Improve Service Desk Ticket Queue Management

Strong queue management is the foundation to good customer service

Analyst Perspective

Secure your foundation before you start renovating.

Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.

Natalie Sansone, PhD
Senior Research Analyst, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Your Challenge

• Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
• New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
• Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

Common Obstacles

• All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
• There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
• Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
• Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

Info-Tech’s Approach

• Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
• Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
• Establish clear ownership and accountability for queue management.
• Once processes have been defined, identify opportunities to build in automation to improve efficiency.

Info-Tech Insight

If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

Timeliness is essential to customer satisfaction

And timeliness can’t be achieved without good queue management practices.

As soon as that ticket comes in, the clock starts ticking…

A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

For every 12-hour delay in response time*, CSAT drops by 9.6%.

*to email and web support tickets
Source: Freshdesk, 2021

A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

A queue is simply a line of people (or tickets) waiting to be helped

When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

Ticket Queue

Email/web
Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

Phone
For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

Chat
Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

Queue Management

Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

• Review incoming tickets
• Categorize and prioritize tickets
• Route or assign appropriately
• View or update ticket status
• Monitor resource workload
• Ensure tickets are being actioned in time
• Proactively identify SLA breaches

Ineffective queue management can bury you in backlog

Ticket backlog with poor queue management

Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

Ticket backlog with good queue management

With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

A growing backlog will quickly lead to dissatisfied end users and staff

Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

Common challenges with queue management include:

• Tickets come in through multiple channels and aren’t consolidated into a single queue
• New tickets sit unassigned for too long, resulting in long response times
• Tickets move around between multiple queues with no clear ownership
• Assigned tickets sit too long in a queue without progress and breach SLA
• No accountability for queue ownership and monitoring
• Technicians cherry pick the easiest tickets from the queue
• Technicians have no easy way to organize their queue to know what to work on next

This leads to:

• Long response times
• Long resolution times
• Poor workload distribution and efficiency
• High backlog
• Disengaged, frustrated staff
• Dissatisfied end users

Info-Tech Insight

A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

Dig yourself out with strong queue management

Strong queue management is the foundation to good customer service.

Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

A mature queue management process will:

• Reduce response time to address tickets.
• Effectively prioritize tickets and ensure everyone knows what to work on next.
• Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
• Reduce overall resolution time to resolve tickets.
• Enable greater accountability for queue management and monitoring of tickets.
• Improve customer and employee satisfaction.

As queue management maturity increases:
Response time decreases
Resolution time decreases
Backlog decreases
End-user satisfaction increases

Ten Tips to Effectively Manage Your Queue

The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

1. Define your optimal queue structure
2. Design and assign resources to relevant queues
3. Define and document queue management processes
4. Clearly define queue management responsibilities for every team member
5. Establish clear ownership & accountability over all queues
6. Always keep ticket status and documentation up to date
7. Shift left to reduce queue volume
8. Build-in automation to improve efficiency
9. Configure your ITSM tool to support and optimize queue management processes
10. Don’t lose visibility of the backlog

#1: Define your optimal queue structure

There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

Sample queue structures

*Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

Triage and Assign

• All incoming tickets are assigned to an appropriate queue based on predefined criteria.
• Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
• Queue Manager, dedicated coordinator, or Tier 1 staff.
• Queues may be defined based on:
• Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
• Ticket category (e.g. Network, Office365, Hardware, etc.)
• Priority (e.g. P1, P2, P3, P4, P5)
• Resources may be assigned to multiple queues.

Define your optimal queue structure (cont.)

Tiered generalist model

• All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
• More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.

Unassigned queue

• Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
• Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.

#2: Design and assign resources to relevant queues

Once you’ve defined your overall structure, define the content of each queue.

Info-Tech Insight

Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

#3 Define and document queue management processes

A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

Process recommendations

As you define queue management processes, keep the following advice in mind:

Rotate triage role

The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

Limit and prioritize channels

You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

Prioritize first

Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

Define VIP treatment

In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

Consider time zone

If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

Info-Tech Insight

Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

For more detailed process guidance, see Standardize the Service Desk

Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

• Service desk structure, roles, and responsibilities
• Metrics and reporting
• Ticket handling and ticket quality
• Incident and critical incident management
• Ticket categorization
• Prioritization and escalation
• Service request fulfillment
• Self-service considerations
• Building a knowledgebase

#4 Clearly define queue management responsibilities for every team member

This may be one of the most critical yet overlooked keys to queue management success. Define the following:

Who will have overall accountability?

Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

Who will manage each queue?

Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

Who is responsible for assigning tickets?

Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

What are everyone’s responsibilities?

Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

#5 Establish clear ownership & accountability over all queues

If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

Info-Tech Insight

Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

Specific responsibilities may include:

• Monitors queues daily
• Ensures new tickets are assigned to appropriate resources for resolution
• Verifies tickets have been routed and assigned correctly and reroutes if necessary
• Reallocates tickets if assigned resource is suddenly unavailable or away
• Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
• Escalates tickets that are aging or about to breach
• Ensures service level objectives or agreements are met
• Facilitates resource allocation based on workload
• Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
• Associates child and parent tickets
• Prepares reports on ticket status and volume by queues
• Regularly reviews reports to identify and act on issues and make improvements or changes where needed
• Identifies opportunities for improvement

#6 Always keep ticket status and documentation up to date

Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

Ticket Documentation
Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

Ticket Status
The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

Common ticket statuses include:

• New/open
• Assigned
• In progress
• Declined
• Canceled
• Pending/on hold
• Resolved
• Closed
• Reopened

For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

• For ticket handling and documentation, see Step 1.4
• For ticket status fields, see Step 2.2.

#7 Shift left to reduce queue volume

Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

Shift to Level 1

• Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
• Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
• Embed knowledge management in resolution workflows.

Shift to End User

• Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
• Communicate and train users on how to use the portal regularly update and improve it.

Automate & Eliminate

• Identify processes or tasks that could be automated to eliminate work.
• Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

#8 Build in automation to improve efficiency

Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

For more guidance on implementing automation and AI within your service desk, see these blueprints:

For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

Sample automation rules

Criteria or triggers you can automate actions based on:

• Ticket type
• Specific field in a ticket web form
• Ticket form that was used (e.g. specific service request form from the portal)
• Ticket category
• Ticket priority
• Keyword in an email subject line
• Keywords or string in a chat
• Requester name or email
• Requester location
• Requester/ticket language
• Requester VIP status
• Channel ticket was received through
• SLAs or time-based automations
• Agent skill
• Agent status or capacity

Fields or actions those triggers can automate

• Priority
• Category
• Ticket routing
• Assigned agent
• Assigned queue
• SLA/due date
• Notifications/communication

Sample Automation Rules

• When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
• When ticket comes from VIP user, set urgency to high.
• When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
• When ticket status has been set to “on hold” for five days, send a reminder to assignee.
• When ticket is categorized as “Software-ERP,” send to ERP queue.
• When ticket is prioritized as P1/critical, send alert to emergency response team.
• When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
• When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
• When ticket has not been resolved within seven days, flag as aging ticket.

#9 Configure your ITSM tool to support and optimize queue management processes

Configure your tool to support your needs; don’t adjust your processes to match the tool.

• Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
• Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
• Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
• Configure which queues or views new tickets will be sent to.
• Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
• Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

Info-Tech Insight

It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

Configure queues to maximize productivity

Info-Tech Insight

The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

#10 Don’t lose visibility of the backlog

Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

• Ticket resolution time by priority, by workgroup
• Ticket volume by status (i.e. open, in progress, on hold, resolved)
• Ticket volume by age
• Ticket volume by queue and assignee

Regularly review reports on these metrics with the team.

Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

Take action on aging tickets to ensure progress is being made.

Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

Schedule times for your team to tackle aged tickets or tickets in the backlog.

Info-Tech Insight

It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

Activity 1.1: Define ticket queues

1 hour

Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

Note:

The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

Input

• Current queue structure and roles

Output

• Defined service desk ticket queues and assigned responsibilities

Materials

• Org chart
• ITSM tool for reference, if needed

Participants

• Service Desk Manager
• IT Director
• Queue Managers

Document in the Service Desk Queue Structure Template.

Related Info-Tech Research

Standardize the Service Desk

This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

Optimize the Service Desk With a Shift-Left Strategy

This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

Improve Service Desk Ticket Intake

This project will help you streamline your ticket intake process and identify improvements to your intake channels.

Staff the Service Desk to Meet Demand

This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

Works Cited

“What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

AI Governance

A Framework for Building Responsible, Ethical, Fair, and Transparent AI

Are you ready for AI?

Business leaders must manage the associated risks as they scale their use of AI

Regulations and risk assessment tools

Governments around the world are developing AI assessment methodologies and legislation for AI. Here are a couple of examples:

• Responsible use of artificial intelligence (AI) guiding principles (Canada):
  1. understand and measure the impact of using AI by developing and sharing tools and approaches
  2. be transparent about how and when we are using AI, starting with a clear user need and public benefit
  3. provide meaningful explanations about AI decision-making, while also offering opportunities to review results and challenge these decisions
  4. be as open as we can by sharing source code, training data, and other relevant information, all while protecting personal information, system integration, and national security and defense
  5. provide sufficient training so that government employees developing and using AI solutions have the responsible design, function, and implementation skills needed to make AI-based public services better
• The Algorithmic Impact Assessment tool (Canada) is used to determine the impact level of an automated decision-system. It defines 48 risk and 33 mitigation questions. Assessment scores consider factors such as systems design, algorithm, decision type, impact, and data.
• The National AI Initiative Act of 2020 (DIVISION E, SEC. 5001) (US) became law on January 1, 2021. This is a program across the entire Federal government to accelerate AI research and application.
• Bill C-27, Artificial Intelligence and Data Act (AIDA) (Canada), when passed, would be the first law in Canada regulating the use of artificial intelligence systems.
• The EU Artificial Intelligence Act (EU) assigns applications of AI to three risk categories: applications and systems that create an unacceptable risk, such as government-run social scoring; high-risk applications, such as a CV-scanning tool that ranks job applicants; and lastly, applications not explicitly listed as high-risk.
• The FEAT Principles Assessment Methodology was created by the Monetary Authority of Singapore (MAS) in collaboration with other 27 industry partners for financial institutions to promote fairness, ethics, accountability, and transparency (FEAT) in the use of artificial intelligence and data analytics (AIDA).

AI policies around the world

Source of data: OECD.AI (2021), powered by EC/OECD (2021), database of national AI policies, accessed on 7/09/2022, https://oecd.ai.

The need for AI governance

“To adopt AI, organizations will need to review and enhance their processes and governance frameworks to address new and evolving risks.” (Canadian RegTech Association, Safeguarding AI Use Through Human-Centric Design, 2020)

To ensure responsible, transparent, and ethical AI systems, organizations will need to review existing risk control frameworks and update them to include AI risk management and impact assessment frameworks and processes. As ML and AI technologies are constantly evolving, the AI governance and AI risk management frameworks will need to evolve to ensure the appropriate safeguards and controls are in place. This applies not only to the machine learning models and AI system custom built by the organization’s data science and AI team, but it also includes AI-powered vendor tools and technologies. The vendors should be able to explain how AI is used in their products, how the model was trained, and what data was used to train the model. AI governance enables management, monitoring, and control of all AI activities within an organization.

Key concepts

Info-Tech Research Group defines the key terms used in this document as follows:

Machine learning systems learn from experience and without explicit instructions. They learn patterns from data, then analyze and make predictions based on past behavior and the patterns learned.

Artificial intelligence is a combination of technologies and can include machine learning. AI systems perform tasks that mimic human intelligence, such as learning from experience and problem solving. Most importantly, AI makes its own decisions without human intervention.

We use the definition of data ethics by Open Data Institute: “Data ethics is a branch of ethics that considers the impact of data practices on people, society and the environment. The purpose of data ethics is to guide the values and conduct of data practitioners in data collection, sharing and use.”

Algorithmic or machine bias is systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others. Algorithmic bias is not a technical problem. It’s a social and political problem, and in the context of implementing AI for business benefits, it’s a business problem.

Download the blueprint Mitigate Machine Bias blueprint for detailed discussion on bias, fairness, and transparency in AI systems

Key concepts – explainable, transparent and trustworthy

AI Governance Framework

Monitoring Monitoring compliance and risk of AI/ML systems/models in production Tools & Technologies Tools and technologies to support AI governance framework implementation Model Governance Ensures accountability and traceability for AI/ML models

Organization Structure, roles, and responsibilities of the AI governance organization Operating Model How AI governance operates and works with other organizational structures to deliver value Risk and Compliance Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks Policies/Procedures/ Standards Policies and procedures to support implementation of AI governance

CIO Priorities 2022

Info-Tech’s annual CIO priorities are formed from proprietary primary data and consultation with our internal experts with CIO stature

2022 Tech Trends Survey CIO Demographic N=123

Info-Tech’s Tech Trends 2022 survey was conducted between August and September 2021 and collected a total of 475 responses from IT decision makers, 123 of which were at the C-level. Fourteen countries and 16 industries are represented in the survey.

2022 IT Talent Trends Survey CIO Demographic N=44

Info-Tech’s IT Talent Trends 2022 survey was conducted between September and October 2021 and collected a total of 245 responses from IT decision makers, 44 of which were at the C-level. A broad range of countries from around the world are represented in the survey.

Internal CIO Panels’ 125 Years Of Combined C-Level IT Experience

Panels of former CIOs at Info-Tech focused on interpreting tech trends data and relating it to client experiences. Panels were conducted between November 2021 and January 2022.

CEO-CIO Alignment Survey Benchmark Completed By 107 Different Organizations

Info-Tech’s CEO-CIO Alignment program helps CIOs align with their supervisors by asking the right questions to ensure that IT stays on the right path. It determines how IT can best support the business’ top priorities and address the gaps in your strategy. In 2021, the benchmark was formed by 107 different organizations.

Build IT alignment

IT Management & Governance Diagnostic Benchmark Completed By 320 Different Organizations

Info-Tech’s Management and Governance Diagnostic helps IT departments assess their strengths and weaknesses, prioritize their processes and build an improvement roadmap, and establish clear ownership of IT processes. In 2021, the benchmark was formed by data from 320 different organizations.

Assess your IT processes

The CIO priorities are informed by Info-Tech’s trends research reports and surveys

Priority: “The fact or condition of being regarded or treated as more important than others.” (Lexico/Oxford)

Trend: “A general direction in which something is developing or changing.” (Lexico/Oxford)

Visit Info-Tech’s Trends & Priorities Research Center

The Five Priorities

Priorities to compete in the digital economy

1. Reduce Friction in the Hybrid Operating Model
2. Improve Your Ransomware Readiness
3. Support an Employee-Centric Retention Strategy
4. Design an Automation Platform
5. Prepare to Report on New Environmental, Social, and Governance Metrics

Reduce friction in the hybrid operating model

Priority 01 | APO07 Human Resources Management

Deliver solutions that create equity between remote workers and office workers and make collaboration a joy.

Hybrid work is here to stay

CIOs must deal with new pain points related to friction of collaboration

In 2020, CIOs adapted to the pandemic’s disruption to offices by investing in capabilities to enable remote work. With restrictions on gathering in offices, even digital laggards had to shift to an all-remote work model for non-essential workers.

