Present Security to Executive Stakeholders

Learn how to communicate security effectively to obtain support from decision makers.

Analyst Perspective

Build and deliver an effective security communication to your executive stakeholders.

As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected. However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging. Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives. Ahmad Jowhar Research Specialist, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Your challenge

As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

• When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
• This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
• Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

62% find it difficult to balance the risk of too much detail and need-to-know information.

41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

Source: Deloitte, 2022

Common obstacles

There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

• Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
• The issue has been amplified, with security threats constantly increasing across all industries.
• However, security leaders don’t feel that they are in a position to make themselves heard.
• The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
• Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

77% of organizations have seen an increase in the number of attacks in 2021.

56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

Source: EY, 2021

Info-Tech’s methodology for presenting security to executive stakeholders

Develop a structured process for communicating security to your stakeholders

Security presentations are not a one-way street
The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Identifying your goals is the foundation of an effective presentation
Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

Harness the power of data
Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

Take your audience on a journey
Developing a storytelling approach will help engage with your audience.

Win your audience by building a rapport
Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

Tactical insight
Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

Tactical insight
Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

Project deliverables

This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

Report on Security Initiatives Template showing how to inform executive stakeholders of security initiatives.		Security Metrics Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.
Security Incident Response & Recovery Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.		Security Funding Request Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

Key template:

Template showing how to inform executive stakeholders of proactive security and risk initiatives.

Blueprint benefits

Measure the value of this blueprint

* The financial figure depicts the annual salary of a CISO in 2022

Source: Chief Information Security Officer Salary.” Salary.com, 2022

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Identify communication goals

This phase will walk you through the following activities:

• Understanding the different drivers for communicating security to executive stakeholders
• Identifying different communication goals

This phase involves the following participants:

• Security leader

1.1. Identify drivers for communicating to executive stakeholders

As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

Source: EY, 2021.

Info-Tech Insight

Not all security presentations are the same. Keep your communication strategy and processes agile.

Know your drivers for security presentations

By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

• These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
• Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

Understanding drivers will also help you understand how to present security to executive stakeholders.

• These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
• For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

Identify your communication drivers, which can stem from various initiatives and programs, including:

• Results from internal or external audit reports.
• Upcoming budget meetings.
• Briefing newly elected executive stakeholders on security.

When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

Examples of drivers for security presentations

Audit
Upcoming internal or external audits might require updates on the organization’s compliance

Organizational restructuring
Restructuring within an organization could require security updates

Merger & Acquisition
An M&A would trigger presentations on organization’s current and future security posture

Cyber incident
A cyberattack would require an immediate presentation on its impact and the incident response plan

Ad hoc
Provide security information requested by stakeholders

1.2. Define your goals for communicating to executives

After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

• Communication drivers are mainly triggers for why you want to present security.
• Communication goals are the potential outcomes you are hoping to obtain from the presentation.
• Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

• As a group, brainstorm the security goals that align with your business goals for the coming year.
  • Aim to have at least two business goals that align with each security goal.
• Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
  • E.g. Increased security awareness, updates on organization's security posture.
• Identify what the ask is for this presentation.
  • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

Info-Tech Insight

There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

Examples of security presentation goals

Educate
Educate the board on security trends and/or latest risks in the industry

Update
Provide updates on security initiatives, relevant security metrics, and compliance posture

Inform
Provide an incident response plan due to a security incident or deliver updates on current threats and risks

Investment
Request funding for security investments or financial updates on past security initiatives

Ad hoc
Provide security information requested by stakeholders

Phase 2

Collect information to support goals

This phase will walk you through the following activities:

• Understanding what types of data to include in your security presentations
• Defining where and how to retrieve data

This phase involves the following participants:

• Security leader
• Network/security analyst

2.1 Identify data to collect

After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

• Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
• The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
• Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

• Work with your security team to identify the main type of data applicable to the communication goals.
  • E.g. Financial data would be meaningful to use when communicating a budget presentation.
• Identify supporting data linked to the main data defined.
  • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
• Show how both the main and supporting data align with the communication goals.
  • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

Info-Tech Insight

Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

Examples of data to present

Educate
Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

Update
Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

Inform
Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

Investment
Capital and operating expenditure for investment; ROI on past and future security initiatives

Ad hoc
Number of security initiatives that went over budget; phishing test campaign results

2.2 Plan how to retrieve the data

Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

• Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
  • This includes security log reports or expenditures for ongoing and future security investments.
• Retrieving the data, however, would require collaboration and cooperation from different team members.
• You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

• This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
• Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

Info-Tech Insight

Using a data-driven approach to help support your objectives is key to engaging with your audience.

Plan where to retrieve the data

Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

Examples of where to retrieve your data

Phase 3

Develop communication

This phase will walk you through the following activities:

• Identifying a communication strategy for presenting security
• Identifying security templates that are applicable to your presentation

This phase involves the following participants:

• Security leader

3.1 Plan communication: Know who your audience is

• When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
• This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

Examples of two profiles in a boardroom

3.1.1 Know what your audience cares about

• Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
• Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
• Your background research could include:
  • Researching the audience’s professional background through LinkedIn.
  • Reviewing their comments from past executive meetings.
  • Researching current security trends that align with organizational goals.
• Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

A board’s purpose can include the following:

• Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
• Determining and funding the organization’s future and direction.
• Protecting and increasing shareholder value.
• Protecting the company’s exposure to risks.

Examples of potential values and risks

• Business impact
• Financial impact
• Security and incidents

Info-Tech Insight
Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

Understand your audience’s concerns

• Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
• By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
• These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
• After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

Examples of potential concerns for each profile of executive stakeholders

Build your presentation to tackle their main concerns

Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

Checklist:

• Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
• Include value and risk language in your presentation to appeal to your audience.
• Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
• Include information about what is in it for them and the organization.
• Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

Info-Tech Insight
The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

3.1.2 Take your audience through a security journey

• Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
• You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
• Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
• You can derive insights for your storytelling presentation by doing the following:
  • Provide a business case scenario on the topic you are presenting.
  • Identify and communicate the business problem up front and answer the three questions (why, what, how).
  • Quantify the problems in terms of business impact (money, risk, value).

Info-Tech Insight
Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

Identify the purpose of your presentation

You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

Examples of communication goals

Info-Tech Insight
Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

Gather the right information to include in your boardroom presentation

Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

Typical IT boardroom presentations include:

• Communicating the value of ongoing business technology initiatives.
• Requesting funds or approval for a business initiative that IT is spearheading.
• Security incident response/Risk/DRP.
• Developing a business program or an investment update for an ongoing program.
• Business technology strategy highlights and impacts.
• Digital transformation initiatives (value, ROI, risk).

Info-Tech Insight
You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

Info-Tech Insight
Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

Structure your presentation to tell a logical story

To build a strong story for your presentation, ensure you answer these three questions:

Examples:

Scenario 1: The company has experienced a security incident.

Intent: To inform/educate the board about the security incident.

Scenario 2: Security is recommending investments based on strategic priorities.

Intent: To reach a decision with the board – approve investment proposal.

Time plays a key role in delivering an effective presentation

What you include in your story will often depend on how much time you have available to deliver the message.

Consider the following:

• Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
• If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
• Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
• Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

Navigating through Q&A

Use the Q&A portion to build credibility with the board.

• It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
• When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
  • “Let’s work with the sub-committee to find you an answer.”
  • “Let’s take that offline to address in more detail.”
  • “I have some follow-up material I can provide you to discuss that further after our meeting.”
• And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

Info-Tech Insight
The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

Storytelling checklist

Checklist:

• Tailor your presentation based on how much time you have.
• Find out ahead of time how much time you have.
• Identify if your presentation is to inform/educate or reach a decision.
• Identify and communicate the business problem up front and answer the three questions (why, what, how).
• Express the problem in terms of business impact (risk, value, money).
• Prepare and send pre-meeting collateral to the members of the board and executive team.
• Include no more than 5-6 slides for your presentation.
• Factor in Q&A time at the end of your presentation window.
• Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
• Have an elevator speech handy – one or two sentences and a one-pager version of your story.
• Consider how you will build your relationship with the members outside the boardroom.

3.1.3 Build a compelling communication document

Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

A good slide design increases the likelihood that the audience will read the content carefully.

• Bad slide structure (flow) = Audience loses focus
  • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
• Good visual design = Audience might read more
  • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
• Good content + Good structure + Visual appeal = Good presentation
  • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

Slide design best practices

Leverage these slide design best practices to assist you in developing eye-catching presentations.

• Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
• Concise and clear: Fewer words = more skim-able.
• Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
• Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
• Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
• Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

Your presentation must have a logical flow

Vertical logic should be intuitive

The audience is unsure where to look and in what order.	The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

Horizontal and vertical logic checklists

Make it easy to read

Unnecessary coloring makes it hard on the eyes Margins for title at top is too small Content is not skim-able (best to break up the slide)	Increase skim-ability: Emphasize the subheadings Bold important words Make it easier on the eyes: Declutter and add sections Have more white space

Be concise and clear

1. Write your thoughts down
   • This gets your content documented.
   • Don’t worry about clarity or concision yet.
2. Edit for clarity
   • Make sure the key message is very clear.
   • Find your thesis statement.
3. Edit for concision
   • Remove unnecessary words.
   • Use the active voice, not passive voice (see below for examples).

Be memorable

Easy to read, but hard to remember the stats.	The visuals make it easier to see the size of the problem and make it much more memorable. Remember to: Have some kind of visual (e.g. graphs, icons, tables). Divide the content into sections. Have a bit of color on the page.

Aesthetics

This draft slide is just content from the outline document on a slide with no design applied yet.	Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate. Divide the content into sections. Have a bit of color on the page. Bold or italicize important text.

Why use visuals?

How graphics affect us

Cognitively

• Engage our imagination
• Stimulate the brain
• Heighten creative thinking
• Enhance or affect emotions

Emotionally

• Enhance comprehension
• Increase recollection
• Elevate communication
• Improve retention

Visual clues

• Help decode text
• Attract attention
• Increase memory

Persuasion

• 43% more effective than text alone

Source: Management Information Systems Research Center

Presentation format

Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

• Is there a standard presentation template?
• Is a hard-copy handout required?
• Is there a deadline for draft submission?
• Is there a deadline for final submission?
• Will the presentation be circulated ahead of time?
• Do you know what technology you will be using?
• Have you done a dry run in the meeting room?
• Do you know the meeting organizer?

Checklist to build compelling visuals in your presentation

Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

Checklist:

• Do the visuals grab the audience’s attention?
• Will the visuals mislead the audience/confuse them?
• Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
• Do the visuals present information simply, cleanly, and accurately?
• Do the visuals display the information/data in a concentrated way?
• Do the visuals illustrate messages and themes from the accompanying text?

3.2 Security communication templates

Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck. These presentation templates highlight different security topics depending on your communication drivers, goals, and available data. Info-Tech has created five security templates to assist you in building a compelling presentation. These templates provide support for presentations on the following five topics: Security Initiatives Security & Risk Update Security Metrics Security Incident Response & Recovery Security Funding Request Each template provides instructions on how to use it and tips on ensuring the right information is being presented. All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

Download the Security Presentation Templates

Security template example

It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.	This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

Security template example (continued)

This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

Security template example (continued)

This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.	The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

Phase 4

Deliver communication

This phase will walk you through the following activities:

• Identifying a strategy to deliver compelling presentations
• Ensuring you follow best practices for communicating and obtaining your security goals

This phase involves the following participants:

• Security leader

4.1 Deliver a captivating presentation

You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

Follow these tips to assist you in developing an engaging presentation:

• Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
• Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
• Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

Keep your audience engaged with these steps

• Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
• Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
• Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
• Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

Info-Tech Insight
Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

Be honest and straightforward with your communication

• Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
• Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
• No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

Hone presentation skills before meeting with the executive stakeholders

Checklist for presentation logistics

Optimize the timing of your presentation:

• Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
• Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
• Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

Script your presentation:

• Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
• Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
• Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
• Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

Checklist for presentation logistics (continued)

Other considerations:

• After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
• After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
• Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

Checklist for delivering a captivating presentation

Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

Checklist:

• Start with a story or something memorable to break the ice.
• Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
• Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
• Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
• Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

Checklist for delivering a captivating presentation (continued)

• Be deliberate in what you want to show your audience.
• Ensure you have clean slides so the audience can focus on what you’re saying.
• Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
• How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
• Ask for feedback.
• Record yourself presenting.

4.2 Obtain and verify support on security goals

Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

• This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
• Leverage your appendix and other supporting documents to justify your goals.
• Different approaches to obtaining and verifying your goals could include:
  • Acknowledgment from the audience that information communicated aligns with the business’s goals.
  • Approval of funding requests for security initiatives.
  • Written and verbal support for implementation of security initiatives.
  • Identifying next steps for information to communicate at the next executive stakeholder meeting.

Info-Tech Insight
Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

Checklist for obtaining and verify support on security goals

Follow this checklist to assist you in obtaining and verifying your communication goals.

