Build a Continual Improvement Program

Don’t stop with process standardization; plan to continually improve and help those improvements stick.

Analyst Perspective

Go beyond standardizing basics

IT managers often learn how to standardize IT services. Where they usually fail is in keeping these improvements sustainable. It’s one thing to build a quality process, but it’s another challenge entirely to keep momentum and know what to do next.

To fill the gap, build a continual improvement plan to continuously increase value for stakeholders. This plan will help connect services, products, and practices with changing business needs.

Without a continual improvement plan, managers may find themselves lost and wonder what’s next. This will lead to misalignment between ongoing and increasingly high stakeholder expectations and your ability to fulfill these requirements.

Build a continual improvement program to engage executives, leaders, and subject matter experts (SMEs) to go beyond break fixes, enable proactive enhancements, and sustain process changes.

Mahmoud Ramin, Ph.D. Senior Research Analyst Infrastructure and Operations Info-Tech Research Group

Executive Summary

Info-Tech Insight

Without continual improvement, any process maturity achieved around service quality will not be sustained. Organizations need to put in place an ongoing program to maintain their current maturity and continue to grow and improve by identifying new services and enhancing existing processes.

Benefits of embedding a cross-organizational continual improvement approach

Encourage end users to provide feedback on service quality.

Provide an opportunity to stakeholders to define requirements and raise their concerns.

Embed continual improvement in all service delivery procedures.

Turn failures into improvement opportunities rather than contributing to a blame culture.

Improve practice effectiveness that enhances IT efficiency.

Improve end-user satisfaction that positively impacts brand reputation.

Improve operational costs while maintaining a high level of satisfaction.

Help the business become more proactive by identifying and improving services.

Info-Tech Insight

It’s the responsibility of the organization’s leaders to develop and promote a continual improvement culture. Work with the business unit leads and communicate the benefits of continual improvement to get their buy-in for the practice and achieve the long-term impact.

Build a feedback program to get input into where improvement initiatives are needed

A well-maintained continual improvement process creates a proper feedback mechanism for the following stakeholder groups: Users Suppliers Service delivery team members Service owners Sponsors

An efficient feedback mechanism should be constructed around the following initiatives:

Stakeholders who participate in feedback activities should feel comfortable providing suggestions for improvement. Work closely with the service desk team to build communication channels to conduct surveys. Avoid formal bureaucratic communications and enforce openness in communicating the value of feedback the stakeholders can provide.

Info-Tech Insight

When conducting feedback activities with users, keep surveys anonymous and ensure users’ information is kept confidential. Make sure everyone else is comfortable providing feedback in a constructive way so that you can seek clarification and create a feedback loop.

Implement an iterative continual improvement model and ensure that your services align with your organizational vision

Build a six-step process for your continual improvement plan. Make it a loop, in which each step becomes an input for the next step.

1. Determine your goals

A vision statement communicates your desired future state of the IT organization.

Understand the high-level business objectives to set the vision for continual improvement in a way that will align IT strategies with business strategies. Obtaining a clear picture of your organization’s goals and overall corporate strategy is one of the crucial first steps to continual improvement and will set the stage for the metrics you select. Document your continual improvement program goals and objectives. Knowing what your business is doing and understanding the impact of IT on the business will help you ensure that any metrics you collect will be business focused. Understanding the long-term vision of the business and its appetite for commitment and sponsorship will also inform your IT strategy and continual improvement goals.

Assess the future state

At this stage, you need to visualize improvement, considering your critical success factors.

Critical success factors (CSFs) are higher-level goals or requirements for success, such as improving end-user satisfaction. They’re factors that must be met in order to reach your IT and business strategic vision.

Select key performance indicators (KPIs) that will identify useful information for the initiative: Define KPIs for each CSF. These will usually involve a trend, as an increase or decrease in something. If KPIs already exist for your IT processes, re-evaluate them to assess their relevance to current strategy and redefine if necessary. Selected KPIs should provide a full picture of the health of targeted practice.

KPIs should cover these four vectors of practice performance:

Quantity How many continual improvement initiatives are in progress Quality How well you implemented improvements Timeliness How long it took to get continual improvement initiatives done Compliance How well processes and controls are being executed, such as system availability

Examples of key CSFs and KPIs for continual improvement

Prepare a vision statement to communicate the improvement strategy

IT implications are derived from the business context and inform goals by aligning the IT goals with the business context. Business context encompasses an understanding of the factors impacting the business from various perspectives, how the business makes decisions, and what it is trying to achieve. IT goals are high-level, specific objectives that the IT organization needs to achieve to reach the target state. IT goals begin a process of framing what IT as an organization needs to be able to do in the target state. IT goals will help identify the target state, IT capabilities, and the initiatives that will need to be implemented to enable those capabilities. The vision statement is expressed in the present tense. It seeks to articulate the desired role of IT and how IT will be perceived.

Strong IT vision statements have the following characteristics: Describe a desired future Focus on ends, not means Communicate promise Work as an elevator pitch: Concise; no unnecessary words Compelling Achievable Inspirational Memorable

2. Define the process team

The structure of each continual improvement team depends on resource availability and competency levels.

Enable the continual improvement program by clarifying responsibilities

Determine roles and responsibilities to ensure accountability

The continual improvement activities will only be successful if specific roles and responsibilities are clearly identified.

3. Determine improvement initiatives

Businesses usually make the mistake of focusing too much on making existing processes better while missing gaps in their practices.

Gather stakeholder feedback to help you evaluate the maturity levels of IT practices You need to understand the current state of service operations to understand how you can provide value through continual improvement. Give everyone an opportunity to provide feedback on IT services. Use Info-Tech’s End User Satisfaction Survey to define the state of your core IT services. Info-Tech Insight Become proactive to improve satisfaction. Continual improvement is not only about identifying pain points and improving them. It enables you to proactively identify initiatives for further service improvement using both practice functionality and technology enablement.

Understand the current state of your IT practices Determine the maturity level of your IT areas to help you understand which processes need improvement. Involve the practice team in maturity assessment activities to get ideas and input from them. This will also help you get their buy-in and engagement for improvement. Leverage performance metrics to analyze performance level. Metrics play a key role in understanding what needs improvement. After you implement metrics, have an impact report regularly generated to monitor them. Use problem management to identify root causes for the identified gaps. Potential sources of problems can be: Recurring issues that may be an indicator of an underlying problem. Business processes or service issues that are not IT related, such as inefficient business process or service design issues.

Establish an improvement roadmap and execute initiatives

Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

Download the Continual Improvement Register template

Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

Identify “quick wins” that can provide immediate improvement

Prioritize these quick wins to immediately demonstrate the success of the continual service improvement effort to the business.

Activity: Prioritize improvement initiatives

2-3 hours

Input: List of initiatives for continual improvement

Output: Prioritized list of initiatives

Materials: Continual improvement register, Whiteboard/flip charts, Markers, Laptops

Participants: CIO, IT managers, Project managers, Continual improvement manager

1. In the CI Register tab of the Continual Improvement Register template, define the status, priority, effort/cost, and timeline according to the definition of each in the data entry tab.
2. Review improvement initiatives from the previous activity.
3. Record the CI coordinator, business owner, and IT owner for each initiative.
4. Fill out submission date to track when the initiative was added to the register.
5. According to the updated items, you will get a dashboard of items based on their categories, effort, priority, status, and timeline. You will also get a visibility into the total number of improvement initiatives.
6. Focus on the short-term initiatives that are higher priority and require less effort.
7. Refer to the Continual Improvement Workflow template and update the steps.

Download the Continual Improvement Register template

Download the Continual Improvement Workflow template

5. Execute improvement

Develop a plan for improvement

Make a business case for your action plan	Determine budget for implementing the improvement and move to execution.	Find out how long it takes to build the improvement in the practice.	Confirm the resources and skill sets you require for the improvement.	Communicate the improvement plan across the business for better visibility and for seamless organizational change management, if needed.	Lean into incremental improvements to ensure practice quality is sustained, not temporary.	Put in place an ongoing process to audit, enhance, and sustain the performance of the target practice.

Create a specific action plan to guide your improvement activities

As part of the continual improvement plan, identify specific actions to be completed, along with ownership for each action.

Info-Tech Insight

Every organization is unique in terms of its services, processes, strengths, weaknesses, and needs, as well as the expectations of its end users. There is no single action plan that will work for everyone. The improvement plan will vary from organization to organization, but the key elements of the plan (i.e. specific priorities, timelines, targets, and responsibilities) should always be in place.

Build a communication plan to ensure the implementation of continual improvement stakeholder buy-in

1. Throughout the improvement process, share information about both the status of the project and the impact of the improvement initiatives. Encourage a collaborative environment across all members of the practice team. Motivate every individual to continue moving upward and taking ownership over their roles. Communication among team members ensures that everyone is on the same page working together toward a common goal. The most important thing is to get the support of your team. Unless you have their support, you won’t be able to deliver any of the solutions you draw up.

2. The end users should be kept in the loop so they can feel that their contribution is valued. When improvements happen and only a small group of people are involved in the results and action plan, misconceptions will arise. If communication is lacking, end users will provide less feedback on the practice improvements. For end users to feel their concerns are being considered, you must communicate the findings in a way that conveys the impact of their contribution. Info-Tech Insight To be effective, continual improvement requires open and honest feedback from IT staff. Debriefings work well for capturing information about lessons learned. Break down the debriefings into smaller, individual activities completed within each phase of the project to better capture the large amount of data and lessons learned within that phase.

Measure the success of your improvement program

Continual improvement is everybody’s job within the organization.

How did we make improvements with our partners and suppliers? –› Look into your contracts and measure the SLAs and commitments. How could improvement initiatives impact the organization? –› Involve everybody to provide feedback. Rerun the end-user satisfaction survey and compare with the baseline that you obtained before improvement implementation. How does the improvement team feel about the whole process? –› What were the lessons learned, and can the team apply the lessons in the next improvement initiatives? How did the leaders manage and lead improvements? –› Were they able to provide proper vision to guide the improvement team through the process?

Measure changes in selected metrics to evaluate success

Measuring and reporting are key components in the improvement process.

Adjust improvement priority based on updated objectives. Justify the reason. Refer to your CIR to document it.

6. Establish a learning culture and apply it to other practices

Reflect on lessons learned to drive change forward

What did you learn? Ultimately, continual improvement is an ongoing educational program. By teaching your team how to learn better and identify sources of new knowledge that can be applied going forward, you maximize the efficacy of your team and improvement plan effort.

What obstacles prevented you from reaching your target condition? If you did not reach your target goals, reflect as a team on what obstacles prevented you from reaching that target. Focus on the obstacles that are preventing your team from reaching the target state. As obstacles are removed, new ones will appear, and old ones will disappear.

Compare expectations versus reality

Compare the EC (expected change) to the AC (actual change) Evaluate the differences: how large is the difference from what you expected? Things are on track and the issue could have simply been an issue with timing of the improvement. More reflection is needed. Perhaps it is a gap in understanding the goal or a poor execution of the action plan.

Info-Tech Insight Regardless of the cause, large differences between the EC and the AC provide great learning opportunities about how to approach change in the future.

Related Info-Tech Research

	Build a Business-Aligned IT Strategy Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.
	Develop Meaningful Service Metrics Reinforce service orientation in your IT organization by ensuring your IT metrics generate value-driven resource behavior.
	Improve Incident and Problem Management Rise above firefighter mode with structured incident management to enable effective problem management.

Works Cited

“Continual Improvement ITIL4 Practice Guide.” AXELOS, 2020. Accessed August 2022.

“5 Tips for Adopting ITIL 4’s Continual Improvement Management Practice.” SysAid, 2021. Accessed August 2022.

Jacob Gillingham. “ITIL Continual Service Improvement And 7-Step Improvement Process” Invensis Global Learning Services, 2022. Accessed August 2022.

Align Projects With the IT Change Lifecycle

Increase the success of your changes by integrating project touchpoints in the change lifecycle.

Analyst Perspective

Executive Summary

Info-Tech Insight

Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value, and slowly add improvements to ease buy-in.

Info-Tech’s approach

Use the change lifecycle to identify touchpoints.

The Info-Tech difference:

1. Start with your change lifecycle to define how change control can align with project management.
2. Make improvements to project-change alignment to benefit the relationship between the two practices and the practices individually.
3. Scope the alignment to your organization. Take on the improvements to the left one by one instead of overhauling your current process.

Use this research to improve your current process

This deck is intended to align established processes. If you are just starting to build IT change processes, see the related research below.

Successful change management will provide benefits to both the business and IT

Respond to business requests faster while reducing the number of change-related disruptions.

IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.

Change management improves core benefits to the business: the four Cs

Most organizations have at least some form of change control in place, but formalizing change management leads to the four Cs of business benefits:

1. Alignment at intake

Define what is a change and what is a project.

Both changes and projects will end up in change control in the end. Here, we define the intake.

Changes and projects will both go to change control when ready to go live. However, defining the governance needed at intake is critical.

A change should be governed by change control from beginning to end. It would typically be less than a week’s worth of work for a SME to build and come in at a nominal cost (e.g. <$20k over operating costs).

