Domino – Maintain, Commit to, or Vacate?

Lotus Domino still lives, and you have options for migrating away from or remaining with the platform.

Executive Summary

Info-Tech Insight

“HCL announced that they have somewhere in the region of 15,000 Domino customers worldwide, and also claimed that that number is growing. They also said that 42% of their customers are already on v11 of Domino, and that in the year or so since that version was released, it’s been downloaded 78,000 times. All of which suggests that the Domino platform is, in fact, alive and well.”
– Nigel Cheshire in Team Studio

Your Challenge

You have a Domino/Notes footprint embedded within your business units and business processes. This is taxing your support organization; you are meeting resistance from the business, and you are now asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses as a multipurpose solution that, over the years, became embedded within core business applications and processes.

Common Obstacles

For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

Info-Tech Approach

The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

Review

Is “Lotus” Domino still alive?

Problem statement

The number of member engagements with customers regarding the Domino platform has, as you might imagine, dwindled in the past couple of years. While many members have exited the platform, there are still many members and organizations that have entered a long exit program, but with how embedded Domino is in business processes, the migration has slowed and been met with resistance. Some organizations had replatformed the applications but found that the replacement target state was inadequate and introduced friction because the new solution was not a low-code/business-user-driven environment. This resulted in returning the Domino platform to production and working through a strategy to maintain the environment.

This research is designed for:

• IT strategic direction decision-makers
• IT managers responsible for an existing Domino platform
• Organizations evaluating migration options for mission-critical applications running on Domino

This research will help you:

1. Evaluate migration options.
2. Assess the fit and purpose.
3. Consider strategies for overcoming potential challenges.
4. Determine the future of this platform for your organization.

The “everything may work” scenario

Adopt and expand

Believe it or not, Domino and Notes are still options to consider when determining a migration strategy. With HCL still committed to the platform, there are options organizations should seek to better understand rather than assuming SharePoint will solve all. In our research, we consider:

Importance to current business processes

• Importance of use
• Complexity in migrations
• Choosing a new platform

Available tools to facilitate

• Talent/access to skills
• Economies of scale/lower cost at scale
• Access to technology

Info-Tech Insight

With multiple options to consider, take the time to clearly understand the application rationalization process within your decision making.

• Archive/retire
• Application migration
• Application replatform
• Stay right where you are

Eliminate your bias – consider the advantages

“There is a lot of bias toward Domino; decisions are being made by individuals who know very little about Domino and more importantly, they do not know how it impacts business environment.”

– Rob Salerno, Founder & CTO, Rivet Technology Partners

Domino advantages include:

Modern Cloud & Application

• No-code/low-code technology

Business-Managed Application

• Business written and supported
• Embrace the business support model
• Enterprise class application

Leverage the Application Taxonomy & Build

• A rapid application development platform
• Develop skill with HCL training

HCL Domino is a supported and developed platform

Why consider HCL?

• Consider scheduling a Roadmap Session with HCL. This is an opportunity to leverage any value in the mission and brand of your organization to gain insights or support from HCL.
• Existing Domino customers are not the only entities seeking certainty with the platform. Software solution providers that support enterprise IT infrastructure ecosystems (backup, for example) will also be seeking clarity for the future of the platform. HCL will be managing these relationships through the channel/partner management programs, but our observations indicate that Domino integrations are scarce.
• HCL Domino should be well positioned feature-wise to support low-code/NoSQL demands for enterprises and citizen developers.

Visualize Your Application Roadmap

1. Focus on the application portfolio and crafting a roadmap for rationalization.
   • The process is intended to help you determine each application’s functional and technical adequacy for the business process that it supports.
2. Document your findings on respective application capability heatmaps.
   • This drives your organization to a determination of application dispositions and provides a tool to output various dispositions for you as a roadmap.
3. Sort the application portfolio into a disposition status (keep, replatform, retire, consolidate, etc.)
   • This information will be an input into any cloud migration or modernization as well as consolidation of the infrastructure, licenses, and support for them.

Our external support perspective

by Darin Stahl

Member Feedback

• Some members who have remaining Domino applications in production – while the retire, replatform, consolidate, or stay strategy is playing out – have concerns about the challenges with ongoing support and resources required for the platform. In those cases, some have engaged external services providers to augment staff or take over as managed services.
• While there could be existing support resources (in house or on retainer), the member might consider approaching an external provider who could help backstop the single resource or even provide some help with the exit strategies. At this point, the conversation would be helpful in any case. One of our members engaged an external provider in a Statement of Work for IBM Domino Administration focused on one-time events, Tier 1/Tier 2 support, and custom ad hoc requests.
• The augmentation with the managed services enabled the member to shift key internal resources to a focus on executing the exit strategies (replatform, retire, consolidate), since the business knowledge was key to that success.
• The member also very aggressively governed the Domino environment support needs to truly technical issues/maintenance of known and supported functionality rather than coding new features (and increasing risk and cost in a migration down the road) – in short, freezing new features and functionality unless required for legal compliance or health and safety.
• There obviously are other providers, but at this point Info-Tech no longer maintains a market view or scan of those related to Domino due to low member demand.

Domino database assessments

Consider the database.

• Domino database assessments should be informed through the lens of a multi-value database, like jBase, or an object system.
• The assessment of the databases, often led by relational database subject matter experts grounded in normalized databases, can be a struggle since Notes databases must be denormalized.

Key/Value		Column
Use case: Heavily accessed, rarely updated, large amounts of data Data Model: Values are stored in a hash table of keys. Fast access to small data values, but querying is slow Processor friendly Based on amazon's Dynamo paper Example: Project Voldemort used by LinkedIn		Use case: High availability, multiple data centers Data Model: Storage blocks of data are contained in columns Handles size well Based on Google's BigTable Example: Hadoop/Hbase used by Facebook and Yahoo
Document		Graph
Use case: Rapid development, Web and programmer friendly Data Model: Stores documents made up of tagged elements. Uses Key/Value collections Better query abilities than Key/Value databases. Inspired by Lotus Notes. Example: CouchDB used by BBC		Use case: Best at dealing with complexity and relationships/networks Data model: Nodes and relationships. Data is processed quickly Inspired by Euler and graph theory Can easily evolve schemas Example: Neo4j

Understand your options

Archive/Retire

Store the application data in a long-term repository with the means to locate and read it for regulatory and compliance purposes.

Migrate

Migrate to a new version of the application, facilitating the process of moving software applications from one computing environment to another.

Replatform

Replatforming is an option for transitioning an existing Domino application to a new modern platform (i.e. cloud) to leverage the benefits of a modern deployment model.

Stay

Review the current Domino platform roadmap and understand HCL’s support model. Keep the application within the Domino platform.

Archive/retire

Retire the application, storing the application data in a long-term repository.

Abstract

The most common approach is to build the required functionality in whatever new application/solution is selected, then archive the old data in PDFs and documents.

Typically this involves archiving the data and leveraging Microsoft SharePoint and the new collaborative solutions, likely in conjunction with other software-as-a-service (SaaS) solutions.

Advantages

• Reduce support cost.
• Consolidate applications.
• Reduce risk.
• Reduce compliance and security concerns.
• Improve business processes.

Considerations

• Application transformation
• eDiscovery costs
• Legal implications
• Compliance implications
• Business process dependencies

Info-Tech Insights

Be aware of the costs associated with archiving. The more you archive, the more it will cost you.

Application migration

Migrate to a new version of the application

Abstract

An application migration is the managed process of migrating or moving applications (software) from one infrastructure environment to another.

This can include migrating applications from one data center to another data center, from a data center to a cloud provider, or from a company’s on-premises system to a cloud provider’s infrastructure.

Advantages

• Reduce hardware costs.
• Leverage cloud technologies.
• Improve scalability.
• Improve disaster recovery.
• Improve application security.

Considerations

• Data extraction, starting from the document databases in NSF format and including security settings about users and groups granted to read and write single documents, which is a powerful feature of Lotus Domino documents.
• File extraction, starting from the document databases in NSF format, which can contain attachments and RTF documents and embedded files.
• Design of the final relational database structure; this activity should be carried out without taking into account the original structure of the data in Domino files or the data conversion and loading, from the extracted format to the final model.
• Design and development of the target-state custom applications based on the new data model and the new selected development platform.

Application replatform

Transition an existing Domino application to a new modern platform

Abstract

This type of arrangement is typically part of an application migration or transformation. In this model, client can “replatform” the application into an off-premises hosted provider platform. This would yield many benefits of cloud but in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

Two challenges are particularly significant when migrating or replatforming Domino applications:

• The application functionality/value must be reproduced/replaced with not one but many applications, either through custom coding or a commercial-off-the-shelf/SaaS solution.
• Notes “databases” are not relational databases and will not migrate simply to an SQL database while retaining the same business value. Notes databases are essentially NoSQL repositories and are difficult to normalize.

Advantages

• Leverage cloud technologies.
• Improve scalability.
• Align to a SharePoint platform.
• Improve disaster recovery.
• Improve application security.

Considerations

• Application replatform resource effort
• Network bandwidth
• New platform terms and conditions
• Secure connectivity and communication
• New platform security and compliance
• Degree of complexity

Info-Tech Insights

There is a difference between a migration and a replatform application strategy. Determine which solution aligns to the application requirements.

Stay with HCL

Stay with HCL, understanding its future commitment to the platform.

Abstract

Following the announced acquisition of IBM Domino and up until around December 2019, HCL had published no future roadmap for the platform. The public-facing information/website at the time stated that HCL acquired “the product family and key lab services to deliver professional services.” Again, there was no mention or emphasis on upcoming new features for the platform. The product offering on their website at the time stated that HCL would leverage its services expertise to advise clients and push applications into four buckets:

1. Replatform
2. Retire
3. Move to cloud
4. Modernize

That public-facing messaging changed with release 11.0, which had references to IBM rebranded to HCL for the Notes and Domino product – along with fixes already inflight. More information can be found on HCL’s FAQ page.

Advantages

• Known environment
• Domino is a supported platform
• Domino is a developed platform
• No-code/low-code optimization
• Business developed applications
• Rapid application framework

Understand your tools

Many tools are available to help evaluate or migrate your Domino Platform. Here are a few common tools for you to consider.

• SWING Software
  • Lotus Notes application archiving with Seascape for Notes: Seascape for Notes and Lotus Notes migration
  • Lotus Notes to SharePoint Migration
• Rivit MigrateMe
• SkyBow Notes to SharePoint
• CIMtrek: CIMtrek SharePoint Migrator and Migrating Lotus Notes Applications to the Cloud Using the CIMtrek migration tools [PDF]
• 4WS.Platform

Notes Archiving & Notes to SharePoint

Summary of Vendor

“SWING Software delivers content transformation and archiving software to over 1,000 organizations worldwide. Our solutions uniquely combine key collaborative platforms and standard document formats, making document production, publishing, and archiving processes more efficient.”*

Tools

Lotus Notes Data Migration and Archiving: Preserve historical data outside of Notes and Domino

Lotus Note Migration: Replacing Lotus Notes. Boost your migration by detaching historical data from Lotus Notes and Domino.

Headquarters

Croatia

Best fit

• Application archive and retire
• Migration to SharePoint

* swingsoftware.com

Domino Migration to SharePoint

Summary of Vendor

“Providing leading solutions, resources, and expertise to help your organization transform its collaborative environment.”*

Tools

Notes Domino Migration Solutions: Rivit’s industry-leading solutions and hardened migration practice will help you eliminate Notes Domino once and for all.

Rivive Me: Migrate Notes Domino applications to an enterprise web application

Headquarters

Canada

Best fit

• Application Archive & Retire
• Migration to SharePoint

* rivit.ca

Lotus Notes to M365

Summary of Vendor

“More than 300 organizations across 40+ countries trust skybow to build no-code/no-compromise business applications & processes, and skybow’s community of customers, partners, and experts grows every day.”*

Tools

SkyBow Studio: The low-code platform fully integrated into Microsoft 365

Headquarters:

Switzerland

Best fit

• Application Archive & Retire
• Migration to SharePoint

* skybow.com | About skybow

Notes to SharePoint Migration

Summary of Vendor

“CIMtrek is a global software company headquartered in the UK. Our mission is to develop user-friendly, cost-effective technology solutions and services to help companies modernize their HCL Domino/Notes® application landscape and support their legacy COBOL applications.”*

Tools

CIMtrek SharePoint Migrator: Reduce the time and cost of migrating your IBM® Lotus Notes® applications to Office 365, SharePoint online, and SharePoint on premises.

Headquarters

United Kingdom

Best fit

• Application replatform
• Migration to SharePoint

* cimtrek.com | About CIMtrek

Domino replatform/Rapid application selection framework

Summary of Vendor

“4WS.Platform is a rapid application development tool used to quickly create multi-channel applications including web and mobile applications.”*

Tools

4WS.Platform is available in two editions: Community and Enterprise.
The Platform Enterprise Edition, allows access with an optional support pack.

4WS.Platform’s technical support provides support services to the users through support contracts and agreements.

The platform is a subscription support services for companies using the product which will allow customers to benefit from the knowledge of 4WS.Platform’s technical experts.

Headquarters

Italy

Best fit

• Application replatform

* 4wsplatform.org

Activity

Understand your Domino options

Application Rationalization Exercise

Info-Tech Insight

Application rationalization is the perfect exercise to fully understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

This activity involves the following participants:

• IT strategic direction decision-makers.
• IT managers responsible for an existing Domino platform
• Organizations evaluating platforms for mission-critical applications.

Outcomes of this step:

• Completed Application Rationalization Tool

Application rationalization exercise

Use this Application Rationalization Tool to input the outcomes of your various application assessments

In the Application Entry tab:

• Input your application inventory or subset of apps you intend to rationalize, along with some basic information for your apps.

In the Business Value & TCO Comparison tab, determine rationalization priorities.

• Input your business value scores and total cost of ownership (TCO) of applications.
• Review the results of this analysis to determine which apps should require additional analysis and which dispositions should be prioritized.

In the Disposition Selection tab:

• Add to or adapt our list of dispositions as appropriate.

In the Rationalization Inputs tab:

• Add or adapt the disposition criteria of your application rationalization framework as appropriate.
• Input the results of your various assessments for each application.

In the Disposition Settings tab:

• Add or adapt settings that generate recommended dispositions based on your rationalization inputs.

In the Disposition Recommendations tab:

• Review and compare the rationalization results and confirm if dispositions are appropriate for your strategy.

In the Timeline Considerations tab:

• Enter the estimated timeline for when you execute your dispositions.

In the Portfolio Roadmap tab:

• Review and present your roadmap and rationalization results.

Follow the instructions to generate recommended dispositions and populate an application portfolio roadmap.

Info-Tech Insight

Watch out for misleading scores that result from poorly designed criteria weightings.

Related Info-Tech Research

Build an Application Rationalization Framework

Manage your application portfolio to minimize risk and maximize value.

Embrace Business-Managed Applications

Empower the business to implement their own applications with a trusted business-IT relationship.

Satisfy Digital End Users With Low- and No-Code

Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

Maximize the Benefits from Enterprise Applications with a Center of Excellence

Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

Research Authors

Darin Stahl, Principal Research Advisor,
Info-Tech Research Group

Darin is a Principal Research Advisor within the Infrastructure practice, leveraging 38+ years of experience. His areas of focus include IT operations management, service desk, infrastructure outsourcing, managed services, cloud infrastructure, DRP/BCP, printer management, managed print services, application performance monitoring, managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

Troy Cheeseman, Practice Lead,
Info-Tech Research Group

Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

Research Contributors

Rob Salerno, Founder & CTO, Rivit Technology Partners

Rob is the Founder and Chief Technology Strategist for Rivit Technology Partners. Rivit is a system integrator that delivers unique IT solutions. Rivit is known for its REVIVE migration strategy which helps companies leave legacy platforms (such as Domino) or move between versions of software. Rivit is the developer of the DCOM Application Archiving solution.

