Hire or Develop a World-Class CISO

Find a strategic and security-focused champion for your business.

Analyst Perspective

Create a plan to become the security leader of tomorrow

The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.

A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

Cameron Smith
Research Lead, Security & Privacy
Info-Tech Research Group

Executive Summary

Info-Tech Insight
The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Your challenge

This Info-Tech blueprint will help you hire and develop a strategic CISO

• Security without strategy is a hacker’s paradise.
• The outdated model of information security is tactical, where security acts as a watchdog and responds.
• The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Around one in five organizations don’t have an individual with the sole responsibility for security¹

¹ Navisite

Info-Tech Insight
Assigning security responsibilities to departments other than security can lead to conflicts of interest.

Common obstacles

It can be difficult to find the right CISO for your organization

• The smaller the organization, the less likely it will have a CISO or equivalent position.
• Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
• It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

Source: Navisite

Only 36% of small businesses have a CISO (or equivalent position).

48% of mid-sized businesses have a CISO.

90% of large organizations have a CISO.

Source: Navisite

Strategic versus tactical

CISOs should provide leadership based on a strategic vision ¹

¹ Journal of Computer Science and Information Technology

Info-Tech has identified three key behaviors of the world-class CISO

To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

Align

Aligning security enablement with business requirements

Enable

Enabling a culture of risk management

Manage

Managing talent and change

Info-Tech Insight
Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

Info-Tech’s approach

Info-Tech’s methodology to Develop or Hire a World-Class CISO

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

CISO Core Competency Evaluation Tool

Assess the competency levels of a current or prospective CISO and identify areas for improvement.

Stakeholder Power Map Template

Visualize the importance of various stakeholders and their concerns.

Stakeholder Management Strategy Template

Document a plan to manage stakeholders and track actions.

Key deliverable:

CISO Development Plan Template

The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

Strategic competencies will benefit the organization and the CISO

Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

Measured value of a world-class CISO

Organizations with a CISO saw an average of $145,000 less in data breach costs.¹

However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

Organizations invest a median of around $375,000 annually in their CISO.² The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

¹ IBM Security
² Heidrick & Struggles International, Inc.

Case Study

In the middle of difficulty lies opportunity

SOURCE
Kyle Kennedy
CISO, CyberSN.com

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 10 calls over the course of 3 to 6 months.

Phase 1

Launch

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Review and understand the core competencies of a world-class CISO.
• Launch your diagnostic survey.
• Evaluate current business satisfaction with IT security.
• Determine the competencies that are valuable to your IT security program’s needs.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

An organization hires a new Information Security Manager into a static and well-established IT department.

Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

Follow this case study throughout the deck to see this organization’s results

Step 1.1

Understand the Core Competencies of a World-Class CISO

Activities

Review core competencies the security leader must develop to become a strategic business partner

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step
Analysis and understanding of the eight strategic CISO competencies required to become a business partner

Launch

Core competencies

Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

< 1 hour

Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

1.1 Understand the core competencies (continued)

1.1 Understand the core competencies (continued)

1.1 Understand the core competencies (continued)

Step 1.2

Evaluate satisfaction and alignment between the business and IT security

Activities

• Conduct the Information Security Business Satisfaction and Alignment diagnostic
• Use your results as input into the CISO Core Competency Evaluation Tool

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step
Determine current gaps in satisfaction and alignment between information security and your organization.

If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.

If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.

For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.

Launch

1.2 Get started by conducting Info-Tech’s Information Security Business Satisfaction and Alignment diagnostic

The primary goal of IT security is to protect the organization from threats. This does not simply mean bolting everything down, but it means enabling business processes securely. To do this effectively requires alignment between IT security and the overall business.

• Once you have completed the diagnostic, call Info-Tech to review your results with one of our analysts.
• The results from this assessment will provide insights to inform your entries in the CISO Core Competency Evaluation Tool.

Call an analyst to review your results and provide you with recommendations.

Info-Tech Insight
Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

• Your diagnostic results will indicate where your information security program is aligned well or poorly with your business.
• For example, the diagnostic may show significant misalignment between information security and executives over the level of external compliance. The CISO behavior that would contribute to solving this is aligning security enablement with business requirements.
  • This misalignment may be due to a misunderstanding by either party. The competencies that will contribute to resolving this are communication, technical knowledge, and business acumen.
  • This mapping method is what will be used to determine which competencies are most important for your needs at the present moment.

Download the CISO Core Competency Evaluation Tool

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

1. Starting on Tab 2: CISO Core Competencies, use your understanding of each competency from section 1.1 along with the definitions described in the tool.
   • For each competency, assign a degree of importance using the drop-down menu in the second column from the right.
   • Importance ratings will range from not at all important at the low end to critically important at the high end.
   • Your importance score will be influenced by several factors, including:
     • The current alignment of your information security department.
     • Your organizational security posture.
     • The size and structure of your organization.
     • The existing skills and maturity within your information security department.

Download the CISO Core Competency Evaluation Tool

1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

2. Still on Tab 2. CISO Core Competencies, you will now assign a current level of effectiveness for each competency.
   • This will range from foundational at a low level of effectiveness up to capable, then inspirational, and at the highest rating, transformational.
   • Again, this rating will be very specific to your organization, depending on your structure and your current employees.
   • Fundamentally, these scores will reflect what you want to improve in the area of information security. This is not an absolute scale, and it will be influenced by what skills you want to support your goals and direction as an organization.

Download the CISO Core Competency Evaluation Tool

Phase 2

Assess

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Use the CISO Core Competency Evaluation Tool to create and implement an interview guide.
• Assess and analyze the core competencies of your prospective CISOs. Or, if you are a current CISO, use the CISO Core Competency Evaluation Tool as a self-analysis and identify areas for personal development.
• Evaluate the influence, impact, and support of key executive business stakeholders using the CISO Stakeholder Power Map Template.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager engages with employees to learn the culture.

Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.

Follow this case study throughout the deck to see this organization’s results

Step 2.1

Identify key stakeholders for the CISO and assess current relationships

Activities

Evaluate the power, impact, and support of key stakeholders

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Power map of executive business stakeholders
• Evaluation of each stakeholder in terms of influence, impact, and current level of support

Assess

Identify key stakeholders who own business processes that intersect with security processes

Info-Tech Insight
Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.

The above insight has two implications:

1. The CISO needs to understand the key business processes and who owns them, because these are the people they will need to collaborate with. Like any C-level, the CISO should be one of the most knowledgeable people in the organization regarding business processes.
2. Each of these stakeholders stands to win or lose depending on the performance of their process, and they can act to either block or enable your progress.
   • To work effectively with these stakeholders, you must learn what is important to them, and pose your initiatives so that you both benefit.

When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.

You need to be involved from the start … from the earliest part of planning.

The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”

The CISO needs to be the enabling security asset that drives business.

– Elliot Lewis, CEO at Keyavi Data

Evaluate the importance of business stakeholders and the support necessary from them

The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.

At a glance, this tool should show:

• How influential each stakeholder is within the company.
• How supportive they currently are of the CISO’s initiatives.
• How strongly each person is impacted by IT security activities.

Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.

Download the CISO Stakeholder Power Map Template

Evaluate the importance of business stakeholders and the support necessary from them

1. Identify key stakeholders.
   1. Focus on owners of important business processes.
2. Evaluate and map each stakeholder in terms of:
   1. Influence (up/down)
   2. Support (left/right)
   3. Impact (size of circle)
   4. Involvement (color of circle)
3. Decide whether the level of support from each stakeholder needs to change to facilitate success.

Info-Tech Insight
Some stakeholders must work closely with your incoming CISO. It is worth consideration to include these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.

Where can you find your desired CISO?

Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.

Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.

Use the CISO job description template

Alternatives to hiring a CISO

Small organizations are less able to muster the resources required to find and retain a CISO,

Why would an organization consider a vCISO?

• A vCISO can provide services that are flexible, technical, and strategic and that are based on the specific requirements of the organization.
• They can provide a small organization with program maturation within the organization’s resources.
• They can typically offer depth of experience beyond what a small business could afford if it were to pursue a full-time CISO.

Source: InfoSec Insights by Sectigo Store

Why would an organization not consider a vCISO?

• The vCISO’s attention is divided among their other clients.
• They won’t feel like a member of your organization.
• They won’t have a deep understanding of your systems and processes.

Source: Georgia State University

Step 2.2

Assess CISO candidates and evaluate their current competency

Activities

Assess CISO candidates in terms of desired core competencies

or

Self-assess your personal core competencies

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO

or

• Current CISO seeking to upgrade capabilities

and

• Any key stakeholders or collaborators you choose to include in the assessment process

Outcomes of this step

• You have assessed your requirements for a CISO candidate.
• The process of hiring is under way, and you have decided whether to hire a CISO, develop a CISO, or consider a Counselor Seat as another option.

Assess

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

Download the CISO Core Competency Evaluation Tool

Info-Tech Insight
The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.

Your first pass on this tool will be to look at internal candidates. This is the develop a CISO option.

1. In the previous phase, you rated the Importance and Current Effectiveness for each competency in Tab 2. CISO Core Competencies. In this step, use Tab 3. Gap Analysis to enter a Minimum Level and a Desired Level for each competency. Keep in mind that it may be unrealistic to expect a candidate to be fully developed in all aspects.
2. Next, enter a rating for your candidate of interest for each of the eight competencies.
3. This scorecard will generate an overall suitability score for the candidate. The color of the output (from red to green) indicates the suitability, and the intensity of the color indicates the importance you assigned to that competency.

Download the CISO Core Competency Evaluation Tool

2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

• If the internal search does not identify a suitable candidate, you will want to expand your search.
• Repeat the scoring process for external candidates until you find your new CISO.
• You may want to skip your external search altogether and instead contact Info-Tech for more information on our Counselor Seat options.

Download the CISO Core Competency Evaluation Tool

Phase 3

Plan

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Create a plan to develop your competency gaps.
• Construct and consider your organizational model.
• Create plan to cultivate key stakeholder relationships.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager changes the security culture by understanding what is meaningful to employees.

Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.

Follow this case study throughout the deck to see this organization’s results

Step 3.1

Identify resources for your CISO to remediate competency gaps

Activities

Create a plan to remediate competency gaps

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Identification of core competency deficiencies
• A plan to close the gaps

Plan

3.1 Close competency gaps with Info-Tech’s Cybersecurity Workforce Development Training

Resources to close competency gaps

Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.

The program builds critical skills through:

• Standardized curriculum with flexible projects tailored to business needs
• Realistic cyber range scenarios
• Ready-to-deploy security deliverables
• Real assurance of skill development

Info-Tech Insight
Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.

Learn more on the Cybersecurity Workforce Development webpage

3.1 Identify resources for your CISO to remediate competency gaps

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

Info-Tech Insight
Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Identify resources for your CISO to remediate competency gaps (continued)

< 2 hours

3.1 Create the CISO’s personal development plan

• Use Info-Tech’s CISO Development Plan Template to document key initiatives that will close previously identified competency gaps.
• The CISO Development Plan Template is used to map specific actions and time frames for competency development, with the goal of addressing competency gaps and helping you become a world-class CISO. This template can be used to document:
  • Core competency gaps
  • Security process gaps
  • Security technology gaps
  • Any other career/development goals
• If you have a coach or mentor, you should share your plan and report progress to that person. Alternatively, call Info-Tech to speak with an executive advisor for support and advice.
  • Toll-Free: 1-888-670-8889

What you will need to complete this exercise

• CISO Core Competency Evaluation Tool results
• Information Security Business Satisfaction and Alignment diagnostic results
• Insights gathered from business stakeholder interviews

Step 3.2

Plan an approach to improve your relationships

Activities

• Review engagement strategies for different stakeholder types
• Create a stakeholder relationship development plan

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

• Stakeholder relationship strategy deliverable

Plan

Where should the CISO sit?

Where the CISO sits in the organization can have a big impact on the security program.

• Organizations with CISOs in the C-suite have a fewer security incidents.¹
• Organizations with CISOs in the C-suite generally have better IT ability.¹
• An organization whose CISO reports to the CIO risks conflict of interest.¹
• 51% of CISOs believe their effectiveness can be hampered by reporting lines.²
• Only half of CISOs feel like they are in a position to succeed.²

A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.