Most popular technologies already invested in to facilitate better collaboration

• 24% Web Conferencing
• 23% Instant Messaging
• 20% Document Collaboration

In 2022, the focus shifts to solving problems created by the new hybrid operating model where some employees are in the office and some are working remotely. Without the ease of collaborating in a central hub, technology can play a role in reducing friction in several areas:

• Foster more connections between employees. Remote workers are less likely to collaborate with people outside of their department and less likely to spontaneously collaborate with their peers. CIOs should provide a digital employee experience that fosters collaboration habits and keeps workers engaged.
• Prevent employee attrition. With more workers reevaluating their careers and leaving their jobs, CIOs can help employees feel connected to the overall purpose of the organization. Finding a way to maintain culture in the new context will require new solutions. While conference room technology can be a bane to IT departments, making hybrid meetings effortless to facilitate will be more important.
• Provide new standards for mediated collaboration. Meeting isn’t as easy as simply gathering around the same table anymore. CIOs need to provide structure around how hybrid meetings are conducted to create equity between all participants. Business continuity processes must also consider potential outages for collaboration services so employees can continue the work despite a major outage.

Three in four organizations have a “hybrid” approach to work. (Tech Trends 2022 Survey)

In most organizations, a hybrid model is being implemented. Only 14.9% of organizations are planning for almost everyone to return to the office, and only 9.9% for almost everyone to work remotely.

Elizabeth Clark CIO, Harvard Business School "I want to create experiences that are sticky. That keep people coming back and engaging with their colleagues."

Listen to the Tech Insights podcast:
Frictionless hybrid working: How the Harvard Business School did it

Internal interpretation: Harvard Business School

• March 2020

  The pandemic disrupts in-class education at Harvard Business School. Their case study method of instruction that depends on in-person, high-quality student engagement is at risk. While students and faculty completed the winter semester remotely, the Dean and administration make the goal to restore the integrity of the classroom experience with equity for both remote and in-person students.

• May 2020

  A cross-functional task force of about 100 people work intensively, conducting seven formal experiments, 80 smaller tests, and hundreds of polling data points, and a technology and facilities solution is designed: two 4K video cameras capturing both the faculty and the in-class students, new ceiling mics, three 85-inch TV screens, and students joining the videoconference from their laptops. A custom Zoom room, combining three separate rooms, integrated all the elements in one place and integrated with the lecture capture system and learning management system.

• October 2020

  Sixteen classrooms are renovated to install the new solution. Students return to the classroom but in lower numbers due to limits on in-room capacity, but students rotate between the in-person and remote experience.

• September 2021

  Renovations for the hybrid solution are complete in 26 classrooms and HBS has determined this will be its standard model for the classroom. The case method of teaching is kept alive and faculty and students are thrilled with the results.

• November 2021

  HBS is adapting its solution for the classroom to its conference rooms and has built out eight different rooms for a hybrid experience. The 4K cameras and TV screens capture all participants in high fidelity as well as the blackboard.

The renovated classrooms integrate all students, whether they are participating remotely or in person. (Image courtesy of Harvard Business School.)

Implications: Organization, Process, Technology

External

• Organization – About half of IT practitioners in the Tech Trends 2022 survey feel that IT leaders, infrastructure and operations teams, and security teams were “very busy” in 2021. Capacity to adapt to hybrid work could be constrained by these factors.
• Process – Organizations that want employees to benefit from being back in the office will have to rethink how workers can get more value out of in-person meetings that also require videoconference participation with remote workers.
• Technology – Fifty-four percent of surveyed IT practitioners say the pandemic raised IT spending compared to the projections they made in 2020. Much of that investment went into adapting to a remote work environment.

Internal

• Organization – HBS added 30 people to its IT staff on term appointments to develop and implement its hybrid classroom solutions. Hires included instructional designers, support technicians, coordinators, and project managers.
• Process – Only 25 students out of the full capacity of 95 could be in the classroom due to COVID-19 regulations. On-campus students rotated through the classroom seats. An app was created to post last-minute seat availability to keep the class full.
• Technology – A Zoom room was created that combines three rooms to provide the full classroom experience: a view of the instructor, a clear view of each student that enlarges when they are speaking, and a view of the blackboard.

Resources Applied

Appetite for Technology

CIOs and their direct supervisors both ranked internal collaboration tools as being a “critical need to adopt” in 2021, according to Info-Tech’s CEO-CIO Alignment Benchmark Report.

Intent to Invest

Ninety-seven percent of IT practitioners plan to invest in technology to facilitate better collaboration between employees in the office and outside the office by the end of 2022, according to Info-Tech’s 2022 Tech Trends survey.

“We got so many nice compliments, which you don’t get in IT all the time. You get all the complaints, but it’s a rare case when people are enthusiastic about something that was delivered.” (Elizabeth Clark, CIO, Harvard Business School)

Harvard Business School

• IT staff were reassigned from other projects to prioritize building a hybrid classroom solution. A cloud migration and other portfolio projects were put on pause.
• The annual capital A/V investment was doubled. The amount of spend on conference rooms was tripled.
• Employees were hired to the media services team at a time when other areas of the organization were frozen.

Outcomes at Harvard Business School

The new normal at Harvard Business School

New normal: HBS has found its new default operating model for the classroom and is extending its solution to its operating environment.

Improved CX: The high-quality experience for students has helped avoid attrition despite the challenges of the pandemic.

Engaged employees: The IT team is also engaged and feels connected to the mission of the school.

A custom Zoom room brings together multiple different views of the classroom into one single experience for remote students. (Image courtesy of Harvard Business School.)

From Priorities to Action

Make hybrid collaboration a joy

Align with your organization’s goals for collaboration and customer interaction, with the target of high satisfaction for both customers and employees. Invest in capital projects to improve the fidelity of conference rooms, develop and test a new way of working, and increase IT capacity to alleviate pressure points.

Foster both asynchronous and synchronous collaboration approaches to avoid calendars filling up with videoconference meetings to get things done and to accommodate workers contributing from across different time zones.

“We’ll always have hybrid now. It’s opened people’s eyes and now we’re thinking about the future state. What new markets could we explore?” (Elizabeth Clark, CIO, Harvard Business School)

Take the next step

Run Better Meetings
Hybrid, virtual, or in person – set meeting best practices that support your desired meeting norms.

Prepare People Leaders for the Hybrid Work Environment
Set hybrid work up for success by providing people leaders with the tools they need to lead within the new model.

Hoteling and Hot-Desking: A Primer
What you need to know regarding facilities, IT infrastructure, maintenance, security, and vendor solutions for desk hoteling and hot-desking.

“Human Resources Management” gap between importance and effectiveness
Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

Improve your ransomware readiness

Priority 02 | APO13 Security Strategy

Mitigate the damage of successful ransomware intrusions and make recovery as painless as possible.

The ransomware crisis threatens every organization

Prevention alone won’t be enough against the forces behind ransomware.

Cybersecurity is always top of mind for CIOs but tends to be deprioritized due to other demands related to digital transformation or due to cost pressures. That’s the case when we examine our data for this report.

Cybersecurity ranked as the fourth-most important priority by CIOs in Info-Tech’s 2022 Tech Trends survey, behind business process improvement, digital transformation, and modernization. Popular ways to prepare for a successful attack include creating offline backups, purchasing insurance, and deploying new solutions to eradicate ransomware.

CIOs and their direct supervisors ranked “Manage IT-Related Security” as the third-most important top IT priority on Info-Tech’s CEO-CIO Alignment Benchmark for 2021, in support of business goals to manage risk, comply with external regulation, and ensure service continuity.

Most popular ways for organizations to prepare for the event of a successful ransomware attack:

• 25% Created offline backups
• 18% Purchased cyberinsurance
• 19% New tech to eradicate ransomware

Whatever priority an organization places on cybersecurity, when ransomware strikes, it quickly becomes a red alert scenario that disrupts normal operations and requires all hands on deck to respond. Sophisticated attacks executed at wide scale demonstrate that security can be bypassed without creating an alert. After that’s accomplished, the perpetrators build their leverage by exfiltrating data and encrypting critical systems.

CIOs can plan to mitigate ransomware attacks in several constructive ways:

• Business impact analysis. Determine the costs of an outage for specific periods and the system and data recovery points in time.
• Engage a partner for 24/7 monitoring. Gain real-time awareness of your critical systems.
• Review your identity access management (IAM) policies. Use of multi-factor authentication and limiting access to only the roles that need it reduces ransomware risk.

50% of all organizations spent time and money specifically to prevent ransomware in the past year. (Info-Tech Tech Trends 2022 Survey)

John Doe CIO, mid-sized manufacturing firm in the US "I want to create experiences that are sticky. That keep people coming back and engaging with their colleagues."

Listen to the Tech Insights podcast:
Close call with ransomware: a CIO recounts a near security nightmare

Internal interpretation: US-based, mid-sized manufacturing firm

• May 1, 2021

  A mid-sized manufacturing firm (“The Firm”) CIO gets a call from his head of security about odd things happening on the network. A call is made to Microsoft for support. Later that night, the report is that an unwanted crypto-mining application is the culprit. But a couple of hours later, that assessment is proven wrong when it’s realized that hundreds of systems are staged for a ransomware attack. All the attacker has to do is push the button.

• May 2, 2021

  The Firm disconnects all its global sites to cut off new pathways for the malware to infect. All normal operations cease for 24 hours. It launches its cybersecurity insurance process. The CIO engages a new security vendor, CrowdStrike, to help respond. Employees begin working from home if they can so they can make use of their own internet service. The Firm has cut off its public internet connectivity and is severed from cloud services such as Azure storage and collaboration software.

• May 4, 2021

  The hackers behind the attack are revealed by security forensics experts. A state-sponsored agency in Russia set up the ransomware and left it ready to execute. It sold the staged attack to a cybercriminal group, Doppel Spider. According to CrowdStrike, the group uses malware to run “big game hunting operations” and targets 18 different countries including the US and multiple industries, including manufacturing.

• May 10, 2021

  The Firm has totally recovered from the ransomware incident and avoided any serious breach or paying a ransom. The CIO worked more hours than at any other point in his career, logging an estimated 130 hours over the two weeks.

• November 2021

  The Firm never previously considered itself a ransomware target but has now reevaluated that stance. It has hired a service provider to run a security operations center on a 24/7 basis. It's implemented a more sophisticated detection and response model and implemented multi-factor authentication. It’s doubled its security spend in 2021 and will invest more in 2022.

“Now we take the approach that if someone does get in, we're going to find them out.” (John Doe, CIO, “The Firm”)

Implications: Organization, Process, Technology

External

• Organization – Organizations must consider how their employees play a role in preventing ransomware and plan for training to recognize phishing and other common traps. They must make plans for employees to continue their work if systems are disrupted by ransomware.
• Process – Backup processes across multiple systems should be harmonized to have both recent and common points to recover from. Work with the understanding IT will have to take systems offline if ransomware is discovered and there is no time to ask for permission.
• Technology – Organizations can benefit from security services provided by a forensics-focused vendor. Putting cybersecurity insurance in place not only provides financial protection but also guidance in what to do and which vendors to work with to prevent and recover from ransomware.

Internal

• Organization – The Firm was prepared with a business continuity plan to allow many of its employees to work remotely, which was necessary because the office network was incapacitated for ten days during recovery.
• Process – Executives didn’t seek to assign blame for the security incident but took it as a signal there were some new costs involved to stay in business. It initiated new outsource relationships and hired one more full-time employee to shore up security resources.
• Technology – New ransomware eradication software was deployed to 2,000 computers. Scripted processes automated much of the work, but in some cases full system rebuilds were required. Backup systems were disconnected from the network as soon as the malware was discovered.

Resources Applied

Consider the Alternative

Organizations should consider how much a ransomware attack on critical systems would cost them if they were down for a minimum of 24-48 hours. Plan to invest an amount at least equal to the costs of that downtime.

Ask for ID

Implementing across-the-board multi-factor authentication reduces chances of infection and is cheap, with enterprise solutions ranging from $2 to $5 per user on average. Be strict and deny access when connections don’t authenticate.

“You'll never stop everything from getting into the network. You can still focus on stopping the bad actors, but then if they do make it in, make sure they don't get far.” (John Doe, CIO, “The Firm”)

“The Firm” (Mid-Sized Manufacturer)

• During the crisis, The Firm paused all activities and focused solely on isolating and eliminating the ransomware threat.
• New outsourcing relationship with a vendor provides a 24/7 Security Operations Center.
• One more full-time employee on the security team.
• Doubled investment in security in 2021 and will spend more in 2022.

Outcomes at “The Firm” (Mid-Sized Manufacturer)

The new cost of doing business

Real-time security: While The Firm is still investing in prevention-based security, it is also developing its real-time detection and response capabilities. When ransomware makes it through the cracks, it wants to know as soon as possible and stop it.

Leadership commitment: The C-suite is taking the experience as a wake-up call that more investment is required in today’s threat landscape. The Firm rates security more highly as an overall organizational goal, not just something for IT to worry about.

The Firm now uses multi-factor authentication as part of its employee sign-on process. For employees, authenticating is commonly achieved by using a mobile app that receives a secret code from the issuer.

From Priorities to Action

Cybersecurity is everyone’s responsibility

In Info-Tech’s CEO-CIO Alignment Benchmark for 2021, the business goal of “Manage Risk” was the single biggest point of disagreement between CIOs and their direct supervisors. CIOs rank it as the second-most important business goal, while CEOs rank it as sixth-most important.

Organizations should align on managing risk as a top priority given the severity of the ransomware threat. The threat actors and nature of the attacks are such that top leadership must prepare for when ransomware hits. This includes halting operations quickly to contain damage, engaging third-party security forensics experts, and coordinating with government regulators.

Cybersecurity strategies may be challenged to be effective without creating some friction for users. Organizations should look beyond multi-layer prevention strategies and lean toward quick detection and response, spending evenly across prevention, detection, and response solutions.

Take the next step

Create a Ransomware Incident Response Plan
Don’t be the next headline. Determine your current readiness, response plan, and projects to close gaps.

Simplify Identity and Access Management
Select and implement IAM and produce vendor RFPs that will contain the capabilities you need, including multi-factor authentication.

Cybersecurity Series Featuring Sandy Silk
More from Info-Tech’s Senior Workshop Director Sandy Silk in this video series created while she was still at Harvard University.

Gap between CIOs and CEOs in points allocated to “Manage risk” as a top business goal

Support an employee-centric retention strategy

Priority 03 | ITRG02 Leadership, Culture & Values

Avoid being a victim of “The Great Resignation” by putting employees at the center of an experience that will engage them with clear career path development, purposeful work, and transparent feedback.

Defining an employee-first culture that improves retention

The Great resignation isn’t good for firms

In 2021, many workers decided to leave their jobs. Working contexts were disrupted by the pandemic and that saw non-essential workers sent home to work, while essential workers were asked to continue to come into work despite the risks of COVID-19. These disruptions may have contributed to many workers reevaluating their professional goals and weighing their values differently. At the same time, 2021 saw a surging economy and many new job opportunities to create a talent-hungry market. Many workers could have been motivated to take a new opportunity to increase their salary or receive other benefits such as more flexibility.

