The State of Black Professionals in Tech

Keep inclusion at the forefront to gain the benefits from diversity.

Analysts' Perspective

The experience of Black professionals in technology is unique.

Diversity in tech is not a new topic, and it's not a secret that technology organizations struggle to attract and retain Black employees. Ever since the early '90s, large tech organizations have been dealing with public critique of their lack of diversity. This topic is close to our hearts, but unfortunately while improvements have been made, progress is quite slow.

In recent years, current events have once again brought diversity to the forefront for many organizations. In addition, the pandemic along with talent trends such as "the great resignation" and "quiet quitting" and preparations for a recession have not only impacted diversity at large but also Black professionals in technology. Our previous research has focused on the wider topic of Recruiting and Retaining People of Color in Tech, but we've found that the experiences of persons of color are not all the same.

This study focuses on the unique experience of Black professionals in technology. Over 600 people were surveyed using an online tool; interviews provided additional insights. We're excited to share our findings with you.

Allison Straker Research Director Info-Tech Research Group	Ugbad Farah Research Director Info-Tech Research Group

Demographics

In October 2021, we launched a survey to understand what the Black experience is like for people in technology. We wanted and received a variety of responses which would help us to understand how Black technology professionals experienced their working world. We received responses from 633 professionals, providing us with the data for this report.

For more information on our survey demographics please see the appendix at this end of this report.

26% of our respondents either identified as Black or felt the world sees them as Black.

Professionals from various countries responded to the survey:

• Most respondents were born in the US (52%), Canada (14%), India (14%), or Nigeria (4%).
• Most respondents live in the US (56%), Canada (25%), Nigeria (2%), or the United Kingdom (2%).

Companies with more diversity achieve more revenue from innovation

Organizations do better and are more innovative when they have more diversity, a key ingredient in an organization's secret sauce.
Organizations also benefit from engaged employees, yet we've seen that organizations struggle with both. Just having a certain number of diverse individuals is not enough. When it comes to reaping the benefits of diversity, organizations can flourish when employees feel safe bringing their whole selves to work.

Companies with higher employee engagement experience 19.2% higher earnings.

However, those with lower employee engagement experience 32.7% lower earnings.
(DecisionWise, 2020)

If your workforce doesn't reflect the community it serves, your business may be missing out on the chance to find great employees and break into new and growing markets, both locally and globally.
Diversity makes good business sense.
(Business Development Canada, 2023)

A study about Black professionals

Why is this about Black professionals and not other diverse groups?

While there are a variety of diversity dimensions, it's important to understand what makes up a "multicultural workforce." There is more to diversity than gender, race, and ethnicity. Organizations need to understand that there is diversity within these groups and Black professionals have their own unique experience when it comes to entering and navigating tech that needs to be addressed.

(Brookfield Institute for Innovation and Entrepreneurship, 2019)

The solutions that apply to Black professionals are not only beneficial for Black employees but for all. While all demographics are unique, the solutions in this report can support many.

Unsatisfied and underrepresented

Less Black professionals responded as "satisfied" in their IT careers. The question is: How do we mend the Gap?

Percentage of IT Professionals Who Reported Being Very Satisfied in Their Current Role

• All Other Professionals: 34%
• Black Professionals: 23%

Black workers are underrepresented in most professional roles, especially computer and math Occupations

The gap in satisfaction

What's Important?

Our research suggests that the differences in satisfaction among ethnic groups are related to differences in value systems. We asked respondents to rank what's important, and we explored why.

Non-Black professionals rated autonomy and their manager working relationships as most important.

For Black professionals, while those were important, #1 was promotion and growth opportunities, ranked #7 by all other professionals. This is a significant discrepancy.

Recognition of my work/accomplishments also was viewed significantly differently, with Black professionals ranking it low on the list at #7 and all other professionals considering it very important at #3.

All Other Professionals		Black Professionals

Maslow's Hierarchy of Needs applies to job satisfaction

In Maslow's hierarchy, it is necessary for people to achieve items lower on the hierarchy before they can successfully pursue the higher tiers.

Too many Black professionals in tech are busy trying to achieve some of the lower parts of the hierarchy; it is stopping them from achieving elements higher up that can lead to job satisfaction.

This can stop them from gaining esteem, importance, and ultimately, self-actualization. The barriers that impact safety and social belonging happen on a day-to-day basis, and so the day-to-day lives of Black professionals in tech can look very different from their counterparts.

There are barriers that hinder and solutions that support employees

There are various barriers that increase the likelihood for Black professionals to focus on the lower end of the needs hierarchy:	These are among some of the solutions that, when layered, can support Black professionals in tech in moving up the needs hierarchy. Focusing on these actions can support Black professionals in achieving much needed job satisfaction.

What does this mean?

The minority experience is not a monolith

The barriers that Black professionals encounter aren't limited to the same barriers as their colleagues, and too often this means that they aren't in a position to grow their careers in a way that leads to job satisfaction.

There is a 11% gap between the satisfaction of Black professionals and their peers.

Early Steps:
Take time to understand the Black experience.

As leaders, it's important to be aware that employee goals vary depending on the barriers they're battling with.

Intermediate:
If Black employees don't have strong relationships, networks, and mentorships it becomes increasingly difficult to navigate the path to upward mobility.

As a leader, you can look for opportunities to bridge the gap on these types of conversations.

Advanced:
Black professionals in tech are not advancing like their counterparts.

Creating clear career paths will not only benefit Black employees but also support your entire organization.

Key metrics:

• Engagement
• Committed Executive Leadership
• Development Opportunities
• Organizational Programs

Black respondents are significantly more likely to report barriers to their career advancement

Common barriers

Black professionals, like their colleagues, encounter barriers as they try to advance their careers. The barriers both groups encounter include microaggressions, racism, ageism, accessibility issues, sexual orientation, bias due to religion, lack of a career-supported network, gender bias, family status bias, and discrimination due to language/accents.

What tops the list

Microaggressions and racism are at the top of these barriers, but Black professionals also deal with other barriers that their colleagues may experience, such as gender-based bias, accessibility issues, religion, and more.

One of these barriers alone can be difficult to deal with but when they are compounded it can be very difficult to navigate through the working environment in tech.

What are microaggressions?

Microaggression

A statement, action, or incident regarded as an instance of indirect, subtle, or unintentional discrimination against members of a marginalized group such as a racial or ethnic minority.

(Oxford Languages, 2023)

Why are they significant?

These things may seem innocent enough but the messaging that is received and the lasting impression is often far from it.

Our research shows that racism and discrimination contribute to poor mental health among Black professionals.

Examples

• You're so articulate!
• How do you always have different hair, can I touch it?
• Where are you really from?
• I don't see color.
• I believe the most qualified person should get the job; everyone can succeed in this society if they work hard enough.

"The experience of having to question whether something happened to you because of your race or constantly being on edge because your environment is hostile can often leave people feeling invisible, silenced, angry, and resentful."
Dr. Joy Bradford,
clinical Psychologist, qtd. In Pfizer

It takes some time to get in the door

For too many Black respondents, It took Longer than their peers to Find Technology Jobs.

Both groups had some success finding jobs in "no time" – however, there was a difference. Thirty-four percent of "all others" found their jobs quickly, while the numbers were less for Black professionals, at 26%. There was also a difference at the opposite end of the spectrum. For 29% of Black professionals, it took seven months or longer to find their IT job, while that number is only 19% for their peers.

.

This points to the need for improvements in recruitment and career advancement.

29% of Black respondents said that it took them 7 months or longer to find their technology job.

Compared to 19% of all other professionals that selected the same response.

And once they're in, it's difficult to advance

Black Professionals are not Advancing as Quickly as their Colleagues. Especially when you look at their Experience.

Our research shows that compared to all other ethnicities; Black participants were 55% more likely to report that they had no career advancement/promotion in their career. There is a bigger percentage of Black professionals who have never received a promotion; there's also a large number of Black professionals who have been working a significant amount time in the same role without a promotion.

.Career Advancement

Black participants were 55% more likely to report that they had had no career advancement/promotion in their career.

No advancement

There's a high cost to lack of engagement

When employees feel disillusioned with things like career advancement and microaggressions, they often become disengaged. When you continuously have to steel yourself against microaggressions, racism, and other barriers, it prevents you from bringing your whole self to the office. The barriers can lead to what's been coined as "emotional tax." An emotional tax is the experience of feeling different from colleagues because of your inherent diversity and the associated negative effects on health, wellbeing, and the ability to thrive at work.

(DecisionWise, 2020)

"I've conditioned myself for the corporate world, I don't bring my authentic self to work."
Anonymous Interview Subject

Lack of engagement also costs the organization in terms of turnover, something many organizations today are struggling with how to address. Organizations want to increase the ability of the workforce to remain in the organization. For Black employees, this gets harder when they're not engaged and they're the only one. When the emotional tax gets to be too much, this can lead to turnover. Turnover not only costs companies billions in profits, it also negatively impacts leadership diversity. It's difficult to imagine career growth when you don't see anyone that looks like you at the top. It is a challenge to see your future when there aren't others that you can relate to at top levels in the organization, leading to one of our interview subjects to muse, "How long can I last?"

"Being Black in tech can be hard on your mental health. Your mind is constantly wondering, 'how long can I last?' "
Anonymous Interview Subject

Fewer Black professionals feel like they can be their authentic selves at work

Authentic vs. Successes

For many Black professionals, "code-switching," or altering the way one speaks and acts depending on context, becomes the norm to make others more comfortable. Many feel that being authentic and succeeding in the workplace are mutually exclusive.

Programs and Resources

We asked respondents "What's in place to build an inclusive culture at your company?" Most respondents (51% and 45%) reported that there were employee resource groups at their organizations.

Do you feel you can be your authentic self at work?

What can be done?

There are various actions that organizations can take to help address barriers.

It's important to ensure these are not put in as band-aid solutions but that they are carefully thought out and layered.

Our findings demonstrate that remote work, career development, and DEI programs along with mentorship and diverse leadership are strong enablers of professional satisfaction. An unfortunate consequence, if professionals are not nurtured, is that we risk losing much needed talent to self-employment or to other organizations.

There are several solutions

Respondents were asked to distribute points across potential solutions that could lead to job satisfaction. The ratings showed that there were common solutions that could be leveraged across all groups.

Respondents were asked what solutions were valuable for their career development.

All groups were mostly aligned on the order of the solutions that would lead to career satisfaction; however, Black professionals rated the importance of employee resource groups as higher than their colleagues did.

Mentorship and sponsorship are seen as key for all employees, as is of course training.

However, employee resource groups (ERGs) were rated significantly higher for Black professionals and discussions around diversity were higher for their colleagues. This may be because other groups feel a need to learn more about diversity, whereas Black professionals live this experience on a day-to day basis, so it's not as critical for them.

Double the number of satisfied Black professionals through mentorship and sponsorship

Mentorship and sponsorship help to close the job satisfaction gap for Black IT professionals. The percentage of satisfied Black employees almost doubles when they have a mentor or sponsorship, moving the satisfaction rate to closer to all other colleagues.

As leaders, you likely benefit from a few different advisors, and your staff should be able to benefit in the same way.

They can have their own personal board of advisors, both inside and outside of your organization, helping them to navigate the working world in IT.

To support your staff, provide guidance and coaching to internal mentors so that they can best support employees, and ensure that your organizational culture supports relationship building and trust.

While all are critical, coaching, mentoring, and sponsorship are not the same

Coaching

Performance-driven guidance geared to support the employee with on-the-job performance. This could be a short-term relationship.

Mentorship

A relationship where the mentor provides guidance, information, and expertise to support the long-term career development of the mentee.

Sponsorship

The act of advocating on the behalf of another for a position, promotion, development opportunity, etc. over a longer period.

For more information on setting up a mentorship program, see Optimize the Mentoring Program to Build a High Performing Learning Organization.

On why mentorship and sponsorship are important:

"With some degree of mentorship or sponsorship, it means that your ability to thrive or to have a positive experience in organizations increases substantially. Mentorship and sponsorship are very often the lynchpin of someone being successful and sticking with an organization. Sponsorship is an endorsement to other high-level stakeholders who very often are the gatekeepers of opportunity. Sponsors help to shepherd you through the gate."

Carlos Thomas Executive Councilor, Info-Tech Research Group

What is an employee resource group?

IT Professionals rated ERGs as the third top driver of success at work

Employee resource groups enable employees to connect in their workplace based on shared characteristics or life experiences.

ERGs generally focus on providing support, enhancing career development, and contributing to personal development in the work environment. Some ERGs provide advice to the organization on how they can support their diverse employees.

As leaders, you should support and encourage the formation of ERGs in your organization.

What each ERG does will vary according to the needs of employees in your organization. Your role is to enable the ERGs as they are created and maintained.

On setting up and leveraging employee resource groups:

"Employee resource groups, when leveraged in an authentically intentional way, can be the some of the most impactful stakeholders in the development and implementation of the organizational diversity, equity, and inclusion strategy. ERGs are essential to the development of policies, programs, and initiatives that address the needs of equity-seeking groups and are key to driving organizational culture and employee wellbeing, in addition to hiring and recruitment. ERGs must be set up for success by having adequate resources to do the work, which includes adequate budgets, executive sponsorship, training, support, and capacity to do the work. According to a Great Place To Work survey (2021), 50% of ERGs identified the need for adequate resources as a challenge for carrying out the work.:"

CINNAMON CLARK PRACTICE LEAD, DIVERSITY, EQUITY AND INCLUSION services, MCLEAN & CO

There is a gap when it comes to diversity in leadership

Representation at leadership levels is especially stagnant.

Black Americans comprise 13.6% of the US population
(2022 data from the US Census Bureau)

And yet only 5.9% of the country's CEOs are Black, with only 6 (1%) at the top of Fortune 500 companies.
(2021 data from the Bureau of Labor Statistics and Fortune.com)

I've never worked for a company that has Black executives. It's difficult to envision long-term growth with an organization when you don't see yourself represented in leadership.
– Anonymous Interview Subject

Having diversity in your leadership team doubles satisfaction

Our research shows that Black professionals are more satisfied in their role when they see leaders that look like them.

Satisfaction of other professionals is not as impacted by diversity in leadership as for Black professionals. Satisfaction doubles in organizations that have a diverse leadership team.

To reap the benefits from diversity, we need to ensure diversity is not just in entry or mid-level positions and provide employees an opportunity to see diversity in their company's leadership.

On the need for diversity in leadership:

"As a Black professional leader, it's not lost on me that I have a responsibility. I have to demonstrate authenticity, professionalism, and exemplary behavior that others can mimic. And I must also showcase that there are possibilities for those coming up in their career. I feel very grateful that I can bestow onto others my knowledge, my experience, my journey, and the tips that I've used to help bring me to be where I am. (Having Black leaders in an organization) demonstrates that there is talent across the board, that there are all types of women and people with proficiencies. What it brings to the table is a difference in thoughts and experience. A person like myself, sitting at the table, can bring a unique perspective on employee behavior and employee impact. CCL is an organization focused on equity, diversity, and inclusion; for sure having me at the table and others that look like me at the table demonstrates to the public an organization that's practicing what it preaches."