Who the CISO reports to, by percentage of organizations³

Download the Implement a Security Governance and Management Program blueprint

1. Journal of Computer Science and Information
2. Proofpoint
3. Heidrick & Struggles International, Inc

3.2 Make a plan to manage your key stakeholders

Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.

When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.

I don’t want to be the “No” guy, I want to enable the business. I want to find to secure options and say, “Here is how we can do this.”

– James Miller, Information Security Director, Xavier University

Download the CISO Stakeholder Management Strategy Template

Key players – Engage

Info-Tech Insight
Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.

Mediators – Satisfy

Info-Tech Insight
Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.

Noisemakers – Inform

Spectators – Monitor

3.2 Create the CISO’s stakeholder management strategy

Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.

• The purpose of the CISO Stakeholder Management Strategy Template is to document the results of the power mapping exercise, create a plan to proactively manage stakeholders, and track the actions taken.
• Use this in concert with Info-Tech’s CISO Stakeholder Power Map Template to help visualize the importance of key stakeholders to your personal development. You will document:
  • Stakeholder role and type.
  • Current relationship with the stakeholder.
  • Level of power/influence and degree of impact.
  • Current and desired level of support.
  • Initiatives that require the stakeholder’s engagement.
  • Actions to be taken – along with the status and results.

What you will need to complete this exercise

• Completed CISO Stakeholder Power Map
• Security Business Satisfaction and Alignment Diagnostic results

Download the CISO Stakeholder Management Strategy Template

Phase 4

Execute

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

• Populate the CISO Development Plan Template with appropriate targets and due dates.
• Set review and reassess dates.
• Review due dates with CISO.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

The new Security Manager leverages successful cultural change to gain support for new security investments.

Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.

Step 4.1

Decide next actions and support your CISO moving forward

Activities

• Complete the Info-Tech CISO Development Plan Template
• Create a stakeholder relationship development plan

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

Next actions for each of your development initiatives

Execute

Establish a set of first actions to set your plan into motion

The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.

• By this point, the CISO is working on the personal competency development while simultaneously overseeing improvements across the security program, managing stakeholders, and seeking new business initiatives to engage with. This can be a lot to juggle effectively.
• Disparate initiatives like these can hinder progress by creating confusion.
• By distilling your plan down to Subject > Action > Outcome, you immediately restore focus and turn your plans into actionable items.
• The outcome is most valuable when it is measurable. This makes progress (or lack of it) very easy to track and assess, so choose a meaningful metric.

Download the CISO Development Plan Template

4.1 Create a CISO development plan to keep all your objectives in one place

Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:

Info-Tech Insight
A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
“Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.

4.1 Create a CISO development plan to keep all your objectives in one place

Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.

The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.

You may also want to include improvements to the organization’s security program as part of the CISO development plan.

Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program

4.1 Use your action plan to track development progress and inform stakeholders

• As you progress toward your goals, continually update the CISO development plan. It is meant to be a living document.
• The Next Action Required should be updated regularly as you make progress so you can quickly jump in and take meaningful actions without having to reassess your position every time you open the plan. This is a simple but very powerful method.
• To view your initiatives in customizable ways, you can use the drop-down menu on any column header to sort your initiatives (i.e. by due date, completed status, area for development). This allows you to quickly and easily see a variety of perspectives on your progress and enables you to bring upcoming or incomplete projects right to the top.

Step 4.2

Regularly reassess to track development and progress

Activities

Create a calendar event for you and your CISO, including which items you will reassess and when

This step involves the following participants:

• CEO or other executive seeking to hire/develop a CISO
• The newly hired CISO

or

• Current CISO seeking to upgrade capabilities

Outcomes of this step

Scheduled reassessment of the CISO’s competencies

Execute

4.2 Regularly evaluate your CISO’s progress

< 1 day

As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.

Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).

1. Sit down and re-evaluate your CISO core competencies using the CISO Core Competency Evaluation Tool.
2. Analyze your relationships using the CISO Stakeholder Power Map Template.
3. Compare all of these against your previous results to see what areas you have strengthened and decide if you need to focus on a different area now.
4. Consider your CISO Development Plan Template and decide whether you have achieved your desired outcomes. If not, why?
5. Schedule your next reassessment, then create a new plan for the upcoming quarter and get started.

Summary of Accomplishment

Knowledge Gained

• Understanding of the competencies contributing to a successful CISO
• Strategic approach to integrate the CISO into the organization
• View of various CISO functions from a variety of business and executive perspectives, rather than just a security view

Process Optimized

• Hiring of the CISO
• Assessment and development of stakeholder relationships for the CISO
• Broad planning for CISO development

Deliverables Completed

• IT Security Business Satisfaction and Alignment Diagnostic
• CISO Core Competency Evaluation Tool
• CISO Stakeholder Power Map Template
• CISO Stakeholder Management Strategy Template
• CISO Development Plan Template

If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation

Contact your account representative for more information

workshop@infotech.com
1-888-670-8889

Related Info-Tech Research

Build an Information Security Strategy
Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.

The First 100 Days as CISO
Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.

Implement a Security Governance and Management Program
Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.

Research Contributors

• Mark Lester, Information Security Manager, South Carolina State Ports Authority
• Kyle Kennedy, CISO, CyberSN.com
• James Miller, Information Security Director, Xavier University
• Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
• Andrew Maroun, Enterprise Security Lead, State of California
• Brian Bobo, VP Enterprise Security, Schneider National
• Candy Alexander, GRC Security Consultant, Towerall Inc.
• Chad Fulgham, Chairman, PerCredo
• Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
• Diane Kelly, Information Security Manager, Colorado State Judicial Branch
• Jeffrey Gardiner, CISO, Western University
• Joey LaCour, VP & Chief Security, Colonial Savings
• Karla Thomas, Director IT Global Security, Tower Automotive
• Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
• Lisa Davis, CEO, Vicinage
• Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
• Peter Clay, CISO, Qlik
• Robert Banniza, Senior Director IT Center Security, AMSURG
• Tim Tyndall, Systems Architect, Oregon State

Bibliography

Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.

Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey" Heidrick & Struggles International, Inc. September 6, 2022. Accessed 30 Sep. 2022.

IBM Security. "Cost of a Data Breach Report 2022" IBM. August 1, 2022. Accessed 9 Nov. 2022.

Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed Nov 22. 2022.

Milica, Lucia. “Proofpoint 2022 Voice of the CISO Report” Proofpoint. May 2022. Accessed 6 Oct. 2022.

Navisite. "The State of Cybersecurity Leadership and Readiness" Navisite. November 9, 2021. Accessed 9 Nov. 2022.

Shayo, Conrad, and Frank Lin. “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function” Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.

Applications Priorities 2023

Applications are the engine of the business: keep them relevant and modern

What we are facing today is transforming the ways in which we work, live, and relate to one another. Applications teams and portfolios MUST change to meet this reality.

Economic, social, and regulatory conditions have changed livelihoods, businesses, and marketplaces. Modern tools and technologies have acted as lifelines by minimizing operating and delivery costs, and in the process, establishing a strong foundation for growth and maturity.

As organizations continue to strengthen business continuity, disaster recovery, and system resilience, activities to simply "keep the lights on" are not enough. Be pragmatic in the prioritization and planning of your applications initiatives, and use your technologies as a foundation for your growth.

Your applications must meet the top business goals of your CXOs

• Ensure service continuity
• Improve customer experience
• Make data-driven decisions
• Maximize stakeholder value
• Manage risk

Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

Select and align your applications priorities to your business goals and objectives

Applications are critical components in any business strategic plan. They can directly influence an organization's internal and external brand and reputation, such as their:

• Uniqueness, competitiveness, and innovativeness in the industry.
• Ability to be dynamic, flexible, and responsive to changing expectations, business conditions, and technologies.

Therefore, business leaders are continuously looking for innovative ways to better position their application portfolios to satisfy their goals and objectives, i.e. applications priorities. Given the scope and costs often involved, these priorities must be carefully crafted to clearly state achievable business outcomes that satisfy
the different needs of very different customers, stakeholders, and users.

Today's business applications are good but leave room for improvement

72%
Average business application satisfaction score among IT leadership in 1582 organizations.

Source: CIO Business Vision, August 2021 to July 2022, N=190.

Five Applications Priorities for 2023

In this report, we explore five priorities for emerging and leading-edge technologies and practices that can improve on capabilities needed to meet the Ambitions of your organization.

Strengthen your foundations to better support your applications priorities

These key capabilities are imperative to the success of your applications strategy.

KPI and Metrics

Easily attainable and insightful measurements to gauge the progress of meeting strategic objectives and goals (KPIs), and the performance of individual teams, practices and processes (metrics).

BUSINESS ALIGNMENT

Gain an accurate understanding and interpretation of stakeholder, end-user, and customer expectations and priorities. These define the success of business products and services considering the priorities of individual business units and teams.

EFFICIENT DELIVERY & SUPPORT PRACTICE

Software delivery and support roles, processes, and tools are collaborative, well equipped and resourced, and optimized to meet changing stakeholder expectations.

Data Management & Governance

Ensuring data is continuously reliable and trustworthy. Data structure and integrations are defined, governed, and monitored.

Product & Service Ownership

Complete inventory and rationalization of the product and service portfolio, prioritized backlogs, roadmaps, and clear product and service ownership with good governance. This helps ensure this portfolio is optimized to meet its goals and objectives.

Strengthen your foundations to better support your applications priorities (cont'd)

These key capabilities are imperative to the success of your applications strategy.

Organizational Change Management

Manage the adoption of new and modified processes and technologies considering reputational, human, and operational concerns.

IT Operational Management

Continuous monitoring and upkeep of products and services to assure business continuity, and system reliability, robustness and disaster recovery.

Architectural Framework

A set of principles and standards that guides the consistent, sustainable and scalable growth of enterprise technologies. Changes to the architecture are made in collaboration with affected parties, such as security and infrastructure.

Application Security

The measures, controls, and tactics at the application layer that prevent vulnerabilities against external and internal threats and ensure compliance to industry and regulatory security frameworks and standards.

There are many factors that can stand in your team's way

Expectations on your applications team have increased, while the gap between how stakeholders and applications teams perceive effectiveness remains wide. This points to a need to clarify the requirements to deliver valuable and quality applications and address the pressures challenging your teams.

1. Attracting and retaining talent
2. Maximizing the return on technology
3. Confidently shifting to digital
4. Addressing competing priorities
5. Fostering a collaborative culture
6. Creating high-throughput teams

CIOs agree that at least some improvement is needed across key IT activities

Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022, n=568.

Pressure Point 1:
Attracting and Retaining Talent

Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

Address the underlying challenges

• Lack of employee empowerment and few opportunities for learning and development.
• Poor coworker and manager relationships.
• Compensation and benefits are inadequate to maintain desired quality of life.
• Unproductive work environment and conflicting balance of work and life.
• Unsatisfactory employee experience, including lack of employee recognition
  and transparency of organizational change.

While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing.
62% of organizations reported increased working hours, while 80% reported an increase in flexibility.
Source: McLean & Company, 2022; n=394.

Be strategic in how you fill and train key IT skills and capabilities

• Cybersecurity
• Big Data/Analytics
• Technical Architecture
• DevOps
• Development
• Cloud

Source: Harvey Nash Group, 2021; n=2120.

Pressure Point 2:
Maximizing the Return of Technology

Recent environmental pressures impacted traditional working arrangements and showed more workplace flexibility is often possible. At the same time, many employees' expectations about how, when, and where they choose to work have also evolved. Recruitment and retention are reflections of different sides of the same employee value proposition coin. Organizations that fail to reinvent their approach to attracting and retaining talent by focusing on candidate and employee experience risk turnover, vacancies, and lost opportunities that can negatively impact the bottom line.

Address the underlying challenges

• Inability to analyze, propose, justify, and communicate modernization solutions in language the stakeholders understand and in a way that shows they clearly support business priorities and KPIs and mitigate risks.
• Little interest in documenting and rationalizing products and services through business-IT collaboration.
• Lack of internal knowledge of the system and loss of vendor support.
• Undefined, siloed product and service ownership and governance, preventing solutions from working together to collectively deliver more value.
• Little stakeholder appetite to invest in activities beyond "keeping the lights on."