Annual turnover rate for all us employees on the rise

• 20% – Jan.-Aug. 2020, Dipped from 22% in 2019
• 25% Jan.-Aug. 2021, New record high
Data from Visier Inc.

When you can’t pay them, develop them

IT may be less affected than other departments by this trend. Info-Tech’s 2022 IT Talent Trends Report shows that on average, estimated turnover rate in IT is lower than the rest of the organization. Almost half of respondents estimated their organization’s voluntary turnover rate was 10% or higher. Only 30% of respondents estimate that IT’s voluntary turnover rate is in the same range. However, CIOs working in industries with the highest turnover rates will have to work to keep their workers engaged and satisfied, as IT skills are easily transferred to other industries.

49% ranked “enabling learning & development within IT” as high priority, more than any other single challenge. (IT Talent Trends 2022 Survey, N=227)

Jeff Previte Executive Vice-President of IT, CrossCountry Mortgage “We have to get to know the individual at a personal level … Not just talking about the business, but getting to know the person."

Listen to the Tech Insights podcast:
How a financial services company dodged ‘The Great Resignation’

Internal interpretation: CrossCountry Mortgage

• May 2019

  Jeff Previte joins Cleveland, Ohio-based CrossCountry Mortgage in the CIO role. The company faces a challenge with employee turnover, particularly in IT. The firm is a sales-focused organization and saw its turnover rate reach as high as 60%. Yet Previte recognized that IT had some meaningful goals to achieve and would need to attract – and retain – some higher caliber talent. His first objective in his new role was to meet with IT employees and business leadership to set priorities.

• July 2019

  Previte takes a “people-first” approach to leadership and meets his staff face-to-face to understand their personal situations. He sets to work on defining roles and responsibilities in the organization, spending about a fifth of his time on defining the strategy.

• June 2020

  Previte assigned his leadership team to McLean & Company’s Design an Impactful Employee Development Program. From there, the team developed a Salesforce tool called the Career Development Workbook. “We had some very passionate developers and admins that wanted to build a home-grown tool,” he says. It turns McLean & Company’s process into a digital tool employees can use to reflect on their careers and explore their next steps. It helps facilitate development conversations with managers.

• January 2021

  CrossCountry Mortgage changes its approach to career development activities. Going to external conferences and training courses is reduced to just 30% of that effort. The rest is by doing hands-on work at the company. Previte aligned with his executives and road-mapped IT projects annually. Based on employee’s interests, opportunities are found to carve out time from usual day-to-day activities to spend time on a project in a new area. When there’s a business need, someone internally can be ready to transition roles.

• June 2021

  In the two years since joining the company, Previte has reduced the turnover rate to just 12%. The IT department has grown to more adequately meet the needs of the business and employees are engaged with more opportunities to develop their careers. Instead of focusing on compensation, Previte focused more on engaging employees with a developmentally dedicated environment and continuous hands-on learning.

“It’s come down to a culture shift. Folks have an idea of where we’re headed as an organization, where we’re headed as an IT team, and how their role contributes to that.” (Jeff Previte, EVP of IT, CrossCountry Mortgage)

Implications: Organization, Process, Technology

External

• Organization – A high priority is being placed on improving IT’s maturity through its talent. Enabling learning and development in IT, enabling departmental innovation, and recruiting are the top three highest priorities according to IT Talent Trends 2022 survey responses.
• Process – Recruiting is more challenging for industries that operate primarily onsite, according to McLean & Company's 2022 HR Trends Report. They face more challenges attracting applications, more rejected offers, and more candidate ghosting compared to remote-capable industries.
• Technology – Providing a great employee experience through digital tools is more important as many organizations see a mix of workers in the office and at home. These tools can help connect colleagues, foster professional development, and improve the candidate experience.

Internal

• Organization – CrossCountry Mortgage faced a situation where IT employees did not have clarity on their roles and responsibilities. In terms of salary, it wasn’t offering at the high end compared to other employers in Cleveland.
• Process – To foster a culture of growth and development, CrossCountry Mortgage put in place a performance assessment system that encouraged reflection and goal setting, aided by collaboration with a manager.
• Technology – The high turnover rate was limiting CrossCountry Mortgage from achieving the level of maturity it needed to support the company’s goals. It ingrained its new PA process with a custom build of a Salesforce tool.

Resources Applied

Show me the money

Almost six in ten Talent Trends survey respondents identified salary and compensation as the reason that employees resigned in the past year. Organizations looking to engage employees must first pay a fair salary according to market and industry conditions.

Build me up

Professional development and opportunity for innovative work are the next two most common reasons for resignations. Organizations must ensure they create enough capacity to allow workers time to spend on development.

“Building our own solution created an element of engagement. There was a sense of ownership that the team had in thinking through this.” (Jeff Previte, CrossCountry Mortgage)

CrossCountry Mortgage

• Executive time: CIO spends 10-20% of his time on activities related to designing the approach.
• Leveraged memberships with Info-Tech Research Group and McLean & Company to define professional development process.
• Internal IT develops automated workflow in Salesforce.
• Hired additional IT staff to build out overall capacity and create time for development activities.

Outcomes at CrossCountry Mortgage

Engaged IT workforce

The Great Maturation: IT staff turnover rate dropped to 10-12% and IT talent is developing on the job to improve the department’s overall skill level. More IT staff on hand and more engaged workers mean IT can deliver higher maturity level results.

Alignment achieved: Connecting IT’s initiatives to the vision of the C-suite creates a clear purpose for IT in its initiatives. Staff understand what they need to achieve to progress their careers and can grow while they work.

Employees from CrossCountry Mortgage headquarters assist with a drive-thru distribution event for the Cleveland Food Bank on Dec. 17, 2021. (Image courtesy of CrossCountry Mortgage.)

From Priorities to Action

Staff retention is a leadership priority

The Great Resignation trend is bringing attention to employee engagement and staff retention. IT departments are busier than ever during the pandemic as they work overtime to keep up with a remote workforce and new security threats. At the same time, IT talent is among the most coveted on the market.

CIOs need to develop a people-first approach to improve the employee experience. Beyond compensation, IT workers need clarity in terms of their career paths, a direct connection between their work and the goals of the organization, and time set aside for professional development.

Info-Tech’s 2021 benchmark for “Leadership, Culture & Values” shows that most organizations rate this capability very highly (9) but see room to improve on their effectiveness (6.9).

Take the next step

IT Talent Trends 2022
See how IT talent trends are shifting through the pandemic and understand how themes like The Great Resignation has impacted IT.

McLean & Company’s Modernize Performance Management
Customize the building blocks of performance management to best fit organizational needs to impact individual and organizational performance, productivity, and engagement.

Redesign Your IT Organizational Structure
Define future-state work units, roles, and responsibilities that will enable the IT organization to complete the work that needs to be done.

“Leadership, Culture & Values” gap between importance and effectiveness
Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

Design an automation platform

Priority 04 | APO04 Innovation

Position yourself to buy or build a platform that will enable new automation opportunities through seamless integration.

Build it or buy it, but platform integration can yield great benefits

Necessity is the mother of innovation

When it’s said that digital transformation accelerated during the pandemic, what’s really meant is that processes that were formerly done manually became automated through software. In responses to the Tech Trends survey, CIOs say digital transformation was more of a focus during the pandemic, and eight in ten CIOs also say they shifted more than 20% of their organization’s processes to digital during the pandemic. Automating tasks through software can be called digitalization.

Most organizations became more digitalized during the pandemic. But how they pursued it depends on their IT maturity. For digital laggards, partnering with a technology services platform is the path of least resistance. For sophisticated innovators, they can consider building a platform to address the specific needs of their business process. Doing so requires the foundation of an existing “digital factory” or innovation arm where new technologies can be tested, proofs of concept developed, and external partnerships formed. Patience is key with these efforts, as not every investment will yield immediate returns and some will fail outright.

Build it or buy it, platform participants integrate with their existing systems through application programming interfaces (APIs). Organizations should determine their platform strategies based on maturity, then look to integrate the business processes that will yield the most gains.

What role should you play in the platform ecosystem?

68% of CIOs say digital transformation became much more of a focus for their organization during the pandemic (Info-Tech Tech Trends 2022 Survey)

Bob Crozier Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE "Smart contracts are really just workflows between counterparties."

Listen to the Tech Insights podcast:
How Allianz took a blockchain platform from pilot to 1 million transactions

Internal interpretation: Allianz Technology

• 2015

  After smart contracts are demonstrated on the Ethereum blockchain, Allianz and other insurers recognize the business value. There is potential to use the capability to administer a complex, multi-party contract where the presence of the reinsurer in the risk transfer ecosystem is required. Manual contracts could be turned into code and automated. Allianz organized an early proof of concept around a theoretical pandemic excessive loss contract.

• 2018

  Allianz Chief Architect Bob Crozier is leading the Global Blockchain Center of Competence for Allianz. They educate Allianz on the value of blockchain for business. They also partner with a joint venture between the Technology University of Munich and the state of Bavaria. A cohort of Masters students is looking for real business problems to solve with open-source distributed ledger technology. Allianz puts its problem statement in front of the group. A student team presents a proof of concept for an international motor insurance claims settlement and it comes in second place at a pitch day competition.

• 2019

  Allianz brings the concept back in-house, and its business leaders return to the concept. Startup Luther Systems is engaged to build a minimum-viable product for the solution, with the goal being a pilot involving three or four subsidiaries in different countries. The Blockchain Center begins communicating with 25 Allianz subsidiaries that will eventually deploy the platform.

• 2020

  Allianz is in build mode on its international motor insurance claims platform. It leverages its internal Dev/SecOps teams based in Munich and in India.

• May 2021

  Allianz goes live with its new platform on May 17, decommissioning its old system and migrating all live claims data onto the new blockchain platform. It sees 400 concurrent users go live across Europe.

• January 2022

  Allianz mines its one-millionth block to its ledger on Jan. 19, with each block representing a peer-to-peer transaction across its 25 subsidiaries in different countries. The platform has settled hundreds of millions of dollars.

Implications: Organization, Process, Technology

External

• Organization – To explore emerging technologies like blockchain, organizations need staff that are accountable for innovation and have leeway to develop proofs of concept. External partners are often required to bring in fresh ideas and move quickly towards an MVP.
• Process – According to the Tech Trends 2022 survey, 84% of CIOs consider automation a high-value digital capability, and 77% say identity verification is a high-value capability. A blockchain platform using smart contracts can deliver those.
• Technology – The Linux Foundation’s Hyperledger Fabric is an open-source blockchain technology that’s become popular in the financial industry for its method of forming consensus and its modular architecture. It’s been adopted by USAA, MasterCard, and PayPal. It also underpins the IBM Blockchain Platform and is supported by Azure Blockchain.

Internal

• Organization – Allianz is a holding company that owns Allianz Technology and 25 operating entities across Europe. It uses the technology arm to innovate on the business process and creates shared platforms that its entities can integrate with to automate across the value chain.
• Process – Initial interest in smart contracts on blockchain were funneled into a student competition, where a proof of concept was developed. Allianz partnered with a startup to develop an MVP, then developed the platform while aligning with its business units ahead of launch.
• Technology – Allianz built its blockchain platform on Hyperledger Fabric because it was a permissioned system, unlike other public permissionless blockchains such as Ethereum, and because its mining mechanism was much more energy efficient compared to other blockchains using Proof of Work consensus models.

Resources Applied

Time to innovate

Exploring emerging technology for potential use cases is difficult for staff tasked with running day-to-day operations. Organizations serious about innovation create a separate team that can focus on “moonshot” projects and connect with external partners.

Long-term ROI

Automation of new business processes often requires a high upfront initial investment for a long-term efficiency gain. A proof of concept should demonstrate clear business value that can be repeated often and for a long period.

“My next project has to deliver in the tens of millions of value in return. The bar is high and that’s what it should be for a business of our size.” (Bob Crozier, Allianz)

Allianz

• Several operating entities from different countries supplied subject matter expertise and helped with the testing process.
• Allianz Technology team has eight staff members. It is augmented by Luther Systems and the team at industry group B3i.
• Funding of less than $5 million to develop. Dev team continues to add improvements.
• Operating requires just one full-time employee plus infrastructure costs, mostly for public cloud hosting.

Outcomes at Allianz

From insurer to platform provider

Deliver your own SaaS: Allianz Technology built its blockchain-based claims settlement platform and its subsidiaries consume it as software as a service. The platform runs on a distributed architecture across Europe, with each node running the same version of the software. Operating entities can also integrate their own systems to the platform via APIs and further automate business processes such as billing.

Ready to scale: After processing one million transactions, the international claims settlement platform is proven and ready to add more participants. Crozier sees auto repair shops and auto manufacturers as the next logical users.

Allianz is a shareholder of the Blockchain Insurance Industry Initiative (B3i). It is providing a platform used by a group of insurance companies in the commercial and reinsurance space.

When should we use blockchain? THREE key criteria:

• Redundant processes
  Different entities follow the same process to achieve the desired outcome.
• Audit trail
  Accountability in the decision making must be documented.
• Reconciliation
  Parties need to be able to resolve disputes by tracing back to the truth.

From Priorities to Action

It’s a build vs. buy question for platforms

Allianz was able to build a platform for its group of European subsidiaries because of its established digital factory and commitment to innovation. Allianz Technology is at the “innovate” level of IT maturity, allowing it to create a platform that subsidiaries can integrate with via APIs. For firms that are lower on the IT maturity scale, buying a platform solution is the better path to automation. These firms will be concerned with integrating their legacy systems to platforms that can reduce the friction of their operating environments and introduce modern new capabilities.

From Info-Tech’s Build a Winning Business Process Automation Playbook

Take the next step

Accelerate Your Automation Processes
Integrate automation solutions and take the first steps to building an automation suite.

Build Effective Enterprise Integration on the Back of Business Process
From the backend to the frontlines – let enterprise integration help your business processes fly.

Evolve Your Business Through Innovation
Innovation teams are tasked with the responsibility of ensuring that their organizations are in the best position to succeed while the world is in a period of turmoil, chaos, and uncertainty.

“Innovation” gap between importance and effectiveness Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

Prepare to report on new environmental, social, and governance (ESG) metrics

Priority 05 | ITRG06 Business Intelligence and Reporting

Be ready to either lead or support initiatives to meet the criteria of new ESG reporting mandates and work toward disclosure reporting solutions.

Time to get serious about ESG

What does CSR or ESG mean to a CIO?

Humans are putting increasing pressure on the planet’s natural environment and creating catastrophic risks as a result. Efforts to mitigate these risks have been underway for the past 30 years, but in the decade ahead regulators are likely to impose more strict requirements that will be linked to the financial value of an organization. Various voluntary frameworks exist for reporting on environmental, social, and governance (ESG) or corporate social responsibility (CSR) metrics. But now there are efforts underway to unify and clarify those standards.

