
    • Have an elevator speech handy – one or two sentences and a one-pager version of your story.
    • Consider how you will build your relationship with the members outside the boardroom.

    3.1.3 Build a compelling communication document

    Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

    A good slide design increases the likelihood that the audience will read the content carefully.

    • Bad slide structure (flow) = Audience loses focus
      • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
    • Good visual design = Audience might read more
      • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
    • Good content + Good structure + Visual appeal = Good presentation
      • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

    Slide design best practices

    Leverage these slide design best practices to assist you in developing eye-catching presentations.

    • Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
    • Concise and clear: Fewer words = more skim-able.
    • Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
    • Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
    • Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
    • Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

    Your presentation must have a logical flow

    Horizontal logic

    Vertical logic

    • Horizontal logic should tell a story.
    • When slide titles are read in a cascading manner, they will tell a logical and smooth story.
    • Title & tagline = thesis (best insight).
    • Vertical logic should be intuitive.
    • Each step must support the title.
    • The content you intend to include within each slide is directly applicable to the slide title.
    • One main point per slide.

    Vertical logic should be intuitive

    The image contains a screenshot example of a bad design layout for a slide. The image contains a screenshot example of a good design layout for a slide.

    The audience is unsure where to look and in what order.

    The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

    Horizontal and vertical logic checklists

    Horizontal logic

    Vertical logic

    • List your slide titles in order and read through them.
    • Good horizontal logic should feel like a story. Incomplete horizontal logic will make you pause or frown.
    • After a self-test, get someone else to do the same exercise with you observing them.
    • Note at which points they pause or frown. Discuss how those points can be improved.
    • Now consider each slide title proposed and the content within it.
    • Identify if there is a disconnect in title vs. content.
    • If there is a disconnect, consider changing the title of the slide to appropriately reflect the content within it, or consider changing the content if the slide title is an intended path in the story.

    Make it easy to read

    The image contains a screenshot that demonstrates an uneasy to read slide. The image contains a screenshot that demonstrates an easy to read slide.
    • Unnecessary coloring makes it hard on the eyes
    • Margins for title at top is too small
    • Content is not skim-able (best to break up the slide)

    Increase skim-ability:

    • Emphasize the subheadings
    • Bold important words

    Make it easier on the eyes:

    • Declutter and add sections
    • Have more white space

    Be concise and clear

    1. Write your thoughts down
      • This gets your content documented.
      • Don’t worry about clarity or concision yet.
    2. Edit for clarity
      • Make sure the key message is very clear.
      • Find your thesis statement.
    3. Edit for concision
      • Remove unnecessary words.
      • Use the active voice, not passive voice (see below for examples).

    Passive voice

    Active voice

    “There are three things to look out for” (8 words)

    “Network security was compromised by hackers” (6 words)

    “Look for these three things” (5 words)

    “Hackers compromised network security” (4 words)

    Be memorable

    The image contains a screenshot of an example that demonstrates a bad example of how to be memorable. The image contains a screenshot of an example that demonstrates a good example of how to be memorable.

    Easy to read, but hard to remember the stats.

    The visuals make it easier to see the size of the problem and make it much more memorable.

    Remember to:

    • Have some kind of visual (e.g. graphs, icons, tables).
    • Divide the content into sections.
    • Have a bit of color on the page.

    Aesthetics

    The image contains a screenshot of an example of bad aesthetics. The image contains a screenshot of an example of good aesthetics.

    This draft slide is just content from the outline document on a slide with no design applied yet.

    • Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate.
    • Divide the content into sections.
    • Have a bit of color on the page.
    • Bold or italicize important text.

    Why use visuals?

    How graphics affect us

    Cognitively

    • Engage our imagination
    • Stimulate the brain
    • Heighten creative thinking
    • Enhance or affect emotions

    Emotionally

    • Enhance comprehension
    • Increase recollection
    • Elevate communication
    • Improve retention

    Visual clues

    • Help decode text
    • Attract attention
    • Increase memory

    Persuasion

    • 43% more effective than text alone
    Source: Management Information Systems Research Center

    Presentation format

    Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

    • Is there a standard presentation template?
    • Is a hard-copy handout required?
    • Is there a deadline for draft submission?
    • Is there a deadline for final submission?
    • Will the presentation be circulated ahead of time?
    • Do you know what technology you will be using?
    • Have you done a dry run in the meeting room?
    • Do you know the meeting organizer?

    Checklist to build compelling visuals in your presentation

    Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

    Checklist:

    • Do the visuals grab the audience’s attention?
    • Will the visuals mislead the audience/confuse them?
    • Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
    • Do the visuals present information simply, cleanly, and accurately?
    • Do the visuals display the information/data in a concentrated way?
    • Do the visuals illustrate messages and themes from the accompanying text?

    3.2 Security communication templates

    Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck.

    These presentation templates highlight different security topics depending on your communication drivers, goals, and available data.

    Info-Tech has created five security templates to assist you in building a compelling presentation.

    These templates provide support for presentations on the following five topics:

    • Security Initiatives
    • Security & Risk Update
    • Security Metrics
    • Security Incident Response & Recovery
    • Security Funding Request

    Each template provides instructions on how to use it and tips on ensuring the right information is being presented.

    All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

    The image contains screenshots of the Security Presentation Templates.

    Download the Security Presentation Templates

    Security template example

    It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

    Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

    The image contains a screenshot of the Executive Summary slide. The image contains a screenshot of the Security Goals & Objectives slide.

    The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.

    This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

    Security template example (continued)

    The image contains a screenshot example of the Top Threats & Risks. The image contains a screenshot example of the Top Threats & Risks.

    This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

    This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

    Security template example (continued)

    The image contains a screenshot example of the slide, Risk Analysis. The image contains a screenshot example of the slide, Risk Mitigation Strategies & Roadmap.

    This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.

    The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

    Phase 4

    Deliver communication

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Identifying a strategy to deliver compelling presentations
    • Ensuring you follow best practices for communicating and obtaining your security goals

    This phase involves the following participants:

    • Security leader

    4.1 Deliver a captivating presentation

    You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

    Follow these tips to assist you in developing an engaging presentation:

    • Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
    • Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
    • Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

    Keep your audience engaged with these steps

    • Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
    • Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
    • Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
    • Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

    Info-Tech Insight
    Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

    Be honest and straightforward with your communication

    • Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
    • Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
    • No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

    Hone presentation skills before meeting with the executive stakeholders

    Know your environment

    Be professional but not boring

    Connect with your audience

    • Your organization has standards for how people are expected to dress at work. Make sure that your attire meets this standard – don’t be underdressed.
    • Think about your audience – would they appreciate you starting with a joke, or do they want you to get to the point as quickly as possible?
    • State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.
    • Present with lots of energy, smile, and use hand gestures to support your speech.
    • Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention on you.
    • Never read from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Checklist for presentation logistics

    Optimize the timing of your presentation:

    • Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
    • Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
    • Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

    Script your presentation:

    • Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
    • Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
    • Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
    • Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

    Checklist for presentation logistics (continued)

    Other considerations:

    • After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
    • After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
    • Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

    Checklist for delivering a captivating presentation

    Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

    Checklist:

    • Start with a story or something memorable to break the ice.
    • Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
    • Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
    • Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
    • Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

    Checklist for delivering a captivating presentation (continued)

    • Be deliberate in what you want to show your audience.
    • Ensure you have clean slides so the audience can focus on what you’re saying.
    • Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
    • How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
    • Ask for feedback.
    • Record yourself presenting.

    4.2 Obtain and verify support on security goals

    Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

    • This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
    • Leverage your appendix and other supporting documents to justify your goals.
    • Different approaches to obtaining and verifying your goals could include:
      • Acknowledgment from the audience that information communicated aligns with the business’s goals.
      • Approval of funding requests for security initiatives.
      • Written and verbal support for implementation of security initiatives.
      • Identifying next steps for information to communicate at the next executive stakeholder meeting.

    Info-Tech Insight
    Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

    Checklist for obtaining and verify support on security goals

    Follow this checklist to assist you in obtaining and verifying your communication goals.

    Checklist:

    • Be clear about follow-up and next steps if applicable.
    • Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
    • “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
    • Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

    Summary of Accomplishment

    Problem Solved

    A better understanding of security communication drivers and goals

    • Understanding the difference between communication drivers and goals
    • Identifying your drivers and goals for security presentation

    A developed a plan for how and where to retrieve data for communication

    • Insights on what type of data can be leveraged to support your communication goals
    • Understanding who you can collaborate with and potential data sources to retrieve data from

    A solidified communication plan with security templates to assist in better presenting to your audience

    • A guideline on how to prepare security presentations to executive stakeholders
    • A list of security templates that can be customized and used for various security presentations

    A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

    • Clear message on best practices for delivering security presentations to executive stakeholders
    • Understanding how to verify your communication goals have been obtained

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

    Build a Security Metrics Program to Drive Maturity
    This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

    Bibliography

    Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
    Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
    Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
    Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
    Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
    Carnegie Endowment for International Peace. Web.
    “Chief Information Security Officer Salary.” Salary.com, 2022. Web.
    “CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
    “Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
    “Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
    Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
    Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
    “Global Board Risk Survey.” EY. Web.
    “Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
    “How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
    Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
    Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
    McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
    Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
    Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
    Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
    O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

    Bibliography

    “Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
    Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
    “Reporting Cybersecurity Risk to the Board of Directors.” Web.
    “Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
    Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
    “The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
    “Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
    Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
    Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
    “Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

    Research Contributors

    • Fred Donatucci, New-Indy Containerboard, VP, Information Technology
    • Christian Rasmussen, St John Ambulance, Chief Information Officer
    • Stephen Rondeau, ZimVie, SVP, Chief Information Officer

    Build an Information Security Strategy

    • Buy Link or Shortcode: {j2store}242|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $45,303 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Many security leaders struggle to decide how to best to prioritize their scarce information security resources
    • The need to move from a reactive approach to security towards a strategic planning approach is clear. The path to getting there is less so.

    Our Advice

    Critical Insight

    The most successful information security strategies are:

    • Holistic – They consider the full spectrum of information security, including people, processes, and technology.
    • Risk aware – They understand that security decisions should be made based on the security risks facing their organization, not just on “best practice.”
    • Business aligned – They demonstrate an understanding of the goals and strategies of the organization and how the security program can support the business.

    Impact and Result

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
    • This approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Build an Information Security Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Information Security (IS) Strategy Research – A step-by-step document that helps you build a holistic, risk-based, and business-aligned IS strategy.

    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context. Use this storyboard to augment your security strategy by ensuring alignment with business objectives, assessing your organization's risk and stakeholder expectations, understanding your current security state, and prioritizing initiatives and a security roadmap.

    • Build an Information Security Strategy – Phases 1-4

    2. Information Security Requirements Gathering Tool – A tool to make informed security risk decisions to support business needs.

    Use this tool to formally identify business goals and customer and compliance obligations and make explicit links to how security initiatives propose to support these business interests. Then define the scope and boundaries for the security strategy and the risk tolerance definitions that will guide future security risk decisions.

    • Information Security Requirements Gathering Tool

    3. Information Security Pressure Analysis Tool – An evaluation tool to invest in the right security functions using a pressure analysis approach.

    Security pressure posture analysis helps your organization assess your real security context and enables you to invest in the right security functions while balancing the cost and value in alignment with business strategies. Security pressure sets the baseline that will help you avoid over-investing or under-investing in your security functions.

    • Information Security Pressure Analysis Tool

    4. Information Security Program Gap Analysis Tool – A structured tool to systematically understand your current security state.

    Effective security planning should not be one size fits all – it must consider business alignment, security benefit, and resource cost. To enable an effective security program, all areas of security need to be evaluated closely to determine where the organization sits currently and where it needs to go in the future.

    • Information Security Program Gap Analysis Tool

    5. Information Security Strategy Communication Deck – A best-of-breed presentation document to build a clear, concise, and compelling strategy document.

    Use this communication deck template to present the results of the security strategy to stakeholders, demonstrate the progression from the current state to the future state, and establish the roadmap of the security initiatives that will be implemented. This information security communication deck will help ensure that you’re communicating effectively for your cause.

    • Information Security Strategy Communication Deck

    6. Information Security Charter – An essential document for defining the scope and purpose of a security project or program.

    A charter is an essential document for defining the scope and purpose of security. Without a charter to control and set clear objectives for this committee, the responsibility of security governance initiatives will likely be undefined within the enterprise, preventing the security governance program from operating efficiently. This template can act as the foundation for a security charter to provide guidance to the governance of information security.

    • Information Security Charter
    [infographic]

    Workshop: Build an Information Security Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Security Requirements

    The Purpose

    Understand business and IT strategy and plans.

    Key Benefits Achieved

    Defined security obligations, scope, and boundaries.

    Activities

    1.1 Define business and compliance.

    1.2 Establish security program scope.

    1.3 Analyze the organization’s risk and stakeholder pressures.

    1.4 Identify the organizational risk tolerance level.

    Outputs

    Security obligations statement

    Security scope and boundaries statement

    Defined risk tolerance level

    Risk assessment and pressure analysis

    2 Perform a Gap Analysis

    The Purpose

    Define the information security target state.

    Key Benefits Achieved

    Set goals and Initiatives for the security strategy in line with the business objectives.

    Activities

    2.1 Assess current security capabilities.

    2.2 Identify security gaps.

    2.3 Build initiatives to bridge the gaps.

    Outputs

    Information security target state

    Security current state assessment

    Initiatives to address gaps

    3 Complete the Gap Analysis

    The Purpose

    Continue assessing current security capabilities.

    Key Benefits Achieved

    Identification of security gaps and initiatives to bridge them according to the business goals.

    Activities

    3.1 Identify security gaps.

    3.2 Build initiatives to bridge the maturity gaps.

    3.3 Identify initiative list and task list.

    3.4 Define criteria to be used to prioritize initiatives.

    Outputs

    Completed security current state assessment

    Task list to address gaps

    Initiative list to address gaps

    Prioritize criteria

    4 Develop the Roadmap

    The Purpose

    Create a plan for your security strategy going forward.

    Key Benefits Achieved

    Set path forward to achieving the target state for the business through goal cascade and gap initiatives.

    Activities

    4.1 Conduct cost/benefit analysis on initiatives.

    4.2 Prioritize gap initiatives based on cost and alignment with business.

    4.3 Build an effort list.

    4.4 Determine state times and accountability.

    4.5 Finalize security roadmap and action plan.

    4.6 Create communication plan.

    Outputs

    Information security roadmap

    Draft communication deck

    5 Communicate and Implement

    The Purpose

    Finalize deliverables.

    Key Benefits Achieved

    Consolidate documentation into a finalized deliverable that can be used to present to executives and decision makers to achieve buy-in for the project.

    Activities

    5.1 Support communication efforts.

    5.2 Identify resources in support of priority initiatives.

    Outputs

    Security strategy roadmap documentation

    Detailed cost and effort estimates

    Mapping of Info-Tech resources against individual initiatives

    Further reading

    Build an Information Security Strategy

    Create value by aligning your strategy to business goals and business risks.

    Analyst Perspective

    Set your security strategy up for success.

    “Today’s rapid pace of change in business innovation and digital transformation is a call to action to information security leaders.

    Too often, chief information security officers find their programs stuck in reactive mode, a result of years of mounting security technical debt. Shifting from a reactive to proactive stance has never been more important. Unfortunately, doing so remains a daunting task for many.

    While easy to develop, security plans premised on the need to blindly follow ‘best practices’ are unlikely to win over many stakeholders. To be truly successful, an information security strategy needs to be holistic, risk-aware, and business-aligned.”

    Kevin Peuhkurinen

    Research Director – Security, Risk & Compliance

    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many security leaders struggle to decide how best to prioritize their scarce information security resources.
    • The need to move from a reactive approach to security toward a strategic planning approach is clear. The path to getting there is less clear.

    Common Obstacle

    • Developing a security strategy can be challenging. Complications include:
      • Performing an accurate assessment of your current security program can be extremely difficult when you don’t know what to assess or how.
      • Determining the appropriate target state for security can be even more challenging. A strategy built around following best practices is unlikely to garner significant support from business stakeholders.

    Info-Tech’s Approach

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for 7+ years with hundreds of organizations.
    • This unique approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Info-Tech Insight

    The most successful information security strategies are:

    • Holistic. They consider the full spectrum of information security, including people, processes, and technologies.
    • Risk-Aware. They understand that security decisions should be made based on the security risks facing their organization, not just on best practice.
    • Business-Aligned. They demonstrate an understanding of the goals and strategies of the organization, and how the security program can support the business.

    It’s not a matter of if you have a security incident, but when

    Organizations need to prepare and expect the inevitable security breach.

    Fifty-eight percent of companies surveyed that experienced a breach were small businesses.

    Eighty-nine percent of breaches have a financial or espionage motive.

    Three graphs are depicted. The first is labeled ‘Total Cost for Three Data Breach Root Causes,’ the second ‘Distribution of Benchmark by Root Cause of the Data Breach,’ and the third ‘Per Capita for Three Root Causes of a Data Breach.’ The three root causes are malicious or criminal attack (US$166 million per capita), system glitch ($132 million per capita), and human error ($133 million per capita).

    Source: Ponemon Institute, “2019 Global Cost of Data Breach Study”

    An information security strategy can help you prepare for incidents

    Organizations need to expect the inevitable security breach.

    90%

    of businesses have experienced an external threat in the last year.

    50%

    of IT professionals consider security to be their number one priority.

    53%

    of organizations claimed to have experienced an insider attack in the previous 12 months. 1

    46%

    of businesses believe the frequency of attacks is increasing. 2

    Effective IT leaders approach their security strategy from an understanding that attacks on their organization will occur. Building a strategy around this assumption allows your security team to understand the gaps in your current approach and become proactive instead of being reactive.

    Sources: 1 Kaspersky Lab, “Global IT Security Risks Survey”; 2 CA Technologies, “Insider Threat 2018 Report”

    Persistent Issues

    Evolving Ransomware

    • Continual changes in types and platforms make ransomware a persistent threat. The frequency of ransomware attacks was reported to have increased by 67% in the past five years. 1

    Phishing Attacks

      • Despite filtering and awareness, email remains the most common threat vector for phishing attacks (94%) and an average of 3% of participants in phishing campaigns still click on them. 2

    Insider Privilege and Misuse

    • Typically, 34% of breaches are perpetrated by insiders, with 15% involving privilege misuse. Takeaway: Care less about titles and more about access levels. 3

    Denial of Service

    • The median amount of time that an organization is under attack from DDoS attack is three days.

    Emerging Trends

    Advanced Identity and Access Governance

    • Using emerging technologies in automation, orchestration, and machine learning, the management and governance of identities and access has become more advanced.

    Sources: 1 Accenture, “2019 The Cost of Cyber Crime Study”; 2,3 Verizon, “2019 Data Breach Investigations Report”

    New threat trends in information security aren’t new.

    Previously understood attacks are simply an evolution of prior implementations, not a revolution.

    Traditionally, most organizations are not doing a good-enough job with security fundamentals, which is why attackers have been able to use the same old tricks.

    However, information security has finally caught the attention of organizational leaders, presenting the opportunity to implement a comprehensive security program.

    Cyberattacks have a significant financial impact

    Global average cost of a data breach: $3.92 Million

    Source: Ponemon Institute, “2019 Cost of a Data Breach Study: Global Overview”

    A bar graph, titled ‘Average cost of data breach by industry,’ is depicted. Of 17 industries depicted, public is the lowest average cost (US$1.29 million) and health is the highest average cost ($6.45 million).

    Primary incident type (with a confirmed data breach)

    1. Leading incident type is Denial of Service attacks (DoS), taking up to 70% of all incidents.
    2. When it comes to data breaches, we see that the use of stolen credentials leads to the most cases of confirmed breaches, accounting for 29%.

    Personal records tend to be the most compromised data types, while databases tend to be the most frequently involved asset in breaches.

    Source: Verizon, “2019 Data Breach Investigations Report”

    Security threats are not going away

    We continue to see and hear of security breaches occurring regularly.

    A bar graph depicts the percentage of businesses who experienced a data breach in the last year–US total and global total. Numbers have increased from 2016 to 2019. In 2016, 19 percent of US businesses experienced a breach. In 2019, this number was 59 percent.

    An attacker must be successful only once. The defender – you – must be successful every time.

    Info-Tech’s approach

    Maturing from reactive to strategic information security

    Two circular graphs depict the move from ‘reactive security’ to ‘strategic security’ organizations can accomplish using Info-Tech’s approach.

    Tools icon that is used in the first three stages of the strategic security graph above. Indicates Info-Tech tools included in this blueprint.

    The Info-Tech difference:

    1. A proven, structured approach to mature your information security program from reactive to strategic.
    2. A comprehensive set of tools to take the pain out of each phase in the strategy building exercise.
    3. Visually appealing templates to communicate and socialize your security strategy and roadmap to your stakeholders.

    Info-Tech’s Security Strategy Model

    Info-Tech’s Security Strategy Model is depicted in this rectangular image with arrows. The first level depicts business context (enterprise goals, compliance obligations, scope and boundaries) and pressures (security risks, risk tolerance, stakeholder expectations). The second level depicts security target state (maturity model, security framework, security alignment goals, target maturity, time frame) and current state (current state assessment, gap analysis). The third level depicts the information security roadmap (initiative list, task list, prioritization methodology, and Gantt chart).

    The Info-Tech difference:

    An information security strategy model that is:

    1. Business-Aligned. Determines business context and cascades enterprise goals into security alignment goals.
    2. Risk-Aware. Understands the security risks of the business and how they intersect with the overall organizational risk tolerance.
    3. Holistic. Leverages a best-of-breed information security framework to provide comprehensive awareness of organizational security capabilities.

    Info-Tech’s best-of-breed security framework

    This image shows how Info-Tech’s framework is based on ISO 27000 series, CIS Top 20, COBIT 2019, NIST 800-53, and NIST CSF.

    Info-Tech’s approach

    Creating an information security strategy

    Value to the business

    Outcome

    Best-of-breed security strategy

    Have documentation that paints a picture of the road to compliance. Integrate your framework with your risk tolerance and external pressures.

    Be ready for future changes by aligning your security strategy to security framework best practices.

    Address the nature of your current information security

    Eliminate gaps in process and know what is in scope for your security strategy. Learn what pressures your business and industry are under.

    Gain insight into your current state, allowing you to focus on high-value projects first, transitioning towards a target state.

    Highlight overlooked functions of your current security strategy

    Build a comprehensive security program that brings to light all aspects of your security program.

    Instead of pursing ad hoc projects, know what needs work and how to prioritize your pressing security issues.

    Create a tangible roadmap to your target state

    Create a plan for your future state of information security. Refer to and update your target state as your business needs change.

    Document your current progress and path forward in the future. Know your goals and requirements, codified in a living document.

    Use our prepopulated deliverables to fast track your progress

    Let Info-Tech do the work for you. With completed deliverables, have tangible documents to convey your business needs.

    A comprehensive set of deliverables with concrete, defensible data to justify any business changes.

    A living security strategy

    Pivot and change prioritization to meet the needs of your security deficits.

    Future-proof your security strategy for any contingency.

    The Info-Tech difference:

    Evolve the security program to be more proactive by leveraging Info-Tech’s approach to building a security strategy.

    • Dive deep into security obligations and security pressures to define the business context.
    • Conduct a thorough current state and future state analysis that is aligned with a best-of-breed framework.
    • Prioritize gap-closing initiatives to create a living security strategy roadmap.

    Use Info-Tech’s blueprint to save one to three months

    This image depicts how using Info-Tech’s four-phase blueprint can save an estimated seven to 14 weeks of an organization’s time and effort.

    Iterative benefit

    Over time, experience incremental value from your initial security strategy. Through continual updates your strategy will evolve but with less associated effort, time, and costs.

    These estimates are based on experiences with Info-Tech clients throughout the creation of this blueprint.

    Key deliverable:

    Information Security Strategy Communication Deck (PPT)

    Present your findings in a prepopulated document that can summarizes all key findings of the blueprint.

    Screenshots from Info-Tech’s Information Security Strategy Communication Deck Template.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Information Security Pressure Analysis Tool

    Determine your organization’s security pressures and ability to tolerate risk.

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Charter

    Ensure the development and management of your security policies meet the broader program vision.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical Guided Implementation on this topic look like?

    Guided Implementation #1 - Assess security requirements
    • Call #1 - Introduce project and complete pressure analysis.
    Guided Implementation #2 - Build a gap initiative strategy
    • Call #1 - Introduce the maturity assessment.
    • Call #2 - Perform gap analysis and translate into initiatives.
    • Call #3 - Consolidate related gap initiatives and define, cost, effort, alignment, and security benefits.
    Guided Implementation #3 - Prioritize initiatives and build roadmap
    • Call #1 - Review cost/benefit analysis and build an effort map.
    • Call #2 - Build implementation waves and introduce Gantt chart.
    Guided Implementation #4 - Execute and maintain
    • Call #1 - Review Gantt chart and ensure budget/buy-in support.
    • Call #2 - Three-month check-in: Execute and maintain.

    A Guided Implementation is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical Guided Implementation is between 2-12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information, or contact workshops@infotech.com or 1-888-670-8889.

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Activities

    Assess Security Requirements

    Perform a Gap Analysis

    Complete the Gap Analysis

    Develop Roadmap

    Communicate and Implement

    1.1 Understand business and IT strategy and plans

    1.2 Define business and compliance requirements

    1.3 Establish the security program scope

    1.4 Analyze the organization’s risks and stakeholder pressures

    1.5 Identify the organizational risk tolerance level

    2.1 Define the information security target state

    2.2 Assess current security capabilities

    2.3 Identify security gaps

    2.4 Build initiatives to bridge the gaps

    3.1 Continue assessing current security capabilities

    3.2 Identify security gaps

    3.3 Build initiatives to bridge the maturity gaps

    3.4 Identify initiative list and task list

    3.5 Define criteria to be used to prioritize initiatives

    4.1 Conduct cost/benefit analysis on initiatives

    4.2 Prioritize gap initiatives based on cost, time, and alignment with the business

    4.3 Build effort map

    4.4 Determine start times and accountability

    4.5 Finalize security roadmap and action plan

    4.6 Create communication plan

    5.1 Finalize deliverables

    5.2 Support communication efforts

    5.3 Identify resources in support of priority initiatives

    Deliverables

    1.Security obligations statement

    2.Security scope and boundaries statement

    3.Defined risk tolerance level

    4.Risk assessment and pressure analysis

    1.Information security target state

    2.Security current state assessment

    3.Initiatives to address gaps

    1.Completed security current state assessment

    2.Task list to address gaps address gaps

    4.Prioritization criteria

    1.Information security roadmap

    2.Draft communication deck

    1.Security strategy roadmap documentation

    2.Detailed cost and effort estimates

    3.Mapping of Info-Tech resources against individual initiatives

    Executive Brief Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research group

    Founded over 100 years ago, Credit Service Company (CSC)* operates in the United States with over 40 branches located across four states. The organization services over 50,000 clients.

    Situation

    Increased regulations, changes in technology, and a growing number of public security incidents had caught the attention of the organization’s leadership. Despite awareness, an IT and security strategy had not been previously created. Management was determined to create a direction for the security team that aligned with their core mission of providing exceptional service and expertise.

    Solution

    During the workshop, the IT team and Info-Tech analysts worked together to understand the organization’s ideal state in various areas of information security. Having a concise understanding of requirements was a stepping stone to beginning to develop CSC’s prioritized strategy.

    Results

    Over the course of the week, the team created a document that concisely prioritized upcoming projects and associated costs and benefits. On the final day of the workshop, the team effectively presented the value of the newly developed security strategy to senior management and received buy-in for the upcoming project.

    *Some details have been changed for client privacy.

    Phase 1

    Assess Security Requirements

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    1.1 Define goals and scope of the security strategy.

    1.2 Assess your organization’s current inherent security risks.

    1.3 Determine your organization’s stakeholder pressures for security.

    1.4 Determine your organization’s risk tolerance.

    1.5 Establish your security target state.

    1.1.1 Record your business goals

    Once you have identified your primary and secondary business goals, as well as the corresponding security alignment goals, record them in the Information Security Requirements Gathering Tool. The tool provides an activity status that will let you know if any parts of the tool have not been completed.

    1. Record your identified primary and secondary business goals in the Goals Cascade tab of the Information Security Requirements Gathering Tool.

    Use the drop-down lists to select an appropriate goal or choose “Other.” If you do choose “Other,” you will need to manually enter an appropriate business goal.

    2. For each of your business goals, select one to two security alignment goals. The tool will provide you with recommendations, but you can override these by selecting a different goal from the drop-down lists.

    A screenshot of the ‘Business Goals Cascade,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    A common challenge for security leaders is how to express their initiatives in terms that are meaningful to business executives. This exercise helps to make an explicit link between what the business cares about and what security is trying to accomplish.

    1.1.2 Review your goals cascade

    Estimated Time: 15 minutes

    1. When you have completed the goals cascade, you can review a graphic diagram that illustrates your goals. The graphic is found on the Results tab of the Information Security Requirements Gathering Tool.
      • Security must support the primary business objectives. A strong security program will enable the business to compete in new and creative ways, rather than simply acting as an obstacle.
      • Failure to meet business obligations can result in operational problems, impacting the organization’s ability to function and the organization’s bottom line.
    2. Once you have reviewed the diagram, copy it into the Information Security Strategy Communication Deck.

    A screenshot of the ‘Goal Cascade Diagrams,’ which is part of the ‘Information Security Requirements Gathering Tool.’

    Identify your compliance obligations

    Most conventional regulatory obligations are legally mandated legislation or compliance obligations, such as:

    Sarbanes-Oxley Act (SOX)

    Applies to public companies that have registered equity or debt securities within the SEC to guarantee data integrity against financial fraud.

    Payment Card Industry Data Security Standard (PCI DSS)

    Applies to any organization that processes, transmits, or stores credit card information to ensure cardholder data is protected.

    Health Insurance Portability and Accountability Act (HIPAA)

    Applies to the healthcare sector and protects the privacy of individually identifiable healthcare information.

    Health Information Technology for Economic and Clinical Health (HITECH)

    Applies to the healthcare sector and widens the scope of privacy and security protections available under HIPAA.

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    Applies to private sector organizations that collect personal information in Canada to ensure the protection of personal information in the course of commercial business.

    Compliance obligations also extend to voluntary security frameworks:

    NIST

    National Institute of Standards and Technology; a non-regulatory agency that develops and publicizes measurement

    CIS – 20 CSC

    Center for Internet Security – 20 Critical Security Controls; foundational set of effective cybersecurity practices.

    ISO 27001

    An information security management system framework outlining policies and procedures.

    COBIT 5

    An information technology and management and governance framework.

    HITRUST

    A common security framework for organizations that use or hold regulated personal health information.

    1.1.3 Record your compliance obligations

    Estimated Time: 30 minutes

    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      • Laws
      • Government regulations
      • Industry standards
      • Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your security strategy, include only those that have information security or privacy requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Information Security Requirements Gathering Tool.

    A screenshot of ‘Security Compliance Obligations,’ part of the ‘Information Security Requirements Gathering Tool.’

    Establish your scope and boundaries

    It is important to know at the outset of the strategy: what are we trying to secure?

    This includes physical areas we are responsible for, types of data we care about, and departments or IT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list every one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Does your ISMS need to secure all your programs or a select few?
    • Is the system owned or outsourced?
    • Where are we accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. Operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    Organizational scope considerations

    Many different groups will fall within the purview of the security strategy. Consider these two main points when deciding which departments will be in scope:

    1. If a group/user has access to data or systems that can impact the organization, then securing that group/user should be included within scope of the security strategy.
    2. If your organization provides some work direction to a group/user, they should be included within scope of the security strategy.
    1. Identify your departments and business groups
      • Start by identifying departments that provide some essential input or service to the organization or departments that interact with sensitive data.
    2. Break out different subsidiaries or divisions
      • Subsidiaries may or may not be responsible for securing themselves and protecting their data, but either way they are often heavily reliant on corporate for guidance and share IT resourcing support.
    3. Identify user groups
      • Many user groups exist, all requiring different levels of security. For example, from on-premises to remote access, from full-time employees to part-time or contractors.