C. Fara Francis CIO, Center for creative leadership

Work from home

While all groups have embraced the work-from-home movement, many Black professionals find it reduces the impact of racial incidents in the workplace.

Percentage of employees who experienced positive changes in motivation after working remotely.

I have to guard and protect myself from experiencing and witnessing racism every day. I am currently working remotely, and I can say for certain my mood and demeanor have improved. Not having to decide if I should address a racist comment or action has made my day easier.
Source: Slate, 2022

Remote work significantly led to feelings of better chances for career advancement

Survey respondents were asked about the positive and negative changes they saw in their interactions and experiences with remote work. Black employees and their colleagues replied similarly, with mostly positive experiences.

While both groups enjoyed better chances for career advancement, the difference was significantly higher for Black professionals.

Reasons for Self-Employment:

More Black professionals have chosen self-employment than their colleagues.

The biggest reasons for both groups in choosing self-employment were for better pay, career growth, and work/life balance.

While the desire for better pay was the highest reason for both groups, for engaged employees salary is a lower priority than other concerns (Adecco Group's Global Workforce of the Future report). Consider salary in conjunction with career growth, work/life balance, and the variety in the work that your employees have.

If we don't consider our Black employees, not only do we risk them leaving the organization, but they may decide to just work for themselves.

Most professionals believe their organizations are committed to diversity, equity, and inclusion

38% of all respondents believe their organizations are very committed to DEI
49% believe they are somewhat committed
9% feel they are not committed
4% are unsure

Make sure supports are in place to help your employees grow in their careers:

Leadership
IT Leadership Career Planning Research Center

Diversity and Inclusion Tactics
IT Diversity & Inclusion Tactics

Employee Development Planning
Implement an IT Employee Development Plan

Belief in your organization's diversity, equity, and inclusion efforts isn't consistent across groups: Make sure actions are seen as genuine

While organization's efforts are acknowledged, Black professionals aren't as optimistic about the commitment as their peers. Make sure that your programs are reaching the various groups you want to impact, to increase the likelihood of satisfaction in their roles.

SATISFACTION INCREASES IN BOTH BLACK AND NON-BLACK PROFESSIONALS

When they believe in their company's commitment to diversity, equity. and inclusion.

Of those who believe in their organization's commitment, 61% of Black professionals and 67% of non-Black professionals are very satisfied in their roles.

Recommendations

It's important to understand the current landscape:

• The barriers that Black employees often face.
• The potential solutions that can help close the gap in employee satisfaction.

We recognize that resolving this is not easy. Although senior executives are recognizing that a diverse set of experiences, perspectives, and backgrounds is crucial to fostering innovation and competing on the global stage, organizations often don't take the extra step to actively look for racialized talent, and many people still believe that race doesn't play an important part in an individual's ability to access opportunities.

Look at a variety of solutions that you can implement within your organization; layering solutions is the key to driving business diversity. Always keep in mind that diversity is not a monolith, that the experiences of each demographic varies.

Info-Tech resources

• Recruit IT Talent
• Recruit and Retain People of Color in IT
• Recruit and Retain People of Color in IT Webinar

Appendix

About the research

Diversity in tech survey

As part of the research process for the State of Black Tech Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from October 2021 to April 2022, collecting 633 responses.

Current Position

Education and Experience

Education was fairly consistent across both groups, with a few exceptions: more Black professionals had secondary school (9% vs. 4%) and more Black professionals had Doctorate degrees (4% vs. 2%).

We had more non-Black respondents with 20+ years of experience (31% vs. 19%) and more Black respondents with less than 1 year of experience (8% vs. 5%) – the rest of the years of experience were consistent across the two groups.

It is important to recognize that people are often seen by "the world" as belonging to a different race or set of races than what they personally identify as. Both aspects impact a professional's experience in the workplace.

Bibliography

Barton, LeRon. “I’m Black. Remote Work Has Been Great for My Mental Health.” Slate, 15 July 2022.

“Black or African American alone, percent.” U.S. Census Bureau QuickFacts: United States. Accessed 14 February 2023.

Boyle, Matthew. “More Workers Ready to Quit Over ‘Window Dressing’ Racism Efforts.” Bloomberg.com, 9 June 2022.

Boyle, Matthew. “Remote Work Has Vastly Improved the Black Worker Experience.” Bloomberg.com, 5 October 2021.

Cooper, Frank, and Ranjay Gulati. “What Do Black Executives Really Want?” Harvard Business Review, 18 November 2021.

“Emotional Tax.” Catalyst. Accessed 1 April 2022.

“Employed Persons by Detailed Occupation, Sex, Race, and Hispanic or Latino Ethnicity” U.S. Bureau of Labor Statistics. Accessed February 14, 2023.

“Equality in Tech Report - Welcome.” Dice, 9 March 2022. Accessed 23 March 2022.

Erb, Marcus. "Leaders Are Missing the Promise and Problems of Employee Resource Groups." Great Place To Work, 30 June 2021.

Gawlak, Emily, et al. “Key Findings - Being Black In Corporate America.” Coqual, Center for Talent Innovation (CTI), 2019.

“Global Workforce of the Future Research.” Adecco, 2022. Accessed 4 February 2023.

Gruman, Galen. “The State of Ethnic Minorities in U.S. Tech: 2020.” Computerworld, 21 September 2020. Accessed 31 May 2022.

Hancock, Bryan, et al. “Black Workers in the US Private Sector.” McKinsey, 21 February 2021. Accessed 1 April 2022.

“Hierarchy Of Needs Applied To Employee Engagement.” Proactive Insights, 12 February 2020.

Hobbs, Cecyl. “Shaping the Future of Leadership for Black Tech Talent.” Russell Reynolds Associates, 27 January 2022. Accessed 3 August 2022.

Hubbard, Lucas. “Race, Not Job, Predicts Economic Outcomes for Black Households.” Duke Today, 16 September 2021. Accessed 30 May 2022.

Knight, Marcus. “How the Tech Industry Can Be More Inclusive to the Black Community.” Crunchbase, 23 February 2022.

“Maslow’s Hierarchy of Needs in Employee Engagement (Pre and Post Covid 19).” Vantage Circle HR Blog, 30 May 2022.

McDonald, Autumn. “The Racism of the ‘Hard-to-Find’ Qualified Black Candidate Trope (SSIR).” Stanford Social Innovation Review, 1 June 2021. Accessed 13 December 2021.

McGlauflin, Paige. “The Fortune 500 Features 6 Black CEOs—and the First Black Founder Ever.” Fortune, 23 May 2022. Accessed 14 February 2023.

“Microaggression." Oxford English Dictionary, Oxford Languages, 2023.

Reed, Jordan. "Understanding Racial Microaggression and Its Effect on Mental Health." Pfizer, 26 August 2020.

Shemla, Meir “Why Workplace Diversity Is So Important, And Why It’s So Hard To Achieve.” Forbes, 22 August 2018. Accessed 4 February 2023.

“The State of Black Women in Corporate America.” Lean In and McKinsey & Company, 2020. Accessed 14 January 2022.

Van Bommel, Tara. “The Power of Empathy in Times of Crisis and Beyond (Report).” Catalyst, 2021. Accessed 1 April 2022.

Vu, Viet, Creig Lamb, and Asher Zafar. “Who Are Canada’s Tech Workers?” Brookfield Institute for Innovation and Entrepreneurship, January 2019. Accessed on Canadian Electronic Library, 2021. Web.

Warner, Justin. “The ROI of Employee Engagement: Show Me the Money!” DecisionWise, 1 January 2020. Web.

White, Sarah K. “5 Revealing Statistics about Career Challenges Black IT Pros Face.” CIO (blog), 9 February 2023. Accessed 5 July 2022.

Williams, Joan C. “Stop Asking Women of Color to Do Unpaid Diversity Work.” Bloomberg.com, 14 April 2022.

Williams, Joan C., Rachel Korn, and Asma Ghani. “A New Report Outlines Some of the Barriers Facing Asian Women in Tech.” Fast Company, 13 April 2022.

Wilson, Valerie, Ethan Miller, and Melat Kassa. “Racial representation in professional occupations.” Economic Policy Institute, 8 June 2021.

“Workplace Diversity: Why It’s Good for Business.” Business Development Canada (BDC.ca), 6 Feb. 2023. Accessed 4 February 2023.

Domino – Maintain, Commit to, or Vacate?

Lotus Domino still lives, and you have options for migrating away from or remaining with the platform.

Executive Summary

Info-Tech Insight

“HCL announced that they have somewhere in the region of 15,000 Domino customers worldwide, and also claimed that that number is growing. They also said that 42% of their customers are already on v11 of Domino, and that in the year or so since that version was released, it’s been downloaded 78,000 times. All of which suggests that the Domino platform is, in fact, alive and well.”
– Nigel Cheshire in Team Studio

Your Challenge

You have a Domino/Notes footprint embedded within your business units and business processes. This is taxing your support organization; you are meeting resistance from the business, and you are now asked to help the organization migrate away from the Lotus Notes platform. The Lotus Notes platform was long used by technology and businesses as a multipurpose solution that, over the years, became embedded within core business applications and processes.

Common Obstacles

For organizations that are struggling to understand their options for the Domino platform, the depth of business process usage is typically the biggest operational obstacle. Migrating off the Domino platform is a difficult option for most organizations due to business process and application complexity. In addition, migrating clients have to resolve the challenges with more than one replaceable solution.

Info-Tech Approach

The most common tactic is for the organization to better understand their Domino migration options and adopt an application rationalization strategy for the Domino applications entrenched within the business. Options include retiring, replatforming, migrating, or staying with your Domino platform.

Review

Is “Lotus” Domino still alive?

Problem statement

The number of member engagements with customers regarding the Domino platform has, as you might imagine, dwindled in the past couple of years. While many members have exited the platform, there are still many members and organizations that have entered a long exit program, but with how embedded Domino is in business processes, the migration has slowed and been met with resistance. Some organizations had replatformed the applications but found that the replacement target state was inadequate and introduced friction because the new solution was not a low-code/business-user-driven environment. This resulted in returning the Domino platform to production and working through a strategy to maintain the environment.

This research is designed for:

• IT strategic direction decision-makers
• IT managers responsible for an existing Domino platform
• Organizations evaluating migration options for mission-critical applications running on Domino

This research will help you:

1. Evaluate migration options.
2. Assess the fit and purpose.
3. Consider strategies for overcoming potential challenges.
4. Determine the future of this platform for your organization.

The “everything may work” scenario

Adopt and expand

Believe it or not, Domino and Notes are still options to consider when determining a migration strategy. With HCL still committed to the platform, there are options organizations should seek to better understand rather than assuming SharePoint will solve all. In our research, we consider:

Importance to current business processes

• Importance of use
• Complexity in migrations
• Choosing a new platform

Available tools to facilitate

• Talent/access to skills
• Economies of scale/lower cost at scale
• Access to technology

Info-Tech Insight

With multiple options to consider, take the time to clearly understand the application rationalization process within your decision making.

• Archive/retire
• Application migration
• Application replatform
• Stay right where you are

Eliminate your bias – consider the advantages

“There is a lot of bias toward Domino; decisions are being made by individuals who know very little about Domino and more importantly, they do not know how it impacts business environment.”

– Rob Salerno, Founder & CTO, Rivet Technology Partners

Domino advantages include:

Modern Cloud & Application

• No-code/low-code technology

Business-Managed Application

• Business written and supported
• Embrace the business support model
• Enterprise class application

Leverage the Application Taxonomy & Build

• A rapid application development platform
• Develop skill with HCL training

HCL Domino is a supported and developed platform

Why consider HCL?

• Consider scheduling a Roadmap Session with HCL. This is an opportunity to leverage any value in the mission and brand of your organization to gain insights or support from HCL.
• Existing Domino customers are not the only entities seeking certainty with the platform. Software solution providers that support enterprise IT infrastructure ecosystems (backup, for example) will also be seeking clarity for the future of the platform. HCL will be managing these relationships through the channel/partner management programs, but our observations indicate that Domino integrations are scarce.
• HCL Domino should be well positioned feature-wise to support low-code/NoSQL demands for enterprises and citizen developers.

Visualize Your Application Roadmap

1. Focus on the application portfolio and crafting a roadmap for rationalization.
   • The process is intended to help you determine each application’s functional and technical adequacy for the business process that it supports.
2. Document your findings on respective application capability heatmaps.
   • This drives your organization to a determination of application dispositions and provides a tool to output various dispositions for you as a roadmap.
3. Sort the application portfolio into a disposition status (keep, replatform, retire, consolidate, etc.)
   • This information will be an input into any cloud migration or modernization as well as consolidation of the infrastructure, licenses, and support for them.

Our external support perspective

by Darin Stahl

Member Feedback

• Some members who have remaining Domino applications in production – while the retire, replatform, consolidate, or stay strategy is playing out – have concerns about the challenges with ongoing support and resources required for the platform. In those cases, some have engaged external services providers to augment staff or take over as managed services.
• While there could be existing support resources (in house or on retainer), the member might consider approaching an external provider who could help backstop the single resource or even provide some help with the exit strategies. At this point, the conversation would be helpful in any case. One of our members engaged an external provider in a Statement of Work for IBM Domino Administration focused on one-time events, Tier 1/Tier 2 support, and custom ad hoc requests.
• The augmentation with the managed services enabled the member to shift key internal resources to a focus on executing the exit strategies (replatform, retire, consolidate), since the business knowledge was key to that success.
• The member also very aggressively governed the Domino environment support needs to truly technical issues/maintenance of known and supported functionality rather than coding new features (and increasing risk and cost in a migration down the road) – in short, freezing new features and functionality unless required for legal compliance or health and safety.
• There obviously are other providers, but at this point Info-Tech no longer maintains a market view or scan of those related to Domino due to low member demand.

Domino database assessments

Consider the database.

• Domino database assessments should be informed through the lens of a multi-value database, like jBase, or an object system.
• The assessment of the databases, often led by relational database subject matter experts grounded in normalized databases, can be a struggle since Notes databases must be denormalized.

Key/Value		Column
Use case: Heavily accessed, rarely updated, large amounts of data Data Model: Values are stored in a hash table of keys. Fast access to small data values, but querying is slow Processor friendly Based on amazon's Dynamo paper Example: Project Voldemort used by LinkedIn		Use case: High availability, multiple data centers Data Model: Storage blocks of data are contained in columns Handles size well Based on Google's BigTable Example: Hadoop/Hbase used by Facebook and Yahoo
Document		Graph
Use case: Rapid development, Web and programmer friendly Data Model: Stores documents made up of tagged elements. Uses Key/Value collections Better query abilities than Key/Value databases. Inspired by Lotus Notes. Example: CouchDB used by BBC		Use case: Best at dealing with complexity and relationships/networks Data model: Nodes and relationships. Data is processed quickly Inspired by Euler and graph theory Can easily evolve schemas Example: Neo4j

Understand your options

Archive/Retire

Store the application data in a long-term repository with the means to locate and read it for regulatory and compliance purposes.

Migrate

Migrate to a new version of the application, facilitating the process of moving software applications from one computing environment to another.

Replatform

Replatforming is an option for transitioning an existing Domino application to a new modern platform (i.e. cloud) to leverage the benefits of a modern deployment model.

Stay

Review the current Domino platform roadmap and understand HCL’s support model. Keep the application within the Domino platform.