The most advanced effort toward a global set of standards is in the environmental area. At the United Nations’ COP26 summit in Scotland last November, the International Sustainability Standards Board (ISSB) announced its headquarters (Frankfurt) and three other international office locations (Montreal, San Francisco, and London) and its roadmap for public consultations. It is working with an array of voluntary standards groups toward a consensus.

In Info-Tech’s 2022 Tech Trends survey, two-thirds of CIOs say their organization is committed to reducing greenhouse gas emissions, yet only 40% say their organizational leadership is very concerned with reducing those emissions. CIOs will need to consider how to align organizational concern with internal commitments and new regulatory pressures. They may investigate new real-time reporting solutions that could serve as a competitive differentiator on ESG.

Standards informing the ISSB’s global set of climate standards

67% of CIOs say their organization is committed to reducing greenhouse gases, with one-third saying that commitment is public. (Info-Tech Tech Trends 2022 Survey)

40% of CIOs say their organizational leadership is very concerned with reducing greenhouse gas emissions.

David W. Dorman Chairman of the board, CVS Health “ESG is a question of what you do in the microcosm of your company to make sure there is a clear, level playing field – that there is a color-blind, gender-blind meritocracy available – that you are aware that not in every case can you achieve that without really focusing on it. It’s not going to happen on its own. That’s why our commitments have real dollars behind them and real focus behind them because we want to be the very best at doing them.”

Listen to the Tech Insights podcast:
CVS Health chairman David Dorman on healthcare's hybrid future

Internal interpretation: CVS Health

CVS Health established a new steering committee of senior leaders in 2020 to oversee ESG commitments. It designs its corporate social responsibility strategy, Transform Health 2030, by aligning company activities in four key areas: healthy people, healthy business, healthy planet, and healthy community. The strategy aligns with the United Nations’ Sustainable Development Goals. In alignment with these goals, CVS identifies material topics where the company has the most ability to make an impact. In 2020, its top three topics were:

1. Access to quality health care
2. Patient and customer safety
3. Data protection and privacy

Implications: Organization, Process, Technology

External

• Organization – Since the mid-2010s, younger investors have demonstrated reliance on ESG data when making investment decisions, resulting in the creation of voluntary standards that offered varied approaches. Organizations in ESG exchange-traded funds are outperforming the overall S&P 500 (S&P Global Market Intelligence).
• Process – Organizations are issuing ESG reports today despite the absence of clear rules to follow for reporting results. With regulators expected to step in to establish more rigid guidelines, many organizations will need to revisit their approach to ESG reports.
• Technology – Real-time reporting of ESG metrics will become a competitive advantage before 2030. Engineering a solution that can alert organizations to poor performance on ESG measures and allow them to respond could avert losing market value.

Internal

• Organization – CVS Health established an ESG Steering Committee in 2020 composed of senior leaders including its chief governance officers, chief sustainability officer, chief risk officer, and controller and SVP of investor relations. It is supported by the ESG Operating Committee.
• Process – CVS conducts a materiality assessment in accordance with Global Reporting Initiative standards to determine the most significant ESG impacts it can make and what topics most influence the decisions of stakeholders. It engages with various stakeholder groups on CSR topics.
• Technology – CVS technology initiatives during the pandemic focused on supporting patients and employees in collaborating on health care delivery using virtual solutions, providing rich digital experiences that are easily accessible while upholding high security and privacy standards.

Resources Applied

Lack of commitment

While 83% of businesses state support for the Sustainable Development Goals outlined by the Global Reporting Initiative (GRI), only 40% make measurable commitments to their goals.

Show your work

The GRI recommends organizations not only align their activities with sustainable development goals but also demonstrate contributions to specific targets in reporting on the positive actions they carry out. (GRI, “State of Progress: Business Contributions to the SDGS.”)

“We end up with a longstanding commitment to diversity because that’s what our customer base looks like.” (David Dorman, CVS Health)

CVS Health

• The MinuteClinic Virtual Collaboration solution was piloted in Houston, demonstrated success, and won additional $50,000 funding from the Pathway to Excellence Award to scale the program across the country (Wolters Kluwer Health, Inc.).
• The Next-Gen Authentication solution is provided by the vendor HYPR. It is deployed to ten million users and looking to scale to 30 million more. Pricing for enterprises is quoted at $1 per user, but volume pricing would apply to CVS (HYPR).

Outcomes at CVS Health

Delivering on hybrid healthcare solutions

iPads for collaboration: Healthcare practitioners in the MinuteClinic Virtual Collaboration initiative agreed that it improved the use of interprofessional teams, working well virtually with others, and improved access to professional resources (Wolters Kluwer Health, Inc.)

Remote healthcare: Saw a 400% increase in MinuteClinic virtual visits in 2020 (CVS Health).

Verified ID: The Next Generation Authentication platform allowed customers to register for a COVID-19 vaccination appointment. CVS has delivered more than 50 million vaccines (LinkedIn).

CVS Health is making use of digital channels to connect its customers and health practitioners to a services platform that can supplement visits to a retail or clinic location to receive diagnostics and first-hand care.

From Priorities to Action

Become your organization’s ESG Expert

The risks posed to organizations and wider society are becoming more severe, driving a transition from voluntary frameworks for ESG goals to a mandatory one that’s enforced by investors and governments. Organizations will be expected to tie their core activities to a defined set of ESG goals and maintain a balance sheet of their positive and negative impacts. CIOs should become experts in ESG disclosure requirements and recommend the steps needed to meet or exceed competitors’ efforts. If a leadership vacuum for ESG accountability exists, CIOs can either seek to support their peers that are likely to become accountable or take a leadership role in overseeing the area. CIOs should start working toward solutions that deliver real-time reporting on ESG goals to make reporting frictionless.

“If you don’t have ESG oversight at the highest levels of the company, it won’t wind up getting the focus. That’s why we review it at the Board multiple times per year. We have an annual report, we compare how we did, what we intended to do, where did we fall short, where did we exceed, and where we can run for daylight to do more.” (David Dorman, CVS Health)

Take the next step

ESG Disclosures: How Will We Record Status Updates on the World We Are Creating?
Prepare for the era of mandated environmental, social, and governance disclosures.

Private Equity and Venture Capital Growing Impact of ESG Report
Learn about how the growing impact of ESG affects both your organization and IT specifically, including challenges and opportunities, with expert assistance.

“Business Intelligence and Reporting” gap between importance and effectiveness
Info-Tech Research Group Management and Governance Diagnostic Benchmark 2021

The Five Priorities

Priorities to compete in the digital economy

1. Reduce Friction in the Hybrid Operating Model
2. Improve Your Ransomware Readiness
3. Support an Employee-Centric Retention Strategy
4. Design an Automation Platform
5. Prepare to Report on New Environmental, Social, and Governance Metrics

Contributing Experts

Elizabeth Clark CIO, Harvard Business School			Jeff Previte Executive Vice-President of IT, CrossCountry Mortgage
Bob Crozier Chief Architect, Allianz Technology & Global Head of Blockchain, Allianz Technology SE			David W. Dorman Chairman of the Board, CVS Health

Info-Tech’s internal CIO panel contributors

Bryan Tutor John Kemp Mike Schembri Janice Clatterbuck Sandy Silk Sallie Wright David Wallace Ken McGee Mike Tweedie Cole Cioran Kevin Tucker Angelina Atkins Yakov Kofner

Thank you for your support

Blockchain Research Institute

Bibliography – CIO Priorities 2022

“2020 Corporate Social Responsibility Report.” CVS Health, 2020, p. 127. Web.

“Adversary: Doppel Spider - Threat Actor.” Crowdstrike Adversary Universe, 2021. Accessed 29 Dec. 2021.

“Aetna CVS Health Success Story.” HYPR, n.d. Accessed 6 Feb. 2022.

Baig, Aamer. “The CIO agenda for the next 12 months: Six make-or-break priorities.” McKinsey Digital, 1 Nov. 2021. Web.

Ball, Sarah, Kristene Diggins, Nairobi Martindale, Angela Patterson, Anne M. Pohnert, Jacinta Thomas, Tammy Todd, and Melissa Bates. “2020 ANCC Pathway Award® winner.” Wolters Kluwer Health, Inc., 2021. Accessed 6 Feb. 2022.

“Canadian Universities Propose Designs for a Central Bank Digital Currency.” Bank of Canada, 11 Feb. 2021. Accessed 14 Dec. 2021.

“Carbon Sequestration in Wetlands.” MN Board of Water and Soil Resources, n.d. Accessed 15 Nov. 2021.

“CCM Honored as a NorthCoast 99 Award Winner.” CrossCountry Mortgage, 1 Dec. 2021. Web.

Cheek, Catherine. “Four Things We Learned About the Resignation Wave–and What to Do Next.” Visier Inc. (blog), 5 Oct. 2021. Web.

“Companies Using Hyperledger Fabric, Market Share, Customers and Competitors.” HG Insights, 2022. Accessed 25 Jan. 2022.

“IFRS Foundation Announces International Sustainability Standards Board, Consolidation with CDSB and VRF, and Publication of Prototype Disclosure Requirements.” IFRS, 3 Nov. 2021. Web.

“IT Priorities for 2022: A CIO Report.” Mindsight, 28 Oct. 2021. Web.

“Job Openings and Labor Turnover Survey.” Databases, Tables & Calculators by Subject, U.S. Bureau of Labor Statistics, 2022. Accessed 9 Feb. 2022.

Kumar, Rashmi, and Michael Krigsman. “CIO Planning and Investment Strategy 2022.” CXOTalk, 13 Sept. 2021. Web.

Leonhardt, Megan. “The Great Resignation Is Hitting These Industries Hardest.” Fortune, 16 Nov. 2021. Accessed 7 Jan. 2022.

“Most companies align with SDGs – but more to do on assessing progress.” Global Reporting Initiative (GRI), 17 Jan. 2022. Web.

Navagamuwa, Roshan. “Beyond Passwords: Enhancing Data Protection and Consumer Experience.” LinkedIn, 15 Dec. 2020.

Ojo, Oluwaseyi. “Achieving Digital Business Transformation Using COBIT 2019.” ISACA, 19 Aug. 2019. Web.

“Priority.” Lexico.com, Oxford University Press, 2021. Web.

Riebold, Jan, and Yannick Bartens. “Reinventing the Digital IT Operating Model for the ‘New Normal.’” Capgemini Worldwide, 3 Nov. 2020. Web.

Samuels, Mark. “The CIO’s next priority: Using the tech budget for growth.” ZDNet, 1 Sept. 2021. Accessed 1 Nov. 2021.

Sayer, Peter. “Exclusive Survey: CIOs Outline Tech Priorities for 2021-22.” CIO, 5 Oct. 2021. Web.

Shacklett, Mary E. “Where IT Leaders Are Likely to Spend Budget in 2022.” InformationWeek, 10 Aug. 2021. Web.

“Table 4. Quits Levels and Rates by Industry and Region, Seasonally Adjusted - 2021 M11 Results.” U.S. Bureau of Labor Statistics, Economic News Release, 1 Jan. 2022. Accessed 7 Jan. 2022.

“Technology Priorities CIOs Must Address in 2022.” Gartner, 19 Oct. 2021. Accessed 1 Nov. 2021.

Thomson, Joel. Technology, Talent, and the Future Workplace: Canadian CIO Outlook 2021. The Conference Board of Canada, 7 Dec. 2021. Web.

“Trend.” Lexico.com, Oxford University Press, 2021. Web.

Vellante, Dave. “CIOs signal hybrid work will power tech spending through 2022.” SiliconANGLE, 25 Sept. 2021. Web.

Whieldon, Esther, and Robert Clark. “ESG funds beat out S&P 500 in 1st year of COVID-19; how 1 fund shot to the top.” S&P Global Market Intelligence, April 2021. Accessed Dec. 2021.

Define a Release Management Process for Your Applications to Deliver Lasting Value

Use your releases to drive business value and enhance the benefits delivered by your move to Agile.

Analyst Perspective

Improving your release management strategy and practices is a key step to fully unlock the value of your portfolio.

As firms invest in modern delivery practices based around product ownership, Agile, and DevOps, organizations assume that’s all that is necessary to consistently deliver value. As organizations continue to release, they continue to see challenges delivering applications of sufficient and consistent quality.

Delivering value doesn’t only require good vision, requirements, and technology. It requires a consistent and reliable approach to releasing and delivering products and services to your customer. Reaching this goal requires the definition of standards and criteria to govern release readiness, testing, and deployment.

This will ensure that when you deploy a release it meets the high standards expected by your clients and delivers the value you have intended.

Dr. Suneel Ghei

Principal Research Director, Application Development

Info-Tech Research Group

Executive Summary

Your Challenge

• Your software platforms are a key enabler of your brand. When there are issues releasing, the brand suffers. Client confidence and satisfaction erode.
• Your organization has invested significant capital in creating a culture of product ownership, Agile, and DevOps. Yet the benefits from these investments are not yet fully realized.
• Customers have more choices than ever when it comes to products and services. They require features and capabilities delivered quickly, consistently, and of sufficient quality, otherwise they will look elsewhere.

Common Obstacles

• Development teams are moving faster but then face delays waiting for testing and deployment due to a lack of defined release cycle and process.
• Individual stages in your software development life cycle (SDLC), such as code collaboration, testing, and deployment, have become leaner, but the overall complexity has increased since many products and services are composed of many applications, platforms, and processes.
• The specifics of releasing products is (wrongly) classified as a technical concern and not a business concern, hindering the ability to prioritize improved release practices.

Info-Tech's Approach

• Develop a release management framework that efficiently and effectively orchestrates the different functions supporting a software’s release.
• Use the release management framework and turn release-related activities into non-events.
• Use principles of continuous delivery for converting your release processes from an overarching concern to a feature of a high-performing software practice.

Executive Summary

Info-Tech Insights

Turn release-related activities into non-events.

Eliminate the need for dedicating time for off-hour or weekend release activities. Use a release management framework for optimizing release-related tasks, making them predictable and of high quality.

Release management is NOT a part of the software delivery life cycle.

The release cycle runs parallel to the software delivery life cycle but is not tightly coupled with it. The act of releasing begins at the point requirements are confirmed and ends when user satisfaction is measurable. In contrast, the software delivery life cycle is focused on activities such as building, architecting, and testing.

All releases are NOT created equal.

Barring standard guiding principles, each release may have specific nuances that need to be considered as part of release planning.

Your release management journey

1. Optimize Applications Release Management - Set a baseline release management process and organization.
2. Modernize Your SDLC - Move your organization to Agile and increase throughput to feed releases.
3. Deliver on Your Digital Product Vision - Understand the practices that go into delivering products, including articulating your release plans.
4. Automate Testing to Get More Done - Create the ability to do more testing quickly and ensure test coverage.
5. Implement DevOps Practices That Work - Build in tools and techniques necessary for release deployment automation.
6. Define a Release Management Process to Deliver Lasting Value (We Are Here)

Define a Release Management Process for Your Applications to Deliver Lasting Value

Use your releases to drive business value and enhance the benefits delivered by your move to Agile.

Executive Brief

Your software delivery teams are expected to deliver value to stakeholders in a timely manner and with high quality

Software delivery teams must enable the organization to react to market needs and competitive changes to improve the business’ bottom line. Otherwise, the business will question the team’s competencies.