    Physical scope considerations

    List physical locations by type

    Offices

    The primary location(s) where business operations are carried out. Usually leased or owned by the business.

    Regional Offices

    These are secondary offices that can be normal business offices or home offices. These locations will have a VPN connection and some sort of tenant.

    Co-Locations

    These are redundant data center sites set up for additional space, equipment, and bandwidth.

    Remote Access

    This includes all remaining instances of employees or contractors using a VPN to connect.

    Clients and Vendors

    Various vendors and clients have dedicated VPN connections that will have some control over infrastructure (whether owed/laaS/other).

    List physical locations by nature of the location

    Core areas within physical scope

    These are many physical locations that are directly managed. These are high-risk locations with many personal and services, resulting in many possible vulnerabilities and attack vectors.

    Locations on the edge of control

    These are on the edge of the physical scope, and thus, in scope of the security strategy. These include remote locations, remote access connections, etc.

    Third-party connections

    Networks of third-party users are within physical scope and need defined security requirements and definitions of how this varies per user.

    BYOD

    Mostly privately owned mobile devices with either on-network or remote access.

    It would be overkill and unhelpful to list every single location or device that is in scope. Rather, list by broad categories as suggested above or simply list exceptional cases that are in/out of scope.

    IT systems scope considerations

    Consider identifying your IT systems by your level of control or ownership.

    Fully owned systems

    These are systems that are wholly owned or managed by your organization.

    IT is almost always the admin of these systems. Generally they are hosted on premises. All securitization through methods such as patching or antivirus is done and managed by your IT department.

    Cloud/remote hosted (SaaS)

    These are systems with a lot of uncertainties because the vendor or service provided is either not known or what they are doing for security is not fully known.

    These systems need to be secured regardless, but supplier and vendor relationship management becomes a major component of how to manage these systems. Often, each system has varying levels of risk based on vendor practices.

    Hybrid owned (IaaS/PaaS)

    You likely have a good understanding of control for these systems, but they may not be fully managed by you (i.e. ownership of the infrastructure). These systems are often hosted by third parties that do some level of admin work.

    A main concern is the unclear definition of responsibility in maintaining these systems. These are managed to some degree by third parties; it is challenging for your security program to perform the full gamut of security or administrative functions.

    Unknown/unowned systems

    There are often systems that are unowned and even unknown and that very few people are using. These apps can be very small and my not fall under your IT management system framework. These systems create huge levels of risk due to limited visibility.

    For example, unapproved (shadow IT) file sharing or cloud storage applications would be unknown and unowned.

    1.1.4 Record your scope and boundaries

    Estimated Time: 30-60 minutes

    1. Divide into groups and give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the scope buckets.
    2. Collect each group’s responses and discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.
      • Careful attention should be paid to any elements of the strategy that are not in scope.
    3. Discuss and aggregate all responses as to what will be in scope of the security strategy and what will not be. Record these in the Information Security Requirements Gathering Tool.

    A screenshot of ‘Scope and Boundaries,’ part of the ‘Information Security Requirements Gathering Tool.’

    1.2 Conduct a risk assessment

    Estimated Time: 1-3 hours

    1. As a group, review the questions on the Risk Assessment tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements:
      • Threats
      • Assets
      • Vulnerabilities (people, systems, supply chain)
      • Historical security incidents

    Input

    • List of organizational assets
    • Historical data on information security incidents

    Output

    • Completed risk assessment

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    1.2.1 Complete the risk assessment questionnaire

    Estimated Time: 60-90 minutes

    1. Review each question in the questionnaire and provide the most appropriate response using the drop-down list.
      • If you are unsure of the answer, consult with subject matter experts to obtain the required data.
      • Otherwise, provide your best estimation
    2. When providing responses for the historical incident questions, only count incidents that had a sizeable impact on the business.

    A screenshot of the ‘Organizational Security Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Understanding your organization’s security risks is critical to identifying the most appropriate level of investment into your security program. Organizations with more security risks will need more a mature security program to mitigate those risks.

    1.2.2 Review the results of the risk assessment

    Estimated Time: 30 minutes

    1. Once you have completed the risk assessment, you can review the output on the Results tab.
    2. If required, the weightings of each of the risk elements can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk assessment diagram into the Information Security Strategy Communication Deck.

    A screenshot showing sample results of the ‘Organizational Risk Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    It is important to remember that the assessment measures inherent risk, meaning the risk that exists prior to the implementation of security controls. Your security controls will be assessed later as part of the gap analysis.

    1.3 Conduct pressure analysis

    Estimated Time: 1-2 hours

    1. As a group, review the questions on the Pressure Analysis tab of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements:
      • Compliance and oversight
      • Customer expectations
      • Business expectations
      • IT expectations

    Input

    • Information on various pressure elements within the organization

    Output

    • Completed pressure analysis

    Materials

    • Information Security Pressure Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Leaders
    • Compliance

    Download the Information Security Pressure Analysis Tool

    Risk tolerance considerations

    At this point, we want to frame risk tolerance in terms of business impact. Meaning, what kinds of impacts to the business would we be able to tolerate and how often? This will empower future risk decisions by allowing the impact of a potential event to be assessed, then compared against the formalized tolerance. We will consider impact from three perspectives:

    F

    Functional Impact

    The disruption or degradation of business/organizational processes.

    I

    Informational Impact

    The breach of confidentiality, privacy, or integrity of data/information.

    R

    Recoverability Impact

    The disruption or degradation of the ability to return to conditions prior to a security incident.

    Consider these questions:

    Questions to ask

    Description

    Is there a hard-dollar impact from downtime?

    This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it affects sales, and therefore, revenue.

    Is regulatory compliance a factor?

    Depending on the circumstances of the vulnerabilities, it can be a violation of compliance obligations that would cause significant fines.

    Are any critical services dependent on this asset?

    Functional dependencies are sometimes not obvious, and assets that appear marginal can have huge impacts on critical services.

    Is there a health or safety risk?

    Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure uninterrupted critical health services. An exploited vulnerability that impacts these operations can have life and death consequences.

    ANALYST PERSPECTIVE

    It is crucial to keep in mind that you care about a risk scenario impact to the main business processes.

    For example, imagine a complete functional loss of the corporate printers. For most businesses, even the most catastrophic loss of printer function will have a small impact on their ability to carry out the main business functions.

    On the flip side, even a small interruption to email or servers could have a large functional impact on business processes.

    Risk tolerance descriptions

    High

    • Organizations with high risk tolerances are often found in industries with limited security risk, such as Construction, Agriculture and Fishing, or Mining.
    • A high risk tolerance may be appropriate for organizations that do not rely on highly sensitive data, have limited compliance obligations, and where their customers do not demand strong security controls. Organizations that are highly focused on innovation and rapid growth may also tend towards a higher risk tolerance.
    • However, many organizations adopt a high risk tolerance by default simply because they have not adequately assessed their risks.

    Moderate

    • Organizations with medium risk tolerances are often found in industries with moderate levels of security risk, such as Local Government, Education, or Retail and Wholesale
    • A medium risk tolerance may be appropriate for organizations that store and process some sensitive data, have a modest number of compliance obligations, and where customer expectations for security tend to be implicit rather than explicit.

    Low

    • Organizations with low risk tolerances are often found in industries with elevated security risk, such as Financial Services, Federal Governments, or Defense Contractors.
    • A low risk tolerance may be appropriate for organizations that store very sensitive data, process high-value financial transactions, are highly regulated, and where customers demand strong security controls.
    • Some organizations claim to have a low risk tolerance, but in practice will often allow business units or IT to accept more security risk than would otherwise be permissible. A strong information security program will be required to manage risks to an acceptable level.

    1.4.1 Complete the risk tolerance questionnaire

    Estimated Time: 30-60 minutes

    1. In a group discussion, review the low-, medium-, and high-impact scenarios and examples for each impact category. Ensure that everyone has a consistent understanding of the scenarios.
    2. For each impact type, use the frequency drop-down list to identify the maximum frequency that the organization could tolerate for the event scenarios, considering:
      • The current frequency with which the scenarios are occurring in your organization may be a good indication of your tolerance. However, keep in mind that you may be able to tolerate these incidents happening more frequently than they do.
      • Hoping is not the same as tolerating. While everyone hopes that high-impact incidents never occur, carefully consider whether you could tolerate them occurring more frequently.

    A screenshot showing the ‘Organizational Security Risk Tolerance Assessment,’ part of the ‘Information Security Pressure Analysis Tool.’

    1.4.2 Review the results of the risk tolerance analysis

    Estimated Time: 30 minutes

    1. Once you have completed the risk tolerance exercise, you can review the output on the Results tab.
    2. If required, the weightings of each of the impact types can be customized on the Weightings tab.
    3. Once you have reviewed the results, copy your risk tolerance diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the 'Information Security Risk Tolerance Assessment,' part of the ‘Information Security Pressure Analysis Tool.’

    A low risk tolerance will require a stronger information security program to ensure that operational security risk in the organization is minimized. If this tool reports that your risk tolerance is low, it is recommended that you review the results with your senior stakeholders to ensure agreement and support for the security program.

    1.5 Establish your target state

    Estimated Time: 30-60 minutes

    1. As a group, review the overall results of the requirements gathering exercise:
      • Business goals cascade
      • Compliance obligations
      • Scope
    2. Review the overall results of the risk assessment, pressure analysis, and risk tolerance exercises.
    3. Conduct a group discussion to arrive at a consensus of what the ideal target state for the information security program should look like.
      • Developing mission and vision statements for security may be useful for focusing the group.
      • This discussion should also consider the desired time frame for achieving the target state.

    Download the Information Security Pressure Analysis Tool

    Input

    • Information security requirements (goals cascade, compliance obligations, scope)
    • Risk assessment
    • Pressure analysis
    • Risk tolerance

    Output

    • Completed information security target state

    Materials

    Participants

    • Security Team
    • IT Leadership
    • Risk Management
    • Business Leaders
    • Compliance

    Understanding security target states

    Maturity models are very effective for determining information security target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state for information security in your organization.

    1. AD HOC

      Initial/Ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.
    2. DEVELOPING

      Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.
    3. DEFINED

      A defined security program is holistic, documented, and proactive. At least some governance is in place, however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.
    4. MANAGED

      Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.
    5. OPTIMIZED

      An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    1.5.1 Review the results of the target state recommendation

    Estimated Time: 30-60 minutes

    1. Based upon your risk assessment, pressure analysis, and risk tolerance, the Information Security Pressure Analysis Tool will provide a recommended information security target state.
    2. With your group, review the recommendation against your expectations.
    3. If required, the weightings of each of the factors can be customized on the Weightings tab.
    4. Once you have reviewed the results, copy your target state diagram into the Information Security Strategy Communication Deck.

    A screenshot showing the results of the ‘Information Security Target State,’ part of the ‘Information Security Pressure Analysis Tool.’

    Info-Tech Insight

    Higher target states require more investment to attain. It is critical to ensure that all key stakeholders agree on the security target state. If you set a target state that aims too high, you may struggle to gain support and funding for the strategy. Taking this opportunity to ensure alignment from the start will pay off dividends in future.

    1.5.2 Review and adjust risk and pressure weightings

    Estimated Time: 30 minutes

    1. If the results of your risk assessment, pressure analysis, risk tolerance, or target state do not match your expectations, you may need to review and adjust the weightings for the elements within one or more of these areas.
    2. On the Weightings tab, review each of the strategic categories and adjust the weights as required.
      • Each domain is weighted to contribute to your overall pressure score based on the perceived importance of the domain to the organization.
      • The sum of all weights for each category must add up to 100%.

    A screenshot showing the results of the weightings given to each factor in a category, part of the ‘Information Security Pressure Analysis Tool.’

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research group

    Below are some of the primary requirements that influenced CSC’s initial strategy development.

    External Pressure

    Pressure Level: High

    • Highly regulated industries, such as Finance, experience high external pressure.
    • Security pressure was anticipated to increase over the following three years due to an increase in customer requirement.

    Obligations

    Regulatory: Numerous regulations and compliance requirements as a financial institution (PCI, FFIEC guidance).

    Customer: Implicitly assumes personal, financial, and health information will be kept secure.

    Risk Tolerance

    Tolerance Level: Low

    1. Management: Are risk averse and have high visibility into information security.
    2. Multiple locations controlled by a central IT department decreased the organization’s risk tolerance.

    Summary of Security Requirements

    Define and implement dynamic information security program that understands and addresses the business’ inherent pressure, requirements (business, regulatory, and customer), and risk tolerance.

    Phase 2

    Build a Gap Initiative Strategy

      Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

      Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

      Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

      Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

      This phase will walk you through the following activities:

    • 2.1 Review Info-Tech’s framework.
    • 2.2 Assess your current state of security against your target state.
    • 2.3 Identify actions required to close gaps.

    2.1 Review the Info-Tech framework

    Estimated Time: 30-60 minutes

    1. As a group, have the security team review the security framework within the Information Security Gap Analysis Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Input

    • Information security requirements
    • Security target state

    Output

    • Customized security framework

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    Understand the Info-Tech framework

    Info-Tech’s security framework uses a best-of-breed approach to leverage and align with most major security standards, including:

    • ISO 27001/27002
    • COBIT
    • Center for Internet Security (CIS) Critical Controls
    • NIST Cybersecurity Framework
    • NIST SP 800-53
    • NIST SP 800-171

    A diagram depicting Info-Tech’s best-of-breed security framework.

    A best-of-breed approach ensures holistic coverage of your information security program while refraining from locking you in to a specific compliance standard.

    2.1.1 Configure the Information Security Gap Analysis Tool

    Estimated Time: 30 minutes

    Review the Setup tab of the Information Security Gap Analysis Tool. This tab contains several configurable settings that should be customized to your organization. For now, the three settings you will need to modify are:

    • The security target state. Enter the target state from your Information Security Pressure Analysis Tool. If you do not enter a target state, the tool will default to a target of 3 (Defined).
    • Your Security Alignment Goals (from your Information Security Requirements Gathering Tool).
    • The starting year for your security roadmap.

    A screenshot showing the ‘Setup’ tab of the ‘Information Security Gap Analysis Tool.’

    2.2 Assess current state of security

    Estimated Time: 8-16 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current state and target state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security target state
    • Information on current state of security controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Gap analysis

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Download the Information Security Gap Analysis Tool

    Example maturity levels

    To help determine appropriate current and target maturity levels, refer to the example below for the control “Email communication is filtered for spam and potential malicious communications.”

    AD HOC 01

    There is no centrally managed spam filter. Spam may be filtered by endpoint email clients.

    DEVELOPING 02

    There is a secure email gateway. However, the processes for managing it are not documented. Administrator roles are not well defined. Minimal fine-tuning is performed, and only basic features are in use.

    DEFINED 03

    There is a policy and documented process for email security. Roles are assigned and administrators have adequate technical training. Most of the features of the solution are being used. Rudimentary reports are generated, and some fine-tuning is performed.

    MANAGED 04

    Metrics are produced to measure the effectiveness of the email security service. Advanced technical features of the solution have been implemented and are regularly fine-tuned based on the metrics.

    OPTIMIZED 05

    There is a dedicated email security administrator with advanced technical training. Custom filters are developed to further enhance security, based on relevant cyber threat intelligence. Email security metrics feed key risk indicators that are reported to senior management.

    2.2.1 Conduct current state assessment

    Estimated Time: 8-16 hours

    1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
      • You should only use “N/A” if you are confident that the control is not required in your organization.
      • For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
    2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
    3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

    2.2.1 Conduct current state assessment

    Estimated Time: 8-16 hours

    1. Carefully review each of the controls in the Gap Analysis tab. For each control, indicate the current maturity level using the drop-down list.
      • You should only use “N/A” if you are confident that the control is not required in your organization. For example, if your organization does not perform any software development then you can select “N/A” for any controls related to secure coding practices.
    2. Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
    3. Select the target maturity for the control. The tool will default to the target state for your security program, but this can be overridden using the drop-down list.

    A screenshot showing the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Review the Gap Analysis Dashboard

    Use the Gap Assessment Dashboard to map your progress. As you fill out the Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.

    Use the color-coded legend to see how large the gap between your current and target state is. The legend can be customized further if desired.

    Security domains that appear white have not yet been assessed or are rated as “N/A.”

    2.2.3 Identify actions required to close gaps

    Estimated Time: 4-8 hours

    1. Using the Information Security Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure actions for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Input

    • Security control gap information

    Output

    • Gap closure action list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Download the Information Security Gap Analysis Tool

    2.3.1 Identify gap closure actions

    Estimated Time: 4-8 hours

    1. For each of the controls where there is a gap between the current and target state, a gap closure action should be identified:
      • Review the example actions and copy one or more of them if appropriate. Otherwise, enter your own gap closure action.
    2. Identify whether the action should be managed as a task or as an initiative. Most actions should be categorized as an initiative. However, it may be more appropriate to categorize them as a task when:
      1. They have no costs associated with them
      2. They require a low amount of initial effort to implement and no ongoing effort to maintain
      3. They can be accomplished independently of other tasks

    A screenshot showing gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Considerations for gap closure actions

    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Actions column.
    • The example gap closure actions may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps will require their own action. You can enter one action that may address multiple gaps.
    • If you find that many of your actions are along the lines of “investigate and make recommendations,” you should consider using the estimated gap closure percentage column to track the fact that these gaps will not be fully closed by the actions.

    A screenshot showing considerations for gap closure actions, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    2.3.2 Define gap closure action effectiveness

    Estimated Time: 1-2 hours

    For each of the gap closure actions, optionally enter an estimated gap closure percentage to indicate how effective the action will be in fully closing the gap.

    • For instance, an action to “investigate solutions and make recommendations” will not fully close the gap.
    • This is an optional step but will be helpful to understand how much progress towards your security target state you will make based on your roadmap.
    • If you do not fill in this column, the tool will assume that your actions will fully close all gaps.

    A screenshot showing considerations for estimated gap closure percentage, part of the 'Gap Analysis' tab of the 'Information Security Gap Analysis Tool.'

    Completing this step will populate the “Security Roadmap Progression” diagram in the Results tab, which will provide a graphic illustration of how close to your target state you will get based upon the roadmap.

    Phase 3

    Prioritize Initiatives and Build Roadmap

    Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

    Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

    Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

    Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    • 3.1 Define tasks and initiatives.
    • 3.2 Define cost, effort, alignment, and security benefit of each initiative.
    • 3.3 Prioritize initiatives.
    • 3.4 Build the prioritized security roadmap

    3.1 Define tasks and initiatives

    Estimated Time: 2-4 hours

    1. As a group, review the gap actions identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your task list.
    3. Using the instructions on the following slides, review and consolidate your initiative list.

    Input

    • Gap analysis

    Output

    • List of tasks and initiatives

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.1.1 Finalize your task list

    Estimated Time: 1-2 hours

    1. Obtain a list of all your task actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Paste the list into the table on the Task List tab.
      • Use Paste Values to retain the table formatting
    3. Enter a task owner and due date for each task. Without accountability, it is too easy to fall into complacency and neglect these tasks.

    A screenshot showing the 'Task List' tab of the 'Information Security Gap Analysis Tool.'

    Info-Tech Insight

    Tasks are not meant to be managed to the same degree that initiatives will be. However, they are still important. It is recommended that you develop a process for tracking these tasks to completion.

    3.1.2 Consolidate your gap closure actions into initiatives

    Estimated Time: 2-3 hours

    1. Once you have finalized your task list, you will need to consolidate your list of initiative actions. Obtain a list of all your initiative actions by filtering on the Action Type column in the Gap Analysis tab.
    2. Create initiatives on the Initiative List tab. While creating initiatives, consider the following:
      • As much as possible, it is recommended that you consolidate multiple actions into a single initiative. Reducing the total number of initiatives will allow for more efficient management of the overall roadmap.
      • Start by identifying areas of commonality between gap closure actions, for instance:
        • Group all actions within a security domain into a single initiative.
        • Group together similar actions, such as all actions that require updating policies.
        • Consider combining actions that have inter-dependencies.
      • While it is recommended that you consolidate actions as much as possible, some actions should become initiatives on their own. This will be appropriate when:
        • The action is time sensitive and consolidating it with other actions will cause scheduling issues.
        • Actions that could otherwise be consolidated have different business sponsors or owners and need to be kept separate for funding or accountability reasons.
    3. Link the initiative actions on the Gap Analysis tab using the drop-down list in the Initiative Name column.

    Initiative consolidation example

    In the example below, we see three gap closure actions within the Security Culture and Awareness domain being consolidated into a single initiative “Develop security awareness program.”

    We can also see one gap closure action within the same domain being grouped with two actions from the Security Policies domain into another initiative “Update security policies.”

    Info-Tech Insight

    As you go through this exercise, you may find that some actions that you previously categorized as tasks could be consolidated into an initiative.

    A screenshot showing how six sample gap closure actions can be distilled into two gap closure initiatives. Part of the 'Information Security Gap Analysis Tool.'

    3.1.3 Finalize your initiative list

    Estimated Time: 30 minutes

    1. Review your final list of initiatives and make any required updates.
    2. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Use the drop-down list to indicate which of the security alignment goals most appropriately reflects the objectives of the initiative. If you are unsure, use the legend next to the table to find the primary security domain associated with the initiative and then select the recommended security alignment goal.
      • This step is important to understand how the initiative supports the business goals identified earlier.

     A screenshot showing the primary security alignment goal, part of the 'Initiative List' tab of the 'Information Security Gap Analysis Tool.'

    3.2 Conduct cost/ benefit analysis

    Estimated Time: 1-2 hours

    1. As a group, define the criteria to be used to conduct the cost/benefit analysis, following the instructions on the next slide.
    2. Assign costing and benefits information for each initiative.
    3. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.2.1 Define costing criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low ranges for initial and ongoing costs and efforts.
      1. Initial costs are one-time, upfront capital investments (e.g. hardware and software costs, project-based consulting fees, training).
      2. Ongoing cost is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
      3. Initial staffing in hours is total time in person hours required to complete a project. It is not total elapsed time but dedicated time. Consider time required to gather requirements and to design, test, and implement the solution.
      4. Ongoing staffing in FTEs is the ongoing average effort required to support that initiative after implementation.
    2. In addition to ranges, provide an average for each. These will be used to calculate estimated total costs for the roadmap.

    A screenshot showing the initiative costs for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.' The range of costs is labeled with an arrow with number 1 on it, and the average cost per initiative is labeled with an arrow with number 2 on it.

    Make sure that your ranges allow for differentiation between initiatives to enable prioritization. For instance, if you set your ranges too low, all your initiatives will be assessed as high cost, providing no help when you must prioritize them.

    3.2.2 Define benefits criteria

    Estimated Time: 30 minutes

    1. On the Setup tab of the Information Security Gap Analysis Tool, enter high, medium, and low values for the Alignment with Business Benefit.
      • This variable is meant to capture how well each initiative aligns with organizational goals and objectives.
      • By default, this benefit is linked directly to business goals through the primary and secondary security alignment goals. This allows the tool to automatically calculate the benefit based on the security alignment goals associated with each initiative.
      • If you change these values, you may need to override the calculated values in the prioritization tab.
    2. Enter a high, medium, and low value for the Security Benefit.
      • This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative.
      • By default, this benefit is linked to security risk reduction.

    A screenshot showing the initiative benefits for estimation, part of the 'Setup' tab of the 'Information Security Gap Analysis Tool.'

    Some organizations prefer to use the “Security Benefit” criteria to demonstrate how well each initiative supports specific compliance goals.

    3.2.3 Complete the cost/benefit analysis

    Estimated Time: 1-2 hours

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
      • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
    2. Enter the estimated benefits, also using the criteria defined earlier.
      • The Alignment with Business benefit will be automatically populated, but you can override this value using the drop-down list if desired.

    A screenshot showing the estimated cost, estimated effort, and estimated benefits section, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Estimated cost and estimated effort are labeled with an arrow with number 1 on it, and estimated benefits is labeled with an arrow with a number 2 on it.

    3.2.4 Optionally enter detailed cost estimates

    Estimated Time: 30 minutes

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in steps 3.2.1 and 3.2.2. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
      • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
      • You have defined your “Medium” cost range as being “$10-100K”, so you select medium as your initial cost for this initiative in step 3.2.3. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
      • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    A screenshot showing the detailed cost estimates and detailed staffing estimates columns, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' These columns are labeled with an arrow with a number 1 on it.

    Case Study

    Credit Service Company

    Industry: Financial Services

    Source: Info-Tech Research Group

    A chart titled 'Framework Components,' displaying how the Credit Service Company profiled in the case study performed a current state assessment, created gap initiatives, and prioritized gap initiatives.

    3.3 Prioritize initiatives

    Estimated Time: 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
      • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
      • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
    2. Follow step 3.3.1 to create an effort map with the results of the cost/benefit analysis.
    3. Follow step 3.3.2 to assign initiatives into execution waves.

    Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Information Security Gap Analysis Tool
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.3.1 Create effort map

    Estimated Time: 30 minutes

    1. On a whiteboard, draw the quadrant diagram shown.
    2. Create sticky notes for each initiative on your initiative list.
    3. For each initiative, use the “Cost/Effort Rating” and the “Benefit Rating” calculated on the Prioritization tab to place the corresponding sticky note onto the diagram.

    An effort map is a tool used for the visualization of a cost/benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized. In this example, the initiative “Update Security Policies” was assessed as low cost/effort (3) and high benefit (10).

    An image showing how 'update security policies,' as ranked on a cost/effort and benefit quadrant, translates to a cost/effort and benefit rating on the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.'

    3.3.2 Assign initiatives to execution waves

    Estimated Time: 60 minutes

    1. Using sticky flip chart sheets, create four sheets and label them according to the four execution waves:
      • MUST DO – These are initiatives that need to get moving right away. They may be quick wins, items with critical importance, or foundational projects upon which many other initiatives depend.
      • SHOULD DO – These are important initiatives that need to get done but cannot launch immediately due to budget constraints, dependencies, or business impacts that require preparation.
      • COULD DO – Initiatives that have merit but are not a priority.
      • WON’T DO – Initiatives where the costs outweigh the benefits.
    2. Using the further instructions on the following slides, move the initiative sticky notes from your effort map into the waves.

    Considerations for prioritization

    • Starting from the top right of the effort map, begin pulling stickies off and putting them in the appropriate roadmap category.
    • Keep dependencies in mind. If an important initiative depends on a low-priority one being completed first, then pull dependent initiatives up the list.
    • It may be helpful to think of each wave as representing a specific time frame (e.g. wave 1 = first year of your roadmap, wave 2 = year two, wave 3 = year three).

    Info-Tech Insight

    Use an iterative approach. Most organizations tend to put too many initiatives into wave 1. Be realistic about what you can accomplish and take several passes at the exercise to achieve a balance.

    An image showing how to map the sticky notes from a sample exercise, as placed on a cost/effort and benefit quadrant, into waves.

    3.3.3 Finalize prioritization

    Estimated Time: 30 minutes

    1. Once you have completed placing your initiative sticky notes into the waves, update the Prioritization tab with the Roadmap Wave column.
    2. Optionally, use the Roadmap Sub-Wave column to prioritize initiatives within a single wave.
      • This will allow you more granular control over the final prioritization, especially where dependencies require extra granularity.

    Any initiatives that are currently in progress should be assigned to Wave 0.

    An image showing the roadmap wave and roadmap sub-wave sections, part of the 'Prioritization' tab of the 'Information Security Gap Analysis Tool.' Roadmap wave is labeled with an arrow with a number 1 on it, and roadmap sub-wave is labeled with an arrow with a number 2 on it.

    3.4 Build roadmap

    Estimated Time: 1-3 hours

    1. As a group, follow step 3.4.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Information Security Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list
    • (Optional) List of other non-security IT and business projects

    Output

    • Security strategic roadmap

    Materials

    • Information Security Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Information Security Gap Analysis Tool

    3.4.1 Schedule initiatives using the Gantt chart

    Estimated Time: 1-2 Hours

    1. On the Gantt Chart tab for each initiative, enter an owner (the individual who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
      • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
      • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.

    Info-Tech Insight

    Use the Owner column to help identify resourcing constraints. If a single individual is responsible for many different initiatives that are planned to start at the same time, consider staggering those initiatives.

    An image showing the owner and planned start sections, part of the 'Security Roadmap Gantt Chart' tab of the 'Information Security Gap Analysis Tool.' The owner column is labeled with an arrow with a 1 on it, and the planned start column is labeled with an arrow with a 2 on it.

    3.4.2 Review your roadmap

    Estimated Time: 30-60 minutes

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
      • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
      • Does your organization have regular change freezes throughout the year that will impact the schedule?
      • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
      • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
      • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    A screenshot image showing parts of the 'Security Roadmap Gantt Chart' tab with sample data in it. Taken from the 'Information Security Gap Analysis Tool.'

    3.4.3 Review your expected roadmap progression

    Estimated Time: 30 minutes

    1. If you complete the optional exercise of filling in the Estimated Gap Closure Percentage column on the Gap Analysis tab, the tool will generate a diagram showing how close to your target state you can expect to get based on the tasks and initiatives in your roadmap. You can review this diagram on the Results tab.
      • Remember that this Expected Maturity at End of Roadmap score assumes that you will complete all tasks and initiatives (including all Wave 4 initiatives).
    2. Copy the diagram into the Information Security Strategy Communication Deck.

    Info-Tech Insight

    Often, internal stakeholders will ask the question “If we do everything on this roadmap, will we be at our target state?” This diagram will help answer that question.

    A screenshot image showing the 'Expected Security Roadmap Progression' with sample data in it. Part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    3.4.4 Review your cost/effort estimates table

    Estimated Time: 30 minutes

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
      • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
      • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.
      • This table provides you with the information to have important conversations with management and stakeholders
    2. When you have completed your review, copy the table into the Information Security Strategy Communication Deck.

    A screenshot image showing the 'Information Security Roadmap Cost/Effort Estimates,' part of the 'Results' tab of the 'Information Security Gap Analysis Tool.'

    Phase 4

    Execute and Maintain

    Phase 1

    • 1.1 Define goals & scope
    • 1.2 Assess risks
    • 1.3 Determine pressures
    • 1.4 Determine risk tolerance
    • 1.5 Establish target state

    Phase 2

    • 2.1 Review Info-Tech’s security framework
    • 2.2 Assess your current state
    • 2.3 Identify gap closure actions

    Phase 3

    • 3.1 Define tasks & initiatives
    • 3.2 Perform cost/benefit analysis
    • 3.3 Prioritize initiatives
    • 3.4 Build roadmap

    Phase 4

    • 4.1 Build communication deck
    • 4.2 Develop a security charter
    • 4.3 Execute on your roadmap

    This phase will walk you through the following activities:

    • 4.1 Build your security strategy communication deck.
    • 4.2 Develop a security charter.
    • 4.3 Execute on your roadmap.

    4.1 Build your communication deck

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Strategy Communication Deck.
    2. Follow the instructions within the template and on the next few slides to customize the template with the results of your strategic roadmap planning.

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information Security Strategy Communication Deck

    Materials

    • Information Security Strategy Communication Deck

    Participants

    • Security Team
    • IT Leadership

    Download the Information Security Gap Analysis Tool

    4.1.1 Customize the Communication Deck

    Estimated Time: 1-2 hours

    1. When reviewing the Information Security Strategy Communication Deck, you will find slides that contain instructions within green text boxes. Follow the instructions within the boxes, then delete the boxes.
      • Most slides only require that you copy and paste screenshots or tables from your tools into the slides.
      • However, some slides require that you customize or add text explanations that need to reflect your unique organization.
      • It is recommended that you pay attention to the Next Steps slide at the end of the deck. This will likely have a large impact on your audience.
    2. Once you have customized the existing slides, you may wish to add additional slides. For instance, you may wish to add more context to the risk assessment or pressure analysis diagrams or provide details on high-priority initiatives.

    An image showing the 'Business Goals Cascade,' part of the 'Information Security Strategy Communication Deck.' A green box on top of the screenshot instructs you to 'Paste your goals cascade from the Information Security Requirements Gathering Tool here.'