Archive/retire

Retire the application, storing the application data in a long-term repository.

Abstract

The most common approach is to build the required functionality in whatever new application/solution is selected, then archive the old data in PDFs and documents.

Typically this involves archiving the data and leveraging Microsoft SharePoint and the new collaborative solutions, likely in conjunction with other software-as-a-service (SaaS) solutions.

Advantages

• Reduce support cost.
• Consolidate applications.
• Reduce risk.
• Reduce compliance and security concerns.
• Improve business processes.

Considerations

• Application transformation
• eDiscovery costs
• Legal implications
• Compliance implications
• Business process dependencies

Info-Tech Insights

Be aware of the costs associated with archiving. The more you archive, the more it will cost you.

Application migration

Migrate to a new version of the application

Abstract

An application migration is the managed process of migrating or moving applications (software) from one infrastructure environment to another.

This can include migrating applications from one data center to another data center, from a data center to a cloud provider, or from a company’s on-premises system to a cloud provider’s infrastructure.

Advantages

• Reduce hardware costs.
• Leverage cloud technologies.
• Improve scalability.
• Improve disaster recovery.
• Improve application security.

Considerations

• Data extraction, starting from the document databases in NSF format and including security settings about users and groups granted to read and write single documents, which is a powerful feature of Lotus Domino documents.
• File extraction, starting from the document databases in NSF format, which can contain attachments and RTF documents and embedded files.
• Design of the final relational database structure; this activity should be carried out without taking into account the original structure of the data in Domino files or the data conversion and loading, from the extracted format to the final model.
• Design and development of the target-state custom applications based on the new data model and the new selected development platform.

Application replatform

Transition an existing Domino application to a new modern platform

Abstract

This type of arrangement is typically part of an application migration or transformation. In this model, client can “replatform” the application into an off-premises hosted provider platform. This would yield many benefits of cloud but in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

Two challenges are particularly significant when migrating or replatforming Domino applications:

• The application functionality/value must be reproduced/replaced with not one but many applications, either through custom coding or a commercial-off-the-shelf/SaaS solution.
• Notes “databases” are not relational databases and will not migrate simply to an SQL database while retaining the same business value. Notes databases are essentially NoSQL repositories and are difficult to normalize.

Advantages

• Leverage cloud technologies.
• Improve scalability.
• Align to a SharePoint platform.
• Improve disaster recovery.
• Improve application security.

Considerations

• Application replatform resource effort
• Network bandwidth
• New platform terms and conditions
• Secure connectivity and communication
• New platform security and compliance
• Degree of complexity

Info-Tech Insights

There is a difference between a migration and a replatform application strategy. Determine which solution aligns to the application requirements.

Stay with HCL

Stay with HCL, understanding its future commitment to the platform.

Abstract

Following the announced acquisition of IBM Domino and up until around December 2019, HCL had published no future roadmap for the platform. The public-facing information/website at the time stated that HCL acquired “the product family and key lab services to deliver professional services.” Again, there was no mention or emphasis on upcoming new features for the platform. The product offering on their website at the time stated that HCL would leverage its services expertise to advise clients and push applications into four buckets:

1. Replatform
2. Retire
3. Move to cloud
4. Modernize

That public-facing messaging changed with release 11.0, which had references to IBM rebranded to HCL for the Notes and Domino product – along with fixes already inflight. More information can be found on HCL’s FAQ page.

Advantages

• Known environment
• Domino is a supported platform
• Domino is a developed platform
• No-code/low-code optimization
• Business developed applications
• Rapid application framework

Understand your tools

Many tools are available to help evaluate or migrate your Domino Platform. Here are a few common tools for you to consider.

• SWING Software
  • Lotus Notes application archiving with Seascape for Notes: Seascape for Notes and Lotus Notes migration
  • Lotus Notes to SharePoint Migration
• Rivit MigrateMe
• SkyBow Notes to SharePoint
• CIMtrek: CIMtrek SharePoint Migrator and Migrating Lotus Notes Applications to the Cloud Using the CIMtrek migration tools [PDF]
• 4WS.Platform

Notes Archiving & Notes to SharePoint

Summary of Vendor

“SWING Software delivers content transformation and archiving software to over 1,000 organizations worldwide. Our solutions uniquely combine key collaborative platforms and standard document formats, making document production, publishing, and archiving processes more efficient.”*

Tools

Lotus Notes Data Migration and Archiving: Preserve historical data outside of Notes and Domino

Lotus Note Migration: Replacing Lotus Notes. Boost your migration by detaching historical data from Lotus Notes and Domino.

Headquarters

Croatia

Best fit

• Application archive and retire
• Migration to SharePoint

* swingsoftware.com

Domino Migration to SharePoint

Summary of Vendor

“Providing leading solutions, resources, and expertise to help your organization transform its collaborative environment.”*

Tools

Notes Domino Migration Solutions: Rivit’s industry-leading solutions and hardened migration practice will help you eliminate Notes Domino once and for all.

Rivive Me: Migrate Notes Domino applications to an enterprise web application

Headquarters

Canada

Best fit

• Application Archive & Retire
• Migration to SharePoint

* rivit.ca

Lotus Notes to M365

Summary of Vendor

“More than 300 organizations across 40+ countries trust skybow to build no-code/no-compromise business applications & processes, and skybow’s community of customers, partners, and experts grows every day.”*

Tools

SkyBow Studio: The low-code platform fully integrated into Microsoft 365

Headquarters:

Switzerland

Best fit

• Application Archive & Retire
• Migration to SharePoint

* skybow.com | About skybow

Notes to SharePoint Migration

Summary of Vendor

“CIMtrek is a global software company headquartered in the UK. Our mission is to develop user-friendly, cost-effective technology solutions and services to help companies modernize their HCL Domino/Notes® application landscape and support their legacy COBOL applications.”*

Tools

CIMtrek SharePoint Migrator: Reduce the time and cost of migrating your IBM® Lotus Notes® applications to Office 365, SharePoint online, and SharePoint on premises.

Headquarters

United Kingdom

Best fit

• Application replatform
• Migration to SharePoint

* cimtrek.com | About CIMtrek

Domino replatform/Rapid application selection framework

Summary of Vendor

“4WS.Platform is a rapid application development tool used to quickly create multi-channel applications including web and mobile applications.”*

Tools

4WS.Platform is available in two editions: Community and Enterprise.
The Platform Enterprise Edition, allows access with an optional support pack.

4WS.Platform’s technical support provides support services to the users through support contracts and agreements.

The platform is a subscription support services for companies using the product which will allow customers to benefit from the knowledge of 4WS.Platform’s technical experts.

Headquarters

Italy

Best fit

• Application replatform

* 4wsplatform.org

Activity

Understand your Domino options

Application Rationalization Exercise

Info-Tech Insight

Application rationalization is the perfect exercise to fully understand your business-developed applications, their importance to business process, and the potential underlying financial impact.

This activity involves the following participants:

• IT strategic direction decision-makers.
• IT managers responsible for an existing Domino platform
• Organizations evaluating platforms for mission-critical applications.

Outcomes of this step:

• Completed Application Rationalization Tool

Application rationalization exercise

Use this Application Rationalization Tool to input the outcomes of your various application assessments

In the Application Entry tab:

• Input your application inventory or subset of apps you intend to rationalize, along with some basic information for your apps.

In the Business Value & TCO Comparison tab, determine rationalization priorities.

• Input your business value scores and total cost of ownership (TCO) of applications.
• Review the results of this analysis to determine which apps should require additional analysis and which dispositions should be prioritized.

In the Disposition Selection tab:

• Add to or adapt our list of dispositions as appropriate.

In the Rationalization Inputs tab:

• Add or adapt the disposition criteria of your application rationalization framework as appropriate.
• Input the results of your various assessments for each application.

In the Disposition Settings tab:

• Add or adapt settings that generate recommended dispositions based on your rationalization inputs.

In the Disposition Recommendations tab:

• Review and compare the rationalization results and confirm if dispositions are appropriate for your strategy.

In the Timeline Considerations tab:

• Enter the estimated timeline for when you execute your dispositions.

In the Portfolio Roadmap tab:

• Review and present your roadmap and rationalization results.

Follow the instructions to generate recommended dispositions and populate an application portfolio roadmap.

Info-Tech Insight

Watch out for misleading scores that result from poorly designed criteria weightings.

Related Info-Tech Research

Build an Application Rationalization Framework

Manage your application portfolio to minimize risk and maximize value.

Embrace Business-Managed Applications

Empower the business to implement their own applications with a trusted business-IT relationship.

Satisfy Digital End Users With Low- and No-Code

Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

Maximize the Benefits from Enterprise Applications with a Center of Excellence

Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

Research Authors

Darin Stahl, Principal Research Advisor,
Info-Tech Research Group

Darin is a Principal Research Advisor within the Infrastructure practice, leveraging 38+ years of experience. His areas of focus include IT operations management, service desk, infrastructure outsourcing, managed services, cloud infrastructure, DRP/BCP, printer management, managed print services, application performance monitoring, managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

Troy Cheeseman, Practice Lead,
Info-Tech Research Group

Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

Research Contributors

Rob Salerno, Founder & CTO, Rivit Technology Partners

Rob is the Founder and Chief Technology Strategist for Rivit Technology Partners. Rivit is a system integrator that delivers unique IT solutions. Rivit is known for its REVIVE migration strategy which helps companies leave legacy platforms (such as Domino) or move between versions of software. Rivit is the developer of the DCOM Application Archiving solution.

Bibliography

Cheshire, Nigel. “Domino v12 Launch Keeps HCL Product Strategy On Track.” Team Studio, 19 July 2021. Web.

“Is LowCode/NoCode the best platform for you?” Rivit Technology Partners, 15 July 2021. Web.

McCracken, Harry. “Lotus: Farewell to a Once-Great Tech Brand.” TIME, 20 Nov. 2012. Web.

Sharwood, Simon. “Lotus Notes refuses to die, again, as HCL debuts Domino 12.” The Register, 8 June 2021. Web.

Woodie, Alex. “Domino 12 Comes to IBM i.” IT Jungle, 16 Aug. 2021. Web.

Network Segmentation

Protect your network by controlling the conversations within it.

Executive Summary

Info-Tech Insight

Executive Summary

Info-Tech Insight

The aim of networking is communication, but unfettered communication can be a liability. Appropriate segmentation in networks, blocking communications where they are not required or desired, restricts lateral movement within the network, allowing for better risk mitigation and management.

Network segmentation

How do you execute on network segmentation?

Identify risks by understanding access across the network

Understand the network space

Info-Tech Insight

The more granular you are in the definition of the network space, the more granular you can be in your segmentation. The unfortunate corollary to this is that the difficulty of managing your end solution grows with the granularity of your segmentation.

Create appropriate policy

Prioritize the potential segmentation

Info-Tech Insight

Be sure to keep this exercise relative so that a clear ranking occurs. If it turns out that everything is a priority, then nothing is a priority. When ranking things relative to others in the exercise, we ensure clear “winners” and “losers.”

Assess risk and prioritize action

1-3 hours

1. Define a list of users and services that define the network space to be addressed. If the lists are too long, use an exercise like affinity diagramming to appropriately group them into a smaller subset.
2. Create a matrix from the lists (put users and services along the rows and columns). In the intersecting points, label how the traffic should be treated (e.g. Permissive, Restricted, Rejected).
3. Examine the matrix and assess the intersections for risk using the lens of impact and likelihood of an adverse event. Label the intersections for risk level with one of green (low impact/likelihood), yellow (medium impact/likelihood), or red (high impact/likelihood).
4. Find commonalities within the medium/high areas and list the users or services as priorities to be addressed.

Design segmentation

Segmentation comes in many flavors; decide which is right for the specific circumstance.

Decide on which methods work for your circumstances

You always have options…

There are multiple lenses to look through when making the decision of what the correct segmentation method might be for any given user group or service. A potential subset could include:

• Effort to deploy
• Cost of the solution
• Skills required to operate
• Granularity of the segmentation
• Adaptability of the solution
• Level of automation in the solution

Info-Tech Insight

Network segmentation within an organization is rarely a one-size-fits-all proposition. Be sure to look at each situation that has been identified to need segmentation and align it with an appropriate solution. The overall number of solutions deployed has to maintain a balance between that appropriateness and the effort to manage multiple environments.

Framework to examine segmentation methods

To assess we need to understand.

To assess when technologies or methodologies are appropriate for a segmentation use case, we need to understand what those options are. We will be examining potential segmentation methods and concepts within the following framework:

WHAT

A description of the segmentation technology, method, or concept.

WHY

Why would this be used over other choices and/or in what circumstances?

HOW

A high-level overview of how this option could or would be deployed.

Notional assessments will be displayed in a sidebar to give an idea of Effort, Cost, Skills, Granularity, Adaptability, and Automation.

Air gap

… And never the twain shall meet.

– Rudyard Kipling, “The Ballad of East and West.”

WHAT

Air gapping is a strategy to protect portions of a network by segmenting those portions and running them on completely separate hardware from the primary network. In an air gap scenario, the segmented network cannot have connectivity to outside networks. This difference makes air gapping a very specific implementation of parallel networks (which are still segmented and run on separate hardware but can be connected through a control point).

WHY

Air gap is a traditional choice when environments need to be very secure. Examples where air gaps exist(ed) are:

• Operational technology (OT) networks
• Military networks
• Critical infrastructure

HOW

Most networks are not overprovisioned to a level that physical segmentation can be done without purchasing new equipment. The major steps required for constructing an air gap include:

• Design segmentation
• Purchase and install new hardware
• Cable to new hardware

Info-Tech Insight

An air gapped network is the ultimate in segmentation and security … as long as the network does not require connectivity. It is unfortunately rare in today’s world that a network will stand on its own without any need for external connectivity.

VLAN

Do what you can, with what you’ve got…

– Theodore Roosevelt

WHAT

Virtual local area networks (VLANs) are a standard feature on today’s firewalls, routers, and manageable switches. This configuration option allows for network traffic to be segmented into separate virtual networks (broadcast domains) on existing hardware. This segmentation is done at layer 2 of the OSI model. All traffic will share the same hardware but be partitioned based on “tags” that the local device applies to the traffic. Because of these tags, traffic is handled separately at layer 2 of the OSI model, but traffic can pass between segments at layer 3 (e.g. IP layer).

WHY

VLANs are commonly used because most existing deployments already have the technology available without extra licensing. VLANs are also potentially used as foundational components in more complex segmentation strategies such as static or dynamic overlays.

HOW

VLANs allow for segmentation of a device at the port level. VLAN strategies are generally on a location level (e.g. most VLAN deployments are local to a site, though the same structure may be used among sites). To deploy VLANs you must:

• Define VLAN segments
• Assign ports appropriately

Info-Tech Insight

VLANs are tried and true segmentation workhorses. The fact that they are already included in modern manageable solutions means that there is very little reason to not have some level of segmentation within a network.

Micro-segmentation

Everyone is against micromanaging, but macro managing means you’re working on the big picture but don’t understand the details.

