Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management

Approach vendor risk impact assessments from all perspectives.

Analyst Perspective

Organizations must comprehensively understand the impacts vendors may cause through different potential actions.

The risks from the vendor market have become more prevalent as the technologies and organizational strategies shift to a global direction. With this shift in risk comes a necessary perspective change to align with the greater likelihood of an incident occurring from vendors' (or one of their downstream support vendor's) negative actions.

Organizational leadership must become more aware of the increasing risks that engaging vendors impose. To do so, they need to make informed decisions, which can only be provided by engaging expert resources in their organizations to compile a comprehensive look at potential risk impacts.

Frank Sewell

Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Organizations must evolve their risk assessments to be more adaptive to respond to changes in the global market. Ongoing monitoring and continual assessment of vendors’ risks is crucial to avoiding negative impacts.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.`

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%

of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

Info-Tech Tech Trends Survey 2022

82%

of Microsoft non-essential employees shifted to working from home in 2020, joining the 18% already remote.

Info-Tech Tech Trends Survey 2022

89%

of organizations invested in web conferencing technology to facilitate collaboration.

Info-Tech Tech Trends Survey 2022

Looking at Risk in a New Light:

the 6 Pillars of Vendor Risk Management

Vendor Risk

• Financial

• Strategic

• Operational

• Security

• Reputational

• Regulatory

• Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
• Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.
• Prepare your vendor risk management for success using due diligence and scenario- based “What If” discussions to bring all the relevant parties to the table and educate your whole organization on risk factors.

Strategic risks on a global scale

Odds are at least one of these is currently affecting your strategic plans

• Vendor Acquisitions
• Global Pandemic
• Global Shortages
• Gas Prices
• Poor Vendor Performance
• Travel Bans
• War
• Natural Disasters
• Supply Chain Disruptions
• Security Incidents

Make sure you have the right people at the table to identify and plan to manage impacts.

Assess internal and external operational risk impacts

Two sides of the same coin

Internal

• Poorly vetted supplemental staff
• Bad system configurations
• Lack of relevant skills
• Poor vendor performance
• Failure to follow established processes
• Weak contractual accountability
• Unsupportable or end-of-life system components

External

• Cyberattacks
• Supply Chain Issues
• Geo-Political Disruptions
• Vendor Acquisitions
• N-Party Non-Compliance
• Vendor Fraud

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

Identify and manage security risk impacts on your organization

Due diligence will enable successful outcomes

• Poor vendor performance
• Vendor acquisition
• Supply chain disruptions and shortages
• N-party risk
• Third-party risk

What your vendor associations say about you

Regulatory compliance

Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.

Your organizational risks may be monitored but are your n-party vendors?

Review your expectations with your vendors and hold them accountable

Regulatory entities are looking beyond your organization’s internal compliance these days. Instead, they are more and more diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.

• Are you assessing your vendors regularly?
• Are you validating those assessments?
• Do your vendors have a map of their downstream support vendors?
• Do they have the mechanisms to hold those downstream vendors accountable to your standards?

Identify and manage risks

Regulatory

Regulatory agencies are putting more enforcement around ESG practices across the globe. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors are adhering to these regulations or face penalties for non-compliance.

Security-Data protection

Data protection remains an issue. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.

Mergers and acquisitions

More prominent vendors continuously buy smaller companies to control the market in the IT industry. Organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not put them in a relationship with someone that could cause them an issue.

Identify and manage risks

Poor vendor performance

Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.

Supply chain disruptions and global shortages

Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.

Poorly configured systems

Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors is crucial to ensure they are meeting expectations in this regard.

What to look for

Identify potential risk impacts

• Is there a record of complaints against the vendor from their employees or customers?
• Is the vendor financially sound, with the resources to support your needs?
• Has the vendor been cited for regulatory compliance issues in the past?
• Does the vendor have a comprehensive list of their n-party vendor partners?
  • Are they willing to accept appropriate contractual protections regarding them?
• Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
• Does the vendor operate in regions known for instability?
• Is the vendor willing to make concessions on contractual protections, or are they only offering one-sided agreements with as-is warranties?

Prepare your vendor risk management for success

Due diligence will enable successful outcomes.

1. Obtain top-level buy-in; it is critical to success.
2. Build enterprise risk management (ERM) through incremental improvement.
3. Focus initial efforts on the “big wins” to prove the process works.
4. Use existing resources.
5. Build on any risk management activities that already exist in the organization.
6. Socialize ERM throughout the organization to gain additional buy-in.
7. Normalize the process long term with ongoing updates and continuing education for the organization.

(Adapted from COSO)

How to assess third-party risk

1. Review organizational risks

   Understand the organizations risks to prepare for the “What If” game exercise.

2. Identify and understand potential risks

   Play the “What If” game with the right people at the table.

3. Create a risk profile packet for leadership

   Pull all the information together in a presentation document.

4. Validate the risks

   Work with leadership to ensure that the proposed risks are in line with their thoughts.

5. Plan to manage the risks

   Lower the overall risk potential by putting mitigations in place.

6. Communicate the plan

   It is important not only to have a plan but also to socialize it in the organization for awareness.

7. Enact the plan

   Once the plan is finalized and socialized, put it in place with continued monitoring for success.

Adapted from Harvard Law School Forum on Corporate Governance

Insight summary

Risk impacts often come from unexpected places and have significant consequences.

Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization.

Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization to avoid penalties.

Insight 1

Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.

For example, Philips’ recall of ventilators impacted its products and the availability of its competitors’ products as demand overwhelmed the market.

Insight 2

Organizations often fail to understand how n-party vendors could place them in non-compliance.

Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well, and hold your direct vendors accountable for the actions of their vendors.

Insight 3

Organizations need to know where their data lives and ensure it is protected.

Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protections throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.

Insight summary

Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.

Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those managing the vendors.

Insight 4

Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.

For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?

Insight 5

Organizations fail to plan for vendor acquisitions appropriately.

Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans for replacing critical vendors purchased in such a manner?

Insight 6

Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.

Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?

Identifying vendor risk

Who should be included in the discussion?

• While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
• Getting input from operational experts at your organization will enhance your business's long-term potential for success.
• Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying emerging potential strategic partners.
• Make sure security, risk, and compliance are all at the table. These departments all look at risk from different angles for the business and give valuable insight collectively.
• Organizations have a wealth of experience in their marketing departments that can help identify real-world scenarios of negative actions.

See the blueprint Build an IT Risk Management Program

Review your risk management plans for new risks on a regular basis.

Keep in mind Risk =
Likelihood x Impact
(R=L*I).

Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent.

Managing vendor risk impacts

How could your vendors impact your organization?

• Review vendors’ downstream connections to understand thoroughly who you are in business with
• Institute continuous vendor lifecycle management
• Develop IT risk governance and change control
• Introduce continual risk assessment to monitor the relevant vendor markets
• Monitor and schedule contract renewals and new service/module negotiations
• Perform business alignment meetings to reassess relationships
• Ensure strategic alignment in contracts
• Review vendors’ business continuity plans and disaster recovery testing
• Re-evaluate corporate policies frequently
• Monitor your company’s and associated vendors’ online presence
• Be adaptable and allow for innovations that arise from the current needs
  • Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly

Organizations must review their risk appetite and tolerance levels, considering their complete landscape.

Changing regulations, acquisitions, new security issues, and events that affect global supply chains are current realities, not unlikely scenarios.

Ongoing Improvement

Incorporating lessons learned.

• Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
• When that happens, follow your incident response plans and act accordingly.
• An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
• Use the lessons learned document to devise, incorporate, and enact a better risk management process.

Sometimes disasters occur despite our best plans to manage them.

When this happens, it is important to document the lessons learned and improve our plans going forward.

The "what if" game

1-3 hours

Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

1. Break into smaller groups (if too small, continue as a single group).
2. Use the Comprehensive Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Comprehensive Risk Impact Tool

High risk example from tool

Note: Even though a few items are “scored” they have not been added to the overall weight, signaling that the company has noted but does not necessarily hold them against the vendor.

How to mitigate:

• Contractually insist that the vendor have a third-party security audit performed annually with the stipulation that they will not denigrate below your acceptable standards.
• At renewal negotiate better contractual terms and protections for your organization.

Low risk example from tool

Summary

Seek to understand all potential risk impacts to better prepare your organization for success.

• Organizations need to understand and map out their entire vendor landscape.
• Understand where all your data lives and how you can control it throughout the vendor lifecycle.
• Organizations need to be realistic about the likelihood of potential risks in the changing global world.
• Those organizations that consistently follow their established risk-assessment and due-diligence processes are better positioned to avoid penalties.
• Understand how your vendors prioritize your organization in their business continuity processes.
• Bring the right people to the table to outline potential risks in the market and your organization.
• Socialize the third-party vendor risk management process throughout the organization to heighten awareness and enable employees to help protect the organization.
• Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
• Incorporate lessons learned from prior incidents into your risk management process to build better plans for future issues.

Organizations must evolve their risk assessments to be more meaningful to respond to global changes in the market.

Organizations should increase the resources dedicated to monitoring the market as regulatory agencies continue to hold them more and more accountable.

Bibliography

Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

Weak Cybersecurity is taking a toll on Small Businesses (tripwire.com)

SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

Shared Assessments Member Poll March 2021 "Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties“

“Cybersecurity only the tip of the iceberg for third-party risk management”. Help Net Security, April 21, 2021. Accessed: 2022-07-29.

“Third-Party Risk Management (TPRM) Managed Services”. Deloitte, 2022. Accessed: 2022-07-29.

“The Future of TPRM: Third Party Risk Management Predictions for 2022”. OneTrust, December 20th2021. Accessed 2022-07-29.

“Third Party Vendor definition”. Law Insider, Accessed 2022-07-29.

“Third Party Risk”. AWAKE Security, Accessed 2022-07-29.

Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses", Info-Tech Research Group, June 2022.

Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide", Transmission Private, July 2022. Accessed June 2022.

Jagiello, Robert D, and Thomas T Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication. ”Risk analysis : an official publication of the Society for Risk Analysis vol. 38,10 (2018): 2193-2207.doi:10.1111/risa.13117

Kenton, Will. "Brand Recognition", Investopedia, August 2021. Accessed June 2022. Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?", Ignyte, October 2017. Accessed June 2022.

"Powerful Examples of How to Respond to Negative Reviews", Review Trackers, February 2022. Accessed June 2022.

"The CEO Reputation Premium: Gaining Advantage in the Engagement Era", Weber Shadwick, March 2015. Accessed on June 2022.

"Valuation of Trademarks: Everything You Need to Know",UpCounsel, 2022. Accessed June 2022.

Related Info-Tech Research

Identify and Manage Financial Risk Impacts on Your Organization

• Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
• Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Manage Reputational Risk Impacts on Your Organization

• Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
• Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

Identify and Manage Strategic Risk Impacts on Your Organization

• Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
• Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

Regulatory guidance and industry standards

• International Organization for Standardization (ISO)
• FOREIGN CORRUPT PRACTICES ACT (FCPA)
• Sarbanes–Oxley Act (SOX)
• National Institute of Standards & Technology (NIST)
• Control Objectives for Information and Related Technologies (COBIT)
• EU General Data Protection Regulation 2016/679 (“GDPR”);
• UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (UKGDPR)
• Swiss Federal Act on Data Protection(Swiss FDPA) – coming September 1, 2023
• IR35 (UK Off-Payroll compliance)
Technology Code of Practice (UK)
• Modern Slavery Act 2015 (UK)
• Defense Federal Acquisition Regulation Supplement (DFARS)
• Cybersecurity Maturity Model Certification (CMMC)
• Payment Card Industry Data Security Standard (PCI DSS)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)

Accelerate Business Growth and Valuation By Building Brand Awareness

Develop and deploy comprehensive, multi-touchpoint brand awareness strategies to become the trusted brand that buyers think of first.

EXECUTIVE BRIEF

Analyst perspective

Building brand awareness

Achieving high brand awareness in a given market and becoming the benchmark for buyers

is what every brand wants to achieve, as it is a guarantee of success. Building brand awareness,

even though its immediate benefits are often difficult to see and measure, is essential for companies that want to stand out from their competitors and continue to grow in a sustainable way. The return on investment (ROI) may take longer, but the benefits are also greater than those achieved through short-term initiatives with the expectation of immediate, albeit often limited, results.

Brands that are familiar to their target market have greater credibility, generate more sales,

and have a more loyal customer base. CMOs that successfully execute brand awareness programs

build brand equity and grow company valuation.

Nathalie Vezina
Marketing Research Director
SoftwareReviews Advisory

Executive summary

Brand leaders know that brand awareness is essential to the success of all marketing and sales activities. Brands that fail to invest in brand awareness are likely to face some, if not all these problems:

• Lack of brand visibility and compelling storytelling.
• Inability to reach the target audience.
• Low engagement on digital platforms and with ads.
• Difficulties generating and converting leads, or closing/winning sales/deals, and facing a high cost per acquisition.
• Low/no interest or brand recognition, trust level, and customer retention rate.
• Inability to justify higher pricing.

Convincing stakeholders of the benefits of strong brand awareness can be difficult when the positive outcomes are hard to quantify, and the return on investment (ROI) is often long-term. Among the many obstacles brand leaders must overcome are:

• Lack of longer-term corporate vision, focusing all efforts and resources on short-term growth strategies for a quick ROI.
• Insufficient market and target buyers' information and understanding of the brand's key differentiator.
• Misalignment of brand message, and difficulties creating compelling content that resonates with the target audience, generates interest, and keeps them engaged.
• Limited or no resources dedicated to the development of the brand.

Inspired by top-performing businesses and best practices, this blueprint provides the guidance and tools needed to successfully build awareness and help businesses grow. By following these guidelines, brand leaders can expect to:

• Gain market intelligence and a clear understanding of the buyer's needs, your competitive advantage, and key differentiator.
• Develop a clear and compelling value proposition and a human-centric brand messaging driven by the brand's values.
• Increase online presence and brand awareness to attract and engage with buyers.
• Develop a long-term brand strategy and execution plan.

"A brand is the set of expectations, memories, stories, and relationships that, taken together, account for a consumer's decision to choose one product or service over another."

– Seth Godin

What is brand awareness?

The act of making a brand visible and memorable.

Brand awareness is the degree to which buyers are familiar with and recognize the attributes and image of a particular brand, product, or service. The higher the level of awareness, the more likely the brand is to come into play when a target audience enters the " buying consideration" phase of the buyer's journey.

Brand awareness also plays an important role in building equity and increasing business valuation. Brands that are familiar to their target market have greater credibility, drive more sales and have a more loyal customer base.
Building brand awareness allows increasing:

• Brand visibility, perception, recognition, and reputation
• Interactions and engagement with the target audience
• Digital advertising performance and ROI
• Conversion rates and sales wins
• Revenue and profitability
• Market share and share of voice (SOV)
• Talents, partners, and investors attraction and retention
• Brand equity, business growth, and market valuation

"Products are made in a factory, but brands are created in the mind."
Source: Walter Landor

Capitalizing on a powerful brand

A longer-term approach for an increased and more sustainable ROI.

Market leader position

Developing brand awareness is essential to increase the visibility and traction of a brand.

Several factors may cause a brand to be not well-known. One reason might be that the brand recently launched, such as a startup. Another reason could be that the brand has rebranded or entered a new market.

To become the trusted brand that buyers think of first in their target markets, it is critical for these brands to develop and deploy comprehensive, multi-touchpoint brand awareness strategies.

A relationship leading to loyalty

A longer-term brand awareness strategy helps build a strong relationship between the brand and the buyer, fostering a lasting and rewarding alliance.

It also enables brands to reach and engage with their target audience effectively by using compelling storytelling and meaningful content.

Adopting a more human-centric approach and emphasizing shared values makes the brand more attractive to buyers and can drive sales and gain loyalty.

Sustainable business growth

For brands that are not well established in their target market, short-term tactics that focus on immediate benefits can be ineffective. In contrast, long-term brand awareness strategies provide a more sustainable ROI (return on investment).

Investing in building brand awareness can impact a business's ability to interact with its target audience, generate leads, and increase sales. Moreover, it can significantly contribute to boosting the business's brand equity and market valuation.