Only 64% of applications were identified as effective by end users.
Effective applications are identified as at least highly important and have high feature and usability satisfaction.
Source: Application Portfolio Assessment, August 2021 to July 2022; N=315.

"Regardless of the many definitions of modernization floating around, the one characteristic that we should be striving for is to ensure our applications do an outstanding job of supporting the users and the business in the most effective and efficient manner possible."
Source: looksoftware.

Pressure Point 3:
Confidently Shifting to Digital

"Going digital" reshapes how the business operates and drives value by optimizing how digital and traditional technologies and tactics work together. This shift often presents significant business and technical risks to business processes, enterprise data, applications, and systems which stakeholders and teams are not aware of or prepared to accommodate.

Address the underlying challenges

• Differing perspectives on digital can lead to disjointed transformation initiatives, oversold benefits, and a lack of synergy among digital technologies and processes.
• Organizations have difficulty adapting to new technologies or rethinking current business models, processes, and ways of working because of the potential human, ethical, and reputational impacts and restrictions from legacy systems.
• Management lacks a framework to evaluate how their organization manages and governs business value delivery.
• IT is not equipped or resourced to address these rapidly changing business, customer, and technology needs.
• The wrong tools and technologies were chosen to support the shift to digital.

The shift to digital processes is starting, but slowly.
62% of respondents indicated that 1-20% of their processes were digitized during the past year.
Source: Tech Trends and Priorities 2023; N=500

Resistance to change and time/budget constraints are top barriers preventing companies from modernizing their applications.
Source: Konveyor, 2022; n=600.

Pressure Point 4:
Addressing Competing Priorities

Enterprise products and services are not used, operated, or branded in isolation. The various parties involved may have competing priorities, which often leads to disagreements on when certain business and technology changes should be made and how resources, budget, and other assets should be allocated. Without a broader product vision, portfolio vision, and roadmap, the various dependent or related products and services will not deliver the same level of value as if they were managed collectively.

Address the underlying challenges

• Undefined product and service ownership and governance, including escalation procedures when consensus cannot be reached.
• Lack of a unified and grounded set of value and quality definitions, guiding principles, prioritization standards, and broad visibility across portfolios, business capabilities, and business functions.
• Distrust between business units and IT teams, which leads to the scaling of unmanaged applications and fragmented changes and projects.
• Decisions are based on opinions and experiences without supporting data.

55% of CXOs stated some improvement is necessary in activities to understand business goals.
Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

CXOs are moderately satisfied with IT's performance as a business partner (average score of 69% among all CXOs). This sentiment is similarly felt among CIOs (64%).
Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.

Pressure Point 5:
Fostering a Collaborative Culture

Culture impacts business results, including bottom-line revenue and productivity metrics. Leaders appreciate the impact culture can have on applications initiatives and wish to leverage this. How culture translates from an abstract concept to something that is measurable and actionable is not straightforward. Executives need to clarify how the desired culture will help achieve their applications strategy and need to focus on the items that will have the most impact.

Address the underlying challenges

• Broad changes do not consider the unique subcultures, personalities, and behaviors of the various teams and individuals in the organization.
• Leaders mandate cultural changes without alleviating critical barriers and do not embody the principles of the target state.
• Bureaucracy and politics restrict changes and encourage the status quo.
• Industry standards, technologies, and frameworks do not support or cannot be tailored to fit the desired culture.
• Some teams are deliberately excluded from the scoping, planning, and execution of key product and service delivery and management activities.

Agile does not solve team culture challenges.
43% of organizations cited organizational culture as a significant barrier to adopting and scaling Agile practices.
Source: Digital.ai, 2021.

"Providing a great employee experience" as the second priority (after recruiting) highlights the emphasis organizations are placing on helping employees adjust after having been forced to change the way work gets done.
Source: McLean & Company, 2022; N=826.

Use your applications priorities to help address your pressure points

Success can be dependent on your ability to navigate around or alleviate your pressure points. Design and market your applications priorities to bring attention to your pressure points and position them as key risk factors to their success.

Digital Experience (DX)

PRIORITY 1

• Deliver Valuable User, Customer, Employee, and Brand Experiences

Delivering valuable digital experiences requires the adoption of good management, governance, and operational practices to accommodate stakeholder, employee, customer, and end-user expectations of digital experiences (e.g. product management, automation, and iterative delivery). Technologies are chosen based on what best enables, delivers, and supports these expectations.

Introduction

Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

What is digital experience (DX)?

Digital experience (DX) refers to the interaction between a user and an organization through digital products and services. Digital products and services are tools, systems, devices, and resources that gather, store, and process data; are continuously modernized; and embody eight key attributes that are described on the following slide. DX is broken down into four distinct perspectives*:

• Customer Experience – The immediate perceptions of transactions and interactions experienced through a customer's journey in the use of the organization's digital
  products and services.
• End-User Experience – Users' emotions, beliefs, and physical and psychological responses
  that occur before, during, or after interacting with a digital product or service.
• Brand Experience – The broader perceptions, emotions, thoughts, feelings and actions the public associate with the organization's brand and reputation or its products and services. Brand experience evolves over time as customers continuously engage with the brand.
• Employee Experience – The satisfaction and experience of an employee through their journey with the organization, from recruitment and hiring to their departure. How an employee embodies and promotes the organization brand and culture can affect their performance, trust, respect, and drive to innovate and optimize.

Digital products and services have a common set of attributes

Digital transformation is not just about new tools and technologies. It is also about delivering a valuable digital experience

• Digital products and services must keep pace with changing business and end-user needs as well as tightly supporting your maturing business model with continuous modernization. Focus your continuous modernization on the key characteristics that drive business value.
• Fit for purpose: Functionalities are designed and implemented for the purpose of satisfying the end user's needs and solving their problems.
• User-centric: End users see the product as rewarding, engaging, intuitive, and emotionally satisfying. They want to come back to it.
• Adaptable: The product can be quickly tailored to meet changing end-user and technology needs with reusable and customizable components.
• Accessible: The product is available on demand and on the end user's preferred interface.
  End users have a seamless experience across all devices.
• Private and secured: The end user's activity and data are protected from unauthorized access.
• Informative and insightful: The product delivers consumable, accurate, and trustworthy real-time data that is important to the end user.
• Seamless application connection: The product facilitates direct interactions with one or more other products through an uninterrupted user experience.
• Relationship and network building: The product enables and promotes the connection and interaction of people.

Signals

DX is critical for business growth and maturity, but the organization may not be ready

A good DX has become a key differentiator that gives organizations an advantage over their competition and peers. Shifts in working environments; employee, customer, and stakeholder expectations; and the advancements in modern technologies have raised the importance of adopting and transitioning to digital processes and tools to stay relevant and responsive to changing business and technology conditions.

Applications teams are critical to ensuring the successful delivery and operation of these digital processes and tools. However, they are often under-resourced and challenged to meet their DX goals.

• 7% of both business and IT respondents think IT has the resources needed to keep up with digital transformation initiatives and meet deadlines (Cyara, 2021).
• 43% of respondents said that the core barrier to digital transformation is a lack of skilled resources (Creatio, 2021).

	of organizations stated that at least 1% of processes were shifted from being manually completed to digitally completed in the last year. 29% of organizations stated at least 21% were shifted. Source: Tech Trends and Priorities 2023; N=500.
	of organizations recognized digital transformation is important for competitive advantage. 94% stated it is important to enhance customer experience, and 91% stated it will have a positive impact on revenue. Source: Cyara, 2021.

Drivers

Brand and reputation

Customers are swayed by the innovations and advancements in digital technologies and expect your applications team to deliver and support them. Your leaders recognize the importance of these expectations and are integrating them into their business strategy and brand (how the organization presents itself to its customers, employees and the public). They hope that their actions will improve and shape the company's reputation (public perception of the company) as effective, customer-focused, and forward-thinking.

Worker productivity

As you evolve and adopt more complex tools and technology, your stakeholders will expect more from business units and IT teams. Unfortunately, teams employing manual processes and legacy systems will struggle to meet these expectations. Digital products and services promote the simplification of complex operations and applications and help the business and your teams better align operational practices with strategic goals and deliver valuable DX.

Organization modernization

Legacy processes, systems, and ways of working are no longer suitable for meeting the strategic digital objectives and DX needs stakeholders expect. They drive up operational costs without increased benefits, impede business growth and innovation, and consume scarce budgets that could be used for other priorities. Shifting to digital tools and technologies will bring these challenges to light and demonstrate how modernization is an integral part of DX success.

Benefits & Risks

Benefits

• Flexibility & Satisfaction
• Adoption
• Reliability

Employees and customers can choose how they want to access, modify, and consume digital products and services. They can be tailored to meet the specific functional needs, behaviors, and habits of the end user.

The customer, end user, brand, and employee drive selection, design, and delivery of digital products and services. Even the most advanced technologies will fail if key roles do not see the value in their use.

Digital products and services are delivered with technical quality built into them, ensuring they meet the industry, regulatory, and company standards throughout their lifespan and in various conditions.

Risks

• Legacy & Lore
• Bureaucracy & Politics
• Process Inefficiencies
• No Quality Standards

Some stakeholders may not be willing to change due to their familiarity and comfort of business practices.

Competing and conflicting priorities of strategic products and services undermine digital transformation and broader modernization efforts.

Business processes are often burdened by wasteful activities. Digital products and services are only as valuable as the processes they support.

The performance and support of your digital products and services are hampered due to unmanageable technical debt because of a deliberate decision to bypass or omit quality good practices.

Address your pressure points to fully realize the benefits of this priority

Success can be dependent on your ability to address your pressure points.

Recommendations

Build a digital business strategy

A digital business strategy clearly articulates the goals and ambitions of the business to adopt digital practices, tools, and technologies. This document:

• Looks for ways to transform the business by identifying what technologies to embrace, what processes to automate, and what new business models to create.
• Unifies digital possibilities with your customer experiences.
• Establishes accountability with the executive leadership.
• States the importance of cross-functional participation from senior management across the organization.

Related Research:

• Define Your Digital Business Strategy

Learn, understand, and empathize with your users, employees, and customers

• To create a better product, solution, or service, understanding those who use it, their needs, and their context is critical.
• A great experience design practice can help you balance those goals so that they are in harmony with those of your users.
• IT leaders must find ways to understand the needs of the business and develop empathy on a much deeper level. This empathy is the foundation for a thriving business partnership.

Related Research:

• Apply Design Thinking to Build Empathy With the Business
• Implement and Mature Your User Experience Design Practice

Recommendations

Center product and service delivery decisions and activities on DX and quality

User, customer, employee, and brand are integral perspectives on the software development lifecycle (SDLC) and the management and governance practices supporting digital products and services. It ensures quality standards and controls are consistently upheld while maintaining alignment with various needs and priorities. The goal is to come to a consensus on a universal definition and approach to embed quality and DX-thinking throughout the delivery process.

Related Research:

• Modernize Your SDLC
• Make the Case for Product Delivery
• Build a Software Quality Assurance Program

Instill collaborative delivery practices

Today's rapidly scaling and increasingly complex digital products and services create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality. This pressure is further compounded by the competing priorities of individual stakeholders and the nuances among different personas of digital products and services.

A collaborative delivery practice sets the activities, channels, and relationships needed to deliver a valuable and quality product or service with cross-functional awareness, accountability, and agreement.

Related Research:

• Implement Agile Practices That Work
• Implement DevOps Practices That Work
• Build Your BizDevOps Playbook

Recommendations

Continuously monitor and modernize your digital products and services

Today's modern digital products and services are tomorrow's shelfware. They gradually lose their value, and the supporting technologies will become obsolete. Modernization is a continuous need.

Data-driven insights help decision makers decide which products and services to retire, upgrade, retrain on, or maintain to meet the demands of the business.

Enhancements focusing on critical business capabilities strengthen the case for investment and build trust with all stakeholders.

