Assess Your IT Financial Management Maturity Effectively

Influence your organization’s strategic direction.

Analyst Perspective

Make better informed data-driven business decisions.

Technology has been evolving throughout the years, increasing complexity and investments, while putting more stress on operations and people involved. As an IT leader, you are now entrusted to run your outfit as a business, sit at the executive table as a true partner, and be involved in making decisions that best suit your organization. Therefore, you have an obligation to fulfill the needs of your end customers and live up to their expectations, which is not an easy task.

IT financial management (ITFM) helps you generate value to your organization’s clientele by bringing necessary trade-offs to light, while driving effective dialogues with your business partners and leadership team.

This research will focus on Info-Tech’s approach to ITFM maturity, aiming for a state of continuous improvement, where an organization can learn and grow as it adapts to change. As the ITFM practice matures, IT and business leaders will be able to better understand one another and together make better business decisions, driven by data.

This client advisory presentation and accompanying tool seek to support IT leaders and ITFM practitioners in evaluating and improving their current maturity. It will help document both current and target states as well as prioritize focus areas for improvement.

Bilal Alberto Saab Research Director, IT Financial Management Info-Tech Research Group

Executive Summary

The value of ITFM is undermined

ITFM is often discarded and not given enough importance and relevance due to the operational nature of IT, and the specialized skillset of its people, leading to several problems and challenges, such as:

• Unfamiliarity: Lack of knowledge and understanding related to ITFM maturity.
• Shortsightedness: Randomly reacting to changing circumstances.
• Exchange: Inability to consistently drive dialogues.
• Perception: IT is perceived as a cost center instead of a trustworthy strategic partner.

Constructive dialogues with business partners are not the norm

Business-driven conversations around financials (spending, cost, revenue) are a rarity in IT due to several factors, including:

• Foundation: Weak governance, inadequate skillset, and less than perfect processes and tools.
• Data: Lack of adequate taxonomy/data model, alongside inaccurate data leading to poor reporting and insights.
• Language: Lack of a common vocabulary across the organization.
• Organization culture: No alignment, alongside minimal communication and collaboration between IT and business partners.

Follow Info-Tech’s approach to move up the ITFM maturity ladder

Mature your ITFM practice by activating the means to make informed business decisions.

Info-Tech’s methodology helps you move the dial by focusing on three maturity focus areas:

• Build an ITFM Foundation
• Manage and Monitor IT Spending
• Bridge the Language Barrier

Info-Tech Insight

Influence your organization’s strategic direction by maturing your ITFM practice.

What is ITFM?

ITFM is not just about finance.

• ITFM has evolved from traditional budgeting, accounting, and cost optimization; however, it is much more than those activities alone.
• It starts with understanding the financial implications of technology by adopting different perspectives to become adept in communicating with various stakeholders, including finance, business partners, IT managers, and your CEO.
• Armed with this knowledge, ITFM helps you address a variety of questions, such as:
  • How are technology funds being spent?
  • Which projects is IT prioritizing and why?
  • What are the resources needed to speed IT delivery?
  • What’s the value of IT within the organization?
• ITFM’s main objective is thus to improve decision-making capabilities by facilitating communication between IT leaders and stakeholders, while enabling a customer focus attitude throughout the organization.

“ITFM embeds technology in financial management practices. Through cost, demand, and value, ITFM brings technology and business together, forging the necessary relationships and starting the right conversations to enable the best decisions for the organization.”
– Monica Braun, Research Director, Info-Tech Research Group

Your challenge

IT leaders struggle to articulate and communicate business value.

• IT spending is often questioned by different stakeholders, such as business partners and various IT business units. These questions, usually resulting from shifts in business needs, may revolve around investments, expenditures, services, and speed to market, among others. While IT may have an idea about its spending habits, aligning it to the business strategy may prove difficult.
• IT staff often does not have access to, or knowledge of, the business model and its intricacies. In an operational environment, the focus tends to be on technical issues rather than overall value.
• People tend to fear what they do not know. Some business managers may not be comfortable with technology. They do not recognize the implications and ramifications of certain implementations or understand the related terminology, which puts a strain on any conversation.

“Value is not the numbers you visualize on a chart, it’s the dialogue this data generates with your business partners and leadership team.”
– Dave Kish, Practice Lead, Info-Tech Research Group

Technology is constantly evolving

Increasing IT spending and decision-making complexity.

Common obstacles

IT leaders are not able to have constructive dialogues with their stakeholders.

• The way IT funds are spent has changed significantly, moving from the purchase of discrete hardware and software tools to implementing data lakes, cloud solutions, the metaverse and blockchain. This implies larger investments and more critical decisions. Conversations around interoperability, integration, and service-based solutions that focus more on big-picture architecture than day-to-day operations have become the norm.
• Speed to market is now a survival criterion for most organizations, requiring IT to shift rapidly based on changing priorities and customer expectations. This leads to the need for greater financial oversight, with the CFO as the gatekeeper. Today’s IT leaders need to possess both business and financial management savvy to justify their spending with various stakeholders.
• Any IT budget increase is tied to expectations of greater value. Hence, the compelling demands for IT to prove its worth to the business. Promoting value comes in two ways: 1) objectively, based on data, KPIs, and return on investment; and 2) subjectively, based on stakeholder satisfaction, alongside relationships. Building trust, credibility, and confidence can go a long way.

In a technology-driven world, advances come at a price. With greater spending required, more complex and difficult conversations arise.

Constructive dialogues are key

You don’t know what you don’t know.

• IT, being historically focused on operations, has become a hub for technically savvy personnel. On the downside, technology departments are often alien to business, causing problems such as:
  • IT staff have no knowledge of the business model and lack customer focus.
  • Business is not comfortable with technology and related jargon.
• The lack of two-way communication and business alignment is hence an important ramification. If the business does not understand technology, and IT does not speak in business terms, where does that lead us?
• Poor data quality and governance practices, alongside overly manual processes can only exasperate the situation.

IT Spending Survey

79% of respondents believe that decisions taking too long to make is either a significant or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).

81% of respondents believe that ensuring spend efficiency (avoiding waste) is either a challenge or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).

ITFM is trailing behind

IT leaders must learn to speak business.

In today’s world, where organizations are driving customer experience through technology investments, having a seat at the table means IT leaders must be well versed in business language and practice, including solid financial management skills.

However, IT staff across all industries aren’t very confident in how well IT is doing in managing its finances. This becomes evident after looking at three core processes:

• Demonstrating IT’s value to the business.
• Accounting of costs and budgets.
• Optimizing costs to gain the best return on investment.

Recent data from 4,137 respondents to Info-Tech’s IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing on them.

IT leadership’s capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and demonstrating IT’s contribution to business value.

Source: Info-Tech Research Group, IT Management & Governance Diagnostic, 2023.

Info-Tech’s approach

We take a holistic approach to ITFM and support you throughout your maturity journey.

The Info-Tech difference:

• Info-Tech has a methodology and set of tools that will help assess your ITFM maturity and take the first step in developing an improvement plan. We have identified three maturity focus areas:
  • Build an ITFM Foundation
  • Manage and Monitor IT Spending
  • Bridge the Language Barrier
• No matter where you currently stand in your ITFM practice, there is always room for improvement. Hence, a maturity assessment should be viewed as a self-improvement tool, which is only valuable if you are willing to act on it.

Note: See Appendix A for maturity level definitions and descriptions.

Climb the maturity ladder

By growing along three maturity focus areas.

Info-Tech identified three maturity focus areas, each containing three levers.

Identify where you stand across the nine maturity levers, detect the gaps, and determine your priorities as a first step to develop an improvement plan.

Note: See Appendix B for maturity level definitions and descriptions per lever.

Key project deliverables

Each step of this activity is accompanied by supporting deliverables to help you accomplish your goals.

IT Financial Management Maturity Assessment Report Template

IT Financial Management Maturity Assessment Tool

Measure the value of this activity

Reach your 12-month maturity target.

• Determine your 12-month maturity target, identify your gaps, and set your priorities.
• Use the ITFM maturity assessment to kickstart your improvement plan by developing actionable initiatives.
• Implement your initiatives and monitor your progress to reach your 12-month target.

Build your improvement plan and implement your initiatives to move the dial and climb the maturity ladder.

Info-Tech offers various levels of support to best suit your needs

Step 1

Prepare for the ITFM maturity assessment

Content Overview

1. Identify your stakeholders
2. Set the context
3. Determine the methodology
4. Identify assessment takers

This step involves the following participants:

• CIO/IT director
• CFO/finance director
• IT finance lead
• IT audit lead
• Other IT management

1. Prepare to take the ITFM maturity assessment

3 hours

Input: Understanding your context, objectives, and methodology

Output: ITFM maturity assessment stakeholders and their objectives, ITFM maturity assessment methodology, ITFM maturity assessment takers

Materials: 1a. Prepare for Assessment tab in the ITFM Maturity Assessment Tool

Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management

1. Identify your stakeholders and document it in the ITFM Maturity Assessment Tool (see next slides). We recommend having representatives from different business units across the organization, most notably IT, IT finance, finance, and IT audit.
2. Set the context with your stakeholders and document it in the ITFM Maturity Assessment Tool. Discuss the reason behind taking the ITFM maturity assessment among the various stakeholders. Why do each of your stakeholders want to take the assessment? What are their main objectives? What would they like to achieve?
3. Determine the methodology and document it in the ITFM Maturity Assessment Tool. Discuss how you want to go about taking the assessment with your stakeholders. Do you want to have representatives from each business unit take the assessment individually, then share and discuss their findings? Do you prefer forming a working group with representatives from each business unit and go through the assessment together? Or does any of your stakeholders have a different suggestion? You will have to consider the effort, skillset, and knowledge required.
4. Identify the assessment takers and document it in the ITFM Maturity Assessment Tool. Determine who will be taking the assessment (specific names of stakeholders). Consider their availability, knowledge, and skills.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Document your stakeholders, objectives, and methodology

Excel Workbook: ITFM Maturity Assessment Tool – Prepare for Assessment worksheet

Refer to the example and guidelines below on how to document stakeholders, objectives, and methodology (table range: columns B to G and rows 8 to 15).

Review the following in the Excel workbook as per guidelines:

1. Navigate to the 1a. Prepare for Assessment tab.
2. Enter the full names and job titles of the ITFM maturity assessment stakeholders.
3. Document the maturity assessment objective of each of your stakeholders.
4. Document the agreed-upon methodology.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Document your assessment takers

Excel Workbook: ITFM Maturity Assessment Tool – Prepare for Assessment worksheet

Refer to the example and guidelines below on how to document assessment takers (table range: columns B to E and rows 18 to 25).

Review the following in the Excel workbook as per guidelines:

1. Navigate to the 1a. Prepare for Assessment tab.
2. Enter the full name of each assessment taker, along with the job title of the stakeholder they are representing.

Download the IT Financial Management Maturity Assessment Tool

Step 2

Take the ITFM maturity assessment

Content Overview

1. Complete the survey
2. Review your assessment results
3. Determine your priorities

This step involves the following participants:

• CIO/IT director
• CFO/finance director
• IT finance lead
• IT audit lead
• Other IT management

2. Take the ITFM maturity assessment

3 hours

Input: Understanding of your ITFM current state and 12-month target state, ITFM maturity assessment results

Output: ITFM current- and target-state maturity levels, average scores, and variance, ITFM current- and target-state average scores, variance, and priority by maturity focus area and maturity lever

Materials: 1b. Glossary, 2a. Assess ITFM Foundation, 2b. Assess Mngt. & Monitoring, 2c. Assess Language, and 3. Assessment Summary tabs in the ITFM Maturity Assessment Tool

Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management

1. Complete the survey: select the current and target state of each statement – refer to the glossary as needed for definitions of key terms – in the ITFM Maturity Assessment Tool (see next slides). There are three tabs (one per maturity focus area) with three tables each (nine maturity levers). Review and discuss statements with all assessment takers: consider variations, differing opinions, and reach an agreement on each statement inputs.
2. Review assessment results: navigate to the Assessment Summary tab in the ITFM maturity assessment tool (see next slides) to view your results. Review and discuss with all assessment takers: consider any shocking output and adjust survey input if necessary.
3. Determine your priorities: decide on the priority (Low/Medium/High) by maturity focus area and/or maturity lever. Rank your maturity focus area priorities from 1 to 3 and your maturity lever priorities from 1 to 9. Consider the feasibility in terms of timeframe, effort, and skillset required, positive and negative impacts on business and technology, likelihood of failure, and necessary approvals. Document your priorities in the ITFM maturity assessment tool (see next slides).
   Review and discuss priorities with all assessment takers: consider variations, differing opinions, and reach an agreement on each priority.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Complete the survey

Excel workbook: ITFM Maturity Assessment Tool – Survey worksheets

Refer to the example and guidelines below on how to complete the survey.

Review the following in the Excel workbook as per guidelines:

1. Navigate to the survey tabs: 2a. Assess ITFM Foundation, 2b. Assess Management and Monitoring, and 2c. Assess Language.
2. Select the appropriate current and target maturity levels.
3. Add any notes or comments per ITFM maturity statement where necessary or helpful.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Review your overall result

Excel Workbook: ITFM Maturity Assessment Tool – Assessment Summary worksheet

Refer to the example and guidelines below on how to review your results.

Review the following in the Excel workbook as per guidelines:

1. Navigate to tab 3. Assessment Summary.
2. Review your overall current state and target state result along with the corresponding variance.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Set your priorities

Excel Workbook: ITFM Maturity Assessment Tool – Assessment Summary worksheet

Refer to the example and guidelines below on how to review your results per maturity focus area and maturity lever, then prioritize accordingly.

Review the following in the Excel workbook as per guidelines:

1. Navigate to tab 3. Assessment Summary.
2. Review your current-state and target-state result along with the corresponding variance per maturity focus area and maturity lever.
3. Select the appropriate priority for each maturity focus area and maturity lever.
4. Enter a unique rank for each maturity focus area (1 to 3).
5. Enter a unique rank for each maturity lever (1 to 9).

Download the IT Financial Management Maturity Assessment Tool

Step 3

Communicate your ITFM maturity results

Content Overview

1. Review your assessment charts
2. Customize the assessment report
3. Communicate your results

This step involves the following participants:

• CIO/IT director
• CFO/finance director
• IT finance lead
• IT audit lead
• Other IT management

3. Communicate your ITFM maturity results

3 hours

Input: ITFM maturity assessment results

Output: Customized ITFM maturity assessment report

Materials: 3. Assessment Summary tab in the ITFM Maturity Assessment Tool, ITFM Maturity Assessment Report Template

Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management

1. Review assessment charts: navigate to the Assessment Summary tab in the ITFM Maturity Assessment Tool (see next slides) to view your results and related charts.
2. Edit the report template: complete the template based on your results and priorities to develop your customized ITFM maturity assessment report (see next slide).
3. Communicate results: communicate and deliberate the assessment results with assessment takers at a first stage, and with your stakeholders at a second stage. The objective is to agree on next steps, including developing an improvement plan.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Review assessment charts

Excel Workbook: ITFM Maturity Assessment Tool – Assessment Summary worksheet

Refer to the example below on charts depicting different views of the maturity assessment results across the three focus areas and nine levers.