Checklist:

• Be clear about follow-up and next steps if applicable.
• Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
• “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
• Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

Summary of Accomplishment

Problem Solved

A better understanding of security communication drivers and goals

• Understanding the difference between communication drivers and goals
• Identifying your drivers and goals for security presentation

A developed a plan for how and where to retrieve data for communication

• Insights on what type of data can be leveraged to support your communication goals
• Understanding who you can collaborate with and potential data sources to retrieve data from

A solidified communication plan with security templates to assist in better presenting to your audience

• A guideline on how to prepare security presentations to executive stakeholders
• A list of security templates that can be customized and used for various security presentations

A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

• Clear message on best practices for delivering security presentations to executive stakeholders
• Understanding how to verify your communication goals have been obtained

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

Build a Security Metrics Program to Drive Maturity
This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

Bibliography

Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
Carnegie Endowment for International Peace. Web.
“Chief Information Security Officer Salary.” Salary.com, 2022. Web.
“CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
“Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
“Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
“Global Board Risk Survey.” EY. Web.
“Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
“How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

Bibliography

“Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
“Reporting Cybersecurity Risk to the Board of Directors.” Web.
“Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
“The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
“Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
“Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

Research Contributors

• Fred Donatucci, New-Indy Containerboard, VP, Information Technology
• Christian Rasmussen, St John Ambulance, Chief Information Officer
• Stephen Rondeau, ZimVie, SVP, Chief Information Officer

Make the Case for Legacy Application Modernization

Revamp your business potential to improve agility, security, and user experience while reducing costs.

Analyst Perspective

An old application may have served us reliably, but it can prevent us from pursuing future business needs.

Legacy systems remain well-embedded in the fabric of many organizations' application portfolios. They were often custom-built to meet the needs of the business. Typically, these are core tools that the business leverages to accomplish its goals.

A legacy application becomes something we need to address when it no longer supports our business goals, is no longer supportable, bears an unsustainable ownership cost, or poses a threat to the organization's cybersecurity or compliance.

When approaching your legacy application strategy, you must navigate a complex web of business, stakeholder, software, hardware, resourcing, and financial decisions. To complicate matters, the full scope of required effort is not immediately clear. Years of development are embedded in these legacy applications, which must be uncovered and dealt with appropriately.

IT leaders require a proactive approach for evaluating the current state, developing a legacy application strategy, and executing in an agile manner. When coupled with a business case and communications strategy, the organization will have a clear decision-making framework that will maximize business outcomes and deliver value where needed.

Ricardo de Oliveira
Research Director, Enterprise Applications
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Legacy modernization is a process, not a single event. Your modernization approach requires you to understand your landscape and decide on a path that minimizes business continuity risks, keeps investments under control, and is prepared for surprises but always has your final state in mind.

An approach to making the case for legacy application modernization

Understand Assess the challenges, lay out the reasons, define your legacy, and prepare to remove the barriers to modernization.
Assess Determine the benefits by business capability. Leverage APM foundations to select the candidate applications and prioritize.
Define Use the prioritized application list to drive the next steps to modernization.

Legacy application modernization is perceived as necessary to remain competitive

The 2022 State CIO Survey by NASCIO shows that legacy application modernization jumped from fifth to second in state CIO priorities.

"Be patient and also impatient. Patient because all states have a lot of legacy tech they are inheriting and government is NOT easy. But also, impatient because there is a lot to do - make your priorities clear but also find out what the CIO needs to accomplish those priorities."

Source: NASCIO, 2022

US government agencies feel pressured to deal with legacy applications

In fiscal year 2021, the US government planned to spend over $100 billion on information technology. Most of that was to be used to operate and maintain existing systems, including legacy applications, which can be both more expensive to maintain and more vulnerable to hackers. The Government Accountability Office (GAO) identified:

• 10 critical federal IT legacy systems
• In operation between 8 and 51 years
• Collectively cost $337 million per year to operate and maintain

Source: U.S. Government Accountability Office, 2021

Example: In banking, modern platforms are essential

Case Study

Delta takes off with a modernized blend of mainframes and cloud

INDUSTRY: Transportation
SOURCE: CIO Magazine, 2023

Phase 1: Make the Case for Legacy Application Modernization

Phase 1
1.1 Understand your challenges
1.2 Define legacy applications
1.3 Assess your barriers
1.4 Find the impacted capabilities
1.5 Define candidate applications
1.6 Now, Next, Later

This phase will walk you through the following activities:

• Understand your challenges with modernization
• Define legacy applications in your context
• Assess your barriers to modernization
• Find the impacted capabilities and their benefits
• Define candidate applications and dispositions

This phase involves the following participants:

• Application group leaders
• Individual application owners

Decide if You Are Ready for SAFe

Approach the Scaled Agile Framework (SAFe) with open eyes and an open wallet.

Analyst Perspective

Ensure that SAFe is the right move before committing.

Waterfall is dead. Or obsolete at the very least.

Organizations cannot wait months or years for product, service, application, and process changes. They need to embrace business agility to respond to opportunities more quickly and deliver value sooner. Agile established values and principles that have promoted smaller cycle times, greater connections between teams, improved return on investment (ROI) prioritization, and improved team empowerment.

Where organizations continue to struggle is matching localized Scrum teams with enterprise initiatives. This struggle is compounded by legacy executive planning cycles, which undermine Agile team authority. SAFe has provided a series of frameworks to help organizations deal with these issues. It combines enterprise planning and alignment with cross-team collaboration.

Don't rely on popularity or marketing to make your scaled Agile decision. SAFe is a highly disruptive transformation, and it requires extensive training, coaching, process changes, and time to implement. Without the culture shift to an Agile mindset at all levels, SAFe becomes a mirror of Waterfall processes dressed in SAFe names. Furthermore, SAFe itself will not fix problems with communication, requirements, development, testing, release, support, or governance. You will still need to fix these problems within the SAFe framework to be successful.

Hans Eckman
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group

Executive Summary

Info-Tech Insight
SAFe is a highly disruptive enterprise transformation, and it won't solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and how fast you are willing to transform, and make sure that you have the right transformation and coaching partner in place. There is no right software development lifecycle (SDLC) or methodology. Find or create the methodology that best aligns to your needs and goals.

Agile's Four Core Values

"...while there is value in the items on the right, we value the items on the left more."
- The Agile Manifesto

STOP! If you're not Agile, don't start with SAFe.

Successful SAFe requires an Agile mindset at all levels.

Be aware of common myths around Agile and SAFe

SAFe does not...

1...solve development and communication issues.

2...ensure that you will finish requirements faster.

3...mean that you do not need planning and documentation.

"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)

Info-Tech Insight
Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.

Review the drivers that are motivating your organization to adopt and scale Agile practices

Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

If a group's specific needs and drivers are not addressed, its members may develop negative sentiments toward Agile development. These negative sentiments can affect their ability to see the benefits of Agile, and they may return to their old habits once the opportunity arises.

It is important to find opportunities in which both business objectives and functional group drivers can be achieved by scaling Agile development. This can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. It can also be used to justify activities that specifically address functional group drivers.

Examples of Motivating Drivers for Scaling Agile

• Improve artifact handoffs between development and operations.
• Increase collaboration among development teams.
• Reveal architectural and system risks early.
• Expedite the feedback loop from support.
• Improve capacity management.
• Support development process innovation.
• Create a safe environment to discuss concerns.
• Optimize value streams.
• Increase team engagement and comradery.

Don't start with scaled Agile!

Scaling Agile is a way to optimize product management and product delivery in application lifecycle management practices. Do not try to start with SAFe when the components are not yet in place.

Scale Agile delivery to improve cross-functional dependencies and releases

Top Business Concerns When Scaling Agile

1 Organizational Culture: The current culture may not support team empowerment, learning from failure, and other Agile principles. SAFe also allows top-down decisions to persist.

2 Executive Support: Executives may not dedicate resources, time, and effort into removing obstacles to scaling Agile because of lack of business buy-in.

3 Team Coordination: Current collaboration structures may not enable teams and stakeholders to share information freely and integrate workflows easily.

4 Business Misalignment: Business vision and objectives may be miscommunicated early in development, risking poorly planned and designed initiatives and low-quality products.

Extending collaboration is the key to success.

Uniting stakeholders and development into a single body is the key to success. Assess the internal and external communication flow and define processes for planning and tracking work so that everyone is aware of how to integrate, communicate, and collaborate.

The goal is to enable faster reaction to customer needs, shorter release cycles, and improved visibility of the project's progress with cross-functional and diverse conversations.

Advantages of successful SAFe implementations

Once SAFe is complete and operational, organizations have seen measurable benefits:

• Multiple frameworks to support different levels of SAFe usage
• Deliberate and consistent planning and coordination
• Coordinating dependencies within value streams
• Reduced time to delivery
• Focus on customers and end users
• Alignment to business goals and value streams
• Increased employee engagement

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Source: "Benefits," Scaled Agile, 2023

Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

Develop Your Agile Approach for a Successful Transformation

Source: Scaled Agile, Inc.

Info-Tech's IT Management & Governance Framework

Info-Tech Insight
SAFe is an enterprise, culture, and process transformation that impacts all IT services. Some areas of Info-Tech's IT Management & Governance Framework have higher impacts and require special attention. Plan to include transformation support for each of these topics during your SAFe implementation. SAFe will not fix broken processes on its own.

Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

Source: Scaled Agile, Inc.

Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

• Delivery Manager = Release Train Engineer
• Stakeholder/Sponsor = Product Manager
• Release = Release Train
• Project/Program = Project or Portfolio

SAFe isn't without risks or challenges

Risks and Causes of Failed SAFe Transformations

• SAFe conflicts with legacy cultures and delivery processes.
• SAFe promotes continued top-down decisions, undermining team empowerment.
• Scaled product families are required to define proper value streams.
• Team empowerment and autonomy are reduced.
• SAFe activities are poorly executed.
• There are high training and coaching costs.
• Implementation takes a long time.
• End-to-end delivery management tools aligned to SAFe are required.
• Legacy delivery challenges are not specifically solved with SAFe.
• SAFe is designed to work for large-scale development teams.

Challenges

• Adjusting to a new set of terms for common roles, processes, and activities
• Executing planning cycles
• Defining features and epics at the right level
• Completing adequate requirements
• Defining value streams
• Coordinating releases and release trains
• Providing consistent quality

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Focus on your core competencies instead

Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

Product Delivery

• Agile/DevOps Research Center
• Develop Your Agile Approach for a Successful Transformation
  • Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
• Implement DevOps Practices That Work
  • Streamline business value delivery through the strategic adoption of DevOps practices.

Product Management

• Product Lifecycle Management Research Center
• Make the Case for Product Delivery
  • Align your organization on the practices to deliver what matters most.
• Deliver on Your Digital Product Vision
  • Build a product vision your organization can take from strategy through execution.
• Deliver Digital Products at Scale
  • Deliver value at the scale of your organization through defining enterprise product families.
• Introduce Program Management to Your Organization
  • Use programs to align projects to your strategic goals.
• Optimize IT Project Intake, Approval, and Prioritization
  • Decide which IT projects to approve and when to start them.
• Manage Requirements in an Agile Environment
  • Agile and requirements management are complementary, not competitors.
• Build a Software Quality Assurance Program
  • Build quality into every step of your SDLC.
• Automate Testing to Get More Done
  • Drive software delivery throughput and quality confidence by extending your automation test coverage.
• Application Portfolio Management Foundations
  • Ensure your application portfolio delivers the best possible return on investment.

"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
– "Agile at Scale," Harvard Business Review

Insight Summary

Overarching insight
SAFe is a highly disruptive enterprise transformation, and it will not solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and fast you are willing to transform and make sure that you have the right transformation and coaching partner in place.

SAFe conflicts with core Agile principles.
The popularity of SAFe is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision-making. This directly conflicts with Agile's purpose and principles of empowerment and agility.

SAFe and Agile will not solve enterprise delivery challenges.
Poor culture, processes, governance, and leadership will disrupt any methodology. Many issues with drivers for SAFe could be solved by improving development and release management within current methodologies.

Most organizations should not be using a pure SAFe framework
Few organizations are capable of, or should be, applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

Without an Agile mindset, SAFe will be executed as Waterfall stages using SAFe terminology.
Groups that "Do Agile" are not likely to embrace the behavioral changes needed to make any scaled framework effective. SAFe becomes a series of Waterfall PIs using SAFe terminology.

Your transformation does not start with SAFe.
Start your transition to scaled Agile with a maturity assessment for current delivery practices. Fixing broken process, tools, and teams must be at the heart of your initiative.

Blueprint Deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key Deliverable

SAFe Transformation Playbook

Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

Scaled Agile Readiness Assessment

Conduct the Agile readiness survey. Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

Case Study

Spotify's approach to Agile at scale

INDUSTRY: Digital Media
SOURCE: Unified Communications and Collaborations

Spotify's Scaling Agile Initiative

With rapid user adoption growth (over 15 million active users in under six years), Spotify had to find a way to maintain an Agile mindset across 30+ teams in three different cities, while maintaining the benefits of cross-functional collaboration and flexibility for future growth.

Spotify's Approach

Spotify found a fit-for-purpose way for the organization to increase team autonomy without losing the benefits of cross-team communication from economics of scale. Spotify focused on identifying dependencies that block or slow down work through a mix of reprioritization, reorganization, architectural changes, and technical solutions. The organization embraced dependencies that led to cross-team communication and built in the necessary flexibility to allow Agile to grow with the organization.

Spotify's scaling Agile initiative used interview processes to identify what each team depended on and how those dependencies blocked or slowed the team.

Squad refers to an autonomous Agile release team in this case study.