    Consider developing multiple versions of the deck for different audiences. Senior management may only want an executive summary, whereas the CIO may be more interested in the methodology used to develop the strategy.

    Communication considerations

    Developing an information security strategy is only half the job. For the strategy to be successful, you will need to garner support from key internal stakeholders. These may include the CIO, senior executives, and business leaders. Without their support, your strategy may never get the traction it needs. When building your communication deck and planning to present to these stakeholders, consider the following:

    • Gaining support from stakeholders requires understanding their needs. Before presenting to a new audience, carefully consider their priorities and tailor your presentation to address them.
    • Use the communication deck to clarify the business context and how your initiatives that will support business goals.
    • When presenting to senior stakeholders, anticipate what questions they might ask and be sure to prepare answers in advance. Always be prepared to speak to any data point within the deck.
    • If you are going to present your strategy to a group and you anticipate that one or more members of that group may be antagonistic, seek out an opportunity to speak to them before the meeting and address their concerns one on one.

    If you have already fully engaged your key stakeholders through the requirements gathering exercises, presenting the strategy will be significantly easier. The stakeholders will have already bought in to the business goals, allowing you to show how the security strategy supports those goals.

    Info-Tech Insight

    Reinforce the concept that a security strategy is an effort to enable the organization to achieve its core mission and goals and to protect the business only to the degree that the business demands. It is important that stakeholders understand this point.

    4.2 Develop a security charter

    Estimated Time: 1-3 hours

    1. As a group, review the Information Security Charter.
    2. Customize the template as required to reflect your information security program. It may include elements such as:
      • A mission and vision statement for information security in your organization
      • The objectives and scope of the security program
      • A description of the security principles upon which your program is built
      • High-level roles and responsibilities for information security within the organization

    Input

    • Completed Security Requirements Gathering Tool
    • Completed Security Pressure Analysis Tool
    • Completed Security Gap Analysis Tool

    Output

    • Information security charter

    Materials

    • Information Security Charter

    Participants

    • Security Team

    Download the Information Security Gap Analysis Tool

    4.2.1 Customize the Information Security Charter

    Estimated Time: 1-3 hours

    1. Involve the stakeholders that were present during Phase 1 activities to allow you to build a charter that is truly reflective of your organization.
    2. The purpose of the security charter is too:
      • Establish a mandate for information security within the organization.
      • Communicate executive commitment to risk and information security management.
      • Outline high-level responsibilities for information security within the organization.
      • Establish awareness of information security within the organization.

    A screenshot of the introduction of the 'Information Security Charter' template.

    A security charter is a formalized and defined way to document the scope and purpose of your security program. It will define security governance and allow it to operate efficiently through your mission and vision.

    4.3 Execute on your roadmap

    1. Executing on your information security roadmap will require coordinated effort by multiple teams within your organization. To ensure success, consider the following recommendations:
      1. If you have a project management office, leverage them to help apply formal project management methodologies to your initiatives.
      2. Develop a process to track the tasks on your strategy task list. Because these will not be managed as formal initiatives, it will be easy to lose track of them.
      3. Develop a schedule for regular reporting of progress on the roadmap to senior management. This will help hold yourself and others accountable for moving the project forward.
    2. Plan to review and update the strategy and roadmap on a regular basis. You may need to add, change, or remove initiatives as priorities shift.

    Input

    • Completed Security Gap Analysis Tool

    Output

    • Execution of your strategy and roadmap

    Materials

    • Information Security Gap Analysis Tool
    • Project management tools as required

    Participants

    • Security Team
    • Project Management Office
    • IT and Corporate Teams, as required

    Info-Tech Insight

    Info-Tech has many resources that can help you quickly and effectively implement most of your initiatives. Talk to your account manager to learn more about how we can help your strategy succeed.

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of organizational pressures and the drivers behind them
    • Insight into stakeholder goals and obligations
    • A defined security risk tolerance information and baseline
    • Comprehensive knowledge of security current state and summary initiatives required to achieve security objectives

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Information Security Program Gap Analysis Tool

    Use our best-of-breed security framework to perform a gap analysis between your current and target states.

    Information Security Requirements Gathering Tool

    Define the business, customer, and compliance alignment for your security program.

    Related Info-Tech Research

    Develop a Security Operations Strategy

    A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.

    This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps to provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Align Your Security Controls to Industry Frameworks for Compliance

    Don’t reinvent the wheel by reassessing your security program using a new framework.

    Instead, use the tools in this blueprint to align your current assessment outcomes to required standards.

    Bibliography

    “2015 Cost of Data Breach Study: United States.” Sponsored by IBM. Ponemon Institute, May 2015. Web.

    “2016 Cost of Cyber Crime Study & the Risk of Business Innovation.” Ponemon Institute, Oct. 2016. Web. 25 Oct. 2016.

    “2016 Cost of Data Breach Study: Global Analysis.” Ponemon Institute, June 2016. Web. 26 Oct. 2016.

    “2016 Data Breach Investigations Report.” Verizon, 2016. Web. 25 Oct. 2016.

    “2016 NowSecure Mobile Security Report.” NowSecure, 2016. Web. 5 Nov. 2016.

    “2017 Cost of Cyber Crime Study.” Ponemon Institute, Oct. 2017. Web.

    “2018 Cost of Data Breach Study: Global Overview.” Ponemon Institute, July 2018. Web.

    “2018 Data Breach Investigations Report.” Verizon, 2018. Web. Oct. 2019.

    “2018 Global State of Information Security Survey.” CSO, 2017. Web.

    “2018 Thales Data Threat Report.” Thales eSecurity, 2018. Web.

    “2019 Data Breach Investigations Report.” Verizon, 2020. Web. Feb. 2020.

    “2019 Global Cost of a Data Breach Study.” Ponemon Institute, Feb. 2020. Web.

    “2019 The Cost of Cyber Crime Study.” Accenture, 2019. Web Jan 2020.

    “2020 Thales Data Threat Report Global Edition.” Thales eSecurity, 2020. Web. Mar. 2020.

    Ben Salem, Malek. “The Cyber Security Leap: From Laggard to Leader.” Accenture, 2015. Web. 20 Oct. 2016.

    “Cisco 2017 Annual Cybersecurity Report.” Cisco, Jan. 2017. Web. 3 Jan. 2017.

    “Cyber Attack – How Much Will You Lose?” Hewlett Packard Enterprise, Oct. 2016. Web. 3 Jan. 2017.

    “Cyber Crime – A Risk You Can Manage.” Hewlett Packard Enterprise, 2016. Web. 3 Jan. 2017.

    “Global IT Security Risks Survey.” Kaspersky Lab, 2015. Web. 20 October 2016.

    “How Much Is the Data on Your Mobile Device Worth?” Ponemon Institute, Jan. 2016. Web. 25 Oct. 2016.

    “Insider Threat 2018 Report.” CA Technologies, 2018. Web.

    “Kaspersky Lab Announces the First 2016 Consumer Cybersecurity Index.” Press Release. Kaspersky Lab, 8 Sept. 2016. Web. 3 Jan. 2017.

    “Kaspersky Lab Survey Reveals: Cyberattacks Now Cost Large Businesses an Average of $861,000.” Press Release. Kaspersky Lab, 13 Sept. 2016. Web. 20 Oct. 2016.

    “Kaspersky Security Bulletin 2016.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

    “Managing Cyber Risks in an Interconnected World: Key Findings From the Global State of Information Security Survey 2015.” PwC, 30 Sept. 2014. Web.

    “Measuring Financial Impact of IT Security on Business.” Kaspersky Lab, 2016. Web. 25 Oct. 2016.

    “Ponemon Institute Releases New Study on How Organizations Can Leapfrog to a Stronger Cyber Security Posture.” Ponemon Institute, 10 Apr. 2015. Web. 20 Oct. 2016.

    “Predictions for 2017: ‘Indicators of Compromise’ Are Dead.” Kaspersky Lab, 2016. Web. 4 Jan. 2017.

    “Take a Security Leap Forward.” Accenture, 2015. Web. 20 Oct. 2016.

    “Trends 2016: (In)security Everywhere.” ESET Research Laboratories, 2016. Web. 25 Oct. 2016.

    Research Contributors

    • Peter Clay, Zeneth Tech Partners, Principal
    • Ken Towne, Zeneth Tech Partners, Security Architect
    • Luciano Siqueria, Road Track, IT Security Manager
    • David Rahbany, The Hain Celestial Group, Director IT Infrastructure
    • Rick Vadgama, Cimpress, Head of Information Privacy and Security
    • Doug Salah, Wabtec Corp, Manager of Information Security and IT Audit
    • Peter Odegard, Children’s Hospitals and Clinics, Information Security Officer
    • Trevor Butler, City of Lethbridge, Information Technology General Manager
    • Shane Callahan, Tractor Supply, Director of Information Security
    • Jeff Zalusky, Chrysalis, President/CEO
    • Candy Alexander, Independent Consultant, Cybersecurity and Information Security Executive
    • Dan Humbert, YMCA of Central Florida, Director of Information Technology
    • Ron Kirkland, Crawford & Co, Manager ICT Security & Customer Service
    • Jason Bevis – FireEye, Senior Director Orchestration Product Management - Office of the CTO
    • Joan Middleton, Village of Mount Prospect, IT Director
    • Jim Burns, Great America Financial Services, Vice President Information Technology
    • Ryan Breed, Hudson’s Bay, Information Security Analyst
    • James Fielder, Farm Credit Services – Central Illinois, Vice President of Information Systems

    Evaluate Your Vendor Account Team to Optimize Vendor Relations

    • Buy Link or Shortcode: {j2store}222|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Understand how important your account is to the vendor and how it is classified.
    • Understand how informed the account team is about your company and your industry.
    • Understand how long the team has been with the vendor. Have they been around long enough to have developed a “brand” or trust within their organization?
    • Understand and manage the relationships and influence the account team has within your organization to maintain control of the relationship.

    Our Advice

    Critical Insight

    Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.

    Impact and Result

    Understanding your vendor team’s background, experience, and strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.

    Evaluate Your Vendor Account Team to Optimize Vendor Relations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate Your Vendor Account Team to Optimize Vendor Relations Deck – Understand the value of knowing your account team’s influence in their organization, and yours, to drive results.

    Learn how to best qualify that you have the right team for your business needs, using the accompanying tools to measure and monitor success throughout the relationship.

    • Evaluate Your Vendor Account Team to Optimize Vendor Relations Storyboard

    2. Vendor Rules of Engagement Template – Use this template to create a vendor rules of engagement document for inclusion in your company website, RFPs, and contracts.

    The Vendor Rules of Engagement template will help you develop your written expectations for the vendor for how they will interact with your business and stakeholders.

    • Vendor Rules of Engagement

    3. Evalu-Rate Your Account Team – Use this tool to develop criteria to evaluate your account team and gain feedback from your stakeholders.

    Evaluate your vendor account teams using this template to gather stakeholder feedback on vendor performance.

    • Evalu-Rate Your Account Team
    [infographic]

    Further reading

    Evaluate Your Vendor Account Team to Optimize Vendor Relations

    Understand the value of knowing your account team’s influence in their organization, and yours, to drive results.

    Analyst Perspective

    Having the wrong account team has consequences for your business.

    IT professionals interact with vendor account teams on a regular basis. You may not give it much thought, but do you have a good understanding of your rep’s ability to support/service your account, in the manner you expect, for the best possible outcome? The consequences to your business of an inappropriately assigned and poorly trained account team can have a disastrous impact on your relationship with the vendor, your business, and your budget. Doing the appropriate due diligence with your account team is as important as the due diligence you should put into the vendor. And, of course, ongoing management of the account team relationship is vital. Here we will share how best to qualify that you have the right team for your business needs as well as how to measure and monitor success throughout the relationship.

    Photo of Donna Glidden, Research Director, Vendor Management, Info-Tech Research Group.

    Donna Glidden
    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Understand how important your account is to the vendor and how it is classified.
    • Understand how informed the account team is about your company and your industry.
    • Understand how long the team has been with the vendor. Have they been around long enough to have developed a “brand” or trust within their organization?
    • Understand and manage the relationships and influence the account team has within your organization to maintain control of the relationship.
    Common Obstacles
    • The vendor account team “came with the deal.”
    • The vendor account team has limited training and experience.
    • The vendor account team has close relationships within your organization outside of Procurement.
    • Managing your organization’s vendors is ad hoc and there is no formalized process for vendors to follow.
    • Your market position with the vendor is not optimal.
    Info-Tech’s Approach
    • Establish a repeatable, consistent vendor management process that focuses on the account team to maintain control of the relationship and drive the results you need.
    • Create a questionnaire for gaining stakeholder feedback to evaluate the account team on a regular basis.
    • Consider adding a vendor rules of engagement exhibit to your contracts and RFXs.

    Info-Tech Insight

    Understanding your vendor team’s background, their experience, and their strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.

    Blueprint benefits

    IT Benefits

    • Clear lines of communication
    • Correct focus on the specific needs of IT
    • More accurate project scoping
    • Less time wasted

    Mutual IT and
    Business Benefits

    • Reduced time to implement
    • Improved alignment between IT & business
    • Improved vendor performance
    • Improved vendor relations

    Business Benefits

    • Clear relationship guidelines based on mutual understanding
    • Improved communications between the parties
    • Mutual understanding of roles/goals
    • Measurable relationship criteria

    Insight Summary

    Overarching insight

    Conducting the appropriate due diligence on your vendor’s account team is as important as the due diligence you put into the vendor. Ongoing management of the account team should follow the lifecycle of the vendor relationship.

    Introductory/RFP phase
    • Track vendor contacts with your organization.
    • Qualify the account team as you would the vendor:
      • Background
      • Client experience
    • Consider including vendor rules of engagement as part of your RFP process.
    • How does the vendor team classify your potential account?
    Contract phase
    • Set expectations with the account team for the ongoing relationship.
    • Include a vendor rules of engagement exhibit in the contract.
    • Depending on your classification of the vendor, establish appropriate account team deliverables, meetings, etc.
    Vendor management phase
    • “Evalu-rate” your account team by using a stakeholder questionnaire to gain measurable feedback.
    • Identify the desired improvements in communications and service delivery.
    • Use positive reinforcements that result in positive behavior.
    Tactical insight

    Don’t forget to look at your organization’s role in how well the account team is able to perform to your expectations.

    Tactical insight

    Measure to manage – what are the predetermined criteria that you will measure the account team’s success against?

    Lack of adequate sales training and experience can have a negative impact on the reps’ ability to support your needs adequately

    • According to Forbes (2012), 55% of salespeople lack basic sales skills.
    • 58% of buyers report that sales reps are unable to answer their questions effectively.
    • According to a recent survey, 84% of all sales training is lost after 90 days. This is due to the lack of information retention among sales personnel.
    • 82% of B2B decision-makers think sales reps are unprepared.
    • At least 50% of prospects are not a good fit for the product or service that vendors are selling (Sales Insights Lab).
    • It takes ten months or more for a new sales rep to be fully productive.

    (Source: Spotio)

    Info-Tech Insight

    Remember to examine the inadequacies of vendor training as part of the root cause of why the account team may lack substance.

    Why it matters

    1.8 years

    is the average tenure for top ten tech companies

    2.6 years is the average experience required to hire.

    2.4 years is the average account executive tenure.

    44% of reps plan to leave their job within two years.

    The higher the average contract value, the longer the tenure.

    More-experienced account reps tend to stay longer.

    (Source: Xactly, 2021)
    Image of two lightbulbs labeled 'skill training' with multiple other buzzwords on the glass.

    Info-Tech Insight

    You are always going to be engaged in training your rep, so be prepared.

    Before you get started…

    • Take an inward look at how your company engages with vendors overall:
      • Do you have a standard protocol for how initial vendor inquiries are handled (emails, phone calls, meeting invitations)?
      • Do you have a standard protocol for introductory vendor meetings?
      • Are vendors provided the appropriate level of access to stakeholders/management?
      • Are you prompt in your communications with vendors?
      • What is the quality of the data provided to vendors? Do they need to reach out repeatedly for more/better data?
      • How well are you able to forecast your needs?
      • Is your Accounts Payable team responsive to vendor inquiries?
      • Are Procurement and stakeholders on the same page regarding the handling of vendors?
    • While you may not have a formal vendor management initiative in place, try to understand how important each of your vendors are to your organization, especially before you issue an RFP, so you can set the right expectations with potential vendor teams.
    • Classify vendors as strategic, operational, tactical, or commodity.
      • This will help you focus your time appropriately and establish the right meeting cadence according to the vendor’s place in your business.
      • See Info-Tech’s research on vendor classification.
    When you formalize your expectations regarding vendor contact with your organization and create structure around it, vendors will take notice.

    Consider a standard intake process for fielding vendor inquiries and responding to requests for meetings to save yourself the headaches that come with trying to keep up with them.

    Stakeholder teams, IT, and Procurement need to be on the same page in this regard to avoid missteps in the important introductory phase of dealing with vendors and the resulting confusion on the part of vendor account teams when they get mixed messages and feel “passed around.”

    1. Introductory Phase

    If vendors know you have no process to track their activities, they’ll call who they want when they want, and the likelihood of them having more information about your business than you about theirs is significant.

    Vendor contacts are made in several ways:

    • Cold calls
    • Emails
    • Website
    • Conferences
    • Social introductions

    Things to consider:

    • Consider having a link on your company website to your Sourcing & Procurement team, including:
      • An email address for vendor inquiries.
      • Instructions to vendors on how to engage with you and what information they should provide.
      • A link to your Vendor Rules of Engagement.
    • Track vendor inquiries so you have a list of potential respondents to future RFPs.
    • Work with stakeholders and gain their buy-in on how vendor inquiries are to be routed and handled internally.
    Not every vendor contact will result in an “engagement” such as invitation to an RFP or a contract for business. As such, we recommend that you set up an intake process to track/manage supplier inquiries so that when you are ready to engage, the vendor teams will be set up to work according to your expectations.

    2. RFP/Contract Phase

    What are your ongoing expectations for the account team?
    • Understand how your business will be qualified by the vendor. Where you fit in the market space regarding spend, industry, size of your business, etc., determines what account team(s) you will have access to.
    • Add account team–specific questions to your RFP(s) to gain an understanding of their capabilities and experience up front.
    • How have you classified the vendor/solution? Strategic, tactical, operational, or commodity?
      • Depending on the classification/criticality (See Info-Tech’s Vendor Classification Tool) of the vendor, set the appropriate expectation for vendor review meetings, e.g. weekly, monthly, quarterly, annually.
      • Set the expectation that their support of your account will be regularly measured/monitored by your organization.
      • Consider including a set of vendor rules of engagement in your RFPs and contracts so vendors will know up front what your expectations are for how to engage with Procurement and stakeholders.
    Stock image of smiling coworkers.

    3. Ongoing Vendor Management

    Even if you don’t have a vendor management initiative in place, consider these steps to manage both new and legacy vendor relationships:
    • Don’t wait until there is an issue to engage the account team. Develop an open, honest relationship with vendors and get to know their key players.
    • Seek regular feedback from stakeholders on both parties’ performance against the agreement, based on agreed-upon criteria.
    • Measure vendor performance using the Evalu-Rate Your Account Team tool included with this research.
    • Based on vendor criticality, set a regular cadence of vendor meetings to discuss stakeholder feedback, both positive feedback as well as areas needing improvement and next steps, if applicable.
    Stock image of smiling coworkers.

    Info-Tech Insight

    What your account team doesn’t say is equally important as what they do say. For example, an account rep with high influence says, “I can get that for you” vs. “I'll get back to you.” Pay attention to the level of detail in their responses to you – it references how well they are networked within their own organization.

    How effective is your rep?

    The Poser
    • Talks so much they forget to listen
    • Needs to rely on the “experts”
    • Considers everyone a prospect
    Icons relating to the surrounding rep categories. Ideal Team Player
    • Practices active listening
    • Understands the product they are selling
    • Asks great questions
    • Is truthful
    • Approaches sales as a service to others
    The Bulldozer
    • Unable to ask the right questions
    • If push comes to shove, they keep pushing until you push back
    • Has a sense of entitlement
    • Lacks genuine social empathy
    Skillful Politician
    • Focuses on the product instead of people
    • Goes by gut feel
    • Fears rejection and can’t roll with the punches

    Characteristics of account reps

    Effective
    • Is truthful
    • Asks great questions
    • Practices active listening
    • Is likeable and trustworthy
    • Exhibits emotional intelligence
    • Is relatable and knowledgeable
    • Has excellent interpersonal skills
    • Has a commitment to personal growth
    • Approaches sales as a service to others
    • Understands the product they are selling
    • Builds authentic connections with clients
    • Is optimistic and has energy, drive, and confidence
    • Makes an emotional connection to whatever they are selling
    • Has the ability to put themselves in the position of the client
    • Builds trust by asking the right questions; listens and provides appropriate solutions without overpromising and underdelivering
    Ineffective
    • Goes by gut feel
    • Has a sense of entitlement
    • Lacks genuine social empathy.
    • Considers everyone a prospect
    • Is unable to ask the right questions.
    • Is not really into sales – it’s “just a job”
    • Focuses on the product instead of people
    • Loves to talk so much they forget to listen
    • Fears rejection and can’t roll with the punches
    • If push comes to shove, they keep pushing until you push back
    • Is clueless about their product and needs to rely on the “experts”

    How to support an effective rep

    • Consider being a reference account.
    • Say thank you as a simple way to boost morale and encourage continued positive behavior.
    • If you can, provide opportunities to increase business with the vendor – that is the ultimate thanks.
    • Continue to support open, honest communication between the vendor and your team.
    • Letters or emails of recognition to the vendor team’s management have the potential to boost the rep’s image within their own organization and shine a spotlight on your organization as a good customer.
    • Supplier awards for exemplary service and support may be awarded as part of a more formal vendor management initiative.
    • Refer to the characteristics of an effective rep – which ones best represent your account team?
    A little recognition goes a long way in reinforcing a positive vendor relationship.

    Info-Tech Insight

    Don’t forget to put the relationship in vendor relationship management – give a simple “Thank you for your support” to the account team from executive management.

    How to support an ineffective rep

    An ineffective rep can take your time and attention away from more important activities.
    • Understand what role, if any, you and/or your stakeholders may play in the rep’s lack of performance by determining the root cause:
      • Unrealistic expectations
      • Unclear and incomplete instructions
      • Lack of follow through by your stakeholders to provide necessary information
      • Disconnects between Sourcing/Procurement/IT that lead to poor communication with the vendor team (lack of vendor management)
    • Schedule more frequent meetings with the team to address the issues and measure progress.
    • Be open to listening to your rep(s) and ask them what they need from you in order to be effective in supporting your account.
    • Be sure to document in writing each instance where the rep has underperformed and include the vendor team’s leadership on all communications and meetings.
    • Refer to the characteristics of an ineffective rep – which ones best describe your ineffective vendor rep?
    “Addressing poor performance is an important aspect of supplier management, but prevention is even more so.” (Logistics Bureau)

    Introductory questions to ask vendor reps

    • What is the vendor team’s background, particularly in the industry they are representing? How did they get to where they are?
      • Have they been around long enough to have developed credibility throughout their organization?
      • Do they have client references they are willing to share?
    • How long have they been in this position with the vendor?
      • Remember, the average rep has less than 24 months of experience.
      • If they lack depth of experience, are they trainable?
    • How long have they been in the industry?
      • Longevity and experience matters.
    • What is their best customer experience?
      • What are they most proud of from an account rep perspective?
    • What is their most challenging customer experience?
      • What is their biggest weakness?
    • How are their relationships with their delivery and support teams?
      • Can they get the job done for you by effectively working their internal relationships?
    • What are their goals with this account?
      • Besides selling a lot.
    • What relationships do they have within your organization?
      • Are they better situated within your organization than you are?
    Qualify the account team as you would the vendor – get to know their background and history.

    Vendor rules of engagement

    Articulate your vendor expectations in writing

    Clearly document your expectations via formal rules of engagement for vendor teams in order to outline how they are expected to interact with your business and stakeholders. This can have a positive impact on your vendor and stakeholder relationships and enable you to gain control of:

    • Onsite visits and meetings.
    • Submission of proposals, quotes, contracts.
    • Communication between vendors, stakeholders and Procurement.
    • Expectations for ongoing relationship management.

    Include the rules in your RFXs and contracts to formalize your expectations.

    See the Vendor Rules of Engagement template included with this research.

    Download the Vendor Rules of Engagement template

    Sample of the Vendor Rules of Engagement template.

    Evalu-rate your vendor account team

    Measure stakeholder feedback to ensure your account team is on target to meet your needs. Sample of the Evalu-Rate Your Account Team tool.

    Download the Evalu-Rate Your Account Team tool

    • Use a measurable, repeatable process for evaluations.
    • Include feedback from key stakeholders engaged in the relationship.
    • Keep the feedback fact based and have backup.

    Final thoughts: Do’s and don’ts

    DO

    • Be friendly, approachable.
    • Manage the process by which vendors contact your organization – take control!
    • Understand your market position when sourcing goods/services to establish how much leverage you have with vendors.
    • Set vendor meetings according to their criticality to your business.
    • Evaluate your account teams to understand their strengths/weaknesses.
    • Gain stakeholder buy-in to your vendor processes.

    DON'T

    • Don’t be “friends.”
    • Don’t criticize in public.
    • Don’t needlessly escalate.
    • Don’t let the process of vendors communicating with your stakeholders “just happen.”
    • Don’t accept poor performance or attitude.

    Summary of Accomplishment

    Problem Solved

    Upon completion of this blueprint, Guided Implementation, or workshop, your team should have a comprehensive, well-defined, end-to-end approach to evaluating and managing your account team. Leveraging Info-Tech’s industry-proven tools and templates provides your organization with an effective approach to establishing, maintaining, and evaluating your vendor account team; improving your vendor and stakeholder communications; and maintaining control of the client/vendor relationship.

    Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your vendor account team evaluation process.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Bibliography

    “14 Essential Qualities of a Good Salesperson.” Forbes, 5 Oct. 2021. Accessed 11 March 2022.

    “149 Eye-Opening Sales Stats to Consider.” Spotio, 30 Oct. 2018. Accessed 11 March 2022.

    “35 Sales Representative Interview Questions and Answers.” Indeed, 29 Oct. 2021. Accessed 8 March 2022.

    “8 Intelligent Questions for Evaluating Your Sales Reps Performance” Inc., 16 Aug. 2016. Accessed 9 March 2022.

    Altschuler, Max. “Reality Check: You’re Probably A Bad Salesperson If You Possess Any Of These 11 Qualities.” Sales Hacker, 9 Jan. 2018. Accessed 4 May 2022.

    Bertuzzi, Matt. “Account Executive Data Points in the SaaS Marketplace.” Treeline, April 12, 2017. Accessed 9 March 2022. “Appreciation Letter to Vendor – Example, Sample & Writing Tips.” Letters.org, 10 Jan. 2020. Web.

    D’Entremont, Lauren. “Are Your Sales Reps Sabotaging Your Customer Success Without Realizing It?” Proposify, 4 Dec. 2018. Accessed 7 March 2022.

    Freedman, Max. “14 Important Traits of Successful Salespeople.” Business News Daily, 14 April 2022. Accessed 10 April 2022.

    Hansen, Drew. “6 Tips For Hiring Your Next Sales All-Star.” Forbes, 16 Oct. 2012. Web.

    Hulland, Ryan. “Getting Along with Your Vendors.” MonMan, 12 March 2014. Accessed 9 March 2022.

    Lawrence, Jess. “Talking to Vendors: 10 quick tips for getting it right.” Turbine, 30 Oct. 2018. Accessed 11 March 2022.

    Lucero, Karrie. “Sales Turnover Statistics You Need To Know.” Xactly, 24 Aug. 2021. Accessed 9 March 2022.

    Noyes, Jesse. “4 Qualities to Look For in Your Supplier Sales Representative.” QSR, Nov. 2017. Accessed 9 March 2022.

    O’Byrne, Rob. “How To Address Chronic Poor Supplier Performance.” Logistics Bureau, 26 July 2016. Accessed 4 May 2022.

    O'Brien, Jonathan. Supplier Relationship Management: Unlocking the Hidden Value in Your Supply Base. Kogan Page, 2014.

    Short, Alex. “Three Things You Should Consider to Become A Customer of Choice.” Vizibl, 29 Oct. 2021. Web.

    Wayshak, Marc. “18 New Sales Statistics for 2022 from Our Groundbreaking Study!” Sales Insights Lab, 28 March 2022. Web.

    “What Does a Good Customer Experience Look Like In Technology?” Virtual Systems, 23 June 2021. Accessed 10 March 2022.

    Maintain an Organized Portfolio

    • Buy Link or Shortcode: {j2store}432|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $3,059 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • All too often, the portfolio of programs and projects looks more like a random heap than a strategically organized and balanced collection of investments that will drive the business forward.
    • Portfolio managers know that with the right kind of information and the right level of process maturity they can get better results through the portfolio; however, organizations often assume (falsely) that the required level of maturity is out of reach from their current state and perpetually delay improvements.

    Our Advice

    Critical Insight

    • The information needed to define clear and usable criteria for organizing the portfolio of programs and projects already exists. Portfolio managers only need to identify the sources of that information and institute processes for regularly reviewing that information in order to define those criteria.
    • Once a portfolio manager has a clear idea of the goals and constraints that shape what ought to be included (or removed) from the portfolio and once these have been translated into clear and usable portfolio criteria, basic portfolio management processes can be instituted to ensure that these criteria are used consistently throughout the various stages of the project lifecycle.
    • Portfolio management frameworks and processes do not need to be built from scratch. Well-known frameworks – such as the one outlined in COBIT 5 APO05 – can be instituted in a way that will allow even low-maturity organizations to start organizing their portfolio.
    • Organizations do not need to grow into portfolio management frameworks to get the benefits of an organized portfolio; instead, they can grow within such frameworks.

    Impact and Result

    • An organized portfolio will ensure that the projects and programs included in it are strategically aligned and can actually be executed within the finite constraints of budgetary and human resource capacity.
    • Portfolio managers are better empowered to make decisions about which projects should be included in the portfolio (and when) and are better empowered to make the very tough decisions about which projects should be removed from the portfolio (i.e. cancelled).
    • Building and maturing a portfolio management framework will more fully integrate the PMO into the broader IT management and governance frameworks, making it a more integral part of strategic decisions and a better business partner in the long run.

    Maintain an Organized Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should maintain an organized portfolio of programs and projects, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the current state of the portfolio and PPM processes

    Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.

    • Maintain an Organized Portfolio – Phase 1: Assess the Current State of the Portfolio and PPM Processes
    • Project Portfolio Organizer
    • COBIT APO05 (Manage Portfolio) Alignment Workbook

    2. Enhance portfolio organization through improved PPM criteria and processes

    Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    • Maintain an Organized Portfolio – Phase 2: Enhance Portfolio Organization Through Improved PPM Criteria and Processes
    • Portfolio Management Standard Operating Procedures

    3. Implement improved portfolio management practices

    Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.

    • Maintain an Organized Portfolio – Phase 3: Implement Improved Portfolio Management Practices
    • Portfolio Management Improvement Roadmap Tool
    [infographic]

    Workshop: Maintain an Organized Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Portfolio Mix and Portfolio Process Current State

    The Purpose

    Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.

    Assess which PPM processes need to be enhanced to better organize the portfolio.

    Key Benefits Achieved

    An analysis of the existing portfolio of projects (highlighting areas of concern).

    An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.

    Activities

    1.1 Pre-work: Prepare a complete project list.

    1.2 Define existing portfolio categories, criteria, and targets.

    1.3 Analyze the current portfolio mix.

    1.4 Identify areas of concern with current portfolio mix.

    1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).

    1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.

    1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.

    1.8 Perform a gap analysis.

    Outputs

    Analysis of the current portfolio mix

    Assessment of COBIT alignment and gap analysis.

    2 Define Portfolio Target Mix, Criteria, and Roadmap

    The Purpose

    Define clear and usable portfolio criteria.

    Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.