Related Research:

• Application Portfolio Assessment: End User Feedback
• Application Portfolio Management Foundations
• Modernize Your Applications

CASE STUDY
Mastercard in Asia

Focus on the customer journey

Chief Marketing Officer M.V. Rajamannar (Raja) wanted to change Mastercard's iconic "Priceless" ad campaign (with the slogan "There are some things money can't buy. For everything else there's Mastercard."). The main reasons were that the campaign relied on one-way communication and targeted end customers, even though Mastercard doesn't issue cards directly to customers; partner banks do. To drive the change in campaign, Raja and his team created a digital engine that leveraged digital and social media. Digital engine is a seven-step process based on insights gleaned from data and real-time optimization.

1. Emotional spark: Using data to understand customers' passion points, Mastercard builds videos and creatives to ignite an emotional spark and give customers a reason to engage. For example, weeks before New Year's Eve, Mastercard produced a video with Hugh Jackman to encourage customers to submit a story about someone who deeply mattered to them. The authors of the winning story would be flown to reunite with those both distant and dear.
2. Engagement: Mastercard targets the right audience with a spark video through social media to encourage customers to share their stories.
3. Offers: To help its partner banks and merchants in driving their business, the company identifies the best offers to match consumers' interests. In the above campaign, Mastercard's Asia-Pacific team found that Singapore was a favorite destination for Indian customers, so they partnered with Singapore's Resorts World Sentosa with an attractive offer.
4. Real-time optimization: Mastercard optimizes, in real time, a portfolio of several offers through A/B testing and other analysis.
5. Amplification: Real-time testing provides confidence to Mastercard about the potential success of these offers and encourages its bank and merchant partners to co-market and co-fund these campaigns.
6. Network effects: A few weeks after consumers submitted their stories about distant loved ones, Mastercard selected winners, produced videos of them surprising their friends and families, and used these videos in social media to encourage sharing.
7. Incremental transactions: These programs translate into incremental business for banks who issue cards, for merchants where customers spend money, and for Mastercard, which gets a portion of every transaction.

Source: Harvard Business Review Press

CASE STUDY
Mastercard in Asia (cont'd)

Focus on the customer journey

1. Emotional Spark
   Drives genuine personal stories
2. Engagement
   Through Facebook
   and social media
3. Offers
   From merchants
   and Mastercard assets
4. Optimization
   Real-time testing of offers and themes
5. Amplification
   Paid and organic programmatic buying
6. Network Effects
   Sharing and
   mass engagement
7. Incremental Transactions
   Win-win for all parties

CASE STUDY
Mastercard in Asia (cont'd)

The Mastercard case highlights important lessons on how to engage customers:

• Have a broad message. Brands need to connect with consumers over how they live and spend their time. Organizations need to go beyond the brand or product message to become more relevant to consumers' lives. Dove soap was very successful in creating a conversation among consumers with its "Real Beauty" campaign, which focused not on the brand or even the product category, but on how women and society view beauty.
• Shift from storytelling to story making. To break through the clutter of advertising, companies need to move from storytelling to story making. A broader message that is emotionally engaging allows for a two-way conversation.
• Be consistent with the brand value. The brand needs to stand for something, and the content should be relevant to and consistent with the image of the brand. Pepsi announced an award of $20 million in grants to individuals, businesses, and nonprofits that promote a new idea to make a positive impact on community. A large number of submissions were about social causes that had nothing to do with Pepsi, and some, like reducing obesity, were in conflict with Pepsi's product.
• Create engagement that drives business. Too much entertainment in ads may engage customers but detract from both communicating the brand message and increasing sales. Simply measuring the number of video views provides only a partial picture of a program's success.

Intelligent Automation

PRIORITY 2

• Extend Automation Practices with AI and ML

AI and ML are rapidly growing. Organizations see the value of machines intelligently executing high-performance and dynamic tasks such as driving cars and detecting fraud. Senior leaders see AI and ML as opportunities to extend their business process automation investments.

Introduction

Intelligent automation is the next step in your business process automation journey

What is intelligent automation (IA)?

Intelligent automation (IA) is the combination of traditional automation technologies, such as business process management (BPM) and robotic process automation (RPA), with AI and ML. The goal is to further streamline and scale decision making across various business processes by:

• Removing human interactions.
• Addressing decisions that involve complex variables.
• Automatically adapting processes to changing conditions.
• Bridging disparate automation technologies into an integrated end-to-end value delivery pipeline.

"For IA to succeed, employees must be involved in the transformation journey so they can experience firsthand the benefits of a new way of working and creating business value," (Cognizant).

What is the difference between IA and hyperautomation?

"Hyperautomation is the act of automating everything in an organization that can be automated. The intent is to streamline processes across an organization using intelligent automation, which includes AI, RPA and other technologies, to run without human intervention. … Hyperautomation is a business-driven, disciplined approach that organizations use to rapidly identify, vet, and automate as many business and IT processes as possible" (IBM, 2021).

Note that hyperautomation often enables IA, but teams solely adopting IA do not need to abide to its automation-first principles.

IA is a combination of various tools and technologies

What tools and technologies are involved in IA?

• Artificial intelligence (AI) & Machine Learning (ML) – AI systems perform tasks mimicking human intelligence such as learning from experience and problem solving. AI is making its own decisions without human intervention. Machine learning systems learn from experience and without explicit instructions. They learn patterns from data then analyze and make predictions based on past behavior and the patterns learned. AI is a combination of technologies and can include machine learning.
• Intelligent Business Process Management System (iBPMS) – Combination of BPM tools with AI and other intelligence capabilities.
• Robotic Process Automation (RPA) – Robots leveraging an application's UI rather than programmatic access. Automate rules-based, repetitive tasks performed by human workers with AI/ML.
• Process Mining & Discovery – Process mining involves reading system event logs and application transactions and applying algorithmic analysis to automatically identify and map inferred business processes. Process discovery involves unintrusive virtual agents that sit on a user's desktop and record and monitor how they interact with applications to perform tasks and processes. Algorithms are then used to map and analyze the processes.
• Intelligent Document Processing – The conversion of physical or unstructured documents into a structured, digital format that can be used in automation solutions. Optical character recognition (OCR) and natural language processing (NPL) are common tools used to enable this capability.
• Advanced Analytics – The gathering, synthesis, transformation, and delivery of insightful and consumable information that supports data-driven decision making. Data is queried from various disparate sources and can take on a variety of structured and unstructured formats.

Signals

Process automation is an executive priority and requires organizational buy-in

Stakeholders recognize the importance of business process automation and AI and are looking for ways to deliver more value using these technologies.

• 90% of executives stated automating business workflows post-COVID-19 will ensure business continuity (Kofax, 2022).
• 88% of executives stated they need to fast-track their end-to-end digital transformation (Kofax, 2022).

However, the advertised benefits to vendors of enabling these desired automations may not be easily achievable because of:

• Manual and undocumented business processes.
• Fragmented and inaccessible systems.
• Poor data quality, insights, and security.
• The lack of process governance and management practice.

	of CXOs stated staff sufficiency, skill and engagement issues as a minor IT pain point compared to 51% of CIOs stated this issue as a major pain point. Source: CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568.
	of organizations have already invested in AI or machine learning. Source: Tech Trends and Priorities 2023; N=662

Drivers

Quality & throughput

Products and services delivered through an undefined and manual process risk the creation of preventable and catchable defects, security flaws and holes, missing information, and other quality issues. IA solutions consistently reinforce quality standards the same way across all products and services while tailoring outputs to meet an individual's specific needs. Success is dependent on the accurate interpretation and application of quality standards and the user's expectations.

Worker productivity

IA removes the tedious, routine, and mundane tasks that distract and restrict employees from doing more valuable, impactful, and cognitively focused activities. Practical insights can also be generated through IA tools that help employees make data-driven decisions, evaluate problems from different angles, and improve the usability and value of the products and services they produce.

Good process management practices

Automation magnifies existing inefficiencies of a business process management practice, such as unclear and outdated process documentation and incorrect assumptions. IA reinforces the importance of good business process optimization practices, such as removing waste and inefficiencies in a thoughtful way, choosing the most appropriate automation solution, and configuring the process in the right way to maximize the solution's value.

Benefits & Risks

Benefits

• Documentation
• Hands-Off
• Reusability

All business processes must be mapped and documented to be automated, including business rules, data entities, applications, and control points.

IA can be configured and orchestrated to automatically execute when certain business, process, or technology conditions are met in an unattended or attended manner.

IA is applicable in use cases beyond traditional business processes, such as automated testing, quality control, audit, website scraping, integration platform, customer service, and data transfer.

Risks

• Data Quality & Bias
• Ethics
• Recovery & Security
• Management

The accuracy and relevance of the decisions IA makes are dependent on the overall quality of the data
used to train it.

Some decisions can have significant reputational, moral, and ethical impacts if made incorrectly.
The question is whether it is appropriate for a non-human to make that decision.

IA is composed of technologies that can be compromised or fail. Without the proper monitoring, controls,
and recovery protocols, impacted IA will generate significant business and IT costs and can potentially harm customers, employees, and the organization.

Low- and no-code capabilities ease and streamline IA development, which makes it susceptible to becoming unmanageable. Discipline is needed to ensure IA owners are aware of the size and health of the IA portfolio.

Address your pressure points to fully realize the benefits of this priority

Success can be dependent on your ability to address your pressure points.

Recommendations

Build your business process automation playbook and practice

Formalize your business process automation practice with a good toolkit and a repeatable set of tactics and techniques.

• Clarify the problem being solved with IA.
• Optimate your processes. Apply good practices to first optimize (opti-) and then automate (-mate) key business processes.
• Deliver minimum viable automations (MVAs). Maximize the learning of automation solutions and business operational changes through small, strategic automation use cases.

Related Research:

• Build a Winning Business Process Automation Playbook

Explore the various IA tooling options

Each IA tool will address a different problem. Which tool to choose is dependent on a variety of factors, such as functional suitability, technology suitability, delivery and support capabilities, alignment to strategic business goals, and the value it is designed to deliver.

Related Research:

• Build Your First RPA Bot
• Build a Chatbot Proof of Concept

Recommendations

Introduce AI and ML thoughtfully and with a plan

Despite the many promises of AI, organizations are struggling to fully realize its potential. The reasons boil down to a lack of understanding of when these technologies should and shouldn't be used, as well as a fear of the unknown. The plan to adopt AI should include:

• Understanding of what AI really means in practice.
• Identifying specific applications of AI in the business.
• Understanding the type of AI applicable for the situation.

Related Research:

• Get Started with Artificial Intelligence
• Create an Architecture for AI

Mitigate AI and ML bias

Biases can be introduced into an IA system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used and what assumptions were made. In most cases, AI and ML bias is a is a social, political, and business problem.

While bias may not be intentional nor completely prevented or eliminated, early detection, good design, and other proactive preventative steps can be taken to minimize its scope and impact.

Related Research:

• Mitigate Machine Bias

CASE STUDY
University Hospitals

Challenge

University Hospitals Cleveland (UH) faces the same challenge that every major hospital confronts regarding how to deliver increasingly complex, high-quality healthcare to a diverse population efficiently and economically. In 2017, UH embarked on a value improvement program aiming to improve quality while saving $400 million over a five-year period.

In emergency department (ED) and inpatient units, leaders found anticipating demand difficult, and consequently units were often over-staffed when demand was low and under-staffed when demand was high. Hospital leaders were uncertain about how to reallocate resources based on capacity needs.

Solution

UH turned to Hospital IQ's Census Solution to proactively manage capacity, staff, and flow in the ED and inpatient areas.

By applying AI, ML, and external data (e.g. weather forecasts) to the hospital's own data (including EMR data and hospital policies), the solution helped UH make two-day census forecasts that managers used to determine whether to open or close in-patient beds and, when necessary, divert low-acuity patients to other hospitals in the system to handle predicted patient volume.

Source: University Hospitals

Results

ED boarding hours have declined by 10% and the hospital has seen a 50% reduction in the number of patients who leave the hospital without
being seen.

UH also predicts in advance patients ready for discharge and identifies roadblocks, reducing the average length of stay by 15%. UH is able to better manage staff, reducing overtime and cutting overall labor costs.

The hospital has also increased staff satisfaction and improved patient safety by closing specific units on weekends and increasing the number of rooms that can be sterilized.