Case Study

Suncorp instilled dedicated communication streams to ensure cross-role collaboration and culture.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Case Study

Nationwide embraces DevOps and improves software quality.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is one to four calls over the course of one to six weeks.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Supporting Your Agile Journey

Enable Product Agile Delivery Executive Workshop	Develop Your Agile Approach	Spread Best Practices with an Agile Center of Excellence	Implement DevOps Practices That Work	Enable Organization-Wide Collaboration by Scaling Agile
Align and prepare your IT leadership teams. Audience: Senior and IT delivery leadership Size: 8-16 people Time: 7 hours	Tune Agile team practices to fit your organization culture. Audience: Agile pilot teams and subject matter experts (SMEs) Size: 10-20 people Time: 4 days	Leverage Agile thought leadership to expand your best practices. Audience: Agile SMEs and thought leaders Size: 10-20 people Time: 4 days	Build a continuous integration and continuous delivery pipeline. Audience: Product owners (POs) and delivery team leads Size: 10-20 people Time: 4 days	Execute a disciplined approach to rolling out Agile methods. Audience: Agile steering team and SMEs Size: 3-8 people Time: 3 hours

Sample agendas are included in the following sections for each of these topics.

Your Product Transformation Journey

Phase 1

Determine if SAFe Is Right for Your Organization

Phase 1
1.1 Understand where SAFe fits into your delivery methodologies and SDLCs
1.2 Determine if you are ready for SAFe (fit for purpose)

This phase will walk you through the following activities:

• 1.1.1 Define your primary drivers for SAFe.
• 1.1.2 Create your own list of pros and cons of SAFe.
• 1.2.1 Assess your Agile readiness.
• 1.2.2 Define enablers and blockers for scaling Agile delivery.
• 1.2.3 Estimate your SAFe implementation risk.
• 1.2.4 Start your SAFe implementation plan.

This phase involves the following participants:

• Senior leadership
• IT leadership
• Project Management Office
• Delivery managers
• Product managers/owners
• Agile thought leaders and coaches
• Compliance teams leads

Step 1.1

Understand where SAFe fits into your delivery methodologies and SDLCs

Activities
1.1.1 Define your primary drivers for SAFe
1.1.2 Create your own list of pros and cons of SAFe

This step involves the following participants:

• IT leadership
• Delivery managers
• Project management office
• Product owners and managers
• Development team leads
• Portfolio managers
• Architects

Outcomes of this step:

• List of primary drivers for SAFe
• List of pros and cons of SAFe

Agile's Four Core Values

"...while there is value in the items on the right, we value the items on the left more."
– The Agile Manifesto

STOP! If you're not Agile, don't start with SAFe.

Successful SAFe requires an Agile mindset at all levels.

Be aware of common myths around Agile and SAFe

SAFe does not...

1...solve development and communication issues.

2...ensure that you will finish requirements faster.

3...mean that you do not need planning and documentation.

"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)

Info-Tech Insight
SAFe only provides a framework and steps where these issues can be resolved.

The importance of values and principles

Modern development practices (such as Agile, Lean, and DevOps) are based on values and principles. This supports the move away from command-and-control management to self-organizing teams.

Values

• Values represent your team's core beliefs and capture what you want to instill in your team.

Principles

• Principles represent methods for solving a problem or deciding.
• Given that principles are rooted in specifics, they can change more frequently because they are both fallible and conducive to learning.

Consider the guiding principles of your application team

Teams may have their own perspectives on how they deliver value and their own practices for how they do this. These perspectives can help you develop guiding principles for your own team to explain your core values and cement your team's culture. Guiding principles can help you:

• Enable the appropriate environment to foster collaboration within current organizational, departmental, and cultural constraints
• Foster the social needs that will engage and motivate your team in a culture that suits its members
• Ensure that all teams are driven toward the same business and team goals, even if other teams are operating differently
• Build organizational camaraderie aligned with corporate strategies

Info-Tech Insight
Following methodologies by the book can be detrimental if they do not fit your organization's needs, constraints, and culture. The ultimate goal of all teams is to deliver value. Any practices or activities that drive teams away from this goal should be removed or modified.

Review the drivers that are motivating your organization to adopt and scale Agile practices

Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

By not addressing a group's specific needs and drivers, the resulting negative sentiments of its members toward Agile development can affect their ability to see the benefits of Agile and they may return to old habits once the opportunity arises.

Find opportunities in which both business objectives and functional group drivers can be achieved with scaling Agile development. This alignment can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. This assessment can also be used to justify activities that specifically address functional group drivers.

Examples of Motivating Drivers for Scaling Agile

• Improve artifact hand-offs between development and operations.
• Increase collaboration among development teams.
• Reveal architectural and system risks early.
• Expedite the feedback loop from support.
• Improve capacity management.
• Support development process innovation.
• Create a safe environment to discuss concerns.
• Optimize value streams.
• Increase team engagement and comradery.

Exercise 1.1.1 Define your primary drivers for SAFe

30 minutes

• Brainstorm a list of drivers for scaling Agile.
• Build a value canvas to help capture and align team expectations.
• Identify jobs or functions that will be impacted by SAFe.
• List your current pains and gains.
• List the pain relievers and gain creators.
• Identify the deliverable needed for a successful transformation.
• Complete your SAFe value canvas in your SAFe Transformation Playbook.

Enter the results in your SAFe Transformation Playbook.

SAFe Value Canvas Template

Case Study

A public utilities organization steadily lost stakeholder engagement, diminishing product quality.

INDUSTRY: Public Utilities
SOURCE: Info-Tech Expert Interview

Challenge

• The goal of a public utilities organization was to adopt Agile so it could quickly respond to changes and trim costs.
• The organization decided to scale Agile using a structured approach. It began implementation with IT teams that were familiar with Agile principles and leveraged IT seniors as Agile champions. To ensure that Agile principles were widespread, the organization decided to develop a training program with vendor assistance.
• As Agile successes began to be seen, the organization decided to increase the involvement of business teams gradually so it could organically grow the concept within the business.

Results

• Teams saw significant success with many projects because they could easily demonstrate deliverables and clearly show the business value. Over time, the teams used Agile for large projects with complex processing needs.
• Teams continued to deliver small projects successfully, but business engagement waned over time. Some of the large, complex applications they delivered using Agile lacked the necessary functionality and appropriate controls and, in some cases, did not have the ability to scale due to a poor architectural framework. These applications required additional investment, which far exceeded the original cost forecasts.

While Agile and product development are intertwined, they are not the same!

Delivering products does not necessarily require an Agile mindset. However, Agile methods help to facilitate the journey because product thinking is baked into them.

Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

Develop Your Agile Approach for a Successful Transformation

Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

• Delivery Manager = Release Train Engineer
• Stakeholder/Sponsor = Product Manager
• Release = Release Train
• Project/Program = Project or Portfolio

Advantages of successful SAFe implementations

Once SAFe is complete and operational, organizations have seen measurable benefits:

• Multiple frameworks to support different levels of SAFe usage
• Deliberate and consistent planning and coordination
• Coordinating dependencies within value streams
• Reduced time to delivery
• Focus on customers and end users
• Alignment to business goals and value streams
• Increased employee engagement

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Source: "Benefits," Scaled Agile, 2023

SAFe isn't without risks or challenges

Risks and Causes of Failed SAFe Transformations

• SAFe conflicts with legacy cultures and delivery processes.
• SAFe promotes continued top-down decisions, undermining team empowerment.
• Scaled product families are required to define proper value streams.
• Team empowerment and autonomy are reduced.
• SAFe activities are poorly executed.
• There are high training and coaching costs.
• Implementation takes a long time.
• End-to-end delivery management tools aligned to SAFe are required.
• Legacy delivery challenges are not specifically solved with SAFe.
• SAFe is designed to work for large-scale development teams.

Challenges

• Adjusting to a new set of terms for common roles, processes, and activities
• Executing planning cycles
• Defining features and epics at the right level
• Completing adequate requirements
• Defining value streams
• Coordinating releases and release trains
• Providing consistent quality

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023; "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Exercise 1.1.2 Create your own list of the pros and cons of SAFe

1 hour

Enter the results in your SAFe Transformation Playbook

Focus on your core competencies instead

Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

Product Delivery

• Agile/DevOps Research Center
• Develop Your Agile Approach for a Successful Transformation
  • Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
• Implement DevOps Practices That Work
  • Streamline business value delivery through the strategic adoption of DevOps practices.

Product Management

• Product Lifecycle Management Research Center
• Make the Case for Product Delivery
  • Align your organization on the practices to deliver what matters most.
• Deliver on Your Digital Product Vision
  • Build a product vision your organization can take from strategy through execution.
• Deliver Digital Products at Scale
  • Deliver value at the scale of your organization through defining enterprise product families.
• Introduce Program Management to Your Organization
  • Use programs to align projects to your strategic goals.
• Optimize IT Project Intake, Approval, and Prioritization
  • Decide which IT projects to approve and when to start them.
• Managing Requirements in an Agile Environment
  • Agile and requirements management are complementary, not competitors.
• Build a Software Quality Assurance Program
  • Build quality into every step of your SDLC.
• Automate Testing to Get More Done
  • Drive software delivery throughput and quality confidence by extending your automation test coverage.
• Application Portfolio Management Foundations
  • Ensure your application portfolio delivers the best possible return on investment.

"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
- "Agile at Scale," Harvard Business Review

Step 1.2

Determine if you are ready for SAFe (fit for purpose)

Activities
1.2.1 Assess your Agile readiness
1.2.2 Define enablers and blockers for scaling Agile delivery
1.2.3 Estimate your SAFe implementation risk
1.2.4 Start your SAFe implementation plan

This step involves the following participants:

• IT leadership
• Delivery managers
• Project management office
• Product owners and managers
• Development team leads
• Portfolio managers
• Architects

Outcomes of this step:

• Agile Readiness Assessment results
• Enablers and blockers for scaling Agile
• SAFe implementation risk
• SAFe implementation plan

Use CLAIM to guide your Agile journey

Conduct the Agile Readiness Assessment Survey

Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

• Start your journey with a clear understanding of the level of Agile and product maturity throughout your organization.
• Each area that lacks strength should be evaluated further and added to your journey map.

Exercise 1.2.1 Assess your Agile readiness

1 hour

• Open and complete the Agile Readiness Assessment in your playbook or the Excel tool provided.
• Discuss each area's high and low scores to reach a consensus.
• Record your results in your SAFe Transformation Playbook.

Enter the results in Scaled Agile Readiness Assessment.

Exercise 1.2.2 Define enablers and blockers for scaling Agile delivery

1 hour

• Identify and mitigate blockers for scaling Agile in your organization.
  • Identify enablers who will support successful SAFe transformation.
  • Identify blockers who will make the transition to SAFe more difficult.
  • For each blocker, define at least one mitigating step.

Enter the results in your SAFe Transformation Playbook

Estimate your SAFe implementation risk

Exercise 1.2.3 Estimate your SAFe implementation risk

30 minutes

• Determine which description best matches your overall organizational state.
• Enter the results in your SAFe Transformation Playbook.
• Change the text to bold in the cell you selected to describe your current state and/or add a border around the cell.

Enter the results in SAFe Transformation Playbook.

Interpret your SAFe implementation risks

Analyze your highlighted selections and patterns in the rows and columns. Use these factors to inform your SAFe implementation steps and timing.

Build your implementation plan

Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

Plan your transformation.

• Align stakeholders and thought leaders.
• Select an implementation partner.
• Insert critical steps.

Build your SAFe framework.

• Define your target SAFe framework.
• Customize your SAFe framework.
• Establish SAFe governance and reporting.
• Insert critical steps.

Implement SAFe practices.

• Define product families and value streams.
• Conduct SAFe training for:
  • Executive leadership
  • Agile SAFe coaches
  • Practitioners
• Insert critical steps.

For additional help with OCM, please download Master Organizational Change Management Practices.

Exercise 1.2.4 Start your SAFe implementation plan

30 minutes

• Using the high-level SAFE implementation framework, begin building out the critical steps.
• Record the results in your SAFe Transformation Playbook.
• Your playbook is an evergreen document to help guide your implementation. It should be reviewed often.

Enter the results in your SAFe Transformation Playbook

Select an implementation partner

Finding the right SAFe implementation partner is critical to your transformation success.

• Using your previous assessment, align internal and external resources to support your transformation.
• Select a partner who has experience in similar organizations and is aligned with your delivery goals.
• Plan to transition support to internal teams when SAFe practices have stabilized and moved into continuous improvement.
• Augment your transformation partner with internal coaches.
• Plan for a multiyear engagement before SAFe benefits are realized.

Summary of Accomplishments

Your journey begins.

Implementing SAFe is a long, expensive, and difficult process. For some organizations, SAFe provides the balance of leadership-driven prioritization and control with shorter release cycles and time to value. The key is making sure that SAFe is right for you and you are ready for SAFe. Few organizations fit perfectly into one of the SAFe frameworks. Instead, consider fine-tuning and customizing SAFe to meet your needs and gradual transformation.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

Below are sample activities that will be conducted by Info-Tech analysts with your team:

Scaled Agile Delivery Readiness Assessment
This assessment will help identify enablers and blockers in your organizational culture using our CLAIM+G organization transformation model.

SAFE Value Canvas
Use a value campus to define jobs, pains, gains, pain relievers, gain creators, and needed deliverables to help inform and guide your SAFe transformation.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Bibliography

"6 Biggest SAFe Agile Implementation Mistakes to Avoid." Triumph Strategic Consulting, 27 July 2017.

"The 7 Must-Haves for Achieving Scaling Agile Success." The 7 Must-Haves for Achieving Scaling Agile Success.

Ageling, Willem-Jan. "11 Most Common Reasons to Use Scaled Agile Framework (SAFE) and How to Do This With Unscaled Scrum." Medium, Serious Scrum, 26 Jan. 2020.

Agile India, International Conference on Agile and Lean Software Development, 2014.

"Air France - KLM - Agile Adoption with SAFe." Scaled Agile, 28 Nov. 2022.

"Application Development Trends 2019 - Global Survey Report." OutSystems.