Projects on the other hand, will be governed by project management in terms of scope, scheduling, resourcing, etc. Projects typically take over a week and/or cost more. However, the project, when ready to go live, should still be scheduled through change control to avoid any conflicts at implementation. At triage and intake, a project can be further scoped based on projected scale.

This initial touchpoint between change control and project management is crucial to ensure tasks and request are executed with the proper governance. To distinguish between changes and projects at intake, list examples of each and determine what resourcing separates changes from projects.

Need help scoping projects? Download the Project Intake Classification Matrix

Info-Tech Insight

While effort and cost are good indicators of changes and projects, consider evaluating risk and complexity too.

1 Define what constitutes a change

1. As a group, brainstorm examples of changes and projects. If you wish, you may choose to also separate out additional request types such as service requests (user), operational tasks (backend), and releases.
2. Have each participant write the examples on sticky notes and populate the following chart on the whiteboard/flip chart.
3. Use the examples to draw lines and determine what defines each category.

• What makes a change distinct from a project?
• What makes a change distinct from a service request?
• What makes a change distinct from an operational task?
• When do the category workflows cross over with other categories? (For example, when does a project interact with change management?

Download the Change Management Standard Operating Procedure (SOP).

2. Alignment at build and test

Keep communications open by pre-defining and communicating project milestones.

CAB touchpoints

Consistently communicate the plan and timeline for hitting these milestones so CAB can prioritize and plan changes around it. This will give change control advanced notice of altered timelines.

RFCs

Projects may have multiple associated RFCs. Keeping CAB appraised of the project RFC or RFCs gives them the ability to further plan changes.

Change Calendar

Query and fill the change calendar with project timelines and milestones to compliment the CAB touchpoints.

Leverage the RFC to record and communicate project details

The request for change (RFC) form does not have to be a burden to fill out. If designed with value in mind, it can be leveraged to set standards on all changes (from projects and otherwise).

When looking at the RFC during the Build and Test phase of a project, prioritize the following fields to ensure the implementation will be successful from a technical and user-adoption point of view.

Filling these fields of the RFC and communicating them to the CAB at go-live approval gives the approvers confidence that the project will be implemented successfully and measures are known for when that implementation is not successful.

Download the Request for Change Form Template

Provide clear definitions of what goes on the change calendar and who’s responsible

Inputs

• Freeze periods for individual business departments/applications (e.g. finance month-end periods, HR payroll cycle, etc. – all to be investigated)
• Maintenance windows and planned outage periods
• Project schedules, and upcoming major/medium changes
• Holidays
• Business hours (some departments work 9-5, others work different hours or in different time zones, and user acceptance testing may require business users to be available)

Guidelines

• Business-defined freeze periods are the top priority.
• No major or medium normal changes should occur during the week between Christmas and New Year’s Day.
• Vendor SLA support hours are the preferred time for implementing changes.
• The vacation calendar for IT will be considered for major changes.
• Change priority: High > Medium > Low.
• Minor changes and preapproved changes have the same priority and will be decided on a case-by-case basis.

Roles

• The Change Manager will be responsible for creating and maintaining a change calendar.
• Only the Change Manager can physically alter the calendar by adding a new change after the CAB has agreed upon a deployment date.
• All other CAB members, IT support staff, and other impacted stakeholders should have access to the calendar on a read-only basis to prevent people from making unauthorized changes to deployment dates.

Info-Tech Insight

Make the calendar visible to as many parties as necessary. However, limit the number of personnel who can make active changes to the calendar to limit calendar conflicts.

3. Alignment at approval

How can project management effectively contribute to CAB?

As optional CAB members

Project SMEs may attend when projects are ready to go live and when invited by the change manager. Optional members provide details on change cross-dependencies, high-level testing, rollback, communication plans, etc. to inform prioritization and scheduling decisions.

As project management representatives

Project management should also attend CAB meetings to report in on changes to ongoing projects, implementation timelines, and project milestones. Projects are typically high-priority changes when going live due to their impact. Advanced notice of timeline and milestone changes allow the rest of the CAB to properly manage other changes going into production.

As core CAB members

The core responsibilities of CAB must still be fulfilled:

1. Protect the live environment from poorly assessed, tested, and implemented changes.

2. Prioritize changes in a way that fairly reflects change impact, urgency, and likelihood.

3. Schedule deployments in a way the minimizes conflict and disruption.

If you need to define the authority and responsibilities of the CAB, see Activity 2.1.3 of the Optimize IT Change Management blueprint.

4. Alignment at implementation

At this stage, the project or project phase is treated as any other change.

If you need to define transitioning changes to production, download Transition Projects to the Service Desk

5. Alignment at post-implementation

Tackle the most neglected portion of change management to avoid making the same mistake twice.

1. Define RFC statuses that need a PIR

Conduct PIRs for failed changes. Successful changes can simply be noted and transitioned to operations.

2. Conduct a PIR for every failed change

It’s best to perform a PIR once a change-related incident is resolved.

3. Avoid making the same mistake twice

Include a root-cause analysis, mitigation actions/timeline, and lessons learned in the documentation.

4. Report to CAB

Socialize the findings of the PIR at the subsequent CAB meeting.

5. Circle back on previous PIRs

If a similar change is conducted, append the related PIR to avoid the same mistakes.

Info-Tech Insight

Include your PIR documentation right in the RFC for easy reference.

Download the RFC template for more details on post-implementation reviews

2 Implement your alignments stepwise

1. As a group, decide on which implementations you need to make to align change management and project management.
2. For each improvement, list a timeline for implementation.
3. Update section 3.5 in the Change Management Standard Operating Procedure (SOP). to outline the responsibilities of project management within IT Change Management.

Download the Change Management Standard Operating Procedure (SOP).

Related Info-Tech Research

Integrate IT Risk Into Enterprise Risk

Don’t fear IT risks, integrate them.

EXECUTIVE BRIEF

Analyst Perspective

Having siloed risks is risky business for any enterprise.

Valence Howden Principal Research Director, CIO Practice

Petar Hristov Research Director, Security, Privacy, Risk & Compliance

Ian Mulholland Research Director, Security, Risk & Compliance

Brittany Lutes Senior Research Analyst, CIO Practice

Ibrahim Abdel-Kader Research Analyst, CIO Practice

Every organization has a threshold for risk that should not be exceeded, whether that threshold is defined or not.

In the age of digital, information and technology will undoubtedly continue to expand beyond the confines of the IT department. As such, different areas of the organization cannot address these risks in silos. A siloed approach will produce different ways of identifying, assessing, responding to, and reporting on risk events. Integrated risk management is about embedding IT uncertainty to inform good decision making across the organization.

When risk is integrated into the organization's enterprise risk management program, it enables a single view of all risks and the potential impact of each risk event. More importantly, it provides a consistent view of the risk event in relation to uncertainty that might have once been seemingly unrelated to IT.

And all this can be achieved while remaining within the enterprise’s clearly defined risk appetite.

Executive Summary

Your Challenge

Most organizations fail to integrate IT risks into enterprise risks:

• IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
• IT is expected to own risks over which they have no authority or oversight.
• Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

Common Obstacles

IT leaders have to overcome these obstacles when it comes to integrating risk:

• Making business leaders aware of, involved in, and able to respond to all enterprise risks.
• A lack of data or information being used to support a holistic risk management process.
• A low level of enterprise risk maturity.
• A lack of risk management capabilities.

Info-Tech’s Approach

By leveraging the Info-Tech Integrated Risk approach, your business can better address and embed risk by:

• Understanding gaps in the organization’s current approach to risk management practices.
• Establishing a standardized approach for how IT risks impact the enterprise as a whole.
• Driving a risk-aware organization toward innovation and considering alternative options for how to move forward.
• Helping integrate IT risks into the foundational risk practice.

Info-Tech Insight

Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize its ability to respond to risk.

What is integrated risk management?

• Integrated risk management is the process of ensuring all forms of risk information, including information and technology, are considered and included in the enterprise’s risk management strategy.
• It removes the siloed approach to classifying risks related to specific departments or areas of the organization, recognizing that each of those risks is a threat to the overarching enterprise.
• Aggregating the different threats or uncertainty that might exist within an organization allows for informed decisions to be made that align to strategic goals and continue to drive value back to the business.
• By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

Enterprise Risk Management (ERM)

• IT
• Security
• Digital
• Vendor/Third Party
• Other

Enterprise risk management is the practice of identifying and addressing risks to your organization and using risk information to drive better decisions and better opportunities.

IT risk is enterprise risk

IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Your challenge

Embedding IT risks into the enterprise risk management program is challenging because:

• Most organizations classify risks based on the departments or areas of the business where the uncertainty is likely to happen.
• Unnecessary expectations are placed on the IT department to own risks over which they have no authority or oversight.
• Risks are often only identified when conducting due diligence for a project or ensuring compliance with regulations and standards.

Risk-mature organizations have a unique benefit in that they often have established an overarching governance framework and embedded risk awareness into the culture.

35% — Only 35% of organizations had embraced ERM in 2020. (Source: AICPA and NC State Poole College of Management)

12% — Only 12% of organizations are leveraging risk as a tool to their strategic advantage. (Source: AICPA and NC State Poole College of Management)

Common obstacles

These barriers make integrating IT risks difficult to address for many organizations:

• IT risks are not seen as enterprise risks.
• The organization’s culture toward risk is not defined.
• The organization’s appetite and threshold for risk are not defined.
• Each area of the organization has a different method of identifying, assessing, and responding to risk events.
• Access to reliable and informative data to support risk management is difficult to obtain.
• Leadership does not see the business value of integrating risk into a single management program.
• The organization’s attitudes and behaviors toward risk contradict the desired and defined risk culture.
• Skills, training, and resources to support risk management are lacking, let alone those to support integrated risk management.

Integrating risks has its challenges

62% — Accessing and disseminating information is the main challenge for 62% of organizations maturing their organizational risk management. (Source: OECD)

20-28% — Organizations with access to machine learning and analytics to address future risk events have 20 to 28% more satisfaction. (Source: Accenture)

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers Audit & compliance Preserve value & avoid loss Previous risk impact driver Major transformation Strategic opportunities		Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)	63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)	Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)	55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
		1. Assess Enterprise Risk Maturity	3. Build a Risk Management Program Plan	4. Establish Risk Management Processes	5. Implement a Risk Management Program
		2. Determine Authority with Governance Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability. Governance and related decision making is optimized with integrated and aligned risk data.			ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.		Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

Integrated Risk Mapping — Downside Risk Focus

Integrated Risk Mapping — Downside and Upside Risk

Third-Party Risk Example

Insight Summary

Overarching insight

Stop fearing risk – integrate it. Integration leads to opportunities for organizations to embrace innovation and new digital technologies as well as reducing operational costs and simplifying reporting.

Govern risk strategically

Governance of risk management for information- and technology-related events is often misplaced. Just because it's classified as an IT risk does not mean it shouldn’t be owned by the board or business executive.

Assess risk maturity

Integrating risk requires a baseline of risk maturity at the enterprise level. IT can push integrating risks, but only if the enterprise is willing to adopt the attitudes and behaviors that will drive the integrated risk approach.

Manage risk

It is not a strategic decision to have different areas of the organization manage the risks perceived to be in their department. It’s the easy choice, but not the strategic one.

Implement risk management

Different areas of an enterprise apply risk management processes differently. Determining a single method for identification, assessment, response, and monitoring can ensure successful implementation of enterprise risk management.

Tactical insight

Good risk management will consider both the positives and negatives associated with a risk management program by recognizing both the upside and downside of risk event impact and likelihood.

Integrated risk benefits

Measure the value of integrating risk

• Reduce Operating Costs

  • Organizations can reduce their risk operating costs by 20 to 30% by adopting enterprise-wide digital risk initiatives (McKinsey & Company).

• Increase Cybersecurity Threat Preparedness

  • Increase the organization’s preparedness for cybersecurity threats. 79% of organizations that were impacted by email threats in 2020 were not prepared for the hit (Diligent)

• Increase Risk Management’s Impact to Drive Strategic Value

  • Currently, only 3% of organizations are extensively using risk management to drive their unique competitive advantage, compared to 35% of companies who do not use it at all (AICPA & NC State Poole College of Management).

• Reduce Lost Productivity for the Enterprise

  • Among small businesses, 76% are still not considering purchasing cyberinsurance in 2021, despite the fact that ransomware attacks alone cost Canadian businesses $5.1 billion in productivity in 2020 (Insurance Bureau of Canada, 2021).

“31% of CIO’s expected their role to expand and include risk management responsibilities.” (IDG “2021 State of the CIO,” 2021)

Make integrated risk management sustainable

Assessment

Assess your organization’s method of addressing risk management to determine if integrated risk is possible

Assessing the organization’s risk maturity

Mature or not, integrated risk management should be a consideration for all organizations The first step to integrating risk management within the enterprise is to understand the organization’s readiness to adopt practices that will enable it to successfully integrate information. In 2021, we saw enterprise risk management assessments become one of the most common trends, particularly as a method by which the organization can consolidate the potential impacts of uncertainties or threats (Lawton, 2021). A major driver for this initiative was the recognition that information and technology not only have enterprise-wide impacts on the organization’s risk management but that IT has a critical role in supporting processes that enable effective access to data/information. A maturity assessment has several benefits for an organization: It ensures there is alignment throughout the organization on why integrated risk is the right approach to take, it recognizes the organization’s current risk maturity, and it supports the organization in defining where it would like to go.