Bibliography

Cheshire, Nigel. “Domino v12 Launch Keeps HCL Product Strategy On Track.” Team Studio, 19 July 2021. Web.

“Is LowCode/NoCode the best platform for you?” Rivit Technology Partners, 15 July 2021. Web.

McCracken, Harry. “Lotus: Farewell to a Once-Great Tech Brand.” TIME, 20 Nov. 2012. Web.

Sharwood, Simon. “Lotus Notes refuses to die, again, as HCL debuts Domino 12.” The Register, 8 June 2021. Web.

Woodie, Alex. “Domino 12 Comes to IBM i.” IT Jungle, 16 Aug. 2021. Web.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

EXECUTIVE BRIEF

Drive Successful Sourcing Outcomes with a Robust RFP Process

Lack of RFP Process Causes... Stress Confusion Frustration Directionless Exhaustion Uncertainty Disappointment	Solution: RFP Process			Best value solutions Right-sized solutions Competitive Negotiations Better requirements that feed negotiations Internal alignment on requirements and solutions Vendor Management Governance Plan
	Requirements Risk Legal Support Security Technical Commercial Operational Vendor Management Governance	Templates, Tools, Governance RFP Template Your Contracts RFP Procedures Pricing Template Evaluation Guide Evaluation Matrix	Vendor Management Scorecards Classification Business Review Meetings Key Performance Indicators Contract Management Satisfaction Survey

Analyst Perspective

Consequences of a bad RFP

“A bad request for proposal (RFP) is the gift that keeps on taking – your time, your resources, your energy, and your ability to accomplish your goal. A bad RFP is ineffective and incomplete, it creates more questions than it answers, and, perhaps most importantly, it does not meet your organization’s expectations.”

Steven Jeffery
Principal Research Director, Vendor Management
Co-Author: The Art of Creating a Quality RFP
Info-Tech Research Group

Executive Summary

Your Challenge

• Most IT organizations are absent of standard RFP templates, tools, and processes.
• Many RFPs lack sufficient requirements from across the business (Legal, Finance, Security, Risk, Procurement, VMO).
• Most RFP team members are not adequately trained on RFP best practices.
• Most IT departments underestimate the amount of time required to perform an effective RFP.
• An ad hoc sourcing process is a common recipe for vendor performance failure.

Common Obstacles

• Lack of time
• Lack of resources
• Right team members not engaged
• Poorly defined requirements
• Too difficult to change supplier
• Lack of a process
• Lack of adequate tools/processes
• Lack of a vendor communications plan that includes all business stakeholders.
• Lack of consensus as to what the ideal result should look like.

Info-Tech’s Approach

• Establish a repeatable, consistent RFP process that maintains negotiation leverage and includes all key components.
• Create reusable templates to expedite the RFP evaluation and selection process.
• Maximize the competition by creating an equal and level playing field that encourages all the vendors to respond to your RFP.
• Create a process that is clear and understandable for both the business unit and the vendor to follow.
• Include Vendor Management concepts in the process.

Info-Tech Insight

A well planned and executed sourcing strategy that focuses on solid requirements, evaluation criteria, and vendor management will improve vendor performance.

Executive Summary

Your Challenge

Your challenge is to determine the best sourcing tool to obtain vendor information on capabilities, solution(s), pricing and contracting: RFI, RFP, eRFX.

Depending on your organization’s knowledge of the market, your available funding, and where you are in the sourcing process, there are several approaches to getting the information you need.

An additional challenge is to answer the question “What is the purpose of our RFX?”

If you do not have in-depth knowledge of the market, available solutions, and viable vendors, you may want to perform an RFI to provide available market information to guide your RFP strategy.

If you have defined requirements, approved funding, and enough time, you can issue a detailed, concise RFP.

If you have “the basics” about the solution to be acquired and are on a tight timeframe, an “enhanced RFI” may fit your needs.

This blueprint will provide you with the tools and processes and insights to affect the best possible outcome.

Executive Summary

Common Obstacles

• Lack of process/tools
• Lack of input from stakeholders
• Stakeholders circumventing the process to vendors
• Vendors circumventing the process to key stakeholders
• Lack of clear, concise, and thoroughly articulated requirements
• Waiting until the vendor is selected to start contract negotiations
• Waiting until the RFP responses are back to consider vendor management requirements
• Lack of clear communication strategy to the vendor community that the team adheres to

Many organizations underestimate the time commitment for an RFP

Why Vendors Don’t Like RFPs

Negative effects on your organization from a lack of RFP process

Stress, because roles and responsibilities aren’t clearly defined and communication is haphazard, resulting in strained relationships. Confusion, because you don’t know what the expected or desired results are. Directionless, because you don’t know where the team is going. Uncertainty, with many questions of your own and many more from other team members. Frustration, because of all the questions the vendors ask as a result of unclear or incomplete requirements. Exhaustion, because reviewing RFP responses of insufficient quality is tedious. Disappointment in the results your company realizes. (Source: The Art of Creating a Quality RFP)

Info-Tech’s approach

Develop an inclusive and thorough approach to the RFP Process

The Info-Tech difference:

1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a predetermined due date.

Insight Summary

Overarching insight

Without a well defined, consistent RFP process, with input from all key stakeholders, the organization will not achieve the best possible results from its sourcing efforts.

Phase 1 insight

Vendors are choosing to not respond to RFPs due to their length and lack of complete requirements.

Phase 2 insight

Be clear and concise in stating your requirements and include, in addition to IT requirements, procurement, security, legal, and risk requirements.

Phase 3 insight

Consider adding vendor management requirements to manage the ongoing relationship post contract.

Tactical insight

Consider the RFP Evaluation Process as you draft the RFP, including weighting the RFP components. Don’t underestimate the level of effort required to effectively evaluate responses – write the RFP with this in mind.

Tactical insight

Provide strict, prescriptive instructions detailing how the vendor should submit their responses. Controlling vendor responses will increase your team’s efficiency in evaluations while providing ease of reference responses across multiple vendors.

Key deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverables: Info-Tech provides you with the tools you need to go to market in the most efficient manner possible, with guidance on how to achieve your goals.	Long-Form RFP Template For when you have complete requirements and time to develop a thorough RFP.		Short-Form RFP Template When the requirements are not as extensive, time is short, and you are familiar with the market.
	Lean RFP Template When you have limited time and some knowledge of the market and wish to include only a few vendors.		Excel-Form RFP Template When there are many requirements, many options, multiple vendors, and a broad evaluation team.

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is seven to twelve calls over the course of four to six months.

What does a typical GI on this topic look like?

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Phase 1

Identify Need

Steps 1.1 Establish the need to either purchase goods/services (RFP) or acquire additional information from the market (RFI).

This phase involves the following participants:

• Business stakeholders
• IT
• Sourcing/Procurement
• Finance

Identify the need based on business requirements, changing technology, increasing vendor costs, expiring contracts, and changing regulatory requirements.

Outcomes of this phase

Agreement on the need to go to market to make a purchase (RFP) or to acquire additional information (RFI) along with a high-level agreement on requirements, rough schedule (is there time to do a full blown RFP or are you time constrained, which may result in an eRFP) and the RFP team is identified.

Identify the Need for Your RFP

An RFP is issued to the market when you are certain that you intend to purchase a product/service and have identified an adequate vendor base from which to choose as a result of: IT Strategy Changes in technology Marketplace assessment Contract expiration/renewal Changes in regulatory requirements Changes in the business’ requirements An RFI is issued to the market when you are uncertain as to available technologies or supplier capabilities and need budgetary costs for planning purposes. Be sure to choose the right RFx tool for your situation!

Phase 2

Define Your RFP Requirements

Steps 2.1 Define and classify the technical, business, financial, legal, and support and security requirements for your business.

This phase involves the following participants:

• IT
• Legal
• Finance
• Risk management
• Sourcing/Procurement
• Business stakeholders

Outcomes of this phase

A detailed list of required business, technical, legal and procurement requirements classified as to absolute need(s), bargaining and concession need(s), and “nice to haves.”

Define Business Requirements

Define RFP Requirements

Key things to consider when defining requirements

• Must be inclusive of the needs of all stakeholders: business, technical, financial, and legal
• Strive for clarity and completeness in each area of consideration.
• Begin defining your “absolute,” “bargaining,” “concession,” and ‘”dropped/out of scope” requirements to streamline the evaluation process.
• Keep the requirements identified as “absolute” to a minimum, because vendors that do not meet absolute requirements will be removed from consideration.
• Do you have a standard contract that can be included or do you want to review the vendor’s contract?
• Don’t forget Data Security!
• Begin defining your vendor selection criteria.
• What do you want the end result to look like?
• How will you manage the selected vendor after the contract? Include key VM requirements.
• Defining requirements can’t be rushed or you’ll find yourself answering many questions, which may create confusion.
• Collect all your current spend and budget considerations regarding the needed product(s) and service(s).

“Concentrate on the needs of the organization and not the wants of the individuals when creating requirements to avoid scope creep.” (Donna Glidden, ITRG Research Director)

Leverage the “ABCD” approach found in our Prepare for Negotiations More Effectively blueprint:
https://tymansgrpup.com/research/ss/prepare-for-negotiations-more-effectively

2.1 Prioritize your requirements

Input: List of all requirements from IT and IT Security, Business, Sourcing/Procurement, Risk Management, and Legal

Output: Prioritized list of RFP requirements approved by the stakeholder team

Materials: The RFP Requirements Worksheet

Participants: All stakeholders impacted by the RFP: IT, IT Security, the Business, Sourcing/ Procurement, Risk Management, Legal

1. Use this tool to assist you and your team in documenting the requirements for your RFP. Leverage it to collect and categorize your requirements in preparation for negotiations. Use the results of this tool to populate the requirements section of your RFP.
2. As a group, review each of the requirements and determine their priority as they will ultimately relate to the negotiations.
   • Prioritizing your requirements will set up your negotiation strategy and streamline the process.
   • By establishing the priority of each requirement upfront, you will save time and effort in the selection process.
3. Review RFP requirements with stakeholders for approval.

Download the RFP Requirements Worksheet

Phase 3

Gain Business Authorization

Steps 3.1 Obtain business authorization from the business, technology, finance and Sourcing/Procurement

This phase involves the following participants:

• Business stakeholders
• Technology and finance (depending upon the business)
• Sourcing/Procurement

Outcomes of this phase

Approval by all key stakeholders to proceed with the issuing of the RFP and to make a purchase as a result.

Gain Business Authorization

Gain Business Authorization

Gain authorization for your RFP from all relevant stakeholders Alignment of stakeholders Agreement on final requirements Financial authorization Commitment of resources Agreement on what constitutes vendor qualification Finalization of selection criteria and their prioritization Obtaining cross-function alignment will clear the way for contract, SOW, and budget approvals and not waste any of your and your vendor’s resources in performing an RFP that your organization is not ready to implement or invest financial and human resources in.

Phase 4

Create and Issue

Steps 4.1 Build your RFP 4.2 Decide RFI or not 4.3 Create your RFP 4.4 Receive & answer questions 4.5 Perform Pre-Proposal Conference 4.6 Evaluate responses

This phase involves the following participants:

• The RFP owner
• IT
• Business SMEs/stakeholders

Outcomes of this phase

RFP package is issued to vendors and includes the date of the Pre-Proposal Conference, which should be held shortly after RFP release and includes all parties.

SME’s/stakeholders participate in providing answers to RFP contact for response to vendors.

Create and Issue Your RFP/RFI

Six Steps to Perform RFI/RFP

Build your RFP with evaluation in mind

Easing evaluation frustrations

At the beginning of your RFP creation process consider how your requirements will impact the vendor’s response. Concentrate on the instructions you provide the vendors and how you wish to receive their responses. View the RFP through the lens of the vendors and envision how they are going to respond to the proposal.

Limiting the number of requirements included in the RFP will increase the evaluation team’s speed when reviewing vendors’ responses. This is accomplished by not asking questions for common features and functionality that all vendors provide. Don’t ask multiple questions within a question. Avoid “lifting” vendor-specific language to copy into the RFP as this will signal to vendors who their competition might be and may deter their participation. Concentrate your requirement questions to those areas that are unique to your solution to reduce the amount of time required to evaluate the vendors’ response.

Things to Consider When Creating Your RFP:

• Consistency is the foundation for ease of evaluation.
• Provide templates, such as an Excel worksheet, for the vendor’s pricing submissions and for its responses to close-ended questions.
• Give detailed instructions on how the vendor should organize their response.
• Limit the number of open-ended questions requiring a long narrative response to must-have requirements.
• Organize your requirements and objectives in a numerical outline and have the vendor respond in the same manner, such as the following:
  • 1
  • 1.1
  • 1.1.1

Increase your response quality

Inconsistent formatting of vendor responses prevents an apples-to-apples evaluation between vendor responses. Evaluation teams are frequently challenged and are unable to evaluate vendors’ responses equally against each other for the following reasons:

Six Steps to Perform RFI/RFP

Perform Request for Information

Don’t underestimate the importance of the RFI

As the name implies, a request for information (RFI) is a tool for collecting information from vendors about the companies, their products, and their services. We find RFIs useful when faced with a lot of vendors that we don’t know much about, when we want to benchmark the marketplace for products and services, including budgetary information, and when we have identified more potential vendors than we care to commit a full RFP to.

RFIs are simpler and less time-consuming than RFPs to prepare and evaluate, so it can make a lot of sense to start with an RFI. Eliminating unqualified vendors from further consideration will save your team from weeding through RFP responses that do not meet your objectives. For their part, your vendors will appreciate your efforts to determine up-front which of them are the best bets before asking them to spend resources and money producing a costly proposal.

While many organizations rarely use RFIs, they can be an effective tool in the vendor manager’s toolbox when used at the right time in the right way. RFIs can be deployed in competitive targeted negotiations.

A Lean RFP is a two-stage strategy that speeds up the typical RFP process. The first stage is like an RFI on steroids, and the second stage is targeted competitive negotiation.

Don’t rely solely on the internet to qualify vendors; use an RFI to acquire additional information before finalizing an RFP.

4.2.1 In a hurry? Consider a Lean RFP instead of an RFP

1. Create an RFI with all of the normal and customary components. Next, add a few additional RFP-like requirements (e.g. operational, technical, and legal requirements). Make sure you include a request for budgetary pricing and provide any significant features and functionality requirements so that the vendors have enough information to propose solutions. In addition, allow the vendors to ask questions through your single point of coordination and share answers with all of the vendors. Finally, notify the vendors that you will not be doing an RFP.
2. Review the vendors’ proposals and evaluate their proposals against your requirements along with their notional or budgetary pricing.
3. Have the evaluators utilize the Lean RFP Template to record their scores accordingly.
4. After collecting the scores from the evaluators, consolidate the scores together to discuss which vendors – we recommend two or three – you want to present demos.
5. Based on the vendors’ demos, the team selects at least two vendors to negotiate contract and pricing terms with intent of selecting the best-value vendor.
6. The Lean RFP shortens the typical RFP process, maintains leverage for your organization, and works great with low- to medium-spend items (however your organization defines them). You’ll get clarification on vendors’ competencies and capabilities, obtain a fair market price, and meet your internal clients’ aggressive timelines while still taking steps to protect your organization.