"Quick wins may work in the short term, but they're not an ideal substitute for long-term tactics and continued success."
Source: Forbes

Impacts of low brand awareness on businesses

Unfamiliar brands, despite their strong potential, won't thrive unless they invest in their notoriety.

Brands that choose not to invest in longer-term awareness strategies and rely solely on short-term growth tactics in hopes of an immediate gain will see their ability to grow diminished and their longevity reduced due to a lack of market presence and recognition.

Symptoms of a weakening brand include:

• High marketing spending and limited result
• Low market share or penetration
• Low sales, revenue, and gross margin
• Weak renewal rate, customer retention, and loyalty
• Difficulties delivering on the brand promise, low/no trust in the brand
• Limited brand equity, business valuation, and sustainability
• Unattractive brand to partners and investors

"Your brand is the single most important investment you can make in your business."
Source: Steve Forbes

Most common obstacles to increasing brand awareness

Successfully building brand awareness requires careful preparation and planning.

• Limited market intelligence
• Unclear competitive advantage/key differentiator
• Misaligned and inconsistent messaging and storytelling
• Lack of long-term vision
• and low prioritization
• Limited resources to develop and execute brand awareness building tactics
• Unattractive content that does not resonate, generates little or no interest and engagement

Investing in the notoriety of the brand

Become the top-of-mind brand in your target market.

To stand out, be recognized by their target audience, and become major players in their industry, brands must adopt a winning strategy that includes the following elements:

• In-depth knowledge and understanding of the market and audience
• Strengthening digital presence and activities
• Creating and publishing content relevant to the target audience
• Reaching out through multiple touchpoints
• Using a more human-centric approach
• Ensure consistency in all aspects of the brand, across all media and channels

How far are you from being the brand buyers think of first in your target market?

Brand awareness pyramid

Based on David Aaker's brand loyalty pyramid

Tactics for building brand awareness

Focus on effective ways to gain brand recognition in the minds of buyers.

Brand recognition requires in-depth knowledge of the target market, the creation of strong brand attributes, and increased presence and visibility.

Understand the market and audience you're targeting

Be prepared. Act smart.

To implement a winning brand awareness-building strategy, you must:

• Be aware of your competitor's strengths and weaknesses, as well as yours.
• Find out who is behind the keyboard, and the user experience they expect to have.
• Plan and continuously adapt your tactics accordingly.
• Make your buyer the hero.

Identify the brands' uniqueness

Find your "winning zone" and how your brand uniquely addresses buyers' pain points.

Focus on your key differentiator

A brand has found its "winning zone" or key differentiator when its value proposition clearly shows that it uniquely solves its buyers' specific pain points.

Align with your target audience's real expectations and successfully interact with them by understanding their persona and buyer's journey. Know:

• How you uniquely address their pain points.
• Their values and what motivates them.
• Who they see as authorities in your field.
• Their buying habits and trends.
• How they like brands to engage with them.

Give your brand a voice

Define and present a consistent voice across all channels and assets.

The voice reflects the personality of the brand and the emotion to be transmitted. That's why it's crucial to establish strict rules that define the language to use when communicating through the brand's voice, the type of words, and do's and don'ts.

To be recognizable it is imperative to avoid inconsistencies. No matter how many people are behind the brand voice, the brand must show a unique, distinctive personality. As for the tone, it may vary according to circumstances, from lighter to more serious.

Up to 80% Increased customer recognition when the brand uses a signature color scheme across multiple platforms
Source: startup Bonsai
23% of revenue increase is what consistent branding across channels leads to.
Source: Harvard Business Review

When we close our eyes and listen, we all recognize Ella Fitzgerald's rich and unique singing voice.

We expect to recognize the writing of Stephen King when we read his books. For the brand's voice, it's the same. People want to be able to recognize it.

Adopt a more human-centric approach

If your brand was a person, who would it be?

Human attributes

Physically attractive

• Brand identity
• Logo and tagline
• Product design

Intellectually stimulating

• Knowledge and ideas
• Continuous innovation
• Thought leadership

Sociable

• Friendly, likeable and fun
• Confidently engage with audience through multiple touchpoints
• Posts and shares meaningful content
• Responsive

Emotionally connected

• Inspiring
• Powerful influencer
• Triggers emotional reactions

Morally sound

• Ethical and responsible
• Value driven
• Deliver on its promise

Personable

• Honest
• Self-confident and motivated
• Accountable

0.05 Seconds is what it takes for someone to form an opinion about a website, and a brand.
Source: 8ways

90% of the time, our initial gut reaction to products is based on color alone.
Source: startup Bonsai

56% of the final b2b purchasing decision is based on emotional factors.
Source: B@B International

Put values at the heart of the brand-buyers relationship

Highlight values that will resonate with your audience.

Brands that focus on the values they share with their buyers, rather than simply on a product or service, succeed in making meaningful emotional connections with them and keep them actively engaged.

Shared values such as transparency, sustainability, diversity, environmental protection, and social responsibility become the foundation of a solid relationship between a brand and its audience.

The key is to know what motivates the target audience.

86% of consumers claim that authenticity is one of the key factors they consider when deciding which brands they like and support.
Source: Business Wire

56% of the final decision is based on having a strong emotional connection with the supplier.
Source: B2B International

64% of today's customers are belief-driven buyers; they want to support brands that "can be a powerful force for change."
Source: Edelman

"If people believe they share values with a company, they will stay loyal to the brand."
– Howard Schultz
Source: Lokus Design

Double-down on digital

Develop your digital presence and reach out to your target audiences through multiple touchpoints.

Beyond engaging content, reaching the target audience requires brands to connect and interact with their audience in multiple ways so that potential buyers can form an opinion.

With the right message consistently delivered across multiple channels, brands increase their reach, create a buzz around their brand and raise awareness.

73% of today's consumers confirm they use more than one channel during a shopping journey
Source: Harvard Business Review

Platforms

• Website and apps
• Social media
• Group discussions

Multimedia

• Webinars
• Podcasts
• Publication

Campaign

• Ads and advertising
• Landing pages
• Emails, surveys drip campaigns

Network

• Tradeshows, events, sponsorships
• Conferences, speaking opportunities
• Partners and influencers

Use social media to connect

Reach out to the masses with a social media presence.

Social media platforms represent a cost-effective opportunity for businesses to connect and influence their audience and tell their story by posting relevant and search-engine-optimized content regularly on their account and groups. It's also a nice gateway to their website.

Building a relationship with their target buyer through social media is also an easy way for businesses to:

• Understand the buyers.
• Receive feedback on how the buyers perceive the brand and how to improve it.
• Show great user experience and responsiveness.
• Build trust.
• Create awareness.

75% of B2B buyers and 84% of C-Suite executives use social media when considering a purchase
Source: LinkedIn Business

92% of B2B buyers use social media to connect with leaders in the sales industry.
Source: Techjury

With over 4.5 billion social media users worldwide, and 13 new users signing up to their first social media account every second, social media is fast becoming a primary channel of communication and social interaction for many.
Source: McKinsey

Become the expert subject matter

Raise awareness with thought leadership content.

Thought leadership is about building credibility
by creating and publishing meaningful, relevant content that resonates with a target audience.
Thought leaders write and publish all kinds of relevant content such as white papers, ebooks, case studies, infographics, video and audio content, webinars, and research reports.
They also participate in speaking opportunities, live presentations, and other high-visibility forums.
Well-executed thought leadership strategies contribute to:

• Raise awareness.
• Build credibility.
• Be recognized as a subject expert matter.
• Become an industry leader.

60% of buyers say thought leadership builds credibility when entering a new category where the brand is not already known.
Source: Edelman | LinkedIn

70% of people would rather learn about a company through articles rather than advertising.
Source: Brew Interactive

57% of buyers say that thought leadership builds awareness for a new or little-known brand.
Source: Edelman | LinkedIn

To achieve best results

• Know the buyers' persona and journey.
• Create original content that matches the persona of the target audience and that is close to their values.
• Be Truthful and insightful.
• Find the right tone and balance between being human-centric, authoritative, and bold.
• Be mindful of people's attention span and value their time.
• Create content for each phase of the buyer's journey.
• Ensure content is SEO, keyword-loaded, and add calls-to-action (CTAs).
• Add reason to believe, data to support, and proof points.
• Address the buyers' pain points in a unique way.

Avoid

• Focusing on product features and on selling.
• Publishing generic content.
• Using an overly corporate tone.

Promote personal branding

Rely on your most powerful brand ambassadors and influencers: your employees.

The strength of personal branding is amplified when individuals and companies collaborate to pursue personal branding initiatives that offer mutual benefits. By training and positioning key employees as brand ambassadors and industry influencers, brands can boost their brand awareness through influencer marketing strategies.

Personal branding, when well aligned with business goals, helps brands leverage their key employee's brands to:

• Increase the organization's brand awareness.
• Broaden their reach and circle of influence.
• Show value, gain credibility, and build trust.
• Stand out from the competition.
• Build employee loyalty and pride.
• Become a reference to other businesses.
• Increase speaking opportunities.
• Boost qualified leads and sales.

About 90% of organizations' employee network tends to be completely new to the brand.
Source: Everyone Social

8X more engagement comes from social media content shared by employees rather than brand accounts.
Source: Entrepreneur

561% more reach when brand messages are shared by employees on social media, than the same message shared by the Brand's social media.
Source: Entrepreneur

"Personal branding is the art of becoming knowable, likable and trustable."
Source: Founder Jar, John Jantsch

Invest in B2B influencer marketing

Broaden your reach and audiences by leveraging the voice of influencers.

Influencers are trusted industry experts and analysts who buyers can count on to provide reliable information when looking to make a purchase.

Influencer marketing can be very effective to reach new audiences, increase awareness, and build trust. But finding the right influencers with the level of credibility and visibility brands are expecting can sometimes be challenging.

Search for influencers that have:

• Relevance of audience and size.
• Industry expertise and credibility.
• Ability to create meaningful content (written, video, audio).
• Charismatic personality with values consistent with the brand.
• Frequent publications on at least one leading media platform.

76% of people say that they trust content shared by people over a brand.
Source: Adweek

44% increased media mention of the brand using B2B influencer marketers.
Source: TopRank Marketing

Turn your customers into brand advocates

Establish customer advocacy programs and deliver a great customer experience.

Retain your customers and turn them into brand advocates by building trust, providing an exceptional experience, and most importantly, continuously delivering on the brand promise.

Implement a strong customer advocacy program, based on personalized experiences, the value provided, and mutual exchange, and reap the benefits of developing and growing long-term relationships.

92% of individuals trust word-of-mouth recommendations, making it one of the most trust-rich forms of advertising.
Source: SocialToaster

Word-of-mouth (advocacy) marketing increases marketing effectiveness by 54%
Source: SocialToaster

Make your brand known and make it stick in people's minds

Building and maintaining high brand awareness requires that each individual within the organization carry and deliver the brand message clearly and consistently across all media whether in person, in written communications, or otherwise.

To achieve this, brand leaders must first develop a powerful, researched narrative that people will embrace and convey, which requires careful preparation.

Target market and audience intel

• Target market Intel
• Buyer persona and journey/pain points
• Uniqueness and positioning

Brand attributes

• Values at the heart of the relationship
• Brand's human attributes

Brand visibly and recall

• Digital and social media presence
• Thought leadership
• Personal branding
• Influencer marketing

Brand awareness building plan

• Long-term awareness and multi-touchpoint approach
• Monitoring and optimization

Short and long-term benefits of increasing brand awareness

Brands are built over the long term but the rewards are high.

• Stronger brand perception
• Improved engagement and brand associations
• Enhanced credibility, reputation, and trust
• Better connection with customers
• Increased repeat business
• High-quality leads
• Higher and faster conversion rate
• More sales closed/ deals won
• Greater brand equity
• Accelerated growth

"Strong brands outperform their less recognizable competitors by as much as 73%."
Source: McKinsey

Brand awareness building

Building brand awareness, even though immediate benefits are often difficult to see and measure, is essential for companies to stand out from their competitors and continue to grow in a sustainable way.

To successfully raise awareness, brands need to have:

• A longer-term vision and strategy.
• Market Intelligence, a clear value proposition, and key differentiator.
• Consistent, well-aligned messaging and storytelling.
• Digital presence and content.
• The ability to reach out through multiple touchpoints.
• Necessary resources.

Without brand awareness, brands become less attractive to buyers, talent, and investors, and their ability to grow, increase their market value, and be sustainable is reduced.

Brand awareness building methodology

Define brands' personality and message

• Gather market intel and analyze the market.
• Determine the value proposition and positioning.
• Define the brand archetype and voice.
• Craft a compelling brand message and story.
• Get all the key elements of your brand guidelines.

Start building brand awareness

• Achieve strategy alignment and readiness.
• Create and manage assets.
• Deploy your tactics, assets, and workflows.
• Establish key performance indicators (KPIs).
• Monitor and optimize on an ongoing basis.

Toolkit

• Market and Influencing Factors Analysis
• Recognition Survey and Best Practices
• Buyer Personas and Journeys
• Purpose, Mission, Vision, Values
• Value Proposition and Positioning
• Brand Message, Voice, and Writing Style
• Brand Strategy and Tactics
• Asset Creation and Management
• Strategy Rollout Plan

Short and long-term benefits of increasing brand awareness

Increase:

• Brand perception
• Brand associations and engagement
• Credibility, reputation, and trust
• Connection with customers
• Repeat business
• Quality leads
• Conversion rate
• Sales closed / deals won
• Brand equity and growth

It typically takes 5-7 brand interactions before a buyer remembers the brand.
Source: Startup Bonsai

Who benefits from this brand awareness research?

This research is being designed for:
Brand and marketing leaders who:

• Know that brand awareness is essential to the success of all marketing and sales activities.
• Want to make their brand unique, recognizable, meaningful, and highly visible.
• Seek to increase their digital presence, connect and engage with their target audience.
• Are looking at reaching a new segment of the market.

This research will also assist:

• Sales with qualified lead generation and customer retention and loyalty.
• Human Resources in their efforts to attract and retain talent.
• The overall business with growth and increased market value.

This research will help you:

• Gain market intelligence and a clear understanding of the target audience's needs and trends, competitive advantage, and key differentiator.
• The ability to develop clear and compelling, human-centric messaging and compelling story driven by brand values.
• Increase online presence and brand awareness activities to attract and engage with buyers.
• Develop a long-term brand awareness strategy and deployment plan.

This research will help them:

• Increase campaign ROI.
• Develop a longer-term vision and benefits of investing in longer-term initiatives.
• Build brand equity and increase business valuation.
• Grow your business in a more sustainable way.

SoftwareReviews' brand awareness building methodology

Insight summary

Brands to adapt their strategies to achieve longer-term growth
Brands must adapt and adjust their strategies to attract informed buyers who have access to a wealth of products, services, and brands from all over. Building brand awareness, even though immediate benefits are often difficult to see and measure, has become essential for companies that want to stand out from their competitors and continue to grow in a sustainable way.

A more human-centric approach
Brand personalities matter. Brands placing human values at the heart of the customer-brand relationship will drive interest in their brand and build trust with their target audience.

Stand out from the crowd
Brands that develop and promote a clear and consistent message across all platforms and channels, along with a unique value proposition, stand out from their competitors and get noticed.

A multi-touchpoints strategy
Engage buyers with relevant content across multiple media to address their pain points. Analyze touchpoints to determine where to invest your efforts.

Going social
Buyers expect brands to be active and responsive in their interactions with their audience. To build awareness, brands are expected to develop a strong presence on social media by regularly posting relevant content, engaging with their followers and influencers, and using paid advertising. They also need to establish thought leadership through content such as white papers, case studies, and webinars.

Thought leaders wanted
To enhance their overall brand awareness strategy, organizations should consider developing the personal brand of key executives. Thought leadership can be a valuable method to gain credibility, build trust, and drive conversion. By establishing thought leadership, businesses can increase brand mentions, social engagement, website traffic, lead generation, return on investment (ROI), and Net Promoter Score (NPS).