Proactive Application Management

PRIORITY 3

• Strengthen Applications to Prevent and Minimize the Impact of Future Issues

Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on application management when it becomes a problem. The lack of governance and practice accountability leaves this practice in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated. As a result, application management is often reactive and brushed aside for new development.

Introduction

What is application management?

Application management ensures valuable software is successfully delivered and is maintained for continuous and sustainable business operations. It contains a repeatable set of activities needed to rationalize and roadmap products and services while balancing priorities of new features and maintenance tasks.

Unfortunately, application management is commonly perceived as a practice that solely addresses issues, updates, and incidents. However, application management teams are also tasked with new value delivery that was not part of the original release.

Why is an effective application maintenance (reactive) practice not good enough?

Application maintenance is the "process of modifying a software system or its components after delivery to correct faults, improve performance or other attributes, or adapt to a changed environment or business process," (IEEE, 1998). While it is critical to quickly fix defects and issues when they occur, reactively addressing them is more expensive than discovering them early and employing the practices to prevent them.

Even if an application is working well, its framework, architecture, and technology may not be compatible with the possible upcoming changes stakeholders and vendors may want to undertake. Applications may not be problems now, but they soon can be.

What motivates proactive application changes?

Proactive application management must be disciplined and applied strategically

Proactive application management practices are critical to maintaining business continuity. They require continuous review and modification so that applications are resilient and can address current and future scenarios. Depending on the value of the application, its criticality to business operations, and its susceptibility to technology change, a more proactive management approach may be warranted. Stakeholders can then better manage resources and budget according to the needs of specific products.

Reactive Management

Run-to-Failure

Fix and enhance the product when it breaks. In most cases, a plan is in place ahead of a failure, so that the problem can be addressed without significant disruption and costs.

Preventive

Regularly inspect and optimize the product to reduce the likelihood that it will fail in the future. Schedule inspections based on a specific timeframe or usage threshold.

Predictive

Predict failures before they happen using performance and usage data to alert teams when products are at risk of failure according to specified conditions.

Reliability and Risk Based

Analyze all possible failure scenarios for each component of the product and create tailored delivery plans to improve the stability, reliability, and value of each product.

Proactive Management

Signals

Applications begin to degrade as soon as they are used

Today's applications are tomorrow's shelfware. They gradually lose their value, stability, robustness, and compatibility with other enterprise technologies. The longer these applications are left unattended or simply "keeping the lights on," the more risks they will bring to the application portfolio, such as:

• Discovery and exploitation of security flaws and gaps.
• Increasing the lock-in to specific vendor technologies.
• Inconsistent application performance across various workloads.

These impacts are further compounded by the continuous work done on a system burdened with technical debt. Technical debt describes the result of avoided costs that, over time, cause ongoing business impacts. Left unaddressed, technical debt can become an existential threat that risks your organization's ability to effectively compete and serve its customers. Unfortunately, most organizations have a significant, growing, unmanageable technical debt portfolio.

	of respondents stated they saw an increase in perceived change in technical debt during the past three years. A quarter of respondents indicated that it stayed the same. Source: McKinsey Digital, 2020.
US $4.35 Million	is the average cost of a data breach in 2022. This figure represents a 2.6% increase from last year. The average cost has climbed 12.7% since 2020. Source: IBM, 2022; N=537.

Drivers

Technical debt

Historical decisions to meet business demands by deferring key quality, architectural, or other software delivery activities often lead to inefficient and incomplete code, fragile legacy systems, broken processes, data quality problems, and the other contributors to technical debt. The impacts for this challenge is further heightened if organizations are not actively refactoring and updating their applications behind the scenes. Proactive application management is intended to raise awareness of application fragility and prioritize comprehensive refactoring activities alongside new feature development.

Long-term application value

Applications are designed, developed, and tested against a specific set of parameters which may become less relevant over time as the business matures, technology changes, and user behaviors and interactions shift. Continuous monitoring of the application system, regular stakeholder and user feedback, and active technology trend research and vendor engagement will reveal tasks to prepare an application for future value opportunities or stability and resilience concerns.

Security and resiliency

Innovative approaches to infiltrating and compromising applications are becoming prevailing stakeholder concerns. The loopholes and gaps in existing application security protocols, control points, and end-user training are exploited to gain the trust of unsuspecting users and systems. Proactive application management enforces continuous security reviews to determine whether applications are at risk. The goal is to prevent an incident from happening by hardening or complementing measures already in place.

Benefits & Risks

Benefits

• Consistent Performance
• Robustness
• Operating Costs

Users expect the same level of performance and experience from their applications in all scenarios. A proactive approach ensures the configurations meet the current needs of users and dependent technologies.

Proactively managed applications are resilient to the latest security concerns and upcoming trends.

Continuous improvements to the underlying architecture, codebase, and interfaces can minimize the cost to maintain and operate the application, such as the transition to a loosely coupled architecture and the standardization of REST APIs.

Risks

• Stakeholder Buy-In
• Delayed Feature Releases
• Team Capacity
• Discipline

Stakeholders may not see the association between the application's value and its technical quality.

Updates and enhancements are system changes much like any application function. Depending
on the priority of these changes, new functions may be pushed off to a future release cycle.

Applications teams require dedicated capacity to proactively manage applications, but they are often occupied meeting other stakeholder demands.

Overinvesting in certain application management activities (such as refactoring, re-architecture, and redesign) can create more challenges. Knowing how much to do is important.

Address your pressure points to fully realize the benefits of this priority

Success can be dependent on your ability to address your pressure points.

Recommendations

Reinforce your application maintenance practice

Maintenance is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on maintenance when it becomes a problem.

• Justify the necessity of streamlined maintenance.
• Strengthen triaging and prioritization practices.
• Establish and govern a repeatable process.

Ensure product issues, incidents, defects, and change requests are promptly handled to minimize business and IT risks.

Related Research:

• Streamline Application Maintenance

Build an application management practice

Apply the appropriate management approaches to maintain business continuity and balance priorities and commitments among maintenance and new development requests.

This practice serves as the foundation for creating exceptional customer experience by emphasizing cross-functional accountability for business value and product and service quality.

Related Research:

• Streamline Application Management

Recommendations

Manage your technical debt

Technical debt is a type of technical risk, which in turn is business risk. It's up to the business to decide whether to accept technical debt or mitigate it. Create a compelling argument to stakeholders as to why technical debt should be a business priority rather than just an IT one.

• Define and identify your technical debt.
• Conduct a business impact analysis.
• Identify opportunities to better manage technical debt.

Related Research:

• Manage Your Technical Debt

Gauge your application's health

Application portfolio management is nearly impossible to perform without an honest and thorough understanding of your portfolio's alignment to business capabilities, business value, total cost of ownership, end-user reception and satisfaction, and technical health.

Develop data-driven insights to help you decide which applications to retire, upgrade, retrain on, or maintain to meet the demands of the business.

Related Research:

• Application Portfolio Management Foundations

Recommendations

Adopt site reliability engineering (SRE) and DevOps practices

Site reliability engineering (SRE) is an operational model for running online services more reliably by a team of dedicated reliability-focused engineers.

DevOps, an operational philosophy promoting development and operations collaboration, can bring the critical insights to make application management practices through SRE more valuable.

Related Research:

• Implement DevOps Practices That Work
• Site Reliability Engineering: What Is It? Why Is It Important for Online Businesses?
• SLOs in Site Reliability Engineering

CASE STUDY
Government Agency

Goal

A government agency needed to implement a disciplined, sustainable application delivery, planning, and management process so their product delivery team could deliver features and changes faster with higher quality. The goal was to ensure change requests, fixes, and new features would relieve requester frustrations, reduce regression issues, and allow work to be done on agreeable and achievable priorities organization-wide. The new model needed to increase practice efficiency and visibility in order to better manage technical debt and focus on value-added solutions.

Solution

This organization recognized a number of key challenges that were inhibiting its team's ability to meet its goals:

• The product backlog had become too long and unmanageable.
• Delivery resources were not properly allocated to meet the skills and capabilities needed to successfully meet commitments.
• Quality wasn't defined or enforced, which generated mounting technical debt.
• There was a lack of clear metrics and defined roles and responsibilities.
• The business had unrealistic and unachievable expectations.

Source: Info-Tech Workshop

Key practices implemented

• Schedule quarterly business satisfaction surveys.
• Structure and facilitate regular change advisory board meetings.
• Define and enforce product quality standards.
• Standardize a streamlined process with defined roles.
• Configure management tools to better handle requests.

Multisource Systems

PRIORITY 4

• Manage an Ecosystem Composed of In-House and Outsourced Systems

Various market and company factors are motivating a review on resource and system sourcing strategies. The right sourcing model provides key skills, resources, and capabilities to meet innovation, time to market, financial, and quality goals of the business. However, organizations struggle with how best to support sourcing partners and to allocate the right number of resources to maximize success.

Introduction

A multisource system is an ecosystem of integrated internally and externally developed applications, data, and infrastructure. These technologies can be custom developed, heavily configured vendor solutions, or they may be commercial off-the-shelf (COTS) solutions. These systems can also be developed, supported, and managed by internal staff, in partnership with outsourced contractors, or be completely outsourced. Multisource systems should be configured and orchestrated in a way that maximizes the delivery of specific value drivers for the targeted audience.

Successfully selecting a sourcing approach is not a simple RFP exercise to choose the lowest cost

Defining and executing a sourcing approach can be a significant investment and risk because of the close interactions third-party services and partners will have with internal staff, enterprise applications and business capabilities. A careful selection and design is necessary.

The selection of a sourcing partner is not simple. It involves the detailed inspection and examination of different candidates and matching their fit to the broader vision of the multisource system. In cases where control is critical, technology stack and resource sourcing consolidation to a few vendors and partners is preferred. In other cases, where worker productivity and system flexibility are highly prioritized, a plug-and-play best-of-breed approach is preferred.

Sourcing needs to be driven by your department and system strategies

How does the department want to be perceived?

The image that your applications department and teams want to reflect is frequently dependent on the applications they deliver and support, the resources they are composed of, and the capabilities they provide.

Therefore, choosing the right sourcing approach should be driven by understanding who the teams are and want to be (e.g. internal builder, an integrator, a plug-in player), what they can or want to do (e.g. custom-develop or implement), and what they can deliver or support (e.g. cloud or on-premises) must be established.

What value is the system delivering?

Well-integrated systems are the lifeblood of your organization. They provide the capabilities needed to deliver value to customers, employees, and stakeholders. However, underlying system components may not be sourced under a unified strategy, which can lead to duplicate vendor services and high operational costs.

The right sourcing approach ensures your partners address key capabilities in your system's delivery and support, and that they are positioned to maximize the value of critical and high-impact components.

Signals

Business demand may outpace what vendors can support or offer

Outsourcing and shifting to a buy-over-build applications strategy are common quick fixes to dealing with capacity and skills gaps. However, these quick fixes often become long-term implementations that are not accounted for in the sourcing selection process. Current application and resource sourcing strategies must be reviewed to ensure that vendor arrangements meet the current and upcoming demands and challenges of the business, customers, and enterprise technologies, such as:

• Pressure from stakeholders to lower operating costs while maintaining or increasing quality and throughput.
• Technology lock-in that addresses short-term needs but inhibits long-term growth and maturity.
• Team capacity and talent acquisition not meeting the needs of the business.

	of respondents stated they outsourced software development fully or partly in the last 12 months (2021). Source: Coding Sans, 2021.
	of respondents stated they were at least somewhat satisfied with the result of outsourcing software development. Source: Coding Sans, 2021.

Drivers

Business-managed applications

Employees are implementing and building applications without consulting, notifying, or heeding the advice of IT. IT is often ill-equipped and under-resourced to fight against shadow IT. Instead, organizations are shifting the mindset of "fight shadow IT" to "embrace business-managed applications," using good practices in managing multisource systems. A multisource approach strikes the right balance between user empowerment and centralized control with the solutions and architecture that can best enable it.