Download the Lean RFP Template

Download the RFP Evaluation Tool

4.2.1 In a hurry? Consider a Lean RFP instead of an RFP continued

Six Steps to Perform RFI/RFP

4.3.1 RFP Calendar

Input: List duration in days of key activities, RFP Calendar and Key Date Tool, For all vendor-inclusive meetings, include the dates on your RFP calendar and reference them in the RFP

Output: A timeline to complete the RFP that has the support of each stakeholder involved in the process and that allows for a complete and thorough vendor response.

Materials: RFP Calendar and Key Date Tool

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

1. As a group, identify the key activities to be accomplished and the amount of time estimated to complete each task:
   1. Identify who is ultimately accountable for the completion of each task
   2. Determine the length of time required to complete each task
2. Use the RFP Calendar and Key Date Tool to build the calendar specific to your needs.
3. Include vendor-related dates in the RFP, i.e., Pre-Proposal Conference, deadline for RFP questions as well as response.

Download the RFP Calendar and Key Date Tool

Draft your RFP

Create a template for the vendors’ response

Dictating to the vendors the format of their response will increase your evaluation efficiency Narrative Response: Create either a Word or Excel document that provides the vendor with an easy vehicle for their response. This template should include the question identifier that ties the response back to the requirement in the RFP. Instruct vendors to include the question number on any ancillary materials they wish to include. Pricing Response: Create a separate Excel template that the vendors must use to provide their financial offer. This template should include pricing for hardware, software, training, implementation, and professional services, as well as placeholders for any additional fees. Always be flexible in accepting alternative proposals after the vendor has responded with the information you requested in the format you require.

4.3.2 Vendor Pricing Tool

Input: Identify pricing components for hardware, software, training, consulting/services, support, and additional licenses (if needed)

Output: Vendor Pricing Tool

Materials: RFP Requirements Worksheet, Pricing template

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Using a good pricing template will prevent vendors from providing pricing offers that create a strategic advantage designed to prevent you from performing an apples-to-apples comparison.
2. Provide specific instructions as to how the vendor is to organize their pricing response, which should be submitted separate from the RFP response.
3. Configure and tailor pricing templates that are specific to the product and/or services.
4. Upon receipt of all the vendor’s responses, simply cut and paste their total response to your base template for an easy side-by-side pricing comparison.
5. Do not allow vendors to submit financial proposals outside of your template.

Download the Vendor Pricing Tool

Three RFP Templates

Choose the right template for the right sourcing initiative

• Short-Form

Use the Short-Form RFP Template for simple, non-complex solutions that are medium to low dollar amounts that do not require numerous requirements.

• Long-Form

We recommend the Long-Form RFP Template for highly technical and complex solutions that are high dollar and have long implementation duration.

• Excel-Form

Leverage the Excel-Form RFP Tool for requirements that are more specific in nature to evaluate a vendor’s capability for their solution. This template is designed to be complete and inclusive of the RFP process, e.g., requirements, vendor response, and vendor response evaluation scoring.

Like tools in a carpenters’ tool box or truck, there is no right or wrong template for any job. Take into account your organization culture, resources available, time frame, policies, and procedures to pick the right tool for the job. (Steve Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

4.3.3 Short-Form RFP Template

1-2 hours

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all participants agree to

Materials: Short-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• This is a less complex RFP that has relatively basic requirements and perhaps a small window in which the vendors can respond. As with the long-form RFP, exhibits are placed at the end of the RFP, an arrangement that saves both your team and the vendors time. Of course, the short-form RFP contains less-specific instructions, guidelines, and rules for vendors’ proposal submissions.
• We find that short-form RFPs are a good choice when you need to use something more than a request for quote (RFQ) but less than an RFP running 20 or more pages. It’s ideal, for example, when you want to send an RFP to only one vendor or to acquire items such as office supplies, contingent labor, or commodity items that don’t require significant vendor risk assessment.

Download the Short-Form RFP Template

4.3.4 Long-Form RFP Template

1-3 hours

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all stakeholders agree to

Materials: Long-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• A long-form or major RFP is an excellent tool for more complex and complicated requirements. This template is for a baseline RFP.
• It starts with best-in-class RFP terms and conditions that are essential to maintaining your control throughout the RFP process. The specific requirements for the business, functional, technical, legal, and pricing areas should be included in the exhibits at the end of the template. That makes it easier to tailor the RFP for each deal, since you and your team can quickly identify specific areas that need modification. Grouping the exhibits together also makes it convenient for both your team to review and the vendors to respond.
• You can use this sample RFP as the basis for your template RFP, taking it all as is or picking and choosing the sections that best meet the mission and objectives of the RFP and your organization.

Download the Long-Form RFP Template

4.3.5 Excel-Form RFP Tool

Several weeks

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all stakeholders agree to

Materials: Excel-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• The Excel-Form RFP Tool is used as an alternative to the other RFP toolsets if you have multiple requirements and have multiple vendors to choose from.
• Requirements are written as a “statement” and the vendor can select from five answers as to their ability to meet the requirements, with the ability to provide additional context and materials to augment their answers, as needed.
• Requirements are listed separately in each tab, for example, Business, Legal, Technical, Security, Support, Professional Services, etc.

Download the Excel-Form RFP Template

Six Steps to Perform RFI/RFP

Answer Vendor Questions

Maintaining your equal and level playing field among vendors

Provide an adequate amount of time from the RFP issue date to the deadline for vendor questions. There may be multiple vendor staff/departments that need to read the RFP and then discuss their response approach and gather any clarifying questions, so we generally recommend three to five business days. There should be one point of contact for all Q&A, which should be submitted in writing via email only. Be sure to plan for enough time to get the answers back from the RFP stakeholders. After the deadline, collect all Q&A and begin the process of consolidating into one document.

Be sure to anonymize both vendor questions and your responses, so as not to reveal who asked or answered the question. Send the document to all RFP respondents via your sourcing tool or BCC in an email to the point of contact, with read receipt requested. That way, you can track who has received and opened the correspondence. Provide the answers a few days prior to the Pre-Proposal Conference to allow all respondents time to review the document and prepare any additional questions. Begin the preparation for the Pre-Proposal Conference.

Six Steps to Perform RFI/RFP

Conduct Pre-Proposal Conference

Maintain an equal and level playing field

• Consolidate all Q&A to be presented to all vendors during the Pre-Proposal Conference.
• If the Pre-Proposal Conference is conducted via conference call, be sure to record the session and advise all participants at the beginning of the call.
• Be sure to have key stakeholders present on the call to answer questions.
• Read each question and answer, after which ask if there are any follow up questions. Be sure to capture them and then add them to the Q&A document.
• Remind respondents that no further questions will be entertained during the remainder of the RFP response period.
• Send the updated and completed document to all vendors (even if circumstances prevented their attending the Pre-Proposal Conference). Use the same process as when you sent out the initial answers: via email, blind copy the respondents and request read/receipt.

“Using a Pre-Proposal Conference allows you to reinforce that there is a level playing field for all of the vendors…that each vendor has an equal chance to earn your business. This encourages and maximizes competition, and when that happens, the customer wins.” (Phil Bode, Principal Research Director, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

Pre-Proposal Conference Agenda

Allow your executive or leadership sponsor to leave the Pre-Proposal Conference after they provide their comments to allow them to continue their day while demonstrating to the vendors the importance of the project.

Six Steps to Perform RFI/RFP

Evaluate Responses

Other important information

Consider separating the pricing component from the RFP responses before sending them to reviewers to maintain objectivity until after you have received all ratings on the proposals themselves. Each reviewer should set aside focused time to carefully read each vendor’s response Read the entire vendor proposal – they spent a lot time and money responding to your request, so please read everything. Remind reviewers that they should route any questions to the vendor through the RFP manager. Using the predetermined ranking system for each section, rate each section of the response, capturing any notes, questions, or concerns as you proceed through the document(s).

Use a proven evaluation method

Two proven methods to reviewing vendors’ proposals are by response and by objective

The first, by response, is when the evaluator reviews each vendor’s response in its entirety.

The second, reviewing by objective, is when the evaluator reviews each vendor’s response to a single objective before moving on to the next.

Maintain evaluation objectivity by reducing response evaluation biases

Evaluation teams can be naturally biased during their review of the vendors’ responses.

You cannot eliminate bias completely – the best you can do is manage it by identifying these biases with the team and mitigating their influence in the evaluation process.

Vendor The evaluator only trusts a certain vendor and is uncomfortable with any other vendor. Evaluate the responses blind of vendor names, if possible.		Account Representatives Relationships extend beyond business, and an evaluator doesn't want to jeopardize them. Craft RFP objectives that are vendor neutral.
Technical A vendor is the only technical solution the evaluator is looking for, and they will not consider anything else. Conduct fair and open solution demonstrations.		Price As humans, we can justify anything at a good price. Evaluate proposals without awareness of price.

Additional insights when evaluating RFPs

When your evaluation team includes a member of the C-suite or senior leadership, ensure you give them extra time to sufficiently review the vendor's responses.		When your questions require a definitive “Yes”/“True” or “No”/“False” responses, we recommend giving the maximum score for “Yes”/“True” and the minimum score for “No”/“False”.
Increase your efficiency and speed of evaluation by evaluating the mandatory requirements first. If a vendor's response doesn't meet the minimum requirements, save time by not reviewing the remainder of the response.		Group your RFP questions with a high-level qualifying question, then the supporting detailed requirements. The evaluation team can save time by not evaluating a response that does not meet a high-level qualifying requirement.

Establish your evaluation scoring scale

Define your ranking scale to ensure consistency in ratings Within each section of your RFP are objectives, each of which should be given its own score. Our recommended approach is to award on a scale of 0 to 5. With such a scale, you need to define every level. Below are the recommended definitions for a 0 to 5 scoring scale. Score Criteria for Rating 5 Outstanding – Complete understanding of current and future needs; solution addresses current and future needs 4 Competent – Complete understanding and adequate solution 3 Average – Average understanding and adequate solution 2 Questionable – Average understanding; proposal questionable 1 Poor – Minimal understanding 0 Not acceptable – Lacks understanding

Weigh the sections of your RFP on how important or critical they are to the RFP

Obtain Alignment on Weighting the Scores of Each Section There are many ways to score responses, ranging from extremely simple to highly complicated. The most important thing is that everyone responsible for completing scorecards is in total agreement about how the scoring system should work. Otherwise, the scorecards will lose their value, since different weighting and scoring templates were used to arrive at their scores. You can start by weighting the scores by section, with all sections adding up to 100%.

Example RFP Section Weights (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)

Protect your negotiation leverage with these best practices

Protect your organization's reputation within the vendor community with a fair and balanced process. Unless you regularly have the evaluators on your evaluation team, always assume that the team members are not familiar nor experienced with your process and procedures. Do not underestimate the amount of preparations required to ensure that your evaluation team has everything they need to evaluate vendors’ responses without bias. Be very specific about the expectations and time commitment required for the evaluation team to evaluate the responses. Explain to the team members the importance of evaluating responses without conflicts of interest, including the fact that information contained within the responses and all discussions within the team are considered company owned and confidential. Include examples of the evaluation and scoring processes to help the evaluators understand what they should be doing. Finally – don’t forget to the thank the evaluation team and their managers for their time and commitment in contributing to this essential decision.

Evaluation teams must balance commercial vs. technical requirements

Do not alter the evaluation weights after responses are submitted. Evaluation teams are always challenged by weighing the importance of price, budget, and value against the technical requirements of “must-haves” and super cool “nice-to-haves.” Encouraging the evaluation team not to inadvertently convert the nice-to-haves to must-haves will prevent scope creep and budget pressure. The evaluation team must concentrate on the vendors’ responses that drive the best value when balancing both commercial and technical requirements.

4.6.1 Evaluation Guidebook

1 hour

Input: RFP responses, Weighted Scoring Matrix, Vendor Response Scorecard

Output: One or two finalists for which negotiations will proceed

Materials: RFP Evaluation Guidebook

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Info-Tech provides an excellent resource for your evaluation team to better understand the process of evaluating vendor response. The guidebook is designed to be configured to the specifics of your RFP, with guidance and instructions to the team.
2. Use this guidebook to provide instruction to the evaluation team as to how best to score and rate the RFP responses.
3. Specific definitions are provided for applying the numerical scores to the RFP objectives will ensure consistency among the appropriate numerical score.

Download the RFP Evaluation Guidebook

4.6.2 RFP Vendor Proposal Scoring Tool

1-4 hours

Input: Each vendor’s RFP response, A copy of the RFP (less pricing), A list of the weighted criteria incorporated into a vendor response scorecard

Output: A consolidated ranked and weighted comparison of the vendor responses with pricing

Materials: Vendor responses, RFP Evaluation Tool

Participants: Sourcing/Procurement, Vendor management

1. Using the RFP outline as a base, develop a scorecard to evaluate and rate each section of the vendor response, based on the criteria predetermined by the team.
2. Provide each stakeholder with the scorecard when you provide the vendor responses for them to review and provide the team with adequate time to review each response thoroughly and completely.
3. Do not, at this stage, provide the pricing. Allow stakeholders to review the responses based on the technical, business, operational criteria without prejudice as to pricing.
4. Evaluators should always be reminded that they are evaluating each vendor’s response against the objectives and requirements of the RFP. The evaluators should not be evaluating each vendor’s response against one another.
5. While the team is reviewing and scoring responses, review and consolidate the vendor pricing submissions into one document for a side-by-side comparison.

Download the RFP Evaluation Tool

4.6.3 Total Cost of Owners (TCO)

Input: Consolidated vendor pricing responses, Consolidated vendor RFP responses, Current spend within your organization for the product/service, if available, Budget

Output: A completed TCO model summarizing the financial results of the RFP showing the anticipated costs over the term of the agreement, taking into consideration the impact of renewals.

Materials: Vendor TCO Tool, Vendor pricing responses

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement

• Use Info-Tech’s Vendor TCO Tool to normalize each vendor’s pricing proposal and account for the lifetime cost of the product.
• Fill in pricing information (the total of all annual costs) from each vendor's returned Pricing Proposal.
• The tool will summarize the net present value of the TCO for each vendor proposal.
• The tool will also provide the rank of each pricing proposal.

Download the Vendor TCO Tool

Conduct an evaluation team results meeting

Follow the checklist below to ensure an effective evaluation results meeting

• Schedule the evaluation team’s review meeting well in advance to ensure there are no scheduling conflicts.
• Collect the evaluation team’s scores in advance.
• Collate scores and provide an initial ranking.
• Do not reveal the pricing evaluation results until after initial discussions and review of the scoring results.
• Examine both high and low scores to understand why the team members scored the response as they did.
• Allow the team to discuss, debate, and arrive at consensus on the ranking.
• After consensus, reveal the pricing to examine if or how it changes the ranking.
• Align the team on the next steps with the applicable vendors.

4.6.4 Consolidated RFP Response Scoring

1-2 hours

Input: Vendor Response Scorecard from each stakeholder, Consolidated RFP responses and pricing, Any follow up questions or items requiring further vendor clarification.

Output: An RFP Response Evaluation Summary that identifies the finalists based on pre-determined criteria.

Materials: RFP Evaluation Tool from each stakeholder, Consolidated RFP responses and pricing.