From the Excel workbook, after completing your potential initiatives and filling all related entries in the Outline Initiatives tab:

1. Navigate to tab 3. Assessment Summary.
2. Review each of the charts.
3. Navigate back to the survey tabs to examine, drill down, and amend individual entries as you deem necessary.

Download the IT Financial Management Maturity Assessment Tool

TEMPLATE & EXAMPLE

Customize your report

PowerPoint presentation: ITFM Maturity Assessment Report Template

Refer to the example below on slides depicting different views of the maturity assessment results across the three maturity focus areas and nine maturity levers.

Slide 6: Edit levels based on your assessment results. Copy and paste the appropriate maturity level definition and description from slide 4.

Slide 7: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title. You can use the “Outer Offset: Bottom” shadow under shape effects on the chart.

Slide 8: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title and legend. You can use the “Outer Offset: Center” shadow under shape effects on the chart.

From the ITFM Maturity Assessment Report Template:

1. Edit the report based on your results found in the assessment summary tab of the Excel workbook (see previous slide).
2. Review slides 6 to 8 and bring necessary adjustments.

Download the IT Financial Management Maturity Assessment Report Template

Make informed business decisions

Take a holistic approach to ITFM.

• A thorough understanding of your technology spending in relation to business needs and drivers is essential to make informed decisions. As a trusted partner, you cannot have effective conversations around budgets and cost optimization without a solid foundation.
• It is important to realize that ITFM is not a one-time exercise, but a continuous, sustainable process to educate (teach, mentor, and train), increase transparency, and assign responsibility.
• Move up the ITFM maturity ladder by improving across three maturity focus areas:
  • Build an ITFM Foundation
  • Manage and Monitor IT Spending
  • Bridge the Language Barrier

What’s Next?

Communicate your maturity results with stakeholders and develop an actionable ITFM improvement plan.

And remember, having informed discussions with your business partners and stakeholders, where technology helps propel your organization forward, is priceless!

IT Financial Management Team

	Dave Kish Practice Lead, ITFM Practice Info-Tech Research Group
	Jennifer Perrier Principal Research Director, ITFM Practice Info-Tech Research Group
	Angie Reynolds Principal Research Director, ITFM Practice Info-Tech Research Group
	Monica Braun Research Director, ITFM Practice Info-Tech Research Group
	Rex Ding Research Specialist, ITFM Practice Info-Tech Research Group
	Aman Kumari Research Specialist, ITFM Practice Info-Tech Research Group

Research Contributors and Experts

	Amy Byalick Vice President, IT Finance Info-Tech Research Group	Amy Byalick is an IT Finance practitioner with 15 years of experience supporting CIOs and IT leaders elevating the IT financial storytelling and unlocking insights. Amy is currently working at Johnson Controls as the VP, IT Finance, previously working at PepsiCo, AmerisourceBergen, and Jacobs.
	Carol Carr Technical Counselor, Executive Services Info-Tech Research Group
	Scott Fairholm Executive Counselor, Executive Services Info-Tech Research Group
	Gokul Rajan Executive Counselor, Executive Services Info-Tech Research Group
	Allison Kinnaird Practice Lead, Infrastructure & Operations Info-Tech Research Group
	Isabelle Hertanto Practice Lead, Security & Privacy Info-Tech Research Group

Related Info-Tech Research

	Achieve IT Spending Transparency Mature your ITFM practice by activating the means to make informed business decisions.
	Build Your IT Cost Optimization Roadmap Develop an IT cost optimization strategy based on your specific circumstances and timeline.

Bibliography

Eby, Kate. “The Complete Guide to Organizational Maturity: Models, Levels, and Assessments.” Smartsheet, 8 June 2022. Web.

“Financial Management Maturity Model.” National Audit Office, n.d. Accessed 28 Apr. 2023.

“ITFM/TBM Program Maturity Guide.” Nicus Software, n.d. Accessed 28 Apr. 2023.

Jouravlev, Roman. "Service Financial Management: ITIL 4 Practice Guide." Axelos, 2020.

McCarthy, Seamus. “Financial Management Maturity Model: A Good Practice Guide.” Office of the Comptroller & Auditor General, 26 June 2018. Web.

“Principles for Effective Risk Data Aggregation and Risk Reporting.“ Bank for International Settlements, Jan. 2013. Web.

“Role & Influence of the Technology Decision-Maker 2022.” Foundry, 2022. Web.

Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO, 21 March 2022. Web.

“Tech Spend Pulse.” Flexera, 2022. Web.

Appendix A

Definition and Description
Per Maturity Level

ITFM maturity levels and definitions

Appendix B

Maturity Level Definitions and Descriptions
Per Lever

Establish your ITFM team

Maturity focus area: Build an ITFM foundation.

Set up your governance structure

Maturity focus area: Build an ITFM foundation

Adopt ITFM processes and tools

Maturity focus area: Build an ITFM foundation.

Standardize your taxonomy and data model

Maturity focus area: Manage and monitor IT spending.

Identify, gather, and prepare your data

Maturity focus area: Manage and monitor IT spending.

Analyze your findings and develop your reports

Maturity focus area: Manage and monitor IT spending.

Communicate your IT spending

Maturity focus area: Bridge the language barrier.

Educate the masses

Maturity focus area: Bridge the language barrier.

Influence your organization’s culture

Maturity focus area: Bridge the language barrier.

Navigate the Digital ID Ecosystem to Enhance Customer Experience

Beyond the hype: How it can help you become more customer-focused?

Executive Summary

Info-Tech Insight

Focusing on customer touchpoints and transforming them is key to excellent user experience and increasing their lifetime value (LTV) to them and to your organization. Digital ID is that tool of transformation.

Analyst Perspective

Digital Identity Ecosystem and vital ingredients of adoption

What is digital identity?

Definitions may vary, depending on the focus.

“Digital identity (ID) is a set of attributes that links a physical person with their online interactions. Digital ID refers to one’s online persona - an online footprint. It touches important aspects of one’s everyday life, from financial services to health care and beyond.” - DIACC Canada

“Digital identity is a digital representation of a person. It enables them to prove who they are during interactions and transactions. They can use it online or in person.” - UK Digital Identity and Attributes Trust Framework

“Digital identity is an electronic representation of an entity (person or other entity such as a business) and it allows people and other entities to be recognized online.” - Australia Trusted Digital Identity Framework

A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity.

Digital identity has many dimensions*, and in turn categories

Info-Tech Insight

Digital ID has taken different meanings for different people, serving different purposes in different environments. Based on various aspects of Digital Identification, it can be categorized in several types. However, most of the time when people refer to a form of identification as Digital ID, they refer to a verified id with built-in trust either from the government OR the eco-system.

* Please refer to Taxonomy for the definition of each of the dimensions

Understanding a digital identity ecosystem is key to formulating your approach to adopt it

Info-Tech Insight

Digital identity ecosystems comprise many entities playing different roles, and sometimes more than one. In addition, variations in approach by jurisdictions drive how many active players are in the ecosystem for that jurisdiction.

For example, in countries like Estonia and India, government plays the role of trust and governance authority as well as ID provider, but didn’t start with any Digital ID wallet. In contrast, in Ukraine, Diia App is primarily a Digital ID Wallet. Similarly, in the US, different states are adopting private Digital ID Wallet providers like Apple.

Digital ID ecosystem’s sustainability lies in the key principles it is built on

Social, economic, and legal alignment with target stakeholders
Transparent governance and operation
Legally auditable and enforceable
Robust and Resilient – High availability
Security – At rest, in progress, and in transit
Privacy and Control with users
Omni-channel Convenience – User and Operations
Minimum data transfer between entities
Technical interoperability enabled through open standards and protocol
Scalable and interoperable at policy level
Cost effective – User and operations
Inclusive and accessible

Info-Tech Insight

A transparent, resilient, and auditable digital ID system must be aligned with socio-economic realities of the target stakeholders. It not only respects their privacy and security of their data by minimizing the data transfer between entities, but also drives desired customer experience by providing an omni-channel, interoperable, scalable, and inclusive ecosystem while still being cost-effective for the collaborators.

Source: Adapted from Canada PCTF, UK Trust framework, European Commission, Australia TDIF, and others

Focus on key success factors to drive the digital ID adoption

Digital ID success factors

Legislative regulatory framework – Removes uncertainty
Security & Privacy Assurance- builds trust
Smooth user experience – Drives preferences
Transparent ecosystem – Drives inclusivity
Multi-channel – Drive consistent experience online / offline
Inter-operability thorough open standards
Digital literacy – Education and awareness
Multi-purpose & reusable – Reduce consumer burden
Collaborative ecosystem –Build network effect

Source: Adapted from Canada PCTF, UK digital identity & attributes trust framework , European eIDAS, and others

Info-Tech Insight

Driving adoption of Digital ID requires affirmative actions from all ecosystem players including governing authorities, identity providers, and identity consumers (relying parties).

These nine success factors can help drive sustainable adoption of the Digital ID.

Among many responsibilities the ecosystem players have, identity governance is the key to sustainability

Digital identity provision Creating identity attributes Create a reusable identity and attribute service Create a digital identity Assess and manage quality of an identity and attributes Making identity provision inclusive and accessible Digital identity resolution Enabling inclusive access to products and services through digital identity Authenticate and authorize identity subjects before permitting access to their identity and attributes Digital identity governance Manage digital identity and attributes Make Identity service interoperable, and sharable Recover digital identity and attribute accounts Notifying users on accessing identity or making changes on more attributes Report and audit – exclusion, accessibility Retiring an identity or attribute service Respond to complaints and disputes Enterprise risk management and governance

Privacy and security Use encryption Privacy compliance framework Consumer Privacy Protection laws (CPPA, GDPR etc.) Acquiring and managing user consents & agreements Prohibited processing of personal data Security controls and governance Information management Record management Archival Disposal (on expiry or to comply with regulations) CIA (confidentiality, integrity, availability) Fraud management Fraud monitoring and reporting Fraud intelligence and analysis Sharing threat indicators Legal, policies and procedures for fraud management Incident response Respond to fraud incidents Respond to a service delivery incident Responding to data breaches Performing and participating in investigation

Global evolution of digital ID is following the socio-economic aspirations of countries

Source: Adapted from the book: Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018

Info-Tech Insight

The world became global a long time ago; however, it sustained economic progress without digital IDs for most of the world's population.

With the pandemic, when political rhetoric pointed to the demand for localized supply chains, economies became irreversibly digital. In this digital economy, the digital ID ecosystem is the fulcrum of sustainable growth.

At a time in overlapping jurisdictions, multiple digital IDs can exist. For example, one is issued by a local municipality, one by the province, and another by the national government.

Global footprint of digital ID is evolving rapidly, but varies in approach

Info-Tech Insight

Countries’ approach to the digital ID is rooted in their socio-economic environment and global aspirations.

Emerging economies with large underserved populations prioritize fast implementation of digital ID through centralized systems.

Developed economies with smaller populations, low trust in government, and established ID systems prioritize developing trust frameworks to drive decentralized full-scale implementation.

There is no right way except the one which follows Digital ID principles and aligns with a country’s and its people’s aspirations.

Estonia's e-identity is the key to its digital agenda 2030

India’s Aadhaar is the foundation of its digital journey through “India stack”

Ukraine’s Diia is a resilient act to preserve their identities during threat to their existence

Canada’s PCTF (Pan Canadian Trust Framework) driving the federated digital identity ecosystem

Regulatory Accountability: Treasury Board of Canada Secretariat (TBS); Canadian Digital Service (CDS); Office of CIO Standard Setting: Digital Identification and Authentication Council of Canada (DIACC)

Frameworks: Treasury Board Directive on Identity Management Pan Canadian Trust Framework (PCTF) Voilà Verified Trustmark Program: ISO aligned compliance certification program on PCTF Governing / Certificate Authority: Trustmark Oversight Board (TOB) and DIACC accredited assessor Operational Governance: Federated between identity providers and identity consumers Identity Providers: Public and Private Sector Other entities involved: Digital ID Lab (Voila Verified Auditor); Kuma (Accredited Assessor)

82% People supportive of Digital ID. 2/3 Canadians prefer public-private partnership for Pan-Canadian digital ID framework. >40% Canadians prefer completing various tasks and transactions digitally. 75% Canadians are willing to share personal information for better experience. >80% Trust government, healthcare providers, and financial institutions with their personal information. Source: DIACC Survey 2021

Uniqueness Although a few provinces in Canada started their Digital ID journey already, federally, Canada lacked an approach. Now Canada is developing a federated Digital ID ecosystem driven through the Pan-Canadian Trust Framework (PCTF) led by a non-profit (DIACC) formed with public and private partnership.

Australia’s digital id is pivotal to its vision to become one of the Top-3 digital governments globally by 2025*

* Australia Digital Government Strategy 2021

UK switches gear to the Trust Framework approach to build a public-private digital ID ecosystem

Government: Ministry of Digital Infrastructure / Department of Digital, Culture, Media, and Sport Governing Body / Certificate Authority / Operational Governance: TBD Approach: Trust Framework-based UK Digital Identity and attributes trust framework (UKDIATF) Identity providers: Transitioning from “GOV.UK Verify” to a federated digital identity system aligned with “Trust Framework” – enabling both government (“One Login for Government”) and private sector identity providers.

Uniqueness UK embarked its Digital ID journey through Gov.UK Verify but decided to scrap it recently. It is now preparing to build a trust framework-based federated digital ID ecosystem with roles like schema-owners and orchestration service providers for private sector and drive the collaboration between industry players.

Digital ID will transform all industries, though financial services and e-governance will gain most

USE CASE

Car rental

INDUSTRY: Travel & Tourism

Source: Info-Tech Research Group

USE CASE

e-Governance public distribution service

INDUSTRY: Government

Source: Info-Tech Research Group

USE CASE

Real-estate investment and sale

INDUSTRY: Asset Management

Source: Info-Tech Research Group

1 Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)

2 UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf)

Adopting digital ID benefits everybody – governments, id providers, id consumers, and end users

Digital ID will transform all industries, though financial services and e-governance will gain most

Digital ID brings end users choice, convenience, control, and cost-saving, driving overall experience

Digital id benefits identity consumers by enhancing multiple dimensions of their value streams

Before embarking on the digital identity adoption journey, assess your readiness

Legislative coverage

Does your target jurisdiction have adequate legislative framework to enable uses of digital identities in your industry?