"Benefits of SAFe: How It Benefits Organizations." Scaled Agile, 13 Mar. 2023.

Berkowitz, Emma. "The Cost of a SAFe(r) Implementation: CPRIME Blog." Cprime, 30 Jan. 2023.

"Chevron - Adopting SAFe with Remote Workforce." Scaled Agile, 28 Nov. 2022.

"Cisco It - Adopting Agile Development with SAFe." Scaled Agile, 13 Sept. 2022.

"CMS - Business Agility Transformation Using SAFe." Scaled Agile, 13 Sept. 2022.

Crain, Anthony. "4 Biggest Challenges in Moving to Scaled Agile Framework (SAFe)." TechBeacon, 25 Jan. 2019.

"The Essential Role of Communications ." Project Management Institute .

Gardiner, Phil. "SAFe Implementation: 4 Tips for Getting Started." Applied Frameworks, 20 Jan. 2022.

"How Do I Start Implementing SAFe?" Agility in Mind, 29 July 2022.

"How to Masterfully Screw Up Your SAFe Implementation." Wibas Artikel-Bibliothek, 6 Sept. 2022.

"Implementation Roadmap." Scaled Agile Framework, 14 Mar. 2023.

Islam, Ayvi. "SAFe Implementation 101 - The Complete Guide for Your Company." //Seibert/Media, 22 Dec. 2020.

"Johnson Controls - SAFe Implementation Case Study." Scaled Agile, 28 Nov. 2022.

"The New Rules and Opportunities of Business Transformation." KPMG.

"Nokia Software - SAFe Agile Transformation." Scaled Agile, 28 Nov. 2022.

Pichler, Roman. "What Is Product Management?" Romanpichler, 2014.

"Product Documentation." ServiceNow.

"Pros and Cons of Scaled Agile Framework." PremierAgile.

"Pulse of the Profession Beyond Agility." Project Management Institute.

R, Ramki. "Pros and Cons of Scaled Agile Framework (SAFe)." Medium, 3 Mar. 2019.

R, Ramki. "When Should You Consider Implementing SAFe (Scaled Agile Framework)?" Medium, Medium, 3 Mar. 2019.

Rigby, Darrell, Jeff Sutherland, and Andy Noble. "Agile at Scale: How to go from a few teams to hundreds." Harvard Business Review, 2018.

"SAFe Implementation Roadmap." Scaled Agile Framework, Scaled Agile, Inc., 14 Mar. 2023.

"SAFe Partner Cprime: SAFe Implementation Roadmap: Scaled Agile." Cprime, 5 Apr. 2023.

"SAFe: The Good, the Bad, and the Ugly." Project Management Institute.

"Scaled Agile Framework." Wikipedia, Wikimedia Foundation, 29 Mar. 2023.

"Scaling Agile Challenges and How to Overcome Them." PremierAgile.

"SproutLoud - a Case Study of SAFe Agile Planning." Scaled Agile, 29 Nov. 2022.

"Story." Scaled Agile Framework, 13 Apr. 2023.

Sutherland , Jeff. "Scrum: How to Do Twice as Much in Half the Time." Tedxaix, YouTube, 7 July 2014.

Venema, Marjan. "6 Scaled Agile Frameworks - Which One Is Right for You?" NimbleWork, 23 Dec. 2022.

Warner, Rick. "Scaled Agile: What It Is and Why You Need It." High-Performance Low-Code for App Development, OutSystems, 25 Oct. 2019.

Watts, Stephen, and Kirstie Magowan. "The Scaled Agile Framework (SAFE): What to Know and How to Start." BMC Blogs, 9 Sept. 2020.

"What Is SAFe? The Scaled Agile Framework Explained." CIO, 9 Feb. 2021.

"Why Agile Transformations Fail: Four Common Culprits." Planview.

"Why You Should Use SAFe (and How to Find SAFe Training to Help)." Easy Agile.

Y., H. "Story Points vs. 'Ideal Days.'" Cargo Cultism, 19 Aug. 2010.

Bibliography

Enable Organization-Wide Collaboration by Scaling Agile

Ambler, Scott W. "Agile Architecture: Strategies for Scaling Agile Development." Agile Modeling, 2012.

- - -. "Comparing Approaches to Budgeting and Estimating Software Development Projects." AmbySoft.

- - -. "Agile and Large Teams." Dr. Dobb's, 17 Jun 2008.

Ambler, Scott W. and Mark Lines. Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 2012.

Ambler, Scott W., and Mark Lines. "Scaling Agile Software Development: Disciplined Agility at Scale." Disciplined Agile Consortium White Paper Series, 2014.

AmbySoft. "2014 Agile Adoption Survey Results." Scott W. Ambler + Associates, 2014.

Bersin, Josh. "Time to Scrap Performance Appraisals?" Forbes Magazine, 5 June 2013. Accessed 30 Oct. 2013..

Cheese, Peter, et al. " Creating an Agile Organization." Accenture, Oct. 2009. Accessed Nov. 2013..

Croxon, Bruce, et al. "Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'" HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON, 12 Nov. 2013. Panel discussion.

Culbert, Samuel. "10 Reasons to Get Rid of Performance Reviews." Huffington Post Business, 18 Dec. 2012. Accessed 28 Oct. 2013.

Denning, Steve. "The Case Against Agile: Ten Perennial Management Objections." Forbes Magazine, 17 Apr. 2012. Accessed Nov. 2013.

Estis, Ryan. "Blowing up the Performance Review: Interview with Adobe's Donna Morris." Ryan Estis & Associates, 17 June 2013. Accessed Oct. 2013.

Heikkila et al. "A Revelatory Case Study on Scaling Agile Release Planning." EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2010.

Holler, Robert, and Ian Culling. "From Agile Pilot Project to Enterprise-Wide Deployment: Five Sure-Fire Ways To Fail When You Scale." VersionOne, 2010.

Kniberg, Henrik, and Anders Ivarsson, "Scaling Agile @ Spotify," Unified Communications and Collaborations, 2012.

Narayan, Sriram. "Agile IT Organization Design: For Digital Transformation and Continuous Delivery." Addison-Wesley Professional, 2015.

Shrivastava, NK, and Phillip George. "Scaling Agile." RefineM, 2015.

Sirkia, Rami, and Maarit Laanti. "Lean and Agile Financial Planning." Scaled Agile Framework Blog, 2014.

Scaled Agile Framework (SAFe). "Agile Architecture." Scaled Agile Inc., 2015.

VersionOne. 9th Annual: State of Agile Survey. VersionOne, LLC, 2015.

Appendix A: Supporting Info-Tech Research

Transformation topics and supporting research to make your journey easier, with less rework

Supporting research and services

Improving IT Alignment

Build a Business-Aligned IT Strategy
Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.

Create an IT View of the Service Catalog
Unlock the full value of your service catalog with technical components.

Application Portfolio Management Foundations
Ensure your application portfolio delivers the best possible return on investment.

Shifting Toward Agile DevOps

Agile/DevOps Research Center
Access the tools and advice you need to be successful with Agile.

Develop Your Agile Approach for a Successful Transformation
Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

Implement DevOps Practices That Work
Streamline business value delivery through the strategic adoption of DevOps practices.

Perform an Agile Skills Assessment
Being Agile isn't about processes, it's about people.

Define the Role of Project Management in Agile and Product-Centric Delivery
Projects and products are not mutually exclusive.

Shifting Toward Product Management

Make the Case for Product Delivery
Align your organization on the practices to deliver what matters most.

Deliver on Your Digital Product Vision
Build a product vision your organization can take from strategy through execution.

Deliver Digital Products at Scale
Deliver value at the scale of your organization through defining enterprise product families.

Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

Build a Value Measurement Framework
Focus product delivery on business value- driven outcomes.

Improving Value and Delivery Metrics

Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.

Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.

Select and Use SDLC Metrics Effectively
Be careful what you ask for, because you will probably get it.

Reduce Time to Consensus With an Accelerated Business Case
Expand on the financial model to give your initiative momentum.

Improving Governance, Prioritization, and Value

Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.

Maximize Business Value From IT Through Benefits Realization
Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.

Drive Digital Transformation With Platform Strategies
Innovate and transform your business models with digital platforms.

Succeed With Digital Strategy Execution
Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.

Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.

Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.

Improving Requirements Management and Quality Assurance

Requirements Gathering for Small Enterprises
Right-size the guidelines of your requirements gathering process.

Improve Requirements Gathering
Back to basics: great products are built on great requirements.

Build a Software Quality Assurance Program
Build quality into every step of your SDLC.

Automate Testing to Get More Done
Drive software delivery throughput and quality confidence by extending your automation test coverage.

Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.

Create a Business Process Management Strategy
Avoid project failure by keeping the "B" in BPM.

Build a Winning Business Process Automation Playbook
Optimize and automate your business processes with a user-centric approach.

Improving Release Management

Optimize Applications Release Management
Build trust by right-sizing your process using appropriate governance.

Streamline Application Maintenance
Effective maintenance ensures the long-term value of your applications.

Streamline Application Management
Move beyond maintenance to ensure exceptional value from your apps.

Optimize IT Change Management
Right-size IT change management to protect the live environment.

Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.

Improve Application Development Throughput
Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

Improving Business Relationship Management

Embed Business Relationship Management in IT
Show that IT is worthy of Trusted Partner status.

Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

Improving Security

Build an Information Security Strategy
Create value by aligning your strategy to business goals and business risks.

Develop and Deploy Security Policies
Enhance your overall security posture with a defensible and prescriptive policy suite.

Simplify Identity and Access Management
Leverage risk- and role-based access control to quantify and simplify the identity and access management (IAM) process.

Improving and Supporting Business-Managed Applications

Embrace Business-Managed Applications
Empower the business to implement their own applications with a trusted business-IT relationship.

Enhance Your Solution Architecture Practices
Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

Satisfy Digital End Users With Low- and No-Code
Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

Build Your First RPA Bot
Support RPA delivery with strong collaboration and management foundations.

Automate Work Faster and More Easily With Robotic Process Automation
Embrace the symbiotic relationship between the human and digital workforce.

Improving Business Intelligence, Analytics, and Reporting

Modernize Data Architecture for Measurable Business Results
Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice.

Build a Reporting and Analytics Strategy
Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

Build Your Data Quality Program
Quality data drives quality business decisions.

Design Data-as-a-Service
Journey to the data marketplace ecosystems.

Build a Robust and Comprehensive Data Strategy
Learn about the key to building and fostering a data-driven culture.

Build an Application Integration Strategy
Level the table before assembling the application integration puzzle or risk losing pieces.

Appendix B: SDLC Transformation Steps

Waterfall SDLC

Valuable product delivered at the end of an extended project lifecycle, frequently in years

• Business is separated from the delivery of technology it needs. Only one-third of the product is actually valuable (ITRG, N=40,000).
• In Waterfall, a team of experts in specific disciplines hand off different aspects of the lifecycle.
• Document sign-offs are required to ensure integration between silos (Business, Development, and Operations) and individuals.
• A separate change-request process lays over the entire lifecycle to prevent changes from disrupting delivery.
• Tools are deployed to support a specific role (e.g. BA) and seldom integrated (usually requirements <-> test).

Wagile/Agifall/WaterScrumFall SDLC

Valuable product delivered in multiple releases

• Business is more closely integrated by a business product owner, who is accountable for day-to-day delivery of value for users.
• The team collaborates and develops cross-functional skills as they define, design, build, and test code over time.
• Sign-offs are reduced but documentation is still focused on satisfying project delivery and operations policy requirements.
• Change is built into the process to allow the team to respond to change dynamically.
• Tools start to be integrated to streamline delivery (usually requirements and Agile work management tools).

Agile SDLC

Valuable product delivered iteratively: frequency depends Ops' capacity

• Business users are closely integrated through regularly scheduled demos (e.g. every two weeks).
• Team is fully cross-functional and collaborates to plan, define, design, build, and test the code, supported by specialists.
• Documentation is focused on future development and operations needs.
• Change is built into the process to allow the team to respond to change dynamically.
• Automation is explored for application development (e.g. automated regression testing).

Agile With DevOps SDLC

High frequency iterative delivery of valuable product (e.g. every two weeks)

• Business users are closely integrated through regularly scheduled demos.
• Development and operations teams collaborate to plan, define, design, build, test, and deploy code, supported by automation.
• Documentation is focused on supporting users, future changes, and operational support.
• Change is built into the process to allow the team to respond to change dynamically.
• Test, build, deploy process is fully automated. (Service desk is still separated.)

DevOps SDLC

Continuous integration and delivery

• Business users are closely integrated through regularly scheduled demos.
• Fully integrated DevOps team collaborates to plan, define, design, build, test, deploy, and maintain code.
• Documentation is focused on future development and use adoption.
• Change is built into the process to allow the team to respond to change dynamically.
• Development and operations toolchain are fully integrated.

Fully integrated product SDLC

Agile + DevOps + continuous delivery of valuable product on demand

• Business users are fully integrated with the teams through dedicated business product owner.
• Cross-functional teams collaborate across the business and technical life of the product.
• Documentation supports internal and external needs (business, users, operations).
• Change is built into the process to allow the team to respond to change dynamically.
• Toolchain is fully integrated (including service desk).