Save time and money with SoftwareReviews' branding advice

Collaborating with SoftwareReviews analysts for inquiries not only provides valuable advice but also leads to substantial cost savings during branding activities, particularly when partnering with an agency.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

Your engagement managers will work with you to schedule analyst calls.

Brand awareness building tools

Each step of this blueprint comes with tools to help you build brand awareness.

Brand Awareness Tool Kit

This kit includes a comprehensive set of tools to help you better understand your target market and buyers, define your brand's personality and message, and develop an actionable brand awareness strategy, workflows, and rollout plan.

The set includes these templates: Market and Influencing Factors Analysis Recognition Survey and Best Practices Buyer Personas and Journeys Purpose, Mission, Vision, and Values Value Proposition and Positioning Brand Message, Voice, and Writing Style Brand Strategy and Tactics Asset Creation and Management Strategy Rollout Plan

Get started!

Know your target market and audience, deploy well-designed strategies based on shared values, and make meaningful connections with people.

Phase 1

Define brands' personality and message

Phase 2

Start building brand awareness

Phase 1

Define brands' personality and message

Steps

1.1 Gather market intelligence and analyze the market.
1.2 Develop and document the buyer's persona and journey.
1.3 Uncover the brand mission, vision statement, core values, positioning, and value proposition.
1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

Phase outcome

• Target market and audience are identified and documented.
• A clear value proposition and positioning are determined.
• The brand personality, voice, and messaging are developed.
• All the key elements of the brand guidelines are in place. and ready to use, along with the existing logo, typography, color palette, and imagery..

Build brands' personality and message

Step 1.1 Gather market intelligence and analyze the market.

Total duration: 2.5-8 hours

Objective

Analyze and document your competitive landscape, assess your strengths, weaknesses, opportunities,
and threats, gauge the buyers' familiarity with your brand, and identify the forces of influence.

Output

This exercise will allow you to understand your market and is essential to developing your value proposition.

Participants

• Head of branding and key stakeholders

MarTech
May require you to:

• Register to a Survey Platform.
• Use, setup, or install platforms like CRM and/or Marketing Automation Platform.

Tools

• Market Analysis Template
• Brand Recognition Survey Questionnaire and List Template and Survey Emails Best Practices Guidelines
• External and Internal Factors Analysis Template

Consult SoftwareReviews website to find the best survey and MarTech platforms or contact one of our analysts for more personalized assistance and guidance

Brand performance diagnostic

Have you considered diagnosing your brand's current performance before you begin building brand awareness?

Audit your brand using the Diagnose Brand Health to Improve Business Growth blueprint.Collect and interpret qualitative and quantitative brand performance measures.

The toolkit includes the following templates:

• Surveys and interviews questions and lists
• External and internal factor analysis
• Digital and financial metrics analysis

Also included is an executive presentation template to communicate the results to key stakeholders and recommendations to fix the uncovered issues.

Build brands' personality and message

Step 1.2 Develop and document the buyer's persona and journey.

Total duration: 4-8 hours

Objective

Gather existing and desired customer insights and conduct market research to define and personify your buyers' personas and their buying behaviors.

Output

Provide people in your organization with clear direction on who your target buyers are and guidance on how to effectively reach and engage with them throughout their journey.
Participants

• Head of branding
• Key stakeholders from sales and product marketing

MarTech
May require you to:

• Register to an Online Survey Platform (free version or subscription).
• Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.

Tools

• Buyer Personas and Journeys Presentation Template
• Ideal Customer Profile (ICP) Workbook
• Buyer Persona and Journey Interview Guide and Data Capture

Consult SoftwareReviews website to find the best survey platform for your needs or contact one of our analysts for more personalized assistance and guidance

Buyer Personas and Journeys

A well-defined buyer persona and journey is a great way for brands to ensure they are effectively reaching and engaging their ideal buyers through a personalized buying experience.

When properly documented, it provides valuable insights about the ideal customers, their needs, challenges, and buying decision processes allowing the development of initiatives that correspond to the target buyers.

Build brands' personality and message

Step 1.3 Uncover the brand mission, vision statement, core values, value proposition, and positioning.

Total duration: 4-5.5 hours

Objective
Define the "raison d'être" and fundamental principles of your brand, your positioning in the marketplace, and your unique competitive advantage.

Output
Allows everyone in an organization to understand and align with the brand's raison d'être beyond the financial dimension, its current positioning and objectives, and how it intends to achieve them.
It also serves to communicate a clear and appealing value proposition to buyers.

Participants

• Head of branding
• Chief Executive Officer (CEO)
• Key stakeholders

Tools

• Brand Purpose, Mission, Vision, and Values Template
• Value Proposition and Positioning Statement Template

Build brands' personality and message

Steps 1.4 Define the brand's archetype and tone of voice, and craft a compelling brand messaging.

Total duration: 5-8 hours

Objective

Define your unique brand voice and develop a set of guidelines, brand story, and messaging to ensure consistency across your digital and non-digital marketing and communication assets.
Output

A documented brand personality and voice, as well as brand story and message, will allow anyone producing content or communicating on behalf of your brand to do it using a unique and recognizable voice, and convey the right message.

Participants

• Head of branding
• Content specialist
• Chief Executive Officer and other key stakeholders

Tools

• Brand Voice Guidelines Template
• Writing Style Guide Template
• Brand Messaging Template
• Writer Checklist Template

Important Tip!

A consistent brand voice leads to remembering and trusting the brand. It should stand out from the competitors' voices and be meaningful to the target audience. Once the brand voice is set, avoid changing it.

Phase 2

Start building brand awareness

Steps

2.1 Achieve strategy alignment and readiness.
2.2 Create assets and workflows, and deploy tactics.
2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

Phase outcome

• A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
• A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
• Resources are assigned.

Start building brand awareness

Step 2.1 Achieve strategy readiness and alignment.

Total duration: 4-5 hours

Objective

Now that you have all the key elements of your brand guidelines in place, in addition to your existing logo, typography, color palette, and imagery, you can begin to build brand awareness.

Start planning to build brand awareness by developing a comprehensive and actionable brand awareness strategy with tactics that align with the company's purpose and objectives. The strategy should include achievable goals and measurables, budget and staffing considerations, and a good workload assessment.

Output

A comprehensive long-term, actionable brand awareness strategy with KPIs and measurables.

Participants

• Head of branding
• Key stakeholders

Tools

• Brand Awareness Strategy and Tactics Template

Understanding the difference between strategies and tactics

Strategies and tactics can easily be confused, but although they may seem similar at times, they are in fact quite different.

Strategies and tactics are complementary.

A strategy is a plan to achieve specific goals, while a tactic is a concrete action or set of actions used to implement that strategy.

To be effective, brand awareness strategies should be well thought-out, carefully planned, and supported by a series of tactics to achieve the expected outcomes.

Start building brand awareness

Step 2.2 Create assets and workflows and deploy tactics.

Total duration: 3.5-4.5 hours

Objective

Build a long-term rollout with deliverables, milestones, timelines, workflows, and checklists. Assign resources and proceed to the ongoing development of assets. Implement, manage, and continuously communicate the strategy and results to key stakeholders.

Output

Progressive and effective development and deployment of the brand awareness-building strategy and tactics.

Participants

• Head of branding

Tools

• Asset Creation and Management List
• Campaign Workflows Template
• Brand Awareness Strategy Rollout Plan Template

Band Awareness Strategy Rollout Plan
A strategy rollout plan typically includes the following:

• Identifying a cross-functional team and resources to develop the assets and deploy the tactics.
• Listing the various assets to create and manage.
• A timeline with key milestones, deadlines, and release dates.
• A communication plan to keep stakeholders informed and aligned with the strategy and tactics.
• Ongoing performance monitoring.
• Constant adjustments and improvements to the strategy based on data collected and feedback received.

Start building brand awareness

Step 2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

Total duration: 3.5-4.5 hours

Objective

Brand awareness is built over a long period of time and must be continuously monitored in several ways. Measuring and monitoring the effectiveness of your brand awareness activities will allow you to constantly adjust your tactics and continue to build awareness.

Output

This step will provide you with a snapshot of your current level of brand awareness and interactions with the brand, and allow you to set up the tools for ongoing monitoring and optimization.

Participants

• Head of branding
• Digital marketing manager

MarTech
May require you to:

• Register to an Online Survey Platform(free version or subscription), or
• Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.
• Use Google Analytics or other tracking tools.
• Use social media and campaign management tools.

Tools

• Brand Awareness Strategy and Tactics Template

Consult SoftwareReviews website to find the best survey, brand monitoring and feedback, and MarTech platforms, or contact one of our analysts for more personalized assistance and guidance

Measuring brand strategy performance
There are two ways to measure and monitor your brand's performance on an ongoing basis.

• By registering to brand monitoring and feedback platforms and tools like Meltwater, Hootsuite, Insights, Brand24, Qualtrics, and Wooltric.
• Manually, using native analytics built in the platforms you're already using, such as Google and Social Media Analytics, or by gathering customer feedback through surveys, or calculating CAC, ROI, and more in spreadsheets.

SoftwareReviews can help you choose the right platform for your need. We also equip you with manual tools, available with the Diagnose Brand Health to Improve Business Growthblueprint to measure:

• Surveys and interviews questions and lists.
• External and internal factor analysis.
• Digital and financial metrics analysis.
• Executive presentation to report on performance.

Related SoftwareReviews research

Create a Buyer Persona and Journey Get deeper buyer understanding and achieve product-market fit, with easier access to market and sales Reduce time and resources wasted chasing the wrong prospects. Increase open and click-through rates. Perform more effective sales discovery. Increase win rate.	Diagnose Brand Health to Improve Business Growth Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix them. Increase brand awareness and equity. Build trust and improve customer retention and loyalty. Achieve higher and faster growth.

Bibliography

Aaker, David. "Managing Brand Equity." Simon & Schuster, 1991.
"6 Factors for Brands to Consider While Designing Their Communication." Lokus Design, 23 Sept. 2022.
"20 Advocacy Marketing Statistics You Need to Know." Social Toaster, n.d.
Bazilian, Emma. "How Millennials and Baby Boomers Consume User-Generated Content And what brands can learn from their preferences." Adweek, January 2, 2017.
B2B International, a Gyro: company, B2B Blog - Why Human-To-Human Marketing Is the Next Big Trend in a Tech-Obsessed World.
B2B International, a Gyro: company, The State of B2B Survey 2019 - Winning with Emotions: How to Become Your Customer's First Choice.
Belyh, Anastasia. "Brand Ambassador 101:Turn Your Personal Brand into Cash." Founder Jar, December 6, 2022.
Brand Master Academy.com.
Businesswire, a Berkshire Hathaway Company, "Stackla Survey Reveals Disconnect Between the Content Consumers Want & What Marketers Deliver." February 20, 2019.
Chamat, Ramzi. "Visual Design: Why First Impressions Matter." 8 Ways, June 5, 2019.
Cognism. "21 Tips for Building a LinkedIn Personal Brand (in B2B SaaS)."
Curleigh, James. "How to Enhance and Expand a Global Brand." TED.
"2019 Edelman Trust Barometer." Edelman.
Erskine, Ryan. "22 Statistics That Prove the Value of Personal Branding." Entrepreneur, September 13, 2016.
Forbes, Steve. "Branding for Franchise Success: How To Achieve And Maintain Brand Consistency Across A Franchise Network?" Forbes, 9 Feb. 2020.
Godin, Seth. "Define: Brand." Seth's Blog, 30 Dec. 2009,
Houragan, Stephen. "Learn Brand Strategy in 7 Minutes (2023 Crash Course)." YouTube.
Jallad, Revecka. "To Convert More Customers, Focus on Brand Awareness." Forbes, October 22, 2019.
Kingsbury, Joe, et al. "2021 B2B Thought Leadership Impact Study." Edelman, 2021.
Kunsman, Todd. "The Anatomy of an Employee Influencer." EveryoneSocial, September 8, 2022.
Landor, Walter. A Brand New World: The Fortune Guide to the 21st Century. Time Warner Books, 1999.
Liedke, Lindsay. "37+ Branding Statistics For 2023: Stats, Facts & Trends." Startup Bonsai, January 2, 2023.
Millman, Debbie. "How Symbols and Brands Shape our Humanity." TED, 2019.
Nenova, Velina. "21 Eye-Opening B2B Marketing Statistics to Know in 2023." Techjury, February 9, 2023.
Perrey, Jesko et al., "The brand is back: Staying relevant in an accelerating age." McKinsey & Company, May 1, 2015.
Schaub, Kathleen. "Social Buying Meets Social Selling: How Trusted Networks Improve the Purchase Experience." LinkedIn Business, April 2014.
Sopadjieva, Emma et al. "A Study of 46,000 Shoppers Shows That Omnichannel Retailing Works." Harvard Business Review, January 3, 2017.
Shaun. "B2B Brand Awareness: The Complete Guide 2023." B2B House. 2023.
TopRank Marketing, "2020 State of B2B Influencer Marketing Research Report." Influencer Marketing Report.

Create an Agile-Friendly Project Gating and Governance Approach

Use Info-Tech’s Agile Gating Framework as a guide to gating your Agile projects using a “trust but verify” approach.

Table of Contents

Analyst Perspective

Executive Summary

Phase 1: Establish Your Gating and Governance Purpose

Phase 2: Understand and Adapt Info-Tech’s Agile Gating Framework

Phase 3: Complete Your Agile Gating Framework

Where Do I Go Next?

Bibliography

Facilitator Slides

Analyst Perspective

Make your gating and governance process Agile friendly by following a “trust but verify” approach

Most project gating and governance approaches are designed for traditional (Waterfall) delivery methods. However, Agile delivery methods call for a different way of working that doesn’t align well with these approaches.

Applying traditional project gating and governance to Agile projects is like trying to fit a square peg in a round hole. Not only will it make Agile project delivery less efficient, but in the extreme, it can lead to outright project failure and even derail your organization’s Agile transformation.

If you want Agile to successfully take root in your organization, be prepared to rethink your current gating and governance practices. This document presents a framework that you can use to rework your approach to provide both effective oversight and support for your Agile projects.

Alex Ciraco Principal Research Director, Application Delivery and Management Info-Tech Research Group

Executive Summary

Imposing a traditional governance approach on an Agile project can eliminate the advantages that Agile delivery methods offer. Make sure to rework your project gating and governance approach to be Agile friendly.

Info-Tech’s methodology for Creating an Agile-Friendly Project Gating and Governance Approach

Key Deliverables

Agilometer Tool Create your customized Agilometer tool to determine project support and oversight needs.		Gates 3 and 3A Checklists Create your customized checklists for projects at Gates 3 and 3A.
Agile-Friendly Project Status Report Create your Agile-friendly project status report to monitor progress.		Artifact Mapping Tool Map your traditional gating artifacts to their Agile replacements.

Create an Agile-Friendly Project Gating and Governance Approach

Phase 1

Establish your gating and governance purpose

This phase will walk you through the following activities:

• Understand why gating and governance are so important to your organization.
• Compare and contrast traditional to Agile delivery.
• Identify what form traditional gating takes in your organization.

This phase involves the following participants:

• PMO/Gating Body
• Delivery Managers
• Delivery Teams
• Other Interested Parties

Agile gating–related facts and figures

Traditional gating approaches can undermine an Agile project

Present Security to Executive Stakeholders

Learn how to communicate security effectively to obtain support from decision makers.

Analyst Perspective

Build and deliver an effective security communication to your executive stakeholders.

As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected. However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging. Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives. Ahmad Jowhar Research Specialist, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Your challenge

As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

• When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
• This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
• Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

62% find it difficult to balance the risk of too much detail and need-to-know information.

41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

Source: Deloitte, 2022

Common obstacles

There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

• Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
• The issue has been amplified, with security threats constantly increasing across all industries.
• However, security leaders don’t feel that they are in a position to make themselves heard.
• The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
• Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

77% of organizations have seen an increase in the number of attacks in 2021.

56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

Source: EY, 2021

Info-Tech’s methodology for presenting security to executive stakeholders

Develop a structured process for communicating security to your stakeholders

Security presentations are not a one-way street
The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Identifying your goals is the foundation of an effective presentation
Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

Harness the power of data
Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

Take your audience on a journey
Developing a storytelling approach will help engage with your audience.