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Collect from the evaluation team all scorecards and any associated questions requiring further clarification from the vendor(s). Consolidate the scorecards into one for presentation to the team and key decision makers.
2. Present the final scores to the team, with the pricing evaluation, to determine, based on your needs, two or three finalists that will move forward to the next steps of negotiations.
3. Discuss any scores that are have large gaps, e.g., a requirement with a score of one from one evaluator and the same requirement with a score five from different evaluator.
4. Arrive at a consensus of your top one or two potential vendors.
5. Determine any required follow-up actions with the vendors and include them in the Evaluation Summary.

Download the Consolidated Vender RFP Response Evaluation Summary

4.6.5 Vendor Recommendation Presentation

1. Use the Vendor Recommendation Presentation to present your finalist and obtain final approval to negotiate and execute any agreements.
2. The Vendor Recommendation Presentation provides leadership with:
   1. An overview of the RFP, its primary goals, and key requirements
   2. A summary of the vendors invited to participate and why
   3. A summary of each component of the RFP
   4. A side-by-side comparison of key vendor responses to each of the key/primary requirements, with ranking/weighting results
   5. A summary of the vendor’s responses to key legal terms
   6. A consolidated summary of the vendors’ pricing, augmented by the TCO calculations for the finalist(s).
   7. The RFP team’s vendor recommendations based on its findings
   8. A summary of next steps with dates
   9. Request approval to proceed to next steps of negotiations with the primary and secondary vendor

Download the Vendor Recommendation Presentation

4.6.5 Vendor Recommendation Presentation

Caution: Configure templates and tools to align with RFP objectives

Templates and tools are invaluable assets to any RFP process

Phase 5

Negotiate Agreement(s)

Steps 5.1 Perform negotiation process

This phase involves the following participants:

• Procurement
• Vendor management
• Legal
• IT stakeholders
• Finance

Outcomes of this phase

A negotiated agreement or agreements that are a result of competitive negotiations.

Negotiate Agreement(s)

Negotiate Agreement

You should evaluate your RFP responses first to see if they are complete and the vendor followed your instructions. Then you should: Plan negotiation(s) with one or more vendors based on your questions and opportunities identified during evaluation. Select finalist(s). Apply selection criteria. Resolve vendors’ exceptions. Info-Tech Insight Be certain to include any commitments made in the RFP, presentations, and proposals in the agreement – dovetails to underperforming vendor.

Leverage Info-Tech's negotiation process research for additional information

Negotiate before you select your vendor: Negotiating with two or more vendors will maintain your competitive leverage while decreasing the time it takes to negotiate the deal. Perform legal reviews as necessary. Use sound competitive negotiations principles. Info-Tech Insight Providing contract terms in an RFP can dramatically reduce time for this step by understanding the vendor’s initial contractual position for negotiation.

Phase 6

Purchase Goods and Services

Steps 6.1 Purchase Goods & Services

This phase involves the following participants:

• Procurement
• Vendor management
• IT stakeholders

Outcomes of this phase

A purchase order that completes the RFP process.

The beginning of the vendor management process.

Purchase Goods and Services

Purchase Goods and Services

Prepare to purchase goods and services

Prepare to purchase goods and services by completing all items on your organization’s onboarding checklist. Have the vendor complete applicable tax forms. Set up the vendor in accounts payable for electronic payment (ACH) set-up. Then transact day-to-day business: Provide purchasing forecasts. Complete applicable purchase requisition and purchase orders. Be sure to reference the agreement in the PO.

Info-Tech Insight

As a customer, honoring your contractual obligations and commitments will ensure that your organization is not only well respected but considered a customer of choice.

Phase 7

Assess and Measure Performance

Steps 7.1 Assess and measure performance against the agreement

This phase involves the following participants:

• Vendor management
• Business stakeholders
• Senior leadership (as needed)
• IT stakeholders
• Vendor representatives & senior management

Outcomes of this phase

A list of what went well during the period – it’s important to recognize successes

A list of areas needing improvement that includes:

• A timeline for each item to be completed
• The team member(s) responsible

Purchase Goods and Services

Assess and Measure Performance

Measure to manage: the job doesn’t end when the contract is signed.

• Classify vendor
• Assess vendor performance
• Manage improvement
• Conduct periodic vendor performance reviews or quarterly business reviews
• Ensure contract compliance for both the vendor and your organization
• Build knowledgebase for future
• Re-evaluate and improve appropriately your RFP processes

Info-Tech Insight

To be an objective vendor manager, you should also assess and measure your company’s performance along with the vendor’s performance.

Summary of Accomplishment

Problem Solved

Upon completion of this blueprint, guided implementation, or workshop, your team should have a comprehensive, well-defined end-to-end approach to performing a quality sourcing event. Leverage Info-Tech’s industry-proven tools and templates to provide your organization with an effective approach to maintain your negotiation leverage, improve the ease with which you evaluate vendor proposals, and reduce your risk while obtaining the best market value for your goods and services.

Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your competitive negotiations.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Final Thoughts: RFP Do’s and Don’ts

Bibliography

“2022 RFP Response Trends & Benchmarks.” Loopio, 2022. Web.

Corrigan, Tony. “How Much Does it Cost to Respond to an RFP?” LinkedIn, March 2017. Accessed 10 Dec. 2019

“Death by RFP:7 Reasons Not to Respond.” Inc. Magazine, 2013. Web.

Jeffery, Steven, George Bordon, and Phil Bode. The Art of Creating a Quality RFP, 3rd ed. Info-Tech Research Group, 2019.

“RFP Benchmarks: How Much Time and Staff Firms Devote to Proposals.” MarketingProfs, 2020. Web.

“State of the RFP 2019.” Bonfire, 2019. Web.

“What Vendors Want (in RFPs).” Vendorful, 2020. Web.

Related Info-Tech Research

	Prepare for Negotiations More Effectively Negotiations are about allocating risk and money – how much risk is a party willing to accept at what price point? Using a cross-functional/cross-insight team structure for negotiation preparation yields better results. Soft skills aren’t enough and theatrical negotiation tactics aren’t effective.
	Understand Common IT Contract Provisions to Negotiate More Effectively Focus on the terms and conditions, not just the price. Too often, organizations focus on the price contained within their contracts, neglecting to address core terms and conditions that can end up costing multiples of the initial price. Lawyers can’t ensure you get the best business deal. Lawyers tend to look at general terms and conditions for legal risk and may not understand IT-specific components and business needs.
	Jump Start Your Vendor Management Initiative Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service-level objectives and that risks are mitigated according to the organization's risk tolerance. Visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

Secure IT/OT Convergence

Create a holistic IT/OT security culture.

Analyst Perspective

Are you ready for secure IT/OT convergence?

IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

Ida Siahaan Research Director, Security and Privacy Practice Info-Tech Research Group

Executive Summary

Info-Tech Insight

Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Consequences of unsecure IT/OT convergence

OT systems were built with no or little security design 90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

(Source: Fortinet, 2021.)

Lack of visibility 86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

The need for secure IT/OT convergence

Important Industrial Control System (ICS) cyber incidents

2000 Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.	2012 Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.	2014 Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.	2017 Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.	2022 Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
1903 Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”	2010 Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).	2013 Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers	2016 Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.	2021 Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.

(Source: US Department of Energy, 2018.

”Significant Cyber Incidents,” CSIS, 2022

MIT Technology Review, 2022.)

Info-Tech Insight

Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

The Secure IT/OT Convergence Framework

Phases Plan Enhance Monitor & Optimize

Plan Outcomes Mapping business goals to IT/OT security goals RACI chart for priorities and accountabilities Compliance obligations register Readiness checklist Enhance Outcomes Security strategy for IT/OT convergence Risk management framework Security policies & procedures IR, DR, BCP Monitor & Optimize Outcomes Security awareness and training Security architecture and controls

Plan Benefits Improved flexibility and less divided IT/OT Improved compliance Enhance Benefits Increased strategic common goals Increased efficiency and versatility Monitor & Optimize Benefits Enhanced security Reduced costs

Plan

Initiate communication

Map organizational goals to IT/OT security goals

Input: Corporate, IT, and OT strategies

Output: Your goals for the security strategy

Materials: Secure IT/OT Convergence Requirements Gathering Tool

Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

1. As a group, brainstorm organization goals.
   1. Review relevant corporate, IT, and OT strategies.
2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Secure IT/OT Convergence Requirements Gathering Tool

Record organizational goals

Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
2. For each of your organizational goals, identify IT alignment goals.
3. For each of your organizational goals, identify OT alignment goals.
4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

Establish scope and boundaries

It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.

Record scope and boundaries

Refer to the Secure IT/OT Convergence Framework when filling in the following elements: Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool. For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

Plan

Define roles and responsibilities

Input: List of relevant stakeholders

Output: Roles and responsibilities for the secure IT/OT convergence program

Materials: Secure IT/OT Convergence RACI Chart Tool

Participants: Executive leadership, OT leader, IT leader, Security leader

There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

• Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
• Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
• Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
• Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Secure IT/OT Convergence RACI Chart Tool

Define RACI Chart

Plan

Establish governance and build cross-functional team

To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

Info-Tech Insight

To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

Centralized security governance model example

Plan

Identify convergence elements and compliance obligations

Identify compliance obligations

Source: ENISA, 2013 DHS, 2009.

OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive. OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties. It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

(Source: Cooksley, 2021)

IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer. In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction. For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level. For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

Record your compliance obligations

Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include: Laws Government regulations Industry standards Contractual agreements Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.

Plan

Assess readiness

Readiness checklist for secure IT/OT convergence

(Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)

Enhance

Update security strategy

To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.

(Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)

OT system life cycle is like the IT system life cycle, starting with architectural design and ending with decommissioning. Currently, IT only gets involved from installation or maintenance, so they may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle. Finally, it is necessary to have propositional sharing of responsibilities between IT leaders, security leaders, and OT leaders who have broader responsibilities.

Enhance

Update risk management framework

The need for asset and threat taxonomy

One of issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may deteriorate a machine or take a machine offline and may not be applicable. For example, some facilities run with reliability of 99.999%, which only allows maximum of 5 minutes and 35 seconds or less of downtime per year. Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats cand help. Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment, e.g. running an antivirus tool on OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.

(Source: ENISA, 2018.)

Enhance

Update security policies and procedures

Policy hierarchy example

This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.

Enhance

Update IR, DR, and BCP

A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)

1. Customize organizational chart for IT/OT IR, DR, BCP based on governance and management model.
   E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
2. Adjust the authority of the new organizational chart and decide if it requires additional staffing.
   E.g. full authority, shared authority. (Software Engineering Institute, 2003)
3. Update IR plan, DR plan, and BCP for IT/OT convergence.
   E.g. incorporate zero trust principles for converge network
4. Testing updated IR plan, DR plan, and BCP.

Optimize

Implement awareness, induction, and cross-training

Awareness may not correspond to readiness

Certifications

One of issues in certification is the complexity on relevancy in topics with respect to roles and levels. An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications. Specific cybersecurity certification of ICS/SCADA Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course. Other relevant certification schemes Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP). Safety Certifications Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

(Source: ENISA, 2015.)

Optimize

Design and deploy converging security architecture and controls

IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred as “OT High-Security Zone” and the topmost layer is “IT Low-Security Zone.” In this model, each layer has its own set of controls configured and acts like an additional layer of security for the zone underneath it. The data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified to pass to another zone based on the need-to-know principle. In the normal control flow within the “OT High-Security Zone” from level 3 to level 0, the traffic must be verified to pass to another level based on the principle of least privilege. Remote access (dotted arrow) is allowed under strict access control and change control based on the zero-trust principle with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone” This model simplifies the security process, as if the lower layers have been compromised, then the compromise can be confined on that layer, and it also prevents lateral movement as access is always verified.

(Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)

Off-the-shelf solutions

Getting the right recipe: What criteria to consider?

Visibility and Asset Management Passive data monitoring using various protocol layers, active queries to devices, or parsing configuration files of OT, IoT, and IT environments on assets, processes, and connectivity paths. Threat Detection, Mitigation, and Response (+ Hunting) Automation of threat analysis (signature-based, specification-based, anomaly-based, sandboxing) not only in IT but also in relevant environments, e.g. IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics. Risk Assessment and Vulnerability Management Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management. Usability, Architecture, Cost The user and administrative experience, multiple deployment options and extensive integration capabilities, and affordability.

Optimize

Establish and monitor IT/OT security metrics for effectiveness and efficiency

Further information

Related Info-Tech Research

Build an Information Security Strategy Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Preparing for Technology Convergence in Manufacturing Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication. Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Implement a Security Governance and Management Program Your security governance and management program needs to be aligned with business goals to be effective. This approach also helps provide a starting point to develop a realistic governance and management program. This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

Bibliography

Bibliography

Research Contributors and Experts

Jeff Campbell Manager, Technology Shared Services Horizon Power, AU Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors. Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability. As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

Christopher Harrington Chief Technology Officer (CTO) Carolinas Telco Federal Credit Union Frank DePaola Vice President, Chief Information Security Officer (CISO) Enpro Kwasi Boakye-Boateng Cybersecurity Researcher Canadian Institute for Cybersecurity

Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
• The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

• Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
• Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

• Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
• Our unique approach:
• Assess resources and determine zero trust readiness.
• Address barriers and identify enablers.
• Prioritize initiatives and build out roadmap.
• Identify most appropriate vendors via vendor selection framework.
• Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

• Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
• Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
• To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
• Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
• To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

• Vendors use zero trust as a marketing buzzword.
• Organizations try to comprehend zero trust in their own limited views.
• Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

Info-Tech’s methodology for Building a Zero Trust Roadmap

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

• A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
• Improved security posture across the digital attack surface while focusing on the protect surface.
• An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

• Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
• Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
• Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
• Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

• This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
• Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

• Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
• Provide support for mobile and external partners.
• Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
• Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Workshop Overview

Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Identify and define the business goals.
• Identify the critical DAAS elements and protect surface.
• Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

• Security Team
• Business Executives
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

• Security leaders need to understand the direction the business is headed in.
• Wise security investments depend on aligning your security initiatives to business objectives.
• Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
• For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

Info-Tech Insight

Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

1. As a group, brainstorm the business goals of the organization.
2. Review relevant business and IT strategies.
3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

• Business and IT strategies

Output

• Prioritized list of business objectives

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders
• Risk Management
• Compliance
• Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

Understand protect surface

Data, Application, Asset, and Services

A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

Components of a protect surface

• Data
• Application
• Asset
• Services

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

Sample Scenario

INDUSTRY: Healthcare

SOURCE: Info-Tech Research Group

Illustration

A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

• What is the data that can’t be risked exfiltrated?
• What application(s) is used to access this data?
• What assets are used to generate and store the data?
• What are the services we rely on to be able to access the data?

DAAS Element

• The data here is the patient information.
• The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
• The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
• The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

DAAS and Zero Trust Pillar

This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

Shift from attack surface to protect surface

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

1.2 Identify critical DAAS elements

Estimated time 1-3 hours

1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.

• Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
• Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
• Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
• Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.

Download the Zero Trust Protect Surface Mapping Tool

Input

• Critical resources to protect
• Understanding of how they interoperate or connect

Output

• Protect surfaces

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders

1.3 Map business goals to critical DAAS elements

Estimated time 1-2 hours

1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.

• Each protect surface can be tied back to a business objective.

• Type in your business objectives if the drop-down list does not apply.