Trust framework

If the Digital ID ecosystem in your target jurisdiction is trust framework-based, do you have adequate understanding of it?

Customer touch-points

Do you have exact understanding of value stream and customer touch-points where you interact with user identity?

Relevant identity attributes

Do you have exact understanding of the identity attributes that your business processes need to deliver customer value?

Regulatory compliance

Do you have required systems to ensure your compliance with industry regulations around customer PII and identity?

Interoperability with IMS

Is your existing identity management system interoperable with Open-source Digital Identity ecosystem?

Enterprise governance

Have you established an integrated enterprise governance framework covering business processes, technical systems, and risk management?

Communication strategy

Do have a clear strategy (mode, method, means) to communicate with your target customer and persuade them to adopt digital identity?

Security operations center

Do you have security operations center coordinating detection, response, resolution, and communication of potential data breaches?

Ten steps to adopt to enhance the customer experience

Understand and manage the risks and challenges of digital identity adoption

Recommendations to help you realize the potential of digital identity into your value streams

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Attributes: An identity attribute is a statement or information about a specific aspect of entity’s identity ,substantiating they are who they claim to be, own, or have.

Attribute (or Credential) provider: An attribute or credential provider could be an organization which issues the primary attribute or credential to a subject or entity. They are also responsible for identity-attribute binding, credential maintenance, suspension, recovery, and authentication.

Attribute (or Credential) service provider: An attribute service provider could be an organization which originally vetted user’s credentials and certified a specific attribute of their identity. It could also be a software, such as digital wallet, which can store and share a user’s attribute with a third party once consented by the user. (Source: UK Govt. Trust Framework)

Attribute binding: This is a process an attribute service providers uses to link the attributes they created to a person or an organization through an identifier. This process makes attributes useful and valuable for other entities using these attributes. For example, when a new employee joins a company, they are given a unique employee number (an identifier), which links the person with their job title and other aspects (attributes) of his job. (Source: UK Govt. Trust Framework)

Authentication service provider: An organization which is responsible for creating and managing authenticators and their lifecycle (issuance, suspension, recovery, maintenance, revocation, and destruction of authenticators). (Source: DIACC)

Authenticator: Information or biometric characteristics under the control of an individual that is a specific instance of something the subject has, knows, or does. E.g. private signing keys, user passwords, or biometrics like face, fingerprints. (Source: Canada PCTF)

Authentication (identity verification): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

Authorization: The process of validating if the authenticated entity has permission to access a resource (service or product).

Biometrics attributes: Human attributes like retina (iris), fingerprint, heartbeat, facial, handprint, thumbprint, voice print.

Centralized identity: Digital identities which are fully governed by a centralized government entity. It may have enrollment or registration agencies, private or public sector, to issue the identities, and the technical system may still be decentralized to keep data federated.

Certificate Authority (CA or accredited assessors): An organization or an entity that conducts assessments to validate the framework compliance of identity or attribute providers (such as websites, email addresses, companies, or individual persons) serving other users, and binding them to cryptographic keys through the issuance of electronic documents known as digital certificates.

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Collective (non-resolvable) attributes: Nationality, domicile, citizenship, immigration status, age group, disability, income group, membership, (outstanding) credit limit, credit score range.

Contextual identity: A type of identity which establishes an entity’s existence in a specific context – real or virtual. These can be issued by public or private identity providers and are governed by the organizational policies. E.g. employee ID, membership ID, social media ID, machine ID.

Credentials: A physical or a digital representation of something that establishes an entity’s eligibility to do something for which it is seeking permission, or an association/affiliation with another, generally well-known entity. E.g. Passport, DL, password. In the context of Digital Identity, every identity needs to be attached with a credential to ensure that the subject of the identity can control how and by whom that identity can be used.

Cryptographic hash function: A hash function is a one-directional mathematical operation performed on a message of any length to get a unique, deterministic, and fixed size numerical string (the hash) which can’t be reverse engineered to get the input data without deploying disproportionate resources. It is the foundation of modern security solutions in DLT / blockchain as they help in verifying the integrity and authenticity of the message.

Decentralized identity (DID) or self-sovereign identity: This is a way to give back the control of identity to the subject whose identity it is, using an identity wallet in which they collect verified information about themselves from certified issuers (such as the government). By controlling what information is shared from the wallet to requesting third parties (e.g. when registering for a new online service), the user can better manage their privacy, such as only presenting proof that they’re over 18 without needing to reveal their date of birth. Source: (https://www.gsma.com/identity/decentralised-identity)

Digital identity wallet: A type of digital wallet refers to a secure, trusted software applications (native mobile app, mobile web apps, or Rivas-hosted web applications) based on common standards, allowing a user to store and use their identity attributes, identifiers, and other credentials without loosing or sharing control of them. This is different than Digital Payment Wallets used for financial transactions. (Source: https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf)

Digital identity: A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity. E.g. Estonia eID , India Aadhar, digital citizenship ID.

Digital object architecture: DOA is an open architecture for interoperability among various information systems, including ID wallets, identity providers, and consumers. It focuses on digital objects and comprises three core components: the identifier/resolution system, the repository system, and the registry system. There are also two protocols that connect these components. (Source: dona.net)

Digital signature: A digital signature is an electronic, encrypted stamp of authentication on digital information such as email messages, macros, or electronic documents. A signature confirms that the information originated from the signer and has not been altered. (Source: Microsoft)

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Entity (or Subject): In the context of identity, an entity is a person, group, object, or a machine whose claims need to be ascertained and identity needs to be established before his request for a service or products can be fulfilled. An entity can also be referred to as a subject whose identity needs to be ascertained before delivering a service.

Expiry: This is another dimension of an identity and determines the validity of an ID. Most of the identities are longer term, but there can be a few like digital tokens and URLs which can be issued for a few hours or even minutes. There are some which can be revoked after a pre-condition is met.

Federated identity: Federated identity is an agreement between two organizations about the definition and use of identity attributes and identifiers of a consumer entity requesting a service. If successful, it allows a consumer entity to get authenticated by one organization (identity provider) and then authorized by another organization. E.g. accessing a third-party website using Google credentials.

Foundational identity: A type of identity which establishes an entity’s existence in the real world. These are generally issued by public sector / government agencies, governed by a legal farmwork within a jurisdiction, and are widely accepted at least in that jurisdiction. E.g. birth certificate, citizenship certificate.

Governance: This is a dimension of identity that covers the governance model for a digital ID ecosystem. While traditionally it has been under the sovereign government or a federated structure, in recent times, it has been decentralized through DLT technologies or trust-framework based. It can also be self-sovereign, where individuals fully control their data and ID attributes.

Identifier: A digital identifier is a string of characters that uniquely represents an entity’s identity in a specific context and scope even if one or more identity attributes of the subject change over time. E.g. driver’s license, SSN, SIN, email ID, digital token, user ID, device ID, cookie ID.

Identity: An identity is an instrument used by an entity to provide the required information about itself to another entity in order to avail a service, access a resource, or exercise a privilege. An identity formed by 1-n identity attributes and a unique identifier.

Identity and access management (IAM): IAM is a set of frameworks, technologies, and processes to enable the creation, maintenance, and use of digital identity, ensuring that the right people gain access to the right materials and records at the right time. (Source: https://iam.harvard.edu/)

Identity consumer (Relying party): An organization, or an entity relying on identity provider to mitigate IT risks around knowing its customers before delivering the end-user value (product/service) without deteriorating end-user experience. E.g. Canada Revenue Agency using SecureKey service and relying on Banking institutions to authenticate users; Telecom service providers in India relying on Aadhaar identity system to authenticate the customer's identity.

Identity form: A dimension of identity that defines its forms depending on the scope it wants to serve. It can be a physical card for offline uses, a virtual identifier like a number, or an app/account with multiple identity attributes. Cryptographic keys and tokens can also be forms of identity.

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Identity infrastructure provider: Organizations involved in creating and maintaining technological infrastructure required to manage the lifecycle of digital identities, attributes, and credentials. They implement functions like security, privacy, resiliency, and user experience as specified in the digital identity policy and trust framework.

Identity proofing: A process of asserting the identification of a subject at a useful identity assurance level when the subject provides evidence to a credential service provider (CSP), reliably identifying themselves. (Source: NIST Special Publication 800-63A)

Identity provider (Attestation authority): An organization or an entity validating the foundation or contextual claims of a subject and establishing identifier(s) for a subject. E.g. DMV (US) and MTA (Canada) issuing drivers’ licenses; Google / Facebook issuing authentication tokens for their users logging in on other websites.

Identity validation: The process of confirming or denying the accuracy of identity information of a subject as established by an authorized party. It doesn’t ensure that the presenter is using their own identity.

Identity verification (Authentication): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

Internationalized resource identifier (IRI): IRIs are equivalent to URIs except that IRIs also allow non-ascii characters in the address space, while URIs only allow us-ascii encoding. (Source: w3.org)

Jurisdiction: A dimension of identity that covers the physical area or virtual space where an identity is legally acceptable for the purpose defined under law. It can be global, like it is for passport, or it can be local within a municipality for specific services. For unverified digital IDs, it can be the social network.

Multi-factor Authentication (MFA): Multi-factor authentication is a layered approach to securing digital assets (data and applications), where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. These factors can be a combination of (i) something you know like a password/PIN; (ii) something you have like a token on mobile device; and (iii) something you are like a biometric. (Adapted from https://www.cisa.gov/publication/multi-factor-authentication-mfa)

Oauth (Open authorization): OAuth is a standard authorization protocol and used for access delegation. It allows internet users to access websites by using credentials managed by a third-party authorization server / Identity Provider. It is designed for HTTP and allows access tokens to be issued by an authorization server to third-party websites. E.g. Google, Facebook, Twitter, LinkedIn use Oauth to delegate access.

OpenID: OpenID is a Web Authentication Protocol and implements reliance authentication mechanism. It facilitates the functioning of federated identity by allowing a user to use an existing account (e.g. Google, Facebook, Yahoo) to sign into third-party websites without needing to create new credentials. (Source: https://openid.net/).

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Personally identifiable information (PII): PII is a set of attributes which can be used, through direct or indirect means, to infer the real-world identity of the individual whose information is input. E.g. National ID (SSN/SIN/Aadhar) DL, name, date of birth, age, address, age, identifier, university credentials, health condition, email, domain name, website URI (web resolvable) , phone number, credit card number, username/password, public key / private key. (Source: https://www.dol.gov)

Predicates: The mathematical or logical operations such as equality or greater than on attributes (e.g. prove your salary is greater than x or your age is greater than y) to prove a claim without sharing the actual values.

Purpose: This dimension of a digital id defines for what purpose digital id can be used. It can be one or many of these – authentication, authorization, activity linking, historical record keeping, social interactions, and machine connectivity for IoT use cases.

Reliance authentication: Relying on a third-party authentication before providing a service. It is a method followed in a federated entity system.

Risk-based authentication: A mechanism to protect against account compromise or identity theft. It correlates an authentication request with transitional facts like requester’s location, past frequency of login, etc. to reduce the risk of potential fraud.

Scheme in trust framework: A specific set of rules (standard and custom) around the use of digital identities and attributes as agreed by one or more organizations. It is useful when those organizations have similar products, services, business processes. (Source: UK Govt. Trust Framework). E.g. Many credit unions agree on how they will use the identity in loan origination and servicing.

Selective disclosure (Assertion): A way to present one’s identity by sharing only a limited amount information that is critical to make an authentication / authorization decision. E.g. when presenting your credentials, you could share something proving you are 18 years or above, but not share your name, exact age, address, etc.

Trust: A dimension of an identity, which essentially is a belief in the reliability, truth, ability, or strength of that identity. While in the physical world all acceptable form of identities come with a verified trust, in online domain, it can be unverified. Also, where an identity is only acceptable as per the contract between two entities, but not widely.

Trust framework: The trust framework is a set of rules that different organizations agree to follow to deliver one or more of their services. This includes legislation, standards, guidance, and the rules in this document. By following these rules, all services and organizations using the trust framework can describe digital identities and attributes they’ve created in a consistent way. This should make it easier for organizations and users to complete interactions and transactions or share information with other trust framework participants. (Source: UK Govt. Trust Framework)

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Uniform resource identifier (URI): A universal name in registered name spaces and addresses referring to registered protocols or name spaces.

Uniform resource locator (URL): A type of URI which expresses an address which maps onto an access algorithm using network protocols. (Source: https://www.w3.org/)

Uniform resource name (URN): A type of URI that includes a name within a given namespace but may not be accessible on the internet.

Usability: A dimension of identity that defines how many times it can be used. While most of the identities are multi-use, a few digital identities are in token form and can be used only once to authenticate oneself.

Usage mode: A dimension of identity that defines the service mode in which a digital ID can be used. While all digital IDs are made for online usage, many can also be used in offline interactions.

Verifiable credentials: This W3C standard specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. (Source: https://www.w3.org/TR/vc-data-model/)

X.509 Certificates: X.509 certificates are standard digital documents that represent an entity providing a service to another entity. They're issued by a certification authority (CA), subordinate CA, or registration authority. These certificates play an important role in ascertaining the validity of an identity provider and in turn the identities issued by it. (Source: https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates)

Zero-knowledge proofs: A method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. (Source: 1989 SIAM Paper)

Zero-trust security: A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It evaluates each access request as if it is a fraud attempt, and grants access only if it passes the authentication and authorization test. (Source: Adapted from NIST, SP 800-207: Zero Trust Architecture, 2020)

Related Info-Tech Research

Build a Zero Trust Roadmap
Leverage an iterative and repeatable process to apply zero trust to your organization.

Assess and Govern Identity Security
Strong identity security and governance are the keys to the zero-trust future.

Adopt Design Thinking in Your Organization
Innovation needs design thinking to ensure customer remains at the center of everything the organization does.

Social Media
Leveraging Social Media to connect with your customers and educate them to drive the value proposition of your efforts.

IT Diversity & Inclusion Tactics
Equip your teams to create an inclusive environment and mobilize inclusion efforts across the organization.