Win your audience by building a rapport
Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

Tactical insight
Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

Tactical insight
Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

Project deliverables

This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

Report on Security Initiatives Template showing how to inform executive stakeholders of security initiatives.		Security Metrics Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.
Security Incident Response & Recovery Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.		Security Funding Request Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

Key template:

Template showing how to inform executive stakeholders of proactive security and risk initiatives.

Blueprint benefits

Measure the value of this blueprint

* The financial figure depicts the annual salary of a CISO in 2022

Source: Chief Information Security Officer Salary.” Salary.com, 2022

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Identify communication goals

This phase will walk you through the following activities:

• Understanding the different drivers for communicating security to executive stakeholders
• Identifying different communication goals

This phase involves the following participants:

• Security leader

1.1. Identify drivers for communicating to executive stakeholders

As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

Source: EY, 2021.

Info-Tech Insight

Not all security presentations are the same. Keep your communication strategy and processes agile.

Know your drivers for security presentations

By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

• These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
• Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

Understanding drivers will also help you understand how to present security to executive stakeholders.

• These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
• For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

Identify your communication drivers, which can stem from various initiatives and programs, including:

• Results from internal or external audit reports.
• Upcoming budget meetings.
• Briefing newly elected executive stakeholders on security.

When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

Examples of drivers for security presentations

Audit
Upcoming internal or external audits might require updates on the organization’s compliance

Organizational restructuring
Restructuring within an organization could require security updates

Merger & Acquisition
An M&A would trigger presentations on organization’s current and future security posture

Cyber incident
A cyberattack would require an immediate presentation on its impact and the incident response plan

Ad hoc
Provide security information requested by stakeholders

1.2. Define your goals for communicating to executives

After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

• Communication drivers are mainly triggers for why you want to present security.
• Communication goals are the potential outcomes you are hoping to obtain from the presentation.
• Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

• As a group, brainstorm the security goals that align with your business goals for the coming year.
  • Aim to have at least two business goals that align with each security goal.
• Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
  • E.g. Increased security awareness, updates on organization's security posture.
• Identify what the ask is for this presentation.
  • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

Info-Tech Insight

There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

Examples of security presentation goals

Educate
Educate the board on security trends and/or latest risks in the industry

Update
Provide updates on security initiatives, relevant security metrics, and compliance posture

Inform
Provide an incident response plan due to a security incident or deliver updates on current threats and risks

Investment
Request funding for security investments or financial updates on past security initiatives

Ad hoc
Provide security information requested by stakeholders

Phase 2

Collect information to support goals

This phase will walk you through the following activities:

• Understanding what types of data to include in your security presentations
• Defining where and how to retrieve data

This phase involves the following participants:

• Security leader
• Network/security analyst

2.1 Identify data to collect

After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

• Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
• The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
• Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

• Work with your security team to identify the main type of data applicable to the communication goals.
  • E.g. Financial data would be meaningful to use when communicating a budget presentation.
• Identify supporting data linked to the main data defined.
  • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
• Show how both the main and supporting data align with the communication goals.
  • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

Info-Tech Insight

Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

Examples of data to present

Educate
Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

Update
Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

Inform
Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

Investment
Capital and operating expenditure for investment; ROI on past and future security initiatives

Ad hoc
Number of security initiatives that went over budget; phishing test campaign results

2.2 Plan how to retrieve the data

Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

• Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
  • This includes security log reports or expenditures for ongoing and future security investments.
• Retrieving the data, however, would require collaboration and cooperation from different team members.
• You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

• This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
• Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

Info-Tech Insight

Using a data-driven approach to help support your objectives is key to engaging with your audience.

Plan where to retrieve the data

Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

Examples of where to retrieve your data

Phase 3

Develop communication

This phase will walk you through the following activities:

• Identifying a communication strategy for presenting security
• Identifying security templates that are applicable to your presentation

This phase involves the following participants:

• Security leader

3.1 Plan communication: Know who your audience is

• When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
• This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

Examples of two profiles in a boardroom

3.1.1 Know what your audience cares about

• Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
• Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
• Your background research could include:
  • Researching the audience’s professional background through LinkedIn.
  • Reviewing their comments from past executive meetings.
  • Researching current security trends that align with organizational goals.
• Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

A board’s purpose can include the following:

• Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
• Determining and funding the organization’s future and direction.
• Protecting and increasing shareholder value.
• Protecting the company’s exposure to risks.

Examples of potential values and risks

• Business impact
• Financial impact
• Security and incidents

Info-Tech Insight
Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

Understand your audience’s concerns

• Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
• By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
• These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
• After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

Examples of potential concerns for each profile of executive stakeholders

Build your presentation to tackle their main concerns

Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

Checklist:

• Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
• Include value and risk language in your presentation to appeal to your audience.
• Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
• Include information about what is in it for them and the organization.
• Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

Info-Tech Insight
The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

3.1.2 Take your audience through a security journey

• Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
• You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
• Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
• You can derive insights for your storytelling presentation by doing the following:
  • Provide a business case scenario on the topic you are presenting.
  • Identify and communicate the business problem up front and answer the three questions (why, what, how).
  • Quantify the problems in terms of business impact (money, risk, value).

Info-Tech Insight
Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

Identify the purpose of your presentation

You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

Examples of communication goals

Info-Tech Insight
Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

Gather the right information to include in your boardroom presentation

Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

Typical IT boardroom presentations include:

• Communicating the value of ongoing business technology initiatives.
• Requesting funds or approval for a business initiative that IT is spearheading.
• Security incident response/Risk/DRP.
• Developing a business program or an investment update for an ongoing program.
• Business technology strategy highlights and impacts.
• Digital transformation initiatives (value, ROI, risk).

Info-Tech Insight
You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

Info-Tech Insight
Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

Structure your presentation to tell a logical story

To build a strong story for your presentation, ensure you answer these three questions:

Examples:

Scenario 1: The company has experienced a security incident.

Intent: To inform/educate the board about the security incident.

Scenario 2: Security is recommending investments based on strategic priorities.

Intent: To reach a decision with the board – approve investment proposal.

Time plays a key role in delivering an effective presentation

What you include in your story will often depend on how much time you have available to deliver the message.

Consider the following:

• Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
• If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
• Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
• Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

Navigating through Q&A

Use the Q&A portion to build credibility with the board.

• It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
• When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
  • “Let’s work with the sub-committee to find you an answer.”
  • “Let’s take that offline to address in more detail.”
  • “I have some follow-up material I can provide you to discuss that further after our meeting.”
• And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

Info-Tech Insight
The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

Storytelling checklist

Checklist:

• Tailor your presentation based on how much time you have.
• Find out ahead of time how much time you have.
• Identify if your presentation is to inform/educate or reach a decision.
• Identify and communicate the business problem up front and answer the three questions (why, what, how).
• Express the problem in terms of business impact (risk, value, money).
• Prepare and send pre-meeting collateral to the members of the board and executive team.
• Include no more than 5-6 slides for your presentation.
• Factor in Q&A time at the end of your presentation window.
• Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
• Have an elevator speech handy – one or two sentences and a one-pager version of your story.
• Consider how you will build your relationship with the members outside the boardroom.

3.1.3 Build a compelling communication document

Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

A good slide design increases the likelihood that the audience will read the content carefully.

• Bad slide structure (flow) = Audience loses focus
  • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
• Good visual design = Audience might read more
  • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
• Good content + Good structure + Visual appeal = Good presentation
  • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

Slide design best practices

Leverage these slide design best practices to assist you in developing eye-catching presentations.

• Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
• Concise and clear: Fewer words = more skim-able.
• Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
• Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
• Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
• Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

Your presentation must have a logical flow

Vertical logic should be intuitive

The audience is unsure where to look and in what order.	The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

Horizontal and vertical logic checklists

Make it easy to read

Unnecessary coloring makes it hard on the eyes Margins for title at top is too small Content is not skim-able (best to break up the slide)	Increase skim-ability: Emphasize the subheadings Bold important words Make it easier on the eyes: Declutter and add sections Have more white space

Be concise and clear

1. Write your thoughts down
   • This gets your content documented.
   • Don’t worry about clarity or concision yet.
2. Edit for clarity
   • Make sure the key message is very clear.
   • Find your thesis statement.
3. Edit for concision
   • Remove unnecessary words.
   • Use the active voice, not passive voice (see below for examples).

Be memorable

Easy to read, but hard to remember the stats.	The visuals make it easier to see the size of the problem and make it much more memorable. Remember to: Have some kind of visual (e.g. graphs, icons, tables). Divide the content into sections. Have a bit of color on the page.

Aesthetics

This draft slide is just content from the outline document on a slide with no design applied yet.	Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate. Divide the content into sections. Have a bit of color on the page. Bold or italicize important text.

Why use visuals?

How graphics affect us

Cognitively

• Engage our imagination
• Stimulate the brain
• Heighten creative thinking
• Enhance or affect emotions

Emotionally

• Enhance comprehension
• Increase recollection
• Elevate communication
• Improve retention

Visual clues

• Help decode text
• Attract attention
• Increase memory

Persuasion

• 43% more effective than text alone

Source: Management Information Systems Research Center

Presentation format

Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

• Is there a standard presentation template?
• Is a hard-copy handout required?
• Is there a deadline for draft submission?
• Is there a deadline for final submission?
• Will the presentation be circulated ahead of time?
• Do you know what technology you will be using?
• Have you done a dry run in the meeting room?
• Do you know the meeting organizer?

Checklist to build compelling visuals in your presentation

Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

Checklist:

• Do the visuals grab the audience’s attention?
• Will the visuals mislead the audience/confuse them?
• Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
• Do the visuals present information simply, cleanly, and accurately?
• Do the visuals display the information/data in a concentrated way?
• Do the visuals illustrate messages and themes from the accompanying text?

3.2 Security communication templates

Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck. These presentation templates highlight different security topics depending on your communication drivers, goals, and available data. Info-Tech has created five security templates to assist you in building a compelling presentation. These templates provide support for presentations on the following five topics: Security Initiatives Security & Risk Update Security Metrics Security Incident Response & Recovery Security Funding Request Each template provides instructions on how to use it and tips on ensuring the right information is being presented. All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

Download the Security Presentation Templates

Security template example

It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.	This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

Security template example (continued)

This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

Security template example (continued)

This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.	The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

Phase 4

Deliver communication

This phase will walk you through the following activities:

• Identifying a strategy to deliver compelling presentations
• Ensuring you follow best practices for communicating and obtaining your security goals

This phase involves the following participants:

• Security leader

4.1 Deliver a captivating presentation

You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

Follow these tips to assist you in developing an engaging presentation:

• Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
• Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
• Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

Keep your audience engaged with these steps

• Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
• Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
• Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
• Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

Info-Tech Insight
Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

Be honest and straightforward with your communication

• Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
• Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
• No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

Hone presentation skills before meeting with the executive stakeholders

Checklist for presentation logistics

Optimize the timing of your presentation:

• Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
• Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
• Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

Script your presentation:

• Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
• Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
• Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
• Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

Checklist for presentation logistics (continued)

Other considerations:

• After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
• After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
• Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

Checklist for delivering a captivating presentation

Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

Checklist:

• Start with a story or something memorable to break the ice.
• Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
• Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
• Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
• Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

Checklist for delivering a captivating presentation (continued)

• Be deliberate in what you want to show your audience.
• Ensure you have clean slides so the audience can focus on what you’re saying.
• Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
• How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
• Ask for feedback.
• Record yourself presenting.

4.2 Obtain and verify support on security goals

Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

• This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
• Leverage your appendix and other supporting documents to justify your goals.
• Different approaches to obtaining and verifying your goals could include:
  • Acknowledgment from the audience that information communicated aligns with the business’s goals.
  • Approval of funding requests for security initiatives.
  • Written and verbal support for implementation of security initiatives.
  • Identifying next steps for information to communicate at the next executive stakeholder meeting.

Info-Tech Insight
Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

Checklist for obtaining and verify support on security goals

Follow this checklist to assist you in obtaining and verifying your communication goals.

Checklist:

• Be clear about follow-up and next steps if applicable.
• Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
• “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
• Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

Summary of Accomplishment

Problem Solved

A better understanding of security communication drivers and goals

• Understanding the difference between communication drivers and goals
• Identifying your drivers and goals for security presentation

A developed a plan for how and where to retrieve data for communication

• Insights on what type of data can be leveraged to support your communication goals
• Understanding who you can collaborate with and potential data sources to retrieve data from

A solidified communication plan with security templates to assist in better presenting to your audience

• A guideline on how to prepare security presentations to executive stakeholders
• A list of security templates that can be customized and used for various security presentations

A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

• Clear message on best practices for delivering security presentations to executive stakeholders
• Understanding how to verify your communication goals have been obtained

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

Build a Security Metrics Program to Drive Maturity
This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

Bibliography

Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
Carnegie Endowment for International Peace. Web.
“Chief Information Security Officer Salary.” Salary.com, 2022. Web.
“CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
“Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
“Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
“Global Board Risk Survey.” EY. Web.
“Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
“How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

Bibliography

“Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
“Reporting Cybersecurity Risk to the Board of Directors.” Web.
“Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
“The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
“Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
“Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

Research Contributors

• Fred Donatucci, New-Indy Containerboard, VP, Information Technology
• Christian Rasmussen, St John Ambulance, Chief Information Officer
• Stephen Rondeau, ZimVie, SVP, Chief Information Officer

Define Your Cloud Vision

Define your cloud vision before it defines you

Analyst perspective

Use the cloud’s strengths. Mitigate its weaknesses.

The cloud isn’t magic. It’s not necessarily cheaper, better, or even available for the thing you want it to do. It’s not mysterious or a cure-all, and it does take a bit of effort to systematize your approach and make consistent, defensible decisions about your cloud services. That’s where this blueprint comes in.

Your cloud vision is the culmination of this effort all boiled down into a single statement: “This is how we want to use the cloud.” That simple statement should, of course, be representative of – and built from – a broader, contextual strategy discussion that answers the following questions: What should go to the cloud? What kind of cloud makes sense? Should the cloud deployment be public, private, or hybrid? What does a migration look like? What risks and roadblocks need to be considered when exploring your cloud migration options? What are the “day 2” activities that you will need to undertake after you’ve gotten the ball rolling?

Taken as a whole, answering these questions is difficult task. But with the framework provided here, it’s as easy as – well, let’s just say it’s easier.

Jeremy Roberts

Research Director, Infrastructure and Operations

Info-Tech Research Group

Executive Summary

Your Challenge

• You are both extrinsically motivated to move to the cloud (e.g. by vendors) and intrinsically motivated by internal digital transformation initiatives.
• You need to define the cloud’s true value proposition for your organization without assuming it is an outsourcing opportunity or will save you money.
• Your industry, once cloud-averse, is now normalizing the use of cloud services, but you have not established a basic cloud vision from which to develop a strategy at a later point.

Common Obstacles

• Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
• Many organizations have a foot in the cloud already, but these decisions have been made in an ad hoc rather than systematic fashion.
• You lack a consistent framework to assess your workloads’ suitability for the cloud.

Info-Tech's Approach

• Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
• Codify risks tied to workloads’ cloud suitability and plan mitigations.
• Build a roadmap of initiatives for actions by workload and risk mitigation.
• Define a cloud vision to share with stakeholders.

Info-Tech Insight: 1) Base migration decisions on cloud characteristics. If your justification for the migration is simply getting your workload out of the data center, think again. 2) Address the risks up front in your migration plan. 3) The cloud changes roles and calls for different skill sets, but Ops is here to stay.

Your challenge

This research is designed to help organizations who need to:

• Identify workloads that are good candidates for the cloud.
• Develop a consistent, cost-effective approach to cloud services.
• Outline and mitigate risks.
• Define your organization’s cloud archetype.
• Map initiatives on a roadmap.
• Communicate your cloud vision to stakeholders so they can understand the reasons behind a cloud decision and differentiate between different cloud service and deployment models.
• Understand the risks, roadblocks, and limitations of the cloud.