Maturity should inform your approach to risk management

The outcome of the risk maturity assessment should inform how risk management is approached within the organization.

For organizations with a low maturity, remaining superficial with risk will offer more benefits and align to the enterprise’s risk tolerance and appetite. This might mean no integrated risk is taking place.

However, organizations that have higher risk maturity should begin to integrate risk information. These organizations can identify the nuances that would affect the severity and impact of risk events.

Integrated Risk Maturity Assessment

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

Integrated Risk Maturity Assessment A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.

Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

Position and Agree on ROI to Maximize the Impact of Data and Analytics

Data and analytics ROI strategy is based on the business problem being solved and agreed-upon value being generated.

Analyst Perspective

Missing out on a significant opportunity for returns could be the biggest cost to the project and its sponsor.

		This research is directed to the key decision makers tasked with addressing business problems. It also informs stakeholders that have any interest in ROI, especially when applying it to a data and analytics platform and practice. While organizations typically use ROI to measure the performance of their investments, the key to determining what investment makes sense is opportunity cost. Missing out on a significant opportunity for return could be the biggest cost to the project and its sponsor. By making sure you appropriately estimate costs and value returned for all data and analytics activities, you can prioritize the ones that bring in the greatest returns.
Ibrahim Abdel-Kader Research Analyst, Data & Analytics Practice Info-Tech Research Group	Ben Abrishami-Shirazi Technical Counselor Info-Tech Research Group

Executive Summary – ROI on Data and Analytics

Info-Tech Insight

ROI doesn’t have to be perfect. Parameters and measures of success need to be agreed upon with the key decision makers.

Glossary

Return on Investment (ROI): A financial term used to determine how much value has been or will be gained or lost based on the total cost of investment. It is typically expressed as a percentage and is supported by the following formula:

Payback: How quickly money is paid back (or returned) on the initial investment.
Business Problem Owner (BPO): A leader in the organization who is accountable and is the key decision maker tasked with addressing a business problem through a series of investments. BPOs may use ROI as a reference for how their financial investments have performed and to influence future investment decisions.
Problem Solver: A key stakeholder tasked with collaborating with the BPO in addressing the business problem at hand. One of the problem solver’s responsibilities is to ensure that there is an improved return on the BPO’s investments.
Return Enhancers: A category for capabilities that directly or indirectly enhance the return of an investment.
Cost Savers: A category for capabilities that directly or indirectly save costs in relation of an investment.
Investment Opportunity Enablers: A category for capabilities that create or enable a new investment opportunity that may yield a potential return.
Game Changing Components: The components of a capability that directly yield value in solving a business problem.

ROI strategy on data and analytics

ROI roles

Typical roles involved in the ROI strategy across the organization

CDOs and CAOs typically have their budget allocated from both IT and business units.

This is evidenced by the “State of the CIO Survey 2023” reporting that up to 63% of CDOs and CAOs have some budget allocated from within IT; therefore, up to 37% of budgets are entirely funded by business executives.

This signifies the need to be aligned with peer executives and to use mechanisms like ROI to maximize the performance of investments.

Source: Foundry, “State of the CIO Survey 2023.”

Demystify the New PMBOK Guide and the PMI Certifications

The PMP certification is still valuable and worth your time in 2023.

Analyst Perspective

The PMP (Project Management Professional) certification is still worth your time.

I often get asked, “Is the PMP worth it?” I then proceed with a question of my own: “If it gets you an interview or a foot in the door or bolsters your salary, would it be worth it?” Typically, the answer is a resounding “YES!”

CIO magazine ranked the PMP as the top project management certification in North America because it demonstrates that you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.

Given its popularity and the demand in the marketplace, I strongly believe it is still worth your time and investment. The PMP is a globally recognized certification that has dominated for decades. It is hard to overlook the fact that the Project Management Institute (PMI) has more than 1.2 million PMP certification holders worldwide and is still considered the gold standard for project management.

Yes, it’s worth it. It gets you interviews, a foot in the door, and bolsters your salary. Oh, and it makes you a more complete project manager.

Long Dam, PMP, PMI-ACP, PgMP, PfMP

Executive Summary

Info-Tech Insight

The PMP certification is still valuable and worthy of your time in 2023.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

The PMP dominated the market for decades and got over 1 million people certified

Info-Tech Insight

The PMI’s flagship PMP certification numbers have not significantly increased from 2021 to 2022. However, PMP substantially outpaces all competitors with over 1.2 million certified PMPs.

Source: projectmanagement.com

The PMP penetrated over 200 countries

PMP is the global project management gold standard.

• CIO magazine ranked the PMP as the top project management certification because it demonstrates you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.
• It delivers real value in the form of professional credibility, deep knowledge, and increased earning potential. Those benefits have staying power.
• The PMP now includes predictive, Agile, and hybrid approaches.
• The PMP demonstrates expertise across the wide array of planning and work management styles.

Source: PMI, “PMP Certification.” PMI, “Why You Should Get the PMP.”

The PMP was valuable in the past specifically because it was the standard

79% of project managers surveyed have the PMP certification out of 30,000 respondents in 40 countries.

The PMP became table stakes for jobs in project management and PMO’s.

Source: PMI’s Earning Power: Project Management Salary Survey—Twelfth Edition (2021)

The PMP put itself on a collision course with Agile

• The Agile Certified Practitioner (PMI-ACP) was introduced in 2012 which initially clashed with the PMP for project management supremacy from the PMI.
• Then the Disciplined Agile (DA) was introduced in 2019, which further compounded the issue and caused even more confusion with both the PMP and the PMI-ACP certification.
• Instead of complementing the PMP, these certifications began to inadvertently compete with it head-to-head.

There is a new PMBOK Guide Seventh Edition in town

The PMI made its most significant changes between 2017 and 2021.

Timeline adapted from Wikipedia, “Project Management Body of Knowledge.”

Roughly every 3-5 years, the PMI has released a new PMBOK version. It’s unclear if there will be an eighth edition.

The market got confused by PMBOK Guide – Seventh Edition

• Die-hard traditional project managers have a hard time grasping why the PMI messed around with the PMBOK Guide. There is sentiment that the PMBOK Guide V7 got diluted.
• Naysayers do not think that the PMBOK Guide V7 hit the mark and found it to be a concession to Agilists.
• The PMBOK Guide V7 was significantly trimmed down by almost two-thirds to 274 pages whereas the PMBOK V6 ballooned to 756 pages!
• Some Agile practitioners found this to be a refreshing, bold move from the PMI. Most, however, ignored or resisted it.

PMBOK Guide – Seventh edition released in 2021

• The PMBOK Guide – Seventh Edition was released in late 2021. It was the most radical change since 1987. For the first time, the PMI went from a process-based standard to a principles-based standard, and the guide went from knowledge areas to project performance domains. This may have diluted the traditional predictive project management practices. However, it was offset by incorporating more iterative, Agile, and hybrid approaches.
• The market is confused and is clearly shifting toward Agile and away from the rigor that is typically associated with the PMI.
• The PMI transitioned most of the process-based standards & ITTO to their new digital PMIStandards+ online platform, which can be found here (access for PMI members only).
• The PMBOK Guide is not the sole basis of the certification exam; however, it can be used as one of several reference resources. Using the exam content outline (ECO) is the way forward, which can be found here.

The Agile certification seems to be the focus for the PMI in the coming years

• The PMI started to get into the Agile game with the introduction of Agile certifications, which is where all the confusion started. Although the PMI-ACP & the DASM have seen a steady uptake recently, it appears to be at the expense of the PMP certification.
• The PMI acquired the Discipline Agile (DA) in late 2019, which expanded their offerings and capabilities for project managers and teams to choose their “way of working.”
• This was an important milestone for the PMI to address the new way of working for Agile practitioners with this offering to provide more options and to better support enterprise agility.

Source: projectmanagement.com as of July 2022

The PMI has lost more certified PMPs than they have gained so far in 2022

PMP – Project Management Professional

It is a concerning trend that their bread and butter, the PMP flagship certification, has largely stalled in 2022. We are unsure if this was attributed to them being displaced by competitors such as the Agile Alliance, their own Agile offerings, or the market’s lackluster reaction to PMBOK Guide – Seventh Edition.

Source: projectmanagement.com as of July 2022

The PMI’s total memberships have stalled since September 2021

The PMI’s membership appears to have a direct correlation to the PMP numbers. As the PMP number stalls, so do the PMI’s memberships.

Source: projectmanagement.com as of July 2022

The PMP and the PMBOK Guide are more focused on project management

• It became evident that other certifications were more tightly aligned to program and portfolio management for the PMOs. The PMI provides the following:
  • Program Management Professional (PgMP)
  • Portfolio Management Professional (PfMP)
• Axelos also has certifications for program management and portfolio management, such as:
  • Managing Successful Programmes (MSP)
  • Management of Portfolios (MoP)
  • Portfolio, Programme, and Project Offices (P3O)

The market didn’t know what to do with the PgMP or the PfMP

These were relatively unknown certifications for Program and Portfolio Management.

• The PMI’s story was that you would start as a project manager with the PMP certification and then the natural progression would be toward either Program Management (PgMP) or Portfolio Management (PfMP).
• The uptake for the PgMP and the PfMP certification has been insignificant and underwhelming. The appetite and the demand for PMO-aligned certifications has been lackluster since their inception.

Source: projectmanagement.com as of July 2022

There are other non-PMI certifications to consider

Depending on your experience level

Other non-PMI project management certifications

PRINCE2 and CSM appear to be the more popular ones in the market.

In April 2022, CIO.com outlined other popular project management certifications outside of the PMI.

Source: CIO.com

Project managers have an image problem among senior leaders

There is a perception that PMs are just box-checkers and note-takers.

• Project managers are seen as tactical troubleshooters rather than strategic partners. This suggests a widespread lack of understanding of the value and impact of project management at the C-suite level.
• Very few C-suite executives associate project managers with "realizing visions," being "essential," or being "changemakers."
• Strong strategic alignment between the PMO and the C-suite helps to reinforce the value of project management capabilities in achieving wider strategic aims.

Source: PMI, Narrowing The Talent Gap, 2021

Hiring practices have yet to change in response to the PMI’s moves

The PMP is still the standard, even for organizations transitioning to Agile and PMO/portfolio jobs.

• Savvy business leaders are still unsure about how Agile will impact them in the long term.
• According to the Narrowing the Talent Gap report, PMI and PwC’s latest global research indicates that talent strategies haven’t changed much. There’s a widespread lack of focus on developing and retaining existing project managers, and a lack of variety and innovation in attracting and recruiting new talent. The core problem is that there isn’t a business case for investment in talent.

Noteworthy Agile certifications to consider

Source: PMI, “Agile Certifications,” and ScrumAlliance, “Become a Certified ScrumMaster.”

Info-Tech Insight

There is a lot of chatter about which Agile certification is better, and the jury is still out with no consensus. There are pros and cons to both certifications. We believe the PMI-ACP will give you more mileage and flexibility because of its breath of coverage in the Agile practice compared to the CSM.

The talent shortage is a considerable risk to organizations

• According to the PMI’s 2021 Talent Gap report1, the talent gap is likely to impact every region. By 2030, at least 13 million project managers are expected to have retired, creating additional challenges for recruitment. To close the gap, 25 million new project professionals are needed by 2030.
• Young project managers will change the profession. Millennials and Generation Z are bringing fresh perspectives to projects. Learning to work alongside these younger generations isn't optional, as they increasingly dominate the labor force and extend their influence.
• Millennials have already arrived: According to Pew Research2, this group surpassed Gen X in 2016 and is now the largest generation in the US labor force.

1. PMI, Talent Gap, 2021.
2. PM Network, 2019.

Money talks – the PMP is still your best payoff

It is a financially rewarding profession!

The median salary for PMP holders in the US is 25% higher than those without PMP certification.

On a global level, the Project Management Professional (PMP) certification has been shown to bolster salary levels. Holders of the PMP certification report higher median salaries than those without a PMP certification – 16% higher on average across the 40 countries surveyed.

Source: PMI, Earning Power, 2021

Determine which skills and capabilities are needed in the coming years

• A scan of 2022 PM and PMO postings still shows continued dominance of the PMP certification requirement.
• People and relationships have become more important than predicting budgets and timelines.
• The PMI and PwC Global Survey on Transformation and Project Management 2021 identified the top five skills/capabilities for project managers (in order of priority):
  1. Relationship building
  2. Collaborative leadership
  3. Strategic thinking
  4. Creative problem solving
  5. Commercial awareness

Source: PMI, Narrowing The Talent Gap, 2021.