Appendix C: Understanding Agile Scrum Practices and Ceremonies

Cultural advantages of Agile

Agile* SDLC

With shared ownership instead of silos, we are able to deliver value at the end of every iteration (aka sprint)

Key Elements of the Agile SDLC

• You are not "one and done." There are many short iterations with constant feedback.
• There is an empowered product owner. This is a single authoritative voice who represents stakeholders.
• There is a fluid product backlog. This enables prioritization of requirements "just-in-time."
• There is a cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
• There is working, tested code at the end of each sprint: Value becomes more deterministic along sprint boundaries.
• Stakeholders are allowed to see and use the functionality and provide necessary feedback.
• Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
• There is continuous improvement through sprint retrospectives.
• The virtuous cycle of sprint-demo-feedback is internally governed when done right.

* There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).

Understand the Scrum process

The scrum process coordinates multiple stakeholders to deliver on business priorities.

Understand the ceremonies part of the scrum process

Scrum vs. Kanban: Key differences

Scrum vs. Kanban: When to use each

Scrum

Related or grouped changes are delivered in fixed time intervals.

Use when:

• Coordinating the development or release of related items
• Maturing a product or service
• Coordinating interdependencies between work items

Kanban

Independent items are delivered as soon as each is ready.

Use when:

• Completing work items from ticketing or individual requests
• Completing independent changes
• Releasing changes as soon as possible

Appendix D: Improving Product Management

Product delivery realizes value for your product family

While planning and analysis are done at the family level, work and delivery are done at the individual product level.

Manage and communicate key milestones

Successful product-delivery managers understand and define key milestones in their product-delivery lifecycles. These milestones need to be managed along with the product backlog and roadmap.

Info-Tech Best Practice
Product management is not just about managing the product backlog and development cycles. Teams need to manage key milestones, such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.

A backlog stores and organizes product backlog items (PBIs) at various stages of readiness

A well-formed backlog can be thought of as a DEEP backlog:

Detailed Appropriately: PBIs are broken down and refined as necessary.

Emergent: The backlog grows and evolves over time as PBIs are added and removed.

Estimated: The effort that a PBI requires is estimated at each tier.

Prioritized: A PBI's value and priority are determined at each tier.

Source: Perforce, 2018

Backlog tiers facilitate product planning steps

Ranging from the intake of an idea to a PBI ready for development; to enter the backlog, each PBI must pass through a given quality filter.

Each activity is a variation of measuring value and estimating effort in order to validate and prioritize a PBI.

A PBI successfully completes an activity and moves to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

Use quality filters to ensure focus on the most important PBIs

Expand the concepts of defining "ready" and "done" to include the other stages of a PBI's journey through product planning.

Info-Tech Best Practice
A quality filter ensures that quality is met and the appropriate teams are armed with the correct information to work more efficiently and improve throughput.

Define product value by aligning backlog delivery with roadmap goals

In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

Product roadmaps guide delivery and communicate your strategy

In "Deliver on Your Digital Product Vision," we demonstrate how a product roadmap is core to value realization. The product roadmap is your communicated path. As a product owner, you use it to align teams and changes to your defined goals, as well as your product to enterprise goals and strategy.

Info-Tech Insight
The quality of your product backlog - and your ability to realize business value from your delivery pipeline - is directly related to the input, content, and prioritization of items in your product roadmap.

Info-Tech's approach

Operationally align product delivery to enterprise goals

The Info-Tech Difference

Create a common definition of what a product is and identify the products in your inventory.

Use scaling patterns to build operationally aligned product families.

Develop a roadmap strategy to align families and products to enterprise goals and priorities.

Use products and families to assess value realization.

Passwordless Authentication

Know when you've been beaten!

Executive Summary

Your Challenge

• The IT world is an increasingly dangerous place.
• Every year literally billions of credentials are compromised and exposed on the internet.
• The average employee has between 27 and 191 passwords to manage.
• The line between business persona and personal persona has been blurred into irrelevancy.
• You need a method of authenticating users that is up to these challenges

Common Obstacles

• Legacy systems aside (wouldn't that be nice) this still won't be easy.
• Social inertia – passwords worked before, so surely, they can still work today! Besides, users don't want to change.
• Analysis paralysis – I don't want to get this wrong! How do I choose something that is going to be at the core of my infrastructure for the next 10 years?
• Identity management – how can you fix authentication when people have multiple usernames?

Info-Tech's Approach

• Inaction is not an option.
• Most commercial, off-the-shelf apps are moving to a SaaS model, so start your efforts with them.
• Your existing vendors already have technologies you are underusing or ignoring – stop that!
• Your users want this change – they just might not know it yet…
• Much like zero trust network access, the journey is more important than the destination. Incremental steps on the path toward passwordless authentication will still yield significant benefits.

Info-Tech Insight

Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.

Password Security Fallacy

"If you buy the premise…you buy the bit."
Johnny Carson

We've had plenty of time to see this coming.

Why haven't we done something?

• Passwords are a 1970s construct.
• End-users are complexity averse.
• Credentials are leaked all the time.
• New technologies will defeat even the most complex passwords.

Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."

Be ready for some objection handling!

Image courtesy of Microsoft

RSA Conference, 2004
San Francisco, CA

"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
Bill Gates

What about "strong" passwords?

There has been a password arms race going on since 1988

A massive worm attack against ARPANET prompted the initial research into password strength

Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.

Table: Modern password security for users
Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects

From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

How many passwords??

XKCD Comic #936 (published in 2011)

Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)

It turns out that humans however are really bad at remembering complex passwords.

An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.

PEBKAC
Problem Exists Between Keyboard and Chair

Increasing entropy is the wrong way to fight this battle – which is good because we'd lose anyway.

Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.

3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!

The entirety of the password ecosystem has significant vulnerabilities in multiple areas:

• Unencrypted server- and client-side storage
• Sharing
• Reuse
• Phishing
• Keylogging
• Question-based resets

Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.

Source: Google, University of California, Berkeley, International Computer Science Institute

Enabling Technologies

"Give me a place to stand, and a lever long enough, and I will move the world."
Archimedes

Technology gives us (too many) options

The time to prototype is NOW!

Chances are you are already paying for one or more of these technologies from a current vendor:

• SSO, password managers
• Conditional access
• Multifactor
• Hardware tokens
• Biometrics
• PINs

Address all three factors of authentication

• Something the user knows
• Something the user has
• Something the user is

Global Market of $12.8B
~16.7% CAGR
Source: Report Linker, 2022.

Focus your prototype efforts in four key testing areas

• Deployment
• User adoption/training
• Architecture (points of failure)
• Disaster recovery

Three factors for positive identification

Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.

Something you know Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords. Something you have A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision. Something you are or do Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy. Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.

Prototype testing criteria

Deployment

Does the solution support the full variety of end-user devices you have in use?

Can the solution be configured with your existing single sign-on or central identity broker?

User Experience

Users already want a better experience than passwords.

What new behavior are you expecting (compelling) from the user?

How often and under what conditions will that behavior occur?

Architecture

Where are the points of failure in the solution?

Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.

Disaster Recovery

Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.

As many solutions are based in the public cloud, manage stakeholder expectations accordingly.

Next Steps

"Move the goalposts…and declare victory."
Informal Fallacy (yet very effective…)

It is more a direction than a destination…

Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.

You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:

• Start in the cloud:
• Choose a single sign-on platform such as Azure Active Directory, Okta, Auth0, AWS IAM, TruSONA, HYPR, or others. Document Your Cloud Strategy.
• Integrate the SaaS applications from your portfolio with your chosen platform.
• Establish visibility and rationalize identity management:
  • Accounts with elevated privileges present the most risk – evaluate your authentication factors for these accounts first.
  • There is elegance (and deployment success) in Simplifying Identity & Access Management.
• Pay your tech debt:
  • Legacy apps that don't even support SAML are going to have to be upgraded or isolated.
  • Recoding an application can easily take 6-12 months of work – prioritize this when Building an Application Rationalization Framework.

Fast IDentity Online (2) is now part of the web's DNA and is critical for digital transformation

• IoT
• Anywhere remote work
• Government identity services
• Digital wallets

Bibliography

"Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022.Web.
G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
"The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
"What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.

Build a Service Desk Consolidation Strategy

Manage the dark side of growth.

ANALYST PERSPECTIVE

A successful service desk consolidation begins and ends with people.

"It’s tempting to focus strategic planning on the processes and technology that will underpin the consolidated service desk. Consistent processes and a reliable tool will cement the consolidation, but they are not what will hold you back.

The most common barrier to a successful consolidation is workforce resistance to change. Cultural difference, perceived risks, and organizational inertia can hinder data gathering, deter collaboration, and impede progress from the start.

Building a consolidated service desk is first and foremost an exercise in organizational change. Garner executive support for the project, enlist a team of volunteers to lead the change, and communicate with key stakeholders early and often. The key is to create a shared vision for the project and engage those who will be most affected."

Sandi Conrad

Senior Director, Infrastructure Practice

Info-Tech Research Group

Our understanding of the problem

This Research is Designed For:

• CIOs who need to reduce support costs and improve customer service.
• IT leaders tasked with the merger of two or more IT organizations.
• Service managers implementing a shared service desk tool.
• Organizations rationalizing IT service management (ITSM) processes.

This Research Will Help You:

• Develop a shared vision for the consolidated service desk.
• Assess key metrics and report on existing service desk architecture.
• Design a target service desk architecture and assess how to meet the new requirements.
• Deploy a strategic roadmap to build the consolidated service desk architecture.

Executive summary

Situation

Every organization must grow to survive. Good growth makes an organization more agile, responsive, and competitive, which leads to further growth.

The proliferation of service desks is a hallmark of good growth when it empowers the service of diverse end users, geographies, or technologies.

Complication

Growth has its dark side. Bad growth within a business can hinder agility, responsiveness, and competitiveness, leading to stagnation.

Supporting a large number of service desks can be costly and inefficient, and produce poor or inconsistent customer service, especially when each service desk uses different ITSM processes and technologies.

Resolution

Manage the dark side of growth. Consolidating service desks can help standardize ITSM processes, improve customer service, improve service desk efficiency, and reduce total support costs. A consolidation is a highly visible and mission critical project, and one that will change the public face of IT. Organizations need to get it right.

Building a consolidated service desk is an exercise in organizational change. The success of the project will hinge on how well the organization engages those who will be most affected by the change. Build a guiding coalition for the project, create a shared vision, enlist a team of volunteers to lead the change, and communicate with key stakeholders early and often.

Use a structured approach to facilitate the development of a shared strategic vision, design a detailed consolidated architecture, and anticipate resistance to change to ensure the organization reaps project benefits.

Info-Tech Insight

1. Every step should put people first. It’s tempting to focus the strategy on designing processes and technologies for the target architecture. However, the most common barrier to success is workforce resistance to change.
2. A consolidated service desk is an investment, not a cost-reduction program. Focus on efficiency, customer service, and end-user satisfaction. Cost savings, and there will be many, should be seen as an indirect consequence of the pursuit of efficiency and customer service.

Focus the service desk consolidation project on improving customer service to overcome resistance to change

Emphasizing cost reduction as the most important motivation for the consolidation project is risky.

End-user satisfaction is a more reliable measure of a successful consolidation.

• Too many variables affect the impact of the consolidation on the operating costs of the service desk to predict the outcome reliably.
• Potential reductions in costs are unlikely to overcome organizational resistance to change.
• Successful service desk consolidations can increase ticket volume as agents capture tickets more consistently and increase customer service.

The project will generate many cost savings, but they will take time to manifest, and are best seen as an indirect consequence of the pursuit of customer service.

Info-Tech Insight

Business units facing a service desk consolidation are often concerned that the project will lead to a loss of access to IT resources. Focus on building a customer-focused consolidated service desk to assuage those fears and earn their support.

End users, IT leaders, and process owners recognize the importance of the service desk.

2nd out of 45

On average, IT leaders and process owners rank the service desk 2nd in terms of importance out of 45 core IT processes. Source: Info-Tech Research Group, Management and Governance Diagnostic (2015, n = 486)

42.1%

On average, end users who were satisfied with service desk effectiveness rated all other IT services 42.1% higher than dissatisfied end users. Source: Info-Tech Research Group, End-User Satisfaction Survey 2015, n = 133)

38.0%

On average, end users who were satisfied with service desk timeliness rated all other IT services 38.0% higher than dissatisfied end users. Source: Info-Tech Research Group, End-User Satisfaction Survey (2015, n = 133)

Overcome the perceived barriers from differing service unit cultures to pursue a consolidated service desk (CSD)

In most organizations, the greatest hurdles that consolidation projects face are related to people rather than process or technology.

In a survey of 168 service delivery organizations without a consolidated service desk, the Service Desk Institute found that the largest internal barrier to putting in place a consolidated service desk was organizational resistance to change.

Specifically, more than 56% of respondents reported that the different cultures of each service unit would hinder the level of collaboration such an initiative would require.

Service Desk Institute (n = 168, 2007)

Info-Tech Insight

Use a phased approach to overcome resistance to change. Focus on quick-win implementations that bring two or three service desks together in a short time frame and add additional service desks over time.

Avoid the costly proliferation of service desks that can come with organizational growth

Good and bad growth

Every organization must grow to survive, and relies heavily on its IT infrastructure to do that. Good growth makes an organization more agile, responsive, and competitive, and leads to further growth.

However, growth has its dark side. Bad growth hobbles agility, responsiveness, and competitiveness, and leads to stagnation.

As organizations grow organically and through mergers, their IT functions create multiple service desks across the enterprise to support:

• Large, diverse user constituencies.
• Rapidly increasing call volumes.
• Broader geographic coverage.
• A growing range of products and services.

A hallmark of bad growth is the proliferation of redundant and often incompatible ITSM services and processes.