    Key Benefits Achieved

    Clearly defined and usable portfolio criteria.

    A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.

    Activities

    2.1 Identify determinants of the portfolio mix, criteria, and constraints.

    2.2 Define the target mix, portfolio criteria, and portfolio metrics.

    2.3 Identify sources of funding and resourcing.

    2.4 Review and record the portfolio criteria based upon the goals and constraints.

    2.5 Create a PPM improvement roadmap.

    Outputs

    Portfolio criteria

    Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking

    Portfolio Management Improvement Roadmap

    3 Design Improved Portfolio Sub-Processes

    The Purpose

    Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    Key Benefits Achieved

    Processes that support decision making based upon the portfolio criteria.

    Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.

    Activities

    3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.

    3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.

    3.3 Outline the workflow for each sub-process needing improvement.

    Outputs

    A RACI chart for each sub-process

    A workflow for each sub-process

    4 Change Impact Analysis and Stakeholder Engagement Plan

    The Purpose

    Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.

    Key Benefits Achieved

    Stakeholder engagement.

    Sustainable long-term adoption of the improved portfolio management practices.

    Activities

    4.1 Conduct a change impact analysis.

    4.2 Create a stakeholder engagement plan.

    Outputs

    Change Impact Analysis

    Stakeholder Engagement Plan

    Completed Portfolio Management SOP

    Skills Development on the Mainframe Platform

    • Buy Link or Shortcode: {j2store}336|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    Mainframes remain a critical part of an organization’s infrastructure and will need to support these platforms for the foreseeable future. Despite the importance, it can be a challenge for organizations to find qualified resources to support them. Meanwhile, companies are unsure of where to find help to train and develop their teams on mainframe technologies and are at risk of a skills gap within their teams.

    Our Advice

    Critical Insight

    • Mainframes continue to have wide usage, particularly in enterprise organizations. The complexity of moving or replatforming many of these applications means these platforms will be around for a long time still.
    • Companies need to be proactive about developing their teams to support their mainframe systems.

    Impact and Result

    • Companies can protect their assets by cultivating a pipeline of qualified resources to support their mainframe infrastructure.
    • There is a robust training ecosystem headed by large, reputable organizations to help develop and support companies' resources. You don’t have to do it alone.

    Skills Development on the Mainframe Platform Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Skills Development on the Mainframe Platform Storyboard – An overview of the solutions available to support your mainframe training and skills development needs.

    Your mainframes are not going to disappear overnight. These systems often support the most critical operations in your organization. You need to ensure you have the right qualified resources to support your platforms.

    • Skills Development on the Mainframe Platform Storyboard
    [infographic]

    Tell Your Story With Data Visualization

    • Buy Link or Shortcode: {j2store}364|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    Analysts do not feel empowered to challenge requirements to deliver a better outcome. This alongside underlying data quality issues prevents the creation of accurate and helpful information. Graphic representations do not provide meaningful and actionable insights.

    Our Advice

    Critical Insight

    As organizations strive to become more data-driven, good storytelling with data visualization supports growing corporate data literacy and helps analysts in providing insights that improves organization's decision-making and value-driving processes, which ultimately boosts business performance.

    Impact and Result

    Follow a step-by-step guide to address the business bias of tacet experience over data facts and increase audience's understanding and acceptance toward data solutions.

    Save the lost hours and remove the challenges of reports and dashboards being disregarded due to ineffective usage.

    Gain insights from data-driven recommendations and have decision support to make informed decisions.

    Tell Your Story With Data Visualization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Tell Your Story With Data Visualization Deck – Solve challenging business problems more effectively and improve communication with audiences by demonstrating significant insights through data storytelling with impactful visuals.

    Here is our step-by-step process of getting value out of effective storytelling with data visualization:

  • Step 1: Frame the business problem and the outcomes required.
  • Step 2: Explore the potential drivers and formulate hypotheses to test.
  • Step 3: Construct a meaningful narrative which the data supports.
    • Tell Your Story With Data Visualization Storyboard

    2. Storytelling Whiteboard Canvas Template – Plan out storytelling using Info-Tech’s whiteboard canvas template.

    This storytelling whiteboard canvas is a template that will help you create your visualization story narrative by:

  • Identifying the problem space.
  • Finding logical relationships and data identification.
  • Reviewing analysis and initial insights.
  • Building the story and logical conclusion.
    • Storytelling Whiteboard Canvas Template
    [infographic]

    Further reading

    Tell Your Story With Data Visualization

    Build trust with your stakeholders.

    Analyst Perspective

    Build trust with your stakeholders.

    Data visualization refers to graphical representations of data which help an audience understand. Without good storytelling, however, these representations can distract an audience with enormous amounts of data or even lead them to incorrect conclusions.

    Good storytelling with data visualization involves identifying the business problem, exploring potential drivers, formulating a hypothesis, and creating meaningful narratives and powerful visuals that resonate with all audiences and ultimately lead to clear actionable insights.

    Follow Info-Tech's step-by-step approach to address the business bias of tacit experience over data facts, improve analysts' effectiveness and support better decision making.

    Ibrahim Abdel-Kader, Research Analyst

    Ibrahim Abdel-Kader
    Research Analyst,
    Data, Analytics, and Enterprise Architecture

    Nikitha Patel, Research Specialist

    Nikitha Patel
    Research Specialist,
    Data, Analytics, and Enterprise Architecture

    Ruyi Sun, Research Specialist

    Ruyi Sun
    Research Specialist,
    Data, Analytics, and Enterprise Architecture

    Our understanding of the problem

    This research is designed for

    • Business analysts, data analysts, or their equivalent who (in either a centralized or federated operating model) look to solve challenging business problems more effectively and improve communication with audiences by demonstrating significant insights through visual data storytelling.

    This research will also assist

    • A CIO or business unit (BU) leader looking to improve reporting and analytics, reduce time to information, and embrace decision making.

    This research will help you

    • Identify the business problem and root causes that you are looking to address for key stakeholders.
    • Improve business decision making through effective data storytelling.
    • Focus on insight generation rather than report production.
    • Apply design thinking principles to support the collection of different perspectives.

    This research will help them

    • Understand the report quickly and efficiently, regardless of their data literacy level.
    • Grasp the current situation of data within the organization.

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    As analysts, you may experience some critical challenges when presenting a data story.
    • The graphical representation does not provide meaningful or actionable insights.
    • Difficulty selecting the right visual tools or technologies to create visual impact.
    • Lack of empowerment, where analysts don't feel like they can challenge requirements.
    • Data quality issues that prevent the creation of accurate and helpful information.
    Some common roadblocks may prevent you from addressing these challenges.
    • Lack of skills and context to identify the root cause or the insight that adds the most value.
    • Lack of proper design or over-visualization of data will mislead/confuse the audience.
    • Business audience bias, leading them to ignore reliable insights presented.
    • Lack of the right access to obtain data could hinder the process.
    • Understand and dissect the business problem through Info-Tech's guidance on root cause analysis and design thinking process.
    • Explore each potential hypothesis and construct your story's narratives.
    • Manage data visualization using evolving tools and create visual impact.
    • Inform business owners how to proceed and collect feedback to achieve continuous improvement.

    Info-Tech Insight
    As organizations strive to become more data-driven, good storytelling with data visualization supports growing corporate data literacy and helps analysts provide insights that improve organizational decision-making and value-driving processes, which ultimately boosts business performance.

    Glossary

    • Data: Facts or figures, especially those stored in a computer, that can be used for calculating, reasoning, or planning. When data is processed, organized, structured, or presented in a given context to make it useful, it is called information. Data leaders are accountable for certain data domains and sets.
    • Data storytelling: The ability to create a narrative powered by data and analytics that supports the hypothesis and intent of the story. Narrators of the story should deliver a significant view of the message in a way easily understood by the target audience. Data visualization can be used as a tactic to enhance storytelling.
    • Data visualization: The ability to visually represent a complete story to the target audience powered by data & analytics, using data storytelling as an enabling mechanism to convey narratives. Typically, there are two types of visuals used as part of data visualization: explanatory/informative visuals (the entire story or specific aspects delivered to the audience) and exploratory visuals (the collected data used to clarify what questions must be answered).
    • Data literacy: The ability to read, work with, analyze, and argue with data. Easy access to data is essential to exercising these skills. All organizational employees involved with data-driven decisions should learn to think critically about the data they use for analytics and how they assess and interpret the results of their work.
    • Data quality: A measure of the condition of data based on factors such as accuracy, completeness, consistency, reliability, and being up-to-date. This is about how well-suited a data set is to serve its intended purpose, therefore business users and stakeholders set the standards for what is good enough. The governance function along with IT ensures that data quality measures are applied, and corrective actions taken.
    • Analytics/Business intelligence (BI): A technology-driven process for analyzing data and delivering actionable information that helps executives, managers, and workers make informed business decisions. As part of the BI process, organizations collect data from internal IT systems and external sources, prepare it for analysis, run queries against the data, and create data visualizations.
      Note: In some frameworks, analytics and BI refer to different types of analyses (i.e. analytics predict future outcomes, BI describes what is or has been).

    Getting value out of effective storytelling with data visualization

    Data storytelling is gaining wide recognition as a tool for supporting businesses in driving data insights and making better strategic decisions.

    92% of respondents agreed that data storytelling is an effective way of communicating or delivering data and analytics results.

    87% of respondents agreed that if insights were presented in a simpler/clearer manner, their organization's leadership team would make more data-driven decisions.

    93% of respondents agreed that decisions made based on successful data storytelling could potentially help increase revenue.

    Source: Exasol, 2021

    Despite organizations recognizing the value of data storytelling, issues remain which cannot be remedied solely with better technology.

    61% Top challenges of conveying important insights through dashboards are lack of context (61%), over-communication (54%), and inability to customize contents for intended audiences (46%).

    49% of respondents feel their organizations lack storytelling skills, regardless of whether employees are data literate.

    Source: Exasol, 2021

    Info-Tech Insight
    Storytelling is a key component of data literacy. Although enterprises are increasingly investing in data analytics software, only 21% of employees are confident with their data literacy skills. (Accenture, 2020)

    Prerequisite Checklist

    Before applying Info-Tech's storytelling methodology, you should have addressed the following criteria:

    • Select the right data visualization tools.
    • Have the necessary training in statistical analysis and data visualization technology.
    • Have competent levels of data literacy.
    • Good quality data founded on data governance and data architecture best practices.

    To get a complete view of the field you want to explore, please refer to the following Info-Tech resources:

    Select and Implement a Reporting and Analytics Solution

    Build a Data Architecture Roadmap

    Establish Data Governance

    Build Your Data Quality Program

    Foster Data-Driven Culture With Data Literacy

    Info-Tech's Storytelling With Data Visualization Framework

    Data Visualization Framework

    Info-Tech Insight
    As organizations strive to become more data-driven, good storytelling with data visualization supports growing corporate data literacy and helps analysts provide insights that improve organizational decision-making and value-driving processes, which ultimately boosts business performance.

    Research Benefits

    Member Benefits Business Benefits
    • Reduce time spent on getting your audience in the room and promote business involvement with the project.
    • Eliminate ineffectively used reports and dashboards being disregarded for lack of storytelling skills, resulting in real-time savings and monetary impact.
    • Example: A $50k reporting project has a 49% risk of the company being unable to communicate effective data stories (Exasol, 2021). Therefore, a $50k project has an approx. 50% chance of being wasted. Using Info-Tech's methodology, members can remove the risk, saving $25k and the time required to produce each report.
    • Address the common business bias of tacit experience over data-supported facts and increase audience understanding and acceptance of data-driven solutions.
    • Clear articulation of business context and problem.
    • High-level improvement objectives and return on investment (ROI).
    • Gain insights from data-driven recommendations to assist with making informed decisions.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Portfolio Management

    • Buy Link or Shortcode: {j2store}47|cart{/j2store}
    • Related Products: {j2store}47|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.6/10
    • member rating average dollars saved: $40,234
    • member rating average days saved: 30
    • Parent Category Name: Applications
    • Parent Category Link: /applications

    The challenge

    • Typically your business wants much more than your IT development organization can deliver with the available resources at the requested quality levels.
    • Over-damnd has a negative influence on delivery throughput. IT starts many projects (or features) but has trouble delivering most of them within the set parameters of scope, time, budget, and quality. Some requested deliverables may even be of questionable value to the business.
    • You may not have the right project portfolio management (PPM) strategy to bring order in IT's delivery activities and to maximize business value.

    Our advice

    Insight

    • Many in IT mix PPM and project management. Your project management playbook does not equate to the holistic view a real PPM practice gives you.
    • Some organizations also mistake PPM for a set of processes. Processes are needed, but a real strategy works towards tangible goals.
    • PPM works at the strategic level of the company; hence executive buy-in is critical. Without executive support, any effort to reconcile supply and demand will be tough to achieve.

    Impact and results 

    • PPM is a coherent business-aligned strategy that maximizes business value creation across the entire portfolio, rather than in each project.
    • Our methodology tackles the most pressing challenge upfront: get executive buy-in before you start defining your goals. With senior management behind the plan, implementation will become easier.
    • Create PPM processes that are a cultural fit for your company. Define your short and long-term goals for your strategy and support them with fully embedded portfolio management processes.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand why you should develop a PPM strategy and understand how our methodology can help you. We show you how we can support you.

    Obtain executive buy-in for your strategy

    Ensure your strategy is a cultural fit or cultural-add for your company.

    • Develop a Project Portfolio Management Strategy – Phase 1: Get Executive Buy-In for Your PPM Strategy (ppt)
    • PPM High-Level Supply-Demand Calculator (xls)
    • PPM Strategic Plan Template (ppt)
    • PPM Strategy-Process Goals Translation Matrix Template (xls)

    Align the PPM processes to your company's strategic goals

    Use the advice and tools in this stage to align the PPM processes.

    • Develop a Project Portfolio Management Strategy – Phase 2: Align PPM Processes to Your Strategic Goals (ppt)
    • PPM Strategy Development Tool (xls)

    Refine and complete your plan

    Use the inputs from the previous stages and add a cost-benefit analysis and tool recommendation.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities (ppt)

    Streamline your maintenance delivery

    Define quality standards in maintenance practices. Enforce these in alignment with the governance you have set up. Show a high degree of transparency and open discussions on development challenges.

    • Develop a Project Portfolio Management Strategy – Phase 3: Complete Your PPM Strategic Plan (ppt)
    • Project Portfolio Analyst / PMO Analyst (doc)

     

     

    Annual CIO Survey Report 2024

    • Buy Link or Shortcode: {j2store}106|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    CIOs today face increasing pressures, disruptive emerging technologies, talent shortages, and a slew of other challenges. What are their top concerns, priorities, and technology bets that will define the future direction of IT?

    CIO responses to our Future of IT 2024 survey reveal key insights on spending projects, the potential disruptions causing the most concern, plans for adopting emerging technology, and how firms are responding to generative AI.

    See how CIOs are sizing up the opportunities and threats of the year ahead

    Map your organization’s response to the external environment compared to CIOs across geographies and industries. Learn:

    • The CIO view on continuing concerns such as cybersecurity.
    • Where they rate their IT department’s maturity.
    • What their biggest concerns and budget increases are.
    • How they’re approaching third-party generative AI tools.

    Annual CIO Survey Report 2024 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Future of IT Survey 2024 – A summary of key insights from the CIO responses to our Future of IT 2024 survey.

    Take the pulse of the IT industry and see how CIOs are planning to approach 2024.

    • Annual CIO Survey Report for 2024
    [infographic]

    Further reading

    Annual CIO Survey Report 2024

    An inaugural look at what's on the minds of CIOs.

    1. Firmographics

    • Region
    • Title
    • Organization Size
    • IT Budget Size
    • Industry

    Firmographics

    The majority of CIO responses came from North America. Contributors represent regions from around the world.

    Countries / Regions Response %
    United States 47.18%
    Canada 11.86%
    Australia 9.60%
    Africa 6.50%
    China 0.28%
    Germany 1.13%
    United Kingdom 5.37%
    India 1.41%
    Brazil 1.98%
    Mexico 0.56%
    Middle East 4.80%
    Asia 0.28%
    Other country in Europe 4.52%

    n=354

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

    Pie Chart of CIO positions

    38% of respondents are from an organization with above 1,000 employees

    Pie chart of size of organizations

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    40% of CIOs report an annual budget of more than $10 million

    Pie chart of CIO annual budget

    A range of industries are represented, with 29% of respondents in the public sector or financial services

    Range of industries

    2. Key Factors

    • IT Maturity
    • Disruptive Factors
    • IT Spending Plans
    • Talent Shortage

    Two in three respondents say IT can deliver outcomes that Support or Optimize the business

    IT drives outcomes

    Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

    How likely is it that the following factors will disrupt your business in the next 12 months?

    Chart for factors that will disrupt your business

    Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

    Chart of IT spending change

    3. Adoption of Emerging Technology

    • Fastest growing tech for 2024 and beyond

    CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

    Top five technologies for new spending planned in 2024:

    1. Artificial intelligence - 35%
    2. Robotic process automation or intelligent process automation - 24%
    3. No-code/low-code platforms - 21%
    4. Data management solutions - 14%
    5. Internet of Things (IoT) - 13%

    Top five technologies for new spending planned after 2024:

    1. Mixed reality - 20%
    2. Blockchain - 19%
    3. Internet of Things (IoT) - 17%
    4. Robotics/drones - 16%
    5. Robotic process automation or intelligent process automation - 14%

    n=301

    Info-Tech Insight
    Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

    4. Adoption of AI

    • Interest in generative AI applications
    • Tasks to be completed with AI
    • Progress in deploying AI

    CIOs are most interested in industry-specific generative AI applications or text-based

    Rate your business interest in adopting the following generative AI applications:

    Chart for interest in AI

    There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

    n=251

    Info-Tech Insight
    Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

    By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

    Most popular use cases for AI by end of 2024:

    1. Business analytics or intelligence - 69%
    2. Automate repetitive, low-level tasks - 68%
    3. Identify risks and improve security - 66%
    4. IT operations - 62%
    5. Conversational AI or virtual assistants - 57%

    Fastest growing uses cases for AI in 2024:

    1. Automate repetitive, low-level tasks - 39%
    2. IT operations - 38%
    3. Conversational AI or virtual assistants - 36%
    4. Business analytics or intelligence - 35%
    5. Identify risks and improve security - 32%

    n=218

    Info-Tech Insight
    The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

    One in three CIOs are running AI pilots or are more advanced with deployment

    How far have you progressed in the use of AI?

    Chart of progress in use of AI

    Info-Tech Insight
    Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

    5. AI Risk

    • Perceived impact of AI
    • Approach to third-party AI tools
    • AI features in business applications
    • AI governance and accountability

    Six in ten CIOs say AI will have a positive impact on their organization

    What overall impact do you expect AI to have on your organization?

    Overall impact of AI on organization

    The majority of CIOs are waiting for professional-grade generative AI tools

    Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

    Third-party generative AI

    Info-Tech Insight
    Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

    One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

    Who in your organization is accountable for governance of AI?

    Governance of AI

    More than one-third of CIOs say no AI governance steps are in place today

    What AI governance steps does your organization have in place today?

    Chart of AI governance steps

    Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

    Chart of AI governance steps

    Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

    6. Contribute to Info-Tech's Research Community

    • Volunteer to be interviewed
    • Attend LIVE in Las Vegas

    It's not too late; take the Future of IT online survey

    Contribute to our tech trends insights

    If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

    Complete an interview for the Future of IT research project

    Help us chart the future course of IT

    If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

    If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

    LIVE 2023

    Methodology

    All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

    A CIO focus for the Future of IT

    Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

    Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

    This data segment reflects 355 total responses with 239 completing every question on the survey.

    Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

    Understand the Difference Between Backups and Archives

    • Buy Link or Shortcode: {j2store}506|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • You don’t understand the difference between a backup and an archive or when to use one or the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that was in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?

    Our Advice

    Critical Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks, but recovery and discovery are capabilities the business wants and is willing to pay for.

    Impact and Result

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Understand the Difference Between Backups and Archives Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the Difference Between Backups and Archives

    What is the difference between a backup and a data archive? When should I use one over the other? They are not the same and confusing the two concepts could be expensive.

    • Understand the Difference Between Backups and Archives Storyboard
    [infographic]

    Further reading

    Understand the Difference Between Backups and Archives

    They are not the same, and confusing the two concepts could be expensive

    Analyst Perspective

    Backups and archives are not interchangeable, but they can complement each other.

    Photo of P.J. Ryan, Research Director, Infrastructure & Operations, Info-Tech Research Group.

    Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.

    Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • You don’t understand the difference between a backup and an archive or when to use one over the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that had been in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?
    Common Obstacles
    • Storage costs can be expensive, as can some backup and archiving solutions.
    • Unclear requirements definition to decide between backups or archives.
    • Historically, people referred to archiving as tossing something into a box and storing it away indefinitely. Data archiving has a different meaning.
    • Executives want retired applications preserved but do not provide reasons or requirements.
    Info-Tech’s Approach
    • Spend wisely. Why spend money on an archive solution when a backup will suffice? Don’t leave money on the table.
    • Be creative and assess each backup or archive situation carefully. A custom solution may be required.
    • Backup your production data for the purpose of restoring it and adhere to the 3-2-1 rule of backups (Naviko.com).
    • Archive your older data to an alternate storge platform to save space, allow for searchability, and provide retention parameters.

    Info-Tech Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.

    Archive

    What it IS

    A data archive is an alternate location for your older, infrequently accessed production data. It is indexed and searchable based on keywords. Archives are deleted after a specified period based on your retention policy or compliance directives.

    What it IS NOT

    Archives are not an emergency copy of your production data. They are not any type of copy of your production data. Archives will not help you if you lose your data or accidentally delete a file. Archives are not multiple copies of production data from various recovery points.

    Why use it

    Archives move older data to an alternate location. This frees up storage space for your current data. Archives are indexed and can be searched for historical purposes, compliance reasons, or in the event of a legal matter where specific data must be provided to a legal team.

    Tips & Tricks – Archiving

    • Archiving will move older data to an alternate location. This will free up storage space in the production environment.
    • Archiving solutions index the data to allow for easier searchability. This will aid in common business searches as well as assist with any potential legal searches.
    • Archiving allows companies to hold onto data for historical purposes as well as for specific retention periods in compliance with industry and regional regulations such as SOX, GDPR, FISMA, as well as others (msp360.com).

    Backup

    What it IS

    A backup is a copy of your data from a specific day and time. It is primarily used for recovery or restoration if something happens to the production copy of data. The restore will return the file or folder to the state it was in at the time of the backup.

    Backups occur frequently to ensure the most recent version of data is copied to a safe location.

    A typical backup plan makes a copy of the data every day, once a week, and once a month. The data is stored on tapes, disk, or using cloud storage.

    What it IS NOT

    Backups are not designed for searching or discovery. If you backup your email and must go to that backup in search of all email pertaining to a specific topic, you must restore the full backup and then search for that specific topic or sender. If you kept all the monthly backups for seven years, that will mean repeating that process 84 times to have a conclusive search, assuming you have adequate storage space to restore the email database 84 times.

    Backups do not free up space.

    Why use it

    Backups protect your data in the event of disaster, deletion, or accidental damage. A good backup strategy will include multiple backups on different media and offsite storage of at least one copy.

    Tips & Tricks – Backups

    • Production data should be backed up on a regular basis, ideally once a day or more frequently if possible.
    • Backups are intended to restore data when it gets deleted, over-written, or otherwise compromised. Most restore requests are from the last 24 to 48 hours, so it may be advantageous to keep a backup readily available on disk for a quick restore when needed.
    • Some vendors and industry subject matter experts advocate the use of a 3-2-1 rule when it comes to backups:
      • Keep three copies of your production data
      • In at least two separate locations (some advocate two different formats), and
      • One copy should be offsite (nakivo.com)

    Cold Storage

    • Cold storage refers to a storage option offered by some cloud vendors. In the context of the discussion between backups and archives, it can be an option for a dedicated backup solution for a specific period. Cost is low and the data is protected from destruction.
    • If an app has been replaced and all data transferred to the replacement solution but for some reason the company wishes to hold onto the data, you want a backup, not an archive. Extract the data, convert it into MongoDB or a similar solution, and drop it into cheap cloud storage (cold storage) for less than $5 per TB/month.

    Case Study

    Understanding the difference between archives and backups could save you a lot of time and money

    INDUSTRY: Manufacturing | SOURCE: Info-Tech Research

    Understanding the difference between an archive and a backup was the first step in solving their challenge.

    A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.

    The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.

    Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.

    A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.

    Understand the Difference Between Backups and Archives

    Backups

    Backups are for recovery. A backup is a snapshot copy of production data at a specific point in time. If the production data is lost, destroyed, or somehow compromised, the data can be restored from the backup.

    Archives

    Archives are for discovery. It is production data that is moved to an alternate location to free up storage space, allow the data to be searchable, and still hold onto the data for historical or compliance purposes.

    Info-Tech Insight

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Additional Guidance

    Production data should be backed up.

    The specific backup solution is up to the business.

    Production data that is not frequently accessed should be archived.

    The specific solution to perform and manage the archiving of the data is up to the business

    • Archived data should also be backed up at least once.
    If the app has been replaced and all data transferred, you want a backup not an archive if you want to keep the data.
    • Short term – fence it off.
    • Long term – extract into Mongo then drop it into cheap cloud storage.

    Case Study

    Using tape backups as an archive solution could result in an expensive discovery and retrieval exercise.

    INDUSTRY: Healthcare | SOURCE: Zasio Enterprises Inc.

    “Do not commingle archive data with backup or disaster recovery tapes.”

    A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.

    Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.

    The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).

    A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.

    Backups and archives are complementary to each other

    • Archives are still production data, but the data does not change. A backup is recommended for the archived data, but the frequency of the backups can be lowered.
    • Backups protect you if a disaster strikes by providing a copy of the production data that was compromised or damaged. Archives allow you to access older data that may have just been forgotten, not destroyed or compromised. Archives could also protect you in a legal court case by providing data that is older but may prove your argument in court.

    Archives and backups are not the same.

    Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.

    Archive Backup
    Definition Move rarely accessed (but still production) data to separate media. Store a copy of frequently used data on a separate media to ensure timely operational recovery.
    Use Case Legal discovery, primary storage reduction, compliance requirements, and audits. Accidental deletion and/or corruption of data, hardware/software failures.
    Method Disk, cloud storage, appliance. Disk, backup appliance, snapshots, cloud.
    Data Older, rarely accessed production data. Current production data.

    Is it a backup or archive?

    • You want to preserve older data for legal and compliance reasons, so you put extra effort into keeping your tape backups safe and secure for seven years. That’s a big mistake that may cost you time and money. You want an archive solution.
    • You replace your older application and migrate all data to the new system, but you want to hold onto the old data, just in case. That’s a backup, not an archive.
    • A long serving senior executive recently left the company. You want to preserve the contents of the executive's laptop in case it is needed in the future. That’s a backup.

    Considerations When Choosing Between Solutions

    1

    Backup or archive?

    2

    What are you protecting?

    3

    Why are you protecting data?

    4

    Solution

    Backup

    Backup and/or archive.
    Additional information required.
    Column 3 may help

    Archive

    Device

    Data

    Application

    Operational Environment

    Operational recovery

    Disaster recovery

    Just in case

    Production storage space reduction

    Retention and preservation

    Governance, risk & compliance

    Backup

    Archive

    Related Info-Tech Research

    Stock image of light grids and flares. Establish an Effective Data Protection Plan

    Give data the attention it deserves by building a strategy that goes beyond backup.

    Stock image of old fuse box switches. Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Logo for 'Software Reviews' and their information on 'Compare and Evaluate: Data Archiving.'
    Sample of Info-Tech's 'Data Archiving Policy'. Data Archiving Policy

    Bibliography

    “Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.

    G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.

    Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.

    Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.

    Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.

    “What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.

    Satisfy Digital End Users With Low- and No-Code

    • Buy Link or Shortcode: {j2store}185|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $2,460 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Your organization decided to invest in digital solutions to support their transition to a digital and automated workplace. They are ready to begin the planning and delivery of these solutions.
    • However, IT capacity is constrained due to the high and aggressive demand to meet business priorities and maintain mission critical applications. Technical experience and skills are difficult to find, and stakeholders are increasing their expectations to deliver technologies faster with high quality using less resources.
    • Stakeholders are interested in low and no code solutions as ways to their software delivery challenges and explore new digital capabilities.

    Our Advice

    Critical Insight

    • Current software delivery inefficiencies and lack of proper governance and standards impedes the ability to successfully scale and mature low and no code investments and see their full value.
    • Many operating models and culture do not enable or encourage the collaboration needed to evaluate business opportunities and underlying operational systems.This can exacerbate existing shadow IT challenges and promote a negative perception of IT.
    • Low and no code tools bring significant organizational, process, and technical changes that IT and the business may not be prepared or willing to accept and adopt, especially when these tools support business and worker managed applications and services.

    Impact and Result

    • Establish the right expectations. Profile your digital end users and their needs and challenges. Discuss current IT and business software delivery and digital product priorities to determine what to expect from low- and no-code.
    • Build your low- and no-code governance and support. Clarify the roles, processes, and tools needed for low- and no-code delivery and management through IT and business collaboration.
    • Evaluate the fit of low- and no-code and shortlist possible tools. Obtain a thorough view of the business and technical complexities of your use cases. Indicate where and how low- and no-code is expected to generate the most return.

    Satisfy Digital End Users With Low- and No-Code Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Satisfy Digital End Users With Low- and No-Code Deck – A step-by-step guide on selecting the appropriate low- and no-code tools and building the right people, processes, and technologies to support them.

    This blueprint helps you develop an approach to understand your low- and no-code challenges and priorities and to shortlist, govern, and manage the right low- and no-code tools.

    • Satisfy Digital End Users With Low- and No-Code – Phases 1-3

    2. Low- and No-Code Communication Template – Clearly communicate the goal and approach of your low- and no-code implementation in a language your audience understands.

    This template narrates a story to describe the need and expectations of your low- and no-code initiative to get buy-in from stakeholders and interested parties.

    • Low- and No-Code Communication Template

    Infographic

    Workshop: Satisfy Digital End Users With Low- and No-Code

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Select Your Tools

    The Purpose

    Understand the personas of your low- and no-code users and their needs.

    List the challenges low- and no-code is designed to solve or the opportunities you hope to exploit.

    Identify the low- and no-code tools to address your needs.

    Key Benefits Achieved

    Level set expectations on what low- and no-code can deliver.

    Identify areas where low- and no-code can be the most beneficial.

    Select the tools to best address your problem and opportunities.

    Activities

    1.1 Profile your digital end users

    1.2 Set reasonable expectations

    1.3 List your use cases

    1.4 Shortlist your tools

    Outputs

    Digital end-user skills assessment

    Low- and no-code objectives and metrics

    Low- and no-code use case opportunities

    Low- and no-code tooling shortlist

    2 Deliver Your Solution

    The Purpose

    Optimize your product delivery process to accommodate low- and no-code.

    Review and improve your product delivery and management governance model.

    Discuss how to improve your low- and no-code capacities.

    Key Benefits Achieved

    Encourage business-IT collaborative practices and improve IT’s reputation.

    Shift the right accountability and ownership to the business.

    Equip digital end users with the right skills and competencies.

    Activities

    2.1 Adapt your delivery process

    2.2 Transform your governance

    2.3 Identify your low- and no-code capacities

    Outputs

    Low- and no-code delivery process and guiding principles

    Low- and no-code governance, including roles and responsibilities, product ownership and guardrails

    List of low- and no-code capacity improvements

    3 Plan Your Adoption

    The Purpose

    Design a CoE and/or CoP to support low- and no-code capabilities.

    Build a roadmap to illustrate key low- and no-code initiatives.

    Key Benefits Achieved

    Ensure coordinated, architected, and planned implementation and adoption of low- and no-code consistently across the organization.

    Reaffirm support for digital end users new to low- and no-code.

    Clearly communicate your approach to low- and no-code.