– Henry Mintzberg

WHAT

Micro-segmentation is used to secure and control network traffic between workloads. This is a foundational technology when implementing zero trust or least-privileged access network designs. Segmentation is done at or directly adjacent to the workload (on the system or its direct network connectivity) through firewall or similar policy controls. The controls are set to only allow the network communication required to execute the workload and is limited to appropriate endpoints. This restrictive design restricts all traffic (including east-west) and reduces the attack surface.

WHY

Micro-segmentation is primarily used:

• In server-to-server communication.
• When lateral movement by bad actors is identified as a concern.

HOW

Micro-segmentation can be deployed at different places within the connectivity depending on the technologies used:

• Workload/server (e.g. server firewall)
• VM network overlay (e.g. VMware NSX)
• Network port (e.g. ACL, firewall, ACI)
• Cloud native (e.g. Azure Firewall)

Info-Tech Insight

Micro-segmentation is necessary in the data center to limit lateral movement. Just be sure to be thorough in defining required communication as this technology works on allowlists, not traditional blocklists.

Static overlay

Adaptability is key.

– Marc Andreessen

WHAT

Static overlays are a form of virtual segmentation that allows multiple network segments to exist on the same device. Most of these solutions will also allow for these segments to expand across multiple devices or sites, creating overlay virtual networks on top of the existing physical networks. The static nature of the solution is because the ports that participate in the overlays are statically assigned and configured. Connectivity between devices and sites is done through encapsulation and may have a dynamic component of the control plane handled through routing protocols.

WHY

Static overlays are commonly deployed when the need is to segment different use cases or areas of the organization consistently across sites while allowing easy access within the segments between sites. This could be representative of segmenting a department like Finance or extending a layer 2 segment across data centers.

HOW

Static overlays are can segment and potentially extend a layer 2 or layer 3 network. These solutions could be executed with technologies such as:

• VXLAN (Virtual eXtensible LAN)
• MPLS (Multi Protocol Label Switching)
• VRF (Virtual Routing & Forwarding)

Info-Tech Insight

Static overlays are commonly deployed by telecommunications providers when building out their service offerings due to the multitenancy requirements of the network.

Dynamic overlay

Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.

– George S. Patton

WHAT

A dynamic overlay segmentation solution has the ability to make security or traffic decisions based on policy. Rather than designing and hardcoding the network architecture, the policy is architected and the network makes decisions based on that policy. Differing levels of control exist in this space, but the underlying commonality is that the segmentation would be considered “software defined” (SDN).

WHY

Dynamic overlay solutions provide the most flexibility of the presented solutions. Some use cases such as BYOD or IoT devices may not be easily identified or controlled through static means. As a general rule of thumb, the less static the network is, the more dynamic your segmentation solution must be.

HOW

Policy is generally applied at the network ingress. When applying policy, which policy to be applied can be identified through different methodologies such as:

• Authentication (e.g. 802.1x)
• Device agents
• Device profiling

Info-Tech Insight

Dynamic overlays allow for more flexibility through its policy-based configurations. These solutions can provide the highest value when positioned where we have less control of the points within a network (e.g. BYOD scenarios).

Define how your segments will communicate

No segment is an island…

Network segmentation allows for protection of devices, users, or data through the act of separating the physical or virtual networks they are on. Counter to this protective stance, especially in today’s networks, these devices, users, or data tend to need to interact with each other outside of the neat lines we draw for them. Proper network segmentation has to allow for the transfer of assets between networks in a safe and secure manner.

Info-Tech Insight

The solutions used to facilitate the controlled communication between segments has to consider the friction to the users. If too much friction is introduced, people will try to find a way around the controls, potentially negating the security that is intended with the solution.

Potential access methods

A ship in harbor is safe, but that is not what ships are built for.

– John A. Shedd

Operate and optimize

Security is not static. Monitor and iterate on policies within the environment.

Monitor for efficacy, compliance, and the unknown

Monitor to ensure your intended results and to identify new potential risks.

Monitoring network segments

A combination of passive and active monitoring is required to ensure that:

• The rules that have been deployed are working as expected.
• Appropriate proof of compliance is in place for auditing and insurance purposes.
• Environments are being monitored for unexpected traffic.

Active monitoring goes beyond the traditional gathering of information for alerts and dashboards and moves into the space of synthetic users and anomaly detection. Using these strategies helps to ensure that security is enforced appropriately and responses to issues are timely.

"We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."

– Dr. Larry Ponemon, Chairman Ponemon Institute, at SecureWorld Boston

Info-Tech Insight

Using solutions like network detection and response (NDR) will allow for monitoring to take advantage of advanced analytical techniques like artificial intelligence (AI) and machine learning (ML). These technologies can help identify anomalies that a human might miss.

Monitoring options

It’s not what you look at that matters, it’s what you see.

– Henry David Thoreau

Gather feedback, assess the situation, and iterate

Take input from operating the environment and use that to optimize the process and the outcome.

Optimize through iteration

Output from monitoring must be fed back into the process of maintaining and optimizing segmentation. Network segmentation should be viewed as an ongoing process as opposed to a singular structured project.

Monitoring can and will highlight where and when the segmentation design is successful and when new traffic flows arise. If these inputs are not fed back through the process, designs will become stagnant and admins or users will attempt to find ways to circumvent solutions for ease of use.

"I think it's very important to have a feedback loop, where you're constantly thinking about what you've done and how you could be doing it better. I think that's the single best piece of advice: constantly think about how you could be doing things better and questioning yourself."

– Elon Musk, qtd. in Mashable, 2012

Info-Tech Insight

The network environment will not stay static; flows will change as often as required for the business to succeed. Take insights from monitoring the environment and integrate them into an iterative process that will maintain relevance and usability in your segmentation.

Bibliography

Andreessen, Marc. “Adaptability is key.” BrainyQuote, n.d.
Barry Schwartz. The Paradox of Choice: Why More Is Less. Harper Perennial, 18 Jan. 2005.
Capers, Zach. “GetApp’s 2022 Data Security Report—Seven Startling Statistics.” GetApp,
19 Sept. 2022.
Cisco Systems, Inc. “Cybersecurity resilience emerges as top priority as 62 percent of companies say security incidents impacted business operations.” PR Newswire, 6 Dec. 2022.
“Dynamic Network Segmentation: A Must-Have for Digital Businesses in the Age of Zero Trust.” Forescout Whitepaper, 2021. Accessed Nov. 2022.
Eaves, Johnothan. “Segmentation Strategy - An ISE Prescriptive Guide.” Cisco Community,
26 Oct. 2020. Accessed Nov. 2022.
Kambic, Dan, and Jason Fricke. “Network Segmentation: Concepts and Practices.” Carnegie Mellon University SEI Blog, 19 Oct. 2020. Accessed Nov. 2022.
Kang, Myong H., et al. “A Network Pump.” IEEE Transactions on Software Engineering, vol. 22 no. 5, May 1996.
Kipling, Rudyard. “The Ballad of East and West.” Ballads and Barrack-Room Ballads, 1892.
Mintzberg, Henry. “Everyone is against micro managing but macro managing means you're working at the big picture but don't know the details.” AZ Quotes, n.d.
Murphy, Greg. “A Reimagined Purdue Model For Industrial Security Is Possible.” Forbes Magazine, 18 Jan. 2022. Accessed Oct. 2022.
Patton, George S. “Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.” BrainyQuote, n.d.
Ponemon, Larry. “We discovered in our research […].” SecureWorld Boston, n.d.
Roosevelt, Theodore. “Do what you can, with what you've got, where you are.” Theodore Roosevelt Center, n.d.
Sahoo, Narendra. “How Does Implementing Network Segmentation Benefit Businesses?” Vista Infosec Blog. April 2021. Accessed Nov. 2022.
“Security Outcomes Report Volume 3.” Cisco Secure, Dec 2022.
Shedd, John A. “A ship in harbor is safe, but that is not what ships are built for.” Salt from My Attic, 1928, via Quote Investigator, 9 Dec. 2023.
Singleton, Camille, et al. “X-Force Threat Intelligence Index 2022” IBM, 17 Feb. 2022.
Accessed Nov. 2022.
Stone, Mark. “What is network segmentation? NS best practices, requirements explained.” AT&T Cyber Security, March 2021. Accessed Nov. 2022.
“The State of Breach and Attack Simulation and the Need for Continuous Security Validation: A Study of US and UK Organizations.” Ponemon Institute, Nov. 2020. Accessed Nov. 2022.
Thoreau, Henry David. “It’s not what you look at that matters, it’s what you see.” BrainyQuote, n.d.
Ulanoff, Lance. “Elon Musk: Secrets of a Highly Effective Entrepreneur.” Mashable, 13 April 2012.
“What Is Microsegmenation?” Palo Alto, Accessed Nov. 2022.
“What is Network Segmentation? Introduction to Network Segmentation.” Sunny Valley Networks, n.d.

It’s “day two” in the cloud. Now what?

EXECUTIVE BRIEF

Analysts’ Perspective

	Andrew Sharp Research Director Infrastructure & Operations Practice	It’s “day two” in the cloud. Now what? Just because you’re in the cloud doesn’t mean everyone is on the same page about how cloud operations work – or should work. You have an opportunity to implement new ways of working. But if people can’t see the bigger picture – the organizing framework of your cloud operations – it will be harder to get buy-in to realize value from your cloud services. Use Info-Tech’s methodology to build out and visualize a cloud operations organizing framework that defines cloud work and aligns it to the right areas.
	Nabeel Sherif Principal Research Director Infrastructure & Operations Practice
	Emily Sugerman Research Analyst Infrastructure & Operations Practice
	Scott Young Principal Research Director Infrastructure & Operations Practice

Executive Summary

Info-Tech Insight

Define your target cloud operations state first, then plan how to get there. If you begin by trying to reconstruct on-prem operations in the cloud, you will build an operations model that is the worst of both worlds.

Your Challenge

Traditional IT capabilities, activities, organizational structures, and culture need to adjust to leverage the value of cloud, optimize spend, and manage risk.

• As key applications leave for the cloud, I&O teams are still expected to manage access, spend, and security but may have little or no visibility or control over the applications themselves.
• The automation and self-service capabilities of cloud aren’t delivering the speed the business expected because teams don’t work together effectively.
• Business leaders purchase their own cloud solutions because, from their point of view, IT’s processes are cumbersome and ineffective.
• Accounting practices and governance mechanisms haven’t adjusted to enable new development practices and technologies.
• Security and cost management requirements may not be accounted for by teams acquiring or developing solutions.
• All of this contributes to frustration, missed work, wasteful spending, and unacceptable risk.

Obstacles, by the numbers:

85% of respondents reported security in the cloud was a serious concern.

73% reported balancing responsibilities between a central cloud team and business units was a top concern.

The average organization spent 13% more than they’d budgeted on cloud – even when budgets were expected to increase by 29% in the next year.

32% of all cloud spend was estimated to be wasted spend.

56% of operations professionals said their primary focus is cloud services.

81% of security professionals thought it was difficult to get developers to prioritize bug fixes.

42% of security professionals felt bugs were being caught too late in the development process.

1. Flexera 2022 State of the Cloud Report. 2. GitLab DevSecOps 2021 Survey

Cloud operations are different, but IT departments struggle to change

• There’s no sense of urgency in the organization that change is needed, particularly from teams that aren’t directly involved in operations. It can be challenging to make the case that change is needed.
• Beware “analysis paralysis”! With so many options, philosophies, approaches, and methodologies, it’s easy to be overwhelmed by choice and fail to make needed changes.
• The solution to the problem requires organizational changes beyond the operations team, but you don’t have the authority to make those changes directly. Operations can influence the solution, but they likely can’t direct it.
• Behavior, culture, and organizations take time and work to change. Progress is usually evolutionary – but this can also mean it feels like it’s happening too slowly.
• It’s not just cloud, and it probably never will be. You’ll need to account for operating both on-premises and cloud technologies for the foreseeable future.

Follow Info-Tech’s Methodology

1. Ensure alignment with the risks and drivers of the business and understand your organization’s strengths and gaps for a cloud operations world.

2. Understand the balance of different types of deliveries you’re responsible for in the cloud.

3. Reduce risk by reinforcing the key operational pillars of cloud operations to your workstreams.

4. Identify “work areas,” decide which area is responsible for what tasks and how work areas should interact in order to best facilitate desired business outcomes.

Info-Tech Insight

Start by designing operations around the main workflow you have for cloud services; i.e. If you mostly build or host in cloud, build the diagram to maximize value for that workflow.

Operating Framework Elements

Proper design of roles and responsibilities for each cloud workflow category will help reduce risk by reinforcing the key operational pillars of cloud operations.

We base this on a composite of the well-architected frameworks established by the top global cloud providers today.

Workflow Categories

• Build
• Host
• Consume

Key Pillars

• Performance
• Reliability
• Cost Effectiveness
• Security
• Operational Excellence

Risks to Mitigate

• Changes to Support Model
• Changes to Security & Governance
• Changes to Skills & Roles
• Replicating Old Habits
• Misaligned Stakeholders

Cloud Operations Design

Info-Tech’s Methodology

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

Cloud Maturity Assessment Assess the intensity and cloud maturity of your IT operations for each of the key cloud workstreams: Consume, Host, and Build		Communication Plan Identify stakeholders, what’s in it for them, what the impact will be, and how you will communicate over the course of the change.
Cloud Operations Design Sketchbook Capture the diagram as you build it.		Roadmap Tool Build a roadmap to put the design into action.

Key deliverable:

Cloud Operations Organizing Framework

The Cloud Operations Organizing Framework is a communication tool that introduces the cloud operations diagram and establishes its context and justification.

Project Outline

Project benefits

Calculate the value of Info-Tech’s Methodology

The value of the project is the delivery of organizational change that improves the way you manage cloud services

1. Average wasted cloud spend across all organizations, from the 2022 Flexera State of the Cloud Report

Understand your cloud vision and strategy before you redesign operations

Guide your operations redesign with an overarching cloud vision and strategy that aligns to and enables the business’s goals.

Cloud Vision		Cloud Strategy
It is difficult to get or maintain buy-in for changes to operations without everyone on the same page about the basic value proposition cloud offers your organization. Do the workload and risk analysis to create a defensible cloud vision statement that boils down into a single statement: “This is how we want to use the cloud.”	Once you have your basic cloud vision, take the next step by documenting a cloud strategy. Establish your steering committee with stakeholders from IT, business, and leadership to work through the essential decisions around vision and alignment, people, governance, and technology. Your cloud operations design should align to a cloud strategy document that provides guidelines on establishing a cloud council, preparing staff for changing skills, mitigating risks through proper governance, and setting a direction for migration, provisioning, and monitoring decisions.

Key Insights

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1:

Establish context

Phase Outcomes:

Define current maturity and which workstreams are important to your organization.

Understand new operating approaches and which apply to your workstream balance.

Identify a new target state for IT operations.

Before you get started

Set yourself up for success with these three steps:

• This methodology and the related slides are intended to be executed via intensive, collaborative working sessions using the rest of this slide deck.
• Ensure the working sessions are successful by working through these steps before you start work on defining your cloud operations.

Create a working folder

15 minutes

Create a central repository to support transparency and collaboration. It’s an obvious step, but one that’s often forgotten.