The business is constantly looking for innovative ways to do their jobs better and they need support from your technical teams.

The increased stress from the business is widening the inefficiencies that already exist in application release management, risking poor product quality and delayed releases.

Being detached from the release process, business stakeholders do not fully understand the complexities and challenges of completing a release, which complicates the team’s communication with them when issues occur.

IT Stakeholders Are Also Not Satisfied With Their Own Throughput

• Only 29% of IT employees find application development throughput highly effective.
• Only 9% of organizations were classified as having highly effective application development throughput.
• Application development throughput ranked 37th out of 45 core IT processes in terms of effectiveness.

(Info-Tech’s Management and Governance Diagnostic, N=3,930)

Your teams, however, struggle with core release issues, resulting in delayed delivery (and disappointed stakeholders)

Implementing tools on top of an inefficient pipeline can significantly magnify the existing release issues. This can lead to missed deadlines, poor product quality, and business distrust with software delivery teams.

COMMON RELEASE ISSUES

1. Local Thinking: Release decisions and changes are made and approved without consideration of the holistic system, process, and organization.
2. No Release Cadence: Lack of process governance and oversight generates unpredictable bottlenecks and load and ill-prepared downstream teams.
3. Mismanagement of Releases: Program management does not accommodate the various integrated releases completed by multiple delivery teams.
4. Poor Scope Management: Teams are struggling to effectively accommodate changes during the project.

The bottom line: The business’ ability to operate is dictated by the software delivery team’s ability to successfully complete releases. If the team performs poorly, then the business will do poorly as well. Application release management is critical to ensure business expectations are within the team’s constraints.

“As software becomes more embedded in the business, firms are discovering that the velocity of business change is now limited by how quickly they can deploy.” – Five Ways To Streamline Release Management, J.S. Hammond

Historically, managing releases has been difficult and complicated…

Typically, application release management has been hard to coordinate because…

• Software has multiple dependencies and coordinating their inclusion into a deployable whole was not planned.
• Teams many be spending too much time on features that are not needed any longer.
• Software development functions (such as application architecture, test-first or test-driven design, source code integration, and functional testing) are not optimized.
• There are no agreed upon service-level contracts (e.g. expected details in requirements, adequate testing, source control strategy) between development functions.
• The different development functions are not integrated in a holistic style.
• The different deployment environments have variability in their configuration, reducing the reliability of testing done in different environments.
• Minimum thresholds for acceptable quality of development functions are either too low (leading to adverse outcomes down stream) or too high (leading to unnecessary delays).

…but research shows being effective at application release management increases your throughput

Research conducted on Info-Tech's members shows overwhelming evidence that application throughput is strongly tied to an effective application release management approach.

(Info-Tech Management & Governance Diagnostic, since 2019; N=684 organizations)

An application release management framework is critical for effective and timely delivery of software

A well-developed application release management framework is transformative and changes...

Info-Tech Insight: Your application release management framework should turn a system release into a non-event. This is only possible through the development of a holistic, low-risk and standardized approach to releasing software, irrespective of their size or complexity.

Robust continuous “anything” requires proficiency in five core practices

A continuous anything evaluation should not be a “one-and-done” event. As part of ongoing improvements, keep evolving it to make it a fundamental component of a strong operational strategy.

Continuous Anything

• Automate where appropriate
  • Automation is not a silver bullet. All processes are not created equal; and therefore, some are not worthy of being automated.
• Control system variables
  • Deploying and testing in environments that are apple to apple in comparison reduces the risk of unintended outcomes from production release.
• Measure process outcomes
  • A process not open to being measured is a process bound to fail. If it can be measured, it should be, and insights found should be used for improving the system.
• Select smaller features batches
  • Smaller release packages reduce the chances of cognitive load associated with finding root causes for defects and issues that may result as post-production incidents.
• Reduction of cycle time
  • Identification of waste in each stage of the continuous anything process helps in lowering cost of operations and results in quicker generation of value for stakeholders.

Invest time in developing an application release management framework for your development team(s) with a continuous anything mindset

An application release management framework converts a set of features and make them ready for releasability in a low-risk, standardized, and high-quality process.

A continuous anything (integration, delivery, and deployment) mindset is based on a growth and improvement philosophy, where every event is considered a valid data point for investigation of process efficiency.

Diagram adapted from Continuous Delivery in the Wild, Pete Hodgson, Published by O'Reilly Media, Inc., 2020

Related Info-Tech Research

Streamline Application Maintenance

• Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
• Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance request to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
• Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

“Releasability” (or release criteria) of a system depends upon the inclusion of necessary building blocks and proof that they were worked on

There is no standard definition of a system’s releasability. However, there are common themes around completions or assessments that should be investigated as part of a release:

• The range of performance, technical, or compliance standards that need to be assessed.
• The full range of test types required for business approval: unit tests, acceptance tests, security test, data migration tests, etc.
• The volume-criticality mix of defects the organization is willing to accept as a risk.
• The best source and version control strategy for the development team. This is mostly a function of the team's skill with using release branches and coordinating their work artifacts.
• The addition of monitoring points and measures required for evaluations and impact analysis.
• The documentation required for audit and compliance.
• External and internal dependencies and integrations.
• Validations, approvals, and sign-offs required as part of the business’ operating procedure.
• Processes that are currently carried out outside and should be moved into the pipeline.
• Manual processes that may be automated.
• Any waste activities that do not directly contribute to releasability that can be eliminated from the development process.
• Knowledge the team has regarding challenges and successes with similar software releases in the past.

Releasability of a system is different than governing principles for application release management

Governing principles are fundamental ways of doing something, which in this case is application release management, while releasability will generally have governing principles in addition to specific needs for a successful release.

Example of Governing Principles

• Approval from Senior Director is necessary before releasing to production
• Production deployments can only be done in off-hours
• We will try to automate processes whenever it is possible for us to do so
• We will use a collaborative set of metrics to measure our processes

Examples of Releasability Criteria

• For the upcoming release, add performance testing for Finance and Budget Teams’ APIs
• Audit and compliance documentation is required for this release
• Automation of manual deployment
• Use trunk-based source code management instead of feature-based

Regulated industries are not more stable despite being less nimble

A pervasive myth in industry revolves around the misperception that continuous anything and nimble and non-event application release management is not possible in large bureaucratic and regulated organizations because they are risk-averse.

"We found that external approvals were negatively correlated with lead-time, deployment frequency and restore time, and had no correlation with change failure rate. In short, approval by an external body (such as a manager or Change Approval Board) simply doesn’t work to increase the stability of production systems…However, it certainly slows things down. It is in fact worse than having no change approval process at all." – Accelerate by Gene Kim, Jez Humble, and Nicole Forsgren

Many organizations reduce risk in their product release by adopting a paternalistic stance by:

• Requiring manual sign-offs from senior personnel who are external to the organization.
• Increasing the number and level of authorization gates.
• Staying away from change and preferring to stick with what has worked in the past.

Despite the prevalence of these types of responses to risk, the evidence is that they do not work and are in fact counter-productive because they:

• Create blocks to frequent releases.
• Introduce procedural complexity to each release and in effect make them “bigger.”
• Prefer process over people (and trusting them). Increase non-value-add scrutiny and reporting.

There is a persistent misunderstanding about continuous anything being only an IT engineering practice

01

At the enterprise level, continuous anything focuses on:

• Visibility of final value being provided in a high-quality and expedited manner
• Ensuring efficiency in the organization’s delivery framework
• Ensuring adherence to established governance and risk mitigation strategy

02

Focus of this blueprint

At the product level, continuous anything focuses on:

• Reliability of the product delivery system
• Use of scientific evidence for continuous improvement of the product’s delivery system
• Orchestration of different artifacts into a single whole

03

At the functional level, continuous anything focuses on*:

• Local functional optimization (functions = software engineering, testing, application design)
• Automation of local functions
• Use of patterns for standardizing inputs and functional areas

*Where necessary, practices at this level have been mentioned.

Related Info-Tech Research

Implement DevOps Practices That Work

• Be DevOps, rather than do DevOps. DevOps is a philosophy, not an industry framework. Your organization’s culture must shift toward system-wide thinking, cross-function collaboration, and empathy.
• Culture, learning, automation, integrated teams, and metrics and governance (CLAIM) are all critical components of effective DevOps.

Automate Testing to Get More Done

• Optimize and automate SDLC stages to recover team capacity. Recognize that automation without optimization is a recipe for long-term pain. Do it right the first time.
• Optimization and automation are not one-hit wonders. Technical debt is a part of software systems and never goes away. The only remedy is constant vigilance and enhancements to the processes.

The seeds of a good release are sown even before work on it begins

Pre-release practices such as requirements intake and product backlog management are important because:

• A standard process for documentation of features and requirements helps reduce “cognitive dissonance” between business and technology teams. Clearly articulated and well-understood business needs are fundamental ingredients of a high-quality product.
• Product backlog management done right ensures the prioritized delivery of value to stakeholders. Features can become stale or get a bump in importance, depending upon evolving circumstances. Prioritizing the backlog is, therefore, critical for ensuring time, effort, and budget are spent on things that matter.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

EXECUTIVE BRIEF

Drive Successful Sourcing Outcomes with a Robust RFP Process

Lack of RFP Process Causes... Stress Confusion Frustration Directionless Exhaustion Uncertainty Disappointment	Solution: RFP Process			Best value solutions Right-sized solutions Competitive Negotiations Better requirements that feed negotiations Internal alignment on requirements and solutions Vendor Management Governance Plan
	Requirements Risk Legal Support Security Technical Commercial Operational Vendor Management Governance	Templates, Tools, Governance RFP Template Your Contracts RFP Procedures Pricing Template Evaluation Guide Evaluation Matrix	Vendor Management Scorecards Classification Business Review Meetings Key Performance Indicators Contract Management Satisfaction Survey

Analyst Perspective

Consequences of a bad RFP

“A bad request for proposal (RFP) is the gift that keeps on taking – your time, your resources, your energy, and your ability to accomplish your goal. A bad RFP is ineffective and incomplete, it creates more questions than it answers, and, perhaps most importantly, it does not meet your organization’s expectations.”

Steven Jeffery
Principal Research Director, Vendor Management
Co-Author: The Art of Creating a Quality RFP
Info-Tech Research Group

Executive Summary

Your Challenge

• Most IT organizations are absent of standard RFP templates, tools, and processes.
• Many RFPs lack sufficient requirements from across the business (Legal, Finance, Security, Risk, Procurement, VMO).
• Most RFP team members are not adequately trained on RFP best practices.
• Most IT departments underestimate the amount of time required to perform an effective RFP.
• An ad hoc sourcing process is a common recipe for vendor performance failure.

Common Obstacles

• Lack of time
• Lack of resources
• Right team members not engaged
• Poorly defined requirements
• Too difficult to change supplier
• Lack of a process
• Lack of adequate tools/processes
• Lack of a vendor communications plan that includes all business stakeholders.
• Lack of consensus as to what the ideal result should look like.

Info-Tech’s Approach

• Establish a repeatable, consistent RFP process that maintains negotiation leverage and includes all key components.
• Create reusable templates to expedite the RFP evaluation and selection process.
• Maximize the competition by creating an equal and level playing field that encourages all the vendors to respond to your RFP.
• Create a process that is clear and understandable for both the business unit and the vendor to follow.
• Include Vendor Management concepts in the process.

Info-Tech Insight

A well planned and executed sourcing strategy that focuses on solid requirements, evaluation criteria, and vendor management will improve vendor performance.

Executive Summary

Your Challenge

Your challenge is to determine the best sourcing tool to obtain vendor information on capabilities, solution(s), pricing and contracting: RFI, RFP, eRFX.

Depending on your organization’s knowledge of the market, your available funding, and where you are in the sourcing process, there are several approaches to getting the information you need.

An additional challenge is to answer the question “What is the purpose of our RFX?”

If you do not have in-depth knowledge of the market, available solutions, and viable vendors, you may want to perform an RFI to provide available market information to guide your RFP strategy.

If you have defined requirements, approved funding, and enough time, you can issue a detailed, concise RFP.

If you have “the basics” about the solution to be acquired and are on a tight timeframe, an “enhanced RFI” may fit your needs.

This blueprint will provide you with the tools and processes and insights to affect the best possible outcome.

Executive Summary

Common Obstacles

• Lack of process/tools
• Lack of input from stakeholders
• Stakeholders circumventing the process to vendors
• Vendors circumventing the process to key stakeholders
• Lack of clear, concise, and thoroughly articulated requirements
• Waiting until the vendor is selected to start contract negotiations
• Waiting until the RFP responses are back to consider vendor management requirements
• Lack of clear communication strategy to the vendor community that the team adheres to

Many organizations underestimate the time commitment for an RFP

Why Vendors Don’t Like RFPs

Negative effects on your organization from a lack of RFP process

Stress, because roles and responsibilities aren’t clearly defined and communication is haphazard, resulting in strained relationships. Confusion, because you don’t know what the expected or desired results are. Directionless, because you don’t know where the team is going. Uncertainty, with many questions of your own and many more from other team members. Frustration, because of all the questions the vendors ask as a result of unclear or incomplete requirements. Exhaustion, because reviewing RFP responses of insufficient quality is tedious. Disappointment in the results your company realizes. (Source: The Art of Creating a Quality RFP)

Info-Tech’s approach

Develop an inclusive and thorough approach to the RFP Process

The Info-Tech difference:

1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a predetermined due date.

Insight Summary

Overarching insight

Without a well defined, consistent RFP process, with input from all key stakeholders, the organization will not achieve the best possible results from its sourcing efforts.

Phase 1 insight

Vendors are choosing to not respond to RFPs due to their length and lack of complete requirements.

Phase 2 insight

Be clear and concise in stating your requirements and include, in addition to IT requirements, procurement, security, legal, and risk requirements.

Phase 3 insight

Consider adding vendor management requirements to manage the ongoing relationship post contract.

Tactical insight

Consider the RFP Evaluation Process as you draft the RFP, including weighting the RFP components. Don’t underestimate the level of effort required to effectively evaluate responses – write the RFP with this in mind.

Tactical insight

Provide strict, prescriptive instructions detailing how the vendor should submit their responses. Controlling vendor responses will increase your team’s efficiency in evaluations while providing ease of reference responses across multiple vendors.

Key deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverables: Info-Tech provides you with the tools you need to go to market in the most efficient manner possible, with guidance on how to achieve your goals.	Long-Form RFP Template For when you have complete requirements and time to develop a thorough RFP.		Short-Form RFP Template When the requirements are not as extensive, time is short, and you are familiar with the market.
	Lean RFP Template When you have limited time and some knowledge of the market and wish to include only a few vendors.		Excel-Form RFP Template When there are many requirements, many options, multiple vendors, and a broad evaluation team.

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is seven to twelve calls over the course of four to six months.

What does a typical GI on this topic look like?

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Phase 1

Identify Need

Steps 1.1 Establish the need to either purchase goods/services (RFP) or acquire additional information from the market (RFI).