    Activities

    3.1 Support digital end users and facilitate cross-functional sharing

    3.2 Yield results with a roadmap

    Outputs

    Low- and no-code supportive body design (e.g. center of excellence, community of practice)

    Low- and no-code roadmap

    Implement Hardware Asset Management

    • Buy Link or Shortcode: {j2store}312|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $29,447 Average $ Saved
    • member rating average days saved: 25 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Executives are often aware of the benefits asset management offers, but many organizations lack a defined program to manage their hardware.
    • Efforts to implement hardware asset management (HAM) are stalled because organizations feel overwhelmed navigating the process or under use the data, failing to deliver value.

    Our Advice

    Critical Insight

    • Organizations often implement an asset management program as a one-off project and let it stagnate.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underutilized. Departments within IT become data siloes, preventing effective use of the data.

    Impact and Result

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Implement Hardware Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should Implement Hardware Asset Management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay foundations

    Build the foundations for the program to succeed.

    • Implement Hardware Asset Management – Phase 1: Lay Foundations
    • HAM Standard Operating Procedures
    • HAM Maturity Assessment Tool
    • IT Asset Manager
    • IT Asset Administrator

    2. Procure & receive

    Define processes for requesting, procuring, receiving, and deploying hardware.

    • Implement Hardware Asset Management – Phase 2: Procure and Receive
    • HAM Process Workflows (Visio)
    • HAM Process Workflows (PDF)
    • Non-Standard Hardware Request Form
    • Purchasing Policy

    3. Maintain & dispose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    • Implement Hardware Asset Management – Phase 3: Maintain and Dispose
    • Asset Security Policy
    • Hardware Asset Disposition Policy

    4. Plan implementation

    Plan the hardware budget, then build a communication plan and roadmap to implement the project.

    • Implement Hardware Asset Management – Phase 4: Plan Implementation 
    • HAM Budgeting Tool
    • HAM Communication Plan
    • HAM Implementation Roadmap
    [infographic]

    Workshop: Implement Hardware Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Foundations

    The Purpose

    Build the foundations for the program to succeed.

    Key Benefits Achieved

    Evaluation of current challenges and maturity level

    Defined scope for HAM program

    Defined roles and responsibilities

    Identified metrics and reporting requirements

    Activities

    1.1 Outline hardware asset management challenges.

    1.2 Conduct HAM maturity assessment.

    1.3 Classify hardware assets to define scope of the program.

    1.4 Define responsibilities.

    1.5 Use a RACI chart to determine roles.

    1.6 Identify HAM metrics and reporting requirements.

    Outputs

    HAM Maturity Assessment

    Classified hardware assets

    Job description templates

    RACI Chart

    2 Procure & Receive

    The Purpose

    Define processes for requesting, procuring, receiving, and deploying hardware.

    Key Benefits Achieved

    Defined standard and non-standard requests for hardware

    Documented procurement, receiving, and deployment processes

    Standardized asset tagging method

    Activities

    2.1 Identify IT asset procurement challenges.

    2.2 Define standard hardware requests.

    2.3 Document standard hardware request procedure.

    2.4 Build a non-standard hardware request form.

    2.5 Make lease vs. buy decisions for hardware assets.

    2.6 Document procurement workflow.

    2.7 Select appropriate asset tagging method.

    2.8 Design workflow for receiving and inventorying equipment.

    2.9 Document the deployment workflow(s).

    Outputs

    Non-standard hardware request form

    Procurement workflow

    Receiving and tagging workflow

    Deployment workflow

    3 Maintain & Dispose

    The Purpose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    Key Benefits Achieved

    Policies and processes for hardware maintenance and asset security

    Documented workflows for hardware disposal and recovery/redeployment

    Activities

    3.1 Build a MAC policy, request form, and workflow.

    3.2 Design process and policies for hardware maintenance, warranty, and support documentation handling.

    3.3 Revise or create an asset security policy.

    3.4 Identify challenges with IT asset recovery and disposal and design hardware asset recovery and disposal workflows.

    Outputs

    User move workflow

    Asset security policy

    Asset disposition policy, recovery and disposal workflows

    4 Plan Implementation

    The Purpose

    Select tools, plan the hardware budget, then build a communication plan and roadmap to implement the project.

    Key Benefits Achieved

    Shortlist of ITAM tools

    Hardware asset budget plan

    Communication plan and HAM implementation roadmap

    Activities

    4.1 Generate a shortlist of ITAM tools that will meet requirements.

    4.2 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget.

    4.3 Build HAM policies.

    4.4 Develop a communication plan.

    4.5 Develop a HAM implementation roadmap.

    Outputs

    HAM budget

    Additional HAM policies

    HAM communication plan

    HAM roadmap tool

    Further reading

    Implement Hardware Asset Management

    Build IT services value on the foundation of a proactive asset management program.

    ANALYST PERSPECTIVE

    IT asset data impacts the entire organization. It’s time to harness that potential.

    "Asset management is like exercise: everyone is aware of the benefits, but many struggle to get started because the process seems daunting. Others fail to recognize the integrative potential that asset management offers once an effective program has been implemented.

    A proper hardware asset management (HAM) program will allow your organization to cut spending, eliminate wasteful hardware, and improve your organizational security. More data will lead to better business decision-making across the organization.

    As your program matures and your data gathering and utility improves, other areas of your organization will experience similar improvements. The true value of asset management comes from improved IT services built upon the foundation of a proactive asset management program." - Sandi Conrad, Practice Lead, Infrastructure & Operations Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • Asset Managers and Service Delivery Managers tasked with developing an asset management program who need a quick start.
    • CIOs and CFOs who want to reduce or improve budgeting of hardware lifecycle costs.
    • Information Security Officers who need to mitigate the risk of sensitive data loss due to insecure assets.

    This Research Will Help You:

    • Develop a hardware asset management (HAM) standard operating procedure (SOP) that documents:
      • Process roles and responsibilities.
      • Data classification scheme.
      • Procurement standards, processes, and workflows for hardware assets.
      • Hardware deployment policies, processes, and workflows.
      • Processes and workflows for hardware asset security and disposal.
    • Identify requirements for an IT asset management (ITAM) solution to help generate a shortlist.
    • Develop a hardware asset management implementation roadmap.
    • Draft a communication plan for the initiative.

    Executive summary

    Situation

    • Executives are aware of the numerous benefits asset management offers, but many organizations lack a defined ITAM program and especially a HAM program.
    • Efforts to implement HAM are stalled because organizations cannot establish and maintain defined processes and policies.

    Complication

    • Organizations often implement an asset management program as a one- off project and let it stagnate, but asset management needs to be a dynamic, continually involving process to succeed.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underused. Departments within IT become data siloes, preventing effective use of the data.

    Resolution

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.
    • Pace yourself; a staged implementation will make your ITAM program a success.

    Info-Tech Insight

    1. HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.
    2. ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.
    3. Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Implement HAM to reduce and manage costs, gain efficiencies, and ensure regulatory compliance

    Save & Manage Money

    • Companies with effective HAM practices achieve cost savings through redeployment, reduction of lost or stolen equipment, power management, and on-time lease returns.
    • The right HAM system will enable more accurate planning and budgeting by business units.

    Improve Contract Management

    • Real-time asset tracking to vendor terms and conditions allows for more effective negotiation.

    Inform Technology Refresh

    • HAM provides accurate information on hardware capacity and compatibility to inform upgrade and capacity planning

    Gain Service Efficiencies

    • Integrating the hardware lifecycle with the service desk will enable efficiencies through Install/Moves/Adds/Changes (IMAC) processes, for larger organizations.

    Meet Regulatory Requirements

    • You can’t secure organizational assets if you don’t know where they are! Meet governance and privacy laws by knowing asset location and that data is secure.

    Prevent Risk

    • Ensure data is properly destroyed through disposal processes, track lost and stolen hardware, and monitor hardware to quickly identify and isolate vulnerabilities.

    HAM is more than just inventory; 92% of organizations say that it helps them provide better customer support

    Hardware asset management (HAM) provides a framework for managing equipment throughout its entire lifecycle. HAM is more than just keeping an inventory; it focuses on knowing where the product is, what costs are associated with it, and how to ensure auditable disposition according to best options and local environmental laws.

    Implementing a HAM practice enables integration of data and enhancement of many other IT services such as financial reporting, service management, green IT, and data and asset security.

    Cost savings and efficiency gains will vary based on the organization’s starting state and what measures are implemented, but most organizations who implement HAM benefit from it. As organizations increase in size, they will find the greatest gains operationally by becoming more efficient at handling assets and identifying costs associated with them.

    A 2015 survey by HDI of 342 technical support professionals found that 92% say that HAM has helped their teams provide better support to customers on hardware-related issues. Seventy-seven percent have improved customer satisfaction through managing hardware assets. (HDI, 2015)

    HAM delivers cost savings beyond only the procurementstage

    HAM cost savings aren’t necessarily realized through the procurement process or reduced purchase price of assets, but rather through the cost of managing the assets.

    HAM delivers cost savings in several ways:

    • Use a discovery tool to identify assets that may be retired, redeployed, or reused to cut or reallocate their costs.
    • Enforce power management policies to reduce energy consumption as well as costs associated with wasted energy.
    • Enforce policies to lock down unauthorized devices and ensure that confidential information isn’t lost (and you don’t have to waste money recovering lost data).
    • Know the location of all your assets and which are connected to the network to ensure patches are up to date and avoid costly security risks and unplanned downtime.
    • Scan assets to identify and remediate vulnerabilities that can cause expensive security attacks.
    • Improve vendor and contract management to identify areas of hardware savings.

    The ROI for HAM is significant and measurable

    Benefit Calculation Sample Annual Savings

    Reduced help desk support

    • The length of support calls should be reduced by making it easier for technicians to identify PC configuration.
    # of hardware-related support tickets per year * cost per ticket * % reduction in average call length 2,000 * $40 * 20% = $16,000

    Greater inventory efficiency

    • An ITAM solution can automate and accelerate inventory preparation and tasks.
    Hours required to complete inventory * staff required * hourly pay rate for staff * number of times a year inventory required 8 hours * 5 staff * $33 per hour * 2 times a year = $2,640

    Improved employee productivity

    • Organizations can monitor and detect unapproved programs that result in lost productivity.
    # of employees * percentage of employees who encounter productivity loss through unauthorized software * number of hours per year spent using unauthorized software * average hourly pay rate 500 employees * 10% * 156 hours * $18 = $140,400

    Improved security

    • Improved asset tracking and stronger policy enforcement will reduce lost and stolen devices and data.
    # of devices lost or stolen last year * average replacement value of device + # of devices stolen * value of data lost from device (50 * $1,000) + (50 * $5,000) = $300,000
    Total Savings: $459,040
    1. Weigh the return against the annual cost of investing in an ITAM solution to calculate the ROI.
    2. Don’t forget about the intangible benefits that are more difficult to quantify but still significant, such as increased visibility into hardware, more accurate IT planning and budgeting, improved service delivery, and streamlined operations.

    Avoid these common barriers to ITAM success

    Organizations that struggle to implement ITAM successfully usually fall victim to these barriers:

    Organizational resistance to change

    Senior-level sponsorship, engagement, and communication is necessary to achieve the desired outcomes of ITAM; without it, ITAM implementations stall and fail or lack the necessary resources to deliver the value.

    Lack of dedicated resources

    ITAM often becomes an added responsibility for resources who already have other full-time responsibilities, which can quickly cause the program to lose focus. Increase the chance of success through dedicated resources.

    Focus on tool over process

    Many organizations buy a tool thinking it will do most of the work for them, but without supporting processes to define ITAM, the data within the tool can become unreliable.

    Choosing a tool or process that doesn’t scale

    Some organizations are able to track assets through manual discovery, but as their network and user base grows, this quickly becomes impossible. Choose a tool and build processes that will support the organization as it grows.

    Using data only to respond to an audit without understanding root causes

    Often, organizations implement ITAM only to the extent necessary to achieve compliance for audits, but without investigating the underlying causes of non-compliance and thus not solving the real problems.

    To help you make quick progress, Info-Tech Research Group parses hardware asset management into essential processes

    Focus on hardware asset lifecycle management essentials:

    IT Asset Procurement:

    • Define procurement standards for new hardware along with related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    IT Asset Intake and Deployment:

    • Define policies, processes, and workflows for hardware and receiving, inventory, and tracking practices.
    • Develop processes and workflows for managing imaging, change and moves, and large-scale rollouts.

    IT Asset Security and Maintenance:

    • Develop processes, policies, and workflows for asset tracking and security.
    • Maintain contracts and agreements.

    IT Asset Disposal or Recovery:

    • Manage the employee termination and equipment recovery cycle.
    • Securely wipe and dispose of assets that have reached retirement stage.

    The image is a circular graphic, with Implement HAM written in the middle. Around the centre circle are four phrases: Recover or Dispose; Plan & Procure; Receive & Deploy; Secure & Maintain. Around that circle are six words: Retire; Plan; Request; Procure; Receive; Manage.

    Follow Info-Tech’s methodology to build a plan to implement hardware asset management

    Phase 1: Assess & Plan Phase 2: Procure & Receive Phase 3: Maintain & Dispose Phase 4: Plan Budget & Build Roadmap
    1.1 Assess current state & plan scope 2.1 Request & procure 3.1 Manage & maintain 4.1 Plan budget
    1.2 Build team & define metrics 2.2 Receive & deploy 3.2 Redeploy or dispose 4.2 Communicate & build roadmap
    Deliverables
    Standard Operating Procedure (SOP)
    HAM Maturity Assessment Procurement workflow User move workflow HAM Budgeting Tool
    Classified hardware assets Non-standard hardware request form Asset security policy HAM Communication Plan
    RACI Chart Receiving & tagging workflow Asset disposition policy HAM Roadmap Tool
    Job Descriptions Deployment workflow Asset recovery & disposal workflows Additional HAM policies

    Asset management is a key piece of Info-Tech's COBIT- inspired IT Management and Governance Framework

    The image shows a graphic which is a large grid, showing Info-Tech's research, sorted into categories.

    Cisco IT reduced costs by upwards of $50 million through implementing ITAM

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Cisco Systems, Inc.

    Cisco Systems, Inc. is the largest networking company in the world. Headquartered in San Jose, California, the company employees over 70,000 people.

    Asset Management

    As is typical with technology companies, Cisco boasted a proactive work environment that encouraged individualism amongst employees. Unfortunately, this high degree of freedom combined with the rapid mobilization of PCs and other devices created numerous headaches for asset tracking. At its peak, spending on hardware alone exceeded $100 million per year.

    Results

    Through a comprehensive ITAM implementation, the new asset management program at Cisco has been a resounding success. While employees did have to adjust to new rules, the process as a whole has been streamlined and user-satisfaction levels have risen. Centralized purchasing and a smaller number of hardware platforms have allowed Cisco to cut its hardware spend in half, according to Mark Edmondson, manager of IT services expenses for Cisco Finance.

    This case study continues in phase 1

    The image shows four bars, from bottom to top: 1. Asset Gathering; 2. Asset Distribution; 3. Asset Protection; 4. Asset Data. On the right, there is an arrow pointing upwards labelled ITAM Program Maturity.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    HAM Standard Operating Procedures (SOP)

    HAM Maturity Assessment

    Non-Standard Hardware Request Form

    HAM Visio Process Workflows

    HAM Policy Templates

    HAM Budgeting Tool

    HAM Communication Plan

    HAM Implementation Roadmap Tool

    Measured value for Guided Implementations (GIs)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value
    Phase 1: Lay Foundations
    • Time, value, and resources saved by using Info-Tech’s tools and templates to assess current state and maturity, plan scope of HAM program, and define roles and metrics.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 2: Procure & Receive
    • Time, value, and resources saved by using Info-Tech’s tools and templates to build processes for hardware request, procurement, receiving, and deployment.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 3: Maintain & Dispose
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to build processes and policies for managing and maintaining hardware and disposing or redeploying of equipment.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Phase 4: Plan Implementation
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to select tools, plan the hardware budget, and build a roadmap.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Total savings $25,845

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation overview

    1. Lay Foundations 2. Procure & Receive 3. Maintain & Dispose 4. Budget & Implementation
    Best-Practice Toolkit

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    2.1 Request & procure

    2.2 Receive & deploy

    3.1 Manage & maintain

    3.2 Redeploy or dispose

    4.1 Plan budget

    4.2 Communicate & build roadmap

    Guided Implementation
    • Assess current state.
    • Define scope of HAM program.
    • Define roles and metrics.
    • Define standard and non-standard hardware.
    • Build procurement process.
    • Determine asset tagging method and build equipment receiving and deployment processing.
    • Define processes for managing and maintaining equipment.
    • Define policies for maintaining asset security.
    • Build process for redeploying or disposing of assets.
    • Discuss best practices for effectively managing a hardware budget.
    • Build communications plan and roadmap.
    Results & Outcomes
    • Evaluation of current maturity level of HAM
    • Defined scope for the HAM program including list of hardware to track as assets
    • Defined roles and responsibilities
    • Defined and documented KPIs and metrics to meet HAM reporting requirements
    • Defined standard and non- standard requests and processes
    • Defined and documented procurement workflow and purchasing policy
    • Asset tagging method and process
    • Documented equipment receiving and deployment processes
    • MAC policies and workflows
    • Policies and processes for hardware maintenance and asset security
    • Documented workflows for hardware disposal and recovery/redeployment
    • Shortlist of ITAM tools
    • Hardware asset budget plan
    • Communication plan and HAM implementation roadmap

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.comfor more information.

    Phases: Teams, Scope & Hardware Procurement Hardware Procurement and Receiving Hardware Maintenance & Disposal Budgets, Roadmap & Communications
    Duration* 1 day 1 day 1 day 1 day
    * Activities across phases may overlap to ensure a timely completion of the engagement
    Projected Activities
    • Outline hardware asset management goals
    • Review HAM maturity and anticipated milestones
    • Define scope and classify hardware assets
    • Define roles and responsibilities
    • Define metrics and reporting requirements
    • Define standard and non-standard hardware requests
    • Review and document procurement workflow
    • Discuss appropriate asset tagging method
    • Design and document workflow for receiving and inventorying equipment
    • Review/create policy for hardware procurement and receiving
    • Identify data sources and methodology for inventory and data collection
    • Define install/moves/adds/changes (MAC) policy
    • Build workflows to document user MAC processes and design request form
    • Design process and policies for hardware maintenance, warranty, and support documentation handling
    • Design hardware asset recovery and disposal workflows
    • Define budgeting process and review Info-Tech’s HAM Budgeting Tool
    • Develop a communication plan
    • Develop a HAM implementation plan
    Projected Deliverables
    • Standard operating procedures for hardware
    • Visio diagrams for all workflows
    • Workshop summary with milestones and task list
    • Budget template
    • Policy draft

    Phase 1

    Lay Foundations

    Implement Hardware Asset Management

    A centralized procurement process helped cut Cisco’s hardware spend in half

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Challenge

    Cisco Systems’ hardware spend was out of control. Peaking at $100 million per year, the technology giant needed to standardize procurement processes in its highly individualized work environment.

    Users had a variety of demands related to hardware and network availability. As a result, data was spread out amongst multiple databases and was managed by different teams.

    Solution

    The IT team at Cisco set out to solve their hardware-spend problem using a phased project approach.

    The first major step was to identify and use the data available within various departments and databases. The heavily siloed nature of these databases was a major roadblock for the asset management program.

    This information had to be centralized, then consolidated and correlated into a meaningful format.

    Results

    The centralized tracking system allowed a single point of contact (POC) for the entire lifecycle of a PC. This also created a centralized source of information about all the PC assets at the company.

    This reduced the number of PCs that were unaccounted for, reducing the chance that Cisco IT would overspend based on its hardware needs.

    There were still a few limitations to address following the first step in the project, which will be described in more detail further on in this blueprint.

    This case study continues in phase 2

    Step 1.1: Assess current state and plan scope

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    This step will walk you through the following activities:

    1.1.1 Complete MGD (optional)

    1.1.2 Outline hardware asset management challenges

    1.1.3 Conduct HAM maturity assessment

    1.1.4 Classify hardware assets to define scope of the program

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Step Outcomes

    • Understand key challenges related to hardware asset management within your organization to inform program development.
    • Evaluate current maturity level of hardware asset management components and overall program to determine starting point.
    • Define scope for the ITAM program including list of hardware to track as assets.

    Complete the Management & Governance Diagnostic (MGD) to weigh the effectiveness of ITAM against other services

    1.1.1 Optional Diagnostic

    The MGD helps you get the data you need to confirm the importance of improving the effectiveness of your asset management program.

    The MGD allows you to understand the landscape of all IT processes, including asset management. Evaluate all team members’ perceptions of each process’ importance and effectiveness.

    Use the results to understand the urgency to change asset management and its relevant impact on the organization.

    Establish process owners and hold team members accountable for process improvement initiatives to ensure successful implementation and realize the benefits from more effective processes.

    To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).

    Sketch out challenges related to hardware asset management to shape the direction of the project

    Common HAM Challenges

    Processes and Policies:

    • Existing asset management practices are labor intensive and time consuming
    • Manual spreadsheets are used, making collaboration and automation difficult
    • Lack of HAM policies and standard operating procedures
    • Asset management data is not centralized
    • Lack of clarity on roles and responsibilities for ITAM functions
    • End users don’t understand the value of asset management

    Tracking:

    • Assets move across multiple locations and are difficult to track
    • Hardware asset data comes from multiple sources, creating fragmented datasets
    • No location data is available for hardware
    • No data on ownership of assets

    Security and Risk:

    • No insight into which assets contain sensitive data
    • There is no information on risks by asset type
    • Rogue systems need to be identified as part of risk management best practices
    • No data exists for assets that contain critical/sensitive data

    Procurement:

    • No centralized procurement department
    • Multiple quotes from vendors are not currently part of the procurement process
    • A lack of formal process can create issues surrounding employee onboarding such as long lead times
    • Not all procurement standards are currently defined
    • Rogue purchases create financial risk

    Receiving:

    • No formal process exists, resulting in no assigned receiving location and no assigned receiving role
    • No automatic asset tracking system exists

    Disposal:

    • No insight into where disposed assets go
    • Formal refresh and disposal system is needed

    Contracts:

    • No central repository exists for contracts
    • No insight into contract lifecycle, hindering negotiation effectiveness and pricing optimization

    Outline hardware asset management challenges

    1.1.1 Brainstorm HAM challenges

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    A. As a group, outline the hardware asset management challenges facing the organization.

    Use the previous slide to help you get started. You can use the following headings as a guide or think of your own:

    • Processes and Policies
    • Tracking
    • Procurement
    • Receiving
    • Security and Risk
    • Disposal
    • Contracts

    B. If you get stuck, use the Hardware Asset Management Maturity Assessment Tool to get a quick view of your challenges and maturity targets and kick-start the conversation.

    To be effective with hardware asset management, understand the drivers and potential impact to the organization

    Drivers of effective HAM Results of effective HAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed hardware and software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets, regardless of device type. Encryption, hardware tracking and discovery, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of hardware spend by as much as 5% of the total budget through data for better forecasting and planning.
    Assets with sensitive data are not properly secured, go missing, or are not safely disposed of when retired. Document and enforce security policies for end users and IT staff to ensure sensitive data is properly secured, preventing costs much larger than the cost of only the device.

    Each level of HAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Hardware not safely secured or tagged
    • Hardware purchasing decisions not based on data
    • Minimal tracking tools in place
    Reactive
    • Semi-focused HAM manager
    • No policies published
    • Reliance on suppliers to provide reports for hardware purchases
    • Hardware standards are enforced
    • Discovery tools and spreadsheets used to manage hardware
    Controlled
    • Full-time HAM manager
    • End-user policies published
    • HAM manager involved in budgeting and planning sessions
    • Inventory tracking is in place
    • Hardware is secured and tagged
    • Discovery and inventory tools used to manage hardware
    • Compliance reports run as needed
    Proactive
    • Extended HAM team, including Help Desk, HR, Purchasing
    • Corporate hardware use policies in place and enforced
    • HAM process integrated with help desk and HR processes
    • More complex reporting and integrated financial information and contracts with asset data
    • Hardware requests are automated where possible
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • HAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Quarterly meetings with ITAM team to review policies, procedures, upcoming contracts, and rollouts; data is reviewed before any financial decisions made
    • Full transparency into hardware lifecycle
    • Aligned with business objectives
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Conduct a hardware maturity assessment to understand your starting point and challenges

    1.1.3 Complete HAM Maturity Assessment Tool

    Complete the Hardware Asset Management Maturity Assessment Tool to understand your organization’s overall maturity level in HAM, as well as the starting maturity level aligned with each step of the blueprint, in order to identify areas of strength and weakness to plan the project. Use this to track progress on the project.

    An effective asset management project has four essential components, with varying levels of management required

    The hardware present in your organization can be classified into four categories of ascending strategic complexity: commodity, inventory, asset, and configuration.

    Commodity items are devices that are low-cost, low-risk items, where tracking is difficult and of low value.

    Inventory is tracked primarily to identify location and original expense, which may be depreciated by Finance. Typically there will not be data on these devices and they’ll be replaced as they lose functionality.

    Assets will need the full lifecycle managed. They are identified by cost and risk. Often there is data on these devices and they are typically replaced proactively before they become unstable.

    Configuration items will generally be tracked in a configuration management database (CMDB) for the purpose of enabling the support teams to make decisions involving dependencies, configurations, and impact analysis. Some data will be duplicated between systems, but should be synchronized to improve accuracy between systems.

    See Harness Configuration Management Superpowers to learn more about building a CMDB.

    Classify your hardware assets to determine the scope and strategy of the program

    Asset: A unique device or configuration of devices that enables a user to perform productive work tasks and has a defined location and ownership attributes.

    • Hardware asset management involves tracking and managing physical components from procurement through to retirement. It provides the base for software asset management and is an important process that can lead to improved lifecycle management, service request fulfillment, security, and cost savings through harvesting and redeployment.
    • When choosing your strategy, focus on those devices that are high cost and high risk/function such as desktops, laptops, servers, and mobile devices.

    ASSET - Items of high importance and may contain data, such as PCs, mobile devices, and servers.

    INVENTORY - Items that require significant financial investment but no tracking beyond its existence, such as a projector.

    COMMODITY - Items that are often in use but are of relatively low cost, such as keyboards or mice.

    Classify your hardware assets to define the scope of the program

    1.1.4 Define the assets to be tracked within your organization

    Participants

    • Participants
    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 1 – Overview & Scope

    1. Determine value/risk threshold at which items should be tracked (e.g. over $1,000 and holding data).
    2. Divide a whiteboard or flip chart into three columns: commodity, asset, and inventory.
    3. Divide participants into groups by functional role to brainstorm devices in use within the organization. Write them down on sticky notes.
    4. Place the sticky notes in the column that best describes the role of the product in your organization.

    Align the scope of the program with business requirements

    CASE STUDY

    Industry Public Administration

    Source Client Case Study

    Situation

    A state government designed a process to track hardware worth more than $1,000. Initially, most assets consisted of end-user computing devices.

    The manual tracking process, which relied on a series of Excel documents, worked well enough to track the lifecycle of desktop and laptop assets.

    However, two changes upended the organization’s program: the cost of end-user computing devices dropped dramatically and the demand for network services led to the proliferation of expensive equipment all over the state.

    Complication

    The existing program was no longer robust enough to meet business requirements. Networking equipment was not only more expensive than end-user computing devices, but also more critical to IT services.

    What was needed was a streamlined process for procuring high-cost, high-utility equipment, tracking their location, and managing their lifecycle costs without compromising services.

    Resolution

    The organization decided to formalize, document, and automate hardware asset management processes to meet the new challenges and focus efforts on high-cost, high-utility end-user computing devices only.

    Step 1.2: Build team and define metrics

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team and define metrics

    This step will walk you through the following activities:

    1.2.1 Define responsibilities for Asset Manager and Asset Administrator

    1.2.2 Use a RACI chart to determine roles within HAM team

    1.2.3 Further clarify HAM responsibilities for each role

    1.2.4 Identify HAM reporting requirements

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • IT Managers
    • Asset Manager
    • Asset Coordinators
    • ITAM Team
    • Service Desk
    • End-User Device Support Team

    Step Outcomes:

    • Defined responsibilities for Asset Manager and Asset Administrator
    • Documented RACI chart assigning responsibility and accountability for core HAM processes
    • Documented responsibilities for ITAM/HAM team
    • Defined and documented KPIs and metrics to meet HAM reporting requirements

    Form an asset management team to lead the project

    Asset management is an organizational change. To gain buy-in for the new processes and workflows that will be put in place, a dedicated, passionate team needs to jump-start the project.

    Delegate the following roles to team members and grow your team accordingly.

    Asset Manager

    • Responsible for setting policy and governance of process and data accuracy
    • Support budget process
    • Support asset tracking processes in the field
    • Train employees in asset tracking processes

    Asset Administrator

    • The front-lines of asset management
    • Communicates with and supports asset process implementation teams
    • Updates and contributes information to asset databases
    Service Desk, IT Operations, Applications
    • Responsible for advising asset team of changes to the IT environment, which may impact pricing or ability to locate devices
    • Works with Asset Coordinator/Manager to set standards for lifecycle stages
    • The ITAM team should visit and consult with each component of the business as well as IT.
    • Engage with leaders in each department to determine what their pain points are.
    • The needs of each department are different and their responses will assist the ITAM team when designing goals for asset management.
    • Consultations within each department also communicates the change early, which will help with the transition to the new ITAM program.

    Info-Tech Insight

    Ensure that there is diversity within the ITAM team. Assets for many organizations are diverse and the composition of your team should reflect that. Have multiple departments and experience levels represented to ensure a balanced view of the current situation.

    Define the responsibilities for core ITAM/HAM roles of Asset Manager and Asset Administrator

    1.2.1 Use Info-Tech’s job description templates to define roles

    The role of the IT Asset Manager is to oversee the daily and long-term strategic management of software and technology- related hardware within the organization. This includes:

    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Forming procurement strategies to optimize technology spend across the organization.
    • Developing and implementing procedures for tracking company assets to oversee quality control throughout their lifecycles.

    The role of the IT Asset Administrator is to actively manage hardware and software assets within the organization. This includes:

    • Updating and maintaining accurate asset records.
    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Administrative duties within procurement and inventory management.
    • Maintaining records and databases regarding warranties, service agreements, and lifecycle management.
    • Product standardization and tracking.

    Use Info-Tech’s job description templates to assist in defining the responsibilities for these roles.

    Organize your HAM team based on where they fit within the strategic, tactical, and operational components

    Typically the asset manager will answer to either the CFO or CIO. Occasionally they answer to a vendor manager executive. The hierarchy may vary based on experience and how strategic a role the asset manager will play.

    The image shows a flowchart for organizing the HAM team, structured by three components: Strategic (at the top); Tactical (in the middle); and Operational (at the bottom). The chart shows how the job roles flow together within the hierarchy.

    Determine the roles and responsibilities of the team who will support your HAM program

    1.2.2 Complete a RACI

    A RACI chart will identify who should be responsible, accountable, consulted, and informed for each key activity during the consolidation.

    Participants

    • Project Sponsor
    • IT Director, CIO
    • Project Manager
    • IT Managers and Asset Manager(s)
    • ITAM Team

    Document

    Document in the Standard Operating Procedure.

    Instructions:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key initiative steps for the consolidation project along the left side (use this list as a starting point).
    2. For each initiative, identify each team member’s role. Are they:
      • Responsible? The one responsible for getting the job done.
      • Accountable? Only one person can be accountable for each task.
      • Consulted? Involved through input of knowledge and information.
      • Informed? Receive information about process execution and quality.
    3. As you proceed through the initiative, continue to add tasks and assign responsibility to this RACI chart.