Research Contributors and Experts

	David Wallace Executive Counselor https://tymansgrpup.com/profiles/david-wallace
	Erik Avakian Technical Counselor, Data Architecture and Governance https://tymansgrpup.com/profiles/erik-avakian
	Matthew Bourne Managing Partner, Public Sector Global Services https://tymansgrpup.com/profiles/matthew-bourne
	Mike Tweedie Practice Lead, CIO Research Development https://tymansgrpup.com/profiles/mike-tweedie
	Aaron Shum Vice President, Security & Privacy https://tymansgrpup.com/profiles/aaron-shum

Works Cited

India Aadhaar PMJDY (https://pmjdy.gov.in/account)
Theis, S., Rusconi, G., Panggabean, E., Kelly, S. (2020). Delivering on the Potential of Digitized G2P: Driving Women’s Financial Inclusion and Empowerment through Indonesia’s Program Keluarga Harapan. Women’s World Banking.
DIACC Canada (https://diacc.ca/the-diacc/)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
Australia Trusted Digital Identity Framework (https://www.digitalidentity.gov.au/tdif#changes)
eIDAS (https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation)
Europe Digital Wallet – POTENTIAL (https://www.digital-identity-wallet.eu/)
Canada PCTF (https://diacc.ca/trust-framework/)
Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018
e-Estonia website (https://e-estonia.com/solutions/e-identity/id-card/)
Aadhaar Dashboard (https://uidai.gov.in/)
DIACC Website (https://diacc.ca/the-diacc/)
Australia Digital ID website (https://www.digitalidentity.gov.au/tdif#changes)
UK Policy paper - digital identity & attributes trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
Ukraine Govt. website (https://ukraine.ua/invest-trade/digitalization/)
Singapore SingPass Website (https://www.tech.gov.sg/products-and-services/singpass/)
Norway BankID Website (https://www.bankid.no/en/private/about-us/)
Brazil National ID Card website (https://www.gov.br/casacivil/pt-br/assuntos/noticias/2022/julho/nova-carteira-de-identidade-nacional-modelo-unico-a-partir-de-agosto)
Indonesia Coverage in Professional Security Magazine (https://www.professionalsecurity.co.uk/products/id-cards/indonesian-cards/)
Philippine ID System (PhilSys) website (https://www.philsys.gov.ph/)
China coverage on eGovReview (https://www.egovreview.com/article/news/559/china-announces-plans-national-digital-ids)
Thales Group Website - DHS’s Automated Biometric Identification System IDENT (https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/customer-cases/ident-automated-biometric-identification-system)
FranceConnect (https://franceconnect.gouv.fr/)
Germany: Office for authorization cert. (https://www.personalausweisportal.de/Webs/PA/DE/startseite/startseite-node.html)
Italian Digital Services Authority (https://www.spid.gov.it/en/)
Monacco Mconnect (https://mconnect.gouv.mc/en)
Estonia eID (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
E-Residency Dashboard (https://www.e-resident.gov.ee/dashboard)
Unique ID authority of India (https://uidai.gov.in/aadhaar_dashboard/india.php)
State of Aadhaar (https://www.stateofaadhaar.in/)
World Bank (https://documents1.worldbank.org/curated/en/219201522848336907/pdf/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
WorldBank - ID4D 2022 Annual Report (https://documents.worldbank.org/en/publication/documents-reports/documentdetail/099437402012317995/idu00fd54093061a70475b0a3b50dd7e6cdfe147)
Ukraine Govt. Website for Invest and trade (https://ukraine.ua/invest-trade/digitalization/)
Diia Case study prepared for the office of Canadian senator colin deacon (https://static1.squarespace.com/static/63851cbda1515c69b8a9a2b9/t/6398f63a9d78ae73d2fd5725/1670968891441/2022-case-study-report-diia-mobile-application.pdf)
Canadian Digital Identity Research (https://diacc.ca/wp-content/uploads/2022/04/DIACC-2021-Research-Report-ENG.pdf)
Voilà Verified Trustmark (https://diacc.ca/voila-verified/)
Digital Identity, 06A Federation Onboarding Guidance paper, March 2022 (https://www.digitalidentity.gov.au/sites/default/files/2022-04/TDIF%2006A%20Federation%20Onboarding%20Guidance%20-%20Release%204.6%20%28Doc%20Version%201.2%29.pdf)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
A United Nations Estimate of KYC/AML (https://www.imf.org/Publications/fandd/issues/2018/12/imf-anti-money-laundering-and-economic-stability-straight)
India Aadhaar PMJDY (https://pmjdy.gov.in/account)
Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)
UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf) McKinsey Digital ID report ( https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/digital-identification-a-key-to-inclusive-growth) International Peace Institute ( https://www.ipinst.org/2016/05/information-technology-and-governance-estonia#7)
E-Estonia Report (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
2022 Budget Statement (https://diacc.ca/2022/04/07/2022-budget-statement/)
World Bank ID4D - Private Sector Economic Impacts from Identification Systems 2018 (https://documents1.worldbank.org/curated/en/219201522848336907/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
DIACC Canada (https://diacc.ca/the-diacc/)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
https://www.gsma.com/identity/decentralised-identity
https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
Microsoft Digital signatures and certificates (https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96)
https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
https://www.dona.net/digitalobjectarchitecture
IAM (https://iam.harvard.edu/)
NIST Special Publication 800-63A (https://pages.nist.gov/800-63-3/sp800-63a.html)
https://www.cisa.gov/publication/multi-factor-authentication-mfa
https://openid.net/
U.S. DEPARTMENT OF LABOR (https://www.dol.gov/)
UK govt. trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
https://www.w3.org/
Verifiable Credentials Data Model v1.1 (https://www.w3.org/TR/vc-data-model/)
https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates

INFO-TECH RESEARCH GROUP

Analyze Your Service Desk Ticket Data

Take a data-driven approach to service desk optimization.

EXECUTIVE BRIEF

Analyst Perspective

Benedict Chang Research Analyst, Infrastructure & Operations Info-Tech Research Group

Ken Weston ITIL MP, PMP, Cert.APM, SMC Research Director, Infrastructure & Operations Info-Tech Research Group

The perfect time to start analyzing your ticket data is now

Service desks improve their services by leveraging ticket data to inform their actions. However, many organizations don’t know where to start. It’s tempting to wait for perfect data, but there’s a lot of value in analyzing your ticket data as it exists today.

Start small. Track key tension metrics based on the out-of-the-box functionality in your tool. Review the metrics regularly to stay on track.

By reviewing your ticket data, you’re going to get better organically. You’re going to learn about the state of your environment, the health of your processes, and the quality of your services. Regularly analyze your data to drive improvements.

Make ticket analysis a weekly habit. Every week, you should be evaluating how the past week went. Every month, you should be looking for patterns and trends.

Executive Summary

Your Situation

Leverage your service desk ticket data to gain insights for improving your operations:

1. Use a data-based approach to allocate service desk resources.
2. Design appropriate SLOs and SLAs to better service end users.
3. Gain efficiencies for your shift-left strategy.
4. Communicate the current and future value of the service desk to the business.

Common Obstacles

Properly analyzing ticket data is challenging for the following reasons:

• Poor ticket hygiene and unclear ticket handling guidelines can lead to untrustworthy results.
• Undocumented tickets from various intake channels prevents you from seeing the whole picture.
• Service desk personnel are not sure where to start with analysis and are too busy to find time.
• Too many metrics are tracked to parse actionable insights from the noise.

Info-Tech’s Approach

Info-Tech’s approach to improvement:

• To reduce the noise, standardize your ticket data in a format that will ease analysis.
• Start with common analyses using the cleaned data set.
• Identify action items based on your ticket data.

Analyze your ticket data to help continually improve your service desk.

Slow down. Give yourself time.

Give yourself time to observe the new metrics and draw enough insights to make recommendations for improvement. Then, execute on those recommendations. Slow and steady improvement of the service desk only adds business value and will have a positive impact on customer satisfaction.

Your challenge

This research is designed to help service desk managers analyze their ticket data

Analyzing ticket data involves:

• Collecting ticket data and keeping it clean. Based on the metrics you’re analyzing, define ticket expectations and keep the data up to date.
• Showing the value of the service desk. SLAs are meaningless if they are not met consistently. The prerequisite to implementing proper SLAs is fully understanding the workload of the service desk.
• Understanding – and improving – the user experience. You cannot improve the user experience without meaningful metrics that allow you to understand the user experience. Different user groups will have different needs and different expectations of the level of service. Your metrics should reflect those needs and expectations.

36% of organizations are prioritizing ticket handling in IT for 2021 (Source: SDI, 2021)

12% of organizations are focusing directly on service desk improvement (Source: SDI, 2021)

Common obstacles

Many organizations face these barriers to analyzing their ticket data:

• Finding time to properly analyze ticket data is a challenge. Not knowing where to start can lead to not analyzing the proper data. Service desks end up either tracking too much data or not tracking the proper metrics.
• Data, even if clean, can be housed in various tools and databases. It’s difficult to aggregate data if the data is stored throughout various tools. Comparisons may also be difficult if the data sets aren’t consistent.
• Shifting left to move tickets toward self-service is difficult when there is no visibility into which tickets should be shifted left.

What your peers are saying about why they can’t start analyzing their ticket data:

• “My technicians do not consistently update and close tickets.”
• “My ITSM doesn’t have the capabilities I need to make informed decisions on shifting tickets left.”
• “My tickets are always missing data”
• “I’m constantly firefighting. I have no time for ticket data analysis.”
• “I have no idea where to start with the amount of data I have.”

Common obstacles that prevent effective ticket analysis

We asked IT service desk managers and teams about their biggest hurdles

Info-Tech’s approach

Repeat this analysis every business cycle:

• Gather Your Data
  Collect your ticket data OR start measuring the right metrics.
• Extract & Analyze
  Organize and visualize your data to extract insights
• Action the Results
  Implement low-effort improvements and celebrate quick successes.
• Implement Larger Changes
  Reference your ticket data while implementing process, tooling, and other changes.
• Communicate the Results
  Use your data to show the value of your effort.

Measure the value of this blueprint

Track these metrics as you improve

Use the data to tell you which aspects of IT need to be shifted left and which need to be automated

Your data will show you where you can improve.

As you act on your data, you should see:

• Lower costs per ticket
• Decreased average time to resolve
• Increased end-user satisfaction
• Fewer tickets escalated beyond Tier 1

See Info-Tech’s blueprint Optimize the Service Desk With a Shift-Left Strategy.

Info-Tech’s methodology for analyzing service desk tickets

Insight summary

Slow down. Give yourself time.

Give yourself time to observe the new metrics and draw enough insights to make recommendations for improvement. Then, execute on those recommendations. Slow and steady improvement of the service desk only adds business value and will have a positive impact on customer satisfaction.

Iterate on what to track rather than trying to get it right the first time.

Tracking the right data in your ticket can be challenging if you don’t know what you’re looking for. Start with standardized fields and iterate on your data analysis to figure out your gaps and needs.

If you don’t know where to go, ticket data can point you in the right direction.

If you have service desk challenges, you will need to allocate time to process improvement. However, prioritizing your initiatives is easier if you have the ticket data to point you in the right direction.

Start with data from one business cycle.

Service desks don’t need three years’ worth of data. Focus on gathering data for one business cycle (e.g. three months). That will give you enough information to start generating value.

Let the data do the talking.

Leverage the data to drive organizational and process change in your organization by tracking meaningful metrics. Choose those metrics using business-aligned goals.

Paint the whole picture.

Single metrics in isolation, even if measured over time, may not tell the whole story. Make sure you design tension metrics where necessary to get a holistic view of your service desk.

Blueprint deliverables

Blueprint benefits

IT Benefits

• Discover and implement the proper metrics to improve your service desk
• Use a data-based approach to improve your customer service and operational goals
• Increase visibility with the business and other IT departments using a structured presentation

Business Benefits

• Quicker resolutions to incidents and service requests
• Better expectations for the service desk and IT
• Better visibility into the current state, challenges, and goals of the service desk
• More effective support when contacting the service desk

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 3-4 calls over the course of 2-3 months.

What does a typical GI on this topic look like?

Phase 1

• Call #1: Scope requirements, objectives, and your specific challenges. Enter your data into the tool.

Phase 2

• Call #2: Assess the current state across the different dashboards.

Phase 3

• Call #3: Identify improvements and insights to include in the communication report.
• Call #4: Review the service desk ticket analysis report.

PHASE 1

Import Your Ticket Data

This phase will walk you through the following activities:

• 1.1.1 Define your objectives for analyzing ticket data
• 1.1.2 Identify success metrics
• 1.1.3 Import your ticket data into the tool
• 1.1.4 Update your ticket fields for future analysis

This phase involves the following participants:

• Service Desk Manager
• ITSM Manager
• Service Desk Technician

1.1.1 Define your objectives for analyzing ticket data

Input: Understanding of current service desk process and ticket routing

Output: Defined objectives for the project

Materials: Whiteboard/flip charts, Ticket Analysis Report

Participants: Service Desk Staff, Service Desk Manager, IT Director, CIO

Use the discussion questions below as a guide

1. Identify your main objective for analyzing ticket data. Use these three sample objectives as a starting point:
   • Demonstrate value to the business by improving customer service.
   • Improve service desk operations.
   • Reduce the number of recurring incidents.
2. Answer the following questions as a group:
   • What challenges do you have getting accurate data for this objective?
   • What data is missing for supporting this objective?
   • What kind of issues must be solved for us to make progress on achieving this objective?
   • What decisions are held up from a lack of data?
   • How can better ticket data help us to more effectively manage our services and operations?

Document in the Ticket Analysis Report.

1.1.2 Identify success metrics

Select metrics that will track your progress on meeting the objective identified in Activity 1.1.1.

Input: Understanding of current service desk process and ticket routing

Output: Defined objectives for the project

Materials: Whiteboard/flip charts, Ticket Analysis Report

Participants: Service Desk Manager, IT Director, CIO

Use these sample metrics as a starting point:

Document in the Ticket Analysis Report.

Inefficient ticket-handling processes lead to SLA breaches and unplanned downtime

Analyze the ticket data to catch mismanaged or lost tickets that lead to unnecessary escalations and impact business profitability

• Ticket Category – Are your tickets categorized by type of asset? By service?
• Average Ticket Times – How long does it take to resolve or fulfill tickets?
• Ticket Priority – What is the impact and urgency of the ticket?
• SLA/OLA Violations – Did we meet our SLA objectives? If not, why?
• Ticket Channel – How was the issue reported or ticket received?
• Response and Fulfillment – Did we complete first contact resolution? How many times was it transferred?
• Associated Tasks and Tickets – Is this incident associated with any other tasks like change tickets or problem tickets?

Encourage proper ticket-handling procedures to enable data quality

Ensure everyone understands the expectations and the value created from having ticket data that follows these expectations

• Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem.
• Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along within the ticket to the next technician.
• Update user of ETA if issue cannot be resolved quickly.
• Ticket templates for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.
• Update categories to reflect the actual issue and resolution.
• Reference or link to the knowledgebase article as the documented steps taken to resolve the incident.
• Validate with the client that the incident is resolved; automate this process with ticket closure after a certain time.
• Close or resolve the ticket on time.

Info-Tech Insight

Ticket handling ensures clean handovers, whether it is to higher tiers or back to the customer. When filling the ticket out with information intended for another party, ensure the information is written for their benefit and from their point of view.