“We’re moving from a world where companies like Oracle and Microsoft and HP and Dell were all critically important to a world where Microsoft is still important, but Amazon is now really important, and Google also matters. The technology has changed, but most of the major vendors they’re betting their business on have also changed. And that’s super hard for people..” –David Chappell, Author and Speaker

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
• Many organizations already have a foot in the cloud, but the choice to explore these solutions was made in an ad hoc rather than systematic fashion. The cloud just sort of happened.
• The lack of a consistent assessment framework means that some workloads that probably belong in the cloud are kept on premises or with hosted services providers – and vice versa.
• Securing cloud expertise is remarkably difficult – especially in a labor market roiled by the global pandemic and the increasing importance of cloud services.

Standard cloud challenges

30% of all cloud spend is self-reported as waste. Many workloads that end up in the cloud don’t belong there. Many workloads that do belong in the cloud aren’t properly migrated. (Flexera, 2021)

44% of respondents report themselves as under-skilled in the cloud management space. (Pluralsight, 2021)

Info-Tech’s approach

Goals and drivers

• Service model
  • What type of cloud makes the most sense for workload archetypes? When does it make sense to pick SaaS over IaaS, for example?
• Delivery model
  • Will services be delivered over the public cloud, a private cloud, or a hybrid cloud? What challenges accompany this decision?

• Migration Path
  • What does the migration path look like? What does the transition to the cloud look like, and how much effort will be required? Amazon’s 6Rs framework captures migration options: rehosting, repurchasing, replatforming, and refactoring, along with retaining and retiring. Each workload should be assessed for its suitability for one or more of these paths.

• Support model
  • How will services be provided? Will staff be trained, new staff hired, a service provider retained for ongoing operations, or will a consultant with cloud expertise be brought on board for a defined period? The appropriate support model is highly dependent on goals along with expected outcomes for different workloads.

Highlight risks and roadblocks

Formalize cloud vision

Document your cloud strategy

The Info-Tech difference:

1. Determine the hypothesized value of cloud for your organization.
2. Evaluate workloads with 6Rs framework.
3. Identify and mitigate risks.
4. Identify cloud archetype.
5. Plot initiatives on a roadmap.
6. Write action plan statement and goal statement.

What is the cloud, how is it deployed, and how is service provided?

Cloud Characteristics

1. On-demand self-service: the ability to access reosurces instantly without vendor interaction
2. Broad network access: all services delivered over the network
3. Resource pooling: multi-tenant environment (shared)
4. Rapid elasticity: the ability to expand and retract capabilities as needed
5. Measured service: transparent metering

Service Model:

1. Software-as-a-Service: all but the most minor configuration is done by the vendor
2. Platform-as-a-Service: customer builds the application using tools provided by the provider
3. Infrastructure-as-a-Service: the customer manages OS, storage, and the application

Delivery Model

1. Public cloud: accessible to anyone over the internet; multi-tenant environment
2. Private cloud: provisioned for a single organization with multiple units
3. Hybrid cloud: two or more connected clouds; data is portage across them
4. Community cloud: provisioned for a specific group of organizations

(National Institute of Standards and Technology)

A workload-first approach will allow you to take full advantage of the cloud’s strengths

• Under all but the most exceptional circumstances, good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in one direction.
• These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
• Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you given your unique context.

Migration paths

In a 2016 blog post, Amazon introduced a framework for understanding cloud migration strategies. The framework presented here is slightly modified – including a “relocate” component rather than a “retire” component – but otherwise hews close to the standard.

These migration paths reflect organizational capabilities and desired outcomes in terms of service models – cloud or otherwise. Retention means keeping the workload where it is, in a datacenter or a colocation service, or relocating to a colocation or hosted software environment. These represent the “non-cloud” migration paths.

In the graphic on the right, the paths within the red box lead to the cloud. Rehosting means lifting and shifting to an infrastructure environment. Migrating a virtual machine from your VMware environment on premises to Azure Virtual machines is a quick way to realize some benefits from the cloud. Migrating from SQL Server on premises to a cloud-based SQL solution looks a bit more like changing platforms (replatforming). It involves basic infrastructure modification without a substantial architectural component.

Refactoring is the most expensive of the options and involves engaging the software development lifecycle to build a custom solution, fundamentally rewriting the solution to be cloud native and take advantage of cloud-native architectures. This can result in a PaaS or an IaaS solution.

Finally, repurchasing means simply going to market and procuring a new solution. This may involve migrating data, but it does not require the migration of components.

Migration Paths

Retain (Revisit)

• Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

Relocate

• Move the workload between datacenters or to a hosted software/colocation provider.

Rehost

• Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

Replatform

• Move the application to the cloud and perform a few changes for cloud optimizations.

Refactor

• Rewrite the application, taking advantage of cloud-native architectures.

Repurchase

• Replace with an alternative, cloud-native application and migrate the data.

Support model

Support models by characteristic

IT services, including cloud services, can be delivered and managed in multiple ways depending on the nature of the workload and the organization’s intended path forward. Three high-level options are presented here and may be more or less valuable based on the duration of the expected engagement with the service (temporary or permanent), the skills specialization required, and the flexibility necessary to complete the job.

By way of example, a highly technical, short-term project with significant flexibility requirements might be a good fit for an expensive consultant, whereas post-implementation maintenance of a cloud email system requires relatively little specialization and flexibility and would therefore be a better fit for internal management.

There is no universally applicable rule here, but there are some workloads that are generally a good fit for the cloud and others that are not as effective, with that fit being conditional on the appropriate support model being employed.

Risks, roadblocks, and strategy components

No two cloud strategies are exactly alike, but all should address 14 key areas. A key step in defining your cloud vision is an assessment of these strategy components. Lower maturity does not preclude an aggressive cloud strategy, but it does indicate that higher effort will be required to make the transition.

Cloud archetypes – a cloud vision component

Once you understand the value of the cloud, your workloads’ general suitability for cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype.

Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes.

After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders.

The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

Info-Tech’s methodology for defining your cloud vision

Insight summary

The cloud may not be right for you – and that’s okay!

Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud first isn’t always the way to go.

Not all clouds are equal

It’s not “should I go to the cloud?” but “what service and delivery models make sense based on my needs and risk tolerance?” Thinking about the cloud as a binary can force workloads into the cloud that don’t belong (and vice versa).

Bottom-up is best

A workload assessment is the only way to truly understand the cloud’s value. Work from the bottom up, not the top down, understand what characteristics make a workload cloud suitable, and strategize on that basis.

Your accountability doesn’t change

You are still accountable for maintaining available, secure, functional applications and services. Cloud providers share some responsibility, but the buck stops where it always has: with you.

Don’t customize for the sake of customization

SaaS providers make money selling the same thing to everyone. When migrating a workload to SaaS, work with stakeholders to pursue standardization around a selected platform and avoid customization where possible.

Best of both worlds, worst of both worlds

Hybrid clouds are in fashion, but true hybridity comes with additional cost, administration, and other constraints. A convoy moves at the speed of its slowest member.

The journey matters as much as the destination

How you get there is as important as what “there” actually is. Any strategy that focuses solely on the destination misses out on a key part of the value conversation: the migration strategy.

Blueprint benefits

Cloud Vision Executive Presentation

This presentation captures the results of the exercises and presents a complete vision to stakeholders including a desired target state, a rubric for decision making, the results of the workload assessments, and an overall risk profile.

Cloud Vision Workbook

This workbook includes the standard cloud workload assessment questionnaire along with the results of the assessment. It also includes the milestone timeline for the implementation of the cloud vision.

Blueprint benefits

IT Benefits

• A consistent approach to the cloud takes the guesswork out of deployment decisions and makes it easier for IT to move on to the execution stage.
• When properly incorporated, cloud services come with many benefits, including automation, elasticity, and alternative architectures (micro-services, containers). The cloud vision project will help IT readers articulate expected benefits and work towards achieving them.
• A clear framework for incorporating organizational goals into cloud plans.

Business benefits

• Simple, well-governed access to high-quality IT resources.
• Access to the latest and greatest in technology to facilitate remote work.
• Framework for cost management in the cloud that incorporates OpEx and chargebacks/showbacks. A clear understanding of expected changes to cost modeling is also a benefit of a cloud vision.
• Clarity for stakeholders about IT’s response (and contribution to) IT strategic initiatives.

Measure the value of this blueprint

Don’t take our word for it:

• The cloud vision material in various forms has been offered for several years, and members have generally benefited substantially, both from cloud vision workshops and from guided implementations led by analysts.
• After each engagement, we send a survey that asks members how they benefited from the experience. Of 30 responses, the cloud vision research has received an average score of 9.8/10. Real members have found significant value in the process.
• Additionally, members reported saving between 2 and 120 days (for an average of 17), and financial savings ranged from $1,920 all the way up to $1.27 million, for an average of $170,577.90! If we drop outliers on both ends, the average reported value of a cloud vision engagement is $37, 613.
• Measure the value by calculating the time saved from using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

9.8/10 Average reported satisfaction

17 Days Average reported time savings

$37, 613 Average cost savings (adj.)

Executive Brief Case Study

Industry: Financial

Source: Info-Tech workshop

Anonymous financial institution

A small East Coast financial institution was required to develop a cloud strategy. This strategy had to meet several important requirements, including alignment with strategic priorities and best practices, along with regulatory compliance, including with the Office of the Comptroller of the Currency.

The bank already had a significant cloud footprint and was looking to organize and formalize the strategy going forward.

Leadership needed a comprehensive strategy that touched on key areas including the delivery model, service models, individual workload assessments, cost management, risk management and governance. The output had to be consumable by a variety of audiences with varying levels of technical expertise and had to speak to IT’s role in the broader strategic goals articulated earlier in the year.

Results

The bank engaged Info-Tech for a cloud vision workshop and worked through four days of exercises with various IT team members. The bank ultimately decided on a multi-cloud strategy that prioritized SaaS while also allowing for PaaS and IaaS solutions, along with some non-cloud hosted solutions, based on organizational circumstances.

Bank cloud vision

[Bank] will provide innovative financial and related services by taking advantage of the multiplicity of best-of-breed solutions available in the cloud. These solutions make it possible to benefit from industry-level innovations, while ensuring efficiency, redundancy, and enhanced security.

Bank cloud decision workflow

• SaaS
  • Platform?
    • Yes
      • PaaS
    • No
      • Hosted
    • IaaS
      • Other

Non-cloud

Cloud

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this crticial project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off imediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge the take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Phase 1

• Call #1: Discuss current state, challenges, etc.
• Call #2: Goals, drivers, and current state.

Phase 2

• Call #3: Conduct cloud suitability assessment for selected workloads.

Phase 3

• Call #4: Generate and categorize risks.
• Call #5: Begin the risk mitigation conversation.

Phase 4

• Call #6: Complete the risk mitigation process
• Call #7: Finalize vision statement and cloud decision framework.

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Understand the cloud

Build the foundations of your cloud vision

Phase 1

Phase 1

Understand the Cloud

Phase 1

1.1 Generate goals and drivers

1.2 Explore cloud characteristics

1.3 Create a current state summary

1.4 Select workloads for analysis

Phase 2

2.1 Conduct workload assessments

2.2 Determine workload future states

Phase 3

3.1 Generate risks and roadblocks

3.2 Mitigate risks and roadblocks

3.3 Define roadmap initiatives

Phase 4

4.1 Review and assign work items

4.2 Finalize cloud decision framework

4.3 Create cloud vision

This phase will walk you through the following activities:

1.1.1 Generate organizational goals

1.1.2 Define cloud drivers

1.1.3 Define success indicators

1.3.1 Record your current state

1.4.1 Select workloads for further assessment

This phase involves the following participants:

IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders.

It starts with shared understanding

Stakeholders must agree on overall goals and what “cloud” means

The cloud is a nebulous term that can reasonably describe services ranging from infrastructure as a service as delivered by providers like Amazon Web Services and Microsoft through its Azure platform, right up to software as a service solutions like Jira or Salesforce. These solutions solve different problems – just because your CRM would be a good fit for a migration to Salesforce doesn’t mean the same system would make sense in Azure or AWS.

This is important because the language we use to talk about the cloud can color our approach to cloud services. A “cloud-first” strategy will mean something different to a CEO with a concept of the cloud rooted in Salesforce than it will to a system administrator who interprets it to mean a transition to cloud-hosted virtual machines.

Add to this the fact that not all cloud services are hosted externally by providers (public clouds) and the fact that multiple delivery models can be engaged at once through hybrid or multi-cloud approaches, and it’s apparent that a shared understanding of the cloud is necessary for a coherent strategy to take form.

This phase proceeds in four steps, each governed by the principle of shared understanding. The first requires a shared understanding of corporate goals and drivers. Step 2 involves coming to a shared understanding of the cloud’s unique characteristics. Step 3 requires a review of the current state. Finally, in Step 4, participants will identify workloads that are suitable for analysis as candidates for the cloud.

Step 1.1

Generate goals and drivers

Activities

1.1.1 Define organizational goals

1.1.2 Define cloud drivers

1.1.3 Define success indicators

Generate goals and drivers

Explore cloud characteristics

Create a current state summary

Select workloads for analysis

This step involves the following participants:

• IT management
• Core working group
• Security
• Applications
• Infrastructure
• Service management
• Leadership

Outcomes of this step

• List of organizational goals
• List of cloud drivers
• Defined success indicators

What can the cloud do for you?

The cloud is not valuable for its own sake, and not all users derive the same value

• The cloud is characterized by on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Any or all of those characteristics might be enough to make the cloud appealing, but in most cases, there is an overriding driver.
• Multiple paths may lead to the cloud. Consider an organization with a need to control costs by showing back to business units, or perhaps by reducing capital expenditure – the cloud may be the most appropriate way to effect these changes. Conversely, an organization expanding rapidly and with a need to access the latest and greatest technology might benefit from the elasticity and pooled resources that major cloud providers can offer.
• In these cases, the destination might be the same (a cloud solution) but the delivery model – public, private, or hybrid – and the decisions made around the key strategy components, including architecture, provisioning, and cost management, will almost certainly be different.
• Defining goals, understanding cloud drivers, and – crucially – understanding what success means, are all therefore essential elements of the cloud vision process.

1.1.1 Generate organizational goals

1-3 hours

Input

• Strategy documentation

Output

• Organizational goals

Materials

• Whiteboard (digital/physical)

Participants

• IT leadership
• Infrastructure
• Applications
• Security

1. As a group, brainstorm organizational goals, ideally based on existing documentation
   • Review relevant corporate and IT strategies.
   • If you do not have access to internal documentation, review the standard goals on the next slide and select those that are most relevant for you.
2. Record the most important business goals in the Cloud Vision Executive Presentation. Include descriptions where possible to ensure wide readability.
3. Make note of these goals. They should inform the answers to prompts offered in the Cloud Vision Workbook and should be a consistent presence in the remainder of the visioning exercise. If you’re conducting the session in person, leave the goals up on a whiteboard and make reference to them throughout the workshop.

Cloud Vision Executive Presentation

Standard COBIT 19 enterprise goals

1. Portfolio of competitive products and services
2. Managed business risk
3. Compliance with external laws and regulations
4. Quality of financial information
5. Customer-oriented service culture
6. Business service continuity and availability
7. Quality of management information
8. Optimization of internal business process functionality
9. Optimization of business process costs
10. Staff skills, motivation, and productivity
11. Compliance with internal policies
12. Managed digital transformation programs
13. Product and business innovation

1.1.2 Define cloud drivers

30-60 minutes

Input

• Organizational goals
• Strategy documentation
• Management/staff perspective

Output

• List of cloud drivers

Materials

• Sticky notes
• Whiteboard
• Markers

Participants

• IT leadership
• Infrastructure
• Applications
• Security

1. Cloud drivers sit at a level of abstraction below organizational goals. Keeping your organizational goals in mind, have each participant in the session write down how they expect to benefit from the cloud on a sticky note.
2. Solicit input one at a time and group similar responses. Encourage participants to bring forward their cloud goals even if similar goals have been mentioned previously. The number of mentions is a useful way to gauge the relative weight of the drivers.
3. Once this is done, you should have a few groups of similar drivers. Work with the group to name each category. This name will be the driver reported in the documentation.
4. Input the results of the exercise into the Cloud Vision Executive Presentation, and include descriptions based on the constituent drivers. For example, if a driver is titled “do more valuable work,” the constituent drivers might be “build cloud skills,” “focus on core products,” and “avoid administration work where possible.” The description would be based on these components.