    A sample RACI chart is provided on the next slide

    Start with a RACI chart to determine the responsibilities

    1.2.2 Complete a RACI chart for your organization

    HAM Tasks CIO CFO HAM Manager HAM Administrator Service Desk (T1,T2, T3) IT Operations Security Procurement HR Business Unit Leaders Compliance /Legal Project Manager
    Policies and governance A I R I I C I C C I I
    Strategy A R R R R
    Data entry and quality management C I A I C C I I C C
    Risk management and asset security A R C C R C C
    Process compliance auditing A R I I I I I
    Awareness, education, and training I A I I C
    Printer contracts C A C C C R C C
    Hardware contract management A I R R I I R R I I
    Workflow review and revisions I A C C C C
    Budgeting A R C I C
    Asset acquisition A R C C C C I C C
    Asset receiving (inspection/acceptance) I A R R I
    Asset deployment A R R I I
    Asset recovery/harvesting A R R I I
    Asset disposal C A R R I I
    Asset inventory (input/validate/maintain) I I A/R R R R I I I

    Further clarify HAM responsibilities for each role

    1.2.3 Define roles and responsibilities for the HAM team

    Participants

    • Participants IT Asset Managers and Coordinators
    • ITAM Team
    • IT Managers and IT Director

    Document

    1. Discuss and finalize positions to be established within the ITAM/HAM office as well as additional roles that will be involved in HAM.
    2. Review the sample responsibilities below and revise or create responsibilities for each key position within the HAM team.
    3. Document in the HAM Standard Operating Procedures.
    Role Responsibility
    IT Manager
    • Responsible for writing policies regarding asset management and approving final documents
    • Build and revise budget, tracking actual spend vs. budget, seeking final approvals from the business
    • Process definition, communication, reporting and ensuring people are following process
    • Awareness campaign for new policy and process
    Asset Managers
    • Approval of purchases up to $10,000
    • Inventory and contract management including contract review and recommendations based on business and IT requirements
    • Liaison between business and IT regarding software and hardware
    • Monitor and improve workflows and asset related processes
    • Monitor controls, audit and recommend policies and procedures as needed
    • Validate, manage and analyze data as related to asset management
    • Provide reports as needed for decision making and reporting on risk, process effectiveness and other purposes as required
    • Asset acquisition and disposal
    Service Desk
    Desktop team
    Security
    Infrastructure teams

    Determine criteria for success: establish metrics to quantify and demonstrate the results and value of the HAM function

    HAM metrics fall in the following categories:

    HAM Metrics

    • Quantity e.g. inventory levels and need
    • Cost e.g. value of assets, budget for hardware
    • Compliance e.g. contracts, policies
    • Quality e.g. accuracy of data
    • Duration e.g. time to procure or deploy hardware

    Follow a process for establishing metrics:

    1. Identify and obtain consensus on the organization’s ITAM objectives, prioritized if possible.
    2. For each ITAM objective, select two or three metrics in the applicable categories (not all categories will apply to all objectives); be sure to select metrics that are achievable with reasonable effort.
    3. Establish a baseline measurement for each metric.
    4. Establish a method and accountability for ongoing measurement and analysis/reporting.
    5. Establish accountability for taking action on reported results.
    6. As ITAM expands and matures, change or expand the metrics as appropriate.

    Define KPIs and associated metrics

    • Identify the critical success factors (CSFs) for your hardware asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success and specific metrics that will be tracked and reported on.
    • Sample metrics are below:
    CSF KPI Metrics
    Improve accuracy of IT budget and forecasting
    • Asset costs and value
    • Average cost of workstation
    • Total asset spending
    • Total value of assets
    • Budget vs. spend
    Identify discrepancies in IT environment
    • Unauthorized or failing assets
    • Number of unauthorized assets
    • Assets identified as cause of service failure
    Avoid over purchasing equipment
    • Number of unused and underused computers
    • Number of unaccounted-for computers
    • Money saved from harvesting equipment instead of purchasing new
    Make more-effective purchasing decisions
    • Predicted replacement time and cost of assets
    • Deprecation rate of assets
    • Average cost of maintaining an asset
    • Number of workstations in repair
    Improve accuracy of data
    • Accuracy of asset data
    • Accuracy rate of inventory data
    • Percentage improvement in accuracy of audit of assets
    Improved service delivery
    • Time to deploy new hardware
    • Mean time to purchase new hardware
    • Mean time to deploy new hardware

    Identify hardware asset reporting requirements and the data you need to collect to meet them

    1.2.4 Identify asset reporting requirements

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 13: Reporting

    1. Discuss the goals and objectives of implementing or improving hardware asset management, based on challenges identified in Step 1.2.
    2. From the goals, identify the critical success factors for the HAM program
    3. For each CSF, identify one to three key performance indicators to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable and will be useful for decision making or to take action.
    5. Determine who needs this information and the frequency of reporting.
    6. If you have existing ITAM data, record the baseline metric.
    CSF KPI Metrics Stakeholder/frequency

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Lay Foundations

    Proposed Time to Completion: 4 weeks

    Step 1.1: Assess current state and plan scope

    Start with an analyst kick-off call:

    • Review challenges.
    • Assess current HAM maturity level.
    • Define scope of HAM program.

    Then complete these activities…

    • Complete MGD (optional).
    • Outline hardware asset management challenges.
    • Conduct HAM maturity assessment.
    • Classify hardware assets to define scope of the program.

    With these tools & templates:

    HAM Maturity Assessment

    Standard Operating Procedures

    Step 1.2: Build team and define metrics

    Review findings with analyst:

    • Define roles and responsibilities.
    • Assess reporting requirements.
    • Document metrics to track.

    Then complete these activities…

    • Define responsibilities for Asset Manager and Asset Administrator.
    • Use a RACI chart to determine roles within HAM team.
    • Document responsibilities for HAM roles.
    • Identify HAM reporting requirements.

    With these tools & templates:

    RACI Chart

    Asset Manager and Asset Administrator Job Descriptions

    Standard Operating Procedures

    Phase 1 Results & Insights:

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.4 Classify hardware assets to define scope of the program

    Determine value/risk threshold at which assets should be tracked, then divide a whiteboard into four quadrants representing four categories of assets. Participants write assets down on sticky notes and place them in the appropriate quadrant to classify assets.

    1.2.2 Build a RACI chart to determine responsibilities

    Identify all roles within the organization that will play a part in hardware asset management, then document all core HAM processes and tasks. For each task, assign each role to be responsible, accountable, consulted, or informed.

    Phase 2

    Procure and Receive

    Implement Hardware Asset Management

    Step 2.1: Request and Procure Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.1.1 Identify IT asset procurement challenges

    2.1.2 Define standard hardware requests

    2.1.3 Document standard hardware request procedure

    2.1.4 Build a non-standard hardware request form

    2.1.5 Make lease vs. buy decisions for hardware assets

    2.1.6 Document procurement workflow

    2.1.7 Build a purchasing policy

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Step Outcomes:

    • Definition of standard hardware requests for roles, including core vs. optional assets
    • End-user request process for standard hardware
    • Non-standard hardware request form
    • Lease vs. buy decisions for major hardware assets
    • Defined and documented procurement workflow
    • Documented purchasing policy

    California saved $40 million per year using a green procurement strategy

    CASE STUDY

    Industry Government

    Source Itassetmanagement.net

    Challenge

    Signed July 27, 2004, Executive order S-20-04, the “Green Building Initiative,” placed strict regulations on energy consumption, greenhouse gas emissions, and raw material usage and waste.

    In compliance with S-20-04, the State of California needed to adopt a new procurement strategy. Its IT department was one of the worst offenders given the intensive energy usage by the variety of assets managed under the IT umbrella.

    Solution

    A green IT initiative was enacted, which involved an extensive hardware refresh based on a combination of agent-less discovery data and market data (device age, expiry dates, power consumption, etc.).

    A hardware refresh of almost a quarter-million PCs, 9,500 servers, and 100 email systems was rolled out as a result.

    Other changes, including improved software license compliance and data center consolidation, were also enacted.

    Results

    Because of the scale of this hardware refresh, the small changes meant big savings.

    A reduction in power consumption equated to savings of over $40 million per year in electricity costs. Additionally, annual carbon emissions were trimmed by 200,000 tons.

    Improve your hardware asset procurement process to…

    Asset Procurement

    • Standardization
    • Aligned procurement processes
    • SLAs
    • TCO reduction
    • Use of centralized/ single POC

    Standardize processes: Using standard products throughout the enterprise lowers support costs by reducing the variety of parts that must be stocked for onsite repairs or for provisioning and supporting equipment.

    Align procurement processes: Procurement processes must be aligned with customers’ business requirements, which can have unique needs.

    Define SLAs: Providing accurate and timely performance metrics for all service activities allows infrastructure management based on fact rather than supposition.

    Reduce TCO: Management recognizes service infrastructure activities as actual cost drivers.

    Implement a single POC: A consolidated service desk is used where the contact understands both standards (products, processes, and practices) and the user’s business and technical environment.

    Identify procurement challenges to identify process improvement needs

    2.1.1 Identify IT asset procurement challenges

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    1. As a group, brainstorm existing challenges related to IT hardware requests and procurement.
    2. If you get stuck, consider the common challenges listed below.
    3. Use the results of the discussion to focus on which problems can be resolved and integrated into your organization as operational standards.

    Document hardware standards to speed time to procure and improve communications to users regarding options

    The first step in your procurement workflow will be to determine what is in scope for a standard request, and how non-standard requests will be handled. Questions that should be answered by this procedure include:

    • What constitutes a non-standard request?
    • Who is responsible for evaluating each type of request? Will there be one individual or will each division in IT elect a representative to handle requests specific to their scope of work?
    • What additional security measures need to be taken?
    • Are there exceptions made for specific departments or high-ranking individuals?

    If your end-user device strategy requires an overhaul, schedule time with an Info-Tech analyst to review our blueprint Build an End-User Computing Strategy.

    Once you’ve answered questions like these, you can outline your hardware standards as in the example below:

    Use Case Mobile Standard Mac Standard Mobile Power User
    Asset Lenovo ThinkPad T570 iMac Pro Lenovo ThinkPad P71
    Operating system Windows 10 Pro Mac OSX Windows 10 Pro, 64 bit
    Display 15.6" 21.5" 17.3”

    Memory

    32GB 8GB 64GB
    Processor Intel i7 – 7600U Processor 2.3GHz Xeon E3 v6 Processor
    Drive 500GB 1TB 1TB
    Warranty 3 year 1 year + 2 extended 3 year

    Info-Tech Insight

    Approach hardware standards from a continual improvement frame of mind. Asset management is a dynamic process. Hardware standards will need to adapt over time to match the needs of the business. Plan assessments at routine intervals to ensure your current hardware standards align with business needs.

    Document specifications to meet environmental, security, and manageability requirements

    Determine environmental requirements and constraints.

    Power management

    Compare equipment for power consumption and ability to remotely power down machines when not in use.

    Heat and noise

    Test equipment run to see how hot the device gets, where the heat is expelled, and how much noise is generated. This may be particularly important for users who are working in close quarters.

    Carbon footprint

    Ask what the manufacturer is doing to reduce post-consumer waste and eliminate hazardous materials and chemicals from their products.

    Ensure security requirements can be met.

    • Determine if network/wireless cards meet security requirements and if USB ports can be turned off to prevent removal of data.
    • Understand the level of security needed for mobile devices including encryption, remote shut down or wipe of hard drives, recovery software, or GPS tracking.
    • Decide if fingerprint scanners with password managers would be appropriate to enable tighter security and reduce the forgotten-password support calls.

    Review features available to enhance manageability.

    • Discuss manageability goals with your IT team to see if any can be solved with added features, for example:
      • Remote control for troubleshooting and remote management of data security settings.
      • Asset management software or tags for bar coding, radio frequency identification (RFID), or GPS, which could be used in combination with strong asset management practices to inventory, track, and manage equipment.

    If choosing refurbished equipment, avoid headaches by asking the right questions and choosing the right vendor

    • Is the equipment functional and for how long is it expected to last?
    • How long will the vendor stand behind the product and what support can be expected?
      • This is typically two to five years, but will vary from vendor to vendor.
      • Will they repair or replace machines? Many will just replace the machine.
    • How big is the inventory supply?
      • What kind of inventory does the vendor keep and for how long can you expect the vendor to keep it?
      • How does the vendor source the equipment and do they have large quantities of the same make and model for easier imaging and support?
    • How complete is the refurbishment process?
      • Do they test all components, replace as appropriate, and securely wipe or replace hard drives?
      • Are they authorized to reload MS Windows OEM?
    • Is the product Open Box or used?
      • Open Box is a new product returned back to the vendor. Even if it is not used, the product cannot be resold as a new product. Open Box comes with a manufacturer’s warranty and the latest operating system.
      • If used, how old is the product?

    "If you are looking for a product for two or three years, you can get it for less than half the price of new. I bought refurbished equipment for my call center for years and never had a problem". – Glen Collins, President, Applied Sales Group

    Info-Tech Insight

    Price differences are minimal between large and small vendors when dealing with refurbished machines. The decision to purchase should be based on ability to provide and service equipment.

    Define standard hardware requests, including core and optional assets

    2.1.2 Identify standards for hardware procurement by role

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement.

    1. Divide a whiteboard into columns representing all major areas of the business.
    2. List the approximate number of end users present at each tier and record these totals on the board.
    3. Distribute sticky notes. Use two different sizes: large sizes represent critically important hardware and small sizes represent optional hardware.
    4. Define core hardware assets for each division as well as optional hardware assets.
    5. Focus on the small sticky notes to determine if these optional purchases are necessary.
    6. Finalize the group decision to determine the standard hardware procurement for each role in the organization. Record results in a table similar to the example below:
    Department Core Hardware Assets Optional Hardware Assets
    IT PC, tablet, monitor Second monitor
    Sales PC, monitor Laptop
    HR PC, monitor Laptop
    Marketing PC (iMac) Tablet, laptop

    Document procedures for users to make standard hardware requests

    2.1.3 Document standard hardware request procedure

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 6: End-User Request Process.

    Discuss and document the end-user request process:

    1. In which cases can users request a primary device?
    2. In which cases can users request a secondary (optional device)?
    3. What justification is needed to approve of a secondary device?
      1. E.g. The request for a secondary device should be via email to the IS Projects and Procurements Officer. This email should outline the business case for why multiple devices are required.
    4. Will a service catalog be available and integrated with an ITAM solution for users to make standard requests? If so, can users also configure their options?
    5. Document the process in the standard operating procedure. Example:

    End-User Request Process

    • Hardware and software will be purchased through the user-facing catalog.
    • Peripherals will be ordered as needed.
    • End-user devices will be routed to business managers for approval prior to fulfillment by IT.
    • Requests for secondary devices must be accompanied by a business case.
    • Equipment replacements due to age will be managed through IT replacement processes.

    Improve the process for ordering non-standard hardware by formalizing the request process, including business needs

    2.1.4 Build a non-standard hardware request form

    • Although the goal should be to standardize as much as possible, this isn’t always possible. Ensure users who are requesting non-standard hardware have a streamlined process to follow that satisfies the justifications for increased costs to deliver.
    • Use Info-Tech’s template to build a non-standard hardware request form that may be used by departments/users requesting non-standard hardware in order to collect all necessary information for the request to be evaluated, approved, and sent to procurement.
    • Ensure that the requestor provides detailed information around the equipment requested and the reason standard equipment does not suffice and includes all required approvals.
    • Include instructions for completing and submitting the form as well as expected turnaround time for the approval process.

    Info-Tech Insight

    Include non-standard requests in continual improvement assessment. If a large portion of requests are for non-standard equipment, it’s possible the hardware doesn’t meet the recommended requirements for specialized software in use with many of your business users. Determine if new standards need to be set for all users or just “power users.”

    Identify the information you need to collect to ensure a smooth purchasing process

    Categories Peripherals Desktops/Laptops Servers
    Financial
    • Operational expenses
    • Ordered for inventory with the exceptions of monitors that will be ordered as needed
    • Equipment will be purchased through IT budget
    • Capital expenses
    • Ordered as needed…
    • Inventory kept for…
    • End-user devices will be purchased through departmental budgets
    • Capital expenses
    • Ordered as needed to meet capacity or stability requirements
    • Devices will be purchased through IT budgets
    Request authorization
    • Any user can request
    • Users who are traveling can purchase and expense peripherals as needed, with manager approvals
    • Tier 3 technicians
    Required approvals
    • Manager approvals required for monitors
    • Infrastructure and applications manager up to [$]
    • CIO over [$]
    Warranty requirements
    • None
    • Three years
    • Will be approved with project plan
    Inventory requirements
    • Minimum inventory at each location of 5 of each: mice, keyboards, cables
    • Docking stations will be ordered as needed
    • Laptops (standard): 5
    • Laptops (ultra light): 1
    • Desktops: 5
    • Inventory kept in stock as per DR plan
    Tracking requirements
    • None
    • Added to ITAM database, CMDB
    • Asset tag to be added to all equipment
    • Added to ITAM database, CMDB

    Info-Tech Best Practice

    Take into account the possibility of encountering taxation issues based on where the equipment is being delivered as well as taxes imposed or incurred in the location from which the asset was shipped or sent. This may impact purchasing decisions and shipping instructions.

    Develop a procurement plan to get everyone in the business on the same page

    • Without an efficient and structured process around how IT purchases are budgeted and authorized, maverick spending and dark procurement can result, limiting IT’s control and visibility into purchases.
    • The challenge many IT departments face is that there is a disconnect between meeting the needs of the business and bringing in equipment according to existing policies and procedures.
    • The asset manager should demonstrate how they can bridge the gaps and improve tracking mechanisms at the same time.

    Improve procurement decisions:

    • Demonstrate how technology is a value-add.
    • Make a clear case for the budget by using the same language as the rest of the business.
    • Quantify the output of technology investments in tangible business terms to justify the cost.
    • Include the refresh cycle in the procurement plan to ensure mission- critical systems will include support and appropriate warranty.
    • Plan technology needs for the future and ensure IT technology will continue to meet changing needs.
    • Synchronize redundant organizational procurement chains in order to lower cost.

    Document the following in your procurement procedure:

    • Process for purchase requests
    • Roles and responsibilities, including requestors and approvers
    • Hardware assets to purchase and why they are needed
    • Timelines for purchase
    • Process for vendors

    Info-Tech Insight

    IT procurement teams are often heavily siloed from ITAM teams. The procurement team is typically found in the finance department. One way to bridge the gap is to implement routine, reliable reporting between departments.

    Determine if it makes sense to lease or buy your equipment; weigh the pros and cons of leasing hardware

    Pros

    • Keeps operational costs low in the short term by containing immediate cost.
    • Easy, predictable payments makes it easier to budget for equipment over long term.
    • Get the equipment you need to start doing business right away if you’re just starting out.
    • After the leasing term is up, you can continue the lease and update your hardware to the latest version.
    • Typical leases last 2 or 3 years, meaning your hardware can get upgrades when it needs it and your business is in a better position to keep up with technology.
    • Leasing directly from the vendor provides operational flexibility.
    • Focus on the business and let the vendor focus on equipment service and updates as you don’t have to pay for maintenance.
    • Costs structured as OPEX.

    Cons

    • In the long term, leasing is almost always more expensive than buying because there’s no equity in leased equipment and there may be additional fees and interest.
    • Commitment to payment through the entire lease period even if you’re not using the equipment anymore.
    • Early termination fees if you need to get out of the lease.
    • No option to sell equipment once you’re finished with it to make money back.
    • Maintenance is up to leasing company’s specifications.
    • Product availability may be limited.

    Recommended for:

    • Companies just starting out
    • Business owners with limited capital or budget
    • Organizations with equipment that needs to be upgraded relatively often

    Weigh the pros and cons of purchasing hardware

    Pros

    • Complete control over assets.
    • More flexible and straightforward procurement process.
    • Tax incentives: May be able to fully deduct the cost of some newly purchased assets or write off depreciation for computers and peripherals on taxes.
    • Preferable if your equipment will not be obsolete in the next two or three years.
    • You can resell the asset once you don’t need it anymore to recover some of the cost.
    • Customization and management of equipment is easier when not bound by terms of leasing agreement.
    • No waiting on vendor when maintenance is needed; no permission needed to make changes.

    Cons

    • High initial cost of investment with CAPEX expense model.
    • More paperwork.
    • You (as opposed to vendor) are responsible for equipment disposal in accordance with environmental regulations.
    • You are responsible for keeping up with upgrades, updates, and patches.
    • You risk ending up with out-of-date or obsolete equipment.
    • Hardware may break after terms of warranty are up.

    Recommended for:

    • Established businesses
    • Organizations needing equipment with long-term lifecycles

    Make a lease vs. buy decision for equipment purchases

    2.1.4 Decide whether to purchase or lease

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document policy decisions in the Standard Operating Procedures – Section 7: Procurement

    1. Identify hardware equipment that requires a purchase vs. lease decision.
    2. Discuss with Finance whether it makes sense to purchase or lease each major asset, considering the following:
    • Costs of equipment through each method
    • Tax deductions
    • Potential resale value
    • Potential revenue from using the equipment
    • How quickly the equipment will be outdated or require refresh
    • Size of equipment
    • Maintenance and support requirements
    • Overall costs
  • The leasing vs. buying decision should take considerable thought and evaluation to make the decision that best fits your organizational needs and situation.
  • Determine appropriate warranty and service-level agreements for your organization

    Determine acceptable response time, and weigh the cost of warranty against the value of service.

    • Standard warranties vary by manufacturer, but are typically one or three years.
    • Next-day, onsite service may be part of the standard offering or may be available as an uplift.
    • Four-hour, same-day service can also be added for high availability needs.
    • Extended warranties can be purchased beyond three years, although not many organizations take advantage of this offering.
    • Other organizations lower or remove the warranty and have reported savings of as much as $150 per machine.

    Speak to your partner to see how they can help the process of distributing machines.

    • Internal components change frequently with laptops and desktops. If purchasing product over time rather than buying in bulk, ensure the model will be available for a reasonable term to reduce imaging and support challenges.
    • Determine which services are important to your organization and request these services as part of the initial quote. If sending out a formal RFQ or RFP, document required services and use as the basis for negotiating SLAs.
    • Document details of SLA, including expectations of services for manufacturer, vendor, and internal team.
    • If partner will be providing services, request they stock an appropriate number of hot spares for frequently replaced parts.
    • If self-certifying, review resource capabilities, understand skill and certification requirements; for example, A+ certification may be a pre-requisite.
    • Understand DOA policy and negotiate a “lemon policy,” meaning if product dies within 15 or 30 days it can be classified as DOA. Seek clarity on return processes.

    Consider negotiation strategies, including how and when to engage with different partners during acquisition

    Direct Model

    • Dell’s primary sales model is direct either through a sales associate or through its e-commerce site. Promotions are regularly listed on the website, or if customization is required, desktops and laptops have some flexibility in configuration. Discounts can be negotiated with a sales rep on quantity purchases, but the discount level changes based on the model and configuration.
    • Other tier-one manufacturers typically sell direct only from their e-commerce sites, providing promotions based on stock they wish to move, and providing some configuration flexibility. They rely heavily on the channel for the majority of their business.

    Channel Model

    • Most tier one manufacturers have processes in place to manage a smaller number of partners rather than billing and shipping out to individual customers. Deviating from this process and dealing direct with end customers can create order processing issues.
    • Resellers have the ability to negotiate discounts based on quantities. Discounts will vary based on model, timing (quarter or year end), and quantity commitment.
    • Negotiations on large quantities should involve a manufacturer rep as well as the reseller to clearly designate roles and services, ensure processes are in place to fulfill your needs, and agree on pricing scheme. This will prevent misunderstandings and bring clarity to any commitments.
    • Often the channel partners are authorized to provide repair services under warranty for the manufacturer.
    • Dell also uses the channel model for distribution where customers demand additional services.

    Expect discounts to reflect quantity and method of purchase

    Transaction-based purchases will receive the smallest discounting.

    • Understand requirements to find the most appropriate make and model of equipment.
    • Prepare a forecast of expected purchases for the year and discuss discounting.
    • Typically initial discounts will be 3-5% off suggested retail price.
    • Once a history is in place, and the vendor is receiving regular orders, it may extend deeper discounts.

    Bulk purchases will receive more aggressive discounting of 5-15% off suggested retail price, depending on quantities.

    • Examine shipping options and costs to take advantage of bulk deliveries; in some cases vendors may waive shipping fees as an extension of the discounting.
    • If choosing end-of-line product, ensure appropriate quantity of a single model is available to efficiently roll out equipment.
    • Various pricing models can be used to obtain best price.

    Larger quantities rolled out over time will require commitments to the manufacturer to obtain deepest discounts.

    • Discuss all required services as part of negotiation to ensure there are no surprise charges.
    • Several pricing models can be used to obtain the best price.
      • Suggested retail price minus as much as 20%.
      • Cost plus 3% up to 10% or more.
      • Fixed price based on negotiating equipment availability with budget requirements.

    If sending out to bid, determine requirements and scoring criteria

    It’s nearly impossible to find two manufacturers with the exact same specifications, so comparisons between vendors is more art than science.

    New or upgraded components will be introduced into configurations when it makes the most sense in a production cycle. This creates a challenge in comparing products, especially in an RFP. The best way to handle this is to:

    • Define and document minimum technology requirements.
    • Define and document service needs.
    • Compare vendors to see if they’ve met the criteria or not; if yes, compare prices.
    • If the vendors have included additional offerings, see if they make sense for your organization. If they do, include that in the scoring. If not, exclude and score based on price.
    • Recognize that the complexity of the purchase will dictate the complexity of scoring.

    "The hardware is the least important part of the equation. What is important is the warranty, delivery, imaging, asset tagging, and if they cannot deliver all these aspects the hardware doesn’t matter." – Doug Stevens, Assistant Manager Contract Services, Toronto District School Board

    Document and analyze the hardware procurement workflow to streamline process

    The procurement process should balance the need to negotiate appropriate pricing with the need to quickly approve and fulfill requests. The process should include steps to follow for approving, ordering, and tracking equipment until it is ready for receipt.

    Within the process, it is particularly important to decide if this is where equipment is added into the database or if it will happen upon receipt.

    A poorly designed procurement workflow:

    • Includes many bottlenecks, stopping and starting points.
    • May impact project and service requests and requires unrealistic lead times.
    • May lead to lost productivity for users and lost credibility for the IT department.

    A well-designed hardware procurement workflow:

    • Provides reasonable lead times for project managers and service or hardware request fulfillment.
    • Provides predictability for technical resources to plan deployments.
    • Reduces bureaucracy and workload for following up on missing shipments.
    • Enables improved documentation of assets to start lifecycle management.

    Info-Tech Insight

    Where the Hardware Asset Manager is unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand. Projects, replacements, and new-user requests cannot be delayed in a service-focused IT organization due to bureaucratic processes.

    Document and analyze your procurement workflow to identify opportunities for improvement and communicate process

    Determine if you need one workflow for all equipment or multiples for small vs. large purchases.

    Occasionally large rollouts require significant changes from lower dollar purchases.

    Watch for:

    • Back and forth communications
    • Delays in approvals
    • Inability to get ETAs from vendors
    • Too many requests for quotes for small purchases
    • Entry into asset database

    This sample can be found in the HAM Process Workflows.

    The image shows a workflow, titled Procurement-Equipment-Small Quantity. On the left, the chart is separated into categories: IT Procurment; Tier 2 or Tier 3; IT Director; CIO.

    Design the process workflow for hardware procurement

    2.1.6 Illustrate procurement workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement

    1. In a group, distribute sticky notes or cue cards.
    2. Designate a space on the table/whiteboard to plot the workflow.
    3. Determine which individuals are responsible for handling non-standard requests. Establish any exceptions that may apply to your defined hardware standard.
    4. Gather input from Finance on what the threshold will be for hardware purchases that will require further approval.
    5. Map the procurement process for a standard hardware purchase.
    6. If applicable, map the procurement process for a non-standard request separately.
    7. Evaluate the workflow to identify any areas of inefficiency and make any changes necessary to improve the process.
    8. Be sure to discuss and include:
      • All necessary approvals
      • Time required for standard equipment process
      • Time required for non-standard equipment process
      • How information will be transferred to ITAM database

    Document and share an organizational purchasing policy

    2.1.7 Build a purchasing policy

    A purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    The policy will ensure that all purchasing processes are consistent and in alignment with company strategy. The purchasing policy is key to ensuring that corporate purchases are effective and the best value for money is obtained.

    Implement a purchasing policy to prevent or reduce:

    • Costly corporate conflict of interest cases.
    • Unauthorized purchases of non-standard, difficult to support equipment.
    • Unauthorized purchases resulting in non-traceable equipment.
    • Budget overruns due to decentralized, equipment acquisition.

    Download Info-Tech’s Purchasing Policytemplate to build your own purchasing policy.

    Step 2.2: Receive and Deploy Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.2.1 Select appropriate asset tagging method

    2.2.2 Design workflow for receiving and inventorying equipment

    2.2.3 Document the deployment workflow(s)

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Receiver (optional)
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Understanding of the pros and cons of various asset tagging methods
    • Defined asset tagging method, process, and location by equipment type
    • Identified equipment acceptance, testing, and return procedures
    • Documented equipment receiving and inventorying workflow
    • Documented deployment workflows for desktop hardware and large-scale deployments

    Cisco implemented automation to improve its inventory and deployment system

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Although Cisco Systems had implemented a centralized procurement location for all PCs used in the company, inventory tracking had yet to be addressed.

    Inventory tracking was still a manual process. Given the volume of PCs that are purchased each year, this is an incredibly labor-intensive process.

    Sharing information with management and end users also required the generation of reports – another manual task.

    Solution

    The team at Cisco recognized that automation was the key component holding back the success of the inventory management program.

    Rolling out an automated process across multiple offices and groups, both nationally and internationally, was deemed too difficult to accomplish in the short amount of time needed, so Cisco elected to outsource its PC management needs to an experienced vendor.

    Results

    As a result of the PC management vendor’s industry experience, the implementation of automated tracking and management functions drastically improved the inventory management situation at Cisco.

    The vendor helped determine an ideal leasing set life of 30 months for PCs, while also managing installations, maintenance, and returns.

    Even though automation helped improve inventory and deployment practices, Cisco still needed to address another key facet of asset management: security.

    This case study continues in phase 3.

    An effective equipment intake process is critical to ensure product is correct, documented, and secured

    Examine your current process for receiving assets. Typical problems include:

    Receiving inventory at multiple locations can lead to inconsistent processes. This can make invoice reconciliation challenging and result in untracked or lost equipment and delays in deployment.

    Equipment not received and secured quickly. Idle equipment tends to go missing if left unsupervised for too long. Missed opportunities to manage returns where equipment is incorrect or defective.

    Disconnect between procurement and receiving where ETAs are unknown or incorrect. This can create an issue where no one is prepared for equipment arrival and is especially problematic on large orders.

    How do you solve these problems? Create a standardized workflow that outlines clear steps for asset receiving.

    A workflow will help to answer questions such as:

    • How do you deal with damaged shipments? Incorrect shipments?
    • Did you reach an agreement with the vendor to replace damaged/incorrect shipments within a certain timeframe?
    • When does the product get tagged and entered into the system as received?
    • What information needs to get captured on the asset tag?

    Standardize the process for receiving your hardware assets

    The first step in effective hardware asset intake is establishing proper procedures for receiving and handling of assets.

    Process: Start with information from the procurement process to determine what steps need to follow to receive into appropriate systems and what processes will enable tagging to happen as soon as possible.

    People: Ensure anyone who may impact this process is aware of the importance of documenting before deployment. Having everyone who may be handling equipment on board is key to success.

    Security: Equipment will be secured at the loading dock or reception. It will need to be secured as inventory and be secured if delivering directly to the bench for imaging. Ensure all receiving activities are done before equipment is deployed.

    Tools: A centralized ERP system may already provide a place to receive and reconcile with purchasing and invoicing, but there may still be a need to receive directly into the ITAM and/or CMDB database rather than importing directly from the ERP system.

    Tagging: A variety of methods can be used to tag equipment to assist with inventory. Consider the overall lifecycle management when determining which tagging methods are best.

    Info-Tech Insight

    Decentralized receiving doesn’t have to mean multiple processes. Take advantage of enterprise solutions that will centralize the data and ensure everyone follows the same processes unless there is an uncompromising and compelling logistical reason to deviate.