Unique problems to solve

Point solutions offer features to address unique use cases in uncommon technology environments. However, point solutions are often deployed in siloes with limited integration or overlap with other solutions. The right sourcing strategy accommodates the fragmented nature of point solutions into a broader enterprise system strategy, whether that be:

• Multisource best of breed – integrate various technologies that provide subsets of the features needed for supporting business functions.
• Multisource custom – integrate systems built in-house with technologies developed by external organizations.
• Vendor add-ons and integrations – enhance an existing vendor's offering by using their system add-ons as upgrades, new add-ons, or integrations.

Vendor services

Some vendor services in a multisource environment may be redundant, conflicting, or incompatible. Given that multisource systems are regularly changing, it is difficult to identify what services are affected, what would be needed to fill the gap of the removed solution, or which redundant services should be removed.

A multisource approach motivates the continuous rationalization of your vendor services and partners to determine the right mixture of in-house and outsourced resources, capabilities, and technologies.

Benefits & Risks

Benefits

• Business-Focused Solution
• Flexibility
• Cost Optimization

Multisource systems can be designed to support an employee's ability to select the tools they want and need.

The environment is architected in a loosely coupled approach to allow applications to be easily added, removed, and modified with minimized impact to other integrated applications.

Rather than investing in large solutions upfront, applications are adopted when they are needed and are removed when little value is gained. Disciplined application portfolio management is necessary to see the full value of this benefit.

Risks

• Manageable Sprawl
• Policy Adherence
• Integration & Compatibility

The increased number and diversity of applications in multisource system environments can overwhelm system managers who do not have an effective application portfolio management practice.

Fragmented application implementations risk inconsistent adherence to security and other quality policies, especially in situations where IT is not involved.

Application integration can quickly become tangled, untraceable, and unmanageable because of varying team and vendor preferences for specific integration technologies and techniques.

Address your pressure points to fully realize the benefits of this priority

Success can be dependent on your ability to address your pressure points.

Recommendations

Define the goals of your applications department and product vision

Understanding the applications team's purpose and image is critical in determining how the system they are managing and the skills and capacities they need should be sourced.

Changing and conflicting definitions of value and goals make it challenging to convey an agreeable strategy of the multisource system. An achievable vision and practical tactics ensure all parties in the multisource system are moving in the same direction.

Related Research:

• Build an Application Department Strategy
• Deliver On Your Digital Product Vision

Develop a sourcing partner strategy

Almost half of all sourcing initiatives do not realize projected savings, and the biggest reason is the choice of partner (Zhang et al., 2018). Making the wrong choice means inferior products, higher costs and the loss of both clients and reputation.

Choosing the right sourcing partner involves understanding current skills and capacities, finding the right matching partner based on a desired profile, and managing a good working relationship that sees short-term gains and supports long-term goals.

Related Research:

• Select a Sourcing Partner for Your Application Development Team
• Drive Successful Sourcing Outcomes with a Robust RFP Process
• Jump Start Your Vendor Management Initiative

Recommendations

Strengthen enterprise integration practices

Integration strategies that are focused solely on technology are likely to complicate rather than simplify because little consideration is given on how other systems and processes will be impacted. Enterprise integration needs to bring together business process, applications, and data – in that order.

Kick-start the process of identifying opportunities for improvement by mapping how applications and data are coordinated to support business activities.

Related Research:

• Build Effective Enterprise Integration on the Back of Business Process
• Build an Application Integration Strategy
• Build a Data Integration Strategy

Manage your solution architecture and application portfolio

Haphazardly implementing and integrating applications can generate significant security, performance, and data risks. A well-thought-through solution architecture is essential in laying the architecture quality principles and roadmap on how the multisource system can grow and evolve in a sustainable and maintainable way.

Good application portfolio management complements the solution architecture as it indicates when low-value and unused applications should be removed to reduce system complexity.

Related Research:

• Enhance Your Solution Architecture Practices
• Application Portfolio Management Foundations

Recommendations

Embrace business-managed applications

Multisource systems bring a unique opportunity to support the business and end users' desire to implement and develop their own applications. However, traditional models of managing applications may not accommodate the specific IT governance and management practices required to operate business-managed applications:

• A collaborative and trusting business-IT relationship is key.
• The role of IT must be reimagined.
• Business must be accountable for its decisions.

Related Research:

• Embrace Business-Managed Applications

CASE STUDY
Cognizant

Situation

• Strives to be primarily an industry-aligned organization that delivers multiple service lines in multiple geographies.
• Cognizant seeks to carefully consider client culture to create a one-team environment.
• Value proposition is a consultative approach bringing thought leadership and mutually adding value to the relationship vs. the more traditional order-taker development partner.
• Wants to share in solution development to facilitate shared successes. Geographic alignment drives knowledge of the client and their challenges, not just about time zone and supportability.
• Offers one of the largest offshore capabilities in the world, supported by local and nearshore resources to drive local knowledge.
• Today's clients don't typically want a black box, they are sophisticated and want transparency around the process and solution, to have a partner.
• Clients do want to know where the work is being delivered from, how it's being done.

Source: interview with Jay MacIsaac, Cognizant.

Approach

• Best relationship comes where teams operate as one.
• Clients are seeking value, not a development black box.
• Clients want to have a partner they can engage with, not just an order taker.
• Want to build a one-team culture with shared goals and deliver business value.
• Seek a partner that will add to their thinking not echo it.

Results

• Cognizant is continuing to deliver double-digit growth and continues to strive for top quartile performance.
• Growth in the client base has seen the company grow to over 340,000 associates worldwide.

Digital Organization as a Platform

PRIORITY 5

• Create a Common Digital Interface to Access All Products and Services

A digital platform enables organizations to leverage a flexible, reliable, and scalable foundation to create a valuable DX, ease delivery and management efforts, maximize existing investments, and motivate the broader shift to digital. This approach provides a standard to architect, integrate, configure, and modernize the applications that compose the platform.

Introduction

What is digital organization as a platform (DOaaP)?

Digital organization as a platform (DOaaP) is a collection of integrated digital services, products, applications, and infrastructure that is used as a vehicle to meet and exceed an organization's digital strategies. It often serves as an accessible "place for exchanges of information, goods, or services to occur between producers and consumers as well as the community that interacts
with said platform" (Watts, 2020).

DOaaP involves a strategy that paves the way for organizations to be digital. It helps organizations use their assets (e.g. data, processes, products, services) in the most effective ways and become more open to cooperative delivery, usage, and management. This opens opportunities for innovation and cross-department collaborations.

How is DOaaP described?

1. Open and Collaborative
   • Open organization: open data, open APIs, transparency, and user participation.
   • Collaboration, co-creation, crowdsourcing, and innovation
2. Accessible and Connected
   • Digital inclusion
   • Channel ubiquity
   • Integrity and interoperability
   • Digital marketplace
3. Digital and Programmable
   • Digital identity
   • Policies and processes as code
   • Digital products and services
   • Enabling digital platforms

Digital organizations follow a common set of principles and practices

Customer-centricity

Digital organizations are driven by customer focus, meeting and exceeding customer expectations. It must design its services with a "digital first" principle, providing access through every expected channel and including seamless integration and interoperability with various departments, partners, and third-party services. It also means creating trust in its ability to provide secure services and to keep privacy and ethics as core pillars.

Leadership, management, and strategies

Digital leadership brings customer focus to the enterprise and its structures and organizes efficient networks and ecosystems. Accomplishing this means getting rid of silos and a siloed mentality and aligning on a digital vision to design policies and services that are efficient, cost-effective, and provide maximum benefit to the user. Asset sharing, co-creation, and being open and transparent become cornerstones of a digital organization.

Infrastructure

Providing digital services across demographics and geographies requires infrastructure, and that in turn requires long-term vision, smart investments, and partnerships with various source partners to create the necessary foundational infrastructure upon which to build digital services.

Digitization and automation

Automation and digitization of processes and services, as well as creating digital-first products, lead to increased efficiency and reach of the organization across demographics and geographies. Moreover, by taking a digital-first approach, digital organizations future-proof their services and demonstrate their commitment to stakeholders.

Enabling platforms

DOaaP embraces open standards, designing and developing organizational platforms and ecosystems with a cloud-first mindset and sound API strategies. Developer experience must also take center stage, providing the necessary tools and embracing Agile and DevOps practices and culture become prerequisites. Cybersecurity and privacy are central to the digital platform; hence they must be part of the design and development principles and practices.

Signals

The business expects support for digital products and services

Digital transformation continues to be a high-priority initiative for many organizations, and they see DOaaP as an effective way to enable and exploit digital capabilities. However, DOaaP unleashes new strategies, opportunities, and challenges that are elusive or unfamiliar to business leaders. Barriers in current business operating models may limit DOaaP success, such as:

• Department and functional silos
• Dispersed, fragmented and poor-quality data
• Ill-equipped and under-skilled resources to support DOaaP adoption
• System fragmentation and redundancies
• Inconsistent integration tactics employed across systems
• Disjointed user experience leading to low engagement and adoption

DOaaP is not just about technology, and it is not the sole responsibility of either IT or business. It is the collective responsibility of the organization.

	of organizations plan to unlock new value through digital. 50% of organizations are planning major transformation over the next three years. Source: Nash Squared, 2022.
	of organizations are undertaking digital expansion projects focused on scaling their business with technology. This result is up from 57% in 2021. Source: F5 Inc, 2022.

Drivers

Unified brand and experience

Users should have the same experience and perception of a brand no matter what product or service they use. However, fragmented implementation of digital technologies and inconsistent application of design standards makes it difficult to meet this expectation. DOaaP embraces a single design and DX standard for all digital products and services, which creates a consistent perception of your organization's brand and reputation irrespective of what products and services are being used and how they are accessed.

Accessibility

Rapid advancement of end-user devices and changes to end-user behaviors and expectations often outpace an organization's ability to meet these requirements. This can make certain organization products and services difficult to find, access and leverage. DOaaP creates an intuitive and searchable interface to all products and services and enables the strategic combination of technologies to collectively deliver more value.

Justification for modernization

Many opportunities are left off the table when legacy systems are abstracted away rather than modernized. However, legacy systems may not justify the investment in modernization because their individual value is outweighed by the cost. A DOaaP initiative motivates decision makers to look at the entire system (i.e. modern and legacy) to determine which components need to be brought up to a minimum digital state. The conversation has now changed. Legacy systems should be modernized to increase the collective benefit of the entire DOaaP.

Benefits & Risks

Benefits

• Look & Feel
• User Adoption
• Shift to Digital

A single, modern, customizable interface enables a common look and feel no matter what and how the platform is being accessed.

Organizations can motivate and encourage the adoption and use of all products and services through the platform and increase the adoption of underused technologies.

DOaaP motivates and supports the modernization of data, processes, and systems to meet the goals and objectives outlined in the broader digital transformation strategy.

Risks

• Data Quality
• System Stability
• Ability to Modernize
• Business Model Change

Each system may have a different definition of commonly used entities (e.g. customer), which can cause data quality issues when information is shared among these systems.

DOaaP can stress the performance of underlying systems due to the limitations of some systems to handle increased traffic.

Some systems cannot be modernized due to cost constraints, business continuity risks, vendor lock-in, legacy and lore, or other blocking factors.

Limited appetite to make the necessary changes to business operations in order to maximize the value of DOaaP technologies.

Address your pressure points to fully realize the benefits of this priority

Success can be dependent on your ability to address your pressure points.

Recommendations

Define your platform vision

Organizations realize that a digital model is the way to provide more effective services to their customers and end users in a cost-effective, innovative, and engaging fashion. DOaaP is a way to help support this transition.

However, various platform stakeholders will have different interpretations of and preferences for what this platform is intended to solve, what benefits it is supposed to deliver, and what capabilities it will deliver. A grounded vision is imperative to steer the roadmap and initiatives.

Related Research:

• Drive Digital Transformation with Platform Strategies
• Gov 2.0: Government as a Platform
• Deliver Digital Products at Scale

Assess and modernize your applications

Certain applications may not sufficiently support the compatibility, flexibility, and efficiency requirements of DOaaP. While workaround technologies and tactics can be employed to overcome these application challenges, the full value of the DOaaP may not be realized.

Reviewing the current state of the application portfolio will indicate the functional and value limitations of what DOaaP can provide and an indication of the scope of investment needed to bring applications up to a minimum state.