1. Download all the documents associated with this blueprint to a shared repository accessible to all participants. Keep separate folders for templates and work-in-progress.
2. Share the link to the repository with all attendees. Include links to the repository in any meeting invites you set up as working sessions for the project.
3. Use the repository for all the work you do in the activities listed in this blueprint.

Step 1.1: Identify goals and challenges, workstreams, and cloud maturity

Participants

• Operations Design Working Group, which may include:
  • Cloud owners
  • Platform/Applications Team leads
  • Infra & Ops managers

Outcomes

• Identify your current cloud maturity and areas in need of improvement.
• Define the advantages you expect to realize from cloud services and any obstacles you have to overcome to meet those objectives.
• Identify the reasons why redesigning cloud operations is necessary.
• Develop organization design principles.

“Start small: Begin with a couple services. Then, based on the feedback you receive from Operations and the business, modify your approach and keep increasing your footprint.” – Nenad Begovic

Cloud changes operational activities, tactics, and goals

As you adopt cloud services, the operations core mission remains . . .

• IT operations are expected to deliver stable, efficient, and secure IT services.

. . . but operational activities are evolving.

• Core IT operational processes remain relevant, such as incident or capacity management, but opportunities to automate or outsource operations tasks will change how that work is done.
• As you rely more on automation and outsourcing, the team may see less direct execution in its day-to-day work and more solution design and validation.
• Outsourcing frees the team from operational toil but reduces the direct control over your end-to-end solution and increases your reliance on your vendor.
• Pay-as-you-go pricing models present opportunities for streamlined delivery and cost rationalization but require you to rethink how you do cost and asset management.
• It’s very easy for the business to buy a SaaS solution without consulting IT, which can lead to duplicated functionality, integration challenges, security threats, and more.

Design a model for cloud operations that helps you achieve value from your cloud environment.

“As operating models shift to the cloud, you still need the same people and processes. However, the shift is focused on a higher level of operations. If your people no longer focus on server uptime, then their success metrics will change. When security is no longer protected by the four walls of a datacenter, your threat profile changes.”

(Microsoft, “Understand Cloud Operating Models,” 2022)

Operational responsibilities are shared with a range of stakeholders

When using a vendor-operated public cloud, IT exists in a shared responsibility model with the cloud service provider, one that is further differentiated by the type of cloud service model in use: broadly, software-as a service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS).

Your IT operations organization may still reflect a structure where IT retains control over the entire infrastructure stack from facilities to application and defines their operational roles and processes accordingly.

If the organization chooses a co-location facility, they outsource facility responsibility to a third-party provider, but much of the rest of the traditional IT operating model remains the same. The operations model that worked for an entirely premises-based environment is very different from one that is made up of, for instance, a portfolio of SaaS applications, where your control is limited to the top of the infrastructure stack at the application layer.

Once an organization migrates workloads to the cloud, IT gives up an increasing amount of control to the vendor, and its traditional operational roles & responsibilities necessarily change.

Align operations with customer value

• Decisions about operational design should be made with customer value in mind. Remember that cloud adoption should be an enabler of adaptability in the face of changing business needs!
• Think about how the operations team is indispensable to the value received by your customer. Think about the types of changes that can add to the value your customers receive.
• A focus on value will help you establish and explain the rationale and urgency required to deliver on needed changes. If you can’t explain how the changes you propose will help deliver value, your proposal will come across as change for the sake of change.

Info-Tech Insight

Work that is invisible to the customer can still be essential to delivering customer value. A lot of operations work is invisible to your organization’s customers but required to deliver stability, security, efficiency, and more.

A new consumption model means a different mix of activities

Evolving to cloud-optimal operations also means re-assessing and adapting your team’s approach to achieving cloud maturity, especially with respect to how automation and standardization can be leveraged to best achieve optimization in cloud.

Info-Tech Insight

Cloud is a different way of consuming IT resources and applications and requires a different operational approach than traditional IT.

In most cases, cloud operations involves less direct execution and more service validation and monitoring.

The Service Models in cloud correspond to the way your organization delivers IT

Define how you plan to use cloud services

Your cloud operations will include different tasks, teams, and workflows, depending on whether you consume cloud services, build them, or host on them.

Align to the well-architected framework

• Each cloud provider has defined a well-architected framework (WAF) that defines effective deployment and operations for their services.
• WAFs embody a set of best practices and design principles to leverage the cloud in a more efficient, secure, and cost-effective manner.
• While each vendor’s WAF has its own definitions and nuances, they collectively share a set of key principles, or “pillars,” that define the desired outcome of any cloud deployment.
• These pillars address the key areas of risk when migrating to a public cloud platform.

“In order to accelerate public cloud adoption, you need to focus on infrastructure-as-code and script everything you can. Unlike traditional operations, CloudOps focuses on creating scripts: a script for task A, a script for task B, etc.”

– Nenad Begovic

Pillars

• Reliability
• Security
• Cost Optimization
• Operational Excellence
• Performance Efficiency

General Best Practice Capability Areas

• Host
• Network
• Data
• Identity Management
• Cost/Subscription Management

Assess cloud maturity

2 hours

1. Download a copy of the Cloud Maturity Assessment Tool.
2. As a group, work through:
   • The balance of your operations activities from a Host/Build/Consume perspective. What are you responsible for delivering now? How do you expect things will change in the future?
   • Which workstreams to focus on. Are there activity categories that are critical or non-critical or that don’t represent a significant portion of overall work? Conversely, are there workstreams that you feel are subject to particular risk when moving to cloud?
3. Fill out the Maturity Quiz tab in the Cloud Maturity Assessment Tool for the workstreams you have chosen to focus on.

Download theCloud Maturity Assessment Tool

Identify the drivers for organizational redesign

Whiteboard Activity

An absolute must-have in any successful redesign is a shared understanding and commitment to changing the status quo.

Without a clear and urgent call to action, the design changes will be seen as change for the sake of change and therefore entirely safe to ignore.

Take up the following questions as a group:

1. What kind of organizational change is needed?
2. Why do we think the need for this change is urgent?
3. What do we think will happen if no change occurs? What’s the worst-case scenario?

Record your answers so you can reference and use them in the communication materials you’ll create in Phase 2.

“We know, for example, that 70 percent of change programs fail to achieve their goals, largely due to employee resistance and lack of management support. We also know that when people are truly invested in change it is 30 percent more likely to stick.”

– Ewenstein, Smith, Sologar

McKinsey (2015)

Consider the value of change from advantage and obstacle perspectives

Consider what you intend to achieve and the obstacles to overcome to help identify the changes required to achieve your desired future state.

Review risks and challenges

Changes to Support Model

• Have we identified who is on the cloud ops team?
• Do we know where we are procuring skills (internal IT vs. third party) and for how long?
• Do we know where we are in the migration process?

Changes to security & governance

• Have we identified how our attack surface changes in the cloud?
• Do we have guardrails in place to govern self-provisioning users?
• Are we managing cost overage risks?

Replicating old habits

• Have we made concrete plans to leverage cloud capabilities to standardize and automate outputs?
• Are we simply reproducing existing systems in the cloud?

Changes to Skills & Roles

• Is our staff excited to learn new skills and technologies? Are our specialists prepared to acquire generalist skills to support cloud services?
• Do we have training plans created and aligned to our technology roadmap?
• Do we know what head count we need?

Misaligned stakeholders

• Have we identified our key stakeholders and teams? Have we considered what changes will impact them and how?
• Are we meeting regularly and collaborating effectively with our peers, or are we siloed?

Review cloud objectives and obstacles

Whiteboard Activity

1 hour

1. With your working group, review why you’re using cloud in the first place. What advantages do you expect to realize by adopting cloud services? If we achieve what we’ve set out to do, what should that look and feel like to us, our organization, and our organization’s customers?
   • You should have identified cloud drivers and objectives in your cloud vision and strategy – leverage and validate what you already have!
2. Next, identify obstacles that are preventing you from fully realizing the value of cloud services.
3. Finally, brainstorm initial ideas for change. What could we start doing that could help us better use cloud in the future? Are there changes to how we need to organize ourselves to collaborate more effectively?

Commonly cited advantages and obstacles

Establish organization design principles

You’ve established a need for organizational change. What will that change look like?

Design principles are concise, direct statements that describe how you will design your organization to achieve key objectives and address key challenges.

This is a critically important step for several reasons:

• A set of clear, concise statements that describe what the design should achieve provides parameters that will help you create and evaluate different design options.
• A focused, facilitated discussion to create those statements will help uncover conflicting assumptions between key stakeholders.
• A comprehensive description of the various ways the organization should change makes it easier to identify misaligned or incompatible objectives.
• A description of what your organization should look like in the future will help you identify where changes will be required .

Examples of design principles:

1. We will create a path to review and publish effective application/platform patterns.
2. A single governing body should have oversight into all cloud costs.
3. Development must happen only on approved cloud platforms.
4. Application teams must address operational issues that derive from the applications they’ve created.
5. Security practices should be embedded into approved cloud platforms and be automatically applied wherever possible.
6. Focus is on improving developer experience on cloud platforms.

Info-Tech Insight

Design principles will often change as the organization’s strategy evolves.

Align design principles to your objectives

Developing design principles starts with your key objectives. What do we absolutely have to get right to deliver value through cloud services?

Once you have your direction set, work through the points in the star model to establish how you will meet your objectives and deliver value. Each point in the star is an important element in your design – taken together, it paints a holistic picture of your future-state organization.

The changes you choose to implement that affect capabilities, structure, processes, rewards, and people should be self-reinforcing. Each point in the star is connected to, and should support, the other points.

“There is no one-size-fits-all organization design that all companies – regardless of their particular strategy needs – should subscribe to.”

– Jay Galbraith, “The Star Model”

Establish design principles

Track your findings in the table on the next slide.

1. Review the cloud objectives and challenges from the previous activity. As a group, decide from that list: what are the key objectives you are trying to achieve? What are the things you absolutely must get right to get value from cloud services?
2. Work through the following questions as a group:
   • What capabilities or technologies do we need to adopt or leverage differently?
   • How must our structure change? How will power shift in the new structure?
   • Will our new structure require changes to processes or information sharing?
   • How must we change how we motivate or reward employees?
   • What new skills or knowledge is required? How will we acquire those skills or knowledge?

Design principles (example)

Step 1.2: Evaluate new ways of working

Participants

Cloud Operations Design Working Group

Outcomes

Shared understanding of the horizon of work possibilities:

• Ways to work
• Ways to govern and learn

Consider the different approaches on the following slides, how they change operational work, and decide which approaches are the right fit for you.

Evaluate new ways of working

Cut through the hype

Leverage patterns to think about new ways of approaching operations work

Patterns are strategies, approaches, and philosophies that can help you imagine new ways of working in your own organization.

• The following slides provide an overview of organizing patterns that are applicable to cloud operations.
• These are strategies that have been applied successfully elsewhere. Review what they can and cannot do and decide whether they are something you can use in your own organizational design.
• Not every pattern will apply to every organization. For example, an organization which typically consumes SaaS applications will likely have very little need for SRE approaches and techniques.

Ways to work

• What work do we do? What skills do we need?
• How do we create and support systems?

Ways to govern and learn

• How do we set and enforce rules?
• How do we create and share knowledge?

Explore Applicable Patterns

What is DevOps?

“Look for obstacles constantly and treat them as opportunities to experiment and learn.” – Jez Humble, et al. Lean Enterprise: How High Performance Organizations Innovate at Scale

1 DevOps, SRE, and Platform Engineering

What is Site Reliability Engineering (SRE)?

“Hope is not a strategy” – Benjamin Treynor Sloss, Site Reliability Engineering: How Google Runs Production Systems

1 SRE vs Platform Engineering

2. Lakhani, Usman. “ISite Reliability Engineering: What Is It? Why Is It Important for Online Businesses?,” 2020.

3. Sloss, “Introduction,” 2017

What4 is Platform Engineering?

“Platform engineers can act as a shield between developers and the infrastructure”

– Carlos Schults, “What is Platform Engineering? The Concept Behind the Term”

1 DevOps, SRE, and Platform Engineering

What is a Cloud Center of Excellence?

You need a strong core to grow a cloud culture.

What is a Cloud Community of Practice?

“We have to stop optimizing for programmers and start optimizing for users”

– Jeff Atwood

Reinforce what we mean by patterns

Review the implications of each pattern for organizational design

1. Gustavo Franco and Matt Brown, “How SRE teams are organized and how to get started.”

Review the implications of each pattern for organizational design

Evolve your organization to meet the needs of increased adoption

Your operating model should evolve as you increase adoption of cloud services.

Adapted from Microsoft, “Get Started: Align your organization,” 2021

Choose new ways of working that make sense for your team

1 hour

Consider if, and how, the approaches to management and governance you’ve just reviewed can offer value to your organization.

1. List the organizing/managing ideas listed in the previous slides in the table below.
2. Define why it’s for you. What benefits do you expect to realize? What challenges do you expect this will help you overcome? How does this align with your key benefits and drivers for moving to cloud?
3. List risks or challenges to adoption. Why will it be hard to do? What could get in the way of adoption? Why might it not be a good fit?
4. Identify next steps to adopt proposed practices.

Step 1.3: Identify cloud work

Participants

• Operations Design Working Group

Outcomes

• Identify core work required to deliver value in key cloud workstreams.

“At first, for many people, the cloud seems vast. But what you actually do is carve out space.”

–DevOps Manager

Identify work

Before you can identify roles and responsibilities, you have to confirm what work you do as an organization and how that work enables you to meet your goals.

• A comprehensive approach that connects the work you do to your organizational goals will help you identify work that’s falling through the cracks.
• Identifying work is an opportunity to look at the tasks you regularly execute and ensure they actually drive value.
• Working through the exercise as a group will help you develop a common language around the work you do.
• To make the evident obvious: you can’t decide who should be responsible for something if you don’t know about it in the first place.

Defining work can be a lot of … work! We recommend you start by identifying work for the workstream you do most – Build, Consume, or Host – to focus your efforts. You can repeat the exercise as needed.

Map work in workstream diagrams

The five Well-Architected Framework pillars. These are principles/directions/guideposts that should inform all cloud work.

The work being done to achieve the workstream target. These are roughly aligned with the three streams on the right.

Workstream Target: A concise statement of the value you aim to achieve through this workstream. All work should help deliver value (directly or indirectly).

Define the scope of the exercise

Whiteboard Activity

20 minutes

Over the next few exercises, you’ll do a deep dive into the work you do in one specific workstream. In this exercise, we’ll decide on a workstream to focus on first.

1. Are you primarily building, hosting on, or consuming cloud services? Start with the workstream where you’re doing the most work.
2. If this isn’t sufficient to narrow your focus, look at the workstream that is most closely tied to mission critical applications, or that is most in need of review in terms of what work is done and who does it.
3. You can narrow the scope further if there’s a very specific sub-area that differs from the rest (e.g. managing your O365 environment vs. managing all SaaS applications).

Create a workstream target statement

Whiteboard Activity

30 minutes

In this activity, come up with a short sentence to describe what all this work you do is building toward. The target statement helps align participants on why work is being done and helps focus the activity on work that is most important to achieving the target statement.

Start with this common workstream target statement:

“Deliver valuable, secure, available, reliable, and efficient cloud services.”