Prepare for product delivery by focusing on top digital-age skills

According to the PMI Megatrends 2022 report, they have identified six areas as the top digital-age skills for product delivery:

1. Innovative mindset
2. Legal and regulatory compliance knowledge
3. Security and privacy knowledge
4. Data science skills
5. Ability to make data-driven decisions
6. Collaborative leadership skills

Many organizations aren’t considering candidates who don’t have project-related qualifications. Indeed, many more are increasing the requirements for their qualifications than those who are reducing it.

Source: PMI, Narrowing The Talent Gap, 2021

Prioritize training and development at the C-suite level

Currently, there is an imbalance with more emphasis of training on tools, processes, techniques, and methodologies rather than business acumen skills, collaboration, and management skills. With the explosion of remote work, training needs to be revamped and, in some cases, redesigned altogether to accommodate remote employees.

Lack of strategic prioritization is evident in how training and development is being done, with organizations largely not embracing a diversity of learning preferences and opportunities.

Source: PMI, Narrowing The Talent Gap, 2021

PM is evolving into a more strategic role

• Ensure program and portfolio management roles are supported by the most appropriate certifications.
• For project managers that have evolved beyond the iron triangle of managing projects, there is applicability to the PgMP and the PfMP for program managers, portfolio managers, and those in charge of PMOs.
• Although these certifications have not been widely adopted due to lack of awareness and engagement at the decision-maker level, they still hold merit and prestige within the project management community.

Project managers are evolving. No longer creatures of scope, schedule, and budget alone, they are now – enabled by new technology – focusing on influencing outcomes, building relationships, and achieving the strategic goals of their organizations.

Source: PMI, Narrowing the Talent Gap, 2021

Overhaul your recruitment practices to align with skills/capabilities

Talent managers will need to retool their toolbox to fill the capability gap and to look beyond where the role is geographically based by embracing flexible staffing models.

They will need to evolve their talent strategies in line with changing business priorities.

Organizations should be actively working to increase the diversity of candidates and upskilling young people in underrepresented communities as a priority.

Most organizations are still relying on traditional approaches to recruit talent. Although we are prioritizing power skills and business acumen, we are still searching in the same, shrinking pool of talent.

Source: PMI, Narrowing the Talent Gap, 2021.

Bibliography

“Agile Certifications for Every Step in Your Career.” PMI. Web.

“Become a Certified ScrumMaster and Help Your Team Thrive.” ScrumAlliance. Web.

“Become a Project Manager.” PMI. Accessed 14 Sept. 2022.

Bucero, A. “The Next Evolution: Young Project Managers Will Change the Profession: Here's What Organizations Need to Know.” PM Network, 2019, 33(6), 26–27.

“Certification Framework.” PMI. Accessed 14 Sept. 2022.

“Certifications.” PMI. Accessed 14 Sept. 2022.

DePrisco, Mike. Global Megatrends 2022. “Foreword.” PMI, 2022. Accessed 14 Sept. 2022.

Earning Power: Project Management Salary Survey. 12th ed. PMI, 2021. Accessed 14 Sept. 2022.

“Global Research From PMI and PwC Reveals Attributes and Strategies of the World’s Leading Project Management Offices.” PMI, 1 Mar. 2022. Press Release. Accessed 14 Sept. 2022.

Narrowing the Talent Gap. PMI, 2021. Accessed 14 Sept. 2022.

“PMP Certification.” PMI. Accessed 4 Aug. 2022.

“Project Management Body of Knowledge.” Wikipedia, Wikimedia Foundation, 29 Aug. 2022.

“Project Portfolio Management Pulse Survey 2021.” PwC. Accessed 30 Aug. 2022.

Talent Gap: Ten-Year Employment Trends, Costs, and Global Implications. PMI. Accessed 14 Sept. 2022.

“The Critical Path.” ProjectManagement.com. Accessed 14 Sept. 2022.

“True Business Agility Starts Here.” PMI. Accessed 14 Sept. 2022.

White, Sarah K. and Sharon Florentine. “Top 15 Project Management Certifications.” CIO.com, 22 Apr. 2022. Web.

“Why You Should Get the PMP.” PMI. Accessed 14 Sept. 2022.

Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
• The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

• Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
• Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

• Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
• Our unique approach:
• Assess resources and determine zero trust readiness.
• Address barriers and identify enablers.
• Prioritize initiatives and build out roadmap.
• Identify most appropriate vendors via vendor selection framework.
• Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

• Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
• Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
• To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
• Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
• To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

• Vendors use zero trust as a marketing buzzword.
• Organizations try to comprehend zero trust in their own limited views.
• Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

Info-Tech’s methodology for Building a Zero Trust Roadmap

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

• A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
• Improved security posture across the digital attack surface while focusing on the protect surface.
• An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

• Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
• Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
• Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
• Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

• This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
• Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

• Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
• Provide support for mobile and external partners.
• Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
• Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Workshop Overview

Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Identify and define the business goals.
• Identify the critical DAAS elements and protect surface.
• Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

• Security Team
• Business Executives
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

• Security leaders need to understand the direction the business is headed in.
• Wise security investments depend on aligning your security initiatives to business objectives.
• Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
• For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

Info-Tech Insight

Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

1. As a group, brainstorm the business goals of the organization.
2. Review relevant business and IT strategies.
3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

• Business and IT strategies

Output

• Prioritized list of business objectives

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders
• Risk Management
• Compliance
• Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

Understand protect surface

Data, Application, Asset, and Services

A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

Components of a protect surface

• Data
• Application
• Asset
• Services

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

Sample Scenario

INDUSTRY: Healthcare

SOURCE: Info-Tech Research Group

Illustration

A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

• What is the data that can’t be risked exfiltrated?
• What application(s) is used to access this data?
• What assets are used to generate and store the data?
• What are the services we rely on to be able to access the data?

DAAS Element

• The data here is the patient information.
• The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
• The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
• The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

DAAS and Zero Trust Pillar

This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

Shift from attack surface to protect surface

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

1.2 Identify critical DAAS elements

Estimated time 1-3 hours

1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.

• Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
• Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
• Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
• Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.

Download the Zero Trust Protect Surface Mapping Tool

Input

• Critical resources to protect
• Understanding of how they interoperate or connect

Output

• Protect surfaces

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders

1.3 Map business goals to critical DAAS elements

Estimated time 1-2 hours

1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.

• Each protect surface can be tied back to a business objective.

• Type in your business objectives if the drop-down list does not apply.

Download the Zero Trust Protect Surface Mapping Tool

Phase 2

Assess Key Capabilities and Identify Zero Trust Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Assess the organization’s current capabilities.
• Define the zero trust target state.
• Identify tasks to close gaps
• Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

The Info-Tech Zero Trust Framework

Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

• ACT Zero Trust Cybersecurity Current Trends. 2019
• NIST SP 800-207: Zero Trust Architecture. 2020
• DOD Zero Trust Reference Architecture. 2021
• NSA Embracing a Zero Trust Security Model. 2021
• CISA Zero Trust Maturity Model. 2021
• Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
• OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
• NSTAC Zero Trust and Trusted Identity Management. 2022
• NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

Identity

• Authentication
• Authorization
• Privileged Access Management

Applications

• Software Defined Compute
• DevSecOps
• Software Supply Chain

Devices

• Authentication
• Authorization
• Compliance

Networks

• Software Defined Networking
• Macro Segmentations
• Micro Segmentation

Data

• Software Defined Storage
• Data Loss Prevention
• Data Rights Management

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

2.1 Review the Info-Tech framework

Estimated time 30-60 minutes

1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
2. Customize the tool as required using the instructions in tab “2. Setup”:

• Define costing criteria
• Define benefits criteria
• Configure full-time equivalent hours and start year
• Input business goals as mapped to protect surfaces (see next slide)

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives

Output

• Customized framework

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT

2.1.1 Input business goals as mapped to protect surfaces

Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

1. Enter Business Goals.
2. Enter Protect Surfaces.
3. Enter Data.
4. Enter Application.
5. Enter Assets.
6. Enter Services.

Info-Tech Insight

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

2.2 Assess current capabilities and define zero trust target state

Estimated time 6-12 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives
• Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Current-state and target-state assessment for gap analysis

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

Understanding security target states

Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

AD HOC 01

Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

DEVELOPING 02

Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

DEFINED 03

A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

MANAGED 04

Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

OPTIMIZED 05

An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

2.2.1 Conduct current-state assessment

1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.

• Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.

Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

2.2.2 Review the Gap Analysis Dashboard

1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
2. Use the color-coded legend to see the size of the gap between your current and target state.
3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”

2.3 Identify tasks to close gaps

Estimated time 5 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Zero trust controls gap information

Output

• Gap closure task list

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

2.3 Identify tasks to close gaps (cont.)

1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:

• Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
• The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps require their own task. You can enter one task that may address multiple gaps.
• Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.

Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

2.4 Define tasks and initiatives

Estimated time 2-4 hours

1. As a group, review the gap tasks identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your tab “5. Task List.”
3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• Gap analysis

Output

• Refined list of tasks
• List of zero trust initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.4.1 Finalize your task list

1. Define the gap closure task list in tab “5. Task List”:
1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
2. Paste the list into the table in tab “5. Task List,” Task column.

• Use Paste Values to retain the table formatting.

• They have costs associated with them.
• They require initial effort to implement and ongoing effort to maintain.
• They must be accomplished dependently of other tasks.

1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”

Example: Initiative consolidation

In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

Info-Tech Insight

As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

2.4.2 Finalize your initiative list

1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

2.5 Align initiatives to business goals and protect surfaces

Estimated time 30-60 minutes

1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• List of zero trust initiatives
• Protect surfaces mapped to business objectives

Output

• List of zero trust initiatives aligned to business goals and protect surfaces

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.5.1 Align initiatives to business goals

1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
1. Use the legend to determine the most appropriate business goal(s).
2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.

2.5.2 Align initiatives to protect surfaces

1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
1. Use the legend to determine the most appropriate protect surface(s).
2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.

Phase 3

Evaluate Candidate Solutions and Finalize Roadmap

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Define solution criteria.
• Identify candidate solutions.
• Evaluate candidate solutions.
• Perform cost/benefit analysis.
• Prioritize initiatives and build roadmap.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

3.1 Define solution criteria

Estimated time 30-60 minutes

1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
2. Customize the tool as required using the instructions on the following slides.

Info-Tech Insight

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Download the Zero Trust Candidate Solutions Selection Tool

Input

• Zero trust initiative list

Output

• Zero trust candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

3.1.1 Define compliance and solution evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the compliance score and the solution score, which are the overall evaluation:

• Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
• Solution score consists of features score, usability score, affordability score, and architecture score.

3.1.2 Define remaining evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the remaining evaluation criteria:

• Tenets: Considers how well each initiative aligns with zero trust principles.
• Pillars: Considers how well each initiative aligns with zero trust pillars.
• Threats: Considers what zero trust threats are relevant with the candidate solution.
• Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
• Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
• Deployment Architecture: Considers the solutions deployment architecture capabilities.

Review available candidate solutions

The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

Download the Rapid Application Selection Framework research

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Sample whiteboard activity

• Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
• A sample sticky note is provided below for privileged access management.

• The PAM solution should support MFA
• Live session monitoring, audit, and reporting
• Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

3.2 Identify candidate solutions

Estimated time 2 hours

1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:

• Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

Input

• Candidate solutions for zero trust tasks and initiatives

Output

• Suitability evaluation of candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Info-Tech Insight

Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

Download the Zero Trust Candidate Solutions Selection Tool

3.2.1 Review candidate solutions

1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

3.3 Evaluate candidate solutions

Estimated time 3 hours

On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

Input

• Candidate solutions

Output

• Candidate solutions scored

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Download the Zero Trust Candidate Solutions Selection Tool

3.3.3 Evaluate solution scores

After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

1. On Features
   1. Enter Coverage.
   2. Enter Quality.
2. Enter Usability.
3. On Affordability
   1. Enter Initial Cost.
   2. Enter Ongoing Cost (annual).
4. Enter Architecture.

3.4 Perform cost/benefit analysis

Estimated time 1-2 hours

1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
2. Define dependencies or business impacts if they will help with prioritization.

Input

• Ranked candidate solutions
• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.4.1 Complete the cost/benefit analysis

Use Zero Trust Program Gap Analysis Tool.

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• Use the result from candidate selection to define the estimated costs.
• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

3.4.2 Optionally enter detailed cost estimates

Use Zero Trust Program Gap Analysis Tool.

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:

• You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
• You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
• You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

3.5 Prioritize initiatives

Estimated time 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:

• Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
• Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.5.1 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

1. Establish the axes and colors for your effort map:
1. X-axis represents the Benefit value from column J
2. Y-axis represents the Cost/Effort value from column H
3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

Input

• Outputs from activities 3.4.1 and 3.4.2

Output

• High-level prioritization for each of the gap-closing initiatives
• Visual representation of quantitative values

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.2 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

Input

• Outputs from activity 3.5.1

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.3 Refine the effort map’s visual output

30 minutes

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
2. Leverage the following 0-4 Execution Wave scale:
0. Underway –Initiatives that are already underway
1. Must Do – Initiatives that must happen right away
2. Should Do – Initiatives that should happen but need more time/support
3. Could Do – Initiatives that are not a priority
4. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the a-z scale.