Related Research:

• Application Portfolio Management Foundations
• Modernize Your Applications

Recommendations

Understand and evaluate end-user needs

Technology has reached a point where it's no longer difficult for teams to build functional and valuable digital platforms. Rather, the difficulty lies in creating an interface and platform that people want to use and use frequently.

While it is important to increase the access and promotion of all products and services, orchestrating and configuring them in a way to deliver a satisfying experience is even more important. Applications teams must first learn about and empathize with the needs of end users.

Related Research:

• Use Experience Design to Drive Empathy With the Business
• Implement and Mature Your User Experience Design Practice

Architect your platform

Formalizing and constructing DOaaP just for the sake of doing so often results in an initiative that is lengthy and costly and ends up being considered a failure.

The build and optimization of the platform must be predicated on a thorough understanding of the DOaaP's goals, objectives, and priorities and the business capabilities and process they are meant to support and enable. The appropriate architecture and delivery practices can then be defined and employed.

Related Research:

• Enhance Your Solution Architecture Practices
• Build Your Data Practice and Platform

CASE STUDY
e-Estonia

Situation

The digital strategy of Estonia resulted in e-Estonia, with the vision of "creating a society with more transparency, trust, and efficiency." Estonia has addressed the challenge by creating structures, organizations, and a culture of innovation, and then using the speed and efficiency of digital infrastructure, apps, and services. This strategy can reduce or eliminate bureaucracy through transparency and automation.

Estonia embarked on its journey to making digital a priority in 1994-1996, focusing on a committed investment in infrastructure and digital literacy. With that infrastructure in place, they started providing digital services like an e-banking service (1996), e-tax and mobile parking (2002), and then went full steam ahead with a digital information interoperability platform in 2001, digital identity in 2002, e-health in 2008, and e-prescription in 2010. The government is now strategizing for AI.

Results

Source: e-Estonia

Practices employed

The e-Estonia digital government model serves as a reference for governments across the world; this is acknowledged by the various awards it has received, like #2 in "internet freedom," awarded by Freedom House in 2019; #1 on the "digital health index," awarded by the Bertelsmann Foundation in 2019; and #1 on "start-up friendliness," awarded by Index Venture in 2018.

References

"15th State of Agile Report." Digital.ai, 2021. Web.
"2022 HR Trends Report." McLean & Company, 2022.
"2022: State of Application Strategy Report." F5 Inc, 2022.
"Are Executives Wearing Rose-Colored Glasses Around Digital Transformation?" Cyara, 2021. Web.
"Cost of a Data Breach Report 2022." IBM, 2022. Web.
Dalal, Vishal, et al. "Tech Debt: Reclaiming Tech Equity." McKinsey Digital, Oct. 2020. Web.
"Differentiating Between Intelligent Automation and Hyperautomation." IBM, 15 October 2021. Web.
"Digital Leadership Report 2021." Harvey Nash Group, 2021.
"Digital Leadership Report 2022: The State of Digital." Nash Squared, 2022. Web.
Gupta, Sunil. "Driving Digital Strategy: A Guide to Reimagining Your Business." Harvard Business Review Press, 2018. Web.
Haff, Gordon. "State of Application Modernization Report 2022." Konveyor, 2022. Web.
"IEEE Standard for Software Maintenance: IEEE Std 1219-1998." IEEE Standard for Software Maintenance, 1998. Accessed Dec. 2015.
"Intelligent Automation." Cognizant, n.d. Web.
"Kofax 2022: Intelligent Automation Benchmark Study". Kofax, 2021. Web.
McCann, Leah. "Barco's Virtual Classroom at UCL: A Case Study for the Future of All University Classrooms?" rAVe, 2 July 2020, Web.
"Proactive Staffing and Patient Prioritization to Decompress ED and Reduce Length of Stay." University Hospitals, 2018. Web.
"Secrets of Successful Modernization." looksoftware, 2013. Web.
"State of Software Development." Coding Sans, 2021. Web.
"The State of Low-Code/No-Code." Creatio, 2021. Web.
"We Have Built a Digital Society and We Can Show You How." e-Estonia. n.d. Web.
Zanna. "The 5 Types of Experience Series (1): Brand Experience Is Your Compass." Accelerate in Experience, 9 February 2020. Web.
Zhang, Y. et al. "Effects of Risks on the Performance of Business Process Outsourcing Projects: The Moderating Roles of Knowledge Management Capabilities." International Journal of Project Management, 2018, vol. 36 no. 4, 627-639.

Research Contributors and Experts

Chris Harrington
Chief Technology Officer
Carolinas Telco Federal Credit Union

Chris Harrington is Chief Technology Officer (CTO) of Carolinas Telco Federal Credit Union. Harrington is a proven leader with over 20 years of experience developing and leading information technology and cybersecurity strategies and teams in the financial industry space.

Benjamin Palacio
Senior Information Technology Analyst County of Placer

Benjamin Palacio has been working in the application development space since 2007 with a strong focus on system integrations. He has seamlessly integrated applications data across multiple states into a single reporting solution for management teams to evaluate, and he has codeveloped applications to manage billions in federal funding. He is also a CSAC-credentialed IT Executive (CA, USA).

Scott Rutherford
Executive Vice President, Technology
LGM Financial Services Inc.

Scott heads the Technology division of LGM Financial Services Inc., a leading provider of warranty and financing products to automotive OEMs and dealerships in Canada. His responsibilities include strategy and execution of data and analytics, applications, and technology operations.

Robert Willatts
IT Manager, Enterprise Business Solutions and Project Services
Town of Newmarket

Robert is passionate about technology, innovation, and Smart City Initiatives. He makes customer satisfaction as the top priority in every one of his responsibilities and accountabilities as an IT manager, such as developing business applications, implementing and maintaining enterprise applications, and implementing technical solutions. Robert encourages communication, collaboration, and engagement as he leads and guides IT in the Town of Newmarket.

Randeep Grewal
Vice President, Enterprise Applications
Red Hat

Randeep has over 25 years of experience in enterprise applications, advanced analytics, enterprise data management, and consulting services, having worked at numerous blue-chip companies. In his most recent role, he is the Vice President of Enterprise Applications at Red Hat. Reporting to the CIO, he is responsible for Red Hat's core business applications with a focus on enterprise transformation, application architecture, engineering, and operational excellence. He previously led the evolution of Red Hat into a data-led company by maturing the enterprise data and analytics function to include data lake, streaming data, data governance, and operationalization of analytics for decision support.

Prior to Red Hat, Randeep was the director of global services strategy at Lenovo, where he led the strategy using market data to grow Lenovo's services business by over $400 million in three years. Prior to Lenovo, Randeep was the director of advanced analytics at Alliance One and helped build an enterprise data and analytics function. His earlier work includes seven years at SAS, helping SAS become a leader in business analytics, and at KPMG consulting, where he managed services engagements at Fortune 100 companies.

The First 100 Days As CIO

Partner with Info-Tech for success in this crucial period of transition.

Analyst Perspective

The first 100 days refers to the 10 days before you start and the first three months on the job.

“The original concept of ‘the first 100 days’ was popularized by Franklin Delano Roosevelt, who passed a battery of new legislation after taking office as US president during the Great Depression. Now commonly extended to the business world, the first 100 days of any executive role is a critically important period for both the executive and the organization.

But not every new leader should follow FDR’s example of an action-first approach. Instead, finding the right balance of listening and taking action is the key to success during this transitional period. The type of the organization and the mode that it’s in serves as the fulcrum that determines where the point of perfect balance lies. An executive facing a turnaround situation will want to focus on more action more quickly. One facing a sustaining success situation or a realignment situation will want to spend more time listening before taking action.” (Brian Jackson, Research Director, CIO, Info-Tech Research Group)

Executive summary

Situation

• You’ve been promoted from within to the role of CIO.
• You’ve been hired externally to take on the role of CIO.

Complication

Studies show that two years after a new executive transition, as many as half are regarded as failures or disappointments (McKinsey). First impressions are hard to overcome, and a CIO’s first 100 days are heavily weighted in terms of how others will assess their overall success. The best way to approach this period is determined by both the size and the mode of an organization.

Resolution

• Work with Info-Tech to prepare a 100-day plan that will position you for success.
• Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
• Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

Info-Tech Insight

1. Foundational understanding must be achieved before you start.
   Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
2. Listen before you act (usually).
   In most situations, executives benefit from listening to peers and staff before taking action.
3. Identify quick wins early and often.
   Fix problems as soon as you recognize them to set the tone for your tenure.

The First 100 Days: Roadmap

Concierge service overview

Organize a call with your executive advisor every two weeks during your first 100 days. Info-Tech recommends completing our diagnostics during this period. If you’re not able to do so, instead complete the alternative activities marked with (a).

Call 1

Before you start: Day -10 to Day 1

Interview your predecessor

Interviewing your predecessor can help identify the organization’s mode and type.

Before reaching out to your predecessor, get a sense of whether they were viewed as successful or not. Ask your manager. If the predecessor remains within the organization in a different role, understand your relationship with them and how you'll be working together.

During the interview, make notes about follow-up questions you'll ask others at the organization.

Ask these open-ended questions in the interview:

• Tell me about the team.
• Tell me about your challenges.
• Tell me about a major project your team worked on. How did it go?
• Who/what has been helpful during your tenure?
• Who/what created barriers for you?
• What do your engagement surveys reveal?
• Tell me about your performance management programs and issues.
• What mistakes would you avoid if you could lead again?
• Why are you leaving?
• Could I reach out to you again in the future?

Learn the corporate structure

Identify the organization’s corporate structure type based on your initial conversations with company leadership. The type of structure will dictate how much control you'll have as a functional head and help you understand which stakeholders you'll need to collaborate with.

To Do:

• Review the organization’s structure list and identify whether the structure is functional, prioritized, or a matrix. If it's a matrix organization, determine if it's a strong matrix (project manager holds more authority), weak matrix (functional manager holds more authority), or balanced matrix (managers hold equal authority).

This organization is a ___________________ type.

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Based on your interview process and discussions with company leadership, and using Michael Watkins’ STARS assessment, determine which mode your organization is in: startup, turnaround, accelerated growth, realignment, or sustaining success.

Knowing the mode of your organization will determine how you approach your 100-day plan. Depending on the mode, you'll rebalance your activities around the three categories of assess, listen, and deliver.

To Do:

• Review the STARS table on the right.

Based on your situation, prioritize activities in this way:

• Startup: assess, listen, deliver
• Turnaround: deliver, listen, assess
• Accelerated Growth: assess, listen, deliver
• Realignment: listen, assess, deliver
• Sustaining success: listen, assess, deliver

This organization is a ___________________ type.

(Source: Watkins, 2013.)

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Satya Nadella's listen, lead, and launch approach

CASE STUDY

Industry Software
Source Gregg Keizer, Computerworld, 2014

When Satya Nadella was promoted to the CEO role at Microsoft in 2014, he received a Glassdoor approval rating of 85% and was given an "A" grade by industry analysts after his first 100 days. What did he do right? Created a sense of urgency by shaking up the senior leadership team. Already understood the culture as an insider. Listened a lot and did many one-on-one meetings. Established a vision communicated with a mantra that Microsoft would be "mobile-first, cloud-first." Met his words with actions. He launched Office for iPad and made many announcements for cloud platform Azure.

Satya Nadella, CEO, Microsoft Corp. (Image source: Microsoft)

Listen to 'The First 100 Days' podcast – Alan Fong

Create a one-page introduction sheet to use in communications

As a new CIO, you'll have to introduce yourself to many people in the organization. To save time on communicating who you are as a person outside of the office, create a brief one-pager that includes a photo of you, where you were born and raised, and what your hobbies are. This helps make a connection more quickly so your conversations can focus on the business at hand rather than personal topics.

For your presentation deck, remove the personal details and just keep it professional. The personal aspects can be used as a one-pager for other communications. (Source: Personal interview with Denis Gaudreault, Country Lead, Intel.)