Now, review and adjust the target statement by working through the questions below:

1. Return to the earlier exercises in Phase 1.1 where you reviewed your key objectives for cloud services. Does the target statement align with what you’d identified previously?
2. Who is the customer for the work you do? Would they see the target differently than you’ve described it?
3. Can you be more specific? Are there value drivers that are more specific to your industry, organization, business functions, or products that are key to the value your customers receive from this workstream?

Identify cloud work

1-2 hours

1. Use the workstream diagram template in the Cloud Operations Design Sketchbook, or draw the template out on a whiteboard and use sticky notes to identify work.
2. Identify the workstream at the top of the slide. Update the template value statement on the right with the value statement you created in the previous exercise.
3. Review one or more of the examples in the Cloud Operations Design Sketchbook to get a sense of the level of detail required for this exercise.

Activity instructions continue on the next slide.

Some notes to the facilitator:

• Working directly from the Cloud Operations Design Sketchbook will save you time with transcription. Sharing the document with participants (e.g. via OneDrive) will allow you to collaborate and edit the document together in real-time.
• Don’t worry about being too tidy for the moment, just get the information written down and you can clean up the diagram later.

Identify cloud work (cont’d)

4. Work together to identify work, documenting one work item per box. This should focus on future state, so record work whether it’s actually done today or not. Your space is limited on the sheet, so focus on work that is indispensable to delivering the value statement. Use the lists on the right as a reminder of key IT practice areas.

5. As much as possible, align the work items to the appropriate row (Govern & Align, Design & Execute, or Validate, Support & Monitor). You can overlap boxes between rows if needed.

Have you captured work related to:

Info-Tech Insight

Cloud work is not just applications that have been approved by IT. Consider how unsanctioned software purchased by the business will be integrated and managed.

Identify cloud work (cont’d)

6. If you have decided to adopt any of the new ways of working outlined in Step 1.2 (e.g. DevOps, SRE, etc.) review the next slide for examples of the type of work that frequently needs to be done in each of those work models. Add any additional work items as needed.

7. Consolidate boxes and clean up the diagram (e.g. remove duplicate work items, align boxes, clarify language).

8. Do a final review. Is all the work in the diagram truly aligned with the value statement? Is the work identified aligned with the design principles from Step 1.1?

If you used a whiteboard for this exercise, transcribe the output to a copy of the Cloud Operations Design Sketchbook, and repeat the exercise for other key workstreams. You will use this diagram in Phase 2.

Examples of work

Examples of work in the "Host" workstream:

• Bulk patch servers
• Add a server
• Add capacity
• Develop a new server template
• Incident management

Examples of work in the "Build" workstream:

• Provision a production server
• Provision a test environment
• Test recovery procedures
• Add capacity for a service
• Publish a new pattern
• Manage capacity/performance for a service
• Identify wasted spend across services
• Identify performance bottlenecks
• Review and shut down idle/unneeded services

Examples of work in the "Consume" workstream:

• Conduct vendor risk assessments
• Develop a standard evaluation matrix to compare solutions to existing or potential in-house offerings
• Onboard a solution
• Offboard a solution
• Conduct a renewal
• Review and negotiate a contract
• Rationalize software titles

Phase 2:

Design the organization and communicate changes

Phase Outcomes:

Draft your cloud operations diagram, identify key messages and impacts to communicate to your stakeholders, and build out the Cloud Operations Organizing Framework communication deck.

Step 2.1: Identify groups and responsibilities

Participants

• Operations Design Working Group

Outcomes

• Cloud Operations Diagram
• Success Indicators
• Roadmap

“No-one ever solved a problem by restructuring.”

– Anonymous

Visualize your cloud operations

Create a visual to help you abstract, analyze, and clarify your vision for the future state of your organization in order to align and instruct stakeholders.

Create a visual, high-level view of your organization to help you answer questions such as:

• “What work do we do? What are the roles and responsibilities of different teams?”
• “How do we interact between work areas?”
• “How has our organization changed already, and what additional changes may be needed?”
• “How do we make technology decisions?”
• “How do we provide services?”
• “How might this change be received by people on the ground?”

Decide whether to centralize or decentralize

Specialization & Focus: A group or work unit developing a focused concentration of skills, expertise, and activities aligned with an area of focus (such as the ones at right).

Decentralization: Operational teams that report to a decentralized IT or business function, either directly or via a “dotted line” relationship.

Decentralization and Specialization can:

• Duplicate work.
• Localize decision-making authority, which can increase agility and responsiveness.
• Transfer authority and accountability to local and typically smaller teams, clarifying responsibilities and encouraging staff to take ownership for service delivery.
• Enable the team to focus on complex and rapidly changing technologies or processes.
• Create islands of expertise, which can get in the way of collaboration, innovation, and decision making across groups and work units and make oversight difficult.
• Complicate the transfer of resources and knowledge between groups.

“The concept of organization design is simple in theory but highly complex in practice. Like any strategic decision, it involves making multiple trade-offs before choosing what is best suited to a business context.”

– Nitin Razdan & Arvind Pandit

Identify key work areas

Balance specialization with effective collaboration

• Much is said about breaking down organizational silos. But at some level, silos are inevitable – any company with more than one employee will have to divide work up somehow.
• Dividing up work is a delicate balancing act – ensuring individuals and groups are able to do work that is related, meaningful, and that allows autonomy while allowing for effective collaboration between groups that need to work together to achieve business goals.

Why “work areas”?

Why don’t we just use teams, groups, squads, or departments, or some other more common term for groups of people working together?

• We are not yet at the point of deciding who in the organization should be aligned to which areas in the design.
• Describing work areas as teams can shift the conversation to the organizational chart – to who does the work, rather than what needs to be done.

That’s not the goal of this exercise. If the conversation gets stuck on what you do today, it can get in the way of thinking about what you need to do in the future.

Create a future-state cloud operations diagram

1-3 hours

1. Review the example cloud operations diagram example in your copy of the Cloud Operations Design Sketchbook.
2. Identify key work areas (e.g. applications, infrastructure, platform engineering, DevOps, security). Add the name of each work area in one of the larger boxes.
   • Go back to your design principles. Did you define any work areas in your design principles that should be represented here?
   • If you have several groups or teams with similar responsibilities, consider lumping them together in one box (e.g. applications teams, 3x DevOps teams).
3. Copy the tasks from any workstream diagrams you’ve created to the same slide as the organization design diagram. Keep the workstream diagram intact, as you’ll want to be able to refer back to it later.

Activity instructions continue on the next slide.

Cloud operations diagram (cont’d)

1-3 hours

4. As a group, move the work boxes from the workstream diagram into the appropriate work area.

• Don’t worry about being too tidy for the moment – clean up the diagram when the exercise is done.
• Make adjustments to the wording of the work boxes if needed.

5. Use the space between work areas to describe how work areas must interact to achieve organizational goals. For example:

• What information should be shared between groups?
• What information sharing channels may be used?
• What processes will be handed-off between groups and how?
• How often will teams interact?
• Will interactions be formal or informal?

Create a current-state operations diagram

1 -2 hours

This exercise can be done by one person, then reviewed with the working group at a later time.

This current state diagram helps clarify the changes that may need to happen to get to your future state.

1. Color code the work boxes for each work area. For example, if you have a “DevOps” work area, make all the work boxes assigned to “DevOps” the same color.
2. On a separate slide, sketch your existing organization indicating your current teams.
3. Copy the tasks from the future-state diagram to this current-state chart. Align the tasks to the appropriate groups.
4. Review the chart with the working group. Discuss: are there teams that are doing work today that will also be done by different teams? Are there groups that may merge into one team? What types of changes may be required?

Check for biases to make better choices

Use the strategies below to spot and address flaws in your team’s thinking about your future-state design.

Framework above adapted from Kahneman, Lovallo, and Sibony (2011)

Be specific with metrics

Thinking of ways you could measure success can help uncover what success actually means to you.

Work collectively to generate success indicators for each key cloud initiative. Success indicators are metrics, with targets, aligned to goals, and if you are able to measure them accurately, they should help you report your progress toward your objectives.

For example, if your driver is “faster access to resources” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.

There are several reasons you may not publicize these metrics. They may be difficult to calculate or misconstrued as targets, warping behavior in unexpected ways. But managed properly, they have value in measuring operational success!

Define success indicators

Whiteboard Activity

45 minutes

1. On a whiteboard, draw a table with key objectives for the design across the top.
   • What cloud objectives should the redesign help you achieve? Refer back to the design principles from Phase 1.
   • Think about the redesign itself. How will you measure whether the project itself is proceeding according to plan? Consider metrics such as employee engagement scores and satisfaction scores from key stakeholders.
2. Consider whether the metrics are feasible to track. Record your decisions in your copy of the Cloud Operations Organizing Framework deck.

Populate a roadmap

Tool Activity

45 minutes

1. In the Roadmap Tool, populate the data entry tab with the initiatives you will take to support changes toward the new cloud operations organizing framework.
2. Input each of the tasks in the data entry tab and provide a description and rationale behind the task (as needed).
3. Assign an effort, priority, and cost level to each task (high, medium, low).
4. Assign an owner to each task – someone who can take points and shepherd the task to completion.
5. Identify the timeline for each task based on the priority, effort, and cost (short, medium, and long term).
6. Highlight risk for each task if it will be deferred.
7. Track the progress of each task with the status column.

Download the Roadmap Tool

Step 2.2: Communicate changes

Participants

• Operations Design Working Group

Outcomes

• Build a communication plan for key stakeholders
• Complete the communication deck Cloud Operations Organizing Framework
• Build a roadmap

“Words, words, words.”

– Shakespeare

Communicate changes

Which stakeholders will be affected by the changes?

Decision makers: Who do you ultimately need to convince to proceed with any changes you’ve outlined?

Peers: How will managers of other areas be affected by the changes you’re proposing? If you are you suggesting changes to the way that they, or their teams, do their work, you will have to present a compelling case that there’s value in it for them.

Staff: Are you dictating changes or looking for feedback on the path forward?

Source: The Qualities of Leadership: Leading Change

Follow these guidelines for good communication

“We tend to use a lot of jargon in our discussions, and that is a sure fire way to turn people away. We realized the message wasn’t getting out because the audience wasn’t speaking the same language. You have to take it down to the next level and help them understand where the needs are.”

– Jeremy Clement, Director of Finance, College of Charleston

Create a communication plan

1 hour

Fill out the table below.

Stakeholder group: Identify key stakeholders who may be impacted by changes to the operations team. This might include IT leadership, management, and staff.

Benefits: What’s in it for them?

Impact: What are we asking in return?

How: What mechanisms or channels will you use to communicate?

When: When (and how often) will you get the message out?

Download the Communication Plan Template

Support the transition with a plan to acquire skills

Identify the preferred way to acquire needed skill sets: contracting, outsourcing, training, or hiring.

• Some cloud projects will change the demand for some skills in the organization, and not all skills should be cultivated internally. Uncertainty about future skills and jobs will cause anxiety for your team and can lead to employee exit.
• Use Info-Tech’s research to conduct a demand analysis to identify which new and critical skills should be acquired via training or hiring (rather than outsourcing or contracting).
• Create a roadmap to clarify when training needs to be completed, a budget plan that accounts for training costs, and role descriptions that paint a picture of future work.
• Within the confines of a collective agreement, managers may be required to retrain staff into new roles before those staff are required to do work in their new jobs. Failing to plan can be more consequential.
• Remember that in cloud, a wealth of automation opportunities present a great option for offloading tasks as well!

Info-Tech Insight

Identify skills requirements and gaps as early as possible to avoid skills gaps later. Whether you plan to acquire skills via training or cross-training, hiring, contracting, or outsourcing, effectively building skills takes time. Use Info-Tech’s methodology to address skills gaps in a prioritized and rational way.

Involve HR for implementation

Your HR team should help you work through:

• Which staff and managers will move to which roles, and any headcount changes.
• Job descriptions, performance metrics, career paths, compensation, and succession planning.
• Organizational change management and implementation plans.

When do you need to involve HR?

Related Info-Tech Research

Bibliography

“2021 GitLab DevSecOps Survey.” Gitlab, 2021.
“2022 State of the Cloud Report.” Flexera, 2022.
“DevOps.” Atlassian, ND. Web. 21 July 2022.
Atwood, Jeff. “The 2030 Self-Driving Car Bet.” Coding Horror, 4 Mar 2022. Web. 5 Aug 2022.
Campbell, Andrew. “What is an operating model?” Operational Excellence Society, 12 May 2016. Web. 13 July 2022.
“DevOps.” Atlassian, ND. Web. 21 July 2022.
Ewenstein, Boris, Wesley Smith, Ashvin Sologar. “Changing change management” McKinsey, 1 July 2015. Web. 8 April 2022.
Franco, Gustavo and Matt Brown. “How SRE teams are organized, and how to get started.” Google Cloud Blog, 26 June 2019. Web. July 13 2022.
“Get started: Build a cloud operations team.” Microsoft, 10 May 2021.
ITIL Foundation: ITIL 4 Edition. Axelos, 2019.
Humble, Jez, Joanne Molesky, and Barry O’Reilly. Lean Enterprise: How High Performance Organizations Innovate at Scale. O’Reilly Media, 2015.
Franco, Gustavo and Matt Brown. “How SRE teams are organized and how to get started.” 26 June 2019. Web. 21 July 2022.
Galbraith, Jay. “The Star Model”. ND. Web. 21 July 2022.
Kahnemanm Daniel, Dan Lovallo, and Olivier Sibony. “Before you make that big decision.” Harv Bus Rev. 2011 Jun; 89(6): 50-60, 137. PMID: 21714386.
Kesler, Greg. “Star Model of Organizational Design.” YouTube, 1 Oct 2018. Web Video. 21 Jul 2022.
Lakhani, Usman. “Site Reliability Engineering: What Is It? Why Is It Important for Online Businesses?” Info-Tech. Web. 25 May 2020.
Mansour, Sherif. “Product Management: The role and best practices for beginners.” Atlassian Agile Coach, n.d.
Murphy, Annie, Jamie Kirwin, Khalid Abdul Razak. “Operating Models: Delivering on strategy and optimizing processes.” EY, 2016.
Shults, Carlos. “What is Platform Engineering? The Concept Behind the Term.” liatrio, 3 Aug 2021. Web. 5 Aug 2022.
Sloss, Benjamin Treynor. Site Reliability Engineering – Part I: Introduction. O’Reilly Media, 2017.
“SRE vs. Platform Engineering.” Ambassador Labs, 8 Feb 2021.
“The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.
“Understand cloud operating models.” Microsoft, 02 Sept. 2022.
Velichko, Ivan. “DevOps, SRE, and Platform Engineering.” 15 Mar 2022.

Research Contributors and Experts

Take a Realistic Approach to Disaster Recovery Testing

Reduce costly downtime with a right-sized testing program that improves IT resilience.

Analyst Perspective

Reduce costly downtime with a right-sized testing program that improves IT resilience.

Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.

But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?

You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.

Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.

Andrew Sharp

Research Director, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.

Process and Outputs

This research is accompanied by templates to help you achieve your goals faster.

1 - Establish the business rationale for DR testing.
2 - Review a range of options for testing.
3 - Prioritize tests that are most valuable to your business.
4 - Create a disaster recovery test plan.
5 - Establish a Test Program to support a regular testing cycle.