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    RFID with barcoding – asset tag with both a barcode and RFID solution $$$$
    • Secure, fast, and robust
    • Track assets in real time
    • Quick and efficient
    • Most expensive option, requiring purchase of barcode scanner with RFID reader and software)
    • Does not work as well in an environment with less control over assets
    • Requires management of asset database
    • Best in a controlled environment with mature processes and requirement for secure assets
    RFID only – small chip with significant data capacity $$$
    • Track assets from remote locations
    • RFID can be read through boxes so you don’t have to unpack equipment
    • Scan multiple RFID-tagged hardware simultaneously
    • Large data capacity on small chip
    • Expensive, requiring purchase of RFID reading equipment and software
    • Ideal if your environment is spread over multiple locations
    Barcoding only – adding tags with unique barcodes $$
    • Reasonable security
    • Report inventory directly to database
    • Relatively low cost
    • Only read one at a time
    • Need to purchase barcode scanners and software
    • Can be labor intensive to deploy with manual scanning of individual assets
    • Less secure
    • Can’t hold as much data
    • Not as secure as barcodes with RFID but works for environments that are more widely distributed and less controlled

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    QR codes – two-dimensional codes that can store text, binary, image, or URL data $$
    • Easily scannable from many angles
    • Save and print on labels
    • Can be read by barcode scanning apps or mobile phones
    • Can encode more data than barcodes
    • QR codes need to be large enough to be usable, which can be difficult with smaller IT assets
    • Scanning on mobile devices takes longer than scanning barcodes
    • Ideal if you need to include additional data and information in labels and want workers to use smartphones to scan labels
    Manual tags – tag each asset with your own internal labels and naming system $
    • Most affordable
    • Manual
    • Tags are not durable
    • Labor intensive and time consuming
    • Leaves room for error, misunderstanding, and process variances between locations
    • As this is the most time consuming and resource intensive with a low payoff, it is ideal for low maturity organizations looking for a low-cost option for tagging assets
    Asset serial numbers – tag assets using their serial number $
    • Less expensive
    • Unique serial numbers identified by vendor
    • Serial numbers have to be added to database manually, which is labor intensive and leaves room for error
    • Serial numbers can rub off over time
    • Hard to track down already existing assets
    • Doesn’t help track location of assets after deployment
    • Potential for duplicates
    • Inconsistent formats of serial numbers by manufacturers makes this method prone to error and not ideal for asset management

    Select the appropriate method for tagging and tracking your hardware assets

    2.2.1 Select asset tagging method

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 8

    1. Define your asset tagging method. For most organizations, asset tracking is done via barcoding or QR codes, either by using one method or a combination of the two. Other methods, including RFID, may be applicable based on cost or tracking complexity. Overall, barcodes embedded with RFID are the most robust and efficient method for asset tagging, but also the most expensive. Choose the best method for your organization, taking into account affordability, labor-intensiveness, data complexity needs, and ease of deployment.
    2. Define the process for tagging assets, including how soon they should receive the tag, whose responsibility it is, and whether the tag type varies depending on the asset type.
    3. Define the location of asset tags according to equipment type. Example:
    Asset Type Asset Tag Location
    PC desktop Right upper front corner
    Laptop Right corner closest to user when laptop is closed
    Server Right upper front corner
    Printer Right upper front corner
    Modems Top side, right corner

    Inspect and test equipment before accepting it into inventory to ensure it’s working according to specifications

    Upon receipt of procured hardware, validate the equipment before accepting it into inventory.

    1. Receive - Upon taking possession of the equipment, stage them for inspection before placing them into inventory or deploying for immediate use.
    2. Inspect - The inspection process should involve at minimum examining the products that have been delivered to determine conformance to purchase specifications.
    3. Test -Depending on the type and cost of hardware, some assets may benefit from additional testing to determine if they perform at a satisfactory level before being accepted.
    4. Accept - If the products conform to the requirements of the purchase order, acknowledge receipt so the supplier may be paid. Most shipments are automatically considered as accepted and approved for payment within a specific timeframe.

    Assign responsibility and accountability for inspection and acceptance of equipment, verifying the following:

    • The products conform to purchase order requirements.
    • The quantity ordered is the same as the quantity delivered.
    • There is no damage to equipment.
    • Delivery documentation is acceptable.
    • Products are operable and perform according to specifications.
    • If required, document an acceptance testing process as a separate procedure.

    Build the RMA procedure into the receiving process to handle receipt of defective equipment

    The return merchandise authorization (RMA) process should be a standard part of the receiving process to handle the return of defective materials to the vendor for either repair or replacement.

    If there is a standard process in place for all returns in the organization, you can follow the same process for returning hardware equipment:

    • Call the vendor to receive a unique RMA number that will be attached to the equipment to be returned, then follow manufacturer specifications for returning equipment within allowable timelines according to the contract where applicable.
    • Establish a lemon policy with vendors, allowing for full returns up to 30 days after equipment is deployed if the product proves defective after initial acceptance.

    Info-Tech Insight

    Make sure you’re well aware of the stipulations in your contract or purchase order. Sometimes acceptance is assumed after 60 days or less, and oftentimes the clock starts as soon as the equipment is shipped out rather than when it is received.

    Info-Tech Best Practice

    Keep in mind that the serial number on the received assed may not be the asset that ultimately ends up on the user’s desk if the RMA process is initiated. Record the serial number after the RMA process or add a correction process to the workflow to ensure the asset is properly accounted for.

    Determine what equipment should be stocked for quick deployment where demand is high or speed is crucial

    The most important feature of your receiving and inventory process should be categorization. A well-designed inventory system should reflect not only the type of asset, but also the usage level.

    A common technique employed by asset managers is to categorize your assets using an ABC analysis. Assets are classified as either A, B, or C items. The ratings are based on the following criteria:

    A

    A items have the highest usage. Typically, 10-20% of total assets in your inventory account for upwards of 70-80% of the total asset requests.

    A items should be tightly controlled with secure storage areas and policies. Avoiding stock depletion is a top priority.

    B

    B items are assets that have a moderate usage level, with around 30% of total assets accounting for 15-25% of total requests.

    B items must be monitored; B items can transition to A or C items, especially during cycles of heavier business activity.

    C

    C items are assets that have the lowest usage, with upwards of 50% of your total inventory accounting for just 5% of total asset requests.

    C items are reordered the least frequently, and present a low demand and high risk for excessive inventory (especially if they have a short lifecycle). Many organizations look to move towards an on-demand policy to mitigate risk.

    Info-Tech Insight

    Get your vendor to keep stock of your assets. If large quantities of a certain asset are required but you lack the space to securely store them onsite, ask your vendor to keep stock for you and release as you issue purchase orders. This speeds up delivery and delays warranty activation until the item is shipped. This does require an adherence to equipment standards and understanding of demand to be effective.

    Define the process for receiving equipment into inventory

    Define the following in your receiving process:

    • When will equipment be opened once delivered?
    • Who will open and validate equipment upon receipt?
    • How will discrepancies be resolved?
    • When will equipment be tagged and identified in the tracking tool?
    • When will equipment be locked in secure storage?
    • Where will equipment go if it needs to be immediately deployed?

    The image shows a workflow chart titled Receiving and Tagging. The process is split into two sections, labelled on the left as: Desktop Support Team and Procurement.

    Design the workflow for receiving and inventorying equipment

    2.2.2 Illustrate receiving workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 8: Receiving and Equipment Inventory

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Improve device deployment by documenting software personas for each role

    • Improve the deployment process for new users by having a comprehensive list of software used by common roles within the organization. With large variations in roles, it may be impossible to build a complete list, but as you start to see patterns in requirements, you may find less distinct personas than anticipated.
    • Consider a survey to business units to determine what they need if this will solve some immediate problems. If this portion of the project will be deferred, use the data uncovered in the discovery process to identify which software is used by which roles.
    • Replacement equipment can have the software footprint created by what was actually utilized by the user, not necessarily what software was installed on the previous device.

    The image shows 4 bubbles, representing software usage. The ARC-GIS bubble is the largest, Auto CAD the second largest, and MS Office and Adobe CS equal in size.

    A software usage snapshot for an urban planner/engineer.

    • Once software needs are determined, use this information to review the appropriate device for each persona.
      • Ensure hardware is appropriate for the type of work the user does and supports required software.
      • If it is more appropriate for a user to have a tablet, ensure the software they use can be used on any device.
    • Review deployment methods to determine if there is any opportunity to improve the imaging or software deployment process with better tools or methodologies.
    • Document the device’s location if it will be static, or if the user may be more mobile, add location information for their primary location.
    • Think about the best place to document – if this information can be stored in Active Directory and imported to the ITAM database, you can update once and use in multiple applications. But this process is built into your add/move/change workflows.

    Maintain a lean library to simplify image management

    Simplify, simplify, simplify. Use a minimal number of desktop images and automate as much as you can.

    • Embrace minimalism. When it comes to managing your desktop image library, your ultimate goal should be to minimize the manual effort involved in provisioning new desktops.
    • Less is more. Try to maintain as few standard desktop images as possible and consider a thin gold image, which can be patched and updated on a regular basis. A thin image with efficient application deployment will improve the provisioning process.
    • Standardize and repeat. System provisioning should be a repeatable process. This means it is ripe for standardization and automation. Look at balancing the imaging process with software provisioning, using group policy and deployment tools to reduce time to provision and deliver equipment.
    • Outsource where appropriate. Imaging is one of the most employed services, where the image is built in-house and deployed by the hardware vendor. As a minimum, quarterly updates should still be provided to integrate the latest patches into the operating system.

    Document the process workflow for hardware deployment

    Define the process for deploying hardware to users.

    Include the following in your workflow:

    • How will equipment be configured and imaged before deployment?
    • Which images will be used for specific roles?
    • Which assets are assigned to specific roles?
    • How will the device status be changed in the ITAM tool once deployed?

    The image shows a workflow chart titled Hardware Deployment. It is divided into two categories, listed on the left: Desktop Support Team and Procurement.

    Large-scale deployments should be run as projects, benefitting from economies of scale in each step

    Large-scale desktop deployments or data center upgrades will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    The image is a graphic of a flowchart titled Deployment-Equipment-Large Quantity Rollout. It is divided into three categories, listed on the left: IT Procurement; Desktop Rollout Team; Asset Manager.

    Document the deployment workflow(s)

    2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 9: Deployment

    Document each step in the system deployment process with notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for it.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If yes, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Look for opportunities to improve the request and deployment process with better communication and tools

    The biggest challenge in deploying equipment is meeting expectations of the business, and without cooperation from multiple departments, this becomes significantly more difficult.

    • Work with the procurement and the services team to ensure inventory is accessible, and regularly validate that inventory levels in the ITAM database are accurate.
    • Work with the HR department to predict (where possible) anticipated new hires. Plan for inventory ebbs and flows to match the hiring timelines where there are large variations.
    • If service catalogs will be made available for communicating options and SLAs for equipment purchases, work with the service catalog administrators to automate inventory checks and notifications. Work with the end-user device managers to set standards and reduce equipment variations to a manageable amount.
    • Where deployments are part of equipment refresh, ensure data is up to date for the services team to plan the project rollouts and know which software should be redeployed with the devices.
    • Infrastructure and security teams may have specific hardware assets relating to networking, data centers, and security, which may bypass the end-user device workflows but need to be tagged and entered into inventory early in the process. Work with these teams to have their equipment follow the same receiving and inventory processes. Deployment will vary based on equipment type and location.

    Automate hardware deployment where users are dispersed and deployment volume is high

    Self-serve kiosks (vending machines) can provide cost reductions in delivery of up to 25%. Organizations that have a high distribution rate are seeing reductions in cost of peripherals averaging 30-35% and a few extreme cases of closer to 85%.

    Benefits of using vending machines:

    • Secure equipment until deployed.
    • Equipment can be either purchased by credit card or linked to employee ID cards, enabling secure transactions and reporting.
    • Access rights can be controlled in real time, preventing terminated employees from accessing equipment or managing how many devices can be deployed to each user.
    • Vending machines can be managed through a cellular or wireless network.
    • Technology partners can be tasked with monitoring and refilling vending machines.
    • Employees are able to access technology wherever a vending machine can be located rather than needing to travel to the help desk.
    • Equipment loans and new employee packages can be managed through vending machines.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Request, Procure, Receive, and Deploy

    Proposed Time to Completion: 4 weeks

    Step 2.1: Request & Procure

    Start with an analyst kick-off call:

    • Define standard and non-standard hardware.
    • Weigh the pros and cons of leasing vs. buying.
    • Build the procurement process.

    Then complete these activities…

    • Define standard hardware requests.
    • Document standard hardware request procedure.
    • Document procurement workflow.
    • Build a purchasing policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Non-Standard Hardware Request Form
    • Hardware Procurement Workflow
    • Purchasing Policy

    Step 2.2: Receive & Deploy

    Review findings with analyst:

    • Determine appropriate asset tagging method.
    • Define equipment receiving process.
    • Define equipment deployment process.

    Then complete these activities…

    • Select appropriate asset tagging method.
    • Design workflow for receiving and inventorying equipment.
    • Document the deployment workflow(s).

    With these tools & templates:

    • Standard Operating Procedures
    • Equipment Receiving & Tagging Workflow
    • Deployment Workflow

    Phase 2 Insight: Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.2 Define standard hardware requests

    Divide whiteboard into columns representing core business areas. Define core hardware assets for end users in each division along with optional hardware assets. Discuss optional assets to narrow and define standard equipment requests.

    2.2.1 Select appropriate method for tagging and tracking assets

    Discuss the various asset tagging methods and choose the tagging method that is most appropriate for your organization. Define the process for tagging assets and document the standard asset tag location according to equipment type.

    Phase 3

    Maintain and Dispose

    Implement Hardware Asset Management

    Cisco overcame organizational resistance to change to improve asset security

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Cisco Systems had created a dynamic work environment that prized individuality. This environment created high employee satisfaction, but it also created a great deal of risk surrounding device security.

    Cisco lacked an asset security policy; there were no standards for employees to follow. This created a surplus of not only hardware, but software to support the variety of needs amongst various teams at Cisco.

    Solution

    The ITAM team at Cisco recognized that their largest problem was the lack of standardization with respect to PCs. Variance in cost, lifecycle, and software needs/compatibility were primary issues.

    Cisco introduced a PC leasing program with the help of a PC asset management vendor to correct these issues. The primary goal was to increase on-time returns of PCs. A set life of 30 months was defined by the vendor.

    Results

    Cisco engaged employees to help contribute to improving its asset management protocols, and the approach worked.

    On-time returns increased from 60% to 80%. Costs were reduced due to active tracking and disposal of any owned assets still present.

    A reduction in hardware and software platforms has cut costs and increased security thanks to improved tracking capabilities.

    This case study continues in phase 4

    Step 3.1: Manage, Maintain, and Secure Hardware Assets

    Phase 3: Maintain & Dispose

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.1.1 Build a MAC policy and request form

    3.1.2 Build workflows to document user MAC processes

    3.1.3 Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.4 Revise or create an asset security policy

    This step involves the following participants:

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    • Security Department

    Step Outcomes

    • Understanding of inventory management process best practices
    • Templates for move/add/change request policy and form
    • Documented process workflows for the user move/add/change process
    • Process and policies for hardware maintenance, warranty, and support documentation handling
    • Defined policies for maintaining asset security

    Determine methods for performing inventory audits on equipment

    Auto-discovery

    • Auto-discovery tools will be crucial to the process of understanding what equipment is connected to the network and in use.
    • The core functionality of discovery tools is to scan the environment and collect configuration data from all connected assets, but most tools can also be used to collect usage data, network monitoring, and software asset management data including software distribution, compliance, and license information.
    • These tools may not connect to peripheral devices such as monitors and external drives, will not scan devices that are turned off or disconnected from the network, may not inventory remote users, and will rarely provide location information. This often results in a need to complete physical audits as well.

    Info-Tech Insight

    One of the most common mistakes we see when it comes to asset management is to assume that the discovery tool will discovery most or all of your inventory and do all the work. It is better to assume only 80-90% coverage by the discovery tool and build ownership records to uncover the unreportable assets that are not tied into the network.

    Physical audit

    • The physical audit can be greatly improved with barcode, RFID, or QR codes, allowing items to be scanned, records opened, then updated.
    • If not everything is tagged or entered into the ITAM database, then searching closets, cabinets, and desk drawers may be required to tag and enter those devices into the database.
    • Provide the inventory team with exact instructions on what needs to be collected, verified, and recorded. Depending on the experience and thoroughness of the team, spot checks early in the process may alleviate quality issues often discovered at the end of the inventory cycle.

    Determine requirements for performing inventory audits on equipment

    Conduct an annual hardware audit to ensure hardware is still assigned to the person and location identified in your ITAM system, and assess its condition.

    Perform a quarterly review of hardware stock levels in order to ensure all equipment is relevant and usable. The table below is an example of how to organize this information.

    Item Target Stock Levels Estimated $ Value
    Desktop computers
    Standard issue laptops
    Mice
    Keyboards
    Network cables
    Phones

    Info-Tech Insight

    Don’t forget about your remotely deployed assets. Think about how you plan to inventory remotely deployed equipment. Some tools will allow data collection through an agent that will talk to the server over the internet, and some will completely ignore those assets or provide a way to manually collect the data and email back to the asset manager. Mobile device management tools may also help with this inventory process. Determine what is most appropriate based on the volume of remote workers and devices.

    Build an inventory management process to maintain an accurate view of owned hardware assets

    • Your inventory should capture which assets are on hand, where they are located, and who owns them, at minimum. Maintaining an accurate, up-to-date view of owned hardware assets allows you to see at any time the actual state of the components that make up your infrastructure across the enterprise.
    • Automated inventory practices save time and effort from doing physical inventories and also reduce the interruption to business users while improving accuracy of data.
    • If you are just starting out, define the process for conducting an inventory of deployed assets, and then define the process for regular upkeep and audit of inventory data.

    Inventory Methods

    • Electronic – captures networked asset information only and can be deployed over the network with no deskside service interaction.
    • Physical – captures environmental detail and must be performed manually by a service technician with possible disruption to users.
    • Full inventory – both physical and electronic inventory of assets.

    Internal asset information to collect electronically

    • Hardware configuration
    • Installed software
    • Operating system
    • System BIOS
    • Network configuration
    • Network drive mappings
    • Printer setups
    • System variables

    External asset information that cannot be detected electronically

    • Assigned user
    • Associated assets
    • Asset/user location
    • Usage of asset
    • Asset tag number

    IMAC (Install, Move, Add, Change) services will form the bulk of asset management work while assets are deployed

    IMAC services are usually performed at a user’s deskside by a services technician and can include:

    • Installing new desktops or peripherals
    • Installing or modifying software
    • Physically moving an end user’s equipment
    • Upgrading or adding components to a desktop

    Specific activities may include:

    Changes

    • Add new user IDs
    • Manage IDs
    • Network changes
    • Run auto-discovery scan

    Moves

    • Perform new location site survey
    • Coordinate with facilities
    • Disconnect old equipment
    • Move to new location
    • Reconnect at new location
    • Test installed asset
    • Obtain customer acceptance
    • Close request

    Installs and Adds

    • Perform site survey
    • Perform final configuration
    • Coordinate with Facilities
    • Asset tagging
    • Transfer data from old desktop
    • Wipe old desktop hard drive
    • Test installed asset
    • Initiate auto-discovery scan
    • Obtain customer acceptance
    • Close request

    A strong IMAC request process will lessen the burden on IT asset managers

    • When assets are actively in use, Asset Managers must also participate in the IMAC (Install-Move-Add-Change) process and ensure that any changes to asset characteristics or locations are updated and tracked in the asset management tool and that the value and usefulness of the asset is monitored.
    • The IMAC process should not only be reactive in response to requests, but proactive to plan for moves and relocations during any organizational change events.

    Recommendations:

    Automate. Wherever possible, use tools to automate the IMAC process.

    E-forms, help desk, ticketing, or change management software can automate the request workflow by allowing the requestor to submit a request ticket that can then be automatically assigned to a designated team member according to the established chain of command. As work is completed, the ticket can be updated, and the requestor will be able to check the status of the work at any time.

    Communicate the length of any downtime associated with execution of the IMAC request to lessen the frustration and impatience among users.

    Involve HR. When it comes to adding or removing user accounts, HR can be a valuable resource. As most new employees should be hired through HR, work with them to improve the onboarding process with enough advanced notice to set up accounts and equipment. Role changes with access rights and software modifications can benefit from improved communications. Review the termination process as well, to secure data and equipment.

    Build a MAC request policy and form for end users

    A consistent Move, Add, Change (MAC) request process is essential for lessening the burden on the IT department. MAC requests are used to address any number of tasks, including:

    • Relocation of PCs and/or peripherals.
    • New account setup.
    • Hardware or software upgrades.
    • Equipment swaps or replacements.
    • User account/access changes.
    • Document generation.
    • User acceptance testing.
    • Vendor coordination.

    Create a request form.

    If you are not using help desk or other ticketing software, create a request template that must be submitted for each MAC. The request should include:

    • The name and department of the requester.
    • The date of the request.
    • Severity of the request. For example, severity can be graded on a score of high, medium, or low where high represents a mission-critical change that could compromise business continuity if not addressed immediately, and low represents a more cosmetic change that will not negatively affect operations. The severity of the request can be determined by the service-level agreement (SLA) associated with the service.
    • Date the request must be completed by. Or at least, what would be the ideal date for completion. This will vary greatly depending on the severity of the request. For example, deleting the access of a terminated employee would be very time sensitive.
    • Item or service to be moved, added, or changed. Include location, serial number, or other designated identifier where possible.
    • If the item or service is to be moved, indicated where it is being moved.
    • It is a good idea to include a comments section where the requester can add any additional questions or details.

    Use Info-Tech’s templates to build your MAC policy and request form

    3.1.1 Build a MAC policy and request form

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy should be put in place to mitigate the risk associated with unauthorized changes, minimize disruption to the business, IT department, and end users, and maintain consistent expectations.

    Move, Add, Change Request Form

    Help end users navigate the move/add/change process. Use the Move/Add/Change Request Form to increase efficiency and organization for MAC requests.

    Document the process for user equipment moves

    Include the following in your process documentation:

    • How and when will any changes to user or location information be made in the ITAM tool?
    • Will any changes in AD automatically update in the ITAM tool?
    • How should requests for equipment moves or changes be made?
    • How will resources be scheduled?

    The image shows a flowchart titled SErvice Request - User Moves. The chart of processes is split into three categories, listed on the left side of the chart: User Manager; IT Coordinator; and Tier 2 & Facilities.

    Build workflows to document user MAC processes

    3.1.2 Build MAC process workflows

    Participants

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10: Equipment Install, Adds, Moves, and Changes

    Document each step in the system deployment process using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Define a policy to ensure effective maintenance of hardware assets

    Effective maintenance and support of assets provides longer life, higher employee productivity, and increased user satisfaction.

    • Your asset management documentation and database should store equipment maintenance contract information so that it can be consulted whenever hardware service is required.
    • Record who to contact as well as how, warranty information, and any SLAs that are associated with the maintenance agreement.
    • Record all maintenance that hardware equipment receives, which will be valuable for evaluating asset and supplier performance.
    • In most cases, the Service Desk should be the central point of contact for maintenance calls to all suppliers.

    Sample equipment maintenance policy terms:

    • Maintenance and support arrangements are required for all standard and non-standard hardware.
    • All onsite hardware should be covered by onsite warranty agreements with appropriate response times to meet business continuity needs.
    • Defective items under warranty should be repaired in a timely fashion.
    • Service, maintenance, and support shall be managed through the help desk ticketing system.

    Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.3 Design process for hardware maintenance

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10

    1. Discuss and document the policy for hardware maintenance, warranty, and support.
    2. Key outcomes should include:
    • Who signs off on policies?
    • What is the timeline for documentation review?
    • Where are warranty and maintenance documents stored?
    • How will equipment be assessed for condition during audits?
    • How often will deployed equipment be reimaged?
    • How will equipment repair needs be requested?
    • How will repairs for equipment outside warranty be handled?
  • Document in the Standard Operating Procedure.
  • Use your HAM program to improve security and meet regulatory requirements

    ITAM complements and strengthens security tools and processes, improving the company’s ability to protect its data and systems and reduce operational risk.

    It’s estimated that businesses worldwide lose more than $221 billion per year as a result of security breaches. HAM is one important factor in securing data, equipment investment, and meeting certain regulatory requirements.

    How does HAM help keep your organization secure?

    • Educating users on best practices for securing their devices, and providing physical security such as cable locks and tracking mechanisms.
    • Best practices for reporting lost or stolen equipment for quickly removing access and remotely wiping devices.
    • Accurate location and disposal records will enable accurate reporting for HIPAA and PCI DSS audits where movement of media or hardware containing data is a requirement. Best practices for disposal will include properly wiping drives, recording information, and ensuring equipment is disposed of according to environmental regulations.
    • Secure access to data through end-user mobile devices. Use accurate records and MDM tools to securely track, remove access, and wipe mobile devices if compromised.
    • Encrypt devices that may be difficult to track such as USB drives or secure ports to prevent data from being copied to external drives.
    • Managed hardware allows software to be managed and patched on a regular basis.

    Best Practices

    1. Educate end users about traveling with equipment. Phones and laptops are regularly stolen from cars; tablets and phones are left on planes. Encourage users to consider how they store equipment on the way home from work.
    2. Cable locks used at unsecured offsite or onsite work areas should be supplied to employees.
    3. Equipment stored in IT must be secured at all times.

    Implement mobile device management (MDM) solutions

    Organizations with a formal mobile management strategy have fewer problems with their mobile devices.

    Develop a secure MDM to:

    • Provide connection and device support when the device is fully subsidized by the organization to increase device control.
    • Have loaner devices for when traveling to limit device theft or data loss.
    • Personal devices not managed by MDM should be limited to internet access on a guest network.
    • Limit personal device access to only internet access or a limited zone for data access and a subset of applications.
    • Advanced MDM platforms provide additional capabilities including containerization.

    The benefits of a deployed MDM solution:

    • Central management of a variety of devices and platforms is the most important advantage of MDM. Administrators can gain visibility into device status and health, set policies to groups of users, and control who has access to what.
    • Security features such as enforcing passcodes and remote wipe are also essential, given the increased risk of mobile devices.
      • Remote wipe should be able to wipe either the whole device or just selected areas.
    • Separation of personal data is becoming increasingly important as BYOD becomes the norm. This is a feature that vendors are approaching radically differently.
    • Device lock: Be able to lock the device itself, its container, or its SIM. Even if the SIM is replaced, the device should still remain locked. Consider remote locking a device if retrieval is possible.

    Mobile device management is constantly evolving to incorporate new features and expand to new control areas. This is a high-growth area that warrants constant up-to-date knowledge on the latest developments.

    What can be packed into an MDM can vary and be customized in many forms for what your organization needs.

    Secure endpoint devices to protect the data you cannot control

    Endpoint Encryption

    Endpoints Average None
    Desktop 73% 4%
    Laptops 65% 9%
    Smartphones 27% 28%
    Netbooks 26% 48%
    Tablets 16% 59%
    Grand average 41%

    Benefits from endpoint encryption:

    • Reduced risk associated with mobile workers.
    • Enabled sharing of data in secured workspace.
    • Enhanced end-user accountability.
    • Reduced number of data breach incidents.
    • Reduced number of regulatory violations.

    Ways to reduce endpoint encryption costs:

    • Use multiple vendors (multiple platforms): 33%
    • Use a single vendor (one platform): 40%
    • Use a single management console: 22%
    • Outsource to managed service provider: 26%
    • Permit user self-recovery: 26%

    Remote Wiping

    • If all else fails, a device can always be erased of all its data, protecting sensitive data that may have been on it.
    • Selective wipe takes it a step further by erasing only sensitive data.

    Selective wipe is not perfect.

    It is nearly impossible to keep the types of data separate, even with a sandbox approach. Selective wipe will miss some corporate data, and even a full remote wipe can only catch some of users’ increasingly widely distributed data.

    Selective wipe can erase:

    • Corporate profiles, email, and network settings.
    • Data within a corporate container or other sandbox.
    • Apps deployed across the enterprise.

    Know when to perform a remote wipe.

    Not every violation of policy warrants a wipe. Playing Candy Crush during work hours probably does not warrant a wipe, but jail breaking or removing a master data management client can open up security holes that do warrant a wipe.

    Design an effective asset security policy to protect the business

    Data security is not simply restricted to compromised software. In fact, 70% of all data breaches in the healthcare industry since 2010 are due to device theft or loss, not hacking. (California Data Breach Report – October, 2014) ITAM is not just about tracking a device, it is also about tracking the data on the device.

    Organizations often struggle with the following with respect to IT asset security:

    • IT hardware asset removal control.
    • Personal IT hardware assets (BYOD).
    • Data removal from IT hardware assets.
    • Inventory control with respect to leased hardware and software.
    • Unused software.
    • Repetitive versions of software.
    • Unauthorized software.

    Your security policy should seek to protect IT hardware and software that:

    • Have value to the business.
    • Require ongoing maintenance and support.
    • Create potential risk in terms of financial loss, data loss, or exposure.

    These assets should be documented and controlled in order to meet security requirements.

    The asset security policy should encompass the following:

    • Involved parties.
    • Hardware removal policy/documentation procedure.
    • End-user asset security responsibilities.
    • Theft/loss reporting procedure.
    • BYOD standards, procedures, and documentation requirements.
    • Data removal.
    • Software usage.
    • Software installation.

    Info-Tech Insight

    Hardware can be pricey; data is priceless. The cost of losing a device is minimal compared to the cost of losing data contained on a device.

    Revise or create an asset security policy

    3.1.4 Develop IT asset security policy

    Participants

    • CIO or IT Director
    • Asset Manager
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Asset Security Policy.

    1. Identify asset security challenges within your organization. Record them in a table like the one below.
    Challenge Current Security Risk Target Policy
    Hardware removal Secure access and storage, data loss Designated and secure storage area
    BYOD No BYOD policy in place N/A → phasing out BYOD as an option
    Hardware data removal Secure data disposal Data disposal, disposal vendor
    Unused software Lack of support/patching makes software vulnerable Discovery and retirement of unused software
    Unauthorized software Harder to track, less secure Stricter stance on pirated software
    1. Brainstorm the reasons for why these challenges exist.
    2. Identify target policy details that pertain to each challenge. Record the outcomes in section(s) 5.1, 5.2, or 5.3 of the Asset Security Policy.

    Poor asset security and data protection had costly consequences for UK Ministry of Justice

    CASE STUDY

    Industry Legal

    Source ICO

    Challenge

    The Ministry of Justice (MoJ) in the UK had a security problem: hard drives that contained sensitive prisoner data were unencrypted and largely unprotected for theft.

    These hard drives contained information related to health, history of drug use, and past links to organized crime.

    After two separate incidents of hard drive theft that resulted in data breaches, the Information Commissioner’s Office (ICO), stepped in.

    Solution

    It was determined that after the first hard drive theft in October 2011, replacement hard drives with encryption software were provisioned to prisons managed by the MoJ.

    Unfortunately, the IT security personnel employed by the MoJ were unaware that the encryption software required manual activation.

    When the second hard drive theft occurred, the digital encryption could not act as a backup to poor physical security (the hard drive was not secured in a locker as per protocol).

    Results

    The perpetrators were never found and the stolen hard drives were never recovered.

    As a result of the two data breaches, the MoJ had to implement costly security upgrades to its data protection system.

    The ICO fined the MoJ £180,000 for its repeated security breaches. This costly fine could have been avoided if more diligence was present in the MoJ’s asset management program.