Cloud Vision Executive Presentation

1.1.3 Define success indicators

1 hour

Input

• Cloud drivers
• Organizational goals

Output

• List of cloud driver success indicators

Materials

• Whiteboard
• Markers

Participants

• IT leadership
• Infrastructure
• Applications
• Security

1. On a whiteboard, draw a table with each of the cloud drivers (identified in 1.1.2) across the top.
2. Work collectively to generate success indicators for each cloud driver. In this case, a success indicator is some way you can report your progress with the stated driver. It is a real-world proxy for the sometimes abstract phenomena that make up your drivers. Think about what would be true if your driver was realized.
   1. For example, if your driver is “faster access to resources,” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.
3. Once you are satisfied with your list of indicators, populate the slide in the Cloud Vision Executive Presentation for validation from stakeholders.

Cloud Vision Executive Presentation

Step 1.2

Explore cloud characteristics

Activities

Understand the value of the cloud:

• Review delivery models
• Review support models
• Review service models
• Review migration paths

Understand the Cloud

Generate goals and drivers

Explore cloud characteristics

Create a current state summary

Select workloads for analysis

This step involves the following participants:

• Core working group
• Architecture
• Engineering
• Security

Outcomes of this step

• Understanding of cloud service models and value

Defining the cloud

Per NIST, the cloud has five fundamental characteristics. All clouds have these characteristics, even if they are executed in somewhat different ways between delivery models, service models, and even individual providers.

Cloud characteristics

On-demand self-service

Cloud customers are capable of provisioning cloud resources without human interaction (e.g. contacting sales), generally through a web console.

Broad network access

Capabilities are designed to be delivered over a network and are generally intended for access by a wide variety of platform types (cloud services are generally device-agnostic).

Resource pooling

Multiple customers (internal, in the case of private clouds) make use of a highly abstracted shared infrastructure managed by the cloud provider.

Rapid elasticity

Customers are capable of provisioning additional resources as required, pulling from a functionally infinite pool of capacity. Cloud resources can be spun-down when no longer needed.

Measured service

Consumption is metered based on an appropriate unit of analysis (number of licenses, storage used, compute cycles, etc.) and billing is transparent and granular.

Cloud delivery models

The NIST definition of cloud computing outlines four cloud delivery models: public, private, hybrid, and community clouds. A community cloud is like a private cloud, but it is provisioned for the exclusive use of a like-minded group of organizations, usually in a mutually beneficial, non-competitive arrangement. Universities and hospitals are examples of organizations that can pool their resources in this way without impacting competitiveness. The Info-Tech model covers three key delivery models – public, private, and hybrid, and an overarching model (multi-cloud) that can comprise more than one of the other models – public + public, public + hybrid, etc.

Public

The cloud service is provisioned for access by the general public (customers).

Private

A private cloud has the five key characteristics, but is provisioned for use by a single entity, like a company or organization.

Hybrid

Hybridity essentially refers to interoperability between multiple cloud delivery models (public +private).

Multi

A multi-cloud deployment requires only that multiple clouds are used without any necessary interoperability (Nutanix, 2019).

Public cloud

This is what people generally think about when they talk about cloud

• The public cloud is, well, public! Anyone can make use of its resources, and in the case of the major providers, capacity is functionally unlimited. Need to store exabytes of data in the cloud? No problem! Amazon will drive a modified shipping container to your datacenter, load it up, and “migrate” it to a datacenter.
• Public clouds offer significant variety on the infrastructure side. Major IaaS providers, like Microsoft and Amazon, offer dozens of services across many different categories including compute, networking, and storage, but also identity, containers, machine learning, virtual desktops, and much, much more. (See a list from Microsoft here, and Amazon here)
• There are undoubtedly strengths to the public cloud model. Providers offer the “latest and greatest” and customers need not worry about the details, including managing infrastructure and physical locations. Providers offer built-in redundancy, multi-regional deployments, automation tools, management and governance solutions, and a variety of leading-edge technologies that would not be feasible for organizations to run in-house, like high performance compute, blockchain, or quantum computing.
• Of course, the public cloud is not all sunshine and rainbows – there are downsides as well. It can be expensive; it can introduce regulatory complications to have to trust another entity with your key information. Additionally, there can be performance hiccups, and with SaaS products, it can be difficult to monitor at the appropriate (per-transaction) level.

Prominent examples include:

AWS

Microsoft

Azure

Salesforce.com

Workday

SAP

Private cloud

A lower-risk cloud for cloud-averse customers?

• A cloud is a cloud, no matter how small. Some IT shops deploy private clouds that make use of the five key cloud characteristics but provisioned for the exclusive use of a single entity, like a corporation.
• Private clouds have numerous benefits. Some potential cloud customers might be uncomfortable with the shared responsibility that is inherent in the public cloud. Private clouds allow customers to deliver flexible, measured services without having to surrender control, but they require significant overhead, capital expenditure, administrative effort, and technical expertise.
• According to the 2021 State of the Cloud Report, private cloud use is common, and the most frequently cited toolset is VMware vSphere, followed by Azure Stack, OpenStack, and AWS Outposts. Private cloud deployments are more common in larger organizations, which makes sense given the overhead required to manage such an environment.

Private cloud adoption

VMware and Microsoft lead the pack among private cloud customers, with Amazon and Red Hat also substantially present across private cloud environments.

Hybrid cloud

The best of both worlds?

Hybrid cloud architectures combine multiple cloud delivery models and facilitate some level of interoperability. NIST suggests bursting and load balancing as examples of hybrid cloud use cases. Note: it is not sufficient to simply have multiple clouds running in parallel – there must be a toolset that allows for an element of cross-cloud functionality.

This delivery model is attractive because it allows users to take advantage of the strengths of multiple service models using a single management pane. Bursting across clouds to take advantage of additional capacity or disaster recovery capabilities are two obvious use cases that appeal to hybrid cloud users.

But while hybridity is all the rage (especially given the impact Covid-19 has had on the workplace), the reality is that any hybrid cloud user must take the good with the bad. Multiple clouds and a management layer can be technically complex, expensive, and require maintaining a physical infrastructure that is not especially valuable (“I thought we were moving to the cloud to get out of the datacenter!”).

Before selecting a hybrid approach through services like VMware Cloud on AWS or Microsoft’s Azure Stack, consider the cost, complexity, and actual expected benefit.

Amazon, Microsoft, and Google dominate public cloud IaaS, but IBM is betting big on hybrid cloud:

With its acquisition of Red Hat in 2019 for $34 billion, Big Blue put its money where its mouth is and acquired a substantial hybrid cloud business. At the time of the acquisition, Red Hat’s CEO, Jim Whitehurst, spoke about the benefit IBM expected to receive:

“Joining forces with IBM gives Red Hat the opportunity to bring more open source innovation to an even broader range of organizations and will enable us to scale to meet the need for hybrid cloud solutions that deliver true choice and agility” (Red Hat, 2019).

Multi-cloud

For most organizations, the multi-cloud is the most realistic option.

Multi-cloud is popular!

Multi-cloud solutions exist at a different layer of abstraction from public, private, and even hybrid cloud delivery models. A multi-cloud architecture, as the name suggests, requires the user to be a customer of more than one cloud provider, and it can certainly include a hybrid cloud deployment, but it is not bound by the same rules of interoperability.

Many organizations – especially those with fewer resources or a lack of a use case for a private cloud – rely on a multi-cloud architecture to build applications where they belong, and they manage each environment separately (or occasionally with the help of cloud management platforms).

If your data team wants to work in AWS and your enterprise services run on basic virtual machines in Azure, that might be the most effective architecture. As the Flexera 2021 State of the Cloud Report suggests, this architecture is far more common than the more complicated bursting or brokering architectures characteristic of hybrid clouds.

NIST cloud service models

Software as a service

SaaS has exploded in popularity with consumers who wish to avail themselves of the cloud’s benefits without having to manage underlying infrastructure components. SaaS is simple, generally billed per-user per-month, and is almost entirely provider-managed.

Platform as a service

PaaS providers offer a toolset for their customers to run custom applications and services without the requirement to manage underlying infrastructure components. This service model is ideal for custom applications/services that don’t benefit from highly granular infrastructure control.

Infrastructure as a service

IaaS represents the sale of components. Instead of a service, IaaS providers sell access to components, like compute, storage, and networking, allowing for customers to build anything they want on top of the providers’ infrastructure.

Cloud service models

• This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem,” customers gradually give up more control over their environments to cloud service providers.
• An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
• A managed service provider or other third party can manage any or of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS, or might offer configuration assistance with a commercially available SaaS.

Info-Tech Insight

Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises), and this can be perfectly effective. It must be consistent and intentional, however.

Organization has control

Organization or vendor may control

Vendor has control

Analytics folly

SaaS is good, but it’s not a panacea

Industry: Healthcare

Source: Info-Tech workshop

Situation

A healthcare analytics provider had already moved a significant number of “non-core workloads” to the cloud, including email, HRIS, and related services.

The company CEO was satisfied with the reduced effort required by IT to manage SaaS-based workloads and sought to extend the same benefits to the core analytics platform where there was an opportunity to reduce overhead.

Complication

Many components of the health analytics service were designed to run specifically in a datacenter and were not ready to be migrated to the cloud without significant effort/refactoring. SaaS was not an option because this was a core platform – a SaaS provider would have been the competition.

That left IaaS, which was expensive and would not bring the expected benefits (reduced overhead).

Results

The organization determined that there were no short-term gains from migrating to the cloud. Due to the nature of the application (its extensive customization, the fact that it was a core product sold by the company) any steps to reduce operational overhead were not feasible.

The CEO recognized that the analytics platform was not a good candidate for the cloud and what distinguished the analytics platform from more suitable workloads.

Migration paths

In a 2016 blog post, Amazon Web Services articulated a framework for cloud migration that incorporates elements of the journey as well as the destination. If workload owners do not choose to retain or retire their workloads, there are four alternatives. These alternatives all stack up differently along five key dimensions:

1. Value: does the workload stand to benefit from unique cloud characteristics? To what degree?
2. Effort: how much work would be required to make the transition?
3. Cost: how much money is the migration expected to cost?
4. Time: how long will the migration take?
5. Skills: what skills must be brought to bear to complete the migration?

Not all migration paths can lead to all destinations. Rehosting generally means IaaS, while repurchasing leads to SaaS. Refactoring and replatforming have some variety of outcomes, and it becomes possible to take advantage of new IaaS architectures or migrate workloads over fully to SaaS.

As part of the workload assessment process, use the five dimensions (expanded upon on the next slide) to determine what migration path makes sense. Preferred migration paths form an important part of the overall cloud vision process.

Retain (Revisit)

• Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

Retire

• Get rid of the application completely.

Rehost

• Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

Replatform

• Move the application to the cloud and perform a few changes for cloud optimizations.

Refactor

• Rewrite the application, taking advantage of cloud native architectures.

Repurchase

• Replace with an alternative, cloud-native application and migrate the data.

Migration paths – relative value

Where should you get your cloud skills?

Cloud skills are certainly top of mind right now. With the great upheaval in both work patterns and in the labor market more generally, expertise in cloud-related areas is simultaneously more valuable and more difficult to procure. According to Pluralsight’s 2021 “State of Upskilling” report, 44% of respondents report themselves under-skilled in the cloud management area, making cloud management the most significant skill gap reported on the survey.

Everyone left the office. Work as we know it is fundamentally altered for a generation or more. Cloud services shot up in popularity by enabling the transition. And yet there is a gap – a prominent gap – in skilling up for this critically important future. What is the cloud manager to do?

Per the framework presented here, that manager has three essential options. They may take somewhat different forms depending on specific requirements and the quirks of the local market, but the options are:

1. Train or hire internal resources: This might be easier said than done, especially for more niche skills, but makes sense for workloads that are critical to operations for the long term.
2. Engage a managed service provider: MSPs are often engaged to manage services where internal IT lacks bandwidth or expertise.
3. Hire a consultant: Consultants are great for time-bound implementation projects where highly specific expertise is required, such as a migration or implementation project.

Each model makes sense to some degree. When evaluating individual workloads for cloud suitability, it is critical to consider the support model – both immediate and long term. What makes sense from a value perspective?

Cloud decisions – summary

A key component of the Info-Tech cloud vision model is that it is multi-layered. Not every decision must be made at every level. At the workload level, it makes sense to select service models that make sense, but each workload does not need its own defined vision. Workload-level decisions should be guided by an overall strategy but applied tactically, based on individual workload characteristics and circumstances.

Conversely, some decisions will inevitably be applied at the environment level. With some exceptions, it is unlikely that cloud customers will build an entire private/hybrid cloud environment around a single solution; instead, they will define a broader strategy and fit individual workloads into that strategy.

Some considerations exist at both the workload and environment levels. Risks and roadblocks, as well as the preferred support model, are concerns that exist at both the environment level and at the workload level.

Step 1.3

Create a current state summary

Activities

1.3.1 Record your current state

Understand the Cloud

Generate goals and drivers

Explore cloud characteristics

Create a current state summary

Select workloads for analysis

This step involves the following participants: Core working group

Outcomes of this step

• Current state summary of cloud solutions

1.3.1 Record your current state

30 minutes

Input

• Knowledge of existing cloud workloads

Output

• Current state cloud summary for service, delivery, and support models

Materials

• Whiteboard

Participants

• Core working group
• Infrastructure team
• Service owners

1. On a whiteboard (real or virtual) draw a table with each of the cloud service models across the top. Leave a cell below each to list examples.
2. Under each service model, record examples present in your environment. The purpose of the exercise is to illustrate the existence of cloud services in your environment or the lack thereof, so there is no need to be exhaustive. Complete this in turn for each service model until you are satisfied that you have created an effective picture of your current cloud SaaS state, IaaS state, etc.
3. Input the results into their own slide titled “current state summary” in the Cloud Vision Executive Presentation.
4. Repeat for the cloud delivery models and support models and include the results of those exercises as well.
5. Create a short summary statement (“We are primarily a public cloud consumer with a large SaaS footprint and minimal presence in PaaS and IaaS. We retain an MSP to manage our hosted telephony solution; otherwise, everything is handled in house.”

Cloud Vision Executive Presentation

Step 1.4

Select workloads for current analysis

Activities

1.4.1 Select workloads for assessment

This step involves the following participants:

• Core working group

Outcomes of this step

• List of workloads for assessment

Understand the cloud

Generate goals and drivers

Explore cloud characteristics

Create a current state summary

Select workloads for analysis

1.4.1 Select workloads for assessment

30 minutes

Input

• Knowledge of existing cloud workloads

Output

• List of workloads to be assessed

Materials

• Whiteboard
• Cloud Vision Workbook

Participants

• Core working group
• IT management

1. In many cases, the cloud project is inspired by a desire to move a particular workload or set of workloads. Solicit feedback from the core working group about what these workloads might be. Ask everyone in the meeting to suggest a workload and record each one on a sticky note or white board (virtual or physical).
2. Discuss the results with the group and begin grouping similar workloads together. They will be subject to the assessments in the Cloud Vision Workbook, so try to avoid selecting too many workloads that will produce similar answers. It might not be obvious, but try to think about workloads that have similar usage patterns, risk levels, and performance requirements, and select a representative group.
3. You should embrace counterintuition by selecting a workload that you think is unlikely to be a good fit for the cloud if you can and subjecting it to the assessment as well for validation purposes.
4. When you have a list of 4-6 workloads, record them on tab 2 of the Cloud Vision Workbook.

Cloud Vision Workbook

Assess your cloud workloads

Build the foundations of your cloud vision

Phase 2

Phase 2

Evaluate Cloud Workloads

Phase 1

1.1 Generate goals and drivers

1.2 Explore cloud characteristics

1.3 Create a current state summary

1.4 Select workloads for analysis

Phase 2

2.1 Conduct workload assessments

2.2 Determine workload future states

Phase 3

3.1 Generate risks and roadblocks

3.2 Mitigate risks and roadblocks

3.3 Define roadmap initiatives

Phase 4

4.1 Review and assign work items

4.2 Finalize cloud decision framework

4.3 Create cloud vision

This phase will walk you through the following activities:

• Conduct workload assessments
• Determine workload future state

This phase involves the following participants:

• Subject matter experts
• Core working group
• IT management

Define Your Cloud Vision

Work from the bottom up and assess your workloads

A workload-first approach will help you create a realistic vision.