Presentation Deck, slide 5

Call 2

Day 1 to Day 15

Introduce yourself to your team

Prepare a 20-second pitch about yourself that goes beyond your name and title. Touch on your experience that's relevant to your new role or the industry you're in. Be straightforward about your own perceived strengths and weaknesses so that people know what to expect from you. Focus on the value you believe you'll offer the group and use humor and humility where you're comfortable. For example:

“Hi everyone, my name is John Miller. I have 15 years of experience marketing conferences like this one to vendors, colleges, and HR departments. What I’m good at, and the reason I'm here, is getting the right people, businesses, and great ideas in a room together. I'm not good on details; that's why I work with Tim. I promise that I'll get people excited about the conference, and the gifts and talents of everyone else in this room will take over from there. I'm looking forward to working with all of you.”

Have a structured set of questions ready that you can ask everyone.

For example:

• How well is the company performing based on expectations?
• What must the company do to sustain its financial performance and market competitiveness?
• How do you foresee the CIO contributing to the team?
• How have past CIOs performed from the perspective of the team?
• What would successful performance of this role look like to you? To your peers?
• What challenges and obstacles to success am I likely to encounter? What were the common challenges of my predecessor?
• How do you view the culture here and how do successful projects tend to get approved?
• What are your greatest challenges? How could I help you?

Get to know your sphere of influence: prepare to connect with a variety of people before you get down to work

Your ability to learn from others is critical at every stage in your first 100 days. Keep your sphere of influence in the loop as you progress through this period.

Write down the names, or at least the key people, in each segment of this diagram. This will serve as a quick reference when you're planning communications with others and will help you remember everyone as you're meeting lots of new people in your early days on the job.

• Everyone knows their networks are important.
• However, busy schedules can cause leaders to overlook their many audiences.
• Plan to meet and learn from all people in your sphere to gain a full spectrum of insights.

Presentation Deck, slide 29

Identify how your competitors are leveraging technology for competitive advantage

Competitor identification and analysis are critical steps for any new leader to assess the relative strengths and weaknesses of their organization and develop a sense of strategic opportunity and environmental awareness.

Today’s CIO is accountable for driving innovation through technology. A competitive analysis will provide the foundation for understanding the current industry structure, rivalry within it, and possible competitive advantages for the organization.

Surveying your competitive landscape prior to the first day will allow you to come to the table prepared with insights on how to support the organization and ensure that you are not vulnerable to any competitive blind spots that may exist in the evaluations conducted by the organization already.

You will not be able to gain a nuanced understanding of the internal strengths and weaknesses until you are in the role, so focus on the external opportunities and how competitors are using technology to their advantage.

Info-Tech Best Practice

For a more in-depth approach to identifying and understanding relevant industry trends and turning them into insights, leverage the following Info-Tech blueprints:

• Think Like a Futurist
• CIO Trend Report 2019

Presentation Deck, slide 9

Assess the external competitive environment

INPUT: External research

OUTPUT: Competitor array

1. Conduct a broad analysis of the industry as a whole. Seek to answer the following questions:
   1. Are there market developments or new markets?
   2. Are there industry or lifestyle trends, e.g. move to mobile?
   3. Are there geographic changes in the market?
   4. Are there demographic changes that are shaping decision making?
   5. Are there changes in market demand?
2. Create a competitor array by identifying and listing key competitors. Try to be as broad as possible here and consider not only entrenched close competitors but also distant/future competitors that may disrupt the industry.
3. Identify the strengths, weaknesses, and key brand differentiators that each competitor brings to the table. For each strength and differentiator, brainstorm ways that IT-based innovation enables each. These will provide a toolkit for deeper conversations with your peers and your business stakeholders as you move further into your first 100 days.

Complete the CEO-CIO Alignment Program

INPUT: CEO-CEO Alignment Program (recommended)

OUTPUT: Desired and target state of IT maturity, Innovation goals, Top priorities

Materials: Presentation Deck, slides 11-13

Participants: CEO, CIO

Introduce the concept of the CEO-CIO Alignment Program using slide 10 of your presentation deck and the brief email text below.

Talk to your advisory contact at Info-Tech about launching the program. More information is available on Info-Tech’s website.

Once the report is complete, import the results into your presentation:

• Slide 11, the CEO’s current and desired states
• Slide 12, IT innovation goals
• Slide 13, top projects and top departments from the CEO and the CIO

Include any immediate recommendations you have.

Hello CEO NAME,

I’m excited to get started in my role as CIO, and to hit the ground running, I’d like to make sure that the IT department is aligned with the business leadership. We will accomplish this using Info-Tech Research Group’s CEO-CIO Alignment Program. It’s a simple survey of 20 questions to be completed by the CEO and the CIO.

This survey will help me understand your perception and vision as I get my footing as CIO. I’ll be able to identify and build core IT processes that will automate IT-business alignment going forward and create an effective IT strategy that helps eliminate impediments to business growth.

Research shows that IT departments that are effectively aligned to business goals achieve more success, and I’m determined to make our IT department as successful as possible. I look forward to further detailing the benefits of this program to you and answering any questions you may have the next time we speak.

Regards,
CIO NAME

New KPIs for CEO-CIO Alignment — Recommended

Info-Tech CEO-CIO Alignment Program

Info-Tech's CEO-CIO Alignment Program is set up to build IT-business alignment in any organization. It helps the CIO understand CEO perspectives and priorities. The exercise leads to useful IT performance indicators, clarifies IT’s mandate and which new technologies it should invest in, and maps business goals to IT priorities.

Benefits

Master the Basics Cut through the jargon. Take a comprehensive look at the CEO perspective.	Target Alignment Identify how IT can support top business priorities. Address CEO-CIO differences.	Start on the Right Path Get on track with the CIO vision. Use correct indicators and metrics to evaluate IT from day one.

Additional materials are available on Info-Tech’s website.

The desired maturity level of IT — Alternative

Step 1: Where are we today? Determine where the CEO sees the current overall maturity level of the IT organization. Step 2: Where do we want to be as an organization? Determine where the CEO wants the IT organization to be in order to effectively support the strategic direction of the business.

Presentation Deck, slide 11

Tim Cook's powerful use of language

CASE STUDY

Industry Consumer technology
Source Carmine Gallo, Inc., 2019

Apple CEO Tim Cook, an internal hire, had big shoes to fill after taking over from the late Steve Jobs. Cook's ability to control how the company is perceived is a big credit to his success. How does he do it? His favorite five words are “The way I see it..." These words allow him to take a line of questioning and reframe it into another perspective that he wants to get across. Similarly, he'll often say, "Let me tell you the way I look at it” or "To put it in perspective" or "To put it in context." In your first two weeks on the job, try using these phrases in your conversations with peers and direct reports. It demonstrates that you value their point of view but are independently coming to conclusions about the situation at hand.

Tim Cook, CEO, Apple Inc. (Image source: Apple)

Listen to 'The First 100 Days' podcast – Denis Gaudreault

Inform your team that you plan to do an IT Management & Governance Diagnostic survey

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: IT Management & Governance Diagnostic (recommended)

OUTPUT: Process to improve first, Processes important to the business

Materials: Presentation Deck, slides 19-20

Participants: CIO, IT staff

Introduce the IT Management & Governance Diagnostic survey that will help you form your IT strategy.

Explain that you want to understand current IT capabilities and you feel a formal approach is best. You’ll also be using this approach as an important metric to track your department’s success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take action on the email when it’s sent to them.

Example email:

Hello TEAM,

I appreciate meeting each of you, and so far I’m excited about the talents and energy on the team. Now I need to understand the processes and capabilities of our department in a deeper way. I’d like to map our process landscape against an industry-wide standard, then dive deeper into those processes to understand if our team is aligned. This will help us be accountable to the business and plan the year ahead. Advisory firm Info-Tech Research Group will be reaching out to you with a simple survey that shouldn’t take too long to complete. It’s important to me that you pay attention to that message and complete the survey as soon as possible.

Regards,
CIO NAME

Call 3

Day 16 to Day 30

Leverage team interviews as a source of determining organizational culture

Info-Tech recommends that you hold group conversations with your team to uncover their opinions of the current organizational culture. This not only helps build transparency between you and your team but also gives you another means of observing behavior and reactions as you listen to team members’ characterizations of the current culture.

Note: It is inherently difficult for people to verbalize what constitutes a culture – your strategy for extracting this information will require you to ask indirect questions to solicit the highest value information.

Questions for Discussion:

• What about the current organizational environment do you think most contributes to your success?
• What barriers do you experience as you try to accomplish your work?
• What is your favorite quality that is present in our organization?
• What is the one thing you would most like to change about this organization?
• Do the organization's policies and procedures support your efforts to accomplish work or do they impede your progress?
• How effective do you think IT’s interactions are with the larger organization?
• What would you consider to be IT’s top three guiding principles?
• What kinds of people fail in this organization?

See Info-Tech’s Cultural Archetype Calculator.

Use the Competing Values Framework to define your organization’s cultural archetype

THE COMPETING VALUES FRAMEWORK (CVF):

CVF represents the synthesis of academic study of 39 indicators of effectiveness for organizations. Using a statistical analysis, two polarities that are highly predictive of differences in organizational effectiveness were isolated: Internal focus and integration vs. external focus and differentiation. Stability and control vs. flexibility and discretion. By plotting these dimensions on a matrix of competing values, four main cultural archetypes are identified with their own value drivers and theories of effectiveness.

Presentation Deck, slide 16

Create a cultural adjustment plan

Now that you've assessed the cultural archetype, you can plan an appropriate approach to shape the culture in a positive way. When new executives want to change culture, there are a few main options at hand:

Autonomous evolution: Encourage teams to learn from each other. Empower hybrid teams to collaborate and reward teams that perform well.

Planned and managed change: Create steering committee and project-oriented taskforces to work in parallel. Appoint employees that have cultural traits you'd like to replicate to hold responsibility for these bodies.

Cultural destruction: When a toxic culture needs to be eliminated, get rid of its carriers. Putting new managers or directors in place with the right cultural traits can be a swift and effective way to realign.

Each option boils down to creating the right set of incentives and deterrents. What behaviors will you reward and which ones will you penalize? What do those consequences look like? Sometimes, but not always, some structural changes to the team will be necessary. If you feel these changes should be made, it's important to do it sooner rather than later. (Source: “Enlarging Your Sphere of Influence in Your Organization,” MindTools Corporate, 2014.)

As you're thinking about shaping a desired culture, it's helpful to have an easy way to remember the top qualities you want to espouse. Try creating an acronym that makes it easy for staff to remember. For example: RISE could remind your staff to be Responsive, Innovative, Sustainable, and Engaging (RISE). Draw upon your business direction from your manager to help produce desired qualities (Source: Jennifer Schaeffer).

Presentation Deck, slide 17

Gary Davenport’s welcome “surprise”

CASE STUDY

Industry Telecom
Source Interview with Gary Davenport

After Gary Davenport was hired on as VP of IT at MTS Allstream, his first weekend on the job was spent at an all-executive offsite meeting. There, he learned from the CEO that the IT department had a budget reduction target of 25%, like other departments in the company. “That takes your breath away,” Davenport says. He decided to meet the CEO monthly to communicate his plans to reduce spending while trying to satisfy business stakeholders. His top priorities were: Stabilize IT after seven different leaders in a five-year period. Get the IT department to be respected. To act like business owners instead of like servants. Better manage finances and deliver on projects. During Davenport’s 7.5-year tenure, the IT department became one of the top performers at MTS Allstream.

Gary Davenport’s first weekend on the job at MTS Allstream included learning about a 25% reduction target. (Image source: Ryerson University)

Listen to 'The First 100 Days' podcast – David Penny & Andrew Wertkin

Initiate IT Management & Governance Diagnostic — Recommended

Info-Tech Management & Governance Diagnostic

Talk to your Info-Tech executive advisor about launching the survey shortly after informing your team to expect it. You'll just have to provide the names and email addresses of the staff you want to be involved. Once the survey is complete, you'll harvest materials from it for your presentation deck. See slides 19 and 20 of your deck and follow the instructions on what to include.

Benefits

Explore IT Processes Dive deeper into performance. Highlight problem areas.	Align IT Team Build consensus by identifying opposing views.	Ownership & Accountability Identify process owners and hold team members accountable.

Additional materials available on Info-Tech’s website.

Conduct a high-level analysis of current IT capabilities — Alternative

INPUT: Interviews with IT