Project triggers:

• Organizational mergers
• ITSM tool purchase
• Service quality or cost-reduction initiatives

Challenges arising from service desk proliferation:

Consolidate service desks to integrate the resources, processes, and technology of your support ecosystem

What project benefits can you anticipate?

• Consolidated Service Desk
  • End-user group #1
  • End-user group #2
  • End-user group #3
  • End-user group #4

A successful consolidation can significantly reduce cost per transaction, speed up service delivery, and improve the customer experience through:

• Single point of contact for end users.
• Integrated ITSM solution where it makes sense.
• Standardized processes.
• Staffing integration.

Standardized and consolidated service desks will optimize infrastructure, services, and resources benefits

• To set up a functioning service desk, the organization will need to invest resources to build and integrate tier 1, tier 2, and tier 3 capabilities to manage incidents and requests.
• The typical service desk (Figure 1) can address a certain number of tickets from all three tiers. If your tickets in a given tier are less than that number, you are paying for 100% of service costs but consuming only a portion of it.
• The consolidated model (Figure 2) reduces the service cost by reducing unused capacity.
• Benefits of consolidation include a single service desk solution, a single point of contact for the business, data integration, process standardization, and consolidated administration, reporting, and management.

Info-Tech’s approach to service desk consolidation draws on key metrics to establish a baseline and a target state

The foundation of a successful service desk consolidation initiative is a robust current state assessment. Given the project’s complexity, however, determining the right level of detail to include in the evaluation of existing service desks can be challenging.

The Info-Tech approach to service desk consolidation includes:

• Envisioning exercises to set project scope and garner executive support.
• Surveys and interviews to identify the current state of people, processes, technologies, and service level agreements (SLAs) in each service desk, and to establish a baseline for the consolidated service desk.
• Service desk comparison tools to gather the results of the current state assessment for analysis and identify current best practices for migration to the consolidated service desk.
• Case studies to illustrate the full scope of the project and identify how different organizations deal with key challenges.

The project blueprint walks through a method that helps identify which processes and technologies from each service desk work best, and it draws on them to build a target state for the consolidated service desk.

Inspiring your target state from internal tools and best practices is much more efficient than developing new tools and processes from scratch.

Info-Tech Insight

The two key hurdles that a successful service desk consolidation must overcome are organizational complexity and resistance to change.

Effective planning during the current state assessment can overcome these challenges.

Identify existing best practices for migration to the consolidated service desk to foster agent engagement and get the consolidated service desk up quickly.

A consolidation project should include the following steps and may involve multiple transition phases to complete

Phase 1: Develop a Shared Vision

• Identify stakeholders
• Develop vision
• Measure baseline

Phase 2: Design the Consolidation

• Design target state
• Assess gaps to reach target
• Assess logistics and cost

Phase 3: Plan the Transition

• Develop project plan and roadmap
• Communicate changes
• Make the transition
  • Evaluate and prepare for next transition phase (if applicable)
  • Evaluate and stabilize
    • CSI

Whether or not your project requires multiple transition waves to complete the consolidation depends on the complexity of the environment.

For a more detailed breakdown of this project’s steps and deliverables, see the next section.

Follow Info-Tech’s methodology to develop a service desk consolidation strategy

Service desk consolidation is the first of several optimization projects focused on building essential best practices

Info-Tech’s Service Desk Methodology aligns with the ITIL framework

Extend

Facilitate the extension of service management best practices to other business functions to improve productivity and position IT as a strategic partner.

Standardize

Build essential incident, service request, and knowledge management processes to create a sustainable service desk that meets business needs.

Improve

Build a continual improvement plan for the service desk to review and evaluate key processes and services, and manage the progress of improvement initiatives.

Adopt Lean

Build essential incident, service request, and knowledge management processes to create a sustainable service desk that boosts business value.

Select and Implement

Review mid-market and enterprise service desk tools, select an ITSM solution, and build an implementation plan to ensure your investment meets your needs.

Consolidate

Build a strategic roadmap to consolidate service desks to reduce end-user support costs and sustain end-user satisfaction.

Our Approach to the Service Desk

Service desk optimization goes beyond the blind adoption of best practices.

Info-Tech’s approach focuses on controlling support costs and making the most of IT’s service management expertise to improve productivity.

Complete the projects sequentially or in any order.

Info-Tech draws on the COBIT framework, which focuses on consistent delivery of IT services across the organization

Oxford University IT Service Desk successfully undertook a consolidation project to merge five help desks into one

CASE STUDY

Industry: Higher Education

Source: Oxford University, IT Services

Background

Until 2011, three disparate information technology organizations offered IT services, while each college had local IT officers responsible for purchasing and IT management.

ITS Service Desk Consolidation Project

Oxford merged the administration of these three IT organizations into IT Services (ITS) in 2012, and began planning for the consolidation of five independent help desks into a single robust service desk.

Complication

The relative autonomy of the five service desks had led to the proliferation of different tools and processes, licensing headaches, and confusion from end users about where to acquire IT service.

Oxford University IT at a Glance

• One of the world’s oldest and most prestigious universities.
• 36 colleges with 100+ departments.
• Over 40,000 IT end users.
• Roughly 350 ITS staff in 40 teams.
• 300 more distributed IT staff.
• Offers more than 80 services.

Help Desks:

• Processes → Business Services & Projects
• Processes → Computing Services
• Processes → ICT Support Team

"IT Services are aiming to provide a consolidated service which provides a unified and coherent experience for users. The aim is to deliver a ‘joined-up’ customer experience when users are asking for any form of help from IT Services. It will be easier for users to obtain support for their IT – whatever the need, service or system." – Oxford University, IT Services

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Build a Service Desk Consolidation Strategy – project overview

Info-Tech delivers: Use our tools and templates to accelerate your project to completion

• Service Desk Assessment Tool (Excel)
• Executive Presentation (PowerPoint)
• Service Desk Scorecard Comparison Tool (Excel)
• Service Desk Efficiency Calculator (Excel)
• Service Desk Consolidation Roadmap (Excel)
• Service Desk Consolidation TCO Tool (Excel)
• Communications and Training Plan (Word)
• Consolidation News Bulletin & FAQ Template (PowerPoint)

Measured value for Guided Implementations (GIs)

Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Insight breakdown

Phase 1 Insight

Don’t get bogged down in the details. A detailed current state assessment is a necessary first step for a consolidation project, but determining the right level of detail to include in the evaluation can be challenging. Gather enough data to establish a baseline and make an informed decision about how to consolidate, but don’t waste time collecting and evaluating unnecessary information that will only distract and slow down the project, losing management interest and buy-in.

How we can help

Leverage the Consolidate Service Desk Assessment Tool to gather the data you need to evaluate your existing service desks.

Phase 2 Insight

Select the target state that is right for your organization. Don’t feel pressured to move to a complete consolidation with a single point of contact if it wouldn’t be compatible with your organization’s needs and abilities, or if it wouldn’t be adopted by your end users. Design an appropriate level of standardization and centralization for the service desk and reinforce and improve processes moving forward.

How we can help

Leverage the Consolidate Service Desk Scorecard Tool to analyze the gap between your existing processes and your target state.

Phase 3 Insight

Getting people on board is key to the success of the consolidation, and a communication plan is essential to do so. Develop targeted messaging for each stakeholder group, keeping in mind that your end users are just as critical to success as your staff. Know your audience, communicate to them often and openly, and ensure that every communication has a purpose.

How we can help

Leverage the Communications Plan and Consolidation News Bulletin & FAQ Template to plan your communications.

Phase 1

Develop a Shared Vision

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Develop shared vision

Proposed Time to Completion (in weeks): 4-8

Step 1.1: Identify and engage key stakeholders

Discuss with an analyst:

• Build the project team and define their roles and responsibilities
• Identify key stakeholders and formulate an engagement plan

Then complete these activities…

• Assign project roles and responsibilities
• Identify key stakeholders
• Formalize an engagement plan and conduct interviews

With these tools & templates:

Stakeholder Engagement Workbook

Step 1.2: Develop a vision to give the project direction

Discuss with an analyst:

• Develop an executive visioning session plan to formulate and get buy-in for the goals and vision of the consolidation

Then complete these activities…

• Host an executive visioning exercise to define the scope and goals of the consolidation

With these tools & templates:

Consolidate Service Desk Executive Presentation

Step 1.3: Conduct a full assessment of each service desk

Discuss with an analyst:

• Use diagnostics results and the service desk assessment tool to evaluate the maturity and environment of each service desk
• Assess agent skills, satisfaction, roles and responsibilities

Then complete these activities…

• Analyze organizational structure
• Assess maturity and environment of each service desk
• Assess agent skills and satisfaction

With these tools & templates:

Consolidate Service Desk Assessment Tool

IT Skills Inventory and Gap Assessment Tool

Phase 1 Outcome:

• A common vision for the consolidation initiative, an analysis of existing service desk architectures, and an inventory of existing best practices.

Step 1.1: Get buy-in from key stakeholders

Phase 1

Develop a shared vision

1.1 Identify and engage key stakeholders

1.2 Develop a vision to give the project direction

1.3 Conduct a full assessment of each service desk

This step will walk you through the following activities:

• 1.1.1 Assign roles and responsibilities
• 1.1.2 Identify key stakeholders for the consolidation
• 1.1.3 Conduct stakeholder interviews to understand needs in more depth, if necessary

This step involves the following participants:

• Project Sponsor
• CIO or IT Director
• Project Manager
• IT Managers and Service Desk Manager(s)

Step Outcomes:

• A project team with clearly defined roles and responsibilities
• A list of key stakeholders and an engagement plan to identify needs and garner support for the change

Oxford consulted with people at all levels to ensure continuous improvement and new insights

CASE STUDY

Industry: Higher Education

Source: Oxford University, IT Services

Motivation

The merging of Oxford’s disparate IT organizations was motivated primarily to improve end-user service and efficiency.

Similarly, ITS positioned the SDCP as an “operational change,” not to save costs, but to provide better service to their customers.

"The University is quite unique in the current climate in that reduction in costs was not one of the key drivers behind the project. The goal was to deliver improved efficiencies and offer a single point of contact for their user base." – Peter Hubbard, ITSM Consultant Pink Elephant

Development

Oxford recognized early that they needed an open and collaborative environment to succeed.

Key IT and business personnel participated in a “vision workshop” to determine long- and short-term objectives, and to decide priorities for the consolidated service desk.

"Without key support at this stage many projects fail to deliver the expected outcomes. The workshop involved the key stakeholders of the project and was deemed a successful and positive exercise, delivering value to this stage of the project by clarifying the future desired state of the Service Desk." – John Ireland, Director of Customer Service & Project Sponsor

Deployment

IT Services introduced a Service Desk Consolidation Project Blog very early into the project, to keep everyone up-to-date and maintain key stakeholder buy-in.

Constant consultation with people at all levels led to continuous improvement and new insights.

"We also became aware that staff are facing different changes depending on the nature of their work and which toolset they use (i.e. RT, Altiris, ITSM). Everyone will have to change the way they do things at least a little – but the changes depend on where you are starting from!" – Jonathan Marks, Project Manager

Understand and validate the consolidation before embarking on the project

Define what consolidation would mean in the context of your organization to help validate and frame the scope of the project before proceeding.

What is service desk consolidation?

Service desk consolidation means combining multiple service desks into one centralized, single point of contact.

• Physical consolidation = personnel and assets are combined into a single location
• Virtual consolidation = service desks are combined electronically

Consolidation must include people, process, and technology:

1. Consolidation of some or all staff into one location
2. Consolidation of processes into a single set of standardized processes
3. One consolidated technology platform or ITSM tool

Consolidation can take the form of:

1. Merging multiple desks into one
2. Collapsing multiple desks into one
3. Connecting multiple desks into a virtual desk
4. Moving all desks to one connected platform

Service Desk 1 - Service Desk 2 - Service Desk 3

↓

Consolidated Service Desk

Info-Tech Insight

Consolidation isn’t for everyone.

Before you embark on the project, think about unique requirements for your organization that may necessitate more than one service desk, such as location-specific language. Ask yourself if consolidation makes sense for your organization and would achieve a benefit for the organization, before proceeding.

1.1 Organize and build the project team to launch the project

Solidify strong support for the consolidation and get the right individuals involved from the beginning to give the project the commitment and direction it requires.

Project Sponsor

• Has direct accountability to the executive team and provides leadership to the project team.
• Legitimatizes the consolidation and provides necessary resources to implement the project.
• Is credible, enthusiastic, and understands the organization’s culture and values.

Steering Committee

• Oversees the effort.
• Ensures there is proper support from the organization and provides resources where required.
• Resolves any conflicts.

Core Project Team

• Full-time employees drawn from roles that are critical to the service desk, and who would have a strong understanding of the consolidation goals and requirements.
• Ideal size: 6-10 full-time employees.
• May include roles defined in the next section.

Involve the right people to drive and facilitate the consolidation

Service desk consolidations require broad support and capabilities beyond only those affected in order to deal with unforeseen risks and barriers.

• Project manager: Has primary accountability for the success of the consolidation project.
• Senior executive project sponsor: Needed to “open doors” and signal organization’s commitment to the consolidation.
• Technology SMEs and architects: Responsible for determining and communicating requirements and risks of the technology being implemented or changed, especially the ITSM tool.
• Business unit leads: Responsible for identifying and communicating impact on business functions, approving changes, and helping champion change.
• Product/process owners: Responsible for identifying and communicating impact on business functions, approving changes, and helping champion change.
• HR specialists: Most valuable when roles and organizational design are affected, i.e. the consolidation requires staff redeployment or substantial training (not just using a new system or tool but acquiring new skills and responsibilities) or termination.
• Training specialists: If you have full-time training staff in the organization, you will eventually need them to develop training courses and material. Consulting them early will help with scoping, scheduling, and identifying the best resources and channels to deliver the training.
• Communications specialists (internal): Valuable in crafting communications plan, required if communications function owns internal communications.