Service Desk Ticket Analysis Tool overview

The Service Desk Ticket Analysis Tool will help you standardize your ticket data in a meaningful format that will allow you to apply common analyses to identify the actions you need to take to improve service desk operations

TABS 1 & 2 INSTRUCTIONS & DATA ENTRY	TAB 3 : TICKET SUMMARY TICKET SUMMARY DASHBOARDS	TABS 4 to 8: DASHBOARDS INCIDENT SERVICE REQUEST CATEGORY
Input at least three months of your exported ticket data into the corresponding columns in the tool to feed into the common analysis graphs in the other tabs.	This tab contains multiple dashboards analyzing how tickets come in, who requests them, who resolves them, and how long it takes to resolve them.	These tabs each have dashboards outlining analysis on incidents and service requests. The category tab will allow you to dive deeper on commonly reported issues.

1.1.3 Import your data into our Service Desk Ticket Analysis Tool

You can still leverage your current data, but use this opportunity to improve your service desk ticket fields down the line

Input: ITSM data log

Output: Populated Service Desk Ticket Data Analysis Tool

Materials: Whiteboard/flip charts, Service Desk Ticket Analysis Tool

Participants: Service Desk Manager, Service Desk Technicians

Start here:

• Extract your ticket data from your ITSM tool in an Excel or text format.
• Look at the fields on the data entry tab of the Service Desk Ticket Analysis Tool.
• Fill the fields with your ticket data by copying and pasting relevant sections. It is okay if you don’t have all the fields, but take note of the fields you are missing.
• With the list of the fields you are missing, run through the following activity to decide if you will need to adopt or add fields to your own service desk ticket tool.

When entering your data, pay close attention to the following fields:

• Time to Resolve: This is automatically calculated using data in the Open Date, Open Time, Close Date, and Close Time fields. You have three options for entering your data in these fields:
  1. Enter your data as the fields describe. Ensure your data contain only the field description (e.g. Open Date separated from Open Time). If your data contain Open Date AND Open Time, Excel will not show both.
  2. Enter your data only in Open Date and Close Date. If your ITSM does not separate date and time, you can keep the data in a single cell and enter it in the column. The formula in Time to Resolve will still be accurate.
  3. If your ITSM outputs Time to Resolve, overwrite the formula in the Time to Resolve column.
• SLA: If your ITSM outputs SLA fulfilled: Y/N, enter that directly into the SLA Fulfilled column.
• Blank Columns: If you do not have data for all the columns, that is okay. Continue with the following activity. Note that some stock dashboards will be empty if that is the case.
• Incidents vs. Service Requests: If you separate incidents and service requests, be sure to capture that in the SR/Incident for Tabs 4 and 5. If you do not separate the two, then you will only need to analyze Tab 3.

Use Info-Tech’s tool instead of building your own. Download the Service Desk Ticket Analysis Tool.

1.1.4 Update your ticket fields for future analysis

Input: Populated Service Desk Ticket Data Analysis Tool

Output: New ticket fields to track

Materials: Whiteboard/flip charts, Service Desk Ticket Analysis Tool

Participants: Service Desk Manager, Service Desk Technicians

As a group, pay attention to the ticket fields populated in the tool as well as the ticket fields that you were not able to populate. Use the example “Fields Captured” table to the right, which lists all fields present in the ticket analysis tool.

Discuss the following questions:

1. Consider the fields not captured. Would it be valuable to start capturing that data for future analysis?
2. If so, does your ITSM support that field?
3. Can you make the change in-house or do you have to bring in an external ITSM administrator to make the change?
4. Capture the results in the Ticket Analysis Report.

Document in the Ticket Analysis Report.

Info-Tech Insight

Don’t wait for your ticket quality to be perfect. You can still draw actions from your ticket data. They will likely be process improvements initially, but the exercise of pulling the data is a necessary first step.

Common ticket fields tracked by your peers

Which of these metrics do you track and action?

• Remember you don’t have to track every metric. Only track metrics that are actionable.

For each metric that you end up tracking:

• Look for trends over time.
• Brainstorm reasons why the metric could rise or fall.

Associate a metric with each improvement you execute.

• Performing this step will allow you to better see the value from your team’s efforts.
• It will also give you a quicker response than waiting for spikes in your data.

(Source: Info-Tech survey, 2021; N=20)

PHASE 2

Analyze Your Ticket Data

This phase will walk you through the following activities:

• 2.1.1 Review high-level ticket dashboards
• 2.2.1 Review incident, service request, and ticket category dashboards

This phase involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Visualize your ticket data as a first step to analysis

Identifying trends is easier when looking at diagrams, graphs, and figures

Start your analysis with common visuals employed by other service desk professionals

• Phase 2 will walk you through visualizing your data to get a better understanding of your ticket intake, incident management, and service request management.
• Each step will walk you through:
  • Common visualizations used by service desks
  • Patterns to look for in your visualizations
  • Actions to take to address negative patterns and to continue positive trends
• Share diagrams that underscore both the value being provided by the service desk as well as the scope of the pain points. Use Info-Tech’s Ticket Analysis Report template as a starting point.

“Being able to tell stories with data is a skill that’s becoming ever more important in our world of increasing data and desire for data-driven decision making. An effective data visualization can mean the difference between success and failure when it comes to communicating the findings of your study, raising money for your nonprofit, presenting to your board, or simply getting your point across to your audience.” - Cole Knaflic, Founder and CEO, Storytelling with Data: A Data Visualization Guide for Business Professionals

Use the detailed dashboards to determine the next steps for improvement

A single number doesn’t tell the whole picture

Analyze trends over time:

• Analyze trends by day, by week, by month, and by year to determine:
  • When are the busy periods? (E.g. Do tickets tend to spike every morning, every Monday, or every September?)
  • When are the slow periods? (E.g. Do tickets drop at the end of the day, at midday, on Fridays, or over the summer?)
• Are spikes or drops in volume consistent trends or one-time anomalies?

Then build a plan to address them:

• How will you handle volume spikes, if they’re consistent?
• What can your resources work on during slow times, if they are consistent?
• If you assume no shrinkage, can you handle the peaks in volume if you make all FTEs available to work on tickets at a certain time of day?

Look for seasonal trends. In this example, we see high ticket volumes in May and January, with lower ticket volumes in June and July when many staff are taking holidays. However, also be careful to look at the big picture of how you pulled the data. August through October sees a high volume of open tickets because the data set is pulled in November, not because there’s a seasonal spike on tickets not closing at the end of the fiscal year.

Track ticket data over time

Make low-effort adjustments before major changes

Don’t rush to a decision based off the first numbers you see

Review ticket summary dashboard

Ideally, you should track ticket patterns over an entire year to get a full sense of trends within each month of the year. At minimum, track for 30 days, then 60, then 90, and see if anything changes. The longer you can track ticket patterns, the more accurate your picture will be.

Review additional dashboards

If you separate incidents and service requests, and you have accurate ticket categories, then you can use these dashboards to further break down the data to identify ticket trends.

The output of the ticket analysis will only be as accurate as its input.
To get the most accurate results, first ensure your data is accurate, then analyze it over as much time as possible. Aggregating with accurate data will give you a better picture of the trends in demand that your service desk sees.

Not separating incidents and service requests? Need to fix your ticket categories? Visit Standardize the Service Desk to get started.

Analyze incidents and requests separately

Each type has its own set of customer experiences and expectations

• Different ticket types are associated with radically different prioritization, routing, and service levels. For instance, most incidents are resolved within a business day, but requests take longer to implement.
• If you fail to distinguish between ticket types, your metrics will obscure service desk performance.
• From a ticket analysis standpoint, separating ticket types prior to analysis or, better yet, at intake allows for cleaner data. In turn, this means more structured analyses, better insights, and more meaningful actions. Not separating ticket types may still get you to the same conclusions, but it will be much more difficult to sift through the data.

Incident

An unanticipated interruption of a service.
The goal of incident management is to restore the service as soon as possible, even if the resolution involves a workaround.

Request

A generic description for a small change or service access.
Requests are small, frequent, and low risk. They are best handled by a process distinct from incident, change, and project management.

Not separating incidents and service requests? Need to fix your ticket categories? Visit Standardize the Service Desk to get started.

Step 2.1

Analyze Your High-Level Ticket Data

Dashboards

• Ticket Volume
• Ticket Intake
• Ticket Handling and Resolution
• Ticket Categorization

This step will walk you through the following activities:

Visualize the current state of your service desk.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Build your metrics baseline to compare with future metric results.

Dashboards: Ticket Volume

Analyze your data for insights

• Analyze volume trends by day, by week, by month, and by year to determine:
  • When are the busy periods? (E.g. Do tickets tend to spike every morning, every Monday, or every September?)
  • When are slow periods? (E.g. Do tickets drop at the end of the day, at midday, on Fridays, or over the summer?)
• Are spikes or drops in volume consistent trends or one-time anomalies?
• What can your resources be working on during slow times? Are you able to address ticket backlog?

Dashboards: Ticket Intake

Analyze your data for insights

• Determine how to drive intake to the most appropriate solution for your organization:
  • A web portal is the most efficient intake method, but it must be user friendly to increase its adoption.
  • The phone should be available for urgent requests or incidents. Encourage those who call with a request to submit a ticket through the portal.
  • Discourage use of email if it is unstructured, as users don’t provide enough detail, and often two or three transactions are required for triage.
  • If walk-ups are encouraged, structure and formalize the support so it can be resourced and managed rather than interrupt-driven.

Dashboard: Ticket Handling and Resolution

Analyze your data for insights

• Look at your ticket load by technician and by tier. This is an essential step to set your baseline to measure your shift-left initiatives. If you are focusing on self-service or Tier 1 training, the ticket load from higher tiers should decrease over time.
• If Tiers 2 and 3 are handling the majority of the tickets, this could be a red flag indicating tickets are inappropriately escalated or Tier 1 could use more training and support.
• For average time to resolve and average time to resolve by tier, are you meeting your SLAs? If not, are your SLAs too aggressive? Are tickets left open and not properly closed?

Dashboard: Ticket Categorization

Analyze your data for insights

• Ticket categorization is critical to clean data. Having a categorization scheme with categories that are miscellaneous, too specific, or too general easily leads to inaccurate reporting or confusing workflows for technicians.
• When looking at your ticket categories, first look for duplicate categories that could be collapsed into one.
• Also look at your top five to seven categories and see if they make sense. Are these good candidates in your organization for automation or shift-left?
• Compare your Tier 1 categories. The level of specificity for these categories should be comparable to easily run reports. If they are not, assess the need for a category redesign.

Step 2.2

Analyze Incidents, Service Requests, and Ticket Categories

Dashboards

• Incidents
• Service Requests
• Volume by Ticket Category
• Resolution Times by Priority and/or Category
• Tabs for More Granular Investigation and Reporting

This step will walk you through the following activities:

Visualize your incident and service request ticket load and analyze trends. Use this information and cross reference data sets to gain a holistic view of how the service desk interacts with IT and the business.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Gain actionable, data-driven improvements based on your incident and service request data. Show the value of the service desk and highlight improvements needed.

Incident and Service Requests Dashboard: Priority and SLA

Analyze your data for insights

• Your ticket priority distribution for overall load and time to resolve (TTR) should look something like above with low-priority tickets having higher load and TTR and high/critical-priority tickets having a lower load and lower TTR. If it is reversed, that is a good indication that the service desk is too reactive or isn’t properly prioritizing its work.
• If your SLA has a high failure rate, consider reassessing your targets with SLOs that you can meet before publishing them as achievable SLAs.

Incident and Service Requests Dashboard: Priority and SLA

Analyze your data for insights

• Examine your ticket handling by looking at ticket status and resolution codes.
  • If you have a lot of blanks, then tickets are not properly handled. Consider reinforcing your standards for close codes and statuses.
  • Alternatively, if tickets are left open, you may have to build follow-ups on stale tickets into your process or introduce proper auto-close processes.

Category, Resolution Time, and Resolution Code Dashboards

These PivotCharts allow you to dig deeper

Investigate whether there are trends in ticket volume and resolution times within specific categories and subcategories

Tab 6, Category Dashboard; tab 7, Resolution Time Dashboard; and tab 8, Resolution Code Dashboard are PivotCharts. Use these tabs to investigate whether there are trends in ticket volume, resolution times, and resolution codes within specific categories and subcategories.

Start with the charts that are available. The +/- buttons will allow you to show more granular information. By default, this granularity will be into the levels of the ticket categorization scheme.

For most categorization schemes, there will be too many categories to properly graph. You can apply a filter to investigate specific categories by clicking on the drop-down buttons.

Use these tabs for more granular investigation and reporting

TAB 6 CATEGORY DASHBOARD	TAB 7 RESOLUTION TIME DASHBOARD	TAB 8 RESOLUTION TIME DASHBOARD
Investigate ticket distributions in first, second, and third levels. Are certain categories overcrowded, suggesting they can be split? Are certain categories not being used?	Do average resolution times match your service level agreements? Do certain categories have significantly different resolution times? Are there areas that can benefit from shift-left?	Are resolution codes being accurately used? Are there trends in resolution codes? Are these codes providing sufficient information for problem management?

PHASE 3

Communicate Your Insights

This phase will walk you through the following activities:

• 3.1.1 Review common recommendations
• 3.2.1 Review ticket reports daily
• 3.2.2 Incorporate ticket data into retrospectives and team updates
• 3.2.3 Regularly review trends with business leaders
• 3.2.4 Tell a story with your data

This phase involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Step 3.1

Build Recommendations Based on Your Ticket Data

Activities

• 3.1.1 Review common recommendations

This step will walk you through the following activities:

Review common recommendations as a first step to extracting insights from your own data.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians

Outcomes of this step

You will gain an understanding of the common challenges with service desks and ticket analysis in general. See which ones apply to you to inform your ticket data analysis moving forward.

Review these common recommendations

1. Fix your ticket categories
   Organize your ticket categorization scheme for proper routing and reporting.
2. Focus more on self-service
   Self-service is essential to enable shift-left strategies. Focus on knowledgebase processes and portal ease of use.
3. Update your service catalog
   Improve your service catalog, if necessary, to make it easy for end users to request services and for the service desk to provide those services.
4. Direct volume toward other channels
   Walk-ups make it more difficult to properly log tickets and assign service desk resources. Drive volume to other channels to improve your ticket quality.
5. Crosstrain Tier 1 on certain topics
   Tier 1 breadth of knowledge is essential to drive up first contact resolution.
6. Build more automation
   Identify bottlenecks and challenges with your ticket data to streamline ticket handling and resolution.
7. Revisit service level agreements
   Update your SLAs and/or SLOs to prioritize expectation management for your end users.
8. Improve your data quality
   You can only analyze data that exists. Revisit your ticket-handling guidelines and more regularly check tickets to ensure they comply with those standards.