Outputs:

Orange activity slides like the one on the left provide directions to help you make key decisions.

Key Deliverable:

Disaster Recovery Test Plan Template

Build a plan for your first disaster recovery test.

This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.

Why test?

Testing helps you avoid costly downtime

• In a disaster scenario, speed matters. Immediately after an outage, the impact on the organization is small, but impact increases rapidly the longer the outage continues.
• A quick and reliable response and recovery can protect the organization from significant losses.
• A DRP testing and maintenance program helps ensure you’re ready to recover when you need to, rather than figuring it out as you go.

“Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”

– Jennifer Goshorn
Chief Administrative Officer
Gunderson Dettmer LLP

Info-Tech members estimated even one day of system downtime could lead to significant revenue losses.

Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)

*Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.

Run tests to enhance disaster recovery plans

Testing improves organizational resilience

• Identify and address gaps in your plans before a real disaster strikes.
• Cross-train staff on systems recovery.
• Go beyond testing technology to test recovery processes.
• Establish a culture that centers resilience in everyday decision-making.

Testing keeps DR documentation ready for action

• Update documentation ahead of tests to prepare for the testing exercise.
• Update documentation after testing to incorporate any lessons learned.

Testing validates that investments in resilience deliver value

• Confirm your organization can meet defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
• Provide proof of testing for auditors, prospective customers, and insurance applications

Overcome testing challenges

Despite the value of effective recovery testing, most IT organizations struggle to test recovery plans

Common challenges

• Key resources don’t have time for testing exercises.
• You don’t have the technology to support live recovery testing.
• Tests are done ad hoc and lessons learned are lost.
• A lack of business support for test exercises as the value isn’t understood.
• Tests are always artificially simple because RTOs and RPOs must be met to satisfy customer or auditor inquiries

Overcome challenges with a realistic approach:

• Start small with tabletop and recovery tests for specific systems.
• Include recovery tests in operational tasks (e.g. restore systems when you have a maintenance window).
• Create testing plans for larger testing exercises.
• Build on successful tests to streamline testing exercises in the future.
• Don’t make testing a pass-fail exercise. Focus on identifying gaps and risks so you can address them before a real disaster hits.

Go beyond traditional testing

Different test techniques help validate recovery against different threats

• There are many threats to service continuity, including ransomware, severe weather events, geopolitical conflict, legacy systems, staff turnover, and day-to-day outages caused by human error, software updates, hardware failures, or network outages.
• At its core, disaster recovery planning is about recovery. A plan for service recovery will help you mitigate against many threats at once. The testing approaches on the right will help you validate different aspects of that recovery process.
• This research will provide an overview of the approaches outlined on the right and help you prioritize tests that are most valuable to your organization.

00 Identify a working group

30 minutes

Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.

Start by updating your disaster recovery plan (DRP)

Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.

Overall Business Continuity Plan

01 Confirm: why test at all?

15-30 minutes

Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.

Drivers for testing – Examples:

• Improve service continuity.
• Identify and address gaps in recovery plans before a real disaster strikes.
• Cross-train staff on systems recovery to minimize single points of failure.
• Identify how we coordinate across teams during a major systems outage.
• Exercise both recovery processes and technology.
• Support a culture that centers system resilience in everyday decision-making.
• Keep recovery documentation up-to-date and ready for action.
• Confirm that our stated recovery objectives can be met.
• Provide proof of testing for auditors, prospective customers, and insurance applications.
• We require proof of testing to pass audits and renew cybersecurity insurance.

Info-Tech Insight

Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.

Think about what and how you test

Find gaps and risks with tabletop testing

In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.

Tabletops are particularly effective because:

• It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
• It is non-intrusive, so it can be executed more easily than other testing methodologies.
• The exercise translates into recovery documentation: you create a workflow as you go.
• A major site or service recovery scenario will review all aspects of the recovery process and create the backbone of your recovery plan.

02 Run a tabletop exercise

2 hours

Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.

Use our Recovery Workflow Template as a starting point.

Some tips for running your first tabletop exercise:

1. Ahead of the exercise, decide on a scenario, identify participants, and book a meeting time.
   • For your first walkthrough of a DR scenario, we often recommend a scenario that considers a site failure requiring failover to a DR site.
   • For the first exercise, focus on technical aspects of recovery before bringing in members of the business. The technical team may need space to discuss the appropriate steps in the recovery process before you bring in business liaisons to discuss user acceptance testing (UAT).
   • A complete failover considers all systems, the viability of your second site, and can help identify parts of the process that require additional exercises.
2. Review the scenario with participants. Then, discuss and document the recovery process, starting with initial notification of an event.
   • Record steps in the process on white cards or boxes.
   • On yellow and red cards, document gaps and risks in people process and technology requirements.
3. Once you’ve walked through the process, return to the start.
   • Record the time required to complete each step. Consider identifying who is responsible for key steps. Identify any additional gaps and risks.
4. Clean up and record the results of the workflow. Save a copy with your DRP documentation.

Move from tabletop testing to functional exercises

See how your plans fare in the real world

In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:

• See how standby systems behave. A tabletop exercise can miss small issues that can make or break the recovery process. For example, connectivity or integration issues on a new subnet might be difficult to predict prior to actually running services in that environment.
• Hands-on practice: Familiarize the team with the steps, commands, and interfaces of your recovery toolset.
• Manage the pressure of the DR scenario: Nothing’s quite like the real thing, but a live exercise may be the closest your team can get to a disaster situation without experiencing it firsthand.

Examples of live exercises

Run local tests ahead of releases

Think small

Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.

Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.

Some examples of localized tests:

• Review backup logs and check for errors.
• Restore files or whole systems from backup.
• Run application-based tests as part of release management, including unit, regression, and performance tests.
  • Ensure application tests are run for both the primary and DR environment.
  • For a deep-dive on application testing, see Info-Tech’s research Automate Testing to Get More Done.

Info-Tech Insight

Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.

Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.

Have the business validate recovery

If your business doesn’t think a system’s recovered, it’s not recovered.

User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.

An acceptance test script might look something like the checklist below.

• Does the application open?
• Does the interface look right?
• Do you see any unusual notifications or warnings?
• Can you conduct a key transaction with dummy data?
• Can you run key reports?

“I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”

– Robert Nardella
IT Service Management
Certified z/OS Mainframe Professional

Info-Tech Insight

Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.

Beyond the Basics: Full Failover Testing

• A failover test – a full failover of your production environment to a secondary environment – is what many IT and businesspeople think about when they think of disaster recovery testing.
• A full test can validate previous local or tabletop tests, identify additional gaps and risks, and provide hands-on training experience with recovery processes and technologies.
• Setting a date for failover testing can also inject some urgency into otherwise low-priority (but high importance) disaster recovery planning and documentation exercises, which need to be completed prior to the test.
• Despite these benefits, full failover tests carry significant risk and require a great deal of effort and cost. Typically, only businesses that already have an active-active environment capable of supporting in-scope production systems are able to run a full environment failover.
• This is especially true the first time you test. While in theory a DR plan should be ready to go at any time, there will be documents to update, gaps to address, and risks to mitigate before you go ahead with the test.

Full Failover Testing

What you get:

• Provide hands-on experience with recovery processes and technology.
• Confirm that site failover works in practice as you assumed in tabletop or local testing exercises.
• Identify critical gaps you might have missed without a full failover test.

What you need:

• An active-active secondary site, with sufficient standby equipment, data, and licensed standby software to support production.
• A completed tabletop exercise and documented recovery workflow.
• A documented test plan, backout plan, and formal sign-off.
• An off-hours downtime window.
• Time from technical SMEs and business resources, both for creating the plan and executing the test.

Beyond the Basics: Site Reliability Engineering

• Site reliability engineering (SRE) is an application of skills and approaches from software engineering to improve system resilience.
• SRE is focused on “availability, latency, performance, efficiency, change management, monitoring, emergency response, and capacity planning” across a set portfolio of services (Sloss, 2017).
• In many organizations, SRE is implemented as a team that supports separate applications teams.
• Applications must have defined and granular resilience requirements, translated into service objectives. The SRE team and applications teams will work together to meet these objectives.
• Site reliability engineers (the folks that do SRE, and often also abbreviated as SREs) are expected to build solutions and processes to ensure services remain stable and performant, not just respond when they fail. For example, Google allows their SREs to spend just half their time on incident response, with the rest of their time focused on development and automation tasks.

Site Reliability Testing

What you get:

• Improved reliability and reduced frequency and impact of downtime.
• Increased use of automation to address problems before they cause an incident.
• Granular resilience objectives.

What you need:

• Systems running on software-defined infrastructure.
• Specialized skills in programming, infrastructure-as-code.
• Business & product owners able to define and fund acceptable and appropriate resilience objectives.
• Technical experts able to translate product requirements into technical design requirements.

Beyond the Basics: Chaos Engineering

• Chaos engineering, a term and approach first popularized by the team at Netflix, aims to improve the resilience of particularly large and distributed systems by simulating system failures and evaluating performance against a baseline.
• Experiments simulate a variety of real-world events that could cause outages (e.g. network slowdowns or server failures). Experiments run continuously, and the recommendation is to run them in production where feasible while minimizing the impact on customers.
• Tools to help you run chaos testing exist, including open-source toolkits like Chaos Monkey or Mangle and paid software as a service (SaaS) solutions like Gremlin.
• Deciding whether the long-term benefits of tests that can degrade production are worth the potential risk of system slowdowns or outages is a business or product decision. Technical considerations aside, if the business owner of a particular system doesn’t see the value of continuous testing outweighing the introduced risk, this approach to testing isn’t going to happen.

Chaos Engineering

What you get:

• Confidence that systems can weather volatile and unpredictable conditions in a production environment.
• An embedded resilience culture.

What you need:

• High-maturity IT incident, monitoring and event practices.
• Standby/resilient systems to minimize downtime impact.
• Business buy-in for introducing risk into the production environment.
• Specialized skills to identify, develop, and run tests that degrade production performance in a controlled way.
• Budget and time to act on issues identified through testing.

Beyond the Basics: Security Event Simulations

• Ransomware is driving demands for proof of recovery testing from customers, executives, auditors, and insurance companies. Systems recovery is part of ransomware recovery, but recovering from a breach includes detection, analysis, containment, and eradication of the attack vector before systems recovery can begin.
• Beyond technical recovery, internal legal and communications teams will have a role, as will your insurance provider, consultants specialized in ransomware recovery, or professional ransom negotiators.
• A tabletop exercise focused on ransomware incident response is a key first step. You can find Info-Tech’s methodology for a ransomware tabletop in Phase 3 of Build Resilience Against Ransomware Attacks.
• Live testing approaches can offer hands-on experience and further insight into how your systems are vulnerable to malware. A variety of open source and proprietary tools can simulate ransomware and help you identify problems, though it’s important to understand the limitations of different simulators (Allon, 2022).
• A “red team” exercise simulates an adversarial attack against your processes and systems. A specialized penetration tester will often take on the role of the red team and provide a report of identified gaps and risks after the engagement.

Security Event Simulation

What you get:

• Hands-on experience managing and recovering from a ransomware attack in a controlled environment.
• A better understanding of gaps in your response process.

What you need:

• A completed ransomware tabletop exercise and mature security incident response processes.
• For Ransomware Simulators: An air-gapped sandbox environment hosting a copy of your production systems and security tools, and time from your technical SMEs.
• For Red Team Exercises: A trusted provider, scope for your testing plans, and time from your security incident response team.

Prioritize tests by asking these three questions

1. Will the scope of this test deliver sufficient value?

• Yes, these are critical systems with low tolerance for downtime or data loss.
• Yes, major changes or new systems require validation of DR capabilities.
• Yes, there’s high probability of an outage, or recent experience of an outage.
• •Yes, we have audit requirements or customer demands for testing.

2. Are we ready for this test?

• Yes, recovery plans and recovery objectives are documented.
• Yes, key technical and business resources have time to commit to testing exercises.
• Yes, technology is currently able to support proposed tests.

3. Is it easy to do?

• Yes, effort required to complete the test is low (i.e. minimal work, few participants).
• Yes, the risks related to testing are low.
• Yes, it won’t cost much.

Info-Tech Insight

More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!

03 Brainstorm and prioritize test ideas

30-60 minutes

Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.

1. Review the slides above to develop ideas on how and what you want to test. These slides may be enough to kickstart a brainstorming process. Don’t debate or discount ideas at this point. Write down these ideas in a space where all participants can see them (e.g. whiteboard or shared screen).

The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.

1. Discuss where you have the greatest need to test. Assign a score of 0 – 3 for each test, with a score of 3 being high-need and a score of zero being low-need. Consider whether:
   • These applications have a low tolerance for downtime.
   • There’s a high chance of an outage, or recent experience with an outage.
   • There’s a need to train or cross-train staff on recovery for the system(s) in question.
   • Major changes require a review or validation of DR capabilities.
   • Audit requirements or customer/executive demands can be met via testing.
2. Discuss which tests will require the least effort to complete – where readiness is high and tests are easier to do. Assign a score between 0 and 3 for each test, with a score of 3 being least effort and a score of 0 being high effort. Consider whether:
   • Recovery plans and recovery objectives are documented for these systems.
   • Technical experts are available to work on testing exercises.
   • For active testing, standby/sandbox systems are available and capable of supporting proposed tests.
   • The effort required to complete the test is low (e.g. minimal new work, few participants).
   • The risks related to testing are low.
   • You will need to secure additional funding.
3. Sum together the assigned scores for each test. Higher scores should be the highest priority, but of course use your judgement to validate the results and select one or two tests to execute in the coming year.

“There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”

– Steve Tower
Principal Consultant
Prompta Consulting Group

04 Build a test plan

3-5 days

Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.

The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.

Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.

Key sections of the document include:

• Goals, scenario, and scope of the test.
• Assumptions, constraints, risks, and mitigation strategies.
• Test participants.
• Key pre-test milestones, and test-day schedule.
• After-action review.

Download the Disaster Recovery Test Plan Template

05 Run an after-action review

30-60 minutes

Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.

1. Start with a short (5-10 minute) debrief of the test and allow participants to ask questions. Confirm:
   • Did we meet the goals we set for the exercise, including RTOs and RPOs?
   • What was done well? What issues, gaps, and risks were identified?
2. Work through variations of the following questions:
   • Was the test plan effective, and was the test well organized?
   • Was the documentation effective? Where did we follow the plan as documented, and where did we deviate from the plan?
   • Was our communication/collaboration during the test effective?
   • Have gaps and issues found during the test been reported to the testing coordinator? Could some of the issues uncovered apply more broadly to other IT services as well?
   • What could we test next, based on what was discovered?
   • Are there other tools or approaches that could be useful?

Follow a testing cycle

All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.

Use your experience to simplify testing

The fifth testing exercise should be easier than the first

Outputs and lessons learned from testing should help you run future tests.

• With past experience under their belt, participants should have a better understanding of their role, and of their peers’ roles, and the goal of the exercise.
• Facilitators will be more comfortable facilitating the exercise, and everyone should be more confident in the steps required to recover their systems.
• Gather feedback from participants through after-action reviews to identify what worked and what didn’t.
• Documentation from previous tests can provide a template for future tests.
• Gaps identified in previous tests can provide ideas for future tests.