• Use the lettering to track dependencies between initiatives.
• If one must take place before another, ensure that its letter comes first alphabetically.
• If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

Input

• Outputs from activity 3.5.2

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Wave assignment example

In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

3.6 Build roadmap

Estimated time 2-3 hours

1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list

Output

• Zero trust roadmap

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.6.1 Schedule initiatives using the Gantt chart

1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.

• You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
• You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
• 

3.6.2 Review your roadmap

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:

• Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
• Does your organization have regular change freezes throughout the year that will impact the schedule?
• Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
• Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
• Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.6.3 Review your cost/effort estimates table

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:

• Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
• If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

This table provides you with the information to have important conversations with management and stakeholders.

Phase 4

Formulate Policies for Roadmap Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Formulate zero trust policies for critical DAAS elements.
• Formulate zero trust policies to secure a path to access critical DAAS elements.

This phase involves the following participants:

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Understand the zero trust policy

Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
The policies help to prevent lateral movement.

Info-Tech Insight

The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

4.1.1 Formulate policy

Estimated time 1-2 hours

1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
2. The policy created should be consistent for both cloud and on-prem environments.
3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

4.1.2 Apply policy

1-2 hours

1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
2. Name the microperimeter and place it on a firewall.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Sticky Notes
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Microperimeter A
Protect Surface:
DAAS Elements:

Microperimeter B
Protect Surface:
DAAS Elements:

Microperimeter C
Protect Surface:
DAAS Elements:

4.2 Secure a path to access critical DAAS elements

How should you allow access to the resource?

This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

Conceptualized flow

With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

Phase 5

Monitor Zero Trust Roadmap Deployment

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Establish metrics for roadmap tasks.
• Track metrics for roadmap tasks.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

5.1 Establish metrics for roadmap tasks

Estimated time 2 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

Input

• Zero trust roadmap task list

Output

• Metrics for measuring zero trust task implementation and efficacy

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.1.1 Identify metrics to measure implementation and efficacy of tasks

Estimated time 3-4 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.

• If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

Info-Tech Insight

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

5.1.2 Document metric metadata

Estimated time 1-2 hours

For each metric defined in step 4.1.1:

1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).

• Add more columns under the Audience category if needed.
• Use “X” to identify if an audience group will be informed of the measurement of the metric.

5.2 Track and report metrics

Estimated time 2 hours

1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

Input

• Metrics for measuring zero trust task implementation and efficacy

Output

• Metric data and graphs for presenting zero trust implementation metrics to audience groups

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.2.1 Record baseline measurements for metrics

Estimated time 1-2 hours

On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
   (e.g. if any metric is being measured monthly, there should be one column per month)
4. Over time, conduct measurements of your metrics and store them in the table below.
5. Add notes, as necessary.

5.2.2 Report metric health to audience groups

Estimated time 1-2 hours

On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
3. Six different graphic representations of the tracked data for the selected metric will populate.

Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

5.3 Build a communication deck

Estimated time 2 hours

Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

In this communication deck template, you will find the following sections:

• Introduction
• Protect Surfaces
• Zero Trust Gap Analysis
• Zero Trust Initiatives & Tasks

Input

• Protect surfaces mapped to business goals
• Zero trust program gap analysis
• Zero trust roadmap initiatives and tasks
• Zero trust metrics

Output

• Communication deck for zero trust strategy

Materials

• Zero Trust Communication Deck

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Communication Deck

Summary of Accomplishment

Knowledge Gained

• Knowledge of protect surfaces and the business goals protecting them supports
• Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
• Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
• A defined set of security metrics assessing zero trust implementation progress and efficacy

Deliverables Completed

• Zero Trust Protect Surface Mapping Tool
• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool
• Zero Trust Progress Monitoring Tool
• Zero Trust Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Zero Trust Program Gap Analysis Tool

Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

Zero Trust Progress Monitoring Tool

Identify and track metrics for zero trust tasks and initiatives.

Research Contributors

• Aaron Benson, CME Group, Director of IAM Governance
• Brad Mateski, Zones, Solutions Architect for CyberSecurity
• Bob Smock, Info-Tech Research Group, Vice President of Consulting
• Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
• John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
• John Zhao, Fonterra, Enterprise Security Architect
• Rongxing Lu, University of New Brunswick, Associate Professor
• Sumanta Sarkar, University of Warwick, Assistant Professor
• Tim Malone, J.B. Hunt Transport, Senior Director Information Security
• Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

Related Info-Tech Research

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

Determine Your Zero Trust Readiness

IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

Mature Your Identity and Access Management Program

Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

• Assess identity and access requirements
• Identify initiatives using the identity lifecycle
• Prioritize initiatives and build a roadmap

Bibliography

• “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
• “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
• “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
• Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
• “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
• “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
• Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
• “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
• English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
• “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
• “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
• Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
• “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
• Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
• Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
• Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
• National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
• NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
• Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
• “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
• Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
• “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
• “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
• Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
• Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
• Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
• VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
• Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
• “Zero Trust Access.” Fortinet, n.d. Web.
• “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
• “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
• “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

Enable Omnichannel Commerce That Delights Your Customers

Create a cohesive, omnichannel framework that supports the right transactions through the right channels for the right customers.

Analyst Perspective

A clearly outlined commerce strategy is a necessary component of a broader customer experience strategy.

Ben Dickie
Research Lead, Research – Applications
Info-Tech Research Group

“Your commerce strategy is where the rubber hits the road, converting your prospects into paying customers. To maximize revenue (and provide a great customer experience), it’s essential to have a clearly defined commerce strategy in place.

A strong commerce strategy seeks to understand your target customer personas and commerce journey maps and pair these with the right channels and enabling technologies. There is not a “one-size-fits-all” approach to selecting the right commerce channels: while many organizations are making a heavy push into e-commerce and mobile commerce, others are seeking to differentiate themselves by innovating in traditional brick-and-mortar sales. Hybrid channel design now dominates many commerce strategies – using a blend of e-commerce and other channels to deliver the best-possible customer experience.

IT leaders must work with the business to create a succinct commerce strategy that defines personas and scenarios, outlines the right channel matrix, and puts in place the right enabling technologies (for example, point-of-sale and e-commerce platforms).”

Stop! Are you ready for this project?

This Research Is Designed For:

• IT leaders and business analysts supporting their commercial and marketing organizations in developing and executing a technology enablement strategy for e-commerce or brick-and-mortar commerce.
• Any organization looking to develop a persona-based approach to identifying the right channels for their commerce strategy.

This Research Will Help You:

• Identify key personas and customer journeys for a brick-and-mortar and/or e-commerce strategy.
• Select the right channels for your commerce strategy and build a commerce channel matrix to codify the results.
• Review the “art of the possible” and new developments in brick-and-mortar and e-commerce execution.

This Research Will Also Assist:

• Sales managers, brand managers, and any marketing professional looking to build a cohesive commerce strategy.
• E-commerce or POS project teams or working groups tasked with managing an RFP process for vendor selection.

This Research Will Help Them:

• Build a persona-centric commerce strategy.
• Understand key technology trends in the brick-and-mortar and e-commerce space.

Executive Summary

Your Challenge

Today’s customers expect to be able to transact with you in the channels of their choice.

The proliferation of e-commerce, innovations in brick-and-mortar retail, and developments in mobile commerce and social media selling mean that IT organizations are managing added complexity in drafting a strategy for commerce enablement.

The right technology stack is critical to support world-class e-commerce and brick-and-mortar interactions with customers.

Common Obstacles

Many organizations do not define strong, customer-centric drivers for dictating which channels they should be investing in for transactional capabilities.

As many retailers look to move shopping experiences online during the pandemic, the impetus for having a strong e-commerce suite has markedly increased. The proliferation of commerce vendors has made it difficult to identify and shortlist the right solution, while the pandemic has also highlighted the importance of adopting new vendors quickly and efficiently: companies need to understand the top players in different commerce market landscapes.

IT is receiving a growing number of commerce platform requests and must be prepared to speak intelligently about requirements and the “art of the possible.”

Info-Tech’s Approach

• Leverage Info-Tech’s proven, road-tested approach to using personas and scenarios to build strong business drivers for your commerce strategy.
• Before selecting and deploying technology solutions, create a cohesive channel matrix outlining which channels your organization will support with transactional capabilities.
• Understand evolving trends in the commerce solution space, such as AI-driven product recommendations and integration with other essential enterprise applications (i.e. customer relationship management [CRM] and marketing automation platforms).
• Understand and apply operational best practices such as content optimization and dynamic personalization to improve the conversion rate via your e-commerce channels.

Info-Tech Insight

• Support the right transactional channels for the right customers: there is no “one-size-fits-all” approach to commerce enablement – understand your customers to drive selection of the right transactional channels.
• Don’t assume that “traditional” commerce channels have stagnated: IoT, customer analytics, and blended retail are reinvigorating brick-and-mortar selling.
• Don’t buy best-of-breed; buy best-for-you: base commerce vendor selection on your requirements and use cases, not on the vendor’s overall performance.

A strong commerce strategy is an essential component of a savvy approach to customer experience management

A commerce strategy outlines an organization’s approach to selling its products and services. A strong commerce strategy identifies target customers’ personas, commerce journeys that the organization wants to support, and the channels that the organization will use to transact with customers.

Many commerce strategies encompass two distinct but complementary branches: a commerce strategy for transacting through traditional channels and an e-commerce strategy. While the latter often receives more attention from IT, it still falls on IT leaders to provide the appropriate enabling technologies to support traditional brick-and-mortar channels as well. Traditional channels have also undergone a digital renaissance in recent years, with forward-looking companies capitalizing on new technology to enhance customer experiences in their stores.

Traditional Channels

• Physical Stores (Brick and Mortar)
• Kiosks or Pop-Up Stores
• Telesales
• Mail Orders
• EDI Transactions

E-Commerce Channels

• E-Commerce Websites
• Mobile Commerce Apps
• Embedded Social Shopping
• Customer Portals
• Configure Price Quote Tool Sets (CPQ)
• Hybrid Retail

Info-Tech Insight

To better serve their customers, many companies position themselves as “click-and-mortar” shops – allowing customers to transact at a store or online.

Customers’ expectations are on the rise: meet them!

Today’s consumers expect speed, convenience, and tailored experiences at every stage of the customer lifecycle. Successful organizations strive to support these expectations.

58%
of retail customers admitted that their expectations now are higher than they were a year ago (FinancesOnline).

70%
of consumers between the ages of 18 and 34 have increasing customer expectations year after year (FinancesOnline).

69%
of consumers now expect store associates to be armed with a mobile device to deliver value-added services, such as looking up product information and checking inventory (V12).

73%
of support leaders agree that customer expectations are increasing, but only…

42%
of support leaders are confident that they’re actually meeting those expectations.

How can you be sure that you are meeting your customers’ expectations?

1. Offer more personalization throughout the entire customer journey
2. Practice quality customer service – ensure staff have up-to-date knowledge and offer quick resolution time for complaints
3. Focus on offering low-effort experiences and easy-to-use platforms (i.e. “one-click buying”)
4. Ensure your products and services perform well and do what they’re meant to do
5. Ensure omnichannel availability – 9 in 10 consumers want a seamless omnichannel experience

Info-Tech Insight

Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored commerce and transactional experiences.

Omnichannel commerce is the way of the future

Create a strategy that embraces this reality with the right tools!

Get ahead of the competition by doing omnichannel right! Devise a strategy that allows you to create and maintain a consistent, seamless commerce experience by optimizing operations with an omnichannel framework. Customers want to interact with you on their own terms, and it falls to IT to ensure that applications are in place to support and manage both traditional and e-commerce channels. There must also be consistency of copy, collateral, offers, and pricing between commerce channels.

71%
of consumers want a consistent experience across all channels, but only…

29%
say that they actually get it.

(Source: Business 2 Community, 2020)

Omnichannel is a “multichannel approach that aims to provide customers with a personalized, integrated, and seamless shopping experience across diverse touchpoints and devices.”
Source: RingCentral, 2021

IT is responsible for providing technology enablement of the commerce strategy: e-commerce platforms are a cornerstone

An e-commerce platform is an enterprise application that provides end-to-end capabilities for allowing customers to purchase products or services from your company via an online channel (e.g. a traditional website, a mobile application, or an embedded link in a social media post). Modern e-commerce platforms are essential for delivering a frictionless customer journey when it comes to purchasing online.

$6.388
trillion dollars worth of sales will be conducted online by 2024 (eMarketer, 14 Jan. 2021).

44%
of all e-commerce transactions are expected to be completed via a mobile device by 2024 (Insider).

21.8%
of all sales will be made from online purchases by 2024 (eMarketer, 14 Jan. 2021).

Strong E-Commerce Platforms Enable a Wide Range of Functional Areas:

• Product Catalog Management
• Web Content Delivery
• Product Search Engine
• Inventory Management
• Shopping Cart Management
• Discount and Coupon Management
• Return Management and Reverse Logistics
• Dynamic Personalization
• Dynamic Promotions
• Predictive Re-Targeting
• Predictive Product Recommendations
• Transaction Processing
• Compliance Management
• Commerce Workflow Management
• Loyalty Program Management
• Reporting and Analytics

An e-commerce solution boosts the effectiveness and efficiency of your operations and drives top-line growth

Take time to learn the capabilities of modern e-commerce applications. Understanding the “art of the possible” will help you to get the most out of your e-commerce platform.