Optimize your processes and look for opportunities for automation

Leverage Info-Tech research to improve service desk processes

Review your service desk processes and tools for optimization opportunities:

• Clearly establish ticket-handling guidelines.
• Use ticket templates to reduce time spent entering tickets.
• Document incident management and service request fulfillment workflows and eliminate any unnecessary steps.
• Automate manual tasks wherever possible.
• Build or improve a self-service portal with a knowledgebase to allow users to resolve their own issues, reducing incoming ticket volume to the service desk.
• Optimize your internal knowledgebase to reduce time spent troubleshooting recurring issues.
• Leverage AI capabilities to speed up ticket processing and resolution.

Standardize the Service Desk

This project will help you build and improve essential service desk processes, including incident management, request fulfillment, and knowledge management.

Optimize the Service Desk With a Shift-Left Strategy

This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

Step 3.2

Action and Communicate Your Ticket Data

Activities

• 3.2.1 Review your ticket queues daily
• 3.2.2 Incorporate ticket data into retrospectives and team status updates
• 3.2.3 Regularly review trends with business leaders
• 3.2.4 Tell a story with your data

This step will walk you through the following activities:

Organize your scrums to report on the metrics that will inform daily and monthly operations.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Use the dashboards and data to inform your daily and monthly scrums.

3.2.1 Review your ticket queues daily

Clean data is still useless if not used properly

• The metrics you’ve chosen to measure and visualize in the previous step are useful for informing your day-to-day, week-to-week, and month-to-month strategies for the service desk and IT. Conduct scrums daily to action your dashboard data to help clear ticket queues.
• Reference your dashboards daily with each IT team.
• You need to have a dashboard of open tickets assigned to each team.

Review Daily

• Ticket volume over the last day (look for spikes)
• SLA breach risks/SLA breaches
• Recurring incidents
• Tickets open
• Tickets handed over (confirmation of handover)

3.2.2 Incorporate ticket data into retrospectives and team status updates

Explain your metric spikes and trends

• Hold weekly or monthly meetings to review the ticket trends selected during Phases 1 and 2 of this blueprint.
• Review ticket spikes, identify seasonal trends, and discuss root causes (e.g. projects/changes going live, onboarding blitz).
• Discuss any actions associated with spikes and seasonal trends (e.g. resource allocation, hiring, training).
• You can incorporate other IT leaders or departments in this meeting as needed to discuss action items for improvement, quality assurance concerns, customer service concerns, and/or operating level agreement concerns.

Review Weekly/Monthly

• Ticket volume
• Ticket category by priority level over time
• Tickets from different business groups, VIP groups, and different vertical levels
• Tickets escalated, tickets that didn’t need to be escalated, tickets that were incorrectly escalated
• Ticket priority levels over time
• Most requested services
• Tickets resolved by which group over time
• Ability to meet SLAs and OLAs over time by different groups

3.2.3 Regularly review trends with business leaders

Use your data to help improve business relationships

Review the following with business leaders:

• Volume of work done this past time cycle for the leader’s group
• Trends and spikes in the data and possible explanations for them (note: get their input on the potential causes of trends)
• Improvements you plan to execute within the service desk
• Action items you need from the business leader

Use your data to show the value you provide to the group. Schedule quarterly meetings with the heads of different business groups to discuss the work that the service desk does for each group.

Show trends in incidents and service requests: “I see you have a spike in CRM tickets. I’ve been working with the CRM team to address this issue.”

3.2.4 Tell a story with your data

Effectively communicate with the business and leadership

• With your visualized metrics, organize your story into a presentation for different stakeholder groups. You can use the Ticket Analysis Report as a starting point to provide data about:
  • Value provided by the service desk
  • Successes
  • Opportunities for Improvements
  • Current state of KPIs
• Include information about the causes of data trends and actions you will take in response to the data.
• For each of these themes, look at the metrics you’ve chosen to track and see which ones fit to tell the story. Let the data do the talking.
• Consider supplementing the ticket data with data from other systems. For example, you can include data on transactional customer satisfaction surveys, knowledgebase utilization, and self-service utilization.

Download the Ticket Analysis Report.

Ticket Analysis Report

Include the following information as you build your ticket analysis report:

• Value Provided by the Service Desk
  Start with the value provided by the service desk to different areas of the business. Include information about first contact resolution, average resolution times, ticket volume (e.g. by category, priority, location, requestor).
• Successes
  Successes is a general field that can include how process improvements have impacted the service desk or how initiatives have enhanced shift-left opportunities. Highlight any positive trends over time.
• Opportunities for Improvement
  Let the data guide the conversation to where improvements can be made. Day-to-day ops, self-service tools, shifting work left from Tier 2, Tier 3, standardizing a non-standard service, and staffing adjustments are possibilities for this section.
• Current State of KPIs
  Mean time to resolve, FCR, ticket volume, and end-user satisfaction are great KPIs to include as a starting point.

Download the Ticket Analysis Report.

Summary of Accomplishment

Problem Solved

You now have a better understanding of how to action your service desk ticket data, including improvements to your current ticket templates for incidents and service requests.

You also have the data to craft a story to different stakeholder groups to celebrate the successes of the service desk and highlight possible improvements. Continue this exercise iteratively to continue improving the service desk.

Remember, ticket analysis is not a single event but an ongoing initiative. As you track, analyze, and action more data, you will find more improvements.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Analyze your dashboards An analyst will walk through the ticket data and dashboards with you and your team to help interpret the data and tailor improvements	Populate your ticket data report Given the action items from this solution set, an analyst will help you craft a report to celebrate the successes and highlight needed improvements in the service desk.

Related Info-Tech Research

Optimize the Service Desk With a Shift-Left Strategy

The best type of service desk ticket is the one that doesn’t exist.

Incident & Problem Management

Don’t let persistent problems govern your department.

Design & Build a User-Facing Service Catalog

Improve user satisfaction with IT with a convenient menu-like catalog.

Bibliography

Bayes, Scarlett. “ITSM: 2021 & Beyond.” Service Desk Institute, 2021. Web.

“Benchmarking Report v.9.” Service Desk Institute, 17 Jan. 2020. Web.

Bennett, Micah. “The 9 Help Desk Metrics That Should Guide Your Customer Support.” Zapier, 3 Dec. 2015. Web.

“Global State of Customer Service: The transformation of customer service from 2015 to present day.” Microsoft Dynamics 365, Microsoft, 2020. Web.

Goodey, Ben. “How to Manually Analyze Support Tickets.” SentiSum, 26 July 2021. Web.

Jadhav, Megha. “Four Metrics to Analyze When Using Ticketing Software.” Vision Helpdesk Blog, 21 Mar. 2016. Web.

Knaflic, Cole Nussbaumer. Storytelling with Data: A Data Visualization Guide for Business Professionals. Wiley, 2015.

Li, Ta Hsin, et al. “Incident Ticket Analytics for IT Application Management Services.” 2014 IEEE International Conference on Services Computing, 2014. Web.

Olson, Sarah. “10 Help Desk Metrics for Service Desks and Internal Help Desks.” Zendesk Blog, Sept. 2021. Web.

Paramesh, S.P., et al. “Classifying the Unstructured IT Service Desk Tickets Using Ensemble of Classifiers.” 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), 2018. Web.

Volini, Erica, et al. “2021 Global Human Capital Trends: Special Report.” Deloitte Insights, 21 July 2021. Web.

“What Kind of Analysis You Can Perform on a Ticket Management System.” Commence, 3 Dec. 2019. Web.

INFO-TECH RESEARCH GROUP

Prepare for Post-Quantum Cryptography

It is closer than you think, and you need to act now.

Analyst Perspective

It is closer than you think, and you need to act now.

The quantum realm presents itself as a peculiar and captivating domain, shedding light on enigmas within our world while pushing the boundaries of computational capabilities. The widespread availability of quantum computers is expected to occur sooner than anticipated. This emerging technology holds the potential to tackle valuable problems that even the most powerful classical supercomputers will never be able to solve. Quantum computers possess the ability to operate millions of times faster than their current counterparts.

As we venture further into the era of quantum mechanics, organizations relying on encryption must contemplate a future where these methods no longer suffice as effective safeguards. The astounding speed and power of quantum machines have the potential to render many existing security measures utterly ineffective, including the most robust encryption techniques used today. To illustrate, a task that currently takes ten years to crack through a brute force attack could be accomplished by a quantum computer in under five minutes.

Amid this transition into a quantum future, the utmost priority for organizations remains data security, particularly safeguarding sensitive information. Organizations must proactively prepare for the development of countermeasures and essential resilience measures to attain a state of being "quantum safe."

Alan Tang
Principal Research Director, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Anticipated advancements in fault-tolerant quantum computers, surpassing existing encryption algorithms and cryptographic systems, are expected to materialize sooner than previously projected. The timeframe for their availability is diminishing daily.
• Data that is presently deemed secure faces potential vulnerability due to the emergence of harvest-now-decrypt-later strategies.
• Numerous contemporary security controls, including the most robust encryption techniques, have become obsolete and offer little efficacy.

Common Obstacles

• The complexity involved makes it challenging for organizations to incorporate quantum-resistant cryptography into their current IT infrastructure.
• The endeavor of transitioning to quantum-resilient cryptography demands significant effort and time, with the specific requirements varying for each organization.
• A lack of comprehensive understanding regarding the cryptographic technologies employed in existing IT systems poses difficulties in identifying and prioritizing systems for upgrading to post-quantum cryptography.

Info-Tech's Approach

• The development of quantum-resistant cryptography capabilities is essential for safeguarding the security and integrity of critical applications.
• Organizations must proactively initiate their transition toward quantum-resistant encryption to ensure data protection.
• Ensuring the security of corporate data assets should be of utmost importance for organizations, with special emphasis on those possessing highly critical information in light of the advancements in quantum technology.

Info-Tech Insight

The advent of quantum computing (QC) is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

Evolvement of QC theory and technologies

Info-Tech Insight

The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.

Fundamental physical principles and business use cases

Unlike conventional computers that rely on bits, quantum computers use quantum bits or qubits. QC technology surpasses the limitations of current processing powers. By leveraging the properties of superposition, interference, and entanglement, quantum computers have the capacity to simultaneously process millions of operations, thereby surpassing the capabilities of today's most advanced supercomputers.

A 2021 Hyperion Research survey of over 400 key decision makers in North America, Europe, South Korea, and Japan showed nearly 70% of companies have some form of in-house QC program.

Three fundamental QC physical principles

1. Superposition
2. Interference
3. Entanglement

Info-Tech Insight

Organizations need to reap the substantial benefits of QC's power, while simultaneously shielding against the same technologies when used by cyber adversaries.

Percentage of Surveyed Companies That Have QC Programs

• 31% Have some form of in-house QC program
• 69% Have no QC program

Early adopters and business value

QC early adopters see the promise of QC for a wide range of computational workloads, including machine learning applications, finance-oriented optimization, and logistics/supply chain management.

Info-Tech Insight

Experienced attackers are likely to be the early adopters of quantum-enabled cryptographic solutions, harnessing the power of QC to exploit vulnerabilities in today's encryption methods. The risks are particularly high for industries that rely on critical infrastructure.

The need of quantum-safe solution is immediate

Critical components of classical cryptography will be at risk, potentially leading to the exposure of confidential and sensitive information to the general public. Business, technology, and security leaders are confronted with an immediate imperative to formulate a quantum-safe strategy and establish a roadmap without delay.

Case Study – Google, 2019

In 2019, Google claimed that "Our Sycamore processor takes about 200 seconds to sample one instance of a quantum circuit a million times—our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years."
Source: Nature, 2019

Why You Should Start Preparation Now

• The complexity with integrating QC technology into existing IT infrastructure.
• The effort to upgrade to quantum-resilient cryptography will be significant.
• The amount of time remaining will decrease every day.

Case Study – Development in China, 2020

On December 3, 2020, a team of Chinese researchers claim to have achieved quantum supremacy, using a photonic peak 76-qubit system (43 average) known as Jiuzhang, which performed calculations at 100 trillion times the speed of classical supercomputers.
Source: science.org, 2020

Info-Tech Insight

The emergence of QC brings forth cybersecurity threats. It is an opportunity to regroup, reassess, and revamp our approaches to cybersecurity.

Security threats posed by QC

Quantum computers have reached a level of advancement where even highly intricate calculations, such as factoring large numbers into their primes, which serve as the foundation for RSA encryption and other algorithms, can be solved within minutes.

Threat to data confidentiality

QC could lead to unauthorized decryption of confidential data in the future. Data confidentiality breaches also impact improperly disposed encrypted storage media.

Threat to authentication protocols and digital governance

A recovered private key, which is derived from a public key, can be used through remote control to fraudulently authenticate a critical system.

Threat to data integrity

Cybercriminals can use QC technology to recover private keys and manipulate digital documents and their digital signatures.

Example:

Consider RSA-2048, a widely used public-key cryptosystem that facilitates secure data transmission. In a 2021 survey, a majority of leading authorities believed that RSA-2048 could be cracked by quantum computers within a mere 24 hours.
Source: Quantum-Readiness Working Group, 2022

Info-Tech Insight

The development of quantum-safe cryptography capabilities is of utmost importance in ensuring the security and integrity of critical applications' data.

US Quantum Computing Cybersecurity Preparedness Act

The US Congress considers cryptography essential for the national security of the US and the functioning of the US economy. The Quantum Computing Cybersecurity Preparedness Act was introduced on April 18, 2022, and became a public law (No: 117-260) on December 21, 2022.

Purpose

The purpose of this Act is to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography, and for other purposes.

Scope and Exemption

• Scope: Systems of government agencies.
• Exemption: This Act shall not apply to any national security system.

"It is the sense of Congress that (1) a strategy for the migration of information technology of the Federal Government to post-quantum cryptography is needed; and (2) the government wide and industry-wide approach to post- quantum cryptography should prioritize developing applications, hardware intellectual property, and software that can be easily updated to support cryptographic agility." – Quantum Computing Cybersecurity Preparedness Act

The development of post-quantum encryption

Since 2016, the National Institute of Standards and Technology (NIST) has been actively engaged in the development of post-quantum encryption standards. The objective is to identify and establish standardized cryptographic algorithms that can withstand attacks from quantum computers.

NIST QC Initiative Key Milestones

Four Selected Candidates to be Standardized

NIST recommends two primary algorithms to be implemented for most use cases: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes FALCON and SPHINCS+ will also be standardized.

Info-Tech Insight

There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.

Prepare for post-quantum cryptography

The advent of QC is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

Insight summary

Overarching Insight

The advent of QC is closer than you think as some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.

Business Impact Is High

The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.

It's a Collaborative Effort

Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a Chief Information Security Officer (CISO) alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.

Leverage Industry Standards

There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.

Take a Holistic Approach

The advent of QC poses threats to cybersecurity. It's a time to regroup, reassess, and revamp.