This phase involves the following participants:

• Business stakeholders
• IT
• Sourcing/Procurement
• Finance

Identify the need based on business requirements, changing technology, increasing vendor costs, expiring contracts, and changing regulatory requirements.

Outcomes of this phase

Agreement on the need to go to market to make a purchase (RFP) or to acquire additional information (RFI) along with a high-level agreement on requirements, rough schedule (is there time to do a full blown RFP or are you time constrained, which may result in an eRFP) and the RFP team is identified.

Identify the Need for Your RFP

An RFP is issued to the market when you are certain that you intend to purchase a product/service and have identified an adequate vendor base from which to choose as a result of: IT Strategy Changes in technology Marketplace assessment Contract expiration/renewal Changes in regulatory requirements Changes in the business’ requirements An RFI is issued to the market when you are uncertain as to available technologies or supplier capabilities and need budgetary costs for planning purposes. Be sure to choose the right RFx tool for your situation!

Phase 2

Define Your RFP Requirements

Steps 2.1 Define and classify the technical, business, financial, legal, and support and security requirements for your business.

This phase involves the following participants:

• IT
• Legal
• Finance
• Risk management
• Sourcing/Procurement
• Business stakeholders

Outcomes of this phase

A detailed list of required business, technical, legal and procurement requirements classified as to absolute need(s), bargaining and concession need(s), and “nice to haves.”

Define Business Requirements

Define RFP Requirements

Key things to consider when defining requirements

• Must be inclusive of the needs of all stakeholders: business, technical, financial, and legal
• Strive for clarity and completeness in each area of consideration.
• Begin defining your “absolute,” “bargaining,” “concession,” and ‘”dropped/out of scope” requirements to streamline the evaluation process.
• Keep the requirements identified as “absolute” to a minimum, because vendors that do not meet absolute requirements will be removed from consideration.
• Do you have a standard contract that can be included or do you want to review the vendor’s contract?
• Don’t forget Data Security!
• Begin defining your vendor selection criteria.
• What do you want the end result to look like?
• How will you manage the selected vendor after the contract? Include key VM requirements.
• Defining requirements can’t be rushed or you’ll find yourself answering many questions, which may create confusion.
• Collect all your current spend and budget considerations regarding the needed product(s) and service(s).

“Concentrate on the needs of the organization and not the wants of the individuals when creating requirements to avoid scope creep.” (Donna Glidden, ITRG Research Director)

Leverage the “ABCD” approach found in our Prepare for Negotiations More Effectively blueprint:
https://tymansgrpup.com/research/ss/prepare-for-negotiations-more-effectively

2.1 Prioritize your requirements

Input: List of all requirements from IT and IT Security, Business, Sourcing/Procurement, Risk Management, and Legal

Output: Prioritized list of RFP requirements approved by the stakeholder team

Materials: The RFP Requirements Worksheet

Participants: All stakeholders impacted by the RFP: IT, IT Security, the Business, Sourcing/ Procurement, Risk Management, Legal

1. Use this tool to assist you and your team in documenting the requirements for your RFP. Leverage it to collect and categorize your requirements in preparation for negotiations. Use the results of this tool to populate the requirements section of your RFP.
2. As a group, review each of the requirements and determine their priority as they will ultimately relate to the negotiations.
   • Prioritizing your requirements will set up your negotiation strategy and streamline the process.
   • By establishing the priority of each requirement upfront, you will save time and effort in the selection process.
3. Review RFP requirements with stakeholders for approval.

Download the RFP Requirements Worksheet

Phase 3

Gain Business Authorization

Steps 3.1 Obtain business authorization from the business, technology, finance and Sourcing/Procurement

This phase involves the following participants:

• Business stakeholders
• Technology and finance (depending upon the business)
• Sourcing/Procurement

Outcomes of this phase

Approval by all key stakeholders to proceed with the issuing of the RFP and to make a purchase as a result.

Gain Business Authorization

Gain Business Authorization

Gain authorization for your RFP from all relevant stakeholders Alignment of stakeholders Agreement on final requirements Financial authorization Commitment of resources Agreement on what constitutes vendor qualification Finalization of selection criteria and their prioritization Obtaining cross-function alignment will clear the way for contract, SOW, and budget approvals and not waste any of your and your vendor’s resources in performing an RFP that your organization is not ready to implement or invest financial and human resources in.

Phase 4

Create and Issue

Steps 4.1 Build your RFP 4.2 Decide RFI or not 4.3 Create your RFP 4.4 Receive & answer questions 4.5 Perform Pre-Proposal Conference 4.6 Evaluate responses

This phase involves the following participants:

• The RFP owner
• IT
• Business SMEs/stakeholders

Outcomes of this phase

RFP package is issued to vendors and includes the date of the Pre-Proposal Conference, which should be held shortly after RFP release and includes all parties.

SME’s/stakeholders participate in providing answers to RFP contact for response to vendors.

Create and Issue Your RFP/RFI

Six Steps to Perform RFI/RFP

Build your RFP with evaluation in mind

Easing evaluation frustrations

At the beginning of your RFP creation process consider how your requirements will impact the vendor’s response. Concentrate on the instructions you provide the vendors and how you wish to receive their responses. View the RFP through the lens of the vendors and envision how they are going to respond to the proposal.

Limiting the number of requirements included in the RFP will increase the evaluation team’s speed when reviewing vendors’ responses. This is accomplished by not asking questions for common features and functionality that all vendors provide. Don’t ask multiple questions within a question. Avoid “lifting” vendor-specific language to copy into the RFP as this will signal to vendors who their competition might be and may deter their participation. Concentrate your requirement questions to those areas that are unique to your solution to reduce the amount of time required to evaluate the vendors’ response.

Things to Consider When Creating Your RFP:

• Consistency is the foundation for ease of evaluation.
• Provide templates, such as an Excel worksheet, for the vendor’s pricing submissions and for its responses to close-ended questions.
• Give detailed instructions on how the vendor should organize their response.
• Limit the number of open-ended questions requiring a long narrative response to must-have requirements.
• Organize your requirements and objectives in a numerical outline and have the vendor respond in the same manner, such as the following:
  • 1
  • 1.1
  • 1.1.1

Increase your response quality

Inconsistent formatting of vendor responses prevents an apples-to-apples evaluation between vendor responses. Evaluation teams are frequently challenged and are unable to evaluate vendors’ responses equally against each other for the following reasons:

Six Steps to Perform RFI/RFP

Perform Request for Information

Don’t underestimate the importance of the RFI

As the name implies, a request for information (RFI) is a tool for collecting information from vendors about the companies, their products, and their services. We find RFIs useful when faced with a lot of vendors that we don’t know much about, when we want to benchmark the marketplace for products and services, including budgetary information, and when we have identified more potential vendors than we care to commit a full RFP to.

RFIs are simpler and less time-consuming than RFPs to prepare and evaluate, so it can make a lot of sense to start with an RFI. Eliminating unqualified vendors from further consideration will save your team from weeding through RFP responses that do not meet your objectives. For their part, your vendors will appreciate your efforts to determine up-front which of them are the best bets before asking them to spend resources and money producing a costly proposal.

While many organizations rarely use RFIs, they can be an effective tool in the vendor manager’s toolbox when used at the right time in the right way. RFIs can be deployed in competitive targeted negotiations.

A Lean RFP is a two-stage strategy that speeds up the typical RFP process. The first stage is like an RFI on steroids, and the second stage is targeted competitive negotiation.

Don’t rely solely on the internet to qualify vendors; use an RFI to acquire additional information before finalizing an RFP.

4.2.1 In a hurry? Consider a Lean RFP instead of an RFP

1. Create an RFI with all of the normal and customary components. Next, add a few additional RFP-like requirements (e.g. operational, technical, and legal requirements). Make sure you include a request for budgetary pricing and provide any significant features and functionality requirements so that the vendors have enough information to propose solutions. In addition, allow the vendors to ask questions through your single point of coordination and share answers with all of the vendors. Finally, notify the vendors that you will not be doing an RFP.
2. Review the vendors’ proposals and evaluate their proposals against your requirements along with their notional or budgetary pricing.
3. Have the evaluators utilize the Lean RFP Template to record their scores accordingly.
4. After collecting the scores from the evaluators, consolidate the scores together to discuss which vendors – we recommend two or three – you want to present demos.
5. Based on the vendors’ demos, the team selects at least two vendors to negotiate contract and pricing terms with intent of selecting the best-value vendor.
6. The Lean RFP shortens the typical RFP process, maintains leverage for your organization, and works great with low- to medium-spend items (however your organization defines them). You’ll get clarification on vendors’ competencies and capabilities, obtain a fair market price, and meet your internal clients’ aggressive timelines while still taking steps to protect your organization.

Download the Lean RFP Template

Download the RFP Evaluation Tool

4.2.1 In a hurry? Consider a Lean RFP instead of an RFP continued

Six Steps to Perform RFI/RFP

4.3.1 RFP Calendar

Input: List duration in days of key activities, RFP Calendar and Key Date Tool, For all vendor-inclusive meetings, include the dates on your RFP calendar and reference them in the RFP

Output: A timeline to complete the RFP that has the support of each stakeholder involved in the process and that allows for a complete and thorough vendor response.

Materials: RFP Calendar and Key Date Tool

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

1. As a group, identify the key activities to be accomplished and the amount of time estimated to complete each task:
   1. Identify who is ultimately accountable for the completion of each task
   2. Determine the length of time required to complete each task
2. Use the RFP Calendar and Key Date Tool to build the calendar specific to your needs.
3. Include vendor-related dates in the RFP, i.e., Pre-Proposal Conference, deadline for RFP questions as well as response.

Download the RFP Calendar and Key Date Tool

Draft your RFP

Create a template for the vendors’ response

Dictating to the vendors the format of their response will increase your evaluation efficiency Narrative Response: Create either a Word or Excel document that provides the vendor with an easy vehicle for their response. This template should include the question identifier that ties the response back to the requirement in the RFP. Instruct vendors to include the question number on any ancillary materials they wish to include. Pricing Response: Create a separate Excel template that the vendors must use to provide their financial offer. This template should include pricing for hardware, software, training, implementation, and professional services, as well as placeholders for any additional fees. Always be flexible in accepting alternative proposals after the vendor has responded with the information you requested in the format you require.

4.3.2 Vendor Pricing Tool

Input: Identify pricing components for hardware, software, training, consulting/services, support, and additional licenses (if needed)

Output: Vendor Pricing Tool

Materials: RFP Requirements Worksheet, Pricing template

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Using a good pricing template will prevent vendors from providing pricing offers that create a strategic advantage designed to prevent you from performing an apples-to-apples comparison.
2. Provide specific instructions as to how the vendor is to organize their pricing response, which should be submitted separate from the RFP response.
3. Configure and tailor pricing templates that are specific to the product and/or services.
4. Upon receipt of all the vendor’s responses, simply cut and paste their total response to your base template for an easy side-by-side pricing comparison.
5. Do not allow vendors to submit financial proposals outside of your template.

Download the Vendor Pricing Tool

Three RFP Templates

Choose the right template for the right sourcing initiative

• Short-Form

Use the Short-Form RFP Template for simple, non-complex solutions that are medium to low dollar amounts that do not require numerous requirements.

• Long-Form

We recommend the Long-Form RFP Template for highly technical and complex solutions that are high dollar and have long implementation duration.

• Excel-Form

Leverage the Excel-Form RFP Tool for requirements that are more specific in nature to evaluate a vendor’s capability for their solution. This template is designed to be complete and inclusive of the RFP process, e.g., requirements, vendor response, and vendor response evaluation scoring.

Like tools in a carpenters’ tool box or truck, there is no right or wrong template for any job. Take into account your organization culture, resources available, time frame, policies, and procedures to pick the right tool for the job. (Steve Jeffery, Principal Research Director, Vendor Management, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

4.3.3 Short-Form RFP Template

1-2 hours

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all participants agree to

Materials: Short-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• This is a less complex RFP that has relatively basic requirements and perhaps a small window in which the vendors can respond. As with the long-form RFP, exhibits are placed at the end of the RFP, an arrangement that saves both your team and the vendors time. Of course, the short-form RFP contains less-specific instructions, guidelines, and rules for vendors’ proposal submissions.
• We find that short-form RFPs are a good choice when you need to use something more than a request for quote (RFQ) but less than an RFP running 20 or more pages. It’s ideal, for example, when you want to send an RFP to only one vendor or to acquire items such as office supplies, contingent labor, or commodity items that don’t require significant vendor risk assessment.

Download the Short-Form RFP Template

4.3.4 Long-Form RFP Template

1-3 hours

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all stakeholders agree to

Materials: Long-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• A long-form or major RFP is an excellent tool for more complex and complicated requirements. This template is for a baseline RFP.
• It starts with best-in-class RFP terms and conditions that are essential to maintaining your control throughout the RFP process. The specific requirements for the business, functional, technical, legal, and pricing areas should be included in the exhibits at the end of the template. That makes it easier to tailor the RFP for each deal, since you and your team can quickly identify specific areas that need modification. Grouping the exhibits together also makes it convenient for both your team to review and the vendors to respond.
• You can use this sample RFP as the basis for your template RFP, taking it all as is or picking and choosing the sections that best meet the mission and objectives of the RFP and your organization.

Download the Long-Form RFP Template

4.3.5 Excel-Form RFP Tool

Several weeks

Input: List of technical, legal, business, and data security requirements

Output: Full set of requirements, prioritized, that all stakeholders agree to

Materials: Excel-Form RFP Template, Vendor Pricing Tool, Supporting exhibits

Participants: IT management, Business stakeholder(s), Legal (as required), Risk management (as required), Sourcing/Procurement, Vendor management

• The Excel-Form RFP Tool is used as an alternative to the other RFP toolsets if you have multiple requirements and have multiple vendors to choose from.
• Requirements are written as a “statement” and the vendor can select from five answers as to their ability to meet the requirements, with the ability to provide additional context and materials to augment their answers, as needed.
• Requirements are listed separately in each tab, for example, Business, Legal, Technical, Security, Support, Professional Services, etc.

Download the Excel-Form RFP Template

Six Steps to Perform RFI/RFP

Answer Vendor Questions

Maintaining your equal and level playing field among vendors

Provide an adequate amount of time from the RFP issue date to the deadline for vendor questions. There may be multiple vendor staff/departments that need to read the RFP and then discuss their response approach and gather any clarifying questions, so we generally recommend three to five business days. There should be one point of contact for all Q&A, which should be submitted in writing via email only. Be sure to plan for enough time to get the answers back from the RFP stakeholders. After the deadline, collect all Q&A and begin the process of consolidating into one document.

Be sure to anonymize both vendor questions and your responses, so as not to reveal who asked or answered the question. Send the document to all RFP respondents via your sourcing tool or BCC in an email to the point of contact, with read receipt requested. That way, you can track who has received and opened the correspondence. Provide the answers a few days prior to the Pre-Proposal Conference to allow all respondents time to review the document and prepare any additional questions. Begin the preparation for the Pre-Proposal Conference.