    Step 3.2: Dispose or Redeploy Assets

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.2.1 Identify challenges with IT asset recovery and disposal

    3.2.2 Design hardware asset recovery and disposal workflows

    3.2.3 Build a hardware asset disposition policy

    This step involves the following participants:

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Defined process to determine when to redeploy vs. dispose of hardware assets
    • Process for recovering and redeploying hardware equipment
    • Process for safely disposing of assets that cannot be redeployed
    • Comprehensive asset disposition policy

    Balance the effort to roll out new equipment against the cost to maintain equipment when building your lifecycle strategy

    The image shows two line graphs. The graph on the left is titled: Desktop Refresh Rate by Company Size (based on Revenue). The graph on the right is titled: Laptop Refresh Rate by Company Size (based on Revenue). Each graph has four lines, defined by a legend in the centre of the image: yellow is small ($25mm); dark blue is Mid ($25-500MM); light blue is large ( data-verified=$500MM); and orange is Overall.">

    (Info-Tech Research Group; N=96)

    Determining the optimal length of time to continue to use equipment will depend on use case and equipment type

    Budget profiles Refresh methods

    Stretched

    Average equipment age: 7+ years

    To save money, some organizations will take a cascading approach, using the most powerful machines for engineers or scientists to ensure processing power, video requirements and drives will meet the needs of their applications and storage needs; then passing systems down to departments who will require standard-use machines. The oldest and least powerful machines are either used as terminals or disposed.

    Generous

    Average equipment age: 3 years

    Organizations that do not want to risk user dissatisfaction or potential compatibility or reliability issues will take a more aggressive replacement approach. These organizations often have less people assigned to end-user device maintenance and will not repair equipment outside of warranty. There is little variation in processing power among devices, with major differences determined by mobility and operating system.

    Cautious

    Average equipment age: 4 to 5 years

    Organizations that fit between the other two profiles will look to stretch the budget beyond warranty years, but will keep a close eye on maintenance requirements. Repairs needed outside of warranty will require an eye to costs, efforts, and subsequent administrative work of loaning equipment to keep the end user productive while waiting on service.

    Recommendations to keep users happy and equipment in prime form is to check condition at the 2-3 year mark, reimage at least once to improve performance, and have backup machines, if equipment starts to become problematic.

    Build a process to determine when and how to redeploy or dispose of hardware assets at end of use

    • When equipment is no longer needed for the function or individual to whom it was assigned, the Hardware Asset Manager needs to use data to ensure the right decision is made as to what to do with the asset.
    • End of use involves evaluating options for either continuing to use the equipment in another capacity or by another individual or determining that the asset has no remaining value to the organization in any capacity and it is time to retire it.
    • If the asset is retired, it may still have capacity for continued use outside of the organization or it may be disposed.

    Redeployment

    • Deliver the asset to a new user if it is no longer needed by the original user but still has value and usability.
    • Redeployment saves money and prevents unnecessary purchases.
    • Common when employees leave the company or a merge or acquisition changes the asset pool.

    VS.

    Disposal

    • When an asset is no longer of use to the organization, it may be disposed of.
    • Need to consider potential financial and public relations considerations if disposal is not done according to environmental legislation.
    • Need to ensure proper documentation and data removal is built into disposition policy.

    Use persistent documentation and communication to improve hardware disposal and recovery

    Warning! Poor hardware disposal and recovery practices can be caused by the following:

    1. Your IT team is too busy and stretched thin. Data disposal is one of many services your IT team is likely to have to deal with, but this service requires undivided attention. By standardizing hardware refreshes, you can instill more predictability with your hardware life cycles and better manage disposal.
    2. Poor inventory management. Outdated data and poor tracking practices can result in lost assets during the disposal phase. It only takes a single lost asset to cause a disastrous data breach in your supply chain.
    3. Obliviousness to disposal regulations. Electronic disposal and electronically stored data are governed by strict regulation.

    How do you improve your hardware disposal and recovery process?

    • A specific, controlled process needs to be in place to wipe all equipment and verify that it’s been wiped properly. Otherwise, companies will continue to spend money to protect data while equipment is in use, but overlook the dangerous implications of careless IT asset disposal. Create a detailed documentation process to track your assets every step of the way to ensure that data and applications are properly disposed of. Detailed documentation can also help bolster sustainability reporting for organizations wishing to track such data.
    • Better communication should be required. Most decommissioning or refresh processes use multiple partners for manufacturing, warehousing, data destruction, product resale, and logistics. Setting up and vetting these networks can take years, and even then, managing them can be like playing a game of telephone; transparency is key.

    Address three core challenges of asset disposal and recovery

    Asset Disposal

    Data Security

    Sixty-five percent of organizations cite data security as their top concern. Many data breaches are a result of hardware theft or poor data destruction practices.

    Choosing a reputable IT disposal company or data removal software is crucial to ensuring data security with asset disposal.

    Environmental

    Electronics contain harmful heavy metals such as mercury, arsenic, and cadmium.

    Disposal of e-waste is heavily regulated, and improper disposal can result in hefty fines and bad publicity for organizations.

    Residual value

    Many obsolete IT assets are simply confined to storage at their end of life.

    This often imposes additional costs with maintenance or storage fees and leaves a lot of value on the table through assets that could be sold or re-purposed within the organization.

    Identify challenges with IT asset recovery and disposal with a triple bottom line scorecard

    3.2.1 Identify challenges with IT asset recovery and disposal

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    1. Divide the whiteboard into three boxes: Social, Economic, and Environmental.
    2. Divide each box into columns like the one shown below:
    Economic
    Challenge Objectives Targets Initiatives
    No data capture during disposal Develop reporting standards 80% disposed assets recorded Work with Finance to develop reporting procedure
    Idle assets Find resale market/dispose of idle assets 50% of idle assets disposed of within the year Locate resale vendor and disposal service
    1. Ask participants to list challenges associated with each area.
    2. Once challenges facing recovery and disposal have been exhausted from the group, assign a significance of 1-5 (1 being the lowest and 5 being the highest) to each challenge.
    3. Discuss the most significant challenges and how they might be addressed through the next steps of building recovery & disposal processes.

    Build a process for recovery and redeployment of hardware

    • Having hardware standards in place makes redeploying easier by creating a larger pool of possible users for a standardized asset.
    • Most redeployment activities will be carried out by the Help Desk as a service request ticket, so it is important to have clear communication and guidelines with the Help Desk as to which tasks need to be carried out as part of the request.

    Ensure the following are addressed:

    • Where will equipment be stored before being redeployed?
    • Will shipping be required and are shipping costs factored into analysis?
    • Ensure equipment is cleaned before it is redeployed.
    • Do repairs and reconfigurations need to be made?
    • How will software be removed and licenses harvested and reported to Software Asset Manager?
    • How will data be securely wiped and protected?

    The image shows a work process in flowchart format titled Equipment Recovery. The chart is divided into two sections, listed on the left: Business Manager/HR and Desktop Support Team.

    Define the process for safely disposing of assets that cannot be redeployed

    Asset Disposal Checklist

    1. Review the data stored on the device.
    2. Determine if there has been any sensitive or confidential information stored.
    3. Remove all sensitive/confidential information.
    4. Determine if software licenses are transferable.
    5. Remove any non- transferable software prior to reassignment.
    6. Update the department’s inventory record to indicate new individual assigned custody.
    7. In the event of a transfer to another department, remove data and licensed software.
    8. If sensitive data has been stored, physically destroy the storage device.
    • Define the process for retiring and disposing of equipment that has reached replacement age or no longer meets minimum conditions or standards.
    • Clearly define the steps that need to be taken both before and after the involvement of an ITAD partner.

    The image shows a flowchart titled Equipment Disposal. It is divided into two sections, labelled on the left as: Desktop Support Team and Asset Manager.

    Design hardware asset recovery and disposal workflows

    3.2.2 Design hardware asset recovery and disposal policies and workflows

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Sections 11 and 12

    Document each step in the recovery and disposal process in two separate workflows using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Keeping in mind current challenges around hardware asset recovery and disposal, design the target state for both the asset recovery and disposal processes.
    2. Outline each step of the process and be as granular as possible.
    3. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    4. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    5. Review the checklists on the previous slides to ensure all critical tasks are accounted for in your process workflows.

    Add equipment disposition to asset lifecycle decisions to meet environmental regulations and mitigate risk

    Although traditionally an afterthought in asset management, IT asset disposition (ITAD) needs to be front and center. Increase focus on data security and concern surrounding environmental sustainability and develop an awareness of the cost efficiencies possible through best-practices disposition.

    Optimized ITAD solutions:

    1. Protect sensitive or valuable data
    2. Support sustainability
    3. Focus on asset value recovery

    Info-Tech Insight

    A well-thought-out asset management program mitigates risk and is typically less costly than dealing with a large-scale data loss incident or an inappropriate disposal suit. Also, it protects your company’s reputation – which is difficult to put a price on.

    Partner with an ITAD vendor to support your disposition strategy

    Maximizing returns on assets requires knowledge and skills in asset valuation, upgrading to optimize market return, supply chain management, and packaging and shipping. It’s unlikely that the return will be adequate to justify that level of investment, so partnering with a full-service ITAD vendor is a no-brainer.

    • An ITAD vendor knows the repurpose and resale space better than your organization. They know the industry and have access to more potential buyers.
    • ITAD vendors can help your organization navigate costly environmental regulations for improper disposal of IT assets.

    Disposal doesn’t mean your equipment has to go to waste.

    Additionally, your ITAD vendor can assist with a large donation of hardware to a charitable organization or a school.

    Donating equipment to schools or non-profits may provide charitable receipts that can be used as taxable benefits.

    Before donating:

    • Ensure equipment is needed and useful to the organization.
    • Be prepared for an appraisal requirement. Receipts can only be issued for fair market value.
    • Prevent compromised data by thoroughly wiping or completely replacing drives.
    • Ensure official transfer of ownership to prevent liability if improper disposal practices follow.

    Info-Tech Insight

    Government assistance grants may be available to help keep your organization’s hardware up to date, thereby providing incentives to upgrade equipment while older equipment still has a useful life.

    Protect the organization by sufficiently researching potential ITAD partners

    Research ITAD vendors as diligently as you would primary hardware vendors.

    Failure to thoroughly investigate a vendor could result in a massive data breach, fines for disposal standards violations, or a poor resale price for your disposed assets. Evaluate vendors using questions such as the following:

    • Are you a full-service vendor or are you connected to a wholesaler?
    • Who are your collectors and processors?
    • How do you handle data wiping? If you erase the data, how many passes do you perform?
    • What do you do with the e-waste? How much is reused? How much is recycled?
    • Do you have errors and omissions insurance in case data is compromised?
    • How much will it cost to recycle or dispose of worthless equipment?
    • How much will I receive for assets that still have useful life?

    ITAD vendors that focus on recycling will bundle assets to ship to an e-waste plant – leaving money on the table.

    ITAD vendors with a focus on reuse will individually package salable assets for resale – which will yield top dollars.

    Info-Tech Insight

    To judge the success of a HAM overhaul, you need to establish a baseline with which to compare final results. Be sure to take HAM “snapshots” before ITAD partnering so it’s easy to illustrate the savings later.

    Work with ITAD partner or equipment supplier to determine most cost-effective method and appropriate time for disposal

    2-4 Two-to-four year hardware refresh cycle

    • Consider selling equipment to an ITAD partner who specializes in sales of refurbished equipment.
    • Consider donating equipment to schools or non-profits, possibly using an ITAD partner who specializes in refurbishing equipment and managing the donation process.

    5-7 Five-to-seven year hardware refresh cycle

    • At this stage equipment may still have a viable life, but would not be appropriate for school or non-profit donations, due to a potentially shorter lifespan. Consider selling equipment to an ITAD partner who has customers interested in older, refurbished equipment.

    7+ Seven or more years hardware refresh cycle

    • If keeping computers until they reach end of life, harvest parts for replacement on existing machines and budget for disposal fees.
    • Ask new computer supplier about disposal services or seek out ITAD partner who will disassemble and dispose of equipment in an environmentally responsible manner.

    Info-Tech Insight

    • In all cases, ensure hard drives are cleansed of data with no option for data recovery. Many ITAD partners will provide a drive erasure at DoD levels as part of their disposal service.
    • Many ITAD partners will provide analysts to help determine the most advantageous time to refresh.

    Ensure data security and compliance by engaging in reliable data wiping before disposition

    Failure to properly dispose of data can not only result in costly data breaches, but also fines and other regulatory repercussions. Choosing an ITAD vendor or a vendor that specializes in data erasure is crucial. Depending on your needs, there are a variety of data wiping methods available.

    Certified data erasure is the only method that leaves the asset’s hard drive intact for resale or donation. Three swipes is the bare minimum, but seven is recommended for more sensitive data (and required by the US Department of Defense). Data erasure applications may be destructive or non-destructive – both methods overwrite data to make it irretrievable.

    Physical destruction must be done thoroughly, and rigorous testing must be done to verify data irretrievability. Methods such as hand drilling are proven to be unreliable.

    Degaussing uses high-powered magnets to erase hard drives and makes them unusable. This is the most expensive option; degaussing devices can be purchased or rented.

    Info-Tech Best Practice

    Data wiping can be done onsite or can be contracted to an ITAD partner. Using an ITAD partner can ensure greater security at a more affordable price.

    Make data security a primary driver of asset disposition practices

    It is estimated that 10-15% of data loss cases result from insecure asset disposal. Protect yourself by following some simple disposition rules.

    1. Reconcile your data onsite
    • Verify that bills of landing and inventory records match before assets leave. Otherwise, you must take the receiver’s word on shipment contents.
  • Wipe data at least once onsite
    • Do at least one in-house data wipe before the assets leave the site for greater data security.
  • Transport promptly after data wiping
    • Prompt shipment will minimize involvement with the assets, and therefore, cost. Also, the chance of missing assets will drop dramatically.
  • Avoid third-party transport services
    • Reputable ITAD companies maintain strict chain of custody control over assets. Using a third party introduces unnecessary risk.
  • Keep detailed disposition records
    • Records will protect you in the event of an audit, a data loss incident, or an environmental degradation claim. They could save you millions.
  • Wipe all data-carrying items
    • Don’t forget cell phones, fax machines, USB drives, scanners, and printers – they can carry sensitive information that can put the organization at risk.
  • Only partner with insured ITAD vendors
    • You are never completely out of danger with regards to liability, but partnering with an insured vendor is potent risk mitigation.
  • Work these rules into your disposition policy to mitigate data loss risk.

    Support your HAM efforts with a comprehensive disposition policy

    3.2.3 Build a Hardware Asset Disposition Policy

    Implementation of a HAM program is a waste of time if you aren’t going to maintain it. Maintenance requires the implementation of detailed policies, training, and an ongoing commitment to proper management.

    Use Info-Tech’s Hardware Asset Disposition Policy to:

    1. Establish and define clear standards, procedures, and restrictions surrounding disposition.
    2. Ensure continual compliance with applicable data security and environmental legislation.
    3. Assign specific responsibilities to individuals or groups to ensure ongoing adherence to policy standards and that costs or benefits are in line with expectations.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Maintain & Dispose

    Proposed Time to Completion: 4 weeks

    Start with an analyst kick-off call:

    • Discuss inventory management best practices.
    • Build process for moves, adds, and changes.
    • Build process for hardware maintenance.
    • Define policies for maintaining asset security.

    Then complete these activities…

    • Build a MAC policy and request form.
    • Build workflows to document user MAC processes.
    • Design processes and policies for hardware maintenance, warranty, and support documentation handling.
    • Build an asset security policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Security Policy

    Step 3.2: Dispose or Redeploy Assets

    Review findings with analyst:

    • Discuss when to dispose vs. redeploy assets.
    • Build process for redeploying vs. disposing of assets.
    • Review ITAD vendors.

    Then complete these activities…

    • Identify challenges with IT asset recovery and disposal.
    • Design hardware asset recovery and disposal workflows.
    • Build a hardware asset disposition policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Recovery Workflow
    • Asset Disposal Workflow
    • Hardware Asset Disposition Policy

    Phase 3 Insight: Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.4 Revise or create an asset security policy

    Discuss asset security challenges within the organization; brainstorm reasons the challenges exist and process changes to address them. Document a new asset security policy.

    3.2.2 Design hardware asset recovery and disposal workflows

    Document each step in the hardware asset recovery and disposal process, including all decision points. Examine challenges and amend the workflow to address them.

    Phase 4

    Plan Budget Process and Build Roadmap

    Implement Hardware Asset Management

    Cisco deployed an enterprise-wide re-education program to implement asset management

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Even though Cisco Systems had designed a comprehensive asset management program, implementing it across the enterprise was another story.

    An effective solution, complete with a process that could be adopted by everyone within the organization, would require extensive internal promotion of cost savings, efficiencies, and other benefits to the enterprise and end users.

    Cisco’s asset management problem was as much a cultural challenge as it was a process challenge.

    Solution

    The ITAM team at Cisco began discussions with departments that had been tracking and managing their own assets.

    These sessions were used as an educational tool, but also as opportunities to gather internal best practices to deploy across the enterprise.

    Eventually, Cisco introduced weekly meetings with global representation to encourage company-wide communication and collaboration.

    Results

    By establishing a process for managing PC assets, we have cut our hardware costs in half.” – Mark Edmonson, Manager – IT Services Expenses

    Cisco reports that although change was difficult to adopt, end-user satisfaction has never been higher. The centralized asset management approach has resulted in better contract negotiations through better data access.

    A reduced number of hardware and software platforms has streamlined tracking and support, and will only drive down costs as time goes on.

    Step 4.1: Plan Hardware Asset Budget

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.1 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    This step involves the following participants:

    • IT Director
    • Asset Manager
    • Finance Department

    Step Outcomes

    • Know where to find data to budget for hardware needs accurately
    • Learn how to manage a hardware budget
    • Plan hardware asset budget with a budgeting tool

    Gain control of the budget to increase the success of HAM

    A sophisticated hardware asset management program will be able to uncover hidden costs, identify targets for downsizing, save money through redistributing equipment, and improve forecasting of equipment to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to ITAM owning the hardware budget:

    • Be more involved in negotiating pricing with suppliers.
    • Build better relationships with stakeholders across the business.
    • Forecast requirements more accurately.
    • Inform benchmarks for hardware performance.
    • Gain more responsibility and have a greater influence on purchasing decisions.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of hardware needs.
    • Build a continuous rolling refresh.

    Use ITAM data to forecast hardware needs accurately and realistically

    Your IT budget should be realistic, accounting for business needs, routine maintenance, hardware replacement costs, unexpected equipment failures, and associated support and warranty costs. Know where to find the data you need and who to work with to forecast hardware needs as accurately as possible.

    What type of data should I take into account?

    Plan for:

    • New hardware purchases required
      • Planned refreshes based on equipment lifecycle
      • Inventory for break and fix
      • Standard equipment for new hires
      • Non-standard equipment required
      • Hardware for planned projects
      • Implementation and setup costs
      • Routine hardware implementation
      • Large hardware implementation for projects
      • Support and warranty costs

    Take into account:

    • Standard refresh cycle for each hardware asset
    • Amount of inventory to keep on hand
    • Length of time from procurement to inventory
    • Current equipment costs and equipment price increases
    • Equipment depreciation rates and resale profits

    Where do I find the information I need to budget accurately?

    • Work with HR to forecast equipment needs for new hires.
    • Work with the Infrastructure Manager to forecast devices and equipment needed for approved and planned projects.
    • Use the asset management database to forecast hardware refresh and replacement needs based on age and lifecycle.
    • Work with business stakeholders to ensure all new equipment needs are accounted for in the budget.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    4.1.1 Build HAM budget

    This tool is designed to assist in developing and justifying the budget for hardware assets for the upcoming year. The tool will allow you to budget for projects requiring hardware asset purchases as well as equipment requiring refresh and to adjust the budget as needed to accommodate both projects and refreshes. Follow the instructions on each tab to complete the tool.

    The hardware budget should serve as a planning and communications tool for the organization

    The most successful relationships have a common vocabulary. Thus, it is important to translate “tech speak” into everyday language and business goals and initiatives as you plan your budget.

    One of the biggest barriers that infrastructure and operations team face with regards to equipment budgeting is the lack of understanding of IT infrastructure and how it impacts the rest of the organization. The biggest challenge is to help the rest of the organization overcome this barrier.

    There are several things you can do to overcome this barrier:

    • Avoid using technical terms or jargon. Terms many would consider common knowledge, such as “WLAN,” are foreign to many.
    • Don’t assume the business knows how the technology you’re referring to will impact their day-to-day work. You will need to demonstrate it to them.
    • Help the audience understand the business impact of not implementing each initiative. What does this mean for them?
    • Discuss the options on the table in terms of the business value that the hardware can enable. Review how deferring refresh projects can impact user-facing applications, systems, and business unit operations.
    • Present options. If you can’t implement everything on the project list, present what you can do at different levels of funding.

    Info-Tech Insight

    Err on the side of inviting more discussion. Your budgeting process relies on business decision makers and receiving actionable feedback requires an ongoing exchange of information.

    Help users understand the importance of regular infrastructure refreshes

    Getting business users to support regular investments in maintenance relies on understanding and trust. Present the facts in plain language. Provide options, and clearly state the impact of each option.

    Example: Your storage environment is nearing capacity.

    Don’t:

    Explain the project exclusively in technical terms or slang.

    We’re exploring deduping technology as well as cheap solid state, SATA, and tape storage to address capacity.”

    Do:

    • Explain impact in terms that the business can understand.

    Deduplication technology can reduce our storage needs by up to 50%, allowing us to defer a new storage purchase.”

    • Be ready to present project alternatives and impacts.

    Without implementing deduplication technology, we will need to purchase additional storage by the end of the year at an estimated cost of $25,000.”

    • Connect the project to business initiatives and strategic priorities.

    This is a cost-effective technique to increase storage capacity to manage annual average data growth at around 20% per year.

    Step 4.2: Build Communication Plan and Roadmap

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.2 Develop a HAM implementation roadmap

    This step involves the following participants:

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Step Outcomes

    • Documented end-user hardware asset management policies
    • Communications plan to achieve support from end users and other business units
    • HAM implementation roadmap

    Educate end users through ITAM training to increase program success

    As part of your communication plan and overall HAM implementation, training should be provided to end users within the organization.

    All facets of the business, from management to new hires, should be provided with ITAM training to help them understand their role in the project’s success.

    ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly. Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.

    Management may have priorities that appear to clash with new processes. Engage management by making them aware of the benefits and importance of ITAM. Include the benefits and consequences of not implementing ITAM in your education approach. Encourage them to support efforts by reinforcing your messages to end users.

    New hires should have ITAM training bundled into their onboarding process. Fresh minds are easier to train and the ITAM program will be seen as an organizational standard, not merely a change.

    Policy documents can help summarize end users’ obligations and clarify processes. Consider an IT Resources Acceptable UsePolicy.

    "The lowest user is the most important user in your asset management program. New employees are your most important resource. The life cycle of the assets will go much smoother if new employees are brought on board." – Tyrell Hall, ITAM Program Coordinator

    Info-Tech Insight

    During training, you should present the material through the lens of “what’s in it for me?” Otherwise, you risk alienating end users through implementing organizational change viewed as low value.

    Include policy design and enforcement in your communication plan

    • Hardware asset management policies should define the actions to be taken to protect and preserve technology assets from failure, loss, destruction, theft, or damage.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously, and will help ensure the benefits of ITAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard ITAM policies for each department to follow will ensure the processes are enforced equally across the organization.
    • Good ITAM policies answer the “what, how, and why” of IT asset management, provide the means for ITAM governance, and provide a basis for strategy and decision making.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Use Info-Tech’s policy templates to build HAM policies

    4.2.1 Build HAM policies

    Use these HAM policy templates to get started:

    Information Technology Standards Policy

    This policy establishes standards and guidelines for a company’s information technology environment to ensure the confidentiality, integrity, and availability of company computing resources.

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy is put in place for users to request to change their desktop computing environments. This policy applies configuration changes within a company.

    Purchasing Policy

    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Hardware Asset Disposition Policy

    This policy assists in creating guidelines around disposition in the last stage of the asset lifecycle.

    Additional policy templates

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but modify and adapt them to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation from the committees and departments to whom it will pertain.

    Create a communication plan to achieve end-user support and adherence to policies

    Communication is crucial to the integration and overall implementation of your ITAM program. An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Use the variety of components as part of your communication plan in order to reach the organization.

    1. Advertise successes.
    • Regularly demonstrate the value of the ITAM program with descriptive statistics focused on key financial benefits.
    • Share data with the appropriate personnel; promote success to obtain further support from senior management.
  • Report and share asset data.
    • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
    • These reports can help your organization prepare for audits, adjust asset budgeting, and detect unauthorized assets.
  • Communicate the value of ITAM.
    • Educate management and end users about how they fit into the bigger picture.
    • Individuals need to know that their behaviors can adversely affect data quality and, ultimately, lead to better decision making.
  • Develop a communication plan to convey the right messages

    4.2.2 Develop a communication plan to convey the right messages

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the HAM Communication Plan

    1. Identify the groups that will be affected by the HAM program as those who will require communication.
    2. For each group requiring a communication plan, identify the following:
    • Benefits of HAM for that group of individuals (e.g. better data, security).
    • The impact the change will have on them (e.g. change in the way a certain process will work).
    • Communication method (i.e. how you will communicate).
    • Timeframe (i.e. when and how often you will communicate the changes).
  • Complete this information in a table like the one below and document in the Communication Plan.
  • Group Benefits Impact Method Timeline
    Service Desk Improve end-user device support Follow new processes Email campaign 3 months
    Executives Mitigate risks, better security, more data for reporting Review and sign off on policies
    End Users Smoother request process Adhere to device security and use policies
    Infrastructure Faster access to data and one source of truth Modified processes for centralized procurement and inventory

    Implement ITAM in a phased, constructive approach

    • One of the most difficult decisions to make when implementing ITAM is: “where do we start?”
    • The pyramid to the right mirrors Maslow’s hierarchy of needs. The base is the absolute bare minimum that should be in place, and each level builds upon the previous one.
    • As you track up the pyramid, your ITAM program will become more and more mature.

    Now that your asset lifecycle environment has been constructed in full, it’s time to study it. Gather data about your assets and use the results to create reports and new solutions to continually improve the business.

    • Asset Data
    • Asset Protection: safely protect and dispose of assets once they are mass distributed throughout your organization.
    • Asset Distribution: determine standards for asset provisioning and asset inventory strategy.
    • Asset Gathering: define what assets you will procure, distribute, and track. Classifying your assets by tier will allow you to make decisions as you progress up the pyramid.

    ↑ ITAM Program Maturity

    Integrate your HAM program into the organization to assist its implementation

    The HAM program cannot perform on its own – it must be integrated with other functional areas of the organization in order to maintain its stability and support.

    • Effective IT asset management is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the purchasing/procurement team is required to gather hardware and software purchase data to control asset costs and mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and charge backs.

    To integrate your ITAM program into your organization effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” in order to demonstrate success to the business early and gain buy-in from your team. Long-term goals should be designed that will be supported by the outcomes of the short-term gains of your ITAM program.

    Short-term goal Long-term goal
    Identify inventory classification and tool (hardware first) Hardware contract data integration (warranty, maintenance, lease)
    Create basic ITAM policies and processes Continual improvement through policy impact review and revision
    Implement ITAM auto-discovery tools Software compliance reports, internal audits

    Info-Tech Insight

    Installing an ITAM tool does not mean you have an effective asset management program. A complete solution needs to be built around your tool, but the strength of ITAM comes from processes embedded in the organization that are shaped and supported by your ITAM data.

    Develop an IT hardware asset management implementation roadmap

    4.2.3 Develop a HAM implementation roadmap

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the IT Hardware Asset Management Implementation Roadmap

    1. Identify up to five streams to work on initiatives for the hardware asset management project.
    2. Fill out key tasks and objectives for each process. Assign responsibility for each task.
    3. Select a start date and end date for each task. See tab 1 of the tool for instructions on which letters to input for each stage of the process.
    4. Once your list is complete, open tab 3 of the tool to see your completed sunshine diagram.
    5. Keep this diagram visible for your team and use it as a guide to task completion as you work towards your future-state value stream.

    Focus on continual improvement to sustain your ITAM program

    Periodically review the ITAM program in order to achieve defined goals, objectives, and benefits.

    Act → Plan → Do → Check

    Once ITAM is in place in your organization, a focus on continual improvement creates the following benefits:

    • Remain in sync with the business: your asset management program reflects the current and desired future states of your organization at the time of its creation. But the needs of the business change. As mentioned previously, asset management is a dynamic process, so in order for your program to keep pace, a focus on continual improvement is needed.
      • For example, imagine if your organization had designed your ITAM program before cloud-based solutions were an option. What if your asset classification scheme did not include personal devices or tablets or your asset security policy lacked a section on BYOD?
    • Create funding for new projects through ITAM continual improvement: one of the goals is to save money through more efficient use of your assets by “sweating” out underused hardware and software.
      • It may be tempting to simply present the results to Finance as savings, but instead, describe the results as “available funds for other projects.” Otherwise, Finance may view the savings as a nod to restrict IT’s budget and allocate funds elsewhere. Make it clear that any saved funds are still required, albeit in a different capacity.

    Info-Tech Best Practice

    Look for new uses for ITAM data. Ask management what their goals are for the next 12-18 months. Analyze the data you are gathering and determine how your ITAM data can assist with achieving these goals.

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Step 4.1: Plan Budget

    Start with an analyst kick-off call:

    • Know where to find data to budget for hardware needs accurately.
    • Learn how to manage a hardware budget.

    Then complete these activities…

    • Plan hardware asset budget.

    With these tools & templates:

    HAM Budgeting Tool

    Step 4.2: Communicate & Roadmap

    Review findings with analyst:

    • Develop policies for end users.
    • Build communications plan.
    • Build an implementation roadmap.

    Then complete these activities…

    • Build HAM policies.
    • Develop a communication plan.
    • Develop a HAM implementation roadmap.

    With these tools & templates:

    HAM policy templates

    HAM Communication Plan

    HAM Implementation Roadmap

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1.1 Build a hardware asset budget

    Review upcoming hardware refresh needs and projects requiring hardware purchases. Use this data to forecast and budget equipment for the upcoming year.

    4.2.2 Develop a communication plan

    Identify groups that will be affected by the new HAM program and for each group, document a communications plan.

    Insight breakdown

    Overarching Insights

    HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.

    ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.

    Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Phase 1 Insight

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    Phase 2 Insight

    Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    Phase 3 Insight

    Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    Phase 4 Insight

    Deploying a fancy ITAM tool will not make hardware asset management implementation easier. Implementation is a project that requires you focus on people and process first – the technology comes after.

    Related Info-Tech research

    Implement Software Asset Management

    Build an End-User Computing Strategy

    Find the Value – and Remain Valuable – With Cloud Asset Management

    Consolidate IT Asset Management

    Harness Configuration Management Superpowers

    IT Asset Management Market Overview

    Bibliography

    Chalkley, Martin. “Should ITAM Own Budget?” The ITAM Review. 19 May 2011. Web.

    “CHAMP: Certified Hardware Asset Management Professional Manual.” International Association of Information Technology Asset Managers, Inc. 2008. Web.

    Foxen, David. “The Importance of Effective HAM (Hardware Asset Management).” The ITAM Review. 19 Feb. 2015. Web.

    Foxen, David. “Quick Guide to Hardware Asset Tagging.” The ITAM Review. 5 Sep. 2014. Web.

    Galecki, Daniel. “ITAM Lifecycle and Savings Opportunities – Mapping out the Journey.” International Association of IT Asset Managers, Inc. 16 Nov. 2014. Web.

    “How Cisco IT Reduced Costs Through PC Asset Management.” Cisco IT Case Study. 2007. Web.

    Irwin, Sherry. “ITAM Metrics.” The ITAM Review. 14 Dec. 2009. Web.

    “IT Asset and Software Management.” ECP Media LLC, 2006. Web.

    Rains, Jenny. “IT Hardware Asset Management.” HDI Research Brief. May 2015. Web.

    Riley, Nathan. “IT Asset Management and Tagging Hardware: Best Practices.” Samanage Blog. 5 March 2015. Web.

    “The IAITAM Practitioner Survey Results for 2016 – Lean Toward Ongoing Value.” International Association of IT Asset Managers, Inc. 24 May 2016. Web.