Info-Tech Insight

Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.

06 Create a test program summary

2-4 hours

Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.

Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.

The result is a summary document that:

• Identifies key takeaways and testing goals
• Presents key elements of the testing program
• Outlines the testing cycle
• Lists expected milestones for the next year
• Identifies participants
• Recommends next steps

“It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”

– Joe Starzyk
Senior Business Development Executive
IBM Global Services

Research Contributors and Experts

• Bernard A. Jones, Business Continuity & Disaster Recovery Expert
• Robert Nardella, IT Service Management, Certified z/OS Mainframe Professional
• Larry Liss, Chief Technology Officer, Blank Rome LLP
• Jennifer Goshorn, Chief Administrative and Chief Compliance Officer, Gunderson Dettmer LLP
• Paul Kirvan, FBCI, CISA, Independent IT Consultant/Auditor, Paul Kirvan Associates
• Steve Tower, Principal Consultant, Prompta Consulting Group
• Joe Starzyk, Senior Business Development Executive, IBM Global Services
• Thomas Bronack, Enterprise Resiliency and Corporate Certification Consultant, DCAG
• Paul S. Randal, CEO & Owner, SQLskills.com
• Tom Baumgartner, Disaster Recovery Analyst, Catholic Health

Bibliography

Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/

Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan

The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.

Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum

Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.

IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
https://www.techtarget.com/searchitoperations/definition/chaos-engineering

Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf

“Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
https://principlesofchaos.org/

Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
https://sre.google/sre-book/introduction/

Build an ITSM Tool Implementation Plan

Plan ahead with a step-by-step approach to ensure the tool delivers business value.

EXECUTIVE BRIEF

Analyst perspective

Take control of the wheel or you might end up in a ditch.

An ITSM tool implementation is a complex project with direct impact on IT’s ability to support the business. With that level of risk, you need to take control early on.

Yes, your vendor will support or execute the technical implementation, but they depend on you to tell them how to configure ITSM parameters and workflows that affect user interface, the ability to manage incidents, and governance over assets and IT changes.

If you leave the configuration completely to the vendor, at best you might get the same setup as in your old tool (and not realize the benefits that leadership is expecting). At worst you end up with default values that don’t fit your process needs, i.e., confusion and not realizing expected benefits.

A successful implementation requires early planning from a wide range of resources including ITSM tool experts (supported by the vendor), process experts, and a project manager to methodically step through the hundreds of parameters you will need to define before implementation.

Frank Trovato
Research Director, Infrastructure and Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

As with any large project, a key step is tackling it one bite at a time – but also understanding the size of the whole meal. This is where organizations often fail with ITSM implementations: not understanding upfront the volume of work required for a successful implementation.

Your Challenge

Organizations implementing a new ITSM tool often face these pitfalls:

• Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project but also a process improvement opportunity. You will need to configure ITSM parameters and workflows in the new tool – which directly affects processes. Take advantage of that opportunity to fix pain points. For example, if your existing ticket categories are not effective, implement a better categorization scheme rather than just configure the same old, ineffective scheme.
• Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool but they will not fix your processes for you. On installation day, if you are not prepared with the categories, ticket templates, and so on that you wish to configure, your vendor will just go with the default or migrate your old parameters from your old ITSM tool.
• Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment. That takes planning and must be defined well before the vendor is ready to implement your tool.
• Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

A survey of implementation challenges for ServiceNow’s customers

26% Resistance to change

43% Lacked a clear roadmap

38% Planning for resources

Source: Acorio, 2019

Info-Tech’s approach

Divide the implementation project into controllable phases for an effective implementation.

STOP: Use this blueprint after you have selected an ITSM solution

Leverage our SoftwareReviews service and related blueprints to assist with ITSM tool selection, and then use this blueprint to plan the implementation.

Info-Tech’s methodology to build an ITSM Tool Implementation Plan

Insight summary

Blueprint deliverables

This blueprint includes tools and templates to help you accomplish your goals:

ITSM Tool Implementation Checklist Identify the most common decisions you will need to make and prepare for your implementation project.	ITSM Tool Project Charter Template Review and edit the template to suit your project requirements
	ITSM Tool Deployment Plan Template Prioritize and prepare tool rollout plan
	ITSM Tool Training Schedule Use the checklist to create your new tool training roadmap

Blueprint benefits

Measured value from using this blueprint

Use this guide as an example to calculate your total cost savings from the ITSM tool implementation project.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 6 to 8 calls over the course of 3 to 6 months.

Phase 1

Identify Stakeholders, Scope, and Preliminary Timeline

This phase will walk you through the following steps:

1. Define scope
2. Define roles and responsibilities
3. Identify preliminary timeline

Step 1.1

Define scope

Activities

This step will walk you through the following activities:

• Define the scope of the implementation project
• Establish the future processes and functionalities the tool will support

This step involves the following participants:

• CIO
• IT Director/Manager
• Service Manager
• Project Manager and the project team

Outcomes of this step

• Specifying the implementation project
• Identifying the business units that are needed to support the project
• Defining the ongoing and future service management processes the tool will support

1.1.1 Use the Project Charter Template to capture scope, stakeholders, and timeline as outlined in Phase 1

Follow the instructions in Phase 1 (step 1.1, 1.2, and 1.3) to gather information needed to create a project charter to define project parameters.

Specific subsections are listed below and described in more detail in the remainder of this phase.

1. Project Overview: Includes deliverables, scope, milestones, and success metrics.
2. Governance and Management: Includes roles, responsibilities, and resource requirements.
3. Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies as well as any assumptions and constraints.
4. Project Sign-Off: Includes IT and executive sign-off (if required).

Download the ITSM Tool Implementation Project Charter Template

1.1.2 Leverage the Implementation Checklist to guide your preparation

The checklist tabs align to each phase of this blueprint.

• Phase 1 (Tab 1) – Identify Stakeholders, Scope, and Preliminary Timeline
• Phase 2 (Tab 2) – Prepare to Implement Incident Management and Service Request Modules
• Phase 3 (Tabs 3+4) – Prepare to Implement Additional ITSM Modules (e.g. Change Management)
• Phase 4 (deployment section in each tab) – Create a Deployment Plan (Communication, Training, Rollout)

Download the ITSM Tool Implementation Checklist

1.1.3 Review goals that drove the ITSM tool purchase

Identify the triggers for the selection and implementation of your new ITSM tool.

Whether this is your first ITSM tool or a replacement for your old tool, the project was likely triggered by pain points that must be addressed by the new tool to improve your service desk. Having a clear understanding of these pain points throughout the implementation of your new tool will help to prevent them from reoccurring.

Common ITSM pain points include:

1. Poor communication with end users on ticket status.
2. Lack of SLA automation to escalate issues to the appropriate channels.
3. Poor self-service options for end users to perform simple requests on their own.
4. Undeveloped knowledgebase for users to find answers to common issues.
5. Lack of reporting or mistrust in reporting data.
6. Lack of automation, including ticket templates.
7. Overcomplicated ticket categories resulting in categories being misused.
8. Overconfiguration prevents future upgrades.
9. Lack of integration with other tools.

If you haven't already selected an ITSM tool, leverage the IT Service Management Selection Guide to select the right tool.

Download the IT Service Management Selection Guide

1.1.4 Plan to interview staff to support organizational change management

Identify challenges with the existing tool and processes as well as potential objections to the new tool.

Incorporate this feedback in the implementation to drive buy-in and a successful rollout.

Implementing a new ITSM tool will force changes in how IT staff do their work:

• At a minimum, it means learning a new interface.
• It could also mean leveraging features that improve IT operations but could change the process or tasks for the staff.
• Their input on the current tool and process challenges can be critical for the project.
• Solving at least some of their challenges can help bring them onboard to use this tool properly and follow associated process changes.

Info-Tech Insight

Keep management in the loop through every stage of the implementation process. They are the ones who are paying for the software, so they need to be informed throughout implementation and feel that their needs and feedback are being heard to prevent pushback further into the implementation.

1.1.5 Identify the modules and features you will plan to implement

Consider these factors when deciding what modules and features you want to implement:

• Specific ITSM modules based on the recommended order and any unique business requirements
• Key features that drove the tool purchase and address key issues
• High-level process changes needed to address challenges and realize expected benefits from the new ITSM tool (e.g. if a key goal was automated ticket routing based on categories, then the project needs to include developing a good categorization scheme)

Recommended order for implementation:

1. Incident Management and Service Request

This is the core of service management and typically has the highest impact on the organization. Include knowledgebase development as part of this implementation.

2. Change Management

A foundational component of service management, it allows organizations to minimize disruptions to IT services when making changes to services and critical systems.

3. Asset Management

A foundational component of service management, it allows organizations to track their assets’ locations, how they are used, and when changes are made to them.

1.1.6 Determine if data migration is required

If you are switching from a previous ITSM tool, carefully weigh the pros and cons as well as the necessity of migrating historical transactional data before deciding to import it into the new tool.

Importing your old transactional data will allow you to track metrics over time, which can be valuable for data analysis and reporting purposes.

However, ask yourself what the true value of your data is before you import it.

You will not get value out of migrating the old data if:

• You have incomplete or inaccurate data (a high percentage of incidents did not have tickets created in the old system).
• The categorization of your old tickets was not useful or was used inconsistently.
• You plan on changing the ticket categorization in the new system.

“Don’t debate whether you can import your old data until you’ve made sure that you should.”

– Barry Cousins, Practice Lead at Info-Tech Research Group

Info-Tech Insight

If you decide to migrate your data, keep in mind that it can be a complex process and proper time should be budgeted for planning, structuring the data, and importing and testing it.

Step 1.2

Define roles and responsibilities

Activities

This step involves the following participants:

• CIO
• IT Director/Manager
• Service Manager
• Project Manager and the project team

Outcomes of this step

• Decision on whether to hire professional services for the implementation
• Clearly defined roles and responsibilities for the project

1.2.1 Identify key internal roles and responsibilities

Review the tasks outlined in the Implementation Checklist to help you identify appropriate roles and specific staff that will be needed to execute this project.

RACI = Responsible, Accountable, Consulted, and Informed

Assign individuals to roles through each step of the implementation project in the governance and management chart in the Project Charter Template.

Download the Project Charter Template

1.2.2 Key external roles and responsibilities

Determine whether you will engage professional services for the implementation.

Step 1.3

Identify preliminary timeline

Activities

This step involves the following participants:

• CIO
• IT Director/Manager
• Service Manager
• Project Manager and the project team

Outcomes of this step

• Specifying the target dates for the implementation project

1.3.1 Identify preliminary internal target dates

Identify high-level start and end dates based on the following:

• Existing process maturity
• Process changes required (to address process issues or to realize targeted benefits from the new tool)
• Data migration requirements (if any)
• Information to prepare for the implementation (review the Checklist Tool)
• Vendor availability to support implementation
• Executive mandates that have established specific milestone dates

Create an initial project schedule:

• Review the remaining phases of this blueprint for more details on the implementation planning steps.
• Review and update the Checklist Tool to suit your implementation goals and requirements.
• Assign task owners and target dates in the Checklist Tool.

Note: This is a preliminary schedule. Monitor progress as well as requirement changes, and adjust the scope or schedule as needed.

Update the columns in the Checklist Tool to plan and keep track of your implementation project.

1.3.2 Identify target dates for vendor involvement

Plan when you'll be ready for the vendor and identify the key points for when the vendor will come in.

Are dates already scheduled for tool installation/configuration/customization?

If yes:

• Clarify vendor expectations for those target dates (i.e. what do you have to have prepared in advance?).
• Determine options to adjust dates if needed.

If no:

• Defer scheduling until you have reviewed and updated the Implementation Checklist. The checklist will help you determine your readiness for vendor involvement.

Consider if the vendor will implement the ITSM tool in one go or if they will help setup the tool in stages. Keep in mind that ITSM implementation projects typically take anywhere from 9 weeks to 16 months and plan accordingly depending on the maturity of your processes and the modules and features you plan to implement.

Use your internal target dates to estimate when you'll be ready for the vendor to set up the tool and implement the setting that you've defined.

Phase 2

Prepare to Implement Incident Management and Service Request Modules

This phase will walk you through the following steps:

• Review your existing solution and challenges
• Plan ticket management and workflow implementation
• Plan data migration, knowledgebase setup, and integrations
• Plan the module rollout

Additional Info-Tech Research

The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in these blueprints.

Standardize the Service Desk

Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

Optimize the Service Desk With a Shift-Left Strategy

Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

Incident and Problem Management

Develop a critical incident management workflow and create standard operating procedures for problem management.

Step 2.1

Review your existing solution and challenges

Activities

This step involves the following participants:

1. Service Manager and Service Desk Team
2. Project Manager and Core Project Team
3. Subject Matter Experts and Tool Administrator, if applicable

2.1.1 Configure your tool, don’t customize it

Your tool may require at least some basic configurations to align with your processes, but in most cases customization of the tool is not recommended.

Case Study

Consider the consequences of over-customizing your solution.

INDUSTRY: Education

SOURCE: IT Director

2.1.2 Review your existing process to identify opportunities for improvement

Documenting your existing processes is an effective method for also reviewing those processes and identifying inefficiencies. Take advantage of this project to fix your process issues.

1. Document your existing workflows for incident management and service requests.
2. Review your workflows to identify opportunities to optimize through process refinement (e.g. clarifying escalation guidelines) or by leveraging features in your new ITSM tool (e.g. improved workflow automation).
3. Similarly, review the challenges identified through stakeholder interviews: is there an opportunity address those challenges through process changes or leveraging your new ITSM tool?
4. Address those challenge and issues as you execute the tasks outlined in the Implementation Checklist Tool. For example, if inconsistent ticket routing was identified as a challenge due to a vague categorization scheme, that’s a driver to review and update your scheme rather than just carry forward your existing scheme.

Regardless of your existing ITSM maturity, this is an opportunity to review and optimize existing processes. Even the most-mature organizations can typically find an area to improve.

Case Study

Reviewing and defining processes before the implementation can be a project in itself.

INDUSTRY: Defense

SOURCE: Anonymous

Step 2.2

Plan ticket management and workflow implementation

Activities

This step involves the following participants:

1. Service Manager and Service Desk Team
2. Project Manager and Core Project Team
3. Subject Matter Experts and Tool Administrator, if applicable

Outcomes of this step

Tool is designed and configured to support service desk processes and organization needs.

Checklist overview

The ITSM Tool Implementation Checklist will help you estimate resources required to support demand, based on your ticket volume.

TAB 2	TAB 3	TAB 4
Incident and Service Modules Checklist	Change Management Modules	Asset Management Modules

How to follow this section:

The following slides contain a table that explains why each task in the module matters and what needs to be considered. Complete the checklist modules referring to this section.

2.2.1 Define ticket classification values

Ticket classification improves reporting, workflow automation, and problem identification.

Review your existing ticket classification values to identify what to carry forward, drop, or change. For example, if your categorization scheme has become too complex, this is your opportunity to fix it; don’t perpetuate ineffective classification in the new tool.

2.2.2 Define ticket templates for common incident types and service requests

Ticket templates are the backbone of automation. A common complaint is that tickets take too much time. However, a little planning can reduce the time it takes to create a ticket to less than a minute.