The concept of a cloud vision should unquestionably be informed by the nature of the workloads that IT is expected to provide for the wider organization. The overall cloud vision is no greater than the sum of its parts. You cannot migrate to the cloud in the abstract. Workloads need to go – and not all workloads are equally suitable for the transition.

It is therefore imperative to understand which workloads are a good fit for the cloud, which cloud service models make the most sense, how to execute the migration, what support should look like, and what risks and roadblocks you are likely to encounter as part of the process.

That’s where the Cloud Vision Workbook comes into play. You can use this tool to assess as many workloads as you’d like – most people get the idea after about four – and by the end of the exercise, you should have a pretty good idea about where your workloads belong, and you’ll have a tool to assess any net new or previously unconsidered workloads.

It’s not so much about the results of the assessment – though these are undeniably important – but about the learnings gleaned from the collaborative assessment exercise. While you can certainly fill out the assessment without any additional input, this exercise is most effective when completed as part of a group.

Introducing the Cloud Vision Workbook

• The Cloud Vision Workbook is an Excel tool that answers the age old question: “What should I do with my workloads?”
• It is divided into eight tabs, each of which offers unique value. Start by reading the introduction and inputting your list of workloads. Work your way through tabs 3-6, completing the suitability, migration, management, and risk and roadblock assessments, and review the results on tab 7.
• If you choose to go through the full battery of assessments for each workload, expect to answer and weight 111 unique questions across the four assessments. This is an intensive exercise, so carefully consider which assessments are valuable to you, and what workloads you have time to assess.
• Tab 8 hosts the milestone timeline and captures the results of the phase 3 risk and mitigation exercise.

Understand Cloud Vision Workbook outputs

Step 2.1

Conduct workload assessments

Activities

2.1.1 Conduct workload assessments

2.1.2 Interpret your results

Phase Title

Conduct workload assessments

Determine workload future state

This step involves the following participants:

• Core working group
• Workload subject matter experts

Outcomes of this step

• Completed workload assessments

2.1.1 Conduct workload assessments

2 hours per workload

Input

• List of workloads to be assessed

Output

• Completed cloud vision assessments

Materials

• Cloud Vision Workbook

Participants

• Core working group
• Service owners/workload SMEs

1. The Cloud Vision Workbook is your one stop shop for all things workload assessment. Open the tool to tab 2 and review the workloads you identified at the end of phase 1. Ensure that these are correct. Once satisfied, project the tool (virtually, if necessary) so that all participants can see the assessment questions.
2. Work through tabs 3-6, answering the questions and assigning a multiplier for each one. A higher multiplier increases the relative weight of the question, giving it a greater impact on the overall outcome.
3. Do your best to induce participants to offer opinions. Consensus is not absolutely necessary, but it is a good goal. Ask your participants if they agree with initial responses and occasionally take the opposite position (“I’m surprised you said agree – I would have thought we didn’t care about CapEx vs. OpEx”). Stimulate discussion.
4. Highlight any questions that you will need to return to or run by someone not present. Include a placeholder answer, as the tool requires all cells to be filled for computation.

Cloud Vision Workbook

2.1.2 Interpret your results

10 minutes

Input

• Completed cloud vision assessments

Output

• Shared understanding of implications

Materials

• Cloud Vision Workbook

Participants

• Core working group
• Service owners/workload SMEs

1. Once you’ve completed all 111 questions for each workload, you can review your results on tab 7. On tab 7, you will see four populated graphics: cloud suitability, migration path, “where should skills be procured?”, and risks and roadblocks. These represent the components of the overall cloud vision that you will present to stakeholders.
2. The “cloud suitability” chart captures the service model that the assessment judges to be most suitable for the workload. Ask those present if any are surprised by the output. If there is any disagreement, discuss the source of the surprise and what a more realistic outcome would be. Revisit the assessment if necessary.
3. Conduct a similar exercise with each of the other outputs. Does it make sense to refactor the workload based on its cloud suitability? Does the fact that we scored so highly on the “consultant” support model indicate something about how we handle upskilling internally? Does the profile of risks and roadblocks identified here align with expectations? What should be ranked higher? What about lower?
4. Once everyone is generally satisfied with the results, close the tool and take a break! You’ve earned it.

Cloud Vision Workbook

Understand the cloud strategy components

Each cloud strategy will take a slightly different form, but all should contain echoes of each of these components. This process will help you define your vision and direction, but you will need to take steps to execute on that vision. The remainder of the cloud strategy, covered in the related blueprint Document Your Cloud Strategy comprises these fourteen topics divided across three categories: people, governance, and technology. The workload assessment covers these under risks and roadblocks and highlights areas that may require specific additional attention. When interpreting the results, think of these areas as comprising things that you will need to do to make your vision a reality.

People

• Skills and roles
• Culture and adoption
• Governing bodies

Governance

• Architecture
• Integration and interoperability
• Operations management
• Cloud portfolio management
• Cloud vendor management
• Finance management
• Security
• Data controls

Technology

• Monitoring
• Provisioning
• Migration

Strategy component: People

People form the core of any good strategy. As part of your cloud vision, you will need to understand the implications a cloud transition will have on your staff and users, whether those users are internal or external.

Strategy component: Governance

Without guardrails, the cloud deployment will grow organically. This has strengths (people tend to adopt solutions that they select and deploy themselves), but these are more than balanced out by the drawbacks that come with inconsistency, poor administration, duplication of services, suboptimal costing, and any number of other unique challenges. The solution is to develop and deploy governance. The following list captures some of the necessary governance-related components of a cloud strategy.

Strategy component: Governance (cont.)

Strategy component: Technology

Good technology will never replace good people and effective process, but it remains important in its own right. A migration that neglects the undeniable technical components of a solid cloud strategy is doomed to mediocrity at best and failure at worst. Understanding the technical implications of the cloud vision – particularly in terms of monitoring, provisioning, and migration – makes all the difference. You can interpret the results of the cloud workload assessments by reviewing the details presented here.

Step 2.2

Determine workload future state

Activities

2.2.1 Determine workload future state

Conduct workload assessments

Determine workload future state

This step involves the following participants:

• IT management
• Core working group

Outcomes of this step

• Completed workload assessments
• Defined workload future state

2.2.1 Determine workload future state

1-3 hours

Input

• Completed workload assessments

Output

• Preliminary future state outputs

Materials

• Cloud Vision Workbook
• Cloud Vision Executive Presentation

Participants

• Core working group
• Service owners
• IT management

1. After you’ve had a chance to validate your results, refer to tab 7 of the tool, where you will find a blank notes section.
2. With the working group, capture your answers to each of the following questions:
   1. What service model is the most suitable for the workload? Why?
   2. How will we conduct the migration? Which of the six models makes the most sense? Do we have a backup plan if our primary plan doesn’t work out?
   3. What should the support model look like?
   4. What are some workload-specific risks and considerations that must be taken into account for the workload?
3. Once you’ve got answers to each of these questions for each of the workloads, include your summary in the “notes” section of tab 7.

Cloud Vision Executive Presentation

Paste the output into the Cloud Vision Executive Presentation

• The Cloud Vision Workbook output is a compact, consumable summary of each workload’s planned future state. Paste each assessment in as necessary.
• There is no absolutely correct way to present the information, but the output is a good place to start. Do note that, while the presentation is designed to lead with the vision statement, because the process is workload-first, the assessments are populated prior to the overall vision in a bottom-up manner.
• Be sure to anticipate the questions you are likely to receive from any stakeholders. You may consider preparing for questions like: “What other workloads fit this profile?” “What do we expect the impact on the budget to be?” “How long will this take?” Keep these and other questions in mind as you progress through the vision definition process.

Info-Tech Insight

Keep your audience in mind. You may want to include some additional context in the presentation if the results are going to be presented to non-technical stakeholders or those who are not familiar with the terms or how to interpret the outputs.

Identify and Mitigate Risks

Build the foundations of your cloud vision

PHASE 3

Phase 3

Identify and Mitigate Risks

Phase 1

1.1 Generate goals and drivers

1.2 Explore cloud characteristics

1.3 Create a current state summary

1.4 Select workloads for analysis

Phase 2

2.1 Conduct workload assessments

2.2 Determine workload future states

Phase 3

3.1 Generate risks and roadblocks

3.2 Mitigate risks and roadblocks

3.3 Define roadmap initiatives

Phase 4

4.1 Review and assign work items

4.2 Finalize cloud decision framework

4.3 Create cloud vision

This phase will walk you through the following activities:

• Generate risks and roadblocks
• Mitigate risks and roadblocks
• Define roadmap initiatives

This phase involves the following participants:

• Core working group
• Workload subject matter experts

You know what you want to do, but what do you have to do?

What questions remain unanswered?

There are workload-level risks and roadblocks, and there are environment-level risks. This phase is focused primarily on environment-level risks and roadblocks, or those that are likely to span multiple workloads (but this is not hard and fast rule – anything that you deem worth discussing is worth discussing). The framework here calls for an open forum where all stakeholders – technical and non-technical, pro-cloud and anti-cloud, management and individual contributor – have an opportunity to articulate their concerns, however specific or general, and receive feedback and possible mitigation.

Start by soliciting feedback. You can do this over time or in a single session. Encourage anyone with an opinion to share it. Focus on those who are likely to have a perspective that will become relevant at some point during the creation of the cloud strategy and the execution of any migration. Explain the preliminary direction; highlight any major changes that you foresee. Remind participants that you are not looking for solutions (yet), but that you want to make sure you hear any and every concern as early as possible. You will get feedback and it will all be valuable.

Before cutting your participants loose, remind them that, as with all business decisions, the cloud comes with trade-offs. Not everyone will have every wish fulfilled, and in some cases, significant effort may be needed to get around a roadblock, risks may need to be accepted, and workloads that looked like promising candidates for one service model or another may not be able to realize that potential. This is a normal and expected part of the cloud vision process.

Once the risks and roadblocks conversation is complete, it is the core working group’s job to propose and validate mitigations. Not every risk can be completely resolved, but the cloud has been around for decades – chances are someone else has faced a similar challenge and made it through relatively unscathed. That work will inevitably result in initiatives for immediate execution. Those initiatives will form the core of the initiative roadmap that accompanies the completed Cloud Vision Executive Presentation.

Step 3.1

Generate risks and roadblocks

Activities

3.1.1 Generate risks and roadblocks

3.1.2 Generate mitigations

Identify and mitigate risks

Generate risks and roadblocks

Mitigate risks and roadblocks

Define roadmap initiatives

This step involves the following participants:

• Core working group
• IT management
• Infrastructure
• Applications
• Security
• Architecture

Outcomes of this step

• List of risks and roadblocks

Understand risks and roadblocks

Risk

• Something that could potentially go wrong.
• You can respond to risks by mitigating them:
  • Eliminate: take action to prevent the risk from causing issues.
  • Reduce: take action to minimize the likelihood/severity of the risk.
  • Transfer: shift responsibility for the risk away from IT, towards another division of the company.
  • Accept: where the likelihood or severity is low, it may be prudent to accept that the risk could come to fruition.

Roadblock

• There are things that aren’t “risks” that we care about when migrating to the cloud.
• We know, for example, that a complicated integration situation will create work items for any migration – this is not an “unknown.”
• We respond to roadblocks by generating work items.

3.1.1 Generate risks and roadblocks

1.5 hours

Input

• Completed cloud vision assessments

Output

• List of risks and roadblocks

Materials

• Whiteboard
• Sticky notes

Participants

• Core working group
• Service owners/workload SMEs
• Anyone with concerns about the cloud

1. Gather your core working group – and really anyone with an intelligent opinion on the cloud – into a single meeting space. Give the group 5-10 minutes to list anything they think could present a difficulty in transitioning workloads to the cloud. Write each risk/roadblock on its own sticky note. You will never be 100% exhaustive, but don’t let anything your users care about go unaddressed.
2. Once everyone has had time to write down their risks and roadblocks, have everyone share one by one. Make sure you get them all. Overlap in risks and roadblocks is okay! Group similar concerns together to give a sort of heat map of what your participants are concerned about. (This is called “affinity diagramming.”)
3. Assign names to these categories. Many of these categories will align with the strategy components discussed in the previous phase (governance, security, etc.) but some will be specific whether by nature or by degree.
4. Sort each of the individual risks into its respective category, collapsing any exact duplicates, and leaving room for notes and mitigations (see the next slide for a visual).

Understand risks and roadblocks

Step 3.2

Mitigate risks and roadblocks

Activities

3.2.1 Generate mitigations

Identify and mitigate risks

Generate risks and roadblocks

Mitigate risks and roadblocks

Define roadmap initiatives

This step involves the following participants:

• Core working group

Outcomes of this step

• List of mitigations

Is the public cloud less secure?

This is the key risk-related question that most cloud customers will have to answer at some point: does migrating to the cloud for some services increase their exposure and create a security problem?

As with all good questions, the answer is “it depends.” But what does it depend on? Consider these cloud risks and potential mitigations:

1. Misconfiguration: An error grants access to unauthorized parties (as happened to Capital One in 2019). This can be mitigated by careful configuration management and third-party tooling.
2. Unauthorized access by cloud provider/partner employees: Though rare, it is possible that a cloud provider or partner can be a vector for a breach. Careful contract language, choosing to own your own encryption keys, and a hybrid approach (storing data on-premises) are some possible ways to address this problem.
3. Unauthorized access to systems: Cloud services are designed to be accessed from anywhere and may be accessed by malicious actors. Possible mitigations include risk-based conditional access, careful identity access management, and logging and detection.

“The cloud is definitely more secure in that you have much more control, you have much more security tooling, much more visibility, and much more automation. So it is more secure. The caveat is that there is more risk. It is easier to accidentally expose data in the cloud than it is on-premises, but, especially for security, the amount of tooling and visibility you get in cloud is much more than anything we’ve had in our careers on-premises, and that’s why I think cloud in general is more secure.” –Abdul Kittana, Founder, ASecureCloud

Breach bests bank

No cloud provider can protect against every misconfiguration

Industry: Finance

Source: The New York Times, CNET

Background

Capital One is a major Amazon Web Services customer and is even featured on Amazon’s site as a case study. That case study emphasizes the bank’s commitment to the cloud and highlights how central security and compliance were. From the CTO: “Before we moved a single workload, we engaged groups from across the company to build a risk framework for the cloud that met the same high bar for security and compliance that we meet in our on-premises environments. AWS worked with us every step of the way.”

Complication

The cloud migration was humming along until July 2019, when the bank suffered a serious breach at the hands of a hacker. That hacker was able to steal millions of credit card applications and hundreds of thousands of Social Security numbers, bank account numbers, and Canadian social insurance numbers.

According to investigators and to AWS, the breach was caused by an open reverse proxy attack against a misconfigured web app firewall, not by an underlying vulnerability in the cloud infrastructure.

Results

Capital One reported that the breach was expected to cost it $150 million, and AWS fervently denied any blame. The US Senate got involved, as did national media, and Capital One’s CEO issued a public apology, writing, “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

It was a bad few months for IT at Capital One.

3.2.1 Generate mitigations

3-4.5 hours

Input

• Completed cloud vision assessments

Output

• List of risks and roadblocks

Materials

• Whiteboard
• Sticky notes

Participants

• Core working group
• Service owners/workload SMEs
• Anyone with concerns about the cloud

1. Recall the four mitigation strategies: eliminate, reduce, transfer, or accept. Keep these in mind as you work through the list of risks and roadblocks with the core working group. For every individual risk or roadblock raised in the initial generation session, suggest a specific mitigation. If the concern is “SaaS providers having access to confidential information,” a mitigation might be encryption, specific contract language, or proof of certifications (or all the above).
2. Work through this for each of the risks and roadblocks, identifying the steps you need to take that would satisfy your requirements as you understand them.
3. Once you have gone through the whole list – ideally with input from SMEs in particular areas like security, engineering, and compliance/legal – populate the Cloud Vision Workbook (tab 8) with the risks, roadblocks, and mitigations (sorted by category). Review tab 8 for an example of the output of this exercise.