Use a RACI table (e.g. in the following section) to clarify who is to be accountable, responsible, consulted, and informed.

Info-Tech Insight

The more transformational the change, the more it will affect the organizational chart – not just after the implementation but through the transition.

Take time early in the project to define the reporting structure for the project/transition team, as well as any teams and roles supporting the transition.

Assign roles and responsibilities

1.1.1 Use a RACI chart to assign overarching project responsibilities

Participants

• Project Sponsor
• IT Director, CIO
• Project Manager
• IT Managers and Service Desk Manager(s)

What You'll Need

• RACI chart

RACI = Responsible, Accountable, Consulted, Informed

The RACI chart will provide clarity for overarching roles and responsibilities during the consolidation.

1. Confirm and modify the columns to match the stakeholders in your organization.
2. Confirm and modify the roles listed as rows if there are obvious gaps or opportunities to consolidate rows.
3. Carefully analyze and document the roles as a group.

Identify key stakeholders to gather input from the business, get buy-in for the project, and plan communications

Identify the key stakeholders for the consolidation to identify the impact consolidation will have on them and ensure their concerns don’t get lost.

1. Use a stakeholder analysis to identify the people that can help ensure the success of your project.
2. Identify an Executive Sponsor
   • A senior-level project sponsor is someone who will champion the consolidation project and help sell the concept to other stakeholders. They can also ensure that necessary financial and human resources will be made available to help secure the success of the project. This leader should be someone who is credible, tactful, and accessible, and one who will not only confirm the project direction but also advocate for the project.

Why is a stakeholder analysis essential?

• Ignoring key stakeholders is an important cause of failed consolidations.
• You can use the opinions of the most influential stakeholders to shape the project at an early stage.
• Their support will secure resources for the project and improve the quality of the consolidation.
• Communicating with key stakeholders early and often will ensure they fully understand the benefits of your project.
• You can anticipate the reaction of key stakeholders to your project and plan steps to win their support.

Info-Tech Insight

Be diverse and aware. When identifying key stakeholders for the project, make sure to include a rich diversity of stakeholder expertise, geography, and tactics. Also, step back and add silent members to your list. The loudest voices and heaviest campaigners are not necessarily your key stakeholders.

Identify key stakeholders for the consolidation

1.1.2 Identify project stakeholders, particularly project champions

Participants

• CIO/IT Director
• Project Sponsor
• Project Manager
• IT Managers

What You’ll Need

• Whiteboard or flip chart and markers

Goal: Create a prioritized list of people who are affected or can affect your project so you can plan stakeholder engagement and communication.

• Use an influence/commitment matrix to determine where your stakeholders lie.
• High influence, high commitment individuals should be used in conjunction with your efforts to help bring others on board. Identify these individuals and engage with them immediately.
• Beware of the high influence, low commitment individuals. They should be the first priority for engagement.
• High commitment, low influence individuals can be used to help influence the low influence, low commitment individuals. Designate a few of these individuals as “champions” to help drive engagement on the front lines.

Outcome: A list of key stakeholders to include on your steering committee and your project team, and to communicate with throughout the project.

Overcome the value gap by gathering stakeholder concerns

Simply identifying and engaging your stakeholders is not enough. There needs to be feedback: talk to your end users to ensure their concerns are heard and determine the impact that consolidation will have on them. Otherwise, you risk leaving value on the table.

• Talk to the business end users who will be supported by the consolidated service desk.
• What are their concerns about consolidation?
• Which functions and services are most important to them? You need to make sure these won't get lost.
• Try to determine what impact consolidation will have on them.

According to the Project Management Institute, only 25% of individuals fully commit to change. The remaining 75% either resist or simply accept the change. Gathering stakeholder concerns is a powerful way to gain buy-in.

Collect relevant quantitative and qualitative data to assess key stakeholders’ perceptions of IT across the organization

Don’t base your consolidation on a hunch. Gather reliable data to assess the current state of IT.

Solicit direct feedback from the organization to gain critical insights into their perceptions of IT.

• CIO Business Vision: Understanding the needs of your stakeholders is the first and most important step in building a consolidation strategy. Use the results of this survey to assess the satisfaction and importance of different IT services.
• End-User Satisfaction: Solicit targeted department feedback on core IT service capabilities, IT communications, and business enablement. Use the results to assess the satisfaction of end users with each service broken down by department and seniority level.

We recommend completing at least the End-User Satisfaction survey as part of your service desk consolidation assessment and planning. An analyst will help you set up the diagnostic and walk through the report with you.

To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).

Data-Driven Diagnostics:

End-User Satisfaction Survey

CIO Business Vision

Review the results of your diagnostics in step 1.3

Formalize an engagement plan to cultivate support for the change from key stakeholders

Use Info-Tech’s Stakeholder Engagement Workbook to formalize an engagement strategy

If a more formal engagement plan is required for this project, use Info-Tech’s Stakeholder Engagement Workbook to document an engagement strategy to ensure buy-in for the consolidation.

The engagement plan is a structured and documented approach for gathering requirements by eliciting input and validating plans for change and cultivating sponsorship and support from key stakeholders early in the project lifecycle.

The Stakeholder Engagement Workbook situates stakeholders on a grid that identifies which ones have the most interest in and influence on your project, to assist you in developing a tailored engagement strategy.

You can also use this analysis to help develop a communications plan for each type of stakeholder in step 3.2.

Conduct stakeholder interviews to understand needs in more depth, if necessary

1.1.3 Interview key stakeholders to identify needs

• If the consolidation will be a large and complex project and there is a need to understand requirements in more depth, conduct stakeholder interviews with “high-value targets” who can help generate requirements and promote communication around requirements at a later point.
• Choose the interview method that is most appropriate based on available resources.

Step 1.2: Develop a vision to give the project direction

Phase 1

Develop a shared vision

1.1 Get buy-in from key stakeholders

1.2 Develop a vision to give the project direction

1.3 Conduct a full assessment of each service desk

This step will walk you through the following activities:

• 1.2.1 Brainstorm desired attributes for the consolidated service desk to start formulating a vision
• 1.2.2 Develop a compelling vision and story of change
• 1.2.3 Create a vision for the consolidated service desk
• 1.2.4 Identify the purpose, goals, and guiding principles of the consolidation project
• 1.2.5 Identify anticipated benefits and associated KPIs
• 1.2.6 Conduct a SWOT analysis on the business

This step involves the following participants:

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)
• Business Executives

Step outcomes

A shared vision for the consolidated service desk that:

• Defines the scope of the consolidation
• Encompasses the goals and guiding principles of the project
• Identifies key attributes of the consolidated service desk and anticipated benefits it will bring
• Is documented in an executive presentation

Hold an executive visioning session to kick off the project

A major change such as service desk consolidation requires a compelling vision to engage staff and motivate them to comprehend and support the change.

After identifying key stakeholders, gather them in a visioning session or workshop to establish a clear direction for the project.

An executive visioning session can take up to two days of focused effort and activities with the purpose of defining the short and long-term view, objectives, and priorities for the new consolidated service desk.

The session should include the following participants:

• Key stakeholders identified in step 1.1, including:
  • IT management and CIO
  • Project sponsor
  • Business executives interested in the project

The session should include the following tasks:

• Identify and prioritize the desired outcome for the project
• Detail the scope and definition of the consolidation
• Identify and assess key problems and opportunities
• Surface and challenge project assumptions
• Clarify the future desired state of the service desk
• Determine how processes, functions, and systems are to be included in a consolidation analysis
• Establish a degree of ownership by senior management

The activities throughout this step are designed to be included as part of the visioning session

Choose the attributes of your desired consolidated service desk

Understand what a model consolidated service desk should look like before envisioning your target consolidated service desk.

A consolidated service desk should include the following aspects:

• Handles all customer contacts – including internal and external users – across all locations and business units
• Provides a single point of contact for end users to submit requests for help
• Handles both incidents and service requests, as well as any additional relevant ITIL modules such as problem, change, or asset management
• Consistent, standardized processes and workflows
• Single ITSM tool with workflows for ticket handling, prioritization, and escalations
• Central data repository so that staff have access to all information needed to resolve issues quickly and deliver high-quality service, including:
  • IT infrastructure information (such as assets and support contracts)
  • End-user information (including central AD, assets and products owned, and prior interactions)
  • Knowledgebase containing known resolutions and workarounds

Consolidated Service Desk

• Service Desk 1
• Service Desk 2
• Service Desk 3
• Consolidated staff
• Consolidated ITSM tool
• Consolidated data repository

Brainstorm desired attributes for the consolidated service desk to start formulating a vision

1.2.1 Identify the type of consolidation and desired service desk attributes

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)
• Other interested business executives

What You'll Need

• Whiteboard or flip chart and markers

Document

Document in the Consolidate Service Desk Executive Presentation, slide 6.

Brainstorm the model and attributes of the target consolidated service desk. You will use this to formulate a vision and define more specific requirements later on.

1. Identify the type of consolidation: virtual, physical, or hybrid (both)
2. Identify the level of consolidation: partial (some service desks consolidated) or complete (all service desks consolidated)

3. As a group, brainstorm and document a list of attributes that the consolidated service desk should have.

Examples:

• Single point of contact for all users
• One ITSM tool with consistent built-in automated workflows
• Well-developed knowledgebase
• Self-serve portal for end users with ability to submit and track tickets
• Service catalog

Develop a compelling vision and story of change

1.2.2 Use a vision table to begin crafting the consolidation vision

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)
• Other interested business executives

What You'll Need

• Whiteboard or flip chart and markers

Document

Document in the Consolidate Service Desk Executive Presentation, slide 7.

Build desire for change.

In addition to standard high-level scope elements, consolidation projects that require organizational change also need a compelling story or vision to influence groups of stakeholders.

Use the vision table below to begin developing a compelling vision and story of change.

Develop a vision to inspire and sustain leadership and commitment

Vision can be powerful but is difficult to craft. As a result, vision statements often end up being ineffective (but harmless) platitudes.

A service desk consolidation project requires a compelling vision to energize staff and stakeholders toward a unified goal over a sustained period of time.

Great visions:

• Tell a story. They describe a journey with a beginning (who we are and how we got here) and a destination (our goals and expected success in the future).
• Convey an intuitive sense of direction (or “spirit of change”) that helps people act appropriately without being explicitly told what to do.
• Appeal to both emotion and reason to make people want to be part of the change.
• Balance abstract ideas with concrete facts. Without concrete images and facts, the vision will be meaninglessly vague. Without abstract ideas and principles, the vision will lack power to unite people and inspire broad support.
• Are concise enough to be easy to communicate and remember in any situation.

Info-Tech Insight

Tell a story. Stories pack a lot of information into few words. They are easy to write, remember, and most importantly – share. It’s worth spending a little extra time to get the details right.

Create a vision for the consolidated service desk

1.2.3 Tell a story to describe the consolidated service desk vision

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)

What You'll Need

• Whiteboard or flip chart and markers
• Document in the Executive Presentation, slide 8.

Craft a vision of the future state of the service desk.

Tell a story.

Stories serve to give the consolidation real-world context by describing what the future state will mean for both staff and users of the service desk. The story should sum up the core of the experience of using the consolidated service desk and reflect how the service desk will fit into the life of the user.

Stories should include:

• Action describing the way things happen.
• Contextual detail that helps readers relate to the person in the story.
• Challenging ideas that contradict common belief and may be disruptive, but help suggest new directions.

Example:

Imagine if…

… users could access one single online service that allows them to submit a ticket through a self-service portal and service catalog, view the status of their ticket, and receive updates about organization-wide outages and announcements. They never have to guess who to contact for help with a particular type of issue or how to contact them as there is only one point of contact for all types of incidents and service requests.

… all users receive consistent service delivery regardless of their location, and never try to circumvent the help desk or go straight to a particular technician for help as there is only one way to get help by submitting a ticket through a single service desk.

… tickets from any location could be easily tracked, prioritized, and escalated using standardized definitions and workflows to ensure consistent service delivery and allow for one set of SLAs to be defined and met across the organization.

Discuss the drivers of the consolidation to identify the goals the project must achieve

Identifying the reasons behind the consolidation will help formulate the vision for the consolidated service desk and the goals it should achieve.

Service Desk Institute (n = 20, 2007)

A survey of 233 service desks considering consolidation found that of the 20 organizations that were in the planning stages of consolidation, the biggest driver was to improve service delivery and/or increase productivity.

This is in line with the recommendation that improved service quality should be the main consolidation driver over reducing costs.

Service Desk Institute (n = 43, 2007)

The drivers were similar among the 43 organizations that had already implemented a consolidated service desk, with improved service delivery and increased productivity again the primary driver.

Aligning with best practice was the second most cited driver.

Identify the purpose, goals, and guiding principles of the consolidation project

1.2.4 Document goals of the project

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)

What You'll Need

• Whiteboard or flip chart and markers
• Document in the Executive Presentation, slide 9.

Use the results of your stakeholder analysis and interviews to facilitate a discussion among recommended participants and document the purpose of the consolidation project, the goals the project aims to achieve, and the guiding principles that must be followed.