An e-commerce platform helps marketers and sales staff in three primary ways:

1. It allows the organization to effectively and efficiently operate e-commerce operations at scale.
2. It allows commercial staff to have a single system for managing and monitoring all commercial activity through online channels.
3. It allows the organization to improve the customer-facing e-commerce experience, boosting conversions and top-line sales.

A dedicated e-commerce platform improves the efficiency of customer-commerce operations

• Workflow automation reduces the amount of time spent executing dynamic e-commerce campaigns.
• The use of internal or third-party data increases conversion effectiveness from customer databases across the organization.

Info-Tech Insight

A strong e-commerce provides marketers with the data they need to produce actionable insights about their customers.

Case Study

INDUSTRY - Retail
SOURCE - Salesforce (a)

PetSmart improves customer experience by leveraging a new commerce platform in the Salesforce ecosystem

PetSmart

PetSmart is a leading retailer of pet products, with a heavy footprint across North America. Historically, PetSmart was a brick-and-mortar retailer, but it has placed a heavy emphasis on being a true multi-channel “click-and-mortar” retailer to ensure it maintains relevance against competitors like Amazon.

E-Commerce Overhaul Initiative

To improve its e-commerce capabilities, PetSmart recognized that it needed to consolidate to a single, unified e-commerce platform to realize a 360-degree view of its customers. A new platform was also required to power dynamic and engaging experiences, with appropriate product recommendations and tailored content. To pursue this initiative, the company settled on Salesforce.com’s Commerce Cloud product after an exhaustive requirements definition effort and rigorous vendor selection approach.

Results

After platform implementation, PetSmart was able to effortlessly handle the massive transaction volumes associated with Black Friday and Cyber Monday and deliver 1:1 experiences that boosted conversion rates.

PetSmart standardized on the Commerce Cloud from Salesforce to great effect.

Case Study

Icebreaker exceeds customer expectations by using AI to power product recommendations

INDUSTRY - Retail
SOURCE - Salesforce (b)

Icebreaker

Icebreaker is a leading outerwear and lifestyle clothing company, operating six global websites and owning over 5,000 stores across 50 countries. Icebreaker is focused on providing its shoppers with accurate, real-time product suggestions to ensure it remains relevant in an increasingly competitive online market.

E-Commerce Overhaul Initiative

To improve its e-commerce capabilities, Icebreaker recognized that it needed to adopt a predictive recommendation engine that would offer its customers a more personalized shopping experience. This new system would need to leverage relevant data to provide both known and anonymous shoppers with product suggestions that are of interest to them. To pursue this initiative, Icebreaker settled on using Salesforce.com’s Commerce Cloud Einstein, a fully integrated AI.

Results

After integrating Commerce Cloud Einstein on all its global sites, Icebreaker was able to cross-sell and up-sell its merchandise more effectively by providing its shoppers with accurate product recommendations, ultimately increasing average order value.

IT must also provide technology enablement for other channels, such as point-of-sale systems for brick-and-mortar

Point-of-sale systems are the “real world” complement to e-commerce platforms. They provide functional capabilities for selling products in a physical store, including basic inventory management, cash register management, payment processing, and retail analytics. Many firms struggle with legacy POS environments that inhibit a modern customer experience.

$27.338
trillion dollars in retail sales are expected to be made globally in 2022 (eMarketer, 2022).

84%
of consumers believe that retailers should be doing more to integrate their online and offline channels (Invoca).

39%
of consumers are unlikely or very unlikely to visit a retailer’s store if the online store doesn’t provide physical store inventory information (V12).

Strong Point-of-Sale Platforms Enable a Wide Range of Functional Areas:

• Product Catalog Management
• Discount Management
• Coupon Management and Administration
• Cash Management
• Cash Register Reconciliation
• Product Identification (Barcode Management)
• Payment Processing
• Compliance Management
• Basic Inventory Management
• Commerce Workflow Management
• Exception Reporting and Overrides
• Loyalty Program Management
• Reporting and Analytics

E-commerce and POS don’t live in isolation

They’re key components of a well-oiled customer experience ecosystem!

Integrate commerce solutions with other customer experience applications – and with ERP or logistics systems – to handoff transactions for order fulfilment.

Having a customer master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for traditional and e-commerce success. Typically, the POS or e-commerce platform is not the system of record for the master customer profile: this information lives in a CRM platform or customer data warehouse. Conceptually, this system is at the center of the customer-experience ecosystem.

Strong POS and e-commerce solutions orchestrate transactions but typically do not do the heavy lifting in terms of order fulfilment, shipping logistics, economic inventory management, and reverse logistics (returns). In an enterprise-grade environment, these activities are executed by an enterprise resource planning (ERP) solution – integrating your commerce systems with a back-end ERP solution is a crucial step from an application architecture point of view.

Case Study

INDUSTRY - Retail
SOURCES - Amazon, n.d. CNET, 2020

Amazon is creating a hybrid omnichannel experience for retail by introducing innovative brick-and-mortar stores

Amazon

Amazon began as an online retailer of books in the mid-1990s, and rapidly expanded its product portfolio to nearly every category imaginable. Often hailed as the foremost success story in online commerce, the firm has driven customer loyalty via consistently strong product recommendations and a well-designed site.

Bringing Physical Retail Into the Digital Age

Beginning in 2016 (and expanding in 2018), Amazon introduced Amazon Go, a next-generation grocery retailer, to the Seattle market. While most firms that pursue an e-commerce strategy traditionally come from a brick-and-mortar background, Amazon upended the usual narrative: the world’s largest online retailer opening physical stores to become a true omnichannel, “click-and-mortar” vendor. From the get-go, Amazon Go focused on innovating the physical retail experience – using cameras, IoT capabilities, and mobile technologies to offer “checkout-free” virtual shopping carts that automatically know what products customers take off the shelves and bill their Amazon accounts accordingly.

Results

Amazon received a variety of industry and press accolades for re-inventing the physical store experience and it now owns and operates seven separate store brands, with more still on the horizon.

Case Study

INDUSTRY - Retail
SOURCES - Glossy, 2020

Old Navy

Old Navy is a clothing and accessories retail company that owns and operates over 1,200 stores across North America and China. Typically, Old Navy has relied on using traditional marketing approaches, but recently it has shifted to producing more digitally focused campaigns to drive revenue.

Bringing Physical Retail Into the Digital Age

To overcome pandemic-related difficulties, including temporary store closures, Old Navy knew that it had to have strong holiday sales in 2020. With the goal of stimulating retail sales growth and maximizing its pre-existing omnichannel capabilities, Old Navy decided to focus more of its holiday campaign efforts online than in years past. With this campaign centered on connected TV platforms, such as Hulu, and social media channels including Facebook, Instagram, and TikTok, Old Navy was able to take a more unique, fun, and good-humored approach to marketing.

Results

Old Navy’s digitally focused campaign was a success. When compared with third quarter sales figures from 2019, third quarter net sales for 2020 increased by 15% and comparable sales increased by 17%.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Enable Omnichannel Commerce That Delights Your Customers – Project Overview

Phase 1

Identify Critical Drivers for Your Omnichannel Commerce Strategy

1.1 Assess Personas and Scenarios

1.2 Create Key Drivers and Metrics

Enable Omnichannel Commerce That Delights Your Customers

Step 1.1

Assess Personas and Scenarios

This step will walk you through the following activities:

1.1.1 Build key customer personas for your commerce strategy.

1.1.2 Create commerce scenarios (journey maps) that you need to enable.

Identify Critical Drivers for Your Omnichannel Commerce Strategy

This step involves the following participants:

• Business stakeholders (Sales, Marketing)
• IT project team

Outcomes of this step:

• Critical customer personas
• Key traditional and e-commerce scenarios

Use customer personas to picture who will be using your commerce channels and guide scenario design and key drivers

What Are Personas?

Personas are detailed descriptions of the targeted audience of your e-commerce presence. Effective personas:

• Express and focus on the major needs and expectations of the most important user groups.
• Give a clear picture of the typical user’s behavior.
• Aid in uncovering universal features and functionality.
• Describe real people with backgrounds, goals, and values.

Source: Usability.gov, n.d.

Why Are Personas Important?

Personas help:

• Focus the development of commerce platform features on the immediate needs of the intended audience.
• Detail the level of customization needed to ensure content is valuable to the user.
• Describe how users may behave when certain audio and visual stimulus are triggered from the website.
• Outline the special design considerations required to meet user accessibility needs.

Key Elements of a Persona:

• Persona Group (e.g. executives)
• Demographics (e.g. nationality, age, language spoken)
• Purpose of Using Commerce Channels (e.g. product search versus ready to transact)
• Typical Behaviors and Tendencies (e.g. goes to different websites when cannot find products in 20 seconds)
• Technological Environment of User (e.g. devices, browsers, network connection)
• Professional and Technical Skills and Experiences (e.g. knowledge of websites, area of expertise)

Use Info-Tech’s guidelines to assist in the creation of personas

How many personas should I create?

The number of personas that should be created is based on the organizational coverage of your commerce strategy. Here are some questions you should ask:

• Do the personas cover a majority of your revenues or product lines?
• Is the number manageable for your project team to map out?

How do I prioritize which personas to create?

The identified personas should generate the most revenue – or provide a significant opportunity – for your business. Here are some questions that you should ask:

• Are the personas prioritized based on the revenue they generate for the business?
• Is the persona prioritization process considering both the present and future revenues the persona is generating?

Sample: persona for e-commerce platform

Example

Persona quote: “After I call the company about the widget, I would usually go onto the company’s website and look at further details about the product. How am I supposed to do so when it is so hard to find the company’s website on everyday search engines, such as Google, Yahoo, or Bing?”

Michael is a middle-aged manager working in the financial district. He wants to buy the company’s widgets for use in his home, but since he is distrusting of online shopping, he prefers to call the company’s call center first. Afterwards, if Michael is convinced by the call center representative, he will look at the company’s website for further research before making his purchase.

Michael does not have a lot of free time on his hands, and tries to make his free time as relaxing as possible. Due to most of his work being client-facing, he is not in front of a computer most of the time during his work. As such, Michael does not consider himself to be skilled with technology. Once he makes the decision to purchase, Michael will conduct online transactions and pay most delivery costs due to his shortage of time.

Needs:

• Easy-to-find website and widget information.
• Online purchasing and delivery services.
• Answer to his questions about the widget.
• To maintain contact post-purchase for easy future transactions.

Info-Tech Tip

The quote attached to a persona should be from actual quotes that your customers have used when you reviewed your voice of the customer (VoC) surveys or focus groups to drive home the impact of their issues with your company.

1.1.1 Activity: Build personas for your key customers that you’ll need to support via traditional and e-commerce channels

1 hour

1. In two to four groups, list all the major, target customer personas that need to be built. In doing so, consider the people who interact with your e-commerce site (or other channels) most often.
2. Build a demographic profile for each customer persona. Include information such as age, geographic location, occupation, and annual income.
3. Augment the persona with a psychographic profile. Consider the goals and objectives of each customer persona and how these might inform buyer behaviors.
4. Introduce your group’s personas to the entire group, in a round-robin fashion, as if you are introducing your persona at a party.
5. Summarize the personas in a persona map. Rank your personas according to importance and remove any duplicates.
6. Use Info-Tech’s Create Personas to Drive Omnichannel Requirements Template to assist.

Info-Tech Insight

Persona building is typically used for understanding the external customer; however, if you need to gain a better understanding of the organization’s internal customers (those who will be interacting with the e-commerce platform), personas can also be built for this purpose. Examples of useful internal personas are sales managers, brand managers, and customer service directors.

1.1.1 Activity: Build personas for your key customers that you’ll need to support via traditional and e-commerce channels (continued)

Input

• Customer demographics and psychographics

Output

• List of prioritized customer personas

Materials

• Whiteboard
• Markers

Participants

• Project team

Build use-case scenarios to model the transactional customer journey and inform drivers for your commerce strategy

A use-case scenario is a story or narrative that helps explore the set of interactions that a customer has with an organization. Scenario mapping will help identify key business and technology drivers as well as more granular functional requirements for POS or e-commerce platform selection.

A GOOD SCENARIO…

• Describes specific task(s) that need to be accomplished.
• Describes user goals and motivations.
• Describes interactions with a compelling but not overwhelming amount of detail.
• Can be rough, as long as it provokes ideas and discussion.

SCENARIOS ARE USED TO...

• Provide a shared understanding about what a user might want to do and how they might want to do it.
• Help construct the sequence of events that are necessary to address in your user interface(s).

TO CREATE GOOD SCENARIOS…

• Keep scenarios high level, not granular, in nature.
• Identify as many scenarios as possible. If you’re time constrained, try to develop two to three key scenarios per persona.
• Sketch each scenario out so that stakeholders understand the goal of the scenario.