Cloud Vision Workbook

Cloud Vision Workbook – mitigations

Step 3.3

Define roadmap initiatives

Activities

3.3.1 Generate roadmap initiatives

Identify and mitigate risks

Generate risks and roadblocks

Mitigate risks and roadblocks

Define roadmap initiatives

This step involves the following participants:

• Core working group

Outcomes of this step

• Defined roadmap initiatives

3.3.1 Generate roadmap initiatives

1 hour

Input

• List of risk and roadblock mitigations

Output

• List of cloud initiatives

Materials

• Cloud Vision Workbook

Participants

• Core working group

1. Executing on your cloud vision will likely require you to undertake some key initiatives, many of which have already been identified as part of your mitigation exercise. On tab 8 of the Cloud Vision Workbook, review the mitigations you created in response to the risks and roadblocks identified. Initiatives should generally be assignable to a party and should have a defined scope/duration. For example, “assess all net new applications for cloud suitability” might not be counted as an initiative, but “design a cloud application assessment” would likely be.
2. Design a timeline appropriate for your specific needs. Generally short-term (less than 3 months), medium-term (3-6 months), and long-term (greater than 6 months) will work, but this is entirely based on preference.
3. Review and validate the parameters with the working group. Consider creating additional color-coding (highlighting certain tasks that might be dependent on a decision or have ongoing components).

Cloud Vision Workbook

Bridge the gap and create the vision

Build the foundations of your cloud vision

Phase 4

Phase 4

Bridge the Gap and Create the Vision

Phase 1

1.1 Generate goals and drivers

1.2 Explore cloud characteristics

1.3 Create a current state summary

1.4 Select workloads for analysis

Phase 2

2.1 Conduct workload assessments

2.2 Determine workload future states

Phase 3

3.1 Generate risks and roadblocks

3.2 Mitigate risks and roadblocks

3.3 Define roadmap initiatives

Phase 4

4.1 Review and assign work items

4.2 Finalize cloud decision framework

4.3 Create cloud vision

This phase will walk you through the following activities:

• Assign initiatives and propose timelines
• Build a delivery model rubric
• Build a service model rubric
• Built a support model rubric
• Create a cloud vision statement
• Map cloud workloads
• Complete the Cloud Vision presentation

This phase involves the following participants:

• IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders

Step 4.1

Review and assign work items

Activities

4.1.1 Assign initiatives and propose timelines

Bridge the gap and create the vision

Review and assign work items

Finalize cloud decision framework

Create cloud vision

This step involves the following participants:

• Core working group
• IT management

Outcomes of this step

• Populated cloud vision roadmap

4.1.1 Assign initiatives and propose timelines

1 hour

Input

• List of cloud initiatives

Output

• Initiatives assigned by responsibility and timeline

Materials

• Cloud Vision Workbook

Participants

• Core working group

1. Once the list is populated, begin assigning responsibility for execution. This is not a RACI exercise, so focus on the functional responsibility. Once you have determined who is responsible, assign a timeline and include any notes. This will form the basis of a more formal project plan.
2. To assign the initiative to a party, consider 1) who will be responsible for execution and 2) if that responsibility will be shared. Be as specific as possible, but be sure to be consistent to make it easier for you to sort responsibility later on.
3. When assigning timelines, we suggest including the end date (when you expect the project to be complete) rather than the start date, though whatever you choose, be sure to be consistent. Make use of the notes column to record anything that you think any other readers will need to be aware of in the future, or details that may not be possible to commit to memory.

Cloud Vision Workbook

Step 4.2

Finalize cloud decision framework

Activities

4.2.1 Build a delivery model rubric

4.2.2 Build a service model rubric

4.2.3 Build a support model rubric

Bridge the gap and create the vision

Review and assign work items

Finalize cloud decision framework

Create cloud vision

This step involves the following participants:

• Core working group

Outcomes of this step

• Cloud decision framework

4.2.1 Build a delivery model rubric

1 hour

Input

• List of cloud initiatives

Output

• Initiatives assigned by responsibility and timeline

Materials

• Cloud Vision Executive Presentation

Participants

• Core working group

1. Now that we have a good understanding of the cloud’s key characteristics, the relative suitability of different workloads for the cloud, and a good understanding of some of the risks and roadblocks that may need to be overcome if a cloud transition is to take place, it is time to formalize a delivery model rubric. Start by listing the delivery models on a white board vertically – public, private, hybrid, and multi-cloud. Include a community cloud option as well if that is feasible for you. Strike any models that do not figure into your vision.
2. Create a table style rubric for each delivery model. Confer with the working group to determine what characteristics best define workloads suitable for each model. If you have a hybrid cloud option, you may consider workloads that are highly dynamic; a private cloud hosted on-premises may be more suitable for workloads that have extensive regulatory requirements.
3. Once the table is complete, include it in the Cloud Vision Executive Presentation.

Cloud Vision Executive Presentation

Vision for the cloud future state (example)

Summary statement: Everything must go! Public cloud is a top priority. Anything that is not compatible (for whatever reason) with a public cloud deployment will be retained in a premises-based server closet (downgraded from a full datacenter). The private cloud does not align with the overall organizational vision, nor does a hybrid solution.

4.2.2 Build a service model rubric

1 hour

Input

• Output of workload assessments
• Output of risk and mitigation exercise

Output

• Service model rubric

Materials

• Whiteboard
• Cloud Vision Executive Presentation

Participants

• Core working group

1. This next activity is like the delivery model activity, but covers the relevant cloud service models. On a whiteboard, make a vertical list of the cloud service models (SaaS, PaaS, IaaS, etc.) that will be considered for workloads. If you have an order of preference, place your most preferred at the top, your least preferred at the bottom.
2. Describe the circumstances under which you would select each service model. Do your best to focus on differentiators. If a decision criterion appears for multiple service models, consider refining or excluding it. (For additional information, check out Info-Tech’s Reimagine IT Operations for a Cloud-First World blueprint.)
3. Create a summary statement to capture your overall service model position. See the next slide for an example. Note: this can be incorporated into your cloud vision statement, so be sure that it reflects your genuine cloud preferences.
4. Record the results in the Cloud Vision Executive Presentation.

Cloud Vision Executive Presentation

Vision for the cloud future state (example)

Summary statement: SaaS will be the primary service model. All workloads will migrate to the public cloud where possible. Anything that cannot be migrated to SaaS will be migrated to PaaS. IaaS is a transitory step.

4.2.3 Build a support model rubric

1 hour

Input

• Results of the cloud workload assessments

Output

• Support model rubric

Materials

• Whiteboard
• Cloud Vision Executive Presentation

Participants

• Core working group

1. The final rubric covered here is that for the support model. Where will you procure the skills necessary to ensure the vision’s proper execution? Much like the other rubric activities, write the three support models vertically (in order of preference, if you have one) on a whiteboard.
2. Next to each model, describe the circumstances under which you would select each support model. Focus on the dimensions: the duration of the engagement, specialization required, and flexibility required. If you have existing rules/practices around hiring consultants/MSPs, consider those as well.
3. Once you have a good list of decision criteria, form a summary statement. This should encapsulate your position on support models and should mention any notable criteria that will contribute to most decisions.
4. Record the results in the Cloud Vision Executive Presentation.

Cloud Vision Executive Presentation

Vision for the cloud future state (example)

Summary statement: Most workloads will be managed in house. A consultant will be employed to facilitate the transition to micro-services in a cloud container environment, but this will be transitioned to in-house staff. An MSP will continue to manage backups and telephony.

Step 4.3

Create cloud vision

Activities

4.3.1 Create a cloud vision statement

4.3.2 Map cloud workloads

4.3.3 Complete the Cloud Vision Presentation

Review and assign work items

Finalize cloud decision framework

Create cloud vision

This step involves the following participants:

• Core working group
• IT management

Outcomes of this step

Completed Cloud Vision Executive Presentation

4.3.1 Create a cloud vision statement

1 hour

Input

• List of cloud initiatives

Output

• Initiatives assigned by responsibility and timeline

Materials

• Cloud Vision Workbook

Participants

• Core working group

1. Now that you know what service models are appropriate, it’s time to summarize your cloud vision in a succinct, consumable way. A good vision statement should have three components:
   • Scope: Which parts of the organization will the strategy impact?
   • Goal: What is the strategy intended to accomplish?
   • Key differentiator: What makes the new strategy special?
2. On a whiteboard, make a chart with three columns (one column for each of the features of a good mission statement). Have the group generate a list of words to describe each of the categories. Ideally, the group will produce multiple answers for each category.
3. Once you’ve gathered a few different responses for each category, have the team put their heads down and generate pithy mission statements that capture the sentiments underlying each category.
4. Have participants read their vision statements in front of the group. Use the rest of the session to produce a final statement. Record the results in the Cloud Strategy Executive Presentation.

Example vision statement outputs

“IT at ACME Corp. hereby commits to providing clients and end users with an unparalleled, productivity-enabling technology experience, leveraging, insofar as it is possible and practical, cloud-based services.”

“At ACME Corp. our employees and customers are our first priority. Using new, agile cloud services, IT is devoted to eliminating inefficiency, providing cutting-edge solutions for a fast-paced world, and making a positive difference in the lives of our colleagues and the people we serve.”

“As a global leader in technology, ACME Corp. is committed to taking full advantage of new cloud services, looking first to agile cloud options to optimize internal processes wherever efficiency gaps exist. Improved efficiency will allow associates to spend more time on ACME’s core mission: providing an unrivalled customer experience.”

Scope

Goal

Key differentiator

4.3.2 Map cloud workloads

1 hour

Input

• List of workloads
• List of acceptable service models
• List of acceptable migration paths

Output

• Workloads mapped by service model/migration path

Materials

• Whiteboard
• Sticky notes

Participants

• Core working group

1. Now that you have defined your overall cloud vision as well as your service model options, consider aligning your service model preferences with your migration path preferences. Draw a table with your expected migration strategies across the top (retain, retire, rehost, replatform, refactor, repurchase, or some of these) and your expected service models across the side.
2. On individual sticky notes, write a list of workloads in your environment. In a smaller environment, this list can be exhaustive. Otherwise take advantage of the list you created as part of phase 1 along with any additional workloads that warrant discussion.
3. As a group, go through the list, placing the sticky notes first in the appropriate row based on their characteristics and the decision criteria that have already been defined, and then in the appropriate column based on the appropriate migration path. (See the next slide for an example of what this looks like.)
4. Record the results in the Cloud Vision Executive Presentation. Note: not every cell will be filled; some migration path/service model combinations are impossible or otherwise undesirable.

Cloud Vision Executive Presentation

Example cloud workload map

4.3.3 Complete the Cloud Vision Presentation

1 hour

Input

• List of cloud initiatives

Output

• Initiatives assigned by responsibility and timeline

Materials

• Cloud Vision Workbook

Participants

• Core working group

1. Open the Cloud Vision Executive Presentation to the second slide and review the templated executive brief. This comprises several sections (see the next slide). Populate each one:
   • Summary of the exercise
   • The cloud vision statement
   • Key cloud drivers
   • Risks and roadblocks
   • Top initiatives and next steps
2. Review the remainder of the presentation. Be sure to elaborate on any significant initiatives and changes (where applicable) and to delete any slides that you no longer require.

Cloud Vision Workbook

Sample cloud vision executive summary

• From [date to date], a cross-functional group representing IT and its constituents met to discuss the cloud.
• Over the course of the week, the group identified drivers for cloud computing and developed a shared vision, evaluated several workloads through an assessment framework, identified risks, roadblocks, and mitigations, and finally generated initiatives and next steps.
• From the process, the group produced a summary and a cloud suitability assessment framework that can be applied at the level of the workload.

Cloud Vision Statement

[Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support, and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.

Initiatives and next steps

• Close the datacenter and colocation site in favor of a SaaS-first cloud approach.
• Some workloads will migrate to infrastructure-as-a-service in the short term with the assistance of third-party consultants.

Document your cloud strategy

You did it!

Congratulations! If you’ve made it this far, you’ve successfully articulated a cloud vision, assessed workloads, developed an understanding (shared with your team and stakeholders) of cloud concepts, and mitigated risks and roadblocks that you may encounter along your cloud journey. From this exercise, you should understand your mission and vision, how your cloud plans will interact with any other relevant strategic plans, and what successful execution looks like, as well as developing a good understanding of overall guiding principles. These are several components of your overall strategy, but they do not comprise the strategy in its entirety.

How do you fix this?

First, validate the results of the vision exercise with your stakeholders. Socialize it and collect feedback. Make changes where you think changes should be made. This will become a key foundational piece. The next step is to formally document your cloud strategy. This is a separate project and is covered in the Info-Tech blueprint Document Your Cloud Strategy.

The vision exercise tells you where you want to go and offers some clues as to how to get there. The formal strategy exercise is a formal documentation of the target state, but also captures in detail the steps you’ll need to take, the processes you’ll need to refine, and the people you’ll need to hire.

A cloud strategy should comprise your organizational stance on how the cloud will change your approach to people and human resources, technology, and governance. Once you are confident that you can make and enforce decisions in these areas, you should consider moving on to Document Your Cloud Strategy. This blueprint, Define Your Cloud Vision, often serves as a prerequisite for the strategy documentation conversation(s).

Appendix

Summary of Accomplishment

Additional Support

Research Contributors

Related Info-Tech Research

Vendor Resources

Bibliography

Summary of Accomplishment

Problem Solved

You have now documented what you want from the cloud, what you mean when you say “cloud,” and some preliminary steps you can take to make your vision a reality.

You now have at your disposal a framework for identifying and evaluating candidates for their cloud suitability, as well as a series of techniques for generating risks and mitigations associated with your cloud journey. The next step is to formalize your cloud strategy using the takeaways from this exercise. You’re well on your way to a completed cloud strategy!

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Generate drivers for cloud adoption

Work with stakeholders to understand the expected benefits of the cloud migration and how these drivers will impact the overall vision.

Conduct workload assessments

Assess your individual cloud workloads for their suitability as candidates for the cloud migration.

Bibliography

“2021 State of the Cloud Report.” Flexera, 2021. Web.

“2021 State of Upskilling Report.” Pluralsight, 2021. Web.

“AWS Snowmobile.” Amazon Web Services, n.d. Web.

“Azure products.” Microsoft, n.d. Web.

“Azure Migrate Documentation.” Microsoft, n.d. Web.

Bell, Harold. “Multi-Cloud vs. Hybrid Cloud: What’s the Difference?” Nutanix, 2019. Web.

“Cloud Products.” Amazon Web Services, n.d. Web.

“COBIT 2019 Framework: Introduction and Methodology.” ISACA, 2019. Web.

Edmead, Mark T. “Using COBIT 2019 to Plan and Execute an Organization’s Transformation Strategy.” ISACA, 2020. Web.

Flitter, Emily, and Karen Weise. “Capital One Data Breach Compromises Data of Over 100 Million.” The New York Times, 29 July 2019. Web.

Gillis, Alexander S. “Cloud Security Posture Management (CSPM).” TechTarget, 2021. Web.

“’How to Cloud’ with Capital One.” Amazon Web Services, n.d. Web.

“IBM Closes Landmark Acquisition of Red Hat for $34 Billion; Defines Open, Hybrid Cloud Future.” Red Hat, 9 July 2019. Web.

Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” National Institute of Standards and Technology, Sept. 2011. Web.

Ng, Alfred. “Amazon Tells Senators it Isn't to Blame for Capital One Breach.” CNET, 2019. Web.

Orban, Stephen. “6 Strategies for Migrating Applications to the Cloud.” Amazon Web Services, 2016. Web.

Sullivan, Dan. “Cloud Access Security Broker (CASB).” TechTarget, 2021. Web.

“What Is Secure Access Service Edge (SASE)?” Cisco, n.d. Web.