Use the following example to guide your discussion:

Identify the anticipated benefits of the consolidation to weigh them against risks and plan future communications

The primary driver for consolidation of service desks is improved service delivery and increased productivity. This should relate to the primary benefits delivered by the consolidation, most importantly, improved end-user satisfaction.

A survey of 43 organizations that have implemented a consolidated service desk identified the key benefits delivered by the consolidation (see chart at right).

Source: Service Desk Institute (n = 43, 2007)

Info-Tech Insight

Cost reduction may be an important benefit delivered by the consolidation effort, but it should not be the most valuable benefit delivered. Focus communications on anticipated benefits for improved service delivery and end-user satisfaction to gain buy-in for the project.

Identify anticipated outcomes and benefits of consolidation

1.2.5 Use a “stop, start, continue” exercise to identify KPIs

What You'll Need

• Whiteboard or flip chart and markers

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)

Document

Document in the Executive Presentation, slide 10

1. Divide the whiteboard into 3 columns: stop, start, and continue
2. Identify components of your service desk that:

• Are problematic and should be phased out (stop)
• Provide value but are not in place yet (start)
• Are effective and should be sustained, if not improved (continue)

Use a SWOT analysis to assess the service desk

• A SWOT analysis is a structured planning method that organizations can use to evaluate the strengths, weaknesses, opportunities, and threats involved in a project or business venture.
• Use a SWOT analysis to identify the organization’s current IT capabilities and classify potential disruptive technologies as the first step toward preparing for them.

Review these questions...

…to help you conduct your SWOT analysis on the service desk.

Conduct a SWOT analysis on the business

1.2.6 Conduct SWOT analysis

Participants

• Project Sponsor
• IT Director, CIO
• IT Managers and Service Desk Manager(s)

What You'll Need

• Whiteboard or flip chart and markers

Document

• Document in the Executive Presentation, slide 11

1. Break the group into two teams:

• Assign team A strengths and weaknesses.
• Assign team B opportunities and threats.

• Refer to the questions on the previous slide to help guide discussion

Frame your project in terms of people, process, technology

A framework should be used to guide the consolidation effort and provide a standardized basis of comparison between the current and target state.

Frame the project in terms of the change and impact it will have on:

• People
• Process
• Technology

Service desk consolidation will likely have a significant impact in all three categories by standardizing processes, implementing a single service management tool, and reallocating resources. Framing the project in this way will ensure that no aspect goes forgotten.

For each of the three categories, you will identify:

• Current state
• Target state
• Gap and actions required
• Impact, risks, and benefits
• Communication and training requirements
• How to measure progress/success

People

• Tier 1 support
• Tier 2 support
• Tier 3 support
• Vendors

Process

• Incident management
• Service request management
• SLAs

Technology

• ITSM tools
• Knowledgebase
• CMDB and other databases
• Technology supported

Complete the Consolidate Service Desk Executive Presentation

Complete an executive presentation using the decisions made throughout this step

Use the Consolidate Service Desk Executive Presentation to deliver the outputs of your project planning to the business and gain buy-in for the project.

1. Use the results of the activities throughout step 1.2 to produce the key takeaways for your executive presentation.
2. At the end of the presentation, include 1-2 slides summarizing any additional information specific to your organization.
3. Once complete, pitch the consolidation project to the project sponsor and executive stakeholders.
   • This presentation needs to cement buy-in for the project before any other progress is made.

Step 1.3: Conduct a full assessment of each service desk

Phase 1

Develop a shared vision

1.1 Get buy-in from key stakeholders

1.2 Develop a vision to give the project direction

1.3 Conduct a full assessment of each service desk

This step will walk you through the following activities:

• 1.3.1 Review the results of your diagnostic programs
• 1.3.2 Analyze the organizational structure of each service desk
• 1.3.3 Assess the overall maturity of each service desk
• 1.3.4 Map out roles and responsibilities of each service desk using organizational charts
• 1.3.5 Assess and document current information system environment

This step involves the following participants:

• CIO
• IT Directors
• Service Desk Managers
• Service Desk Technicians

Step outcomes

• A robust current state assessment of each service desk, including overall maturity, processes, organizational structure, agent skills, roles and responsibilities, agent satisfaction, technology and ITSM tools.

Oxford saved time and effort by sticking with a tested process that works

CASE STUDY

Industry: Higher Education

Source: Oxford University, IT Services

Oxford ITS instigated the service desk consolidation project in the fall of 2012.

A new ITSM solution was formally acquired in the spring 2014, and amalgamated workflows designed.

Throughout this period, at least 3 detailed process analyses occurred in close consultation with the affected IT units.

Responsibility for understanding each existing process (incident, services, change management, etc.) were assigned to members of the project team.

They determined which of the existing processes were most effective, and these served as the baseline – saving time and effort in the long run by sticking with tested processes that work.

Reach out early and often.

Almost from day one, the Oxford consolidation team made sure to consult closely with each relevant ITS team about their processes and the tools they used to manage their workflows.

This was done both in structured interviews during the visioning stage and informally at periodic points throughout the project.

The result was the discovery of many underlying similarities. This information was then instrumental to determining a realistic baseline from which to design the new consolidated service desk.

"We may give our activities different names or use different tools to manage our work but in all cases common sense has prevailed and it’s perhaps not so surprising that we have common challenges that we choose to tackle in similar ways." – Andrew Goff, Change Management at Oxford ITS

Review the results of your diagnostic programs to inform your current state assessment

1.3.1 Understand satisfaction with the service desk

Participants

• CIO/IT Director
• IT Manager
• Service Manager(s)

Document

• Record end-user satisfaction in the Consolidate Service Desk Assessment Tool, tab 4.

1. Set up an analyst call through your account manager to review the results of your diagnostic.

• Whatever survey you choose, ask the analyst to review the data and comments concerning:
  • Assessments of service desk timeliness/effectiveness
  • IT business enablement
  • IT innovation leadership

A robust current state assessment is the foundation of a successful consolidation

You can’t determine where you’re going without a clear idea of where you are now.

Before you begin planning for the consolidation, make sure you have a clear picture of the magnitude of what you plan on consolidating.

Evaluate the current state of each help desk being considered for consolidation. This should include an inventory of:

• Process:
  • Processes and workflows
  • Metrics and SLAs
• People:
  • Organizational structure
  • Agent workload and skills
  • Facility layout and design
• Technology:
  • Technologies and end users supported
  • Technologies and tools used by the service desk

Info-Tech Insight

A detailed current state assessment is a necessary first step for a consolidation project, but determining the right level of detail to include in the evaluation can be challenging. Gather enough data to establish a baseline and make an informed decision about how to consolidate, but don’t waste time collecting unnecessary information that will only distract and slow down the project.

Review ticket handling processes for each service desk to identify best practices

Use documentation, reports, and metrics to evaluate existing processes followed by each service desk before working toward standardized processes.

Analyze the organizational structure of each service desk

1.3.2 Discuss the structure of each service desk

Participants

• CIO
• Service Desk Manager(s)
• Service Desk Technicians

What You'll Need

• Consolidate Service Desk Assessment Tool

1. Facilitate a discussion among recommended participants to discuss the structure of each service desk. Decide which model best describes each service desk:

• The Gatekeeper Model: All calls are routed through a central call group whose sole responsibility is to link the customer to the right individual or group.
• The Call Sorting Model: All calls are sorted into categories using technology and forwarded to the right 2nd level specialist group.
• Tiered Structure (Specialist Model): All calls are sorted through a single specialist group, such as desktop support. Their job is to log the interaction, attempt resolution, and escalate when the problem is beyond their ability to resolve.
• Tiered Structure (Generalist Model): All calls are sorted through a single generalist group, whose responsibility is to log the interaction, attempt a first resolution, and escalate when the problem is beyond their ability to resolve.

2. Use a flip chart or whiteboard to draw the architecture of each service desk, using the example on the right as a guide.

Assess the current state of each service desk using the Consolidate Service Desk Assessment Tool

Assess the current state of each service desk

The Consolidate Service Desk Assessment Tool will provide insight into the overall health of each existing service desk along two vectors:

1. Process Maturity (calculated on the basis of a comprehensive survey)
2. Metrics (calculated on the basis of entered ticket and demographic data)

Together these answers offer a snapshot of the health, efficiency, performance, and perceived value of each service desk under evaluation.

This tool will assist you through the current state assessment process, which should follow these steps:

1. Send a copy of this tool to the Service Desk Manager (or other designated party) of each service desk that may be considered as part of the consolidation effort.
   • This will collect key metrics and landscape data and assess process maturity
2. Analyze the data and discuss as a group
3. Ask follow-up questions
4. Use the information to compare the health of each service desk using the scorecard tool

These activities will be described in more detail throughout this step of the project.

Gather relevant data to assess the environment of each service desk

Assess each service desk’s environment using the assessment tool

Send a copy of the Consolidate Service Desk Assessment Tool to the Service Desk Manager (or other designated party) of each service desk that will be considered as part of the consolidation.

Instruct them to complete tab 2 of the tool, the Environment Survey:

• Enter Profile, Demographic, Satisfaction, Technology, and Ticket data into the appropriate fields as accurately as possible. Satisfaction data should be entered as percentages.
• Notes can be entered next to each field to indicate the source of the data, to note missing or inaccurate data, or to explain odd or otherwise confusing data.

This assessment will provide an overview of key metrics to assess the performance of each service desk, including:

• Service desk staffing for each tier
• Average ticket volume and distribution per month
• # staff in IT
• # service desk staff
• # supported devices (PC, laptops, mobiles, etc.)
• # desktop images

Assess the overall maturity of each service desk

1.3.3 Use the assessment tool to measure the maturity of each service desk

Participants

• CIO
• Service Desk Manager(s)
• Service Desk Technicians

What You'll Need

• Consolidate Service Desk Assessment Tool

1. Assemble the relevant team for each service desk: process owners, functional managers, service desk manager, and relevant staff and technicians who work with the processes to be assessed. Each service desk team should meet to complete the maturity assessment together as a group.
2. Go to tab 3 (Service Desk Maturity Survey) of the Consolidate Service Desk Assessment Tool and respond to the questions in the following categories:

• Prerequisites (general questions)
• People
• Process
• Technology
• SLAs

Evaluate resource utilization and satisfaction to allocate resources effectively

Include people as part of your current state assessment to evaluate whether your resources are appropriately allocated to maximize effectiveness and agent satisfaction.

Skills Inventory

Use the IT Skills Inventory and Gap Assessment Tool to assess agent skills and identify gaps or overlaps.

Agent Satisfaction

Measure employee satisfaction and engagement to identify strong teams.

Roles and Responsibilities

Gather a clear picture of each service desk’s organizational hierarchy, roles, and responsibilities.

Agent Utilization

Obtain a snapshot of service desk productivity by calculating the average amount of time an agent is handling calls, divided by the average amount of time an agent is at work.

Conduct a skills inventory for each service desk

Evaluate agent skills across service desks

After evaluating processes, evaluate the skill sets of the agents tasked with following these processes to identify gaps or overlap.

Send the Skills Coverage Tool tab to each Service Desk Manager, who will either send it to the individuals who make up their service desk with instructions to rate themselves, or complete the assessment together with individuals as part of one-on-one meetings for discussing development plans.

IT Skills Inventory and Gap Assessment Tool will enable you to:

• List skills required to support the organization.
• Document and rate the skills of the existing IT staffing contingent.
• Assess the gaps to help determine hiring or training needs, or even where to pare back.
• Build a strategy for knowledge sharing, transfer, and training through the consolidation project.

Map out roles and responsibilities of each service desk using organizational charts

1.3.4 Obtain or draw organizational charts for each location

Clearly document service desk roles and responsibilities to rationalize service desk architecture.

Participants

• CIO, IT Director
• Service Desk Manager(s)
• Tier/Specialist Manager(s)

What You’ll Need

• Org. charts
• Flip chart or whiteboard and markers

1. Obtain or draw (on a whiteboard or flip chart) the organizational chart for each service desk to get a clear picture of the roles that fulfill each service desk. If there is any uncertainty or disagreement, discuss as a group to come to a resolution.
2. Discuss the roles and reporting relationships within the service desk and across the organization to establish if/where inefficiencies exist and how these might be addressed through consolidation.
3. If an up-to-date organizational chart is not in place, use this time to define the organizational structure as-is and consider future state.

Conduct an agent satisfaction survey to compare employee engagement across locations

Evaluate agent satisfaction

End-user satisfaction isn’t the only important satisfaction metric.

Agent satisfaction forms a key metric within the Consolidate Service Desk Assessment Tool, and it can be evaluated in a variety of ways. Choose the approach that best suits your organization and time restraints for the project.

Determine agent satisfaction on the basis of a robust (and anonymous) survey of service desk agents. Like the end-user satisfaction score, this measure is ideally computed as a percentage.

There are several ways to measure agent satisfaction:

1. If your organization runs an employee engagement survey, use the most recent survey results, separating them by location and converting them to a percentage.
2. If your organization does not currently measure employee engagement or satisfaction, consider one of Info-Tech and McLean & Company’s two engagement diagnostics:
   • Full Engagement Diagnostic – 81 questions that provide a comprehensive view into your organization's engagement levels
   • McLean & Company’s Pulse Survey – 15 questions designed to give a high-level view of employee engagement
3. For smaller organizations, a survey may not be feasible or make sense. In this case, consider gathering informal engagement data through one-on-one meetings.
4. Be sure to discuss and document any reasons for dissatisfaction, including pain points with the current tools or processes.