Download the Zero Trust Protect Surface Mapping Tool

Phase 2

Assess Key Capabilities and Identify Zero Trust Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Assess the organization’s current capabilities.
• Define the zero trust target state.
• Identify tasks to close gaps
• Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

The Info-Tech Zero Trust Framework

Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

• ACT Zero Trust Cybersecurity Current Trends. 2019
• NIST SP 800-207: Zero Trust Architecture. 2020
• DOD Zero Trust Reference Architecture. 2021
• NSA Embracing a Zero Trust Security Model. 2021
• CISA Zero Trust Maturity Model. 2021
• Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
• OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
• NSTAC Zero Trust and Trusted Identity Management. 2022
• NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

Identity

• Authentication
• Authorization
• Privileged Access Management

Applications

• Software Defined Compute
• DevSecOps
• Software Supply Chain

Devices

• Authentication
• Authorization
• Compliance

Networks

• Software Defined Networking
• Macro Segmentations
• Micro Segmentation

Data

• Software Defined Storage
• Data Loss Prevention
• Data Rights Management

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

2.1 Review the Info-Tech framework

Estimated time 30-60 minutes

1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
2. Customize the tool as required using the instructions in tab “2. Setup”:

• Define costing criteria
• Define benefits criteria
• Configure full-time equivalent hours and start year
• Input business goals as mapped to protect surfaces (see next slide)

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives

Output

• Customized framework

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT

2.1.1 Input business goals as mapped to protect surfaces

Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

1. Enter Business Goals.
2. Enter Protect Surfaces.
3. Enter Data.
4. Enter Application.
5. Enter Assets.
6. Enter Services.

Info-Tech Insight

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

2.2 Assess current capabilities and define zero trust target state

Estimated time 6-12 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives
• Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Current-state and target-state assessment for gap analysis

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

Understanding security target states

Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

AD HOC 01

Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

DEVELOPING 02

Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

DEFINED 03

A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

MANAGED 04

Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

OPTIMIZED 05

An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

2.2.1 Conduct current-state assessment

1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.

• Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.

Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

2.2.2 Review the Gap Analysis Dashboard

1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
2. Use the color-coded legend to see the size of the gap between your current and target state.
3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”

2.3 Identify tasks to close gaps

Estimated time 5 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Zero trust controls gap information

Output

• Gap closure task list

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

2.3 Identify tasks to close gaps (cont.)

1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:

• Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
• The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps require their own task. You can enter one task that may address multiple gaps.
• Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.

Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

2.4 Define tasks and initiatives

Estimated time 2-4 hours

1. As a group, review the gap tasks identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your tab “5. Task List.”
3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• Gap analysis

Output

• Refined list of tasks
• List of zero trust initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.4.1 Finalize your task list

1. Define the gap closure task list in tab “5. Task List”:
1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
2. Paste the list into the table in tab “5. Task List,” Task column.

• Use Paste Values to retain the table formatting.

• They have costs associated with them.
• They require initial effort to implement and ongoing effort to maintain.
• They must be accomplished dependently of other tasks.

1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”

Example: Initiative consolidation

In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

Info-Tech Insight

As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

2.4.2 Finalize your initiative list

1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

2.5 Align initiatives to business goals and protect surfaces

Estimated time 30-60 minutes

1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• List of zero trust initiatives
• Protect surfaces mapped to business objectives

Output

• List of zero trust initiatives aligned to business goals and protect surfaces

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.5.1 Align initiatives to business goals

1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
1. Use the legend to determine the most appropriate business goal(s).
2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.

2.5.2 Align initiatives to protect surfaces

1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
1. Use the legend to determine the most appropriate protect surface(s).
2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.

Phase 3

Evaluate Candidate Solutions and Finalize Roadmap

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Define solution criteria.
• Identify candidate solutions.
• Evaluate candidate solutions.
• Perform cost/benefit analysis.
• Prioritize initiatives and build roadmap.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

3.1 Define solution criteria

Estimated time 30-60 minutes

1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
2. Customize the tool as required using the instructions on the following slides.

Info-Tech Insight

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Download the Zero Trust Candidate Solutions Selection Tool

Input

• Zero trust initiative list

Output

• Zero trust candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

3.1.1 Define compliance and solution evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the compliance score and the solution score, which are the overall evaluation:

• Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
• Solution score consists of features score, usability score, affordability score, and architecture score.

3.1.2 Define remaining evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the remaining evaluation criteria:

• Tenets: Considers how well each initiative aligns with zero trust principles.
• Pillars: Considers how well each initiative aligns with zero trust pillars.
• Threats: Considers what zero trust threats are relevant with the candidate solution.
• Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
• Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
• Deployment Architecture: Considers the solutions deployment architecture capabilities.

Review available candidate solutions

The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

Download the Rapid Application Selection Framework research

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Sample whiteboard activity

• Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
• A sample sticky note is provided below for privileged access management.

• The PAM solution should support MFA
• Live session monitoring, audit, and reporting
• Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

3.2 Identify candidate solutions

Estimated time 2 hours

1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:

• Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

Input

• Candidate solutions for zero trust tasks and initiatives

Output

• Suitability evaluation of candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Info-Tech Insight

Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

Download the Zero Trust Candidate Solutions Selection Tool

3.2.1 Review candidate solutions

1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

3.3 Evaluate candidate solutions

Estimated time 3 hours

On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

Input

• Candidate solutions

Output

• Candidate solutions scored

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Download the Zero Trust Candidate Solutions Selection Tool

3.3.3 Evaluate solution scores

After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

1. On Features
   1. Enter Coverage.
   2. Enter Quality.
2. Enter Usability.
3. On Affordability
   1. Enter Initial Cost.
   2. Enter Ongoing Cost (annual).
4. Enter Architecture.

3.4 Perform cost/benefit analysis

Estimated time 1-2 hours

1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
2. Define dependencies or business impacts if they will help with prioritization.

Input

• Ranked candidate solutions
• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.4.1 Complete the cost/benefit analysis

Use Zero Trust Program Gap Analysis Tool.

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• Use the result from candidate selection to define the estimated costs.
• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

3.4.2 Optionally enter detailed cost estimates

Use Zero Trust Program Gap Analysis Tool.

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:

• You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
• You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
• You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

3.5 Prioritize initiatives

Estimated time 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:

• Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
• Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.5.1 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

1. Establish the axes and colors for your effort map:
1. X-axis represents the Benefit value from column J
2. Y-axis represents the Cost/Effort value from column H
3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

Input

• Outputs from activities 3.4.1 and 3.4.2

Output

• High-level prioritization for each of the gap-closing initiatives
• Visual representation of quantitative values

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.2 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

Input

• Outputs from activity 3.5.1

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.3 Refine the effort map’s visual output

30 minutes

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
2. Leverage the following 0-4 Execution Wave scale:
0. Underway –Initiatives that are already underway
1. Must Do – Initiatives that must happen right away
2. Should Do – Initiatives that should happen but need more time/support
3. Could Do – Initiatives that are not a priority
4. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the a-z scale.

• Use the lettering to track dependencies between initiatives.
• If one must take place before another, ensure that its letter comes first alphabetically.
• If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

Input

• Outputs from activity 3.5.2

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Wave assignment example

In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

3.6 Build roadmap

Estimated time 2-3 hours

1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list

Output

• Zero trust roadmap

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.6.1 Schedule initiatives using the Gantt chart

1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.

• You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
• You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
• 

3.6.2 Review your roadmap

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:

• Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
• Does your organization have regular change freezes throughout the year that will impact the schedule?
• Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
• Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
• Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.6.3 Review your cost/effort estimates table

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:

• Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
• If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

This table provides you with the information to have important conversations with management and stakeholders.

Phase 4

Formulate Policies for Roadmap Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Formulate zero trust policies for critical DAAS elements.
• Formulate zero trust policies to secure a path to access critical DAAS elements.

This phase involves the following participants:

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Understand the zero trust policy

Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
The policies help to prevent lateral movement.

Info-Tech Insight

The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

4.1.1 Formulate policy

Estimated time 1-2 hours

1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
2. The policy created should be consistent for both cloud and on-prem environments.
3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

4.1.2 Apply policy

1-2 hours

1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
2. Name the microperimeter and place it on a firewall.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Sticky Notes
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Microperimeter A
Protect Surface:
DAAS Elements:

Microperimeter B
Protect Surface:
DAAS Elements:

Microperimeter C
Protect Surface:
DAAS Elements:

4.2 Secure a path to access critical DAAS elements

How should you allow access to the resource?

This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

Conceptualized flow

With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

Phase 5

Monitor Zero Trust Roadmap Deployment

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Establish metrics for roadmap tasks.
• Track metrics for roadmap tasks.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

5.1 Establish metrics for roadmap tasks

Estimated time 2 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

Input

• Zero trust roadmap task list

Output

• Metrics for measuring zero trust task implementation and efficacy

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.1.1 Identify metrics to measure implementation and efficacy of tasks

Estimated time 3-4 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.

• If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

Info-Tech Insight

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

5.1.2 Document metric metadata

Estimated time 1-2 hours

For each metric defined in step 4.1.1:

1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).

• Add more columns under the Audience category if needed.
• Use “X” to identify if an audience group will be informed of the measurement of the metric.

5.2 Track and report metrics

Estimated time 2 hours

1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

Input

• Metrics for measuring zero trust task implementation and efficacy

Output

• Metric data and graphs for presenting zero trust implementation metrics to audience groups

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.2.1 Record baseline measurements for metrics

Estimated time 1-2 hours

On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
   (e.g. if any metric is being measured monthly, there should be one column per month)
4. Over time, conduct measurements of your metrics and store them in the table below.
5. Add notes, as necessary.

5.2.2 Report metric health to audience groups

Estimated time 1-2 hours

On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
3. Six different graphic representations of the tracked data for the selected metric will populate.

Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

5.3 Build a communication deck

Estimated time 2 hours

Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

In this communication deck template, you will find the following sections:

• Introduction
• Protect Surfaces
• Zero Trust Gap Analysis
• Zero Trust Initiatives & Tasks

Input

• Protect surfaces mapped to business goals
• Zero trust program gap analysis
• Zero trust roadmap initiatives and tasks
• Zero trust metrics

Output

• Communication deck for zero trust strategy

Materials

• Zero Trust Communication Deck

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Communication Deck

Summary of Accomplishment

Knowledge Gained

• Knowledge of protect surfaces and the business goals protecting them supports
• Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
• Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
• A defined set of security metrics assessing zero trust implementation progress and efficacy

Deliverables Completed

• Zero Trust Protect Surface Mapping Tool
• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool
• Zero Trust Progress Monitoring Tool
• Zero Trust Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Zero Trust Program Gap Analysis Tool

Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

Zero Trust Progress Monitoring Tool

Identify and track metrics for zero trust tasks and initiatives.

Research Contributors

• Aaron Benson, CME Group, Director of IAM Governance
• Brad Mateski, Zones, Solutions Architect for CyberSecurity
• Bob Smock, Info-Tech Research Group, Vice President of Consulting
• Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
• John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
• John Zhao, Fonterra, Enterprise Security Architect
• Rongxing Lu, University of New Brunswick, Associate Professor
• Sumanta Sarkar, University of Warwick, Assistant Professor
• Tim Malone, J.B. Hunt Transport, Senior Director Information Security
• Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

Related Info-Tech Research

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

Determine Your Zero Trust Readiness

IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

Mature Your Identity and Access Management Program

Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

• Assess identity and access requirements
• Identify initiatives using the identity lifecycle
• Prioritize initiatives and build a roadmap

Bibliography

• “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
• “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
• “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
• Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
• “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
• “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
• Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
• “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
• English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
• “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
• “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
• Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
• “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
• Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
• Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
• Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
• National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
• NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
• Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
• “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
• Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
• “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
• “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
• Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
• Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
• Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
• VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
• Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
• “Zero Trust Access.” Fortinet, n.d. Web.
• “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
• “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
• “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

Achieve IT Spend & Staffing Transparency

Lay a foundation for meaningful conversations with the business.

Analyst Perspective

Take the first step in your IT spend journey.

Talking about money is hard. Talking to the CEO, CFO, and other business leaders about money is even harder, especially if IT is seen as just a cost center, is not understood by stakeholders, or is simply taken for granted. In times of economic hardship, already lean IT operations are tasked with becoming even leaner.

When there's little fat to trim, making IT spend decisions without understanding the spend's origin, location, extent, and purpose can lead to mistakes that weaken, not strengthen, the organization.

The first step in optimizing IT spend decisions is setting a baseline. This means having a comprehensive and transparent view of all technology spend, organization-wide. This baseline is the only way to have meaningful, data-driven conversations with stakeholders and approvers around what IT delivers to the business and the implications of making changes to IT funding.

Before stepping forward in your IT financial management journey, know exactly where you're standing today.

Jennifer Perrier
Principal Research Director, ITFM Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Create transparency in your IT financial data to power both collaborative and informed technology spend decisions.

IT spend has grown alongside IT complexity

Growth creates change ... and challenges

IT has become more integral to business operations and achievement of strategic goals, driving complexity in how IT funds are allocated and managed.

ITFM capabilities haven't grown with IT spend

IT still needs to prove itself.

Increased integration with the core business has made it a priority for the head of IT to be well-versed in business language and practice, specifically in the areas of measurement and financial management.

However, IT staff across all industries aren't very confident in how well IT is doing in managing its finances via three core processes:

• Accounting of costs and budgets.
• Optimizing costs to gain the best return on investment.
• Demonstrating IT's value to the business.

Recent data from 4,137 respondents to Info-Tech's IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing them.

IT leadership's capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and showing how IT contributes to business value.

Source: IT Management & Governance Diagnostic, Info-Tech Research Group, 2022.

Take the perspective of key IT stakeholders as a first step in ITFM capability improvement

Other business unit leaders need to deliver on their own specific and unique accountabilities. Create true IT spend transparency by accounting for these multiple perspectives.

Exactly how is IT spending all that money we give them?
Many IT costs, like back-end infrastructure and apps maintenance, can be invisible to the business.

Why doesn't my department get more support from IT?
Some business needs won't align with spend priorities, while others seem to take more than their fair share.

Does the amount we spend on each IT service make sense?
IT will get little done or fall short of meeting service level requirements without appropriate funding.

I know what IT costs us, but what is it really worth?
Questions about value arise as IT investment and spend increase. How to answer these questions is critical.

At the end of the day, telling IT's spend story to the business is a significant challenge if you don't understand your audience, have a shared vocabulary, or use a repeatable framework.

Mapping your IT spend against a reusable framework helps generate transparency

A framework makes transparency possible by simplifying methods, creating common language, and reducing noise.

However, the best methodological framework won't work if the materials and information plugged into it are weak. With IT spend, the materials and information are your staff and your vendor financial data. To achieve true transparency, inputs must have the following three characteristics:

A framework is an organizing principle. When it comes to better understanding your IT spend, the things being organized by a framework are your method and your data.

If your IT spend information is transparent, you have an excellent foundation for having the right conversations with the right people in order to make strategically impactful decisions.

Info-Tech's approach enables meaningful dialogue with stakeholders about IT spend

Investing time in preparing and mapping your IT spend data enables better IT governance

While other IT spend transparency methods exist, Info-Tech's is designed to be straightforward and tactical.

Put your data to work instead of being put to work by your data.

Introducing Info-Tech's methodology for creating transparency on technology spend

Insight Summary

Overarching insight
Take the perspective of key stakeholders and lay out your organization's complete IT spend footprint in terms they understand to enable meaningful conversations and start evolving your IT financial management capability.

Phase 1 insight
Your IT spend transparency efforts are only useful if you actually do something with the outcomes of those efforts. Be clear about where you want your IT transparency journey to take you.

Phase 2 insight
Your IT spend transparency efforts are only as good as the quality of your inputs. Take the time to properly source, clean, and organize your data.

Phase 3 insight
Map your IT staff spend data first. It involves work but is relatively straightforward. Practice your mapping approach here and carry forward your lessons learned.

Phase 4 insight
The importance of good, usable data will become apparent when mapping your IT vendor spend. Apply consistent and meaningful vendor labels to enable true aggregation and insight.

Phase 5 insight
Communicating your final IT spend transparency mapping with executive stakeholders is your opportunity to debut IT financial management as not just an IT issue but an organization-wide concern.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

Use this tool in Phases 1-4

IT Spend & Staffing Transparency Workbook

Input your IT staff and vendor spend data to generate visual outputs for analysis and presentation in your communications.

Key deliverable:

IT Spend & Staffing Transparency Executive Presentation

Create a showcase for your newly-transparent IT staff and vendor spend data and present it to key business stakeholders.

Use this tool in Phase 5

IT and business blueprint benefits

Measure the value of this blueprint

You will know that your IT spend and staffing transparency effort is succeeding when:

• Your understanding of where technology funds are really being allocated is comprehensive.
• You're having active and meaningful dialogue with key stakeholders about IT spend issues.
• IT spend transparency is a permanent part of your IT financial management toolkit.

In phase 1 of this blueprint, we will help you identify initiatives where you can leverage the outcomes of your IT spend and staffing transparency effort.

In phases 2, 3, and 4, we will guide you through the process of mapping your IT staff and vendor spend data so you can generate your own IT spend metrics based on reliable sources and verifiable facts.

Win #1: Knowing how to reliably source the financial data you need to make decisions.

Win #2: Getting your IT spend data in an organized format that you can actually analyze.

Win #3: Having a framework that puts IT spend in a language stakeholders understand.

Win #4: Gaining a practical starting point to mature ITFM practices like cost optimization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

Info-Tech recommends the following calls in your Guided Implementation.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between four to six calls over the course of two to three months.

Want even more help with your IT spend transparency effort?

Let us fast-track your IT spend journey.

The path to IT financial management maturity starts with knowing exactly where your money is going. To streamline this effort, Info-Tech offers an IT Spend & Staffing Benchmarking service that provides full transparency into where your money is going without any heavy lifting on your part.

This unique service features:

• A client-proven approach to meet your IT spend transparency goals.
• Vendor and staff spend mapping that reveals business consumption of IT.
• Industry benchmarking to compare your spending and staffing to that of your peers.
• Results in a fraction of the time with much less effort than going it alone.
• Expert review of results and ongoing discussions with Info-Tech analysts.

If you'd like Info-Tech to pave the way to IT spend transparency, contact your account manager for more information - we're happy to talk anytime.

Phase 1

Know Your Objectives

This phase will walk you through the following activities:

• Establish IT spend and staffing transparency uses and objectives
• Assess your readiness to tackle IT spend and staffing transparency

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 1: Know your objectives

Envision what transparency can do.

You're at the very beginning of your IT spend transparency journey. In this phase you will:

• Set your objectives for making your IT spend and staffing transparent.
• Assess your readiness to tackle the exercise and gauge how much work you'll need to do in order to do it well.

"I've heard this a lot lately from clients: 'I've got my hands on this data, but it's not structured in a way that will allow me to make any decisions about it. I have these journal entries and they have some accounting codes, GL descriptors, cost objects, and some vendors, but it's not enough detail to make any decisions about my services, my applications, my asset spend.'"
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group

Transparency positively enables both business outcomes and the practice of business ethics

However, transparency's real superpower is in how it provides fact-based context.

• More accurate and relevant data for decision-making.
• Better managed and more impactful financial outcomes.
• Increased inclusion of people in the decisions that affect them.
• Clearer accountabilities for organizational efficiency and effectiveness goals.
• Concrete proof that business priorities and decisions are being acted on and implemented.
• Greater trust and respect between IT and the business.
• Demonstration of integrity in how funds are being used.

IT spend transparency efforts are only useful if you actually do something with the outputs

Identify in advance how you plan to leverage IT spend transparency outcomes.

CFO expense view

• Demonstrate actual IT costs at the right level of granularity.
• Update/change the categories finance uses to track IT spend.
• Adjust the expected CapEx/OpEx ratio.

CXO business view

• Calculate consumption of IT resources by department.
• Implement a showback/chargeback mechanism.
• Change the funding conversation about proposed IT projects.

CIO service view

• Calculate the total cost to deliver a specific IT service.
• Adjust the IT service spend-to-value ratio as per business priorities.
• Rightsize IT service levels to reflect true value to the business.

CEO innovation view

• Formalize the organization's position on use of cloud/outsourcing.
• Reduce the portion of spend dedicated to "keeping the lights on."
• Develop a plan for boosting commitment to innovation investment.

When determining your end objectives, think about the real questions IT is being asked by the business and how IT spend transparency will help you answer them.

CFO: Financial accounting perspective

IT spend used to be looked at from a strictly financial accounting perspective - this is the view of the CFO and the finance department. Their question, "exactly how is IT spending all that money we give them," is really about how money is distributed across different asset classes. This question breaks down into other questions that IT leaders needs to ask themselves in order to provide answers:

• How should I classify my IT costs? What are the standard categories you need to have that are meaningful to folks crunching the corporate numbers? If you're too detailed, it won't make sense to them. If you pick outmoded categories, you'll have to adjust in the future as IT evolves, which makes tracking year-over-year spend patterns harder.
• What information should I include in my plans and reports? This is about two things. One is about communicating with the finance department in language that reduces back-and-forth and eliminates misinterpretation. The other is about aligning with the categories the finance department uses to track financial data in the general ledger.
• How do I justify current spend? This is about clarity and transparency. Specifically itemizing spend into categories that are meaningful for your audience does a lot of justification work for you since you don't have to re-explain what everything means.
• How do I justify a budget increase? In a declining economy, this question may not be appropriate. However, establishing a baseline puts you in a better position to discuss spend requirements based on past performance and to focus the conversation.

Exactly how is IT spending all that money we give them?

CIO: IT operations management perspective

As the CIO role was adopted, IT spend was viewed from the IT operations management perspective. Optimizing the IT delivery model is a critical step to reducing time to provision services. For the IT leader, the questions they need to ask themselves are:

• What's the impact of cloud adoption on speed of delivery? Leveraging a SaaS solution can reduce time to deployment as well as increase your ability to scale; however, integration with other functionality will still be a challenge that will incur costs.
• Where can I improve spend efficiency? This is about optimizing spend in your IT delivery model. What service levels does the business require and what's the most cost-effective way to meet those levels without incurring significant technical debt?
• Is my support model optimized? By reviewing where support staff are focused and which services are using most of your resources, you can investigate underlying drivers of your staffing requirements. If staff costs in support of a business function are high, perhaps the portfolio of applications needs to be reviewed.
• How does our spend compare to others? Benchmarking against peers is a useful input, but reflects common practice, not best practice. For example, if you need to invest in IT security, your entire industry is lagging on this front, and you happen to be doing slightly better than most, then bringing forth this benchmark won't help you make the case. Starting with year-over-year internal benchmarking is essential - establish your categories, establish your baseline, and track it consistently.

Does the amount we spend on each IT service make sense?

CXO: Business unit perspective

As business requests have increased, so too has the importance of the business unit perspective. Each business function has a unique mandate to fulfill in the organization and also competes with other business functions for IT resources. By understanding business consumption of IT, organizations can bring transparency and drive a different dialog with their business partners. Every IT leader should find out the answers to these questions:

• Which business units consume the most IT resources? By understanding consumption of IT by business function, IT organizations can clearly articulate which business units are getting the highest share of IT resources. This will bring much needed clarity when it comes to IT spend prioritization and investment.
• Which business units are underserved by IT? By providing full transparency into where all IT spend is consumed, organizations can determine if certain business functions may need increased attention in an upcoming budget cycle. Knowing which levers to pull is critical in aligning IT activities with delivering business value.
• How do I best communicate spend data internally? Different audiences need information presented to them differently. This is not just about the language - it's also about the frequency, format, and channel you use. Ask your audiences directly what methods of communication stand the best chance of you being seen and heard.
• Where do I need better business sponsorship for IT projects? If a lot of IT spend is going toward one or two business units, the leaders of those units need to be active sponsors of IT projects and associated spend that will benefit all users.

Why doesn't my business unit get more support from IT?

CEO: Strategic vs. operations perspective

With a business view now available, evaluating IT spend from a strategic standpoint is critical. Simply put, how much is being spent keeping the lights on (KTLO) in the organization versus supporting business or organizational growth versus net-new business innovations? This view is not about what IT costs but rather how it is being prioritized to drive revenue, operating margin, or market share. Here are the questions IT leaders should be asking themselves along with the organization's executive leadership and the CEO:

• Why is KTLO spend so high? This question is a good gauge of where the line is drawn between operations and strategy. Many IT departments want to reduce time spent on maintenance and redeploy resource investment toward strategic projects. This reallocation must include retiring or eliminating technologies to free up funds.
• What should our operational spend priorities be? Maintenance and basic operations aren't going anywhere. The issue is what is necessary and what could be done more wisely. Are you throwing good money after bad on a high-maintenance legacy system?
• Which projects and investments should we prioritize? The answer to this question should tightly align with business strategic goals and account for the lion's share of growth and innovation spend.
• Are we spending enough on innovative initiatives? This is the ultimate dialogue between business partners, the CEO, and IT that needs to take place, yet often doesn't.

I know what IT costs us, but what is it really worth?

Be clear about where you want your IT spend transparency journey to take you in real life

Transparent IT spend data will allow you to have conversations you couldn't have before. Consider this example of how telling an IT spend story could evolve.

I want to ...
Analyze the impact of the cloud on IT operating expenditure to update finance's expectations of a realistic IT CapEx/OpEx ratio now and into the future.

To address the problem of ...

• Many of our key software vendors have eliminated on-premises products and only offer software as an OpEx service.
• Assumptions that modern IT solutions are largely on-premises and can be treated as capitalizable assets are out-of-date and don't reflect IT financial realities.

And will use transparency to ...

• Provide the CFO with specific, accurate, and annotated OpEx by product/service and vendor for all cloud-based and on-premises solutions.
• Facilitate a realistic calculation of CapEx/OpEx distribution based on actuals, as well as let us develop defendable projections of OpEx into the future based on typical annual service fee increases and anticipated growth in the number of users/licenses.

1.1 Establish ITFM objectives that leverage IT spend transparency

Duration: One hour

1. Consider the problems or issues commonly voiced by the business about IT, as well as your own ongoing challenges in communicating with stakeholders. Document these problems/issues as questions or statements as spoken by a person. To help structure your brainstorming, consider these general process domains and examples:
   1. Spend tracking and reporting. E.g. Why is IT's OpEx so high? We need you to increase IT's percentage of CapEx.
   2. Service levels and business continuity. E.g. Why do we need to hire more service desk staff? There are more of them in IT than any other role.
   3. Project and operations resourcing. E.g. Why can't IT just buy this new app we want? It's not very expensive.
   4. Strategy and innovation. E.g. Did output increase or decrease last quarter per input unit? IT should be able to run those reports for us.
2. For each problem/issue noted, identify:
   1. The source(s) of the question/concern (e.g. CEO, CFO, CXO, CIO).
   2. The financial process involved (e.g. accurate costing, verification of costs, building a business case to invest).
3. For each problem/issue, identify a broader project-style initiative where having transparent IT spend data is a valuable input. One initiative may apply to multiple problems/issues. For each initiative:
   1. Give it a working title.
   2. State the goal for the initiative with reference to ITFM aspirations.
   3. Identify key stakeholders (these will likely overlap with the problem/issue source).
   4. Set general time frames for resolution.

Document your outputs on the slide immediately following the instruction slides for this exercise. Examples are included.

1.1 Establish ITFM objectives that leverage IT spend transparency

ITFM initiatives that leverage transparency

Your organization's governance culture will affect how you approach transparency

IT's current maturity around ITFM practice will also affect your approach to transparency

1.2 Assess your readiness to tackle IT spend transparency

Duration: One hour

Note: This assessment is general in nature. It's intended to help you identify and prepare for potential challenges in your IT spend and staffing transparency effort.

1. Rate your agreement with the "Data & Information" and "Experience, Expertise, & Support" statements listed on the slide immediately following the two instruction slides for this exercise. For each statement, indicate the extent to which you agree or disagree, where:
   1. 1 = Strongly disagree
   2. 2 = Disagree
   3. 3 = Neither agree nor disagree
   4. 4 = Agree
   5. 5 = Strongly agree
2. Add up your numerical scores for all statements, where the highest possible score is 65.
3. Assess your general readiness against the following guidelines:
   1. 50-65: Ready. The transparency exercise will involve work, but should be straightforward since you have the data, skills, tools, processes, and support to do it.
   2. 40-49: Ready, with caveats. The transparency exercise is doable but will require some preparatory legwork and investigation on your part around data sourcing, organization, and interpretation.
   3. 30-39: Challenged. The transparency exercise will present some obstacles. Expect to encounter data gaps, inconsistencies, errors, roadblocks, and frustrations that will need to be resolved.
   4. Less than 30: Not ready. You don't have the data, skills, tools, processes, and/or support to do the data transparency exercise. Take time to develop a stronger foundation of financial literacy and governance before tackling it.

Document your outputs on the slide immediately following the two instruction slides for this exercise.

1.2 Assess your readiness to tackle IT spend transparency

IT spend transparency readiness assessment

Rating scale:
1 = Strongly Disagree; 2 = Disagree; 3 = Neither agree nor disagree; 4 = Agree; 5 = Strongly agree
Assessment scale:
Less than 30 = Not ready; 30-39 = Challenged; 40-49 = Ready with caveats; 50-65 = Ready

Take a closer look at the statements you rated 1, 2, or 3. These will be areas of challenge no matter what your total score on the assessment scale.

Phase 1: Know your objectives

Achievement summary

You've now completed the first two steps on your IT spend transparency journey. You have:

• Set your objectives for making your IT spend and staffing transparent.
• Assessed your readiness to tackle the exercise and know how much work you'll need to do in order to do it well.

"Mapping to a transparency model is labor intensive. You can do it once and never revisit it again, but we would never advise that. What it does is play well into an IT financial management maturity roadmap."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group

Phase 2

Gather Required Data

This phase will walk you through the following activities:

• Gather, clean, and organize your data
• Build your industry-specific business views

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 2: Gather required data

Finish your preparation.

You're now ready to do the final preparation for your IT spend and staffing transparency journey. In this phase you will:

• Gather your IT spend and staffing data and information.
• Clean and organize your data to streamline mapping.
• Identify your baseline data points.

"Some feel like they don't have all the data, so they give up. Don't. Every data point counts."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Your IT spend transparency efforts are only as good as the quality of your inputs

Aim for a comprehensive, complete, and accurate set of data and information.

Start by understanding what's included in technology spend

In scope:

• All network, telecom, and data center equipment.
• All end-user productivity software and devices (e.g. laptops, peripheral devices, cell phones).
• Information security.
• All acquisition, development, maintenance, and management of business and operations software.
• All systems used for the storage and management of business assets, data, records, and information.
• All managed IT services.
• Third-party consulting services.
• All identifiable spend from the business for the above.

Expand your thinking: Total tech spend goes beyond what's under IT's operational umbrella

"Technology" means all technology in the organization regardless of where it lives, who bought it, who owns it, who runs it, or who uses it.

IT may have low or no visibility into technologies that exist in the broader business environment beyond IT. Accept that you won't gain 100% visibility right now. However, do get started and be persistent.

Where to look for non-IT technology ...

• Highly specialized business functions - niche tools that are probably used by only a few people.
• Power users and the "underserved" - cloud-based workflow, communication, and productivity tools they got on their own.
• Operational technology - network-connected industrial, building, or physical security sensors and control systems.
• Recently acquired/merged entities - inherited software.

Who might get you what you need ...

• Business unit and team leaders - identification of what they use and copies of their spend records and/or contracts.
• Finance - a report of the "software" expenditure category to spot unrecognized technologies and their owners.
• Vendors - copies of contracts if not forthcoming internally.
• Your service desk - informal knowledge gained about unknown technologies at play in the course of doing their job.

The IT spend and staffing transparency exercise is an opportunity to kick-start a technology discovery process that will give you and the business a true picture of your technology profile, use, and spend.

Seek out data at the right level of granularity with the right supporting information

Key data and information to seek out:

• Credits applied to appropriate debits that show net expense, or detailed descriptions of credits with no matching debit.
• Cash-based accounting (not accrual accounting). If accrual, will need to determine how to simplify the data for your uses.
• Vendor names, asset classes, descriptors, and departments.
• A total spend amount (CapEx + OpEx) that:
  • Aligns with the spend period.
  • Passes your gut check for total IT spend.
  • Includes annual amounts for multi-year contracts (e.g. one year of a three-year Microsoft enterprise agreement).
  • Includes technology spend from the business (e.g. OT that IT supports).
• Insights on large projects.
• Consolidated recurring payments, salaries and benefits, and other small expenses.

Look for these data descriptors in your files:

• Cost center/accounting unit
• Cost center/department description
• GL ACCT
• CL account description
• Activity description
• Status
• Program/business function/project description
• Accounting period
• Transaction amount
• Vendor/vendor name
• Product/product name

Avoid data that's hard to use or problematic as it will slow you down and bring limited benefits

Spend data that's out of scope:

• Depreciation/amortization.
• Gain or loss of asset write-off.
• Physical security (e.g. key cards, cameras, motion sensors, floodlights).
• Printer consumables costs.
• Heating and cooling costs (for data centers).

Challenging data formats:

• Large raw data files with limited or no descriptors.
• Major accounts (hardware and software) combined in the same line item.
• Line items (especially software) with no vendor reference information.
• PDF files or screenshots that you can't extract data from readily. Use Excel or CSV files whenever possible.

Getting at the data you need can be easy or hard – it all depends

This is where your governance culture and ITFM maturity start to come into play.

There may be some data or information you can't get without a Herculean effort. Don't worry about it too much - these items are usually relatively minor and won't significantly affect the overall picture.

Commit to finding out what you don't know

Many IT leaders don't have visibility into other departments' technology spend. In some cases, the fact that spend is even happening may be a complete surprise.

Near-term visibility fix ...

• Ask your finance department for a report on all technology-related spend categories. "Software" is a broad category that finance departments tend to track. Scan the report for items that don't look familiar and confirm the originating department or approver.
• Check in with the procurement office. See what technology-related contracts they have on record and which departments "own" them. Get copies of those contracts if possible.
• Contact individual department heads or technology spend approvers. Devise your contact shortlist based on what you already know or learned from finance and procurement. Position your outreach as a discovery process that supports your transparency effort. Avoid coming across as though you're judging their spend or planning to take over their technologies.

Long-term visibility fix ...

• Develop your relationships with other business unit leaders. This will help open the lines of communication permanently.
• Establish a cross-functional central technology office or group. The main task of this unit is to set and manage technology standards organization-wide, including standards for tracking and documenting technology costs and asset lifecycle factors.
• Ensure IT is formally involved in all technology spend proposals and plans. This gives IT the opportunity to assess them for security compliance, IT network/system interoperability, manageability, and IT support requirements prior to purchase.
• Ensure IT is notified of all technology financial transactions. This includes contracts, invoices, and payments for all one-time purchases, subscription fees, and maintenance costs.

Finally, note any potential anomalies in the IT spend period you're looking at

No two years have the exact same spend patterns. One-time spend for a big capital project, for example, can dramatically alter your overall spend landscape.

Look for the following anomalies:

• New or ongoing capital implementations or projects that span more than one fiscal year.
• Completed projects that have recently transitioned, or are transitioning, from CapEx (decreasing) to OpEx (increasing).
• A major internal reorganization or merger, acquisition, or divestiture event.
• Crises, disasters, or other rare emergencies.
• Changes in IT funding sources (e.g. new or expiring grants).

These anomalies often explain why IT spend is unusually high in certain areas. There's often a good business reason.

In many cases, doing a separate spend transparency exercise for these anomalous projects or events can isolate their costs from other spend so their true nature and impact can be better understood.

2.1 Gather your input data and information

Duration: Variable

1. Develop a complete list of the spending and staffing data and information you need to complete the transparency mapping exercise. For each required item, note the following:
   1. Description of data needed (i.e. type, timeframe, and format).
   2. Ideal timeframe or deadline for receipt.
   3. Probable source(s) and contact(s).
   4. Additional facilitation/support required.
   5. Person on your transparency team responsible for obtaining it.
2. Set up a data and information repository to store all files as soon as they're received. Ideally, you'll want all data/information files to be in an electronic format so that everything can be stored in one place. Avoid paper documents if possible.
3. Conduct your outreach to obtain the input data and information on your list. This could include delegating it to a subordinate, sending emails, making phone calls, booking meetings, and so on.
4. Review the data and information received to confirm that it's the right type of data, at the correct level of granularity, for the right timeframe, in a usable format, and is generally accurate.
5. Enter documentation about your data and information sources in tab "1. Data & Information Sources" in the IT Spend & Staffing Transparency Workbook to reflect what you needed and where you got it in order to make the discovery process easier in the future.
6. In the same tab in the IT Spend & Staffing Transparency Workbook, document any significant events that occurred that directly or indirectly impacted the selected year's spend values. These could include mergers/acquisitions/divestitures, major reorganizations or changes in leadership, significant shifts in product offerings or strategic direction, large capital projects, legal/regulatory changes, natural disasters, or changes in the economy.

Download the IT Spend & Staffing Transparency Workbook

2.1 Gather your input data and information

Tidy up your data before beginning any spend mapping

Most organizations aren't immaculate in their tech spend documentation and tracking practices. This creates data rife with gaps that lives in hard-to-use formats.

The more preparation you do to approach the "good data" intersection point in the diagram below, the easier your mapping effort will be and the more useful and insightful your final findings.

Make your data "un-unique" to reduce the number of line items and make it manageable

There's a good chance that the IT spend data you've received is in the form of tens of thousands of unique line items. Use the checklist below to help you roll it up.

Warning: Never overwrite your original data. Insert new columns/rows and put your alternate information in these instead.

Step 1: Standardize vendor names

• Start with known large vendors.
• Select a standard name for the vendor.
• Brainstorm possible variations on the vendor name, including abbreviations and shortforms.
• Search for the vendor in your data and document the new standardized vendor name in the appropriate row.
• Repeat the above for all vendors.
• Sort the new vendor name column from A-Z. Look for instances where names remain unique or are missing entirely. Reconcile if needed and fill in missing data.

Step 2: Consolidate vendor spend

• Sort the new vendor name column from A-Z. Start with vendors that have the most line items.
• Add together related spend items from a given vendor. Create a new row for the consolidated spend item and flag it as consolidated. Keep the following item types in separate rows:
  • Hardware vs. software spend for the same vendor.
  • Cloud vs. on-premises spend for the same vendor.
• Repeat the above for all vendors.
• Consider breaking out separate rows for overly consolidated line items that contain too many different types of IT spend.

2.2 Clean and organize your data

Duration: Variable

1. Check to ensure that you have all data and information required to conduct the IT spend transparency exercise.
2. Conduct an initial scan to assess the data's current state of hygiene and overall usability. Flag anything of concern and follow up with the data/information provider to fix or reconcile any issues.
3. Normalize your data to make it easier to work with. This includes selecting data format standards and changing anything that doesn't conform to those standards. This includes items such as date conventions, currencies, and so on.
4. Standardize product and vendor naming/references throughout to enable searching, sorting, and grouping. For example, Microsoft Office may be variably referred to as "Microsoft", "Office", "Office 365", and "Office365" throughout your data. Pick one descriptor for the product/vendor and replace all related references with that descriptor.
5. Consolidate and aggregate your data. Ideally, the data you received from your sources has already been simplified; however, you may need to further organize it to reduce the number of individual line items to a more manageable number. The transparency exercise uses relatively high-level categories, so combine data sets and aggregate where feasible without losing appropriate granularity.
6. Archive any original copies of files that have been modified or replaced with consolidated/aggregated versions for future reference if needed.

2.2 Clean and organize your data

Select IT spend "buckets" for the CXO Business View as your final preparatory step

Every organization has both industry-agnostic and industry-specific lines of business that are the direct beneficiaries of IT spend.

Common shared business functions:

• Human resources.
• Finance and accounting.
• Sales/customer service.
• Marketing and advertising.
• Legal services and regulatory compliance.
• Information technology.

It may seem odd to see IT on the business functions list since the purpose of this exercise is to map IT spend. For business view purposes, IT spend refers to what IT spends on itself to support its own internal operations.

Examples of industry-specific functions:

• Manufacturing: Product research and development; production operations; supply chain management.
• Retail banking: Core banking services; loan, mortgage and credit services; investment and wealth management services.
• Hospitals: Patient intake and admissions; patient diagnosis; patient treatment; patient recovery and ongoing care.
• Insurance: Actuarial analysis; policy creation; underwriting; claims processing.

See the Appendix of this blueprint for definitions of shared business functions plus sample industry-specific business view categories.

Define your CXO Business View categories to set yourself up well for future ITFM analyses

The CXO Business View buckets you set up today are tools you can and should reuse in your overall approach to ITFM governance. Spend some time to get them right.

Stay high-level

Getting too granular invites administrative headaches and overhead. Keep things high-level and general:

• Limit the number of direct stakeholders represented: This will reduce communication overhead and ensure you're dealing only with people who have real decision-making authority.
• Look to your org. chart: Note the departments or business units listed across the top of the chart that have one executive or top-ranking senior manager accountable for them. These business units often translate as-is into a tidy CXO Business View category.

Limit your number of buckets

Tracking IT spend across more than 8-10 shared and industry-specific business categories is impractical.

• Simplify your options: Too many buckets gets confusing and invites time-wasting doubt.
• Reduce future rework: Business structures will change, which means recategorizing spend data. Using a forklift is a lot easier than using tweezers.
• Stick to major business units: Create separate "Business Other" and "Industry Other" catch-all categories to track IT spend for smaller functions that fall outside of major business unit structures.

Be clear on what's in and what's out of your categories to keep everyone on the same page

Clear lines of demarcation between CXO Business View categories reduce confusion, doubt, and wheel-reinvention when deciding where to allocate IT spend.

Ensure clear boundaries

Mutual exclusivity is key when defining categories in any taxonomical structure.

• Avoid overlaps: Each high-level business function category should have few or no core function or process overlaps with another business function category. Aim for clear vertical separation.
• Be encompassing: When defining a category, list all the business capabilities and sub-functions included in that category. For example, if defining the finance and accounting function, remember to specify its less obvious accountabilities, like enterprise asset management if appropriate.

Identify exclusions

Listing what's out can be just as informative and clarifying as listing what's in.

• Beware odd bedfellows: Minor business groups are often tucked under a bigger organizational entity even though the two use different processes and technologies. Separate them if appropriate and state this exclusion in the bigger entity's definition.
• Draw a line: If a process crosses business function categories, state which sub-steps are out of scope.
• Document your decisions: This helps ensure you allocate IT spend the same way every time.

2.3 Build your industry-specific business views

Duration: Two hours

1. Confirm your list of high-level shared business services (human resources, finance and accounting, etc.) as provided in Info-Tech's IT Spend & Staffing Transparency Workbook. Rename them if needed to match the nomenclature used in your organization.
2. Set and define your additional list of high-level, industry-specific business categories that are unique to or define your industry. See the slides immediately following this exercise for tips on developing these categories, as well as the appendix of this blueprint for some examples of industry-specific categories and definitions.
3. Create "Business Other" and "Industry Other" categories to capture minor groups and activities supported by IT that fall beyond the major shared and industry-specific business functions you've shortlisted. Briefly note the business groups/activities that fall under these categories.
4. Edit/enter your shared and industry-specific business function categories and their definitions on tab "2. Business View Definitions" in the IT Spend & Staffing Transparency Workbook.

Download the IT Spend & Staffing Transparency Workbook

2.3 Build your industry-specific business views

Lock in key pieces of baseline data

Calculating core IT spend metrics relies on a few key numbers. Settle these first based on known data before diving into detailed mapping.

These baseline data will allow you to calculate high-level metrics like IT spend as a percent of revenue and year-over-year percent change in IT spend, as well as more granular metrics like IT staff spend per employee for a specific IT service.

Baseline data checklist

• IT spend analysis period (date range).
• Currency used.
• Organizational revenue.
• Organizational OpEx.
• Total current year IT spend.
• Total current year IT CapEx and IT OpEx.
• Total previous-year IT spend.
• Total projected next-year IT spend.
• Number of organizational employees.
• Number of IT employees.

You may have discovered some things you didn't know about during the mapping process. Revisit your baseline data when your mapping is complete and make adjustments where needed.

2.4 Enter your baseline data

Duration: One hour

1. Navigate to tab "3. Baseline Data" in the IT Spend & Staffing Transparency Workbook. Using the data you've gathered, enter the following information to set your baseline data for future calculations:
   1. Your IT spend analysis date range. This can be concrete dates, a fiscal year abbreviation, etc.
   2. The currency you will be using throughout the workbook. It's important that all monetary values entered are in the same currency.
   3. Your organization's total revenue and total operating expenditure (OpEx) for the spend analysis data range you've specified. Revenue includes all sources of funding/income.
   4. Your total IT OpEx and total IT capital expenditure (CapEx). The workbook will add your OpEx and CapEx values for you to arrive at a total IT spend value.
   5. Total IT spend for the year prior to the current IT spend analysis date range, as well as anticipated total IT spend for the year following.
   6. Total IT staff spend (salaries, benefits, training, travel, and fees for employees and contractors in a staff augmentation role) for the spend analysis date range.
   7. The total number of organizational employees and total number of IT employees. These are typically full-time equivalent (FTE) values and include contractors in a staff augmentation role.
2. Make note of any issues that have influenced the values you entered.

Download the IT Spend & Staffing Transparency Workbook

2.4 Enter your baseline data

Phase 2: Gather required data

Achievement summary

You've now completed all preparation steps for your IT spend transparency journey. You have:

• Gathered your IT spend and staffing data and information.
• Cleaned and organized your data to streamline mapping.
• Identified your baseline data points.

"As an IT person, you're not speaking the same language at all as the accounting department. There's almost always a session of education that's required first."
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group

Phase 3

Map Your IT Staff Spend

This phase will walk you through the following activities:

• Mapping your IT staff spend across the four views of the ITFM Cost Model
• Validating your mapping

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 3: Map your IT staff spend

Allocate your workforce costs across the four views.

Now it's time to tackle the first part of your hands-on spend mapping effort, namely IT staff spend. In this phase you will:

• Allocate your IT staff spend across the four views of the ITFM Cost Model.
• Validate your mapping to ensure that it's accurate and complete.