1.1.2 Exercise: Build commerce user scenarios to understand what you want your customers to do from a transactional viewpoint

1 hour

Example

Simplified E-Commerce Workflow Purchase Products

Step 1.2

Create Key Drivers and Metrics

This step will walk you through the following activities:

• Create the business drivers you need to enable with your commerce strategy.
• Enumerate metrics to track the efficacy of your commerce strategy.

Identify Critical Drivers for Your Omnichannel Commerce Strategy

This step involves the following participants:

• Business stakeholders (Sales, Marketing)
• IT project team

Outcomes of this step:

• Business drivers for the commerce strategy
• Metrics and key performance indicators for the commerce strategy

1.2 Finish elaboration of your scenarios and map them to your personas: identify core business drivers for commerce

1.5 hours

1. List all commerce scenarios required to satisfy the immediate needs of your personas.
   1. Does the use-case scenario address commonly felt user challenges?
   2. Can the scenario be used by those with changing behaviors and tendencies?
2. Look for recurring themes in use-case scenarios (for example, increasing average transaction cost through better product recommendations) and identify business drivers: drivers are common thematic elements that can be found across multiple scenarios. These are the key principles for your commerce strategy.
3. Prioritize your use cases by leveraging the priorities of your business drivers.

Example

1.2 Finish elaboration of your scenarios and map them to your personas: identify core business drivers for commerce (continuation)

Input

• User personas

Output

• List of use cases
• Alignment of use cases to business objectives

Materials

• Whiteboard
• Markers

Participants

• Business Analyst
• Developer
• Designer

Show the benefits of commerce solution deployment with metrics aimed at both overall efficacy and platform adoption

The ROI and perceived value of the organization’s e-commerce and POS solutions will be a critical indication of the success of the suite’s selection and implementation.

Info-Tech Insight

Even if e-commerce metrics are difficult to track right now, the implementation of a dedicated e-commerce platform brings access to valuable customer intelligence from data that was once kept in silos.

Phase 2

Map Drivers to the Right Channels and Technologies

2.1 Build the Commerce Channel Matrix

2.2 Review Technology and Trends Primer

Enable Omnichannel Commerce That Delights Your Customers

Step 2.1

Build the Commerce Channel Matrix

This step will walk you through the following activities:

• Based on your business drivers, create a blended mix of e-commerce channels that will suit your organization’s and customers’ needs.

Map Drivers to the Right Channels and Technologies

This step involves the following participants:

• Business stakeholders (Sales, Marketing)
• IT project team

Outcomes of this step:

• Commerce channel map

Pick the transactional channels that align with your customer personas and enable your target scenarios and drivers

Info-Tech Insight

Your channel selections should be driven by customer personas and scenarios. For example, social media may be extensively employed by some persona types (i.e. millennials) but see limited adoption in other demographics or use cases (i.e. B2B).

2.1 Activity: Build your commerce channel matrix

30 minutes

1. Inventory which transactional channels are currently used by your firm (segment by product lines if variation exists).
2. Interview product leaders, sales leaders, and marketing managers to determine if channels support transactional capabilities or are used for marketing and service delivery.
3. Review your customer personas, scenarios, and drivers and assess which of the channels you will use in the future to sell products and services. Document below.

Example: Commerce Channel Map

Input

• Personas, scenarios, and driver

Output

• Channel map

Materials

• Whiteboard
• Markers

Participants

• Project team

Step 2.2

Review Technology and Trends Primer

This step will walk you through the following activities:

• Review the scope of e-commerce and POS solutions and understand key drivers impacting e-commerce and traditional commerce.

Map Drivers to the Right Channels and Technologies

This step involves the following participants:

• Business stakeholders (Sales, Marketing)
• IT project team

Outcomes of this step:

• Understanding of key technologies
• Understanding of key trends

Application spotlight: e-commerce platforms

How It Enables Your Strategy

• Modern e-commerce platforms provide capabilities for end-to-end orchestration of online commerce experiences, from product site deployment to payment processing.
• Some e-commerce platforms are purpose-built for business-to-business (B2B) commerce, emphasizing customer portals and EDI features. Other e-commerce vendors place more emphasis on business-to-consumer (B2C) capabilities, such as product catalog management and executing transactions at scale.
• There has been an increasing degree of overlap between traditional web experience management solutions and the e-commerce market; for example, in 2018, Adobe acquired Magento to augment its overall web experience offering within Adobe Experience Manager.
• E-commerce platforms typically fall short when it comes to order fulfilment and logistics; this piece of the puzzle is typically orchestrated via an ERP system or logistics management module.
• This research provides a starting place for defining e-commerce requirements and selection artefacts.

Key Trends

• E-commerce vendors are rapidly supporting a variety of form factors and integration with other channels such as social media. Mobile is sufficiently popular that some vendors and industry commentators refer to it as “m-commerce” to differentiate app-based shopping experiences from those accessed through a traditional browser.
• Hybrid commerce is driving more interplay between e-commerce solutions and POS.

E-Commerce KPIs

Strong e-commerce applications can improve:

• Bounce Rates
• Exit Rates
• Lead Conversion Rates
• Cart Abandonment Rates
• Re-Targeting Efficacy
• Average Cart Size
• Average Cart Value
• Customer Lifetime Value
• Aggregate Reach/Impressions

Familiarize yourself with the e-commerce market

How it got here

Initial Traction as the Dot-Com Era Came to Fruition

Unlike some enterprise application markets, such as CRM, the e-commerce market appeared almost overnight during the mid-to-late nineties as the dot-com explosion fueled the need to have reliable solutions for executing transactions online.

Early e-commerce solutions were less full-fledged suites than they were mediums for payment processing and basic product list management. PayPal and other services like Digital River were pioneers in the space, but their functionality was limited vis-à-vis tools such as web content management platforms, and their ability to amalgamate and analyze the data necessary for dynamic personalization and re-targeting was virtually non-existent.

Rapidly Expanding Scope of Functional Capabilities as the Market Matured

As marketers became more sophisticated and companies put an increased focus on customer experience and omnichannel interaction, the need arose for platforms that were significantly more feature rich than their early contemporaries. In this context, vendors such as Shopify and Demandware stepped into the limelight, offering far richer functionality and analytics than previous offerings, such as asset management, dynamic personalization, and the ability to re-target customers who abandoned their carts.

As the market has matured, there has also been a series of acquisitions of some players (for example, Demandware by Salesforce) and IPOs of others (i.e. Shopify). Traditional payment-oriented services like PayPal still fill an important niche, while newer entrants like Square seek to disrupt both the e-commerce market and point-of-sale solutions to boot.

Familiarize yourself with the e-commerce market

Where it’s going

Support for a Proliferation of Form Factors and Channels

Modern e-commerce solutions are expanding the number of form factors (smartphones, tablets) they support via both responsive design and in-app capabilities. Many platforms now also support embedded purchasing options in non-owned channels (for example, social media). With the pandemic leading to a heightened affinity for online shopping, the importance of fully using these capabilities has been further emphasized.

AI and Machine Learning

E-commerce is another customer experience domain ripe for transformation via the potential of artificial intelligence. Machine learning algorithms are being used to enhance the effectiveness of dynamic personalization of product collateral, improve the accuracy of product recommendations, and allow for more effective re-targeting campaigns of customers who did not make a purchase.

Merger of Online Commerce and Traditional Point-of-Sale

Many e-commerce vendors – particularly the large players – are now going beyond traditional e-commerce and making plays into brick-and-mortar environments, offering point-of-sale capabilities and the ability to display product assets and customizations via augmented reality – truly blending the physical and virtual shopping experience.

Emphasis on Integration with the Broader Customer Experience Ecosystem

The big names in e-commerce recognize they don’t live on an island: out-of-the-box integrations with popular CRM, web experience, and marketing automation platforms have been increasing at a breakneck pace. Support for digital wallets has also become increasingly popular, with many vendors integrating contactless payment technology (i.e. Apple Pay) directly into their applications.

E-Commerce Vendor Snapshot: Part 1

Mid-Market E-Commerce Solutions

E-Commerce Vendor Snapshot: Part 2

Large Enterprise and Full-Suite E-Commerce Platforms

Speak with category experts to dive deeper into the vendor landscape

• Fact-based reviews of business software from IT professionals.
• Product and category reports with state-of-the-art data visualization.
• Top-tier data quality backed by a rigorous quality assurance process.
• User-experience insight that reveals the intangibles of working with a vendor.

Software Reviews is powered by Info-Tech

Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. The insights of our expert analysts provide unparalleled support to our members at every step of their buying journey.

CLICK HERE to access SoftwareReviews Comprehensive software reviews to make better IT decisions.

We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Leading B2B E-Commerce Platforms

As of February 2022

Data Quadrant

Emotional Footprint

Leading B2C E-Commerce Platforms

As of February 2022

Data Quadrant

Emotional Footprint

Application spotlight: point-of-sale solutions

How It Enables Your Strategy

• Point-of-sale solutions provide capabilities for cash register/terminal management, transaction processing, and lightweight inventory management.
• Many POS vendors also offer products that have the ability to create orders from EDI, phone, or fax channels.
• An increasing emphasis has been placed on retail analytics by POS vendors – providing reporting and analysis tools to help with inventory planning, promotion management, and product recommendations.
• Integration of POS systems with a central customer data warehouse or other system of record for customer information allows for the ability to build richer customer profiles and compare shopping habits in physical stores against other transactional channels that are offered.
• POS vendors often offer (or integrate with) loyalty management solutions to track, manage, and redeem loyalty points. See this note on loyalty management systems.
• Legacy and/or homegrown POS systems tend to be an area of frustration for customer experience management modernization.

Key Trends

• POS solutions are moving from “cash-register-only” solutions to encompass mobile POS form factors like smartphones and tablets. Vendors such as Square have experienced tremendous growth in opening up the market via “mPOS” platforms that have lower costs to entry than the traditional hardware needed to support full-fledged POS solutions.
• This development puts robust POS toolsets in the hands of small and medium businesses that otherwise would be priced out of the market.

POS KPIs

Strong POS applications can improve:

• Customer Data Collection
• Inventory or Cash Shrinkage
• Cost per Transaction
• Loyalty Program Administration Costs
• Cycle Time for Transaction Execution

Point-of-Sales Vendor Snapshot: Part 1

Mid-Market POS Solutions

Point-of-Sales Vendor Snapshot: Part 2

Large Enterprise POS Platforms

Leading Retail POS Systems

As of February 2022

Data Quadrant

Emotional Footprint

Summary of Accomplishment

Knowledge Gained

• Commerce channel framework
• Customer affinities
• Commerce channel overview
• Commerce-enabling technologies

Processes Optimized

• Persona definition for commerce strategy
• Persona channel shortlist

Deliverables Completed

• Customer personas
• Commerce user scenarios
• Business drivers for traditional commerce and e-commerce
• Channel matrix for omnichannel commerce

Bibliography

“25 Amazing Omnichannel Statistics Every Marketer Should Know (Updated for 2021).” V12, 29 June 2021. Accessed 12 Jan. 2022.

“Amazon Go.” Amazon, n.d. Web.

Andersen, Derek. “33 Statistics Retail Marketers Need to Know in 2021.” Invoca, 19 July 2021. Accessed 12 Jan. 2022.

Andre, Louie. “115 Critical Customer Support Software Statistics: 2022 Market Share Analysis & Data.” FinancesOnline, 14 Jan. 2022. Accessed 25 Jan. 2022.

Chuang, Courtney. “The future of support: 5 key trends that will shape customer care in 2022.” Intercom, 10 Jan. 2022. Accessed 11 Jan. 2022.

Cramer-Flood, Ethan. “Global Ecommerce Update 2021.” eMarketer, 13 Jan. 2021. Accessed 12 Jan. 2022.

Cramer-Flood, Ethan. “Spotlight on total global retail: Brick-and-mortar returns with a vengeance.” eMarketer, 3 Feb. 2022. Accessed 12 Apr. 2022.

Fox Rubin, Ben. “Amazon now operates seven different kinds of physical stores. Here's why.” CNET, 28 Feb. 2020. Accessed 12 Jan. 2022.

Krajewski, Laura. “16 Statistics on Why Omnichannel is the Future of Your Contact Center and the Foundation for a Top-Notch Competitive Customer Experience.” Business 2 Community, 10 July 2020. Accessed 11 Jan. 2022.

Manoff, Jill. “Fun and convenience: CEO Nany Green on Old Navy’s priorities for holiday.” Glossy, 8 Dec. 2020. Accessed 12 Jan. 2022.

Meola, Andrew. “Rise of M-Commerce: Mobile Ecommerce Shopping Stats & Trends in 2021.” Insider, 30 Dec. 2020. Accessed 12 Jan. 2022.

“Outdoor apparel retailer Icebreaker uses AI to exceed shopper expectations.” Salesforce, n.d.(a). Accessed 20 Jan. 2022.

“Personas.” Usability.gov., n.d. Web. 28 Aug. 2018.

“PetSmart – Why Commerce Cloud?” Salesforce, n.d.(b). Web. 30 April 2018.

Toor, Meena. “Customer expectations: 7 Types all exceptional researchers must understand.” Qualtrics, 3 Dec. 2020. Accessed 11 Jan. 2022.