Six Steps to Perform RFI/RFP

Conduct Pre-Proposal Conference

Maintain an equal and level playing field

• Consolidate all Q&A to be presented to all vendors during the Pre-Proposal Conference.
• If the Pre-Proposal Conference is conducted via conference call, be sure to record the session and advise all participants at the beginning of the call.
• Be sure to have key stakeholders present on the call to answer questions.
• Read each question and answer, after which ask if there are any follow up questions. Be sure to capture them and then add them to the Q&A document.
• Remind respondents that no further questions will be entertained during the remainder of the RFP response period.
• Send the updated and completed document to all vendors (even if circumstances prevented their attending the Pre-Proposal Conference). Use the same process as when you sent out the initial answers: via email, blind copy the respondents and request read/receipt.

“Using a Pre-Proposal Conference allows you to reinforce that there is a level playing field for all of the vendors…that each vendor has an equal chance to earn your business. This encourages and maximizes competition, and when that happens, the customer wins.” (Phil Bode, Principal Research Director, Co-Author: The Art of Creating a Quality RFP, Info-Tech Research Group)

Pre-Proposal Conference Agenda

Allow your executive or leadership sponsor to leave the Pre-Proposal Conference after they provide their comments to allow them to continue their day while demonstrating to the vendors the importance of the project.

Six Steps to Perform RFI/RFP

Evaluate Responses

Other important information

Consider separating the pricing component from the RFP responses before sending them to reviewers to maintain objectivity until after you have received all ratings on the proposals themselves. Each reviewer should set aside focused time to carefully read each vendor’s response Read the entire vendor proposal – they spent a lot time and money responding to your request, so please read everything. Remind reviewers that they should route any questions to the vendor through the RFP manager. Using the predetermined ranking system for each section, rate each section of the response, capturing any notes, questions, or concerns as you proceed through the document(s).

Use a proven evaluation method

Two proven methods to reviewing vendors’ proposals are by response and by objective

The first, by response, is when the evaluator reviews each vendor’s response in its entirety.

The second, reviewing by objective, is when the evaluator reviews each vendor’s response to a single objective before moving on to the next.

Maintain evaluation objectivity by reducing response evaluation biases

Evaluation teams can be naturally biased during their review of the vendors’ responses.

You cannot eliminate bias completely – the best you can do is manage it by identifying these biases with the team and mitigating their influence in the evaluation process.

Vendor The evaluator only trusts a certain vendor and is uncomfortable with any other vendor. Evaluate the responses blind of vendor names, if possible.		Account Representatives Relationships extend beyond business, and an evaluator doesn't want to jeopardize them. Craft RFP objectives that are vendor neutral.
Technical A vendor is the only technical solution the evaluator is looking for, and they will not consider anything else. Conduct fair and open solution demonstrations.		Price As humans, we can justify anything at a good price. Evaluate proposals without awareness of price.

Additional insights when evaluating RFPs

When your evaluation team includes a member of the C-suite or senior leadership, ensure you give them extra time to sufficiently review the vendor's responses.		When your questions require a definitive “Yes”/“True” or “No”/“False” responses, we recommend giving the maximum score for “Yes”/“True” and the minimum score for “No”/“False”.
Increase your efficiency and speed of evaluation by evaluating the mandatory requirements first. If a vendor's response doesn't meet the minimum requirements, save time by not reviewing the remainder of the response.		Group your RFP questions with a high-level qualifying question, then the supporting detailed requirements. The evaluation team can save time by not evaluating a response that does not meet a high-level qualifying requirement.

Establish your evaluation scoring scale

Define your ranking scale to ensure consistency in ratings Within each section of your RFP are objectives, each of which should be given its own score. Our recommended approach is to award on a scale of 0 to 5. With such a scale, you need to define every level. Below are the recommended definitions for a 0 to 5 scoring scale. Score Criteria for Rating 5 Outstanding – Complete understanding of current and future needs; solution addresses current and future needs 4 Competent – Complete understanding and adequate solution 3 Average – Average understanding and adequate solution 2 Questionable – Average understanding; proposal questionable 1 Poor – Minimal understanding 0 Not acceptable – Lacks understanding

Weigh the sections of your RFP on how important or critical they are to the RFP

Obtain Alignment on Weighting the Scores of Each Section There are many ways to score responses, ranging from extremely simple to highly complicated. The most important thing is that everyone responsible for completing scorecards is in total agreement about how the scoring system should work. Otherwise, the scorecards will lose their value, since different weighting and scoring templates were used to arrive at their scores. You can start by weighting the scores by section, with all sections adding up to 100%.

Example RFP Section Weights (Source: The Art of Creating a Quality RFP, Jeffery et al., 2019)

Protect your negotiation leverage with these best practices

Protect your organization's reputation within the vendor community with a fair and balanced process. Unless you regularly have the evaluators on your evaluation team, always assume that the team members are not familiar nor experienced with your process and procedures. Do not underestimate the amount of preparations required to ensure that your evaluation team has everything they need to evaluate vendors’ responses without bias. Be very specific about the expectations and time commitment required for the evaluation team to evaluate the responses. Explain to the team members the importance of evaluating responses without conflicts of interest, including the fact that information contained within the responses and all discussions within the team are considered company owned and confidential. Include examples of the evaluation and scoring processes to help the evaluators understand what they should be doing. Finally – don’t forget to the thank the evaluation team and their managers for their time and commitment in contributing to this essential decision.

Evaluation teams must balance commercial vs. technical requirements

Do not alter the evaluation weights after responses are submitted. Evaluation teams are always challenged by weighing the importance of price, budget, and value against the technical requirements of “must-haves” and super cool “nice-to-haves.” Encouraging the evaluation team not to inadvertently convert the nice-to-haves to must-haves will prevent scope creep and budget pressure. The evaluation team must concentrate on the vendors’ responses that drive the best value when balancing both commercial and technical requirements.

4.6.1 Evaluation Guidebook

1 hour

Input: RFP responses, Weighted Scoring Matrix, Vendor Response Scorecard

Output: One or two finalists for which negotiations will proceed

Materials: RFP Evaluation Guidebook

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Info-Tech provides an excellent resource for your evaluation team to better understand the process of evaluating vendor response. The guidebook is designed to be configured to the specifics of your RFP, with guidance and instructions to the team.
2. Use this guidebook to provide instruction to the evaluation team as to how best to score and rate the RFP responses.
3. Specific definitions are provided for applying the numerical scores to the RFP objectives will ensure consistency among the appropriate numerical score.

Download the RFP Evaluation Guidebook

4.6.2 RFP Vendor Proposal Scoring Tool

1-4 hours

Input: Each vendor’s RFP response, A copy of the RFP (less pricing), A list of the weighted criteria incorporated into a vendor response scorecard

Output: A consolidated ranked and weighted comparison of the vendor responses with pricing

Materials: Vendor responses, RFP Evaluation Tool

Participants: Sourcing/Procurement, Vendor management

1. Using the RFP outline as a base, develop a scorecard to evaluate and rate each section of the vendor response, based on the criteria predetermined by the team.
2. Provide each stakeholder with the scorecard when you provide the vendor responses for them to review and provide the team with adequate time to review each response thoroughly and completely.
3. Do not, at this stage, provide the pricing. Allow stakeholders to review the responses based on the technical, business, operational criteria without prejudice as to pricing.
4. Evaluators should always be reminded that they are evaluating each vendor’s response against the objectives and requirements of the RFP. The evaluators should not be evaluating each vendor’s response against one another.
5. While the team is reviewing and scoring responses, review and consolidate the vendor pricing submissions into one document for a side-by-side comparison.

Download the RFP Evaluation Tool

4.6.3 Total Cost of Owners (TCO)

Input: Consolidated vendor pricing responses, Consolidated vendor RFP responses, Current spend within your organization for the product/service, if available, Budget

Output: A completed TCO model summarizing the financial results of the RFP showing the anticipated costs over the term of the agreement, taking into consideration the impact of renewals.

Materials: Vendor TCO Tool, Vendor pricing responses

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement

• Use Info-Tech’s Vendor TCO Tool to normalize each vendor’s pricing proposal and account for the lifetime cost of the product.
• Fill in pricing information (the total of all annual costs) from each vendor's returned Pricing Proposal.
• The tool will summarize the net present value of the TCO for each vendor proposal.
• The tool will also provide the rank of each pricing proposal.

Download the Vendor TCO Tool

Conduct an evaluation team results meeting

Follow the checklist below to ensure an effective evaluation results meeting

• Schedule the evaluation team’s review meeting well in advance to ensure there are no scheduling conflicts.
• Collect the evaluation team’s scores in advance.
• Collate scores and provide an initial ranking.
• Do not reveal the pricing evaluation results until after initial discussions and review of the scoring results.
• Examine both high and low scores to understand why the team members scored the response as they did.
• Allow the team to discuss, debate, and arrive at consensus on the ranking.
• After consensus, reveal the pricing to examine if or how it changes the ranking.
• Align the team on the next steps with the applicable vendors.

4.6.4 Consolidated RFP Response Scoring

1-2 hours

Input: Vendor Response Scorecard from each stakeholder, Consolidated RFP responses and pricing, Any follow up questions or items requiring further vendor clarification.

Output: An RFP Response Evaluation Summary that identifies the finalists based on pre-determined criteria.

Materials: RFP Evaluation Tool from each stakeholder, Consolidated RFP responses and pricing.

Participants: IT, Finance, Business stakeholders, Sourcing/Procurement, Vendor management

1. Collect from the evaluation team all scorecards and any associated questions requiring further clarification from the vendor(s). Consolidate the scorecards into one for presentation to the team and key decision makers.
2. Present the final scores to the team, with the pricing evaluation, to determine, based on your needs, two or three finalists that will move forward to the next steps of negotiations.
3. Discuss any scores that are have large gaps, e.g., a requirement with a score of one from one evaluator and the same requirement with a score five from different evaluator.
4. Arrive at a consensus of your top one or two potential vendors.
5. Determine any required follow-up actions with the vendors and include them in the Evaluation Summary.

Download the Consolidated Vender RFP Response Evaluation Summary

4.6.5 Vendor Recommendation Presentation

1. Use the Vendor Recommendation Presentation to present your finalist and obtain final approval to negotiate and execute any agreements.
2. The Vendor Recommendation Presentation provides leadership with:
   1. An overview of the RFP, its primary goals, and key requirements
   2. A summary of the vendors invited to participate and why
   3. A summary of each component of the RFP
   4. A side-by-side comparison of key vendor responses to each of the key/primary requirements, with ranking/weighting results
   5. A summary of the vendor’s responses to key legal terms
   6. A consolidated summary of the vendors’ pricing, augmented by the TCO calculations for the finalist(s).
   7. The RFP team’s vendor recommendations based on its findings
   8. A summary of next steps with dates
   9. Request approval to proceed to next steps of negotiations with the primary and secondary vendor

Download the Vendor Recommendation Presentation

4.6.5 Vendor Recommendation Presentation

Caution: Configure templates and tools to align with RFP objectives

Templates and tools are invaluable assets to any RFP process

Phase 5

Negotiate Agreement(s)

Steps 5.1 Perform negotiation process

This phase involves the following participants:

• Procurement
• Vendor management
• Legal
• IT stakeholders
• Finance

Outcomes of this phase

A negotiated agreement or agreements that are a result of competitive negotiations.

Negotiate Agreement(s)

Negotiate Agreement

You should evaluate your RFP responses first to see if they are complete and the vendor followed your instructions. Then you should: Plan negotiation(s) with one or more vendors based on your questions and opportunities identified during evaluation. Select finalist(s). Apply selection criteria. Resolve vendors’ exceptions. Info-Tech Insight Be certain to include any commitments made in the RFP, presentations, and proposals in the agreement – dovetails to underperforming vendor.

Leverage Info-Tech's negotiation process research for additional information

Negotiate before you select your vendor: Negotiating with two or more vendors will maintain your competitive leverage while decreasing the time it takes to negotiate the deal. Perform legal reviews as necessary. Use sound competitive negotiations principles. Info-Tech Insight Providing contract terms in an RFP can dramatically reduce time for this step by understanding the vendor’s initial contractual position for negotiation.

Phase 6

Purchase Goods and Services

Steps 6.1 Purchase Goods & Services

This phase involves the following participants:

• Procurement
• Vendor management
• IT stakeholders

Outcomes of this phase

A purchase order that completes the RFP process.

The beginning of the vendor management process.

Purchase Goods and Services

Purchase Goods and Services

Prepare to purchase goods and services

Prepare to purchase goods and services by completing all items on your organization’s onboarding checklist. Have the vendor complete applicable tax forms. Set up the vendor in accounts payable for electronic payment (ACH) set-up. Then transact day-to-day business: Provide purchasing forecasts. Complete applicable purchase requisition and purchase orders. Be sure to reference the agreement in the PO.

Info-Tech Insight

As a customer, honoring your contractual obligations and commitments will ensure that your organization is not only well respected but considered a customer of choice.

Phase 7

Assess and Measure Performance

Steps 7.1 Assess and measure performance against the agreement

This phase involves the following participants:

• Vendor management
• Business stakeholders
• Senior leadership (as needed)
• IT stakeholders
• Vendor representatives & senior management

Outcomes of this phase

A list of what went well during the period – it’s important to recognize successes

A list of areas needing improvement that includes:

• A timeline for each item to be completed
• The team member(s) responsible

Purchase Goods and Services

Assess and Measure Performance

Measure to manage: the job doesn’t end when the contract is signed.

• Classify vendor
• Assess vendor performance
• Manage improvement
• Conduct periodic vendor performance reviews or quarterly business reviews
• Ensure contract compliance for both the vendor and your organization
• Build knowledgebase for future
• Re-evaluate and improve appropriately your RFP processes

Info-Tech Insight

To be an objective vendor manager, you should also assess and measure your company’s performance along with the vendor’s performance.

Summary of Accomplishment

Problem Solved

Upon completion of this blueprint, guided implementation, or workshop, your team should have a comprehensive, well-defined end-to-end approach to performing a quality sourcing event. Leverage Info-Tech’s industry-proven tools and templates to provide your organization with an effective approach to maintain your negotiation leverage, improve the ease with which you evaluate vendor proposals, and reduce your risk while obtaining the best market value for your goods and services.

Additionally, your team will have a foundation to execute your vendor management principles. These principles will assist your organization in ensuring you receive the perceived value from the vendor as a result of your competitive negotiations.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Final Thoughts: RFP Do’s and Don’ts

Bibliography

“2022 RFP Response Trends & Benchmarks.” Loopio, 2022. Web.

Corrigan, Tony. “How Much Does it Cost to Respond to an RFP?” LinkedIn, March 2017. Accessed 10 Dec. 2019

“Death by RFP:7 Reasons Not to Respond.” Inc. Magazine, 2013. Web.

Jeffery, Steven, George Bordon, and Phil Bode. The Art of Creating a Quality RFP, 3rd ed. Info-Tech Research Group, 2019.

“RFP Benchmarks: How Much Time and Staff Firms Devote to Proposals.” MarketingProfs, 2020. Web.

“State of the RFP 2019.” Bonfire, 2019. Web.

“What Vendors Want (in RFPs).” Vendorful, 2020. Web.