Blueprint benefits

Info-Tech Project Value

Get prepared for a post-quantum world

The advent of sufficiently powerful quantum computers poses a risk of compromising or weakening traditional forms of asymmetric and symmetric cryptography. To safeguard data security and integrity for critical applications, it is imperative to undertake substantial efforts in migrating an organization's cryptographic systems to post-quantum encryption. The development of quantum-safe cryptography capabilities is crucial in this regard.

Phase 1 - Prepare

• Obtain buy-in from leadership team.
• Educate your workforce about the upcoming transition.
• Create defined projects to reduce risks and improve crypto-agility.

Phase 2 - Discover

• Determine the extent of your exposed data, systems, and applications.
• Establish an inventory of classical cryptographic use cases.

Phase 3 - Assess

• Assess the security and data protection risks posed by QC.
• Assess the readiness of transforming existing classical cryptography to quantum-resilience solutions.

Phase 4 - Prioritize

• Prioritize transformation plan based on criteria such as business impact, near-term technical feasibility, and effort, etc.
• Establish a roadmap.

Phase 5 - Mitigate

• Implement post-quantum mitigations.
• Decommissioning old technology that will become unsupported upon publication of the new standard.
• Validating and testing products that incorporate the new standard.

Phase 1 – Prepare: Protect data assets in the post-quantum era

The rise of sufficiently powerful quantum computers has the potential to compromise or weaken conventional asymmetric and symmetric cryptography methods. In anticipation of a quantum-safe future, it is essential to prioritize crypto-agility. Consequently, organizations should undertake specific tasks both presently and in the future to adequately prepare for forthcoming quantum threats and the accompanying transformations.

Quantum-resistance preparations must address two different needs:

Reinforce digital transformation initiatives

To thrive in the digital landscape, organizations must strengthen their digital transformation initiatives by embracing emerging technologies and novel business practices. The transition to quantum-safe encryption presents a unique opportunity for transformation, allowing the integration of these capabilities to evolve business transactions and relationships in innovative ways.

Protect data assets in the post-quantum era

Organizations should prioritize supporting remediation efforts aimed at ensuring the quantum safety of existing data assets and services. The implementation of crypto-agility enables organizations to respond promptly to cryptographic vulnerabilities and adapt to future changes in cryptographic standards. This proactive approach is crucial, as the need for quantum-safe measures existed even before the complexities posed by QC emerged.

Preparation for the post-quantum world has been recommended by the US government and other national bodies since 2016.

In 2016, NIST, the National Security Agency (NSA), and Central Security Service stated in their Commercial National Security Algorithm Suite and QC FAQ: "NSA believes the time is now right [to start preparing for the post-quantum world] — consistent with advances in quantum computing."
Source: Cloud Security Alliance, 2021

Phase 1 – Prepare: Key tasks

Preparing for quantum-resistant cryptography goes beyond simply acquiring knowledge and conducting experiments in QC. It is vital for senior management to receive comprehensive guidance on the challenges, risks, and potential mitigations associated with the post-quantum landscape. Quantum and post-quantum education should be tailored to individuals based on their specific roles and the impact of post-quantum mitigations on their responsibilities. This customized approach ensures that individuals are equipped with the necessary knowledge and skills relevant to their respective roles.

Leadership Buy-In

• Get senior management commitment to post-quantum project.
• Determine the extent of exposed data, systems, and applications.
• Identify near-term, achievable cryptographic maturity goals, creating defined projects to reduce risks and improve crypto-agility.

Roles and Responsibilities

• The ownership should be clearly defined regarding the quantum-resistant cryptography program.
• This should be a cross-functional team within which members represent various business units.

Awareness and Education

• Senior management needs to understand the strategic threat to the organization and needs to adequately address the cybersecurity risk in a timely fashion.
• Educate your workforce about the upcoming transition. All training and education should seek to achieve awareness of the following items with the appropriate stakeholders.

Info-Tech Insight

Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a CISO alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.

Phase 2 – Discover: Establish a data protection inventory

During the discovery phase, it is crucial to locate and identify any critical data and devices that may require post-quantum protection. This step enables organizations to understand the algorithms in use and their specific locations. By conducting this thorough assessment, organizations gain valuable insights into their existing infrastructure and cryptographic systems, facilitating the implementation of appropriate post-quantum security measures.

Inventory Core Components

1. Description of devices and/or data
2. Location of all sensitive data and devices
3. Criticality of the data
4. How long the data or devices need to be protected
5. Effective cryptography in use and cryptographic type
6. Data protection systems currently in place
7. Current key size and maximum key size
8. Vendor support timeline
9. Post-quantum protection readiness

Key Things to Consider

• The accuracy and thoroughness of the discovery phase are critical factors that contribute to the success of a post-quantum project.
• It is advisable to conduct this discovery phase comprehensively across all aspects, not solely limited to public-key algorithms.
• Performing a data protection inventory can be a time-consuming and challenging phase of the project. Breaking it down into smaller subtasks can help facilitate the process.
• Identifying all information can be particularly challenging since data is typically scattered throughout an organization. One approach to begin this identification process is by determining the inputs and outputs of data for each department and team within the organization.
• To ensure accountability and effectiveness, it is recommended to assign a designated individual as the ultimate owner of the data protection inventory task. This person should have the necessary responsibilities and authority to successfully accomplish the task.

Phase 3 – Assess: The workflow

Quantum risk assessment entails evaluating the potential consequences of QC on existing security measures and devising strategies to mitigate these risks. This process involves analyzing the susceptibility of current systems to attacks by quantum computers and identifying robust security measures that can withstand QC threats.

Risk Assessment Workflow

By identifying the security gaps that will arise with the advent of QC, organizations can gain insight into the substantial vulnerabilities that core business operations will face when QC becomes a prevalent reality. This proactive understanding enables organizations to prepare and implement appropriate measures to address these vulnerabilities in a timely manner.

Phase 4 – Prioritize: Balance business value, security risks, and effort

Organizations need to prioritize the mitigation initiatives based on various factors such as business value, level of security risk, and the effort needed to implement the mitigation controls. In the diagram below, the size of the circle reflects the degree of effort. The bigger the size, the more effort is needed.

QC Adopters Anticipated Annual Budgets

Source: Hyperion Research, 2022

Hyperion's survey found that the range of expected budget varies widely.

• The most selected option, albeit by only 38% of respondents, was US$5 million to US$15 million.
• About one-third of respondents foresaw annual budgets that exceeded US$15 million, and one-fifth expected budgets to exceed US$25 million.

Build your risk mitigation roadmap

2 hours

1. Review the quantum-resistance initiatives generated in Phase 3 – Assessment.
2. With input from all stakeholders, prioritize the initiatives based on business value, security risks, and effort using the 2x2 grid.
3. Review the position of all initiatives and adjust accordingly considering other factors such as dependency, etc.
4. Place prioritized initiatives to a wave chart.
5. Assign ownership and target timeline for each initiative.

Input

• Data protection inventory created in phase 2
• Risk assessment produced in phase 3
• Business unit leaders' and champions' understanding (high-level) of challenges posed by QC

Output

• Prioritization of quantum-resistance initiatives

Materials

• Whiteboard/flip charts
• Sticky notes
• Pen/whiteboard markers

Participants

• Quantum-resistance program owner
• Senior leadership team
• Business unit heads
• Chief security officer
• Chief privacy officer
• Chief information officer
• Representatives from legal, risk, and governance

Phase 5 – Mitigate: Implement quantum-resistant encryption solutions

To safeguard against cybersecurity risks and threats posed by powerful quantum computers, organizations need to adopt a robust defense-in-depth approach. This entails implementing a combination of well-defined policies, effective technical defenses, and comprehensive education initiatives. Organizations may need to consider implementing new cryptographic algorithms or upgrading existing protocols to incorporate post-quantum encryption methods. The selection and deployment of these measures should be cost-justified and tailored to meet the specific needs and risk profiles of each organization.

Governance

Implement solid governance mechanisms to promote visibility and to help ensure consistency

• Update policies and documents
• Update existing acceptable cryptography standards
• Update security and privacy audit programs

Industry Standards

• Stay up to date with newly approved standards
• Leverage industry standards (i.e. NIST's post-quantum cryptography) and test the new quantum-safe cryptographic algorithms

Technical Mitigations

Each type of quantum threat can be mitigated using one or more known defenses.

• Physical isolation
• Replacing quantum-susceptible cryptography with quantum-resistant cryptography
• Using QKD
• Using quantum random number generators
• Increasing symmetric key sizes
• Using hybrid solutions
• Using quantum-enabled defenses

Vendor Management

• Work with key vendors on a common approach to quantum-safe governance
• Assess vendors for possible inclusion in your organization's roadmap
• Create acquisition policies regarding quantum-safe cryptography

Research Contributors and Experts

Adib Ghubril
Executive Advisor, Executive Services
Info-Tech Research Group

Erik Avakian
Technical Counselor
Info-Tech Research Group

Alaisdar Graham
Executive Counselor
Info-Tech Research Group

Carlos Rivera
Principal Research Advisor
Info-Tech Research Group

Hendra Hendrawan
Technical Counselor
Info-Tech Research Group

Fritz Jean-Louis
Principal Cybersecurity Advisor
Info-Tech Research Group

Bibliography

117th Congress (2021-2022). H.R.7535 - Quantum Computing Cybersecurity Preparedness Act. congress.gov, 21 Dec 2022.
Arute, Frank, et al. Quantum supremacy using a programmable superconducting processor. Nature, 23 Oct 2019.
Bernhardt, Chris. Quantum Computing for Everyone. The MIT Press, 2019.
Bob Sorensen. Quantum Computing Early Adopters: Strong Prospects For Future QC Use Case Impact. Hyperion Research, Nov 2022.
Candelon, François, et al. The U.S., China, and Europe are ramping up a quantum computing arms race. Here's what they'll need to do to win. Fortune, 2 Sept 2022.
Curioni, Alessandro. How quantum-safe cryptography will ensure a secure computing future. World Economic Forum, 6 July 2022.
Davis, Mel. Toxic Substance Exposure Requires Record Retention for 30 Years. Alert presented by CalChamber, 18 Feb 2022.
Eddins, Andrew, et al. Doubling the size of quantum simulators by entanglement forging. arXiv, 22 April 2021.
Gambetta, Jay. Expanding the IBM Quantum roadmap to anticipate the future of quantum-centric supercomputing. IBM Research Blog, 10 May 2022.
Golden, Deborah, et al. Solutions for navigating uncertainty and achieving resilience in the quantum era. Deloitte, 2023.
Grimes, Roger, et al. Practical Preparations for the Post-Quantum World. Cloud Security Alliance, 19 Oct 2021.
Harishankar, Ray, et al. Security in the quantum computing era. IBM Institute for Business Value, 2023.
Hayat, Zia. Digital trust: How to unleash the trillion-dollar opportunity for our global economy. World Economic Forum, 17 Aug 2022.
Mateen, Abdul. What is post-quantum cryptography? Educative, 2023.
Moody, Dustin. Let's Get Ready to Rumble—The NIST PQC 'Competition.' NIST, 11 Oct 2022.
Mosca, Michele, Dr. and Dr. Marco Piani. 2021 Quantum Threat Timeline Report. Global Risk Institute, 24 Jan 2022.
Muppidi, Sridhar and Walid Rjaibi. Transitioning to Quantum-Safe Encryption. Security Intelligence, 8 Dec 2022.
Payraudeau, Jean-Stéphane, et al. Digital acceleration: Top technologies driving growth in a time of crisis. IBM Institute for Business Value, Nov 2020.
Quantum-Readiness Working Group (QRWG). Canadian National Quantum-Readiness- Best Practices and Guidelines. Canadian Forum for Digital Infrastructure Resilience (CFDIR), 17 June 2022.
Rotman, David. We're not prepared for the end of Moore's Law. MIT Technology Review, 24 Feb 2020.
Saidi, Susan. Calculating a computing revolution. Roland Berger, 2018.
Shorter., Ted. Why Companies Must Act Now To Prepare For Post-Quantum Cryptography. Forbes.com, 11 Feb 2022.
Sieger, Lucy, et al. The Quantum Decade, Third edition. IBM, 2022.
Sorensen, Bob. Broad Interest in Quantum Computing as a Driver of Commercial Success. Hyperion Research, 17 Nov 2021.
Wise, Jason. How Much Data is Created Every Day in 2022? Earthweb, 22 Sept 2022.
Wright, Lawrence. The Plague Year. The New Yorker, 28 Dec 2020.
Yan, Bao, et al. Factoring integers with sublinear resources on a superconducting quantum processor. arXiv, 23 Dec 2022.
Zhong, Han-Sen, et al. Quantum computational advantage using photons. science.org, 3 Dec 2020.

Develop Infrastructure & Operations Policies and Procedures

Document what you need to document and forget the rest.

Table of contents

Project Rationale

Project Outlines

• Phase 1: Identify Policy and Procedure Gaps
• Phase 2: Develop Policies
• Phase 3: Document Effective Procedures

Bibliography

ANALYST PERSPECTIVE

Document what you need to document now and forget the rest.

Our understanding of the problem

This Research Is Designed For:

• Infrastructure Managers
• Chief Technology Officers
• IT Security Managers

This Research Will Help You:

• Address policy gaps
• Develop effective procedures and procedure documentation to support policy compliance

This Research Will Also Assist:

• Chief Information Officers
• Enterprise Risk and Compliance Officers
• Chief Human Resources Officers
• Systems Administrators and Engineers

This Research Will Help Them:

• Understand the importance of a coherent approach to policy development
• Understand the importance of Infrastructure & Operations policies
• Support Infrastructure & Operations policy development and enforcement

Info-Tech Best Practice

This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

Executive Summary

Situation

• Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
• Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

Complication

• Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
• Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
• Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

Resolution

• Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
• Create effective policies that are reasonable, measurable, auditable, and enforceable.
• Create and document procedures to support policy changes.

Info-Tech Insight

1. Document what you need to document and forget the rest.
   Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
2. Support policies with documented procedures.
   Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

What are policies, procedures, and processes?

A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

Document to improve governance and operational processes

Deliver value

Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

Simplify Training

Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

Maintain compliance

Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

Provide transparency

Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Document what you need to document – and forget the rest

Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

Presenting: A COBIT-aligned policy suite

We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

Info-Tech Best Practice

Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Accelerate policy development with a Guided Implementation

Your trusted advisor is just a call away.

• Identify Policy and Procedure Gaps (Calls 1-2)
  Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
• Create and Review Policies (Calls 2-4)
  Modify and review policy templates with an Info-Tech analyst.
• Create and Review Procedures (Calls 4-6)
  Workflow procedures, using templates wherever possible. Review documentation best practices.

Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

Develop Infrastructure & Operations Policies and Procedures

Phase 1

Identify Policy and Procedure Gaps

PHASE 1: Identify Policy and Procedure Gaps

Step 1.1: Review and right-size the existing policy set

This step will walk you through the following activities:

• Identify gaps in your existing policy suite
• Document challenges to core Infrastructure & Operations processes
• Identify documentation that can close gaps
• Prioritize your documentation effort

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: A review of the existing policy suite and identification of opportunities for improvement.
• Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

Conduct a policy review

You’ve got time to review your policy suite. Make the most of it.

1. Start with organizational requirements.
   • What initiatives are on the go? What policies or procedures do you have a mandate to create?
2. Weed out expired and dated policies.
   • Gather your existing policies. Identify when each one was published or last reviewed.
   • Decide whether to retire, merge, or update expired or obviously dated policy.
3. Review policy statements.
   • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

But they just want one policy...

• Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
• Review the suite to validate that you’re addressing the most important challenges first.

Brainstorm improvements for core Infrastructure & Operations processes

Supplement the list of gaps from your policy review with process challenges.

1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

Business Continuity Management: Continue operation of critical business processes and IT services.

Change Management: Deliver technical changes in a controlled manner.

Configuration Management: Define and maintain relationships between technical components.

Problem Management: Identify incident root cause.

Operations Management: Coordinate operations.

Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

Service Desk: Respond to user requests and all incidents.

PHASE 1: Identify Policy and Procedure Gaps

Step 1.2: Create an action plan to address policy gaps

This step will walk you through the following activities:

• Identify challenges and gaps that can be addressed via documentation
• Prioritize high-value, high-risk gaps

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
• Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

Support policies with procedures, standards, and guidelines

Use a working definition for each type of document.

Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

• Standards: Prescriptive, uniform requirements.
• Procedures: Specific, detailed, step-by-step instructions for completing a task.
• Guidelines: Non-enforceable, recommended best practices.

Info-Tech Best Practice

Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

Answer the following questions to decide if governance documentation can help close gaps

1(c) 30 minutes

Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

1. What is the purpose of the documentation?
   Procedures support task completion. Policies set direction and manage organizational risk.
2. Should it be enforceable?
   Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
3. What is the scope?
   To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
4. What’s the expected cadence for updates?
   Policies should be revisited and revised less frequently than procedures.

Info-Tech Best Practice

Reinvent the wheel? I don’t think so!

Always check to see if a gap can be addressed with existing tools before drafting a new policy

• Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
• Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
• It may be simpler to amend an existing policy instead of creating a new one.

Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

Tackle high-value, high-risk gaps first

1(d) 30 minutes

Prioritize your documentation effort.

1. List each proposed piece of documentation on the board.
2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
3. Prioritize documentation that mitigates risks and maximizes benefits.
4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

Example Scoring Scale

Info-Tech Insight

Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

Phase 1: Review accomplishments

Policy pillars: Standards, Procedures, Guidelines

Summary of Accomplishments

• Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
• Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

Develop Infrastructure & Operations Policies and Procedures

Phase 2

Develop Policies

PHASE 2: Develop Policies

Step 2.1: Modify policy templates and gather feedback

This step will walk you through the following activities:

• Modify policy templates

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer

Results & Insights

• Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
• Insights: Effective policies are easy to read and navigate.

Write Good-er: Be Clear, Consistent, and Concise

Effective policies adhere to the three Cs of documentation.

1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
2. Be consistent. Write policies that complement each other, not contradict each other.
3. Be concise. Make it as quick and easy as possible to read and understand your policy.

Info-Tech Best Practice

To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

Use the three Cs: Be Clear

Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

Info-Tech Insight

Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

Use the three Cs: Be Consistent

Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

"One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

Use the three Cs: Be Concise

Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

"If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

"I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

Customize policy documents

Use the policies templates to support key Infrastructure & Operations programs.

INPUT: List of prioritized policies

OUTPUT: Written policy drafts ready for review

Materials: Policy templates

Participants: Policy writer, Signing authority

No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

1. Work through policies from highest to lowest priority as defined in Phase 1.
2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
5. Rinse and repeat. Iterate until all relevant polices are complete.

Request, Incident, and Problem Management

An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

• IT Triage and Support Policy

Support the program and associated policy statements using Info-Tech’s research:

• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Embrace Standardization

• Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
• Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
• Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
• Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
• Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
• Empower end users and technicians with knowledge bases that help them solve problems without intervention.

Change, Release, and Patch Management

Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

Use the following templates to create policies that define effective patch, release, and change management:

• Change Management Policy
• Release and Patch Management Policy
• Change Control – Freezes & Risk Evaluation Policy

Ensure the policy is supported by using the following Info-Tech research:

• Optimize Change Management

Embrace Change

• IT system owners resist change management when they see it as slow and bureaucratic.
• At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
• No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
• Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

IT Asset Management (ITAM)

A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

Start by outlining the requirements for effective asset management:

• Hardware Asset Management Policy
• Software Asset Management Policy

Support ITAM policies with the following Info-Tech research:

• Implement IT Asset Management

Leverage Asset Data

• Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
• Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
• Visibility into asset location and ownership improves security and accountability.
• A centralized repository of asset data supports request fulfilment and incident management.
• Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

"Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Business Continuity Management (BCM)

Streamline the traditional approach to make BCM practical and repeatable.

Set the direction and requirements for effective BCM:

• Business Continuity Management Policy

Support the BCM policy with the following Info-Tech research:

• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan

Build Organizational Resilience

• Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
• IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
• Set an organizational mandate for BCM with the policy.
• Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Availability, Capacity, and Operations Management

What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

Set the direction and requirements for effective availability and capacity management:

• Availability and Capacity Management Policy
• System Maintenance Policy – NIST

Support the policy with the following Info-Tech research:

• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook

Mature Service Delivery

• Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
• Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
• Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

Enhance your overall security posture with a defensible, prescriptive policy suite

Align your security policy suite with NIST Special Publication 800-171.

Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

• Start with a security charter that aligns the security program with organizational objectives.
• Prioritize security policies that address significant risks.
• Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

Info-Tech Best Practice

Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

PHASE 2: Develop Policies

Step 2.2: Implement, enforce, measure, and maintain new policies

This step will walk you through the following activities:

• Gather stakeholder feedback
• Identify preventive and detective controls
• Identify required supports
• Seek policy approval
• Establish roles and responsibilities for policy maintenance

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors
• Technical Writer
• Policy Stakeholders

Results & Insights

• Results: Well-supported policies that have received signoff.
• Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

Gather feedback from users to assess the feasibility of the new policies

2(b) Review period: 1-2 weeks

Once the policies are drafted, roundtable the drafts with stakeholders.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
3. Collect feedback from the group.
   • Consider using interviews, email surveys, chat channels, or group discussions.
   • Solicit ideas on how policy statements could be improved or streamlined.
4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

Info-Tech Best Practice

Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

Develop mechanisms for monitoring and enforcement

Brainstorm preventive and detective controls.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

Suggestions:

1. Have staff sign off on policies. Disclose any monitoring/surveillance.
2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

Support the policy before seeking approval

A policy is only as strong as its supporting pillars.

Create Standards

Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

Create Guidelines

If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

Create Procedures: We’ll cover procedure development and documentation in Phase 3.

Info-Tech Insight

In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

Seek approval and communicate the policy

Policies ultimately need to be accepted by the business.

• Once the drafts are completed, identify who is in charge of approving the policies.
• Ensure all stakeholders understand the importance, context, and repercussions of the policies.
• The approvals process is about appropriate oversight of the drafted policies. For example:
  • Do the policies satisfy compliance and regulatory requirements?
  • Do the policies work with the corporate culture?
  • Do the policies address the underlying need?

If the draft is rejected:

• Acquire feedback and make revisions.
• Resubmit for approval.

If the draft is approved:

• Set the effective date and a review date.
• Begin communication, training, and implementation.

• Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
• Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
• Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

"A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Identify policy management roles and responsibilities

Discuss and assign roles and responsibilities for ongoing policy management.

"Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

Phase 2: Review accomplishments

Effective Policies: Clear, Consistent, and Concise

Summary of Accomplishments

• Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
• Reviewed controls and policy supports.
• Assigned roles and responsibilities for ongoing policy maintenance.

Develop Infrastructure & Operations Policies and Procedures

Phase 3

Document Effective Procedures

PHASE 3: Document Effective Procedures

Step 3.1: Scope and outline procedures

This step will walk you through the following activities:

• Prioritize SOP documentation
• Draft workflows using a tabletop exercise
• Modify templates, as applicable

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer
• Infrastructure Supervisors

Results & Insights

• Results: An action plan for SOP documentation and an outline of procedure workflows.
• Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

Prioritize your SOP documentation effort

Build SOP documentation that gets used and doesn’t just check a box.

1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
   • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
   • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
   • Diagrams: Visualize objects, topologies, and connections for reference purposes.
   • Tables: Establish relationships between related categories.
   • Prose: Use full-text instructions where other documentation strategies are insufficient.

Modify the following Info-Tech templates for larger SOPs

Support these processes...	...with these blueprints...	...to create SOPs using these templates.
	Create a Right-Sized Disaster Recovery Plan	DRP Summary
	Implement IT Asset Management	HAM SOP and SAM SOP
	Optimize Change Management	Change Management SOP
	Standardize the Service Desk	Service Desk SOP

Use tabletop planning or whiteboards to draft workflows

3(b) 30 minutes

Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

OUTPUT: Steps in the current process for one SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

1. For this exercise, choose one particular process to document.
2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
3. Be sure to include task ownership in your steps.
4. Map out the process as it currently happens – we’ll think about how to improve it later.
5. Keep focused. Stay on task and on time.

Example:

• Step 3: PM reviews new defects daily
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority

Info-Tech Insight

Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

Collaborate to optimize the SOP

Review the tabletop exercise. What gaps exist in current processes?
How can the processes be made better? What are the outputs and checkpoints?

OUTPUT: Identify steps to optimize the SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

Example:

• Step 3: PM reviews new defects daily
• NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority
  • Step 5 Subprocess: Ticket status update
  • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

PHASE 3: Document Effective Procedures

Step 3.2: Document effective procedures

This step will walk you through the following activities:

• Document workflows, checklists, and diagrams
• Establish a cadence for document review and updates

This step involves the following participants:

• Infrastructure Manager
• Technical Writer

Results & Insights

• Results: Improved SOP documentation and document management practices.
• Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

Document workflows with flowcharting software

Suggestions for workflow documentation

• Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
• Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
• Use standard flowchart shapes (see next slide).
• Use links to connect to related documentation.
• Review the documented workflow with participants.

Download the following workflow examples:

• XMPL Recovery Workflows
• Workflow Library

Establish flowcharting standards

If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

	Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
	Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
	Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
	Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
	Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
	Document/Report Output: For example, the output from a backup process might include an error log.

Support workflows with checklists and diagrams

Diagrams

• Diagrams are a visual representation of real-world phenomena and the connections between them.
• Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
• IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

Examples:

• XMPL Recovery Workflows
• Workflow Library

Checklists

• Checklists are best used as short-form reminders on how to complete a particular task.
• Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

Examples:

• Employee Termination Process Checklist
• XMPL Systems Recovery Playbook

Establish a cadence for documentation review and maintenance

Lock-in the work with strong document management practices.

• Identify documentation requirements as part of project planning.
• Require a manager or supervisor to review and approve SOPs.
• Check documentation status as part of change management.
• Hold staff accountable for documentation.

"It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

Only a quarter of organizations update SOPs as needed

Info-Tech Best Practice

Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

Phase 3: Review accomplishments

Workflow documentation: Cue cards into flowcharts

Summary of Accomplishments

• Identified priority procedures for documentation activities.
• Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
• Published and maintained procedure documentation.

Research contributors and experts

Carole Fennelly, Owner
cFennelly Consulting

Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

Marko Diepold, IT Audit Manager
audit2advise

Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

Research contributors and experts

Martin Andenmatten, Founder & Managing Director
Glenfis AG

Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

Myles F. Suer, CIO Chat Facilitator
CIO.com/Dell Boomi

Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

Research contributors and experts

Peter Sheingold, Portfolio Manager
Cybersecurity, Homeland Security Center, The MITRE Corporation

Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

Robert D. Austin, Professor
Ivey Business School

Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

Research contributors and experts

Ron Jones, Director of IT Infrastructure and Service Management
DATA Communications

Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
University of Chicago

Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

Research contributors and experts

Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
Point B

Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

Tony J. Read, Senior Program/Project Lead & Interim IT Executive
Read & Associates

Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

Related Info-Tech research

• Develop and Deploy Security Policies
• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook
• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan
• Implement IT Asset Management
• Optimize Change Management
• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Bibliography

“About Controls.” Ohio University, ND. Web. 2 Feb 2018.

England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

“Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

“Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

“IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

“User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

“The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.

CIO Priorities 2023

Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

Analyst Perspective

Take a full view of the board and use all your pieces to win.

In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

It's up to them to assess their gaps, consider the present scenario, and then make their next move.

Brian Jackson
Principal Research Director, Research – CIO
Info-Tech Research Group

CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

2023 The State of Hybrid Work in IT Survey; N=518
The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

Build IT alignment

Assess your IT processes

Determine stakeholder satisfaction

Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

Current and future state of IT maturity

Trends indicate a need to focus on leadership and change management

Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

Tier 1: The Most Important Capabilities In 2023

Enterprise Application Selection & Implementation Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.
Leadership, Culture, and Values Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.
Data Architecture Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.
Organizational Change Management Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.
External Compliance Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

Info-Tech's Management and Diagnostic Benchmark

Tier 2: Other Important Capabilities In 2023

Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

Asset Management Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.
Business Intelligence and Reporting Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.
Business Value Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.
Cost and Budget Management Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.
Data Quality Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.
Enterprise Architecture Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.
IT Organizational Design Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.
Performance Measurement Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.
Stakeholder Relations Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.
Vendor Management Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

Defining the CIO Priorities for 2023

Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

The Five CIO Priorities for 2023

Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

1. Adjust IT operations to manage for inflation
   • Business Value
   • Vendor Management
   • Cost and Budget Management
2. Prepare your data pipeline to train AI
   • Business Intelligence and Reporting
   • Data Quality
   • Data Architecture
3. Go all in on zero-trust security
   • Asset Management
   • Stakeholder Relations
   • External Compliance
4. Engage employees in the digital age
   • Leadership, Culture, and Values
   • Organizational Change Management
   • Enterprise Architecture
5. Shape the IT organization to improve customer experience
   • Enterprise Application Selection & Implementation
   • Performance Measurement
   • IT Organizational Design

Adjust IT operations to manage for inflation

Priority 01

• APO06 Cost and Budget Management
• APo10 Vendor Management
• EDM02 Business Value

Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

Inflation takes a bite out of the budget

Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

Global inflation estimates by year

International Monetary Fund, 2022

CIOs are more optimistic about budgets than their supervisors

Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

Expect headcount to stay flat or decline over 3-5 years

IT budget expectations to stay flat or decrease before inflation

IT budget expectations to stay flat or decrease adjusted for inflation

Info-Tech's CEO-CIO Alignment Program

Opportunities

Appoint a "cloud economist"

Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

Partner with technology providers