Westfall, Leigh. “Omnichannel vs. multichannel: What's the difference?” RingCentral, 10 Sept. 2021. Accessed 11 Jan. 2022.

“Worldwide ecommerce will approach $5 trillion this year.” eMarketer, 14 Jan. 2021. Accessed 12 Jan. 2022.

Prepare an Actionable Roadmap for Your PMO

Turn planning into action with a realistic PMO timeline.

EXECUTIVE BRIEF

Analyst Perspective

Prepare an actionable roadmap for your PMO.

We all have junk drawers somewhere in our homes, and we probably try not to think about what’s going on in there. We’re just happy that they close and that the contents are concealed from anyone living in or passing through the house.

What goes in these junk drawers? Things that don’t have a home, things you don’t know what to do with, and things you don’t have the time or desire to deal with. Eventually, the drawer gets full, and it doesn’t serve you anymore because you can’t add anything else to it. Instead of cleaning the drawer and keeping the things you need, you throw everything away in one sweep. One day you will start the process again.

The junk drawer is like your project management office (PMO). The PMO is given projects that are barely scoped, projects that don’t have clear sponsors, and ad hoc administrative tasks you don’t have the time or desire to deal with. Inevitably, your PMO is out of capacity. This happens rather quickly, since it’s understaffed. You question its purpose because you made it a junk drawer. You even think about closing it. One day you will start the process again.

Use this blueprint to stop the madness. Learn how to properly define, staff, and plan a roadmap of a PMO that will actually serve your organization.

Ugbad Farah, PMP
Senior Research Analyst, PPM
Info-Tech Research Group

Your challenge

This research is designed to help organizations that are facing these challenges:

• No visibility into projects
• The organization views the PMO as unnecessary overhead
• The PMO is not properly staffed to support the organization’s needs
• Project managers/staff aren’t providing information or following processes
• Leadership and sponsors are disengaged

IT is responsible for many different business services. The data from Info-Tech’s IT Staffing diagnostic shows that 11.5% of staff time is spent on projects and project portfolio management. (Source: Info-Tech IT Staffing Benchmark Report)

PMOs can’t do everything and be all things to all people. Define limits with a strong mandate and effective staffing. Make sure you have the skills and capacity to support required PMO functions.

Project management chaos

PMOs get pulled into the day-to-day project and resourcing issues, making it difficult to focus on running a portfolio:

1. Teammates seem unphased by overdue tasks and missed milestones.
2. Fire drills may happen more often than planned projects.
3. Resources are allocated and then redirected to something more urgent.
4. Communication that’s stuck in silos, leading to confusion about priorities.
5. Due dates mysteriously shift without explanation.
6. Project teams are more focused on the due date than adoption and outcomes.

Common obstacles

IT and PMO leaders face several challenges.

• Many people see the PMO as nothing more than the “project document police,” i.e. a source of red tape rather than a helpful support system. This impacts staffing and hiring.
• The PMO is often misunderstood as a center for project management governance, when it also needs to facilitate the communication of project data from project teams to decision makers to ensure that appropriate decisions get made around resourcing, approval of new projects, etc.
• Accountability is something that is not clearly defined for many activities that flow through the PMO. Business leaders, project workers, and project managers are rarely as aligned as they need to be.

The Reality

68% — Sixty-eight percent of stakeholders see their PMOs as sources of unnecessary bureaucratic red tape. (Source: KeyedIn, 2014)

50% — Fifty percent of PMOs close within the first three years due to such things as poorly defined mandates and poor leadership. (Source: KeyedIn, 2014)

Info-Tech’s approach

Prepare an Actionable Roadmap for Your PMO

The Info-Tech difference:

1. Get a departmental job description first. Defining your PMO may not be as simple as it seems. Explore the boundaries of portfolio, project, resource, and organizational change management before jumping ahead with processes and tools.
2. The staffing plan should come before your long-term plan. Get buy-in around your definition of the roles needed to run your PMO before articulating a long-term plan. Too often, plans have been accepted without the commensurate level of staffing. Our approach gives you a chance to put hiring on the roadmap as a predecessor to accountability.
3. Keep your eye on the ball. Build your PMO around the operational imperative to recognize completed projects as an early milestone in broader changes. In other words, projects exist to create change.

Prepare an Actionable Roadmap for your PMO

Turn planning into action with a realistic PMO timeline.

50% of PMOs close within the first 3 years.

01 Define DEFINE THE RIGHT KIND OF PMO Establish the purpose of your PMO. Identify organizational needs to fill in gaps instead of duplicating efforts. LOGICAL FALLACY “If we approve more work, we'll get more done.” A properly run portfolio reconciles demand (project requests) to supply (available people) and drives throughput by approving the amount of projects that can get done.	02 Staff STAFF THE PMO FOR RESILIENCE Analyze the staffing requirements for your PMOs mandate. Create purpose-built role descriptions. FALSE ASSUMPTION “Our best project manager should run the PMO.” Your best project manager should be running projects and, no, they shouldn't do both.	03 Plan PREPARE AN ACTIONABLE ROADMAP The difference in a winning PMO is determined by a roadmap or plan created at the beginning. Leaders should understand the full scope of the plan before committing their teams to the project. COMMON MISTAKE “We'll get great at project management now and worry about portfolio management later.” Too often, PMOs focus on project management rigor and plan to do portfolio management after that's done. But few successfully maintain the process long enough to get there. If you start with portfolio management, leadership might soften their demands for project management rigor.	04 Execute ALIGN TO STRATEGIC PLAN Use the power of organizational change management to ensure success and adoption. Iterate through the finer points of planning and execution to deploy the kind of PMO defined in step 1, with the people described in step 2, and the strategic roadmap articulated in step 3. PROJECT MYOPIA “Let's focus on delivering the project on time so we can move on to our next project.” Don't forget why the idea got approved in the first place. The goal is to sustain beneficial business outcomes well beyond the completion of your project.

Info-Tech’s methodology for Preparing an Actionable Roadmap for Your PMO

Insight summary

Overarching insight

There is a gap in the perception of the actual role of the PMO in many organizations by different stakeholder groups. Many people see the PMO police that produce red tape rather than a helpful support system. Those that need to present a coherent plan to leadership championing the need for a PMO often have an uphill battle.

Phase 1 insight

Determine the PMO’s role and needs and then determine your staff needs based on that PMO.

PMO leaders are all too often set up to fail, left to make successes out of PMOs that:

1. have poorly defined mandates;
2. lack the proper resourcing to support the services the organization requires; or
3. lack executive leadership, vision, and backing.

Phase 2 insight

Staff the PMO according to its actual role and needs. Don’t rush to the assumption that PMO staff starts with accomplished project managers.

Many organizations have PMOs of one person, and it is simply not a long-term recipe for success. People in this situation have a lot of weight on their shoulders and feel like they are being set up to fail. It is very challenging for anyone to run a PMO alone without support or administrative help.

Phase 3 insight

The difference in a winning PMO is determined by a roadmap or plan created at the beginning.

When you are determining what your PMO will provide in the future, it is important to align the ambition of the PMO with the maturity of the business. Too often, a lot of effort is spent trying to convince businesses of the value of a PMO.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

PMO Role Definition Tool				PMO Project Charter Template
Blank Job Description Template		Sample Job Descriptions		PMO Job Description Builder Workbook

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

PMO Strategic Plan

PMO MS Project Plan Sample

Organizational Change Impact Analysis Tool

Benefits

IT Benefits

• Determine how you can fill gaps and not duplicate efforts to bring value to your organization.
• Ensure that key PMO capabilities like portfolio management, project management, and organizational change management are in balance.
• Staffing is purpose-driven. Avoid putting good people in the wrong role.

Business Benefits

• Intake and governance have a primary focus and are not merely afterthoughts of someone primarily focused on project management methodology.
• Avoid unrealistic commitments by ensuring better upfront analysis of ability to execute.
• Ensure appropriately mandated sponsor management.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

Phase 1

• Call #1: Scope requirements, objectives, and your specific challenges.
• Call #2: Assess current state and determine PMO role/type.
• Call #3: Complete job description survey.

Phase 2

• Call #4: Analyze survey results and complete FTE analysis.
• Call #5: Discuss necessary roles and create job descriptions.

Phase 3

• Call #6: Discuss business goals and priorities.
• Call #7: Identify and prioritize initiatives on roadmap.
• Call #8: Discuss governance and organizational change.
• Call #9: Summarize results in strategic plan and discuss next steps.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Prepare an Actionable Roadmap for Your PMO

Phase 1

Define the Right Kind of PMO

A PMO may not simply be an office of project managers

Project management offices are evolving and taking on activities that differ from company to company.

Organizations are confused about what a PMO is, whether they should have one, and what it should do

PMBOK

The responsibilities of a PMO can range from providing project management support functions to the direct management of one or more projects. The PMO is an organizational body assigned with various responsibilities related to the centralized and coordinated management of those projects under its domain.

The PMO may play a role in supporting strategic alignment and delivering organizational value, integrating data and information for organizational strategic projects, and evaluating how higher-level strategic objectives are being fulfilled.

COBIT

The PMO can be responsible for portfolio maintenance, setting a standard approach for project and program and portfolio management.

OPM

The PMO is an organizational body assigned with various responsibilities related to the centralized and coordinated management of those projects under its domain.

In an effort to set a standard, the governance frameworks have over complicated it for most of us.

Use Info-Tech’s framework to create the PMO that works for your organization

Determine the Services Your PMO Will Provide Manage your PMO services in alignment with your mandate and your organization’s needs. Establish Your PMO’s Mandate Figure out the purpose of your PMO and write it down so it’s clear to your leadership. Align your mandate to the organization’s needs. Ensure Organizational Needs Are Being Met Before you can decide on what your PMO will do, find out who’s doing what in your organization so you can fill gaps instead of duplicating efforts.

Hierarchy of PMO Needs

Info-Tech Insight

Consider the principles of Maslow’s Hierarchy of Needs, which view the lower tiers of the hierarchy as fundamentally required to validate the pursuit of the higher tiers.

Step 1.1

Get a Common Understanding of Your PMO Options

Activities

• 1.1.1 Review PMO Types
• 1.1.2 SWOT Analysis

This step will walk you through the following activities:

• Review Info-Tech’s PMO Types
• Complete a Strengths, Weaknesses, Opportunities, and Threats Analysis

This step involves the following participants:

• PMO director and/or portfolio manager
• PMO staff/stakeholders
• Project managers

Outcomes of this step

• Current state analysis

People mistake the PMO as only an office with project managers

It sounded simple enough, but no one could really explain what it meant.

PMOs are often born out of necessity or desperation. A traumatic event happens, and leadership decides that it wouldn’t have happened had there been a “Project Management Office.” The phrase itself is often quite reassuring and offers the hope of some sort of sanity and order.

People may not really be able to explain what a PMO is, but they do have a common understanding that it should solve all project management issues. But simply prescribing the “PMO” as a remedy for every organizational alignment is not going to be sufficient. There are different types of PMOs and more importantly there are different types of organizations.

Google and the Google logo are trademarks of Google LLC.

The PMI has described what a PMO could be

The PMI does not have a standard for PMOs like it does for things like project, program, and portfolio management. Its PMO definitions should be used as more of a reference point than a best practice.

But what should it do?

• Supportive: Provides a consultative role to projects by supplying templates, best practices, training, access to information, and lessons learned from previous projects.
• Controlling: Provides support and requires compliance through various means.
• Directive: Takes control of the projects by directly executing them.

The PMI described three types of PMOs. These three types are well known in the industry, but they are essentially characteristics and do little to help people understand the functions and services of a PMO. There continue to be questions about the role a PMO should play in an organization and how it’s supposed to add value.

Thousands of practitioners came together at the 2012 PMI Symposium and expanded upon PMBOK’s PMO types

1. Managing
   Manages the work in projects and programs.
2. Consulting
   Serves as an experience-based consultative body to project managers.
3. Project Repository
   Repository of previous project documentation, lessons learned, etc.
4. Enterprise PMO
   Provides PMO services to the organization.
5. Center of Excellence
   Creates the standard and methodologies and provides tools.
6. Managerial
   Manages the project and program managers, and eventually, other project resources.
7. Delivery
   Manages the project and programs.

1.1.1 Leverage Info-Tech’s PMO types to anchor yourself

We have narrowed it down to five types of PMOs.

ePMO	IT PMO	PMO	CMO	CoE
Enterprise Highest level PMO, typically responsible to align project and program work to strategy-significant projects or programs for the entire organization. Could include both IT and business units.	IT IT PMOs provide project-related support for IT project portfolios. For many organizations PMOs originate in IT departments because of the structure required for technology-related projects.	Project/Program Provides project-related tactical service as an entity to support a specific project or program. Can be dismantled when program is done.	Change Change management offices (CMO) help build change management capabilities and enable change readiness in organizations.	Excellence These centers differ in size and mode of organization, depending on their subject and scope. They support project work by providing the organizations with standard methodologies and tools.

What is your definition of a PMO?

Use this model to clearly show what is in and out of scope.