Related Info-Tech Research

	Prepare for Negotiations More Effectively Negotiations are about allocating risk and money – how much risk is a party willing to accept at what price point? Using a cross-functional/cross-insight team structure for negotiation preparation yields better results. Soft skills aren’t enough and theatrical negotiation tactics aren’t effective.
	Understand Common IT Contract Provisions to Negotiate More Effectively Focus on the terms and conditions, not just the price. Too often, organizations focus on the price contained within their contracts, neglecting to address core terms and conditions that can end up costing multiples of the initial price. Lawyers can’t ensure you get the best business deal. Lawyers tend to look at general terms and conditions for legal risk and may not understand IT-specific components and business needs.
	Jump Start Your Vendor Management Initiative Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service-level objectives and that risks are mitigated according to the organization's risk tolerance. Visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

INFO-TECH RESEARCH GROUP

Develop a Security Operations Strategy

Transition from a security operations center to a threat collaboration environment.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.

ANALYST PERSPECTIVE

“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group

Our understanding of the problem

Executive summary

Situation

• Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
• Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

Complication

• There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
• The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
• Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
• It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
• There is limited communication between security functions due to a centralized security operations organizational structure.

Resolution

• A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
• This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Info-Tech Insight

1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Data breaches are resulting in major costs across industries

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

(Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

Persistent issues

• Organizational barriers separating prevention, detection, analysis, and response efforts.
  Siloed operations limit collaboration and internal knowledge sharing.
• Lack of knowledgeable security staff.
  Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
• Failure to evaluate and improve security operations.
  The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
• Lack of standardization.
  Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
• Failure to acknowledge the auditor as a customer.
  Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

60% Of organizations say security operation teams have little understanding of each other’s requirements.

40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

38-100% Increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

The solution

“Empower a few administrators with the best information to enable fast, automated responses.” – Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security) Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations… When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime. The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization. Sources: Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Syngress. Designing and Building a Security Operations Center.

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.	Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.	Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
	Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.	Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Info-Tech’s security operations blueprint ties together various initiatives

Design and Implement a Vulnerability Management Program	Vulnerability Management Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.	Deliverables Vulnerability Tracking Tool Vulnerability Scanning Tool RFP Template Penetration Test RFP Template Vulnerability Mitigation Process Template
Integrate Threat Intelligence Into Your Security Operations	Threat Intelligence Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.	Maturity Assessment Tool Threat Intelligence RACI Tool Management Plan Template Threat Intelligence Policy Template Alert Template Alert and Briefing Cadence Schedule
Develop Foundational Security Operations Processes	Operations Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.	Maturity Assessment Tool Event Prioritization Tool Efficiency Calculator SecOps Policy Template In-House vs. Outsourcing Decision-Making Tool SecOps RACI Tool TCO & ROI Comparison Calculator
Develop and Implement a Security Incident Management Program	Incident Response Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.	Incident Management Policy Maturity Assessment Tool Incident Management RACI Tool Incident Management Plan Incident Runbook Prioritization Tool Various Incident Management Runbooks

This blueprint will…

…better protect your organization with an interdependent and collaborative security operations program.

Info-Tech integrates several best practices to create a best-of-breed security framework

Benefits of a collaborative and integrated operations program

Understand the cost of not having a suitable security operations program

A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Develop a Security Operations Strategy

PHASE 1

Assess Operational Requirements

This step will walk you through the following activities:

• Determine why you need a sound security operations program.
• Understand Info-Tech’s threat collaboration environment.
• Evaluate your current security operation’s functions and capabilities.

Outcomes of this step

• A defined scope and motive for completing this project.
• Insight into your current security operations capabilities.
• A prioritized list of security operations initiatives based on maturity level.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

Warm-up exercise: Why build a security operations program?

Estimated time to completion: 30 minutes

Info-Tech Best Practice

Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

Decentralizing the SOC: Security as a function

Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

Security operations must provide several fundamental functions: Real-time monitoring, detecting, and triaging of data from both internal and external sources. In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques. Network/host scanning and vulnerability patch management. Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders. Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment. Tuning and tweaking of technologies to ingest collected data and enhance the analysis process. Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.

At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

Understand the levels of security operations

Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

Foundational		Operational		Strategic
Intrusion Detection Management Active Device and Event Monitoring Log Collection and Retention Reporting and Escalation Management Incident Management Audit Compliance Vendor Management Ticketing Processes Packet Capture and Analysis SIEM Firewall Antivirus Patch Management		Event Analysis and Incident Triage Security Log Management Vulnerability Management Host Hardening Static Malware Analysis Identity and Access Management Change Management Endpoint Management Business Continuity Management Encryption Management Cloud Security (if applicable)		SIEM with Defined Use Cases Big Data Security Analytics Threat Intelligence Network Flow Analysis VPN Anomaly Detection Dynamic Malware Analysis Use-Case Management Feedback and Continuous Improvement Management Visualization and Dashboarding Knowledge Portal Ticket Documentation Advanced Threat Hunting Control and Process Automation eDiscovery and Forensics Risk Management
——Security Operations Capabilities—–›

Understand security operations: Establish a unified threat collaboration environment

Design and Implement a Vulnerability Management Program	Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure. Managing incident escalation and response. Coordinating root-cause analysis and incident gathering. Facilitating post-incident lessons learned. Managing system patching and risk acceptance. Conducting vulnerability assessment and penetration testing. Monitoring in real-time and triaging of events. Escalating events to incident management team. Tuning and tweaking rules and reporting thresholds. Gathering and analyzing external threat data. Liaising with peers, industry, and government. Publishing threat alerts, reports, and briefings. Info-Tech Best Practice Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

The threat collaboration environment is comprised of three core elements

Info-Tech Insight

The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.

	People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components: Who is responsible for each respective threat collaboration environment function? What are the required operational roles, responsibilities, and competencies for each employee? Are there formalized training procedures to onboard new employees? Is there an established knowledge transfer and management program?
	Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself: Are there defined runbooks that clearly outline critical operational procedures and guidelines? Is there a defined escalation protocol to transfer knowledge and share threats internally? Is there a defined reporting procedure to share intelligence externally? Are there formal and accessible policies for each respective security operations function? Is there a defined measurement program to report on the performance of security operations? Is there a continuous improvement program in place for all security operations functions? Is there a defined operational vendor management program?
	Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine: Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner? Can a solution integrate with existing controls? If so, to what extent? Is there a centralized log aggregation tool such as a SIEM? What is the operational cost to effectively manage each control? Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

Conduct a preliminary maturity assessment before tackling this project

Design and Implement a Vulnerability Management Program	At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

Assess the current maturity of your security operations program

	Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.”	Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.)	Document any/all comments for future Info-Tech analyst discussions.

Assign each security capability a reflective and desired maturity score.

	Ad Hoc
	1		Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
	2		Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
	3		Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
	4		Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
	5		Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
	Optimized

Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

Ensure that your threat collaboration environment is of a sufficient maturity before progressing

Review the report cards for each of the respective threat collaboration environment functions. A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative. A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative. A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you clearly defined the rationale for refining your security operations program?
• Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
• Have you assessed your respective people, process, and technological capabilities?
• Have you completed the Security Operations Preliminary Maturity Assessment Tool?
• Were all threat collaboration environment functions of a sufficient maturity level?

If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives

Develop a Security Operations Strategy

PHASE 2

Develop Maturity Initiatives

This step will walk you through the following activities:

• Establish your goals, obligations, scope, and boundaries.
• Assess your current state and define a target state.
• Develop and prioritize gap initiatives.
• Define cost, effort, alignment, and security benefit of each initiative.
• Develop a security strategy operational roadmap.

Outcomes of this step

• A formalized understanding of your business, customer, and regulatory obligations.
• A comprehensive current and target state assessment.
• A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
• A formally documented set of estimated priority variables (cost, effort, business alignment).
• A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

Info-Tech Insight

Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives

Align your security operations program with corporate goals and obligations

A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

Info-Tech Best Practice

Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

Determine your security operations program scope and boundaries

It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

Reference Info-Tech’s security strategy: goals, obligations, and scope activities

Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results. GOALS and OBLIGATIONS Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

Goals & Obligations

PROGRAM SCOPE & BOUNDARIES Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions. If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives: What is the message being delivered by the CEO? What are the main themes of investments and projects? What are the senior leaders measured on?

Program Scope & Boundaries

INFO-TECH OPPORTUNITY

For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

Complete the Information Security Requirements Gathering Tool

On tab 1. Goals and Obligations: Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused. In the second column, identify the corresponding security initiative that supports the obligation.
On tab 2. Scope and Boundaries: Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives. Complete the affiliated columns for a comprehensive scope assessment. As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

Info-Tech Best Practice

A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

Conduct a comprehensive security operations maturity assessment

The following slides will walk you through the process below.

Info-Tech Insight

Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance delivers value to your organization, each step along the way.

Optimize your security operations workflow

Info-Tech consulted various industry experts and consolidated their optimization advice.

Self-assess your current-state capabilities and determine the appropriate target state

Info-Tech Best Practice

When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

Consolidate related gap initiatives to simplify and streamline your roadmap

Identify areas of commonality between gap initiative in order to effectively and efficiently implement your new initiatives.

1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.

Initiatives		Consolidated Initiatives
Document data classification and handling in AUP	—›	Document data classification and handling in AUP	Keep urgent or exceptional initiatives separate so they can be addressed appropriately.
Document removable media in AUP	—›	Define and document an Acceptable Use Policy	Other similar or related initiatives can be consolidated into one item.
Document BYOD and mobile devices in AUP	—›
Document company assets in Acceptable Use Policy (AUP)	—›



2. Review grouped initiatives and identify specific initiatives should be broken out and defined separately.
3. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

Understand your organizational maturity gap

After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

Info-Tech Best Practice

Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

Define cost, effort, alignment, and security benefit

Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include: Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight. Whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project based consulting fees, etc. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking you can take 20-25% of initial cost as ongoing cost for maintenance and service. Define initial staffing in hours. This is total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total). Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a week time commitment (e.g. perform a vulnerability scan using our tool once a week) versus others that may have monthly, quarterly, or annual time commitments that need to averaged out per week (e.g. perform annual security review requiring 0.4 hours/week (20 hours total based on 50 working weeks per year).

Info-Tech Best Practice When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

Define cost, effort, alignment, and security benefit

Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either: Set low, medium, and high based on levels of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, IT support only) Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly support customer requirement/key contract OR enables remote workforce; Low – security best practice). Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as: Reduces compliance or regulatory risk by meeting a control requirement Reduces availability and operational risk Implements a non-existent control Secures high-criticality data Secures at-risk end users

Info-Tech Best Practice Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

Info-Tech Insight

You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

Apply your variable criteria to your initiatives

A financial services organization defined its target security state and created an execution plan

Review your prioritized security roadmap

Review the final Gantt chart to review the expected start and end dates for your security initiatives as part of your roadmap.

In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

Review considerations Does this roadmap make sense for our organization? Do we focus too much on one quarter over others? Will the business be going through any significant changes during the upcoming years that will directly impact this project?	This is a living management document You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart. As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

Consult an Info-Tech Analyst

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.	TJ Minichillo Senior Director – Security, Risk & Compliance Info-Tech Research Group Edward Gray Consulting Analyst – Security, Risk & Compliance Info-Tech Research Group Celine Gravelines Research Manager – Security, Risk & Compliance Info-Tech Research Group
If you are not communicating, then you are not secure.

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you identified your organization’s corporate goals along with your obligations?
• Have you defined the scope and boundaries of your security program?
• Have you determined your organization’s risk tolerance level?
• Have you considered threat types your organization may face?
• Are the above answers documented in the Security Requirements Gathering Tool?
• Have you defined your maturity for both your current and target state?
• Do you have clearly defined initiatives that would bridge the gap between your current and target state?
• Are each of the initiatives independent, specific, and relevant to the associated control?
• Have you indicated any dependencies between your initiatives?
• Have you consolidated your gap initiatives?
• Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
• Have you applied prioritization parameters to each consolidated initiative?
• Have you recorded your final prioritized roadmap in the Gantt chart tab?
• Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies

Develop a Security Operations Strategy

PHASE 3

Define Operational Interdependencies

This step will walk you through the following activities:

• Understand the current security operations process flow.
• Define the security operations stakeholders and their respective deliverables.
• Formalize an internal information sharing and collaboration plan.

Outcomes of this step

• A formalized security operations interaction agreement.
• A security operations service and product catalog.
• A structured operations collection plan.

Info-Tech Insight

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Tie everything together with collaboration

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Info-Tech Best Practice

Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

Understand the security operations process flow

Process standardization and automation is critical to the effectiveness of security operations.

Document your security operations’ capabilities and tasks

Document your security operations’ functional capabilities and operational tasks to satisfy each capability.	What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement.	Identify the affiliated product, service, or output generated from the task/capability.	Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
Capabilities The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.		Tasks The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Convert your results into actionable process flowcharts

Map each functional task or capability into a visual process-flow diagram.

The title should reflect the respective capability and product output. List all involved stakeholders (inputs and threat escalation protocol) along the left side. Ensure all relevant security control inputs are documented within the body of the process-flow diagram. Map out the respective processes in order to achieve the desired outcome. Segment each process within its own icon and tie that back to the respective input.

Title: Output #1

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Formalize the opportunities for collaboration within your security operations program

Security Operations Collaboration Plan

Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

How to customize The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components: Security operations program scope and objectives Operational capabilities and outputs on a per function basis A needs and requirements collection plan Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule) A security operations RACI chart

Info-Tech Best Practice

Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

Assign responsibilities for the threat management process

Security Operations RACI Chart & Program Plan

Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

How to customize Customize the header fields with applicable stakeholders. Identify stakeholders that are: Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made. Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor. Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs). Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Identify security operations consumers and their respective needs and requirements

Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

Info-Tech Best Practice

“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)

Define the stakeholders, their respective outputs, and the underlying need

Security Operations Program Service & Product Catalog

Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

Action/Output		Frequency			Stakeholders/Function
Document the key services and outputs produced by the security operations program. For example: Real-time monitoring Event analysis and incident coordination Malware analysis External information sharing Published alerts, reports, and briefings Metrics		Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment.			Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. Vulnerability Management Threat Intelligence Tier 1, 2, and 3 Analysts Incident Response MSSP Network Operations
Remember to include any target-state outputs or services identified in the maturity assessment.			Use this exercise as an opportunity to organize your security operations outputs and services.

Info-Tech Best Practice

Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

Internal information sharing helps to focus operational efforts

Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

• Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
• Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.

Define the routine of your security operations program in a detailed cadence schedule

Security Operations Program Cadence Schedule Template

Design your meetings around your security operations program’s outputs and capabilities

How to customize Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following: Activity, output, or topic being discussed. Participants and stakeholders involved. Value and purpose of meeting. Duration and frequency of each meeting. Investment per participant per meeting.

Info-Tech Best Practice

Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

Apply a strategic lens to your security operations program

Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

Strategies

1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
2. Quantify the ROI for the given project.
3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
4. Communicate the implications, value, and benefits of a security operations program.
5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

(Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)

Info-Tech Best Practice

Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

Example: Align your strategic needs with that of management.

Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

Develop a comprehensive measurement program to evaluate the effectiveness of your security operations