"We're working towards the truth. We know the answer, but it's how to get it. Take Data & BI. For some organizations, four FTEs is too many. Are these people really doing Data & BI? Look at the big picture and see if something's missing."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Staffing costs comprise a significant percent of OpEx

Staffing is the first thing that comes to mind when it comes to spend. Intentionally bring it out of the shadows to promote constructive conversations.

• Total staffing costs stand out from other IT spend line items. This is because they're comparatively large, often comprising 30-50% of total IT costs.
• Standing out comes at a price. Staff costs are where business leadership looks first if they want cuts. If IT leadership doesn't bring forward ways to cut staffing costs as part of a broader cost-cutting mandate, it will be seen as ignorant of business priorities at best and outright insubordinate at worst.
• Staffing costs as a percentage of total costs vary between IT functions. On the business side, there's a lack of understanding about what functions IT staff serve and support and the real-world costs of obtaining (and keeping) needed IT skills. For example, IT security staffing costs as a percentage of that service's total OpEx will likely be higher than service desk staff given the scarcity and higher market value of the former. Trimming 20% of IT staffing costs from the IT security function has much different implications than cutting 20% of service desk staffing costs.

Staffing spend transparency can do a lot to change the conversation from one where the business thinks that IT management is just being self-protecting to one where they know that IT management is actually protecting the business.

Demonstrating the legitimate reasons behind IT staff spend is critical in both rationalizing past and current spend decisions as well as informing future decisions.

Info-Tech recommends that you map your IT staffing costs before all other IT costs

Mapping your IT staffing spend first is a good idea because:

• Staffing costs are usually documented more clearly, simply, and accurately than other IT costs.
• Gathering all your IT staffing data is usually a one-stop shop (i.e. the HR department).
• The comparative straightforwardness of mapping staff costs compared to other IT costs gives you the opportunity to:
  • Get familiar with the ITFM Cost Model views and categories.
  • Get the hang of the hands-on mapping process.
  • Determine the kinds of speed bumps and questions you'll encounter down the road when you tackle the more complicated mappings.

"Some companies will say software developer. Others say application development specialist or engineer. What are these things? You have to have conversations ..."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Understand the CFO Expense View: "Workforce" categories defined

For the staffing spend mapping exercise, we're defining the Workforce category here and will offer Vendor category definitions in the vendor spend mapping exercise later.

Workforce: The total costs of employing labor in the IT organization. This includes all salary/wages, benefits, travel/training, dues and memberships, and contractor pay. Managed services expenses associated with an external service provider should be excluded from Workforce and included in Contract Services.

Employee: A person employed by the IT organization on a permanent full-time or part-time basis. Costs include salary, benefits, training, travel and expenses, and professional dues and memberships. These relationships are managed under human resources and the bulk of spend transactions via payroll processes.

Contractor: A person serving in a non-permanent staff augmentation role. These relationships are typically managed under procurement or finance and spend transactions handled via invoicing and accounts payable processes. Labor costs associated with an external service provider are excluded.

Mapping your IT staff across the CFO Expense View is relatively cut-and-dried

The CFO Expense View is the most straightforward in terms of mapping IT staffing costs as it's made up of only two main categories: Workforce and Vendor.

In the CFO Expense View, all IT spend on staffing is allocated to the Workforce bucket under either Employee or Contractor.

What constitutes a Contractor can be confusing given increased use of long-term labor augmentation strategies, so being absolutely clear about this is imperative. For spend mapping purposes:

• Any staff members under independent contract where individuals are paid directly by your organization as opposed to indirectly via a service provider (e.g. staffing firm) are considered Workforce > Contractor.
• Any circumstances where you pay a third-party organization for labor is slotted under Vendor > Contract Services.

Understand the CIO Service View: Categories defined

We've provided definitions for the major categories that require clarification.

Applications Development: Purchase/development, testing, and deployment of application projects. Includes internally developed or packaged solutions.

Applications Maintenance: Software maintenance fees or maintaining current application functionality along with minor enhancements.

Hosting & Networks: Compute, storage, and network functionality for running/hosting applications and providing communications/connectivity for the organization.

End User: Procurement, provision, management, and maintenance (break/fix) of end-user devices (desktop, laptops, tablets, peripherals, and phones) as well as purchase/support and use of productivity software on these devices. The IT service desk is included here as well.

PPM & Projects: People, processes, and technologies dedicated to the management of IT projects and the IT project portfolio as a whole.

Data & BI: Strategy and oversight of the technology used to support data warehousing, business intelligence, and analytics.

IT Management: Senior IT leadership, IT finance, IT strategy and governance, enterprise architecture, process management, vendor management, talent management, and program and portfolio management oversight.

Security: Information security strategy and oversight, practices, procedures, compliance, and risk mitigation to protect and prevent unauthorized access to organizational data and technology assets.

Mapping your IT staff across the CIO Service View is a slightly harder exercise

The complexity of mapping staff across this view depends on how your IT department is organized and the degree of role specialization vs. generalization.

The CIO Service View mirrors how many IT departments are organized into teams or work groups. However, some partial percentage-based allocations are probably required, especially for smaller IT units with more generalized, cross-functional roles. For example:

• A systems administrator's costs may need to be allocated 80% to Hosting & Networks and 20% to Security.
• An app development team lead may spend about 40% of their time doing hands-on Development work and the other 60% on project management (i.e. PPM & Projects).

Info-Tech has found that allocating staffing costs for Data & BI raises the most doubts as it can be very entangled with Applications and other spend. Do the best you can.

Understand the CXO Expense View: Categories defined

Expand shared services and industry function categories as suits your organization.

Industry Functions: As listed and defined by you for your specific industry.

Human Resources: IT staff and specific application functionality in support of organizational human resource management.

Finance & Accounting: IT staff and specific application functionality in support of corporate finance and accounting.

Shared Services Other: IT staff and specific application functionality in support of all other shared enterprise functions.

Information Technology: IT staff and specific application functionality in support of IT performing its own internal IT operations functions.

Industry Other: IT staff and specific application functionality in support of all other industry-specific functions.

Mapping your IT staff across the CXO Business View warrants the most time

This view is probably the most difficult as many IT department roles are set up according to lines of IT service, not lines of business. Prepare to do a little math.

The CXO Expense View also requires percentage-based splitting of role spend, but to a greater extent.

• Start by mapping staff cost allocations for those roles that are at, or close to, 100% dedicated to a specific business function (if any).
• For IT roles that support organization-wide or multi-department functions, knowing the percent of employees that work in each relevant business unit and parceling IT staff spend by those same percentages may be easiest. For example, a general systems administrator's costs could be allocated as 4% to HR, 2% to finance, 25% to sales, 20% to production operations, and so on based on the percentage of employees in each of the supported business units.

Take a minute to figure out how you plan to map IT's indirect CXO Business View costs

Direct IT costs are those that are dedicated to a specific business unit or user group, such a marketing campaign management app, specialized devices used by a specific subset of workers in the field, or a business analyst embedded full-time in a sales organization.

VS

Indirect IT costs are pretty much everything else that's shared broadly across the organization and can't be tied to just one stakeholder or user group, such as network infrastructure, the service desk, and office productivity apps. These costs must be fairly and evenly distributed.

No indirect mapping method is perfect, but here's a suggestion:

• Take the respective headcount of all business functions sharing the IT resource/service in question.
• Calculate each business function's staff as a percentage of all organizational staff.
• Use this same percent of staff to calculate and allocate a business function's indirect staff and indirect vendor costs.

"There is always a conversation about indirect allocations. There's never been an organization I've heard of or worked for which has been able to allocate every technology cost directly to a business consumption or business unit."
Monica Braun, ITFM Research Director, Info-Tech Research Group

Example:

• A company of 560 employees has six HR staff (about 1.1% of total staff).
• Network admin staffing costs $143,000, so $1,573 (1.1%) would be allocated to HR.
• Internet services cost $40,000, so $440 (1.1%) would be allocated to HR.

Some indirect costs are shared by multiple business functions, but not all. In these cases, exclude non-participating business functions from the total number of organizational employees and re-calculate a new percent of staff for each participating business function.

Know where you're most likely to encounter direct vs. indirect IT staffing costs

Info-Tech has found that direct vs. indirect staffing spend is more commonly found in some areas than others. Use this insight to focus your work.

Direct IT staffing spend

Definition: Individuals or teams whose total time is formally dedicated to the support of one business unit/function.

• Data & BI (direct to one non-IT unit)
• IT Management (direct to IT)
  • Service planning & Architecture
  • Strategy & Governance
  • Financial Management
  • People & Resources

Hybrid IT staffing spend

Definition: Teams with a percent of time or entire FTEs formally dedicated to one business unit/function while the remainder of the time or team is generalized.

• Applications
  • Applications Development
  • Applications Maintenance
• IT Management
  • PPM & Projects

Indirect IT staffing spend

Definition: Individuals or teams whose total time is generalized to the support of multiple or all business units or functions.

• Infrastructure
  • Hosting & Networks
  • End Users
• Security

Indirect staff spend only comes into play in the CXO Business View. Thoroughly map the CIO Service View first and leverage its outcomes to inform your allocations to individual business and industry functions.

Understand the CEO Innovation View: Categories defined

Be particularly clear on your understanding of the difference between business growth and business innovation.

Business Innovation: IT spend/ activities focused on the development of new business capability, new products and services, and/or introduction of existing products/ services into new markets. It does not include expansion or update of existing capabilities.

Business Growth: IT spend/activities focused on the expansion, scaling, or modernization of an existing business capability, product/service, or market. This is specifically related to growth within a current market.

Keep the Lights On: IT spend/activities focused on keeping the organization running on a day-to-day basis. This includes all activities used to ensure the smooth operation of business functions and overall business continuity.

Important Note

Info-Tech analysts often skip mapping staff for the CEO Innovation View when delivering the IT Spend & Staffing Benchmarking Service.

This is because, for many organizations, either most IT staff spend is allocated to Keep the Lights On or any IT staff allocation to Business Growth and Business Innovation activities is untracked, undocumented, and difficult to parse out.

Mapping your IT staff across the CEO Innovation View is largely straightforward

Clear divisions between CapEx and OpEx can be your friend when it comes to mapping this view. Focus your efforts on parsing growth vs. innovation.

• The majority of IT staff costs are OpEx: And the majority of OpEx will land in the Keep the Lights On category. This is a comparatively simple mapping exercise. Know in advance that this will be the largest of the three buckets in the CEO Innovation View by a very wide margin, so don't be surprised if over 90% of IT staffing costs end up here.
• Most of the remaining IT staff costs will be tied to capital projects and investments: This means that they will land in either Business Growth or Business Innovation, with the majority typically sitting under Business Growth. Again, don't be surprised if the Business Innovation category holds less than 3% of total IT staffing spend.

Take your IT staff spend mapping to the next level with detailed time and headcount data

Overlay a broader assessment of your IT staff

Info-Tech's IT Staffing Assessment diagnostic can expand your view of what's really happening on the staffing front.

• Learn your true distribution of IT staff across the same IT services listed in the ITFM Cost Model's CIO Service View.
• Get other metrics such as degrees of seniority, manager span of control, and IT staff perception of their effectiveness.

Take action

1. Set it up: Contact your Info-Tech Account Manager and sign your team up to take the diagnostic.
2. Assess the findings: Review the output report, specifically how your staff says they spend their time versus what your organization chart's been telling you.
3. Apply the percentages: Use the FTE allocation percentages in the output report to guide how you distribute your staff spend across the CIO Service View.
4. Expand your analysis: Use your staff's feedback around perceived aids and obstacles to effectiveness in order to inform and defend your recommendations and decisions on how IT funds should be spent.

Consider these final tips for mapping your IT staffing costs before diving in

Mapping your IT staffing costs definitely requires some work. However, knowing the common stumbling blocks and being systematic will yield the best results.

Approach: Be efficient to be effective

Start with what you know best: Map the CFO Expense View first to plug in information you already have. Next, map the CIO Service View since it's most aligned to your organization chart.

Keep a list of questions: You'll need to seek clarifications. Note your questions, but don't reach out until you've done a first pass at the mapping - don't annoy people with a barrage of questions.

Delegate: Your managers and leads have a more accurate view of exactly what their staff do. Consider delegating the CIO Service View and CXO Business View to them or turn the mapping exercise into a series of collaborative leadership team activities.

Biggest challenge: Role/title ambiguity

• The Business Analyst role is often vague. These staffers are often jacks-of-all-trades in IT. You probably can't rely on a generic job description to figure out exactly which services and business functions BAs are spending their time on. Plan to ask a lot of questions.
• Other role titles may be completely inaccurate. Is the word "system" referring to apps, infrastructure, or both? Is the user experience specialist actually a programmer? Is a manager really managing anything? Know your organization's tendencies around meaningful job titling and set your workload expectations accordingly.

Key step - validate! If you see services or functions with low or no allocation, or something just doesn't look right, investigate. Someone's doing that work - take the time to figure out who.

3.1 Map your IT staffing costs

Duration: Variable

1. Navigate to tab "4. Staff Spend Mapping" in the IT Spend & Staffing Transparency Workbook. On one row, enter the name of an individual or group to be mapped, their role/title (if an individual), and their total known cost as per your collected data.
2. Under the CFO Expense View (columns F-G), enter the number of FTEs represented by the individual or group named and their status (i.e. Employee or Contractor).
3. Under the CIO Service View (columns L-AF), allocate the individual or group's spend as a percentage across all service categories. If the allocation for a service is 0%, leave the cell blank.
4. Under the CXO Business View (columns AI-BA), allocate the individual or group's spend as a percentage across all business function and industry-specific function categories. If the allocation for a function is 0%, leave the cell blank.
5. Under the CEO Innovation View (columns BD-BH), allocate the individual or group's spend as a percentage across Business Innovation, Business Growth, and Keep the Lights On. If the allocation for an investment type is 0%, leave the cell blank.
6. Repeat steps 2 to 5 for all other IT staff (as individuals or groups).
7. Follow up on and resolve any additional inquiries you need to make based on questions that arose during the mapping process.
8. Validate your mapping by:
   1. Identifying spend categories that have zero staff spend allocation. Additional percentage allocation splits for certain roles are probably required.
   2. Investigating spend categories that seem to have very high or very low spend allocations based on a gut check. Again, double-check your percentage allocation splits.
   3. Ensuring your amounts add up to your previously calculated total IT staff spend. A balance tracker is provided on tab "6. Tracker & General Outputs" of the IT Spend & Staffing Transparency Workbook.

Download the IT Spend & Staffing Transparency Workbook

3.1 Map your staffing costs

Phase 3: Map your IT staff spend

Achievement summary

You've now completed your IT staff spend mapping. You have:

• Allocated your IT staff spend across the four views of the ITFM Cost Model.
• Validated your mapping to ensure it's accurate and complete.

"Some want to allocate everybody to IT, but that's not how we do it. [In one CXO Business View mapping], a client allocated all their sand network people to the IT department. At the end of the process, the IT department itself accounted for 20% of total IT spend. We went back and reallocated those indirect staff costs across the business."
- Kennedy Confurius, Research Analyst, ITFM Practice, Info-Tech Research Group

Phase 4

Map Your IT Vendor Spend

This phase will walk you through the following activities:

• Mapping your IT vendor spend across the four views of the ITFM Cost Model
• Validating your mapping

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 4: Map your IT vendor spend