Optimize Your Software Selection Process: Why 5 and 30 Are the Magic Numbers

Select your applications better, faster, and cheaper.

How to Read This Software Selection Insight Primer

1. 43,000 Data Points

This report is based on data gathered from a survey of 43,000 real-world IT practitioners.

2. Aggregating Feedback

The data is compiled from SoftwareReviews (a sister company of Info-Tech Research Group), which collects and aggregates feedback on a wide variety of enterprise technologies.

3. Insights Backed by Data

The insights, charts, and graphs in this presentation are all derived from data submitted by real end users.

The First Magic Number Is Five

The optimal software selection team comprises five people

• Derived from 43,000 data points. Analysis of thousands of software selection projects makes it clear a tight core selection team accelerates the selection process.
• Five people make up the core team. A small but cross-functional team keeps the project moving without getting bogged down on calendar alignment and endless back-and-forth.
• It is a balancing act. Having too few stakeholders on the core selection team will lead to missing valuable information, while having too many will lead to delays and politically driven inefficiencies.

There Are Major Benefits to Narrowing the Selection Team Size to Five

Limit the risk of ineffective “decision making by committee”

Expedite resolution of key issues and accelerate crucial decisions

Achieve alignment on critical requirements

Streamline calendar management

Info-Tech Insight

Too many cooks spoil the broth: create a highly focused selection team that can devote the majority of its time to the project while it’s in flight to demonstrate faster time to value.

Arm Yourself With Data to Choose the Right Plays for Selection

Software selection takes forever. The process of choosing even the smallest apps can drag on for years: sometimes in perpetuity.

Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.

Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.

Project Satisfaction and Effectiveness Are Stagnant Once the Team Grows Beyond Five People

• There is only a marginal difference in selection effectiveness when more people are involved, so why include so many? It only bogs down the process!
• Full-time resourcing: At least one member of the five team members must be allocated to the selection initiative as a full-time resource.

Info-Tech Insight

It sounds natural to include as many players as possible in the core selection group; however, expanding the group beyond five people does not lead to an increase in satisfaction. Consider including a general stakeholder feedback working session instead.

Shorten Project Duration by Capping the Selection Team at Five People

However, it is important to make all stakeholders feel heard

Exclusion is not the name of the game.

• Remember, we are talking about the core selection team.
• Help stakeholders understand their role in the project.
• Educate stakeholders about your approach to selection.
• Ensure stakeholders understand why the official selection team is being capped at five people.
• Soliciting requirements and feedback from a broader array of stakeholders is still critical.

Large Organizations Benefit From Compact Selection Teams Just as Much as Small Firms

Think big even if your organization is small

Small organizations

Teams smaller than five people are common due to limited resources.

Medium organizations

Selection project satisfaction peaks with teams of fewer than two people. Consider growing the team to about five people to make stakeholders feel more included with minimal drops in satisfaction.

Large organizations

Satisfaction peaks when teams are kept to three to five people. With many SMEs available, it is critical to choose the right players for your team.

Keep the Core Selection Team to Five People Regardless of the Software Category

Smaller selection teams yield increased satisfaction across software categories

Info-Tech Insight

Core team size remains the same regardless of the application being selected. However, team composition will vary depending on the end users being targeted.

Think beyond application complexity

• Our instinct is to vary the size of the core selection team based on perceived application complexity.
• The data has demonstrated that a small team yields increased satisfaction for applications across a wide array of application complexity profiles.
• The real differentiator for complex applications will be the number of stakeholders that the core selection team liaise with, particularly for defining strong requirements.

The Second Magic Number Is 30

Finish the project while stakeholders are still fully engaged in order to maximize satisfaction

• 30- to 60-day project timelines are critical. Keep stakeholders engaged with a defined application selection timeline that moves the project forward briskly.
• Strike while the iron is hot. Deliver applications in a timely manner after the initial request. Don’t let IT become the bottleneck for process optimization.
• Minimize scope creep: As projects drag on in perpetuity, the scope of the project balloons to something that cannot possibly achieve key business objectives in a timely fashion.

Aggressively Timeboxing the Project Yields Benefits Across Multiple Software Categories

After four weeks, stakeholder satisfaction is variable

Only categories with at least 1,000 responses were included in the analysis.

Achieve peak satisfaction by allotting 30 days for an application selection project.

• Spending two weeks or less typically leads to higher levels of satisfaction for each category because it leaves more time for negotiation, implementation, and making sure everything works properly (especially if there is a time constraint).
• Watch out for the “satisfaction danger zone” once project enters the 6- to 12-week mark. Completing a selection in four weeks yields greater satisfaction.

Spend Your Time Wisely to Complete the Selection in 30 Days

Save time in the first three phases of the selection project

Info-Tech Insight – Awareness

Timebox the process of impact analysis. More time should be spent performing the action than building a business case.

Info-Tech Insight – Education

Save time duplicating existing market research. Save time and maintain alignment with focus groups.

Info-Tech Insight – Evaluation

Decision committee time is valuable. Get up to speed using third-party data and written collateral. Use committee time to conduct investigative interviews instead. Salesperson charisma and marketing collateral quality should not be primary selection criteria. Sadly, this is the case far too often.

Limit Project Duration to 30 Days Regardless of the Application Being Selected

Timeboxing application selection yields increased satisfaction across software categories

Info-Tech Insight

Office collaboration tools are a great case study for increasing satisfaction with decreased time to selection. Given the sharp impetus of COVID-19, many organizations quickly selected tools like Zoom and Teams, enabling remote work with very high end-user satisfaction.

There are alternative approaches for enterprise-sized applications:

• New applications that demand rigorous business process improvement efforts may require allotting time for prework before engaging in the 30-day selection project.
• To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select.

The Data Also Shows That There Are Five Additional Keys to Improving Your Selection Process

1. Align & Eliminate Elapsed Time

✓ Ensure a formal selection process is in place.

✓ Reduce time by timeboxing the project to 30 days.

✓ Align the calendars of the five-person core selection team.

Improving Your IT Department’s Software Selection Capability Yields Big Results

Time spent building a better process for software selection is a great investment

• Enterprise application selection is an activity that every IT department must embark on, often many times per year.
• The frequency and repeatability of software selection means it is an indispensable process to target for optimization.

• A formal process is not always synonymous with a well-oiled process.
• Even if you have a formal selection process already in place, it’s imperative to take a concerted approach to continuous improvement.

It is critical to improve the selection process before formalizing

Leverage Info-Tech’s Rapid Application Selection Framework to gain insights on how you can fine-tune and accelerate existing codified approaches to application selection.

Before Condensing the Selection Team, First Formalize the Software Selection Process

Software selection processes are challenging

Defining formal process and methodology

Most Organizations Are Already Using a Formal Software Selection Methodology

Don’t get left behind!

• A common misconception for software selection is that only large organizations have formal processes.
• The reality is that organizations of all sizes are making use of formal processes for software selection.
• Moreover, using a standardized method to evaluate new technology is most likely common practice among your competitors regardless of their size.
• It is important to remember that the level of rigor for the processes will vary based not only on project size but also on organization size.

Only categories with at least 1,000 responses were included in the analysis.

Use a Formal Evaluation and Selection Methodology to Achieve Higher Satisfaction

A formal selection process does not equal a bloated selection process

• No matter what process is being used, you should consider implementing a formal methodology to reduce the amount of time required to select the software. This trend continues across different levels of software (commodity, complex, and enterprise).
• It is worth noting that using a process can actually add more time to the selection process, so it is important to know how to use it properly.
• Don’t use just one process: you should use a combination, but don’t use more than three when selecting your software.

Hit a Home Run With Your Business Stakeholders

Use a data-driven approach to select the right application vendor for their needs – fast

Investing time improving your software selection methodology has big returns.

Info-Tech Insight

Not all software selection projects are created equal – some are very small; some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select. The Rapid Application Selection Framework approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology described in Implement a Proactive and Consistent Vendor Selection Process.

Lock Down the Key Players Before Setting Up the Relevant Timeline

You are the quarterback of your selection team

Don’t get bogged down “waiting for the stars to align” in terms of people’s availability: if you wait for the perfect alignment, the project may never get done.

If a key stakeholder is unavailable for weeks or months due to PTO or other commitments, don’t jeopardize project timelines to wait for them to be free. Find a relevant designate that can act in their stead!

You don’t need the entire team on the field at once. Keep certain stakeholders on the bench to swap in and out as needed.

Info-Tech Insight

Assemble the key stakeholders for project kick-off to synchronize the application selection process and limit elapsed time. Getting all parties on the same page increases output satisfaction and eliminates rework. Save time and get input from key stakeholders at the project kick-off.

Assemble a Cross-Functional Team for Best Results

A blend of both worlds gets the best of both worlds from domain expertise (technical and business)

How to manage the cross-functional selection team:

• There should be a combination of IT and businesspeople involved in the selection process, and ideally the ratio would be balanced.
• No matter what you are looking for, you should never include more than five people in the selection process.
• You can keep key stakeholders and other important individuals informed with what is going on, but they don’t necessarily have to be involved in the selection process.

Leverage a Five-Person Team With Players From Both IT and the Business

For maximum effectiveness, assign at least one resource to the project on a full-time basis

Info-Tech Insight

It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions.

Ensure That Your Project Has the Right Mix of the Core Team and Ancillary Stakeholders

Who is involved in selecting the new application?

• Core selection team:
• The core team ideally comprises just five members.
• There will be representatives from IT and the specific business function that is most impacted by the application.
• The team is typically anchored by a business analyst or project management professional.
• This is the team that is ultimately accountable for ensuring that the project stays on track and that the right vendor is selected.
• Ancillary stakeholders:
• These stakeholders are brought into the selection project on an as-needed basis. They offer commentary on requirements and technical know-how.
• They will be impacted by the project outcome but they do not bear ultimate accountability for selecting the application.

Tweak the Team Composition Based on the Application Category in Question

All applications are different. Some categories may require a slightly different balance of business and IT users.

When to adjust the selection team’s business to IT ratio:

• Increase the number of business stakeholders for customer-centric applications like customer relationship management and customer service management.
• Keep projects staffed with more technical resources when selecting internal-facing tools like network monitoring platforms, next-generation firewalls, and endpoint protection systems.

When to adjust the selection team’s business to IT ratio:

• Increase the number of business stakeholders for customer-centric applications like customer relationship management and customer service management.
• Keep projects staffed with more technical resources when selecting internal-facing tools like network monitoring platforms, next-generation firewalls, and endpoint protection systems.

Balance the Selection Team With Decision Makers and Front-Line Resources

Find the right balance!

• Make sure to include key decision makers to increase the velocity of approvals.
• However, it is critical to include the right number of front-line resources to ensure that end-user needs are adequately reflected in the requirements and decision criteria used for selection.

Info-Tech Insight

When selecting their software, organizations have an average of two to four business and IT decision makers/influencers on the core selection team.

Optimize Meeting Cadence to Complete Selection in 30 Days

Project Cadence:

• Execute approximately one phase per week.
• Conduct weekly checkpoints to move through your formal selection framework.
• Allot two to four hours per touchpoint.

Info-Tech Insight

Use weekly touchpoints with the core selection team to eliminate broken telephone. Hold focus groups and workshops to take a more collaborative, timely, and consensus-driven approach to zero in on critical requirements.

2. Reduce Time Spent on Low-Impact Activities

✓ Reduce time spent on internet research. Leverage hard data and experts.

✓ Reduce RFP size or skip RFPs entirely.

✓ Reduce time spent watching vendor dog and pony shows.

Reduce Time Spent on Internet Research by Leveraging Hard Data and Experts

REDUCE BIAS

Taking a data-driven approach to vendor selection ensures that decisions are made in a manner that reduces human bias and exposure to misaligned incentives.

SCORING MODELS

Create a vendor scoring model that uses several different scored criteria (alignment to needs, alignment to architecture, cost, relationship, etc.) and weight them.

AGGREGATE EXPERIENCES

When you leverage services such as SoftwareReviews, you’re relying on amalgamated data from hundreds of others that have already been down this path: benefit from their experience!

PEER-DRIVEN INSIGHTS

Formally incorporate a review of Category Reports from SoftwareReviews into your vendor selection process to take advantage of peer-driven expert insights.

Contact Us

Info-Tech is just a phone call away. Our expert analysts can guide you to successful project completion at no additional cost to you.

Bloated RFPs Are Weighing You Down

Avoid “RFP overload” – parse back deliverables for smaller projects

1. Many IT and procurement professionals are accustomed to deliverable-heavy application selection projects.
2. Massive amounts of effort is spent creating onerous RFIs, RFPs, vendor demo scripts, reference guides, and Pugh matrices – with only incremental (if any) benefits.
3. For smaller projects, focus on creating a minimum viable RFP that sketches out a brief need statement and highlights three or four critical process areas to avoid RFP fatigue.

Draft a lightweight RFI (or minimum viable RFP) to give vendors a snapshot of your needs while managing effort

An RFI or MV-RFP is a truncated RFP document that highlights core use cases to vendors while minimizing the amount of time the team has to spend building it.

You may miss out on the right vendor if:

• The RFP is too long or cumbersome for the vendor to respond.
• Vendors believe their time is better spent relationship selling.
• The RFP is unclear and leads them to believe they won’t be successful.
• The vendor was forced to guess what you were looking for.

How to write a successful RFI/MV-RFP:

• Expend your energy relative to the complexity of the required solution or product you’re seeking.
• A good MV-RFP is structured as follows: a brief description of your organization, business context, and key requirements. It should not exceed a half-dozen pages in length.
• Be transparent.
• This could potentially be a long-term relationship, so don’t try to trick suppliers.
• Be clear in your expectations and focus on the key aspects of what you’re trying to achieve.

Use the appropriate Info-Tech template for your needs (RFI, RFQ, or RFP). The Request for Information Template is best suited to the RASF approach.

If Necessary, Make Sure That You Are Going About RFPs the Right Way

RFPs only add satisfaction when done correctly

Info-Tech Insight

Prescriptive yet flexible: Avoid RFP overload when selecting customer experience–centric applications, but a formal approach to selection is still beneficial.

When will an RFP increase satisfaction?

• Satisfaction is increased when the RFP is used in concert with a formal selection methodology. An RFP on its own does not drive significant value.
• RFPs that focus on an application’s differentiating features lead to higher satisfaction with the selection process.
• Using the RFP to evaluate mandatory or standard and/or mandatory features yields neutral results.

Reduce Time Spent Watching Vendor Dog and Pony Shows

Salesperson charisma and marketing collateral quality should not be primary selection criteria. Sadly, this is the case far too often.

Use data to take control back from the vendor

• Taking a data-driven approach to vendor selection ensures that decisions are made in a manner that reduces human bias and exposure to misaligned incentives.
• When you leverage services such as SoftwareReviews, you’re relying on amalgamated data from hundreds of others that have already been down this path: benefit from their collective experience!

Kill the “golf course effect” and eliminate stakeholder bias

• A leading cause of selection failure is human bias. While rarely malicious, the reality is that decision makers and procurement staff can become unduly biased over time by vendor incentives. Conference passes, box seats, a strong interpersonal relationship – these are all things that may be valuable to a decision maker but have no bearing on the efficacy of an enterprise application.
• A strong selection process mitigates human bias by using a weighted scoring model and basing decisions on hard data: cost, user satisfaction scores, and trusted third-party data from services such as SoftwareReviews.

Conduct a Day of Rapid-Fire Investigative Interviews

Zoom in on high-value use cases and answers to targeted questions

Rapid-Fire Vendor Investigative Interview

Invite vendors to come onsite (or join you via videoconference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

Spend Your Time Wisely and Accelerate the Process

Join the B2B software selection r/evolution

Use a tier-based model to accelerate commodity and complex selection projects.

Eliminate elapsed process time with focus groups and workshops.

3. Focus on High-Impact Activities

✓ Narrow the field to four contenders prior to in-depth comparison.

✓ Identify portfolio overlap with accelerated enterprise architecture oversight.

✓ Focus on investigative interviews and proof of concept projects.

Narrow the Field to a Maximum of Four Contenders

Focus time spent on the players that we know can deliver strong value

1. ACCELERATE SELECTION

Save time by exclusively engaging vendors that support the organization’s differentiating requirements.

2. DECISION CLARITY

Prevent stakeholders from getting lost in the weeds with endless lists of vendors.

3.CONDENSED DEMOS

Limiting the project to four contenders allows you to stack demos/investigative interviews into the same day.

4. LICENSING LEVERAGE

Keep track of key differences between vendor offerings with a tight shortlist.

Rapid & Effective Selection Decisions

Consolidating the Vendor Shortlist Up-Front Reduces Downstream Effort

Put the “short” back in shortlist!

• Radically reduce effort by narrowing the field of potential vendors earlier in the selection process. Too many organizations don’t funnel their vendor shortlist until nearing the end of the selection process. The result is wasted time and effort evaluating options that are patently not a good fit.
• Leverage external data (such as SoftwareReviews) and expert opinion to consolidate your shortlist into a smaller number of viable vendors before the investigative interview stage and eliminate time spent evaluating dozens of RFP responses.
• Having fewer RFP responses to evaluate means you will have more time to do greater due diligence.

Rapid Enterprise Architecture Evaluations Are High-Impact Activities

When accelerating selection decisions, finding the right EA is a balancing act

• Neglecting enterprise architecture as a shortcut to save time often leads to downstream integration problems and decreases application satisfaction.
• On the other hand, overly drawn out enterprise architecture evaluations can lead to excessively focusing on technology integration versus having a clear and concise understanding of critical business needs.

Info-Tech Insight

Targeting an enterprise architecture evaluation as part of your software selection process that does not delay the selection while also providing sufficient insight into platform fit is critical.

Key activities for rapid enterprise architecture evaluation include:

1. Security analysis
2. Portfolio overlap review + integration assessment
3. Application standards check

The data confirms that it is worthwhile to spend time on enterprise architecture

• Considering software architecture fit up-front to determine if new software aligns with the existing application architecture directly links to greater satisfaction.
• Stakeholders are most satisfied with their software value when there is a good architectural platform fit.
• Stakeholders that ranked Architectural Platform Fit lower during the selection process were ultimately more unsatisfied with their software choice.

Identify Portfolio Overlap With an Accelerated Enterprise Architecture Assessment

Develop a clear view of any overlap within your target portfolio subset and clear rationalization/consolidation options

• Application sprawl is a critical pain point in many organizations. It leads to wasted time, money, and effort as IT (and the business) maintain myriad applications that all serve the same functional purpose.
• Opportunities are missed to consolidate and streamline associated business process management, training, and end-user adoption activities.
• Identify which applications in your existing architecture serve a duplicate purpose: these applications are the ones you will want to target for consolidation.
• As you select a new application, identify where it can be used to serve the goal for application rationalization (i.e. can we replace/retire existing applications in our portfolio by standardizing the new one?).

Keep the scope manageable!

• Highlight the major functional processes that are closely related to the application you’re selecting and identify which applications support each.
• The template below represents a top-level view of a set of customer experience management (CXM) applications. Identify linkages between sets of applications and if they’re uni- or bi-directional.

Rapidly Evaluate the Security & Risk Profile for a Right-Sized Enterprise Architecture Evaluation

There are four considerations for determining the security and risk profile for the new application

1. Financial Risk

• Consider the financial impact the new application has on the organization.
• How significant is the investment in technology?
• If this application fails to meet its business goals and deliver strong return on investment, will there be a significant amount of financial resources to mitigate the problem?

• Understand the type of data that will be handled/stored by the application.
• For example, a CRM will house customer personally identifiable information (PII) and an ECM will store confidential business documentation.
• Determine the consequences of a potential breach (i.e. legal and financial).

• Consider whether the application category has a historically strong security track record.
• For example, enterprise cloud storage solutions may have a different level of vulnerability than an HRIS platform.

• Determine whether the new application requires changes to infrastructure or additional security investments to safeguard expanded infrastructure.
• Consider the ways in which the changes to infrastructure increase the vectors for security breaches.

Spend More Time Validating Key Issues With Deep Technical Assessments

Conversations With the Vendor

• Initial conversations with the vendor build alignment on overall application capabilities, scope of work, and pricing.

Pilot Projects and Trial Environments

• Conduct a proof of concept project to ensure that the application satisfies your non-functional requirements.
• Technical assessments not only demonstrate whether an application is compatible with your existing systems but also give your technical resources the confidence that the implementation process will be as smooth as possible.
• Marketing collateral glosses over actual capabilities and differentiation. Use unbiased third-party data and detailed system training material.

4. Use Rapid & Essential Assessment Tools

✓ Focus on key use cases, not lists of features.

✓ You only need three essential tools:

1. Info-Tech’s Vendor Evaluation Workbook
2. The Software Selection Workbook
3. A Business Stakeholder Manual

Focus on Key Use Cases, Not an Endless Laundry List of Table Stakes Features

Focus on Critical Requirements

Failure to differentiate must-have and nice-to-have use cases leads to applications full of non-critical features.

Go Beyond the Table Stakes

Accelerate the process by skipping common requirements that we know that every vendor will support.

Streamline the Quantity of Use Cases

Working with a tighter list of core use cases increases time spent evaluating the most impactful functionality.

Over-Customization Kills Projects

Eliminating dubious “sacred cow” requirements reduces costly and painful platform customization.

Only Make Use of Essential Selection Artifacts

Vendor selection projects often demand extensive and unnecessary documentation

The Software Selection Workbook

Work through the straightforward templates that tie to each phase of the Rapid Application Selection Framework, from assessing the business impact to requirements gathering.

The Vendor Evaluation Workbook

Consolidate the vendor evaluation process into a single document. Easily compare vendors as you narrow the field to finalists.

The Guide to Software Selection: A Business Stakeholder Manual

Quickly explain the Rapid Application Selection Framework to your team while also highlighting its benefits to stakeholders.

Software Selection Engagement

Five advisory calls over a five-week period to accelerate your selection process

• Expert analyst guidance over five weeks on average to select and negotiate software.
• Save money, align stakeholders, speed up the process, and make better decisions.
• Use a repeatable, formal methodology to improve your application selection process.
• Better, faster results, guaranteed, included in membership.

Click here to book your selection engagement

Software Selection Workshop

With 40 hours of advisory assistance delivered online, select better software, faster.

• 40 hours of expert analyst guidance.
• Project and stakeholder management assistance.
• Save money, align stakeholders, speed up the process, and make better decisions.
• Better, faster results, guaranteed; $20K standard engagement fee.

CLICK HERE TO BOOK YOUR WORKSHOP ENGAGEMENT

5. Select Two Viable Options & Engage Both in Negotiation

✓ Save more during negotiation by selecting two viable alternatives.

✓ Surface a consolidated list of demands prior to entering negotiation.

✓ Communicate your success with the organization.

Save More During Negotiation by Selecting Two Viable Alternatives

VENDOR 1

Build in a realistic plan B that allows you to apply leverage to the incumbent or primary vendor of choice.

VENDOR 2

If the top contender is aware that they do not have competition, they will be less inclined to make concessions.

Maintain momentum with two options

• Should you realize that the primary contender is no longer a viable option (i.e. security concerns), keeping a second vendor in play enables you to quickly pivot without slowing down the selection project.

Secure best pricing by playing vendors off each other

• Vendors are more likely to give concessions on the base price once they become aware that a direct competitor has entered the evaluation.

Truly commit to a thorough analysis of alternatives

• By evaluating competitive alternatives, you’ll get a more comprehensive view on market standards for a solution and be able to employ a range of negotiation tactics.

Focus on 5-10 Specific Contract Change Requests

Accelerate negotiation by picking your battles

Share Stories of Cost Savings With the Organization

Secure IT’s seat at the table

Hard cost savings speak louder than words. Executive leadership will see IT as the go-to team for driving business value quickly, yet responsibly.

Build hype around the new software

Generate enthusiasm by highlighting the improved user experience provided by the new software that was has just been selected.

Drive end-user adoption

Position the cost savings as an opportunity to invest in onboarding. An application is only as valuable as your employees’ ability to effectively use it.

Keep the process rolling

Use the momentum from the project and its successful negotiation to roll out the accelerated selection approach to more departments across the organization.

Overall: The Magic Number Saves You Time and Money

Software selection takes forever. The process of choosing even the smallest apps can drag on for years: sometimes in perpetuity.

Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.

Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.

Key Takeaways for Improving Your Selection Process

Appendix

This study is based on a survey of 43,000 real-world IT practitioners.

• SoftwareReviews (a sister company of Info-Tech Research Group) collects and aggregates feedback on a wide variety of enterprise technologies.
• The practitioners are actual end users of hundreds of different enterprise application categories.
• The following slides highlight the supplementary data points from the comprehensive survey.

Methodology

A comprehensive study based on the responses of thousands of real-world practitioners.

INFO-TECH RESEARCH GROUP

Develop a Security Operations Strategy

Transition from a security operations center to a threat collaboration environment.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.

ANALYST PERSPECTIVE

“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group

Our understanding of the problem

Executive summary

Situation

• Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
• Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

Complication

• There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
• The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
• Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
• It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
• There is limited communication between security functions due to a centralized security operations organizational structure.

Resolution

• A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
• This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Info-Tech Insight

1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Data breaches are resulting in major costs across industries

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

(Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

Persistent issues

• Organizational barriers separating prevention, detection, analysis, and response efforts.
  Siloed operations limit collaboration and internal knowledge sharing.
• Lack of knowledgeable security staff.
  Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
• Failure to evaluate and improve security operations.
  The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
• Lack of standardization.
  Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
• Failure to acknowledge the auditor as a customer.
  Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

60% Of organizations say security operation teams have little understanding of each other’s requirements.

40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

38-100% Increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

The solution

“Empower a few administrators with the best information to enable fast, automated responses.” – Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security) Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations… When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime. The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization. Sources: Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Syngress. Designing and Building a Security Operations Center.

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.	Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.	Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
	Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.	Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Info-Tech’s security operations blueprint ties together various initiatives

Design and Implement a Vulnerability Management Program	Vulnerability Management Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.	Deliverables Vulnerability Tracking Tool Vulnerability Scanning Tool RFP Template Penetration Test RFP Template Vulnerability Mitigation Process Template
Integrate Threat Intelligence Into Your Security Operations	Threat Intelligence Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.	Maturity Assessment Tool Threat Intelligence RACI Tool Management Plan Template Threat Intelligence Policy Template Alert Template Alert and Briefing Cadence Schedule
Develop Foundational Security Operations Processes	Operations Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.	Maturity Assessment Tool Event Prioritization Tool Efficiency Calculator SecOps Policy Template In-House vs. Outsourcing Decision-Making Tool SecOps RACI Tool TCO & ROI Comparison Calculator
Develop and Implement a Security Incident Management Program	Incident Response Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.	Incident Management Policy Maturity Assessment Tool Incident Management RACI Tool Incident Management Plan Incident Runbook Prioritization Tool Various Incident Management Runbooks

This blueprint will…

…better protect your organization with an interdependent and collaborative security operations program.

Info-Tech integrates several best practices to create a best-of-breed security framework

Benefits of a collaborative and integrated operations program

Understand the cost of not having a suitable security operations program

A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Develop a Security Operations Strategy

PHASE 1

Assess Operational Requirements

This step will walk you through the following activities:

• Determine why you need a sound security operations program.
• Understand Info-Tech’s threat collaboration environment.
• Evaluate your current security operation’s functions and capabilities.

Outcomes of this step

• A defined scope and motive for completing this project.
• Insight into your current security operations capabilities.
• A prioritized list of security operations initiatives based on maturity level.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

Warm-up exercise: Why build a security operations program?

Estimated time to completion: 30 minutes

Info-Tech Best Practice

Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

Decentralizing the SOC: Security as a function

Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

Security operations must provide several fundamental functions: Real-time monitoring, detecting, and triaging of data from both internal and external sources. In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques. Network/host scanning and vulnerability patch management. Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders. Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment. Tuning and tweaking of technologies to ingest collected data and enhance the analysis process. Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.

At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

Understand the levels of security operations

Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

Foundational		Operational		Strategic
Intrusion Detection Management Active Device and Event Monitoring Log Collection and Retention Reporting and Escalation Management Incident Management Audit Compliance Vendor Management Ticketing Processes Packet Capture and Analysis SIEM Firewall Antivirus Patch Management		Event Analysis and Incident Triage Security Log Management Vulnerability Management Host Hardening Static Malware Analysis Identity and Access Management Change Management Endpoint Management Business Continuity Management Encryption Management Cloud Security (if applicable)		SIEM with Defined Use Cases Big Data Security Analytics Threat Intelligence Network Flow Analysis VPN Anomaly Detection Dynamic Malware Analysis Use-Case Management Feedback and Continuous Improvement Management Visualization and Dashboarding Knowledge Portal Ticket Documentation Advanced Threat Hunting Control and Process Automation eDiscovery and Forensics Risk Management
——Security Operations Capabilities—–›

Understand security operations: Establish a unified threat collaboration environment

Design and Implement a Vulnerability Management Program	Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure. Managing incident escalation and response. Coordinating root-cause analysis and incident gathering. Facilitating post-incident lessons learned. Managing system patching and risk acceptance. Conducting vulnerability assessment and penetration testing. Monitoring in real-time and triaging of events. Escalating events to incident management team. Tuning and tweaking rules and reporting thresholds. Gathering and analyzing external threat data. Liaising with peers, industry, and government. Publishing threat alerts, reports, and briefings. Info-Tech Best Practice Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

The threat collaboration environment is comprised of three core elements

Info-Tech Insight

The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.

	People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components: Who is responsible for each respective threat collaboration environment function? What are the required operational roles, responsibilities, and competencies for each employee? Are there formalized training procedures to onboard new employees? Is there an established knowledge transfer and management program?
	Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself: Are there defined runbooks that clearly outline critical operational procedures and guidelines? Is there a defined escalation protocol to transfer knowledge and share threats internally? Is there a defined reporting procedure to share intelligence externally? Are there formal and accessible policies for each respective security operations function? Is there a defined measurement program to report on the performance of security operations? Is there a continuous improvement program in place for all security operations functions? Is there a defined operational vendor management program?
	Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine: Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner? Can a solution integrate with existing controls? If so, to what extent? Is there a centralized log aggregation tool such as a SIEM? What is the operational cost to effectively manage each control? Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

Conduct a preliminary maturity assessment before tackling this project

Design and Implement a Vulnerability Management Program	At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

Assess the current maturity of your security operations program

	Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.”	Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.)	Document any/all comments for future Info-Tech analyst discussions.

Assign each security capability a reflective and desired maturity score.

	Ad Hoc
	1		Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
	2		Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
	3		Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
	4		Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
	5		Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
	Optimized

Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

Ensure that your threat collaboration environment is of a sufficient maturity before progressing

Review the report cards for each of the respective threat collaboration environment functions. A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative. A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative. A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you clearly defined the rationale for refining your security operations program?
• Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
• Have you assessed your respective people, process, and technological capabilities?
• Have you completed the Security Operations Preliminary Maturity Assessment Tool?
• Were all threat collaboration environment functions of a sufficient maturity level?

If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives

Develop a Security Operations Strategy

PHASE 2

Develop Maturity Initiatives

This step will walk you through the following activities:

• Establish your goals, obligations, scope, and boundaries.
• Assess your current state and define a target state.
• Develop and prioritize gap initiatives.
• Define cost, effort, alignment, and security benefit of each initiative.
• Develop a security strategy operational roadmap.

Outcomes of this step

• A formalized understanding of your business, customer, and regulatory obligations.
• A comprehensive current and target state assessment.
• A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
• A formally documented set of estimated priority variables (cost, effort, business alignment).
• A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

Info-Tech Insight

Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives

Align your security operations program with corporate goals and obligations

A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

Info-Tech Best Practice

Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

Determine your security operations program scope and boundaries

It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

Reference Info-Tech’s security strategy: goals, obligations, and scope activities

Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results. GOALS and OBLIGATIONS Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

Goals & Obligations

PROGRAM SCOPE & BOUNDARIES Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions. If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives: What is the message being delivered by the CEO? What are the main themes of investments and projects? What are the senior leaders measured on?

Program Scope & Boundaries

INFO-TECH OPPORTUNITY

For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

Complete the Information Security Requirements Gathering Tool

On tab 1. Goals and Obligations: Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused. In the second column, identify the corresponding security initiative that supports the obligation.
On tab 2. Scope and Boundaries: Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives. Complete the affiliated columns for a comprehensive scope assessment. As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

Info-Tech Best Practice

A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

Conduct a comprehensive security operations maturity assessment

The following slides will walk you through the process below.

Info-Tech Insight

Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance delivers value to your organization, each step along the way.

Optimize your security operations workflow

Info-Tech consulted various industry experts and consolidated their optimization advice.

Self-assess your current-state capabilities and determine the appropriate target state

Info-Tech Best Practice

When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

Consolidate related gap initiatives to simplify and streamline your roadmap

Identify areas of commonality between gap initiative in order to effectively and efficiently implement your new initiatives.

1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.

Initiatives		Consolidated Initiatives
Document data classification and handling in AUP	—›	Document data classification and handling in AUP	Keep urgent or exceptional initiatives separate so they can be addressed appropriately.
Document removable media in AUP	—›	Define and document an Acceptable Use Policy	Other similar or related initiatives can be consolidated into one item.
Document BYOD and mobile devices in AUP	—›
Document company assets in Acceptable Use Policy (AUP)	—›



2. Review grouped initiatives and identify specific initiatives should be broken out and defined separately.
3. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

Understand your organizational maturity gap

After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

Info-Tech Best Practice

Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

Define cost, effort, alignment, and security benefit

Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include: Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight. Whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project based consulting fees, etc. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking you can take 20-25% of initial cost as ongoing cost for maintenance and service. Define initial staffing in hours. This is total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total). Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a week time commitment (e.g. perform a vulnerability scan using our tool once a week) versus others that may have monthly, quarterly, or annual time commitments that need to averaged out per week (e.g. perform annual security review requiring 0.4 hours/week (20 hours total based on 50 working weeks per year).

Info-Tech Best Practice When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

Define cost, effort, alignment, and security benefit

Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either: Set low, medium, and high based on levels of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, IT support only) Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly support customer requirement/key contract OR enables remote workforce; Low – security best practice). Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as: Reduces compliance or regulatory risk by meeting a control requirement Reduces availability and operational risk Implements a non-existent control Secures high-criticality data Secures at-risk end users

Info-Tech Best Practice Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

Info-Tech Insight

You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

Apply your variable criteria to your initiatives

A financial services organization defined its target security state and created an execution plan

Review your prioritized security roadmap

Review the final Gantt chart to review the expected start and end dates for your security initiatives as part of your roadmap.

In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

Review considerations Does this roadmap make sense for our organization? Do we focus too much on one quarter over others? Will the business be going through any significant changes during the upcoming years that will directly impact this project?	This is a living management document You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart. As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

Consult an Info-Tech Analyst

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.	TJ Minichillo Senior Director – Security, Risk & Compliance Info-Tech Research Group Edward Gray Consulting Analyst – Security, Risk & Compliance Info-Tech Research Group Celine Gravelines Research Manager – Security, Risk & Compliance Info-Tech Research Group
If you are not communicating, then you are not secure.

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you identified your organization’s corporate goals along with your obligations?
• Have you defined the scope and boundaries of your security program?
• Have you determined your organization’s risk tolerance level?
• Have you considered threat types your organization may face?
• Are the above answers documented in the Security Requirements Gathering Tool?
• Have you defined your maturity for both your current and target state?
• Do you have clearly defined initiatives that would bridge the gap between your current and target state?
• Are each of the initiatives independent, specific, and relevant to the associated control?
• Have you indicated any dependencies between your initiatives?
• Have you consolidated your gap initiatives?
• Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
• Have you applied prioritization parameters to each consolidated initiative?
• Have you recorded your final prioritized roadmap in the Gantt chart tab?
• Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies

Develop a Security Operations Strategy

PHASE 3

Define Operational Interdependencies

This step will walk you through the following activities:

• Understand the current security operations process flow.
• Define the security operations stakeholders and their respective deliverables.
• Formalize an internal information sharing and collaboration plan.

Outcomes of this step

• A formalized security operations interaction agreement.
• A security operations service and product catalog.
• A structured operations collection plan.

Info-Tech Insight

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Tie everything together with collaboration

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Info-Tech Best Practice

Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

Understand the security operations process flow

Process standardization and automation is critical to the effectiveness of security operations.

Document your security operations’ capabilities and tasks

Document your security operations’ functional capabilities and operational tasks to satisfy each capability.	What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement.	Identify the affiliated product, service, or output generated from the task/capability.	Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
Capabilities The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.		Tasks The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Convert your results into actionable process flowcharts

Map each functional task or capability into a visual process-flow diagram.

The title should reflect the respective capability and product output. List all involved stakeholders (inputs and threat escalation protocol) along the left side. Ensure all relevant security control inputs are documented within the body of the process-flow diagram. Map out the respective processes in order to achieve the desired outcome. Segment each process within its own icon and tie that back to the respective input.

Title: Output #1

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Formalize the opportunities for collaboration within your security operations program

Security Operations Collaboration Plan

Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

How to customize The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components: Security operations program scope and objectives Operational capabilities and outputs on a per function basis A needs and requirements collection plan Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule) A security operations RACI chart

Info-Tech Best Practice

Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

Assign responsibilities for the threat management process

Security Operations RACI Chart & Program Plan

Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

How to customize Customize the header fields with applicable stakeholders. Identify stakeholders that are: Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made. Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor. Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs). Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Identify security operations consumers and their respective needs and requirements

Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

Info-Tech Best Practice

“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)

Define the stakeholders, their respective outputs, and the underlying need

Security Operations Program Service & Product Catalog

Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

Action/Output		Frequency			Stakeholders/Function
Document the key services and outputs produced by the security operations program. For example: Real-time monitoring Event analysis and incident coordination Malware analysis External information sharing Published alerts, reports, and briefings Metrics		Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment.			Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. Vulnerability Management Threat Intelligence Tier 1, 2, and 3 Analysts Incident Response MSSP Network Operations
Remember to include any target-state outputs or services identified in the maturity assessment.			Use this exercise as an opportunity to organize your security operations outputs and services.

Info-Tech Best Practice

Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

Internal information sharing helps to focus operational efforts

Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

• Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
• Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.

Define the routine of your security operations program in a detailed cadence schedule

Security Operations Program Cadence Schedule Template

Design your meetings around your security operations program’s outputs and capabilities

How to customize Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following: Activity, output, or topic being discussed. Participants and stakeholders involved. Value and purpose of meeting. Duration and frequency of each meeting. Investment per participant per meeting.

Info-Tech Best Practice

Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

Apply a strategic lens to your security operations program

Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

Strategies

1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
2. Quantify the ROI for the given project.
3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
4. Communicate the implications, value, and benefits of a security operations program.
5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

(Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)

Info-Tech Best Practice

Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

Example: Align your strategic needs with that of management.

Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

Develop a comprehensive measurement program to evaluate the effectiveness of your security operations

Info-Tech Best Practice Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.

Download Info-Tech’s Security Operations Metrics Summary Document.

Identify the triggers for continual improvement

Continual Improvement

• Audits: Check for performance requirements in order to pass major audits.
• Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
• Process maturity: Opportunity to increase efficiency of services and processes.
• Management reviews: Routine reviews that reveal gaps.
• Technology advances: For example, new security architecture/controls have been released.
• Regulations: Compliance to new or changed regulations.
• New staff or technology: Disruptive technology or new skills that allow for improvement.

Conduct tabletop exercises with Info-Tech’s onsite workshop

Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures. How to customize Use the templates to document actions and actors. For each new injection, spend three minutes discussing the response as a group. Then spend two minutes documenting each role’s contribution to the response. After the time limit, proceed to the following injection scenario. Review the responses only after completing the entire exercise.

This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.

Are you ready to implement your security operations program?

Self-Assessment Questions

• Is there a formalized security operations collaboration plan?
• Are all key stakeholders documented and acknowledged?
• Have you defined your strategic needs and requirements in a formalized collection plan?
• Is there an established channel for management to communicate needs and requirements to the security operation leaders?
• Are all program outputs documented and communicated?
• Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
• Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
• Does your organization actively participate in external information sharing through the use of ISACs?
• Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
• Have you assigned program responsibilities in a detailed RACI chart?
• Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
• Have you developed a structured measurement program on a per function basis?
• Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”

If you answered “yes” to the questions, then you are ready to implement your security operations program.

Summary

Insights Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.		Best Practices Have a structured plan of attack. Define your unique threat landscape, as well as business, regulatory, and consumer obligations. Foster both internal and external collaboration. Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment. Do not bite off more than you can chew. Identify current people, processes, and technologies that satisfy immediate problems and enable future expansion. Leverage threat intelligence to create a predictive and proactive security operations analysis process. Formalize escalation procedures with logic and incident management flow. Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected. Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next. Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment
Protect your organization with an interdependent and collaborative security operations program.

Bibliography

“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.

Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.

Anderson, Brandie. “ Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.

Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.

Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.

Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.

“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.

“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.

“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.

Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.

“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.

“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.

“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.

“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.

“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.

Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.

“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.

EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.

Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.

“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.

Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.

Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.

“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.

Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.

“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.

“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.

Joshi Follow , Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.

Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.

Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.

Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.

Kindervag , John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.

Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.

Lambert, P. “ Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.

Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.

Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.

Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.

Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.

Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.

“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.

Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.

Marchany, R. “ Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.

Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.

Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.

Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.

Muniz, Joseph and Gary McIntyre. “ Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.

Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.

Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.

National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.

National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.

National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.

F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.

“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.

“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.

Paganini, Pierluigi. “What Is a SOC ( Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.

Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.

Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.

Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.

Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.

Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.

Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.

Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.

Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.

Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.

Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.

SANS Institute. “Incident Handler's Handbook.” 2011. Web.

Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.

Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.

“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.

“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.

“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.

“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.

Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.

Soto, Carlos. “ Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.

“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.

“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.

“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.

“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.

“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.

Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.

Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.

Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.

Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.

Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.

INFO-TECH RESEARCH GROUP

Analyze Your Service Desk Ticket Data

Take a data-driven approach to service desk optimization.

EXECUTIVE BRIEF

Analyst Perspective

Benedict Chang Research Analyst, Infrastructure & Operations Info-Tech Research Group

Ken Weston ITIL MP, PMP, Cert.APM, SMC Research Director, Infrastructure & Operations Info-Tech Research Group

The perfect time to start analyzing your ticket data is now

Service desks improve their services by leveraging ticket data to inform their actions. However, many organizations don’t know where to start. It’s tempting to wait for perfect data, but there’s a lot of value in analyzing your ticket data as it exists today.

Start small. Track key tension metrics based on the out-of-the-box functionality in your tool. Review the metrics regularly to stay on track.

By reviewing your ticket data, you’re going to get better organically. You’re going to learn about the state of your environment, the health of your processes, and the quality of your services. Regularly analyze your data to drive improvements.

Make ticket analysis a weekly habit. Every week, you should be evaluating how the past week went. Every month, you should be looking for patterns and trends.

Executive Summary

Your Situation

Leverage your service desk ticket data to gain insights for improving your operations:

1. Use a data-based approach to allocate service desk resources.
2. Design appropriate SLOs and SLAs to better service end users.
3. Gain efficiencies for your shift-left strategy.
4. Communicate the current and future value of the service desk to the business.

Common Obstacles

Properly analyzing ticket data is challenging for the following reasons:

• Poor ticket hygiene and unclear ticket handling guidelines can lead to untrustworthy results.
• Undocumented tickets from various intake channels prevents you from seeing the whole picture.
• Service desk personnel are not sure where to start with analysis and are too busy to find time.
• Too many metrics are tracked to parse actionable insights from the noise.

Info-Tech’s Approach

Info-Tech’s approach to improvement:

• To reduce the noise, standardize your ticket data in a format that will ease analysis.
• Start with common analyses using the cleaned data set.
• Identify action items based on your ticket data.

Analyze your ticket data to help continually improve your service desk.

Slow down. Give yourself time.

Give yourself time to observe the new metrics and draw enough insights to make recommendations for improvement. Then, execute on those recommendations. Slow and steady improvement of the service desk only adds business value and will have a positive impact on customer satisfaction.

Your challenge

This research is designed to help service desk managers analyze their ticket data

Analyzing ticket data involves:

• Collecting ticket data and keeping it clean. Based on the metrics you’re analyzing, define ticket expectations and keep the data up to date.
• Showing the value of the service desk. SLAs are meaningless if they are not met consistently. The prerequisite to implementing proper SLAs is fully understanding the workload of the service desk.
• Understanding – and improving – the user experience. You cannot improve the user experience without meaningful metrics that allow you to understand the user experience. Different user groups will have different needs and different expectations of the level of service. Your metrics should reflect those needs and expectations.

36% of organizations are prioritizing ticket handling in IT for 2021 (Source: SDI, 2021)

12% of organizations are focusing directly on service desk improvement (Source: SDI, 2021)

Common obstacles

Many organizations face these barriers to analyzing their ticket data:

• Finding time to properly analyze ticket data is a challenge. Not knowing where to start can lead to not analyzing the proper data. Service desks end up either tracking too much data or not tracking the proper metrics.
• Data, even if clean, can be housed in various tools and databases. It’s difficult to aggregate data if the data is stored throughout various tools. Comparisons may also be difficult if the data sets aren’t consistent.
• Shifting left to move tickets toward self-service is difficult when there is no visibility into which tickets should be shifted left.

What your peers are saying about why they can’t start analyzing their ticket data:

• “My technicians do not consistently update and close tickets.”
• “My ITSM doesn’t have the capabilities I need to make informed decisions on shifting tickets left.”
• “My tickets are always missing data”
• “I’m constantly firefighting. I have no time for ticket data analysis.”
• “I have no idea where to start with the amount of data I have.”

Common obstacles that prevent effective ticket analysis

We asked IT service desk managers and teams about their biggest hurdles

Info-Tech’s approach

Repeat this analysis every business cycle:

• Gather Your Data
  Collect your ticket data OR start measuring the right metrics.
• Extract & Analyze
  Organize and visualize your data to extract insights
• Action the Results
  Implement low-effort improvements and celebrate quick successes.
• Implement Larger Changes
  Reference your ticket data while implementing process, tooling, and other changes.
• Communicate the Results
  Use your data to show the value of your effort.

Measure the value of this blueprint

Track these metrics as you improve

Use the data to tell you which aspects of IT need to be shifted left and which need to be automated

Your data will show you where you can improve.

As you act on your data, you should see:

• Lower costs per ticket
• Decreased average time to resolve
• Increased end-user satisfaction
• Fewer tickets escalated beyond Tier 1

See Info-Tech’s blueprint Optimize the Service Desk With a Shift-Left Strategy.

Info-Tech’s methodology for analyzing service desk tickets

Insight summary

Slow down. Give yourself time.

Give yourself time to observe the new metrics and draw enough insights to make recommendations for improvement. Then, execute on those recommendations. Slow and steady improvement of the service desk only adds business value and will have a positive impact on customer satisfaction.

Iterate on what to track rather than trying to get it right the first time.

Tracking the right data in your ticket can be challenging if you don’t know what you’re looking for. Start with standardized fields and iterate on your data analysis to figure out your gaps and needs.

If you don’t know where to go, ticket data can point you in the right direction.

If you have service desk challenges, you will need to allocate time to process improvement. However, prioritizing your initiatives is easier if you have the ticket data to point you in the right direction.

Start with data from one business cycle.

Service desks don’t need three years’ worth of data. Focus on gathering data for one business cycle (e.g. three months). That will give you enough information to start generating value.

Let the data do the talking.

Leverage the data to drive organizational and process change in your organization by tracking meaningful metrics. Choose those metrics using business-aligned goals.

Paint the whole picture.

Single metrics in isolation, even if measured over time, may not tell the whole story. Make sure you design tension metrics where necessary to get a holistic view of your service desk.

Blueprint deliverables

Blueprint benefits

IT Benefits

• Discover and implement the proper metrics to improve your service desk
• Use a data-based approach to improve your customer service and operational goals
• Increase visibility with the business and other IT departments using a structured presentation

Business Benefits

• Quicker resolutions to incidents and service requests
• Better expectations for the service desk and IT
• Better visibility into the current state, challenges, and goals of the service desk
• More effective support when contacting the service desk

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 3-4 calls over the course of 2-3 months.

What does a typical GI on this topic look like?

Phase 1

• Call #1: Scope requirements, objectives, and your specific challenges. Enter your data into the tool.

Phase 2

• Call #2: Assess the current state across the different dashboards.

Phase 3

• Call #3: Identify improvements and insights to include in the communication report.
• Call #4: Review the service desk ticket analysis report.

PHASE 1

Import Your Ticket Data

This phase will walk you through the following activities:

• 1.1.1 Define your objectives for analyzing ticket data
• 1.1.2 Identify success metrics
• 1.1.3 Import your ticket data into the tool
• 1.1.4 Update your ticket fields for future analysis

This phase involves the following participants:

• Service Desk Manager
• ITSM Manager
• Service Desk Technician

1.1.1 Define your objectives for analyzing ticket data

Input: Understanding of current service desk process and ticket routing

Output: Defined objectives for the project

Materials: Whiteboard/flip charts, Ticket Analysis Report

Participants: Service Desk Staff, Service Desk Manager, IT Director, CIO

Use the discussion questions below as a guide

1. Identify your main objective for analyzing ticket data. Use these three sample objectives as a starting point:
   • Demonstrate value to the business by improving customer service.
   • Improve service desk operations.
   • Reduce the number of recurring incidents.
2. Answer the following questions as a group:
   • What challenges do you have getting accurate data for this objective?
   • What data is missing for supporting this objective?
   • What kind of issues must be solved for us to make progress on achieving this objective?
   • What decisions are held up from a lack of data?
   • How can better ticket data help us to more effectively manage our services and operations?

Document in the Ticket Analysis Report.

1.1.2 Identify success metrics

Select metrics that will track your progress on meeting the objective identified in Activity 1.1.1.

Input: Understanding of current service desk process and ticket routing

Output: Defined objectives for the project

Materials: Whiteboard/flip charts, Ticket Analysis Report

Participants: Service Desk Manager, IT Director, CIO

Use these sample metrics as a starting point:

Document in the Ticket Analysis Report.

Inefficient ticket-handling processes lead to SLA breaches and unplanned downtime

Analyze the ticket data to catch mismanaged or lost tickets that lead to unnecessary escalations and impact business profitability

• Ticket Category – Are your tickets categorized by type of asset? By service?
• Average Ticket Times – How long does it take to resolve or fulfill tickets?
• Ticket Priority – What is the impact and urgency of the ticket?
• SLA/OLA Violations – Did we meet our SLA objectives? If not, why?
• Ticket Channel – How was the issue reported or ticket received?
• Response and Fulfillment – Did we complete first contact resolution? How many times was it transferred?
• Associated Tasks and Tickets – Is this incident associated with any other tasks like change tickets or problem tickets?

Encourage proper ticket-handling procedures to enable data quality

Ensure everyone understands the expectations and the value created from having ticket data that follows these expectations

• Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem.
• Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along within the ticket to the next technician.
• Update user of ETA if issue cannot be resolved quickly.
• Ticket templates for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.
• Update categories to reflect the actual issue and resolution.
• Reference or link to the knowledgebase article as the documented steps taken to resolve the incident.
• Validate with the client that the incident is resolved; automate this process with ticket closure after a certain time.
• Close or resolve the ticket on time.

Info-Tech Insight

Ticket handling ensures clean handovers, whether it is to higher tiers or back to the customer. When filling the ticket out with information intended for another party, ensure the information is written for their benefit and from their point of view.

Service Desk Ticket Analysis Tool overview

The Service Desk Ticket Analysis Tool will help you standardize your ticket data in a meaningful format that will allow you to apply common analyses to identify the actions you need to take to improve service desk operations

TABS 1 & 2 INSTRUCTIONS & DATA ENTRY	TAB 3 : TICKET SUMMARY TICKET SUMMARY DASHBOARDS	TABS 4 to 8: DASHBOARDS INCIDENT SERVICE REQUEST CATEGORY
Input at least three months of your exported ticket data into the corresponding columns in the tool to feed into the common analysis graphs in the other tabs.	This tab contains multiple dashboards analyzing how tickets come in, who requests them, who resolves them, and how long it takes to resolve them.	These tabs each have dashboards outlining analysis on incidents and service requests. The category tab will allow you to dive deeper on commonly reported issues.

1.1.3 Import your data into our Service Desk Ticket Analysis Tool

You can still leverage your current data, but use this opportunity to improve your service desk ticket fields down the line

Input: ITSM data log

Output: Populated Service Desk Ticket Data Analysis Tool

Materials: Whiteboard/flip charts, Service Desk Ticket Analysis Tool

Participants: Service Desk Manager, Service Desk Technicians

Start here:

• Extract your ticket data from your ITSM tool in an Excel or text format.
• Look at the fields on the data entry tab of the Service Desk Ticket Analysis Tool.
• Fill the fields with your ticket data by copying and pasting relevant sections. It is okay if you don’t have all the fields, but take note of the fields you are missing.
• With the list of the fields you are missing, run through the following activity to decide if you will need to adopt or add fields to your own service desk ticket tool.

When entering your data, pay close attention to the following fields:

• Time to Resolve: This is automatically calculated using data in the Open Date, Open Time, Close Date, and Close Time fields. You have three options for entering your data in these fields:
  1. Enter your data as the fields describe. Ensure your data contain only the field description (e.g. Open Date separated from Open Time). If your data contain Open Date AND Open Time, Excel will not show both.
  2. Enter your data only in Open Date and Close Date. If your ITSM does not separate date and time, you can keep the data in a single cell and enter it in the column. The formula in Time to Resolve will still be accurate.
  3. If your ITSM outputs Time to Resolve, overwrite the formula in the Time to Resolve column.
• SLA: If your ITSM outputs SLA fulfilled: Y/N, enter that directly into the SLA Fulfilled column.
• Blank Columns: If you do not have data for all the columns, that is okay. Continue with the following activity. Note that some stock dashboards will be empty if that is the case.
• Incidents vs. Service Requests: If you separate incidents and service requests, be sure to capture that in the SR/Incident for Tabs 4 and 5. If you do not separate the two, then you will only need to analyze Tab 3.

Use Info-Tech’s tool instead of building your own. Download the Service Desk Ticket Analysis Tool.

1.1.4 Update your ticket fields for future analysis

Input: Populated Service Desk Ticket Data Analysis Tool

Output: New ticket fields to track

Materials: Whiteboard/flip charts, Service Desk Ticket Analysis Tool

Participants: Service Desk Manager, Service Desk Technicians

As a group, pay attention to the ticket fields populated in the tool as well as the ticket fields that you were not able to populate. Use the example “Fields Captured” table to the right, which lists all fields present in the ticket analysis tool.

Discuss the following questions:

1. Consider the fields not captured. Would it be valuable to start capturing that data for future analysis?
2. If so, does your ITSM support that field?
3. Can you make the change in-house or do you have to bring in an external ITSM administrator to make the change?
4. Capture the results in the Ticket Analysis Report.

Document in the Ticket Analysis Report.

Info-Tech Insight

Don’t wait for your ticket quality to be perfect. You can still draw actions from your ticket data. They will likely be process improvements initially, but the exercise of pulling the data is a necessary first step.

Common ticket fields tracked by your peers

Which of these metrics do you track and action?

• Remember you don’t have to track every metric. Only track metrics that are actionable.

For each metric that you end up tracking:

• Look for trends over time.
• Brainstorm reasons why the metric could rise or fall.

Associate a metric with each improvement you execute.

• Performing this step will allow you to better see the value from your team’s efforts.
• It will also give you a quicker response than waiting for spikes in your data.

(Source: Info-Tech survey, 2021; N=20)

PHASE 2

Analyze Your Ticket Data

This phase will walk you through the following activities:

• 2.1.1 Review high-level ticket dashboards
• 2.2.1 Review incident, service request, and ticket category dashboards

This phase involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Visualize your ticket data as a first step to analysis

Identifying trends is easier when looking at diagrams, graphs, and figures

Start your analysis with common visuals employed by other service desk professionals

• Phase 2 will walk you through visualizing your data to get a better understanding of your ticket intake, incident management, and service request management.
• Each step will walk you through:
  • Common visualizations used by service desks
  • Patterns to look for in your visualizations
  • Actions to take to address negative patterns and to continue positive trends
• Share diagrams that underscore both the value being provided by the service desk as well as the scope of the pain points. Use Info-Tech’s Ticket Analysis Report template as a starting point.

“Being able to tell stories with data is a skill that’s becoming ever more important in our world of increasing data and desire for data-driven decision making. An effective data visualization can mean the difference between success and failure when it comes to communicating the findings of your study, raising money for your nonprofit, presenting to your board, or simply getting your point across to your audience.” - Cole Knaflic, Founder and CEO, Storytelling with Data: A Data Visualization Guide for Business Professionals

Use the detailed dashboards to determine the next steps for improvement

A single number doesn’t tell the whole picture

Analyze trends over time:

• Analyze trends by day, by week, by month, and by year to determine:
  • When are the busy periods? (E.g. Do tickets tend to spike every morning, every Monday, or every September?)
  • When are the slow periods? (E.g. Do tickets drop at the end of the day, at midday, on Fridays, or over the summer?)
• Are spikes or drops in volume consistent trends or one-time anomalies?

Then build a plan to address them:

• How will you handle volume spikes, if they’re consistent?
• What can your resources work on during slow times, if they are consistent?
• If you assume no shrinkage, can you handle the peaks in volume if you make all FTEs available to work on tickets at a certain time of day?

Look for seasonal trends. In this example, we see high ticket volumes in May and January, with lower ticket volumes in June and July when many staff are taking holidays. However, also be careful to look at the big picture of how you pulled the data. August through October sees a high volume of open tickets because the data set is pulled in November, not because there’s a seasonal spike on tickets not closing at the end of the fiscal year.

Track ticket data over time

Make low-effort adjustments before major changes

Don’t rush to a decision based off the first numbers you see

Review ticket summary dashboard

Ideally, you should track ticket patterns over an entire year to get a full sense of trends within each month of the year. At minimum, track for 30 days, then 60, then 90, and see if anything changes. The longer you can track ticket patterns, the more accurate your picture will be.

Review additional dashboards

If you separate incidents and service requests, and you have accurate ticket categories, then you can use these dashboards to further break down the data to identify ticket trends.

The output of the ticket analysis will only be as accurate as its input.
To get the most accurate results, first ensure your data is accurate, then analyze it over as much time as possible. Aggregating with accurate data will give you a better picture of the trends in demand that your service desk sees.

Not separating incidents and service requests? Need to fix your ticket categories? Visit Standardize the Service Desk to get started.

Analyze incidents and requests separately

Each type has its own set of customer experiences and expectations

• Different ticket types are associated with radically different prioritization, routing, and service levels. For instance, most incidents are resolved within a business day, but requests take longer to implement.
• If you fail to distinguish between ticket types, your metrics will obscure service desk performance.
• From a ticket analysis standpoint, separating ticket types prior to analysis or, better yet, at intake allows for cleaner data. In turn, this means more structured analyses, better insights, and more meaningful actions. Not separating ticket types may still get you to the same conclusions, but it will be much more difficult to sift through the data.

Incident

An unanticipated interruption of a service.
The goal of incident management is to restore the service as soon as possible, even if the resolution involves a workaround.

Request

A generic description for a small change or service access.
Requests are small, frequent, and low risk. They are best handled by a process distinct from incident, change, and project management.

Not separating incidents and service requests? Need to fix your ticket categories? Visit Standardize the Service Desk to get started.

Step 2.1

Analyze Your High-Level Ticket Data

Dashboards

• Ticket Volume
• Ticket Intake
• Ticket Handling and Resolution
• Ticket Categorization

This step will walk you through the following activities:

Visualize the current state of your service desk.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Build your metrics baseline to compare with future metric results.

Dashboards: Ticket Volume

Analyze your data for insights

• Analyze volume trends by day, by week, by month, and by year to determine:
  • When are the busy periods? (E.g. Do tickets tend to spike every morning, every Monday, or every September?)
  • When are slow periods? (E.g. Do tickets drop at the end of the day, at midday, on Fridays, or over the summer?)
• Are spikes or drops in volume consistent trends or one-time anomalies?
• What can your resources be working on during slow times? Are you able to address ticket backlog?

Dashboards: Ticket Intake

Analyze your data for insights

• Determine how to drive intake to the most appropriate solution for your organization:
  • A web portal is the most efficient intake method, but it must be user friendly to increase its adoption.
  • The phone should be available for urgent requests or incidents. Encourage those who call with a request to submit a ticket through the portal.
  • Discourage use of email if it is unstructured, as users don’t provide enough detail, and often two or three transactions are required for triage.
  • If walk-ups are encouraged, structure and formalize the support so it can be resourced and managed rather than interrupt-driven.

Dashboard: Ticket Handling and Resolution

Analyze your data for insights

• Look at your ticket load by technician and by tier. This is an essential step to set your baseline to measure your shift-left initiatives. If you are focusing on self-service or Tier 1 training, the ticket load from higher tiers should decrease over time.
• If Tiers 2 and 3 are handling the majority of the tickets, this could be a red flag indicating tickets are inappropriately escalated or Tier 1 could use more training and support.
• For average time to resolve and average time to resolve by tier, are you meeting your SLAs? If not, are your SLAs too aggressive? Are tickets left open and not properly closed?

Dashboard: Ticket Categorization

Analyze your data for insights

• Ticket categorization is critical to clean data. Having a categorization scheme with categories that are miscellaneous, too specific, or too general easily leads to inaccurate reporting or confusing workflows for technicians.
• When looking at your ticket categories, first look for duplicate categories that could be collapsed into one.
• Also look at your top five to seven categories and see if they make sense. Are these good candidates in your organization for automation or shift-left?
• Compare your Tier 1 categories. The level of specificity for these categories should be comparable to easily run reports. If they are not, assess the need for a category redesign.

Step 2.2

Analyze Incidents, Service Requests, and Ticket Categories

Dashboards

• Incidents
• Service Requests
• Volume by Ticket Category
• Resolution Times by Priority and/or Category
• Tabs for More Granular Investigation and Reporting

This step will walk you through the following activities:

Visualize your incident and service request ticket load and analyze trends. Use this information and cross reference data sets to gain a holistic view of how the service desk interacts with IT and the business.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Gain actionable, data-driven improvements based on your incident and service request data. Show the value of the service desk and highlight improvements needed.

Incident and Service Requests Dashboard: Priority and SLA

Analyze your data for insights

• Your ticket priority distribution for overall load and time to resolve (TTR) should look something like above with low-priority tickets having higher load and TTR and high/critical-priority tickets having a lower load and lower TTR. If it is reversed, that is a good indication that the service desk is too reactive or isn’t properly prioritizing its work.
• If your SLA has a high failure rate, consider reassessing your targets with SLOs that you can meet before publishing them as achievable SLAs.

Incident and Service Requests Dashboard: Priority and SLA

Analyze your data for insights

• Examine your ticket handling by looking at ticket status and resolution codes.
  • If you have a lot of blanks, then tickets are not properly handled. Consider reinforcing your standards for close codes and statuses.
  • Alternatively, if tickets are left open, you may have to build follow-ups on stale tickets into your process or introduce proper auto-close processes.

Category, Resolution Time, and Resolution Code Dashboards

These PivotCharts allow you to dig deeper

Investigate whether there are trends in ticket volume and resolution times within specific categories and subcategories

Tab 6, Category Dashboard; tab 7, Resolution Time Dashboard; and tab 8, Resolution Code Dashboard are PivotCharts. Use these tabs to investigate whether there are trends in ticket volume, resolution times, and resolution codes within specific categories and subcategories.

Start with the charts that are available. The +/- buttons will allow you to show more granular information. By default, this granularity will be into the levels of the ticket categorization scheme.

For most categorization schemes, there will be too many categories to properly graph. You can apply a filter to investigate specific categories by clicking on the drop-down buttons.

Use these tabs for more granular investigation and reporting

TAB 6 CATEGORY DASHBOARD	TAB 7 RESOLUTION TIME DASHBOARD	TAB 8 RESOLUTION TIME DASHBOARD
Investigate ticket distributions in first, second, and third levels. Are certain categories overcrowded, suggesting they can be split? Are certain categories not being used?	Do average resolution times match your service level agreements? Do certain categories have significantly different resolution times? Are there areas that can benefit from shift-left?	Are resolution codes being accurately used? Are there trends in resolution codes? Are these codes providing sufficient information for problem management?

PHASE 3

Communicate Your Insights

This phase will walk you through the following activities:

• 3.1.1 Review common recommendations
• 3.2.1 Review ticket reports daily
• 3.2.2 Incorporate ticket data into retrospectives and team updates
• 3.2.3 Regularly review trends with business leaders
• 3.2.4 Tell a story with your data

This phase involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Step 3.1

Build Recommendations Based on Your Ticket Data

Activities

• 3.1.1 Review common recommendations

This step will walk you through the following activities:

Review common recommendations as a first step to extracting insights from your own data.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians

Outcomes of this step

You will gain an understanding of the common challenges with service desks and ticket analysis in general. See which ones apply to you to inform your ticket data analysis moving forward.

Review these common recommendations

1. Fix your ticket categories
   Organize your ticket categorization scheme for proper routing and reporting.
2. Focus more on self-service
   Self-service is essential to enable shift-left strategies. Focus on knowledgebase processes and portal ease of use.
3. Update your service catalog
   Improve your service catalog, if necessary, to make it easy for end users to request services and for the service desk to provide those services.
4. Direct volume toward other channels
   Walk-ups make it more difficult to properly log tickets and assign service desk resources. Drive volume to other channels to improve your ticket quality.
5. Crosstrain Tier 1 on certain topics
   Tier 1 breadth of knowledge is essential to drive up first contact resolution.
6. Build more automation
   Identify bottlenecks and challenges with your ticket data to streamline ticket handling and resolution.
7. Revisit service level agreements
   Update your SLAs and/or SLOs to prioritize expectation management for your end users.
8. Improve your data quality
   You can only analyze data that exists. Revisit your ticket-handling guidelines and more regularly check tickets to ensure they comply with those standards.

Optimize your processes and look for opportunities for automation

Leverage Info-Tech research to improve service desk processes

Review your service desk processes and tools for optimization opportunities:

• Clearly establish ticket-handling guidelines.
• Use ticket templates to reduce time spent entering tickets.
• Document incident management and service request fulfillment workflows and eliminate any unnecessary steps.
• Automate manual tasks wherever possible.
• Build or improve a self-service portal with a knowledgebase to allow users to resolve their own issues, reducing incoming ticket volume to the service desk.
• Optimize your internal knowledgebase to reduce time spent troubleshooting recurring issues.
• Leverage AI capabilities to speed up ticket processing and resolution.

Standardize the Service Desk

This project will help you build and improve essential service desk processes, including incident management, request fulfillment, and knowledge management.

Optimize the Service Desk With a Shift-Left Strategy

This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

Step 3.2

Action and Communicate Your Ticket Data

Activities

• 3.2.1 Review your ticket queues daily
• 3.2.2 Incorporate ticket data into retrospectives and team status updates
• 3.2.3 Regularly review trends with business leaders
• 3.2.4 Tell a story with your data

This step will walk you through the following activities:

Organize your scrums to report on the metrics that will inform daily and monthly operations.

This step involves the following participants:

• Service Desk Manager
• Service Desk Technicians
• IT Managers

Outcomes of this step

Use the dashboards and data to inform your daily and monthly scrums.

3.2.1 Review your ticket queues daily

Clean data is still useless if not used properly

• The metrics you’ve chosen to measure and visualize in the previous step are useful for informing your day-to-day, week-to-week, and month-to-month strategies for the service desk and IT. Conduct scrums daily to action your dashboard data to help clear ticket queues.
• Reference your dashboards daily with each IT team.
• You need to have a dashboard of open tickets assigned to each team.

Review Daily

• Ticket volume over the last day (look for spikes)
• SLA breach risks/SLA breaches
• Recurring incidents
• Tickets open
• Tickets handed over (confirmation of handover)

3.2.2 Incorporate ticket data into retrospectives and team status updates

Explain your metric spikes and trends

• Hold weekly or monthly meetings to review the ticket trends selected during Phases 1 and 2 of this blueprint.
• Review ticket spikes, identify seasonal trends, and discuss root causes (e.g. projects/changes going live, onboarding blitz).
• Discuss any actions associated with spikes and seasonal trends (e.g. resource allocation, hiring, training).
• You can incorporate other IT leaders or departments in this meeting as needed to discuss action items for improvement, quality assurance concerns, customer service concerns, and/or operating level agreement concerns.

Review Weekly/Monthly

• Ticket volume
• Ticket category by priority level over time
• Tickets from different business groups, VIP groups, and different vertical levels
• Tickets escalated, tickets that didn’t need to be escalated, tickets that were incorrectly escalated
• Ticket priority levels over time
• Most requested services
• Tickets resolved by which group over time
• Ability to meet SLAs and OLAs over time by different groups

3.2.3 Regularly review trends with business leaders

Use your data to help improve business relationships

Review the following with business leaders:

• Volume of work done this past time cycle for the leader’s group
• Trends and spikes in the data and possible explanations for them (note: get their input on the potential causes of trends)
• Improvements you plan to execute within the service desk
• Action items you need from the business leader

Use your data to show the value you provide to the group. Schedule quarterly meetings with the heads of different business groups to discuss the work that the service desk does for each group.

Show trends in incidents and service requests: “I see you have a spike in CRM tickets. I’ve been working with the CRM team to address this issue.”

3.2.4 Tell a story with your data

Effectively communicate with the business and leadership

• With your visualized metrics, organize your story into a presentation for different stakeholder groups. You can use the Ticket Analysis Report as a starting point to provide data about:
  • Value provided by the service desk
  • Successes
  • Opportunities for Improvements
  • Current state of KPIs
• Include information about the causes of data trends and actions you will take in response to the data.
• For each of these themes, look at the metrics you’ve chosen to track and see which ones fit to tell the story. Let the data do the talking.
• Consider supplementing the ticket data with data from other systems. For example, you can include data on transactional customer satisfaction surveys, knowledgebase utilization, and self-service utilization.

Download the Ticket Analysis Report.

Ticket Analysis Report

Include the following information as you build your ticket analysis report:

• Value Provided by the Service Desk
  Start with the value provided by the service desk to different areas of the business. Include information about first contact resolution, average resolution times, ticket volume (e.g. by category, priority, location, requestor).
• Successes
  Successes is a general field that can include how process improvements have impacted the service desk or how initiatives have enhanced shift-left opportunities. Highlight any positive trends over time.
• Opportunities for Improvement
  Let the data guide the conversation to where improvements can be made. Day-to-day ops, self-service tools, shifting work left from Tier 2, Tier 3, standardizing a non-standard service, and staffing adjustments are possibilities for this section.
• Current State of KPIs
  Mean time to resolve, FCR, ticket volume, and end-user satisfaction are great KPIs to include as a starting point.

Download the Ticket Analysis Report.

Summary of Accomplishment

Problem Solved

You now have a better understanding of how to action your service desk ticket data, including improvements to your current ticket templates for incidents and service requests.

You also have the data to craft a story to different stakeholder groups to celebrate the successes of the service desk and highlight possible improvements. Continue this exercise iteratively to continue improving the service desk.

Remember, ticket analysis is not a single event but an ongoing initiative. As you track, analyze, and action more data, you will find more improvements.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Analyze your dashboards An analyst will walk through the ticket data and dashboards with you and your team to help interpret the data and tailor improvements	Populate your ticket data report Given the action items from this solution set, an analyst will help you craft a report to celebrate the successes and highlight needed improvements in the service desk.

Related Info-Tech Research

Optimize the Service Desk With a Shift-Left Strategy

The best type of service desk ticket is the one that doesn’t exist.

Incident & Problem Management

Don’t let persistent problems govern your department.

Design & Build a User-Facing Service Catalog

Improve user satisfaction with IT with a convenient menu-like catalog.

Bibliography

Bayes, Scarlett. “ITSM: 2021 & Beyond.” Service Desk Institute, 2021. Web.

“Benchmarking Report v.9.” Service Desk Institute, 17 Jan. 2020. Web.

Bennett, Micah. “The 9 Help Desk Metrics That Should Guide Your Customer Support.” Zapier, 3 Dec. 2015. Web.

“Global State of Customer Service: The transformation of customer service from 2015 to present day.” Microsoft Dynamics 365, Microsoft, 2020. Web.

Goodey, Ben. “How to Manually Analyze Support Tickets.” SentiSum, 26 July 2021. Web.

Jadhav, Megha. “Four Metrics to Analyze When Using Ticketing Software.” Vision Helpdesk Blog, 21 Mar. 2016. Web.

Knaflic, Cole Nussbaumer. Storytelling with Data: A Data Visualization Guide for Business Professionals. Wiley, 2015.

Li, Ta Hsin, et al. “Incident Ticket Analytics for IT Application Management Services.” 2014 IEEE International Conference on Services Computing, 2014. Web.

Olson, Sarah. “10 Help Desk Metrics for Service Desks and Internal Help Desks.” Zendesk Blog, Sept. 2021. Web.

Paramesh, S.P., et al. “Classifying the Unstructured IT Service Desk Tickets Using Ensemble of Classifiers.” 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), 2018. Web.

Volini, Erica, et al. “2021 Global Human Capital Trends: Special Report.” Deloitte Insights, 21 July 2021. Web.

“What Kind of Analysis You Can Perform on a Ticket Management System.” Commence, 3 Dec. 2019. Web.

INFO-TECH RESEARCH GROUP

Build a Data Classification MVP for M365

Kickstart your governance with data classification users will actually use!

Executive Summary

Info-Tech Insight

• Creating an MVP gets you started in data governance
  Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
• Define your information and protection strategy
  The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
• Planning and resourcing are central to getting started on MVP
  A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

Executive Summary

Info-Tech Insight

Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

Questions you need to ask

Four key questions to kick off your MVP.

Classification tiers

Build your schema.

Info-Tech Insight

Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

Microsoft MIP Topology

Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insight

Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

MVP RACI Chart

Data governance is a "takes a whole village" kind of effort.

Clarify who is expected to do what with a RACI chart.

What and where your data resides Data types that require classification.

M365 Workload Containers
Email Attachments	Site Collections, Sites	Sites	Project Databases
Contacts	Teams and Group Site Collections, Sites	Libraries and Lists	Sites
Metadata	Libraries and Lists	Documents Versions	Libraries and Lists
Teams Conversations	Documents Versions	Metadata	Documents Versions
Teams Chats	Metadata	Permissions Internal Sharing External Sharing	Metadata
	Permissions Internal Sharing External Sharing	Files Shared via Teams Chats	Permissions Internal Sharing External Sharing

Info-Tech Insight

Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

Discover and classify on- premises files using AIP

AIP helps you manage sensitive data prior to migrating to Office 365: Use discover mode to identify and report on files containing sensitive data. Use enforce mode to automatically classify, label, and protect files with sensitive data. Can be configured to scan: SMB files SharePoint Server 2016, 2013

Map your network and find over-exposed file shares. Protect files using MIP encryption. Inspect the content in file repositories and discover sensitive information. Classify and label file per MIP policy.

Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

Info-Tech Insight

Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

Understanding governance

Microsoft Information Governance

Retention and backup policy decision

Retention is not backup.

Understand retention policy

What are retention policies used for? Why you need them as part of your MVP?

Do not confuse retention labels and policies with backup.

Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

E-discovery tool retention policies are not turned on automatically.

Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

“Data retention policy tools enable a business to:

• “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
• “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
• “Apply a single policy to the entire organization or specific locations or users.
• “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

Definitions

Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

Data examples for MVP classification

• Examples of the type of data you consider to be Confidential, Internal, or Public.
• This will help you determine what to classify and where it is.

New container sensitivity labels (MIP)

New container sensitivity labels

What users will see when they create or label a Team/Group/Site

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insights

• Manage privacy of Teams Sites and M365 Groups
• Manage external user access to SPO sites and teams
• Manage external sharing from SPO sites
• Manage access from unmanaged devices

Data protection and security baselines

Info-Tech Insights

• Controls are already in place to set data protection policy. This assists in the MVP activities.
• Finally, you need to set your security baseline to ensure proper permissions are in place.

Prerequisite baseline

Security MFA or SSO to access from anywhere, any device Banned password list BYOD sync with corporate network

Users Sign out inactive users automatically Enable guest users External sharing Block client forwarding rules

Resources Account lockout threshold OneDrive SharePoint

Controls Sensitivity labels, retention labels and policies, DLP Mobile application management policy

Building baselines

Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

Microsoft 365 Collaboration Protection Profiles

Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

Info-Tech Insights

• Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
• Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

MVP activities

ACME Company MVP for M/O365

Related Blueprints

Govern Office 365

Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

Migrate to Office 365 Now

Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

Microsoft Teams Cookbook

IT Governance, Risk & Compliance

Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

Bibliography

“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

Adopt Change Management Practices & Succeed at IT Organizational Redesign

The perfect IT organizational structure will fail to be implemented if there is no change management.

Analyst Perspective

Don’t doom your organizational redesign efforts

After helping hundreds of organizations across public and private sector industries redesign their organizational structure, we can say there is one thing that will always doom this effort: A failure to properly identify and implement change management efforts into the process. Employees will not simply move forward with the changes you suggest just because you as the CIO are making them. You need to be prepared to describe the individual benefits each employee can expect to receive from the new structure. Moreover, it has to be clear why this change was needed in the first place. Redesign efforts should be driven by a clear need to align to the organization’s vision and support the various objectives that will need to take place. Most organizations do a great job defining a new organizational structure. They identify a way of operating that tells them how they need to align their IT capabilities to deliver on strategic objectives. What most organizations do poorly is invest in their people to ensure they can adopt this new way of operating. Brittany Lutes Research Director, Organizational Transformation Info-Tech Research Group

Executive Summary

Info-Tech Insight

Implementing your organizational design with good change management practices is more important than defining the new organizational structure.

Your challenge

This research enables organizations to succeed at their organizational redesign:

• By implementing the right change management practices. These methods prevent:
  • The loss of critical IT employees who will voluntarily exit the organization.
  • Employees from creating rumors that will be detrimental to the change.
  • Confusion about why the change was needed and how it will benefit the strategic objectives the organization is seeking to achieve.
  • Spending resources (time, money, and people) on the initiative longer than is necessary.

McKinsey reported less than 25% of organizational redesigns are successful. Which is worse than the average change initiative, which has a 70% failure rate.

Source: AlignOrg, 2020.

The value of the organizational redesign efforts is determined by the percentage of individuals who adopt the changes and operate in the desired way of working.

When organizations properly use organizational design processes, they are:

4× more likely to delight customers

13× more effective at innovation

27× more likely to retain employees

Source: The Josh Bersin Company, 2022

Common obstacles

These barriers make implementing an organizational redesign difficult to address for many organizations:

• You communicated the wrong message to the wrong audience at the wrong time. Repeatedly.
• There is a lack of clarity around the drivers for an organizational redesign.
• A readiness assessment was not completed ahead of the changes.
• There is no flexibility built into the implementation approach.
• The structure is not aligned to the strategic goals of IT and the organization.
• IT leadership is not involved in their staff’s day-to-day activities, making it difficult to suggest realistic changes.

Don’t doom your organizational redesign with poor change management

Only 17% of frontline employees believe the lines of communication are open.

Source: Taylor Reach Group, 2019

43% Percentage of organizations that are ineffective at the organizational design methodology.

Source: The Josh Bersin Company, 2022.

Change management is a must for org design

Forgetting change management is the easiest way to fail at redesigning your IT organizational structure

• Change management is not a business transformation.
• Change management consists of the practices and approaches your organization takes to support your people through a transformation.
• Like governance, change management happens regardless of whether it is planned or ad hoc.
• However, good change management will be intentional and agile, using data to help inform the next action steps you will take.
• Change management is 100% focused on the people and how to best support them as they learn to understand the need for the change, what skills they must have to support and adopt the change, and eventually to advocate for the change.

"Organizational transformation efforts rarely fail because of bad design, but rather from lack of sufficient attention to the transition from the old organization to the new one."

– Michael D. Watkins & Janet Spencer. ”10 Reason Why Organizational Change Fails.”

Info-Tech’s approach

Redesigning the IT structure depends on good change management

Common changes in organizational redesigns

Top reasons organizational redesigns fail

1. The rationale for the redesign is not clear.
2. Managers do not have the skills to lead their teams through a change initiative like organizational redesign.
3. You communicated the wrong messages at the wrong times to the wrong audiences.
4. Frontline employees were not included in the process.
5. The metrics you have to support the initiative are countering one another – if you have metrics at all.
6. Change management and project management are being treated interchangeably.

Case study: restructuring to reduce

Clear Communication & Continuous Support

Situation

On July 26th, 2022, employees at Shopify – an eCommerce platform – were communicated to by their CEO that a round of layoffs was about to take place. Effective that day, 1,000 employees or 10% of the workforce would be laid off.

In his message to staff, CEO Tobi Lutke admitted he had assumed continual growth in the eCommerce market when the COVID-19 pandemic forced many consumers into online shopping. Unfortunately, it was clear that was not the case.

In his communications, Tobi let people know what to expect throughout the day, and he informed people what supports would be made available to those laid off. Mainly, employees could expect to see a transparent approach to severance pay; support in finding new jobs through coaching, connections, or resume creation; and ongoing payment for new laptops and internet to support those who depend on this connectivity to find new jobs.

Results

Unlike many of the other organizations (e.g. Wayfair and Peloton) that have had to conduct layoffs in 2022, Shopify had a very positive reaction. Many employees took to LinkedIn to thank their previous employer for all that they had learned with the organization and to ask their network to support them in finding new opportunities. Below is a letter from the CEO:

Shopify, 2022.

Forbes, 2022.

Aligned to a Meaningful Vision

An organizational redesign must be aligned to a clear and meaningful vision of the organization.

Define the drivers for organizational redesign

And align the structure to execute on those drivers.

• Your structure should follow your strategy. However, 83% of people in an organization do not fully understand the strategy (PWC, 2017).
• How can employees be expected to understand why the IT organization needs to be restructured to meet a strategy if the strategy itself is still vague and unclear?
• When organizations pursue a structural redesign, there are often a few major reasons:
  • Digital/organizational transformation
  • New organizational strategy
  • Acquisition or growth of products, services, or capabilities
  • The need to increase effectiveness
  • Cost savings
• Creating a line of sight for your employees and leadership team will increase the likelihood that they want to adopt this structure.

“The goal is to align your operating model with your strategy, so it directly supports your differentiating capabilities.”

– PWC, 2017.

How to align structure to strategy

Recommended action steps:

• Describe the end state of the organizational structure and how long you anticipate it will take to reach that state. It's important that employees be able to visualize the end state of the changes being made.
• Ensure people understand the vision and goals of the IT organization. Are you having discussions about these? Are managers discussing these? Do people understand that their day-to-day job is intended to support those goals?
• Create a visual:
  • The goals of the organization → align to the initiatives IT → which require this exact structure to deliver.
• Do not assume people are willing to move forward with this vision. If people are not willing, assess why and determine if there are benefits specific to the individual that can support them in adopting the future state.
• Define and communicate the risks of not making the organizational structure changes.

Info-Tech Insight

A trending organizational structure or operating model should never be the driver for an organizational redesign.

IT Leaders Are Not Set Up To Succeed

Empower these leaders to have difficult conversations.

Lacking key leadership capabilities in managers

Technical leaders are common in IT, but people leaders are necessary during the implementation of an organizational structure.

• Managers are important during a transformational change for many reasons:
  • Managers play a critical role in being able to identify the skill gaps in employees and to help define the next steps in their career path.
  • After the sponsor (CIO) has communicated to the group the what and the why, the personal elements of the change fall to managers.
  • Managers’ displays of disapproval for the redesign can halt the transformation.
• However, many managers (37%) feel uncomfortable talking to employees and providing feedback if they think it will elicit a negative response (Taylor Reach Group, 2019).
• Unfortunately, organizational redesign is known for eliciting negative responses from employees as it generates fears around the unknown.
• Therefore, managers must be able to have conversations with employees to further the successful implementation and adoption of the structure.

“Successful organizational redesign is dependent on the active involvement of different managerial levels."

– Marianne Livijn, “Managing Organizational Redesign: How Organizations Relate Macro and Micro Design.”

They might be managers, but are they leaders?

Recommended action steps:

• Take time to speak with managers one on one and understand their thoughts, feelings, and understanding of the change.
• Ensure that middle-managers have an opportunity to express the benefits they believe will be realized through the proposed changes to the organizational chart.
• Provide IT leaders with leadership training courses (e.g. Info-Tech’s Leadership Programs).
• Do not allow managers to start sharing and communicating the changes to the organizational structure if they are not demonstrating support for this change. Going forward, the group is all-in or not, but they should never demonstrate not being bought-in when speaking to employees.
• Ensure IT leaders want to manage people, not just progress to a management position because they cannot climb a technical career ladder within the proposed structure. Provide both types of development opportunities to all employees.
• Reduce the managers’ span of control to ensure they can properly engage all direct reports and there is no strain on the managers' time.

Info-Tech Insight

47% of direct reports do not agree that their leader is demonstrating the change behaviors. Often, a big reason is that many middle-managers do not understand their own attitudes and beliefs about the change.

Source: McKinsey & Company “How Do We Manage the Change Journey?”

Check out Info-Tech’s Build a Better Manager series to support leadership development

These blueprints will help you create strong IT leaders who can manage their staff and themselves through a transformation.

Build a Better Manager: Basic Management Skills

Build a Better Manager: Personal Leadership

Build a Better Manager: Manage Your People

Build Successful Teams

Transparent & Frequent Communication

Provide employees with several opportunities to hear information and ask questions about the changes.

Communication must be done with intention

Include employees in the conversation to get the most out of your change management.

• Whether it is a part of a large transformation or a redesign to support a specific goal of IT, begin thinking about how you will communicate the anticipated changes and who you will communicate those changes to right away.
• The first group of people who need to understand why this initiative is important are the other IT leaders. If they are not included in the process and able to understand the foundational drivers of the initiative, you should not continue to try and gain the support of other members within IT.
• Communication is critical to the success of the organizational redesign.
• Communicating the right information at the right time will make the difference between losing critical talent and emerging from the transition successfully.
• The sponsor of this redesign initiative must be able to communicate the rationale of the changes to the other members of leadership, management, and employees.
• The sponsor and their change management team must then be prepared to accept the questions, comments, and ideas that members of IT might have around the changes.

"Details about the new organization, along with details of the selection process, should be communicated as they are finalized to all levels of the organization.”

– Courtney Jackson, “7 Reasons Why Organizational Structures Fail.”

Two-way communication is necessary

Recommended action steps:

• Don't allow rumors to disrupt this initiative – be transparent with people as early as possible.
• If the organizational restructure will not result in a reduction of staff – let them know! If someone's livelihood (job) is on the line, it increases the likelihood of panic. Let's avoid panic.
• Provide employees with an opportunity to voice their concerns, questions, and recommendations – so long as you are willing to take that information and address it. Even if the answer to a recommendation is "no" or the answer to a question is "I don't know, but I will find out," you've still let them know their voice was heard in the process.
• As the CIO, ensure that you are the first person to communicate the changes. You are the sponsor of this initiative – no one else.
• Create communications that are clear and understandable. Imagine someone who does not work for your organization is hearing the information for the first time. Would they be able to comprehend the changes being suggested?
• Conduct a pulse survey on the changes to identify whether employees understand the changes and feel heard by the management team.

Info-Tech Insight

The project manager of the organizational redesign should not be the communicator. The CIO and the employees’ direct supervisor should always be the communicators of key change messages.

Communication spectrum

An approach to communication based on the type of redesign taking place

Include Employees in the Redesign Process

Stop talking at employees and ensure they are involved in the changes impacting their day-to-day lives.

Employees will enable the change

Old-school approaches to organizational redesign have argued employee engagement is a hinderance to success – it’s not.

• We often fail to include the employees most impacted by a restructuring in the redesign process. As a result, one of the top reasons employees do not support the change is that they were not included in the change.
• A big benefit of including employees in the process is it mitigates the emergence of a rumor mill.
• Moreover, being open to suggestions from staff will help the transformation succeed.
• Employees can best describe what this transition might entail on a day-to-day basis and the supports they will require to succeed in moving from their current state to their future state.
  • CIOs and other IT leaders are often too far removed from the day-to-day to best describe what will or will not work.
• When employees feel included in the process, they are more likely to feel like they had a choice in what and how things change.

"To enlist employees, leadership has to be willing to let things get somewhat messy, through intensive, authentic engagement and the involvement of employees in making the transformation work."

– Michael D. Watkins & Janet Spencer, “10 Reasons Why Organizational Change Fails.”

Empowering employees as change agents

Recommended action steps:

• Do not tell employees what benefits they will gain from this new change. Instead, ask them what benefits they anticipate.
• Ask employees what challenges they anticipate, and identify actions that can be taken to minimize those challenges.
• Identify who the social influencers are in the organization by completing an influencer map. The informal social networks in your organization can be powerful drivers of change when the right individuals are brought onboard.
• Create a change network using those influencers. The change network includes individuals who represent all levels within the organization and can represent the employee perspective. Use them to help communicate the change and identify opportunities to increase the success of adoption: “Engaging influencers in change programs makes them 3.8 times more likely to succeed," (McKinsey & Company, 2020).
• Ask members of the change network to identify possible resistors of the new IT structure and inform you of why they might be resisting the changes.

Info-Tech Insight

Despite the persistent misconceptions, including employees in the process of a redesign reduces uncertainty and rumors.

Monitor employee engagement & adoption throughout the redesign

Only 22% of organizations include the employee experience as a part of the design process

– The Josh Bersin Company, 2022.

Employee Pulse Survey

Conduct mindful and frequent check-ins with employees

Process to conduct survey:

1. Using your desired survey solution (e.g. MS Forms, SurveyMonkey, Qualtrics) input the questions into the survey and send to staff. A template of the survey in MS Forms is available here: IT Organizational Redesign Pulse Survey Template.
2. When sending to staff, ensure that the survey is anonymous and reinforce this message.
3. Leverage the responses from the survey to learn where there might be opportunities to improve the transformation experience (aligning the structure to the vision, employee inclusion, communication, or managerial support for the change). Review the recommended action steps in this research set for help.
4. This assessment is intended for frequent but purposeful use. Only send out the survey when you have taken actions in order to improve adoption of the change or have provided communications. The Employee Pulse Survey should be reevaluated on a regular basis until adoption across all four categories reaches the desired state (80-100% adoption is recommended).

Define Key Metrics of Adoption & Success

Metrics have a dual benefit of measuring successful implementation and meeting the original drivers.

Measuring the implementation is a two-pronged approach

Both employee adoption and the transformation of the IT structure need to be measured during implementation

• Organizations that are going through any sort of transformation – such as organizational redesign – should be measuring whether they are successfully on track to meet their target or have already met that goal.
• Throughout the organizational structure transition, a major factor that will impact the success of that goal is employee willingness to move forward with the changes.
• However, rather than measuring these two components using hard data, we rely on gut checks that let us know if we think we are on track to gaining adoption and operating in the desired future state.
• Given how fluid employees and their responses to change can be, conducting a pulse survey at a regular (but strategically identified) interval will provide insight into where the changes will be adopted or resisted.

“Think about intentionally measuring at the moments in the change storyline where feedback will allow leaders to make strategic decisions and interventions.”

– Bradley Wilson, “Employee Survey Questions: The Ultimate Guide.”

Report that the organizational redesign for IT was a success

Recommended action steps:

• Create clear metrics related to how you will measure the success of the organizational redesign, and communicate those metrics to people. Ensure the metrics are not contrary to the goals of other initiatives or team outcomes.
• Create one set of metrics related to adoption and another set of metrics tied to the successful completion of the project objective.
  • Are people changing their attitudes and behaviors to reflect the required outcome?
  • Are you meeting the desired outcome of the organizational redesign?
• Use the metrics to inform how you move forward. Do not attempt the next phase of the organizational transformation before employees have clearly indicated a solid understanding of the changes.
• Ensure that any metrics used to measure success will not negatively interfere with another team’s progress. The metrics of the group need to work together, not against each other.

Info-Tech Insight

Getting 100% adoption from employees is unlikely. However, if employee adoption is not sitting in the 80-90% range, it is not recommended that you move forward with the next phase of the transformation.

Example sustainment metrics

Change Management ≠ Project Management

Stop treating the two interchangeably.

IT organizations struggle to mature their OCM capabilities

Because frankly they didn’t need it

• Change management is all about people.
• If the success of your organization is dependent on this IT restructuring, it is important to invest the time to do it right.
• This means it should not be something done off the side of someone's desk.
• Hire a change manager or look to roles that have a responsibility to deliver on organizational change management.
• While project success is often measured by if it was delivered on time, on budget, and in scope, change management is adaptable. It can move backward in the process to secure people's willingness to adopt the required behaviors.
• Strategic organizations recognize it’s not just about pushing an initiative or project forward. It’s about making sure that your employees are willing to move that initiative forward too.
• A major organizational transformation initiative like restructuring requires you lean into employee adoption and buy-in.

“Only if you have your employees in mind can you implement change effectively and sustainably.”

– Creaholic Pulse Feedback, “Change Management – And Why It Has to Change.”

Take the time to educate & communicate

Recommended action steps:

• Do not treat change management and project management as synonymous.
• Hire a change manager to support the organizational redesign transformation.
• Invest the resources (time, money, people) that can support the change and enable its success. This can look like:
  • Training and development.
  • Hiring the right people.
  • Requesting funds during the redesign process to support the transition.
• Create a change management plan – and be willing to adjust the timelines or actions of this plan based on the feedback you receive from employees.
• Implement the new organizational structure in a phased approach. This allows time to receive feedback and address any fears expressed by staff.

Info-Tech Insight

OCM is often not included or used due to a lack of understanding of how it differs from project management.

And an additional five experts across a variety of organizations who wish to remain anonymous.

Research Contributors and Experts

Info-Tech Research Group

Related Info-Tech Research

Bibliography

Aronowitz, Steven, et al. “Getting Organizational Design Right,” McKinsey, 2015. Web.
Ayers, Peg. “5 Ways to Engage Your Front-Line Staff.” Taylor Reach Group, 2019. Web.
Bushard, Brian, and Carlie Porterfield. “Meta Reportedly Scales Down, Again – Here Are the Major US Layoffs This Year.” Forbes, September 28, 2022. Web.
Caruci, Ron. “4 Organizational Design Issues that Most Leaders Misdiagnose.” Harvard Business Review, 2019.
“Change Management – And Why It Has to Change.” Creaholic Pulse Feedback. Web.
“Communication Checklist for Achieving Change Management.” Prosci, 27 Oct. 2022. Web.
“Defining Change Impact.” Prosci. 29 May 2019. Web.
“The Definitive Guide To Organization Design.” The Josh Bersin Company, 2022.
Deshler, Reed. “Five Reasons Organizational Redesigns Fail to Deliver.” AlignOrg. 28 Jan. 2020. Web.
The Fit for Growth Mini Book. PwC, 12 Jan. 2017.
Helfand, Heidi. Dynamic Reteaming: The Art and Wisdom of Changing Teams. 2nd ed., O’Reilly Media, 2020.
Jackson, Courtney. “7 Reasons Why Organizational Structures Fail.” Scott Madden Consultants. Web.
Livijn, Marianne. Managing Organizational Redesign: How Organizations Relate Macro and Micro Design. Doctoral dissertation. Department of Management, Aarhus University, 2020.
Lutke, Tobias. “Changes to Shopify’s Team.” Shopify. 26 July 2022.
McKinsey & Company. “How Do We Manage the Change Journey?” McKinsey & Company.2020.
Pijnacker, Lieke. “HR Analytics: Role Clarity Impacts Performance.” Effectory, 29 Sept. 2019. Web.
Tompkins, Teri C., and Bruce G. Barkis. “Conspiracies in the Workplace: Symptoms and Remedies.” Graziadio Business Review, vol. 21, no. 1, 2021.Web.
“Understanding Organizational Structures.” SHRM,2022.
Watkins, Michael D., and Janet Spencer. “10 Reasons Why Organizational Change Fails.” I by IMD, 10 March 2021. Web.
Wilson, Bradley. “Employee Survey Questions: The Ultimate Guide.” Perceptyx, 1 July 2020. Web.

Legacy Active Directory Environment

Kill the technical debt of your legacy Active Directory environment.

Analyst Perspective

Understand what Active Directory is and why Azure Active Directory does not replace it.

It’s about Kerberos and New Technology LAN Manager (NTLM).

Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress. Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications. If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD. John Donovan Principal Director, I&O Practice Info-Tech Research Group

Insight Summary

Executive Summary

Info-Tech Insight

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

The history of Active Directory

The evolution of your infrastructure environment

From NT to the cloud

Organizations depend on AD

AD is the backbone of many organizations’ IT infrastructure

73% of organizations say their infrastructure is built on AD.

82% say their applications depend on AD data.

89% say AD enables authenticated access to file servers.

90% say AD is the main source for authentication.

Source: Dimensions research: Active Directory Modernization :

Info-Tech Insight

Organizations fail to move away from AD for many reasons, including:

• Lack of time, resources, budget, and tools.
• Difficulty understanding what has changed.
• Migrating from AD being a low priority.

Active Directory components

Physical and logical structure

Authentication, authorization, and auditing

Active Directory has its hooks in!

AD creates infrastructure technical debt and is difficult to migrate away from.

Info-Tech Insight

Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

AD security

Security is the biggest concern with Active Directory.

Neglecting Active Directory security

98% of data breaches came from external sources.

Source: Verizon, Data Breach Report 2022

85% of data breach took weeks or even longer to discover.

Source: Verizon Data Breach Report, 2012

The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

Info-Tech Insight

Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

What are the security risks to legacy AD architecture?

• It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
• This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

AD event logs

84% of organizations that had a breach had evidence of that breach in their event logs.

Source: Verizon Data Breach Report, 2012

What is the business risk

How does AD impact innovation in your business?

It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

• Constraints of AD and growth of your digital footprint
• Difficulty integrating modern technologies
• Difficulty maintaining consistent security policies
• Inflexible central domains preventing innovation and modernization
• Inability to move to a self-service password portal
• Vulnerability to being hacked
• BYOD not being AD friendly

AD is dependent on Windows Server

1. Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
2. Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

Azure AD is not a replacement for AD

AD was designed for an on-premises enterprise

• Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
• In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
• If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

"Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

– Gregory Hall,
Brand Representative for Microsoft
(Source: Spiceworks)

The hybrid model for AD and Azure AD

How the model works

Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.

Many companies are:

• Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
• Managing non-Windows devices.
• Moving to a hybrid model of work.
• Enabling BYOD.

Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

The difference between AD Domain Services and Azure AD DS

One of the core principles of Azure AD is that the user is the security boundary, not the network.

Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

Info-Tech Insight

If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.

Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

Impact of work-from-anywhere

How AD poses issues that impact the user experience

IT organizations are under pressure to enable work-from-home/work-from-anywhere.

• IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
• While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
• The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
• As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
  • JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
  • Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
  • Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

How AD can impact your migration to Microsoft 365

The beginning of your hybrid environment

• Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
• Microsoft 365 uses Azure AD in the background to manage identities.
• Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
• Password hash should be implemented to synchronize passwords from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
• Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.

Alternatives to AD

When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.

• JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
• Apache Directory Studio Pro: Written in Java, it supports LDAP v3–certified directory services. It is certified by Eclipse-based database utilities. It also supports Kerberos, which is critical for legacy Microsoft AD apps authentication.
• Univention Corporate Server (UCS): Open-source Linux-based solution that has a friendly user interface and gets continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also supports DNS server, DHCP, multifactor authentication and single sign-on, and APIs and REST APIs. However, it has a limited English knowledgebase as it is a German tool.

What to look for

If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

These are just a few examples of the many alternatives available.

Market drivers to modernize your infrastructure

The business is now driving your Active Directory migration

What IT must deal with in the modern world of work:

• Leaner footprint for evolving tech trends
• Disaster recovery readiness
• Dynamic compliance requirements
• Increased security needs
• The need to future-proof
• Mergers and acquisitions
• Security extending the network beyond Windows

Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

Activity

Build a checklist to migrate off Active Directory.

Related Info-Tech Research

Manage the Active Directory in the Service Desk

• Build and maintain your Active Directory with good data.
• Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

SoftwareReviews: Microsoft Azure Active Directory

• The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks

Define Your Cloud Vision

• Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

Bibliography

“2012 Data Breach Investigations Report.” Verizon, 2012. Web.
“2022 Data Breach Investigations Report.” Verizon, 2012. Web.
“22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
“Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
“Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
"Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
“Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
“How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
“Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
“What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.

Reduce Shadow IT With a Service Request Catalog

Foster business partnerships with sourcing-as-a-service.

Analyst Perspective

Improve the request management process to reduce shadow IT.

In July 2022, Ivanti conducted a study on the state of the digital employee experience, surveying 10,000 office workers, IT professionals, and C-suite executives. Results of this study indicated that 49% of employees are frustrated by their tools, and 26% of employees were considering quitting their jobs due to unsuitable tech. 42% spent their own money to gain technology to improve their productivity. Despite this, only 21% of IT leaders prioritized user experience when selecting new tools.

Any organization’s workers are expected to be productive and contribute to operational improvements or customer experience. Yet those workers don’t always have the tools needed to do the job. One option is to give the business greater control, allowing them to choose and acquire the solutions that will make them more productive. Info-Tech's blueprint Embrace Business-Managed Applications takes you down this path.

However, if the business doesn’t want to manage applications, but just wants have access to better ones, IT is positioned to provide services for application and equipment sourcing that will improve the employee experience while ensuring applications and equipment are fully managed by the asset, service, and security teams.

Improving the request management and deployment practice can give the business what they need without forcing them to manage license agreements, renewals, and warranties.

Sandi Conrad
ITIL Managing Professional
Principal Research Director, IT Infrastructure & Operations,
Info-Tech Research Group

Your challenge

This research is designed to help organizations that are looking to improve request management processes and reduce shadow IT.

Shadow IT: The IT team is regularly surprised to discover new products within the organization, often when following up on help desk tickets or requests for renewals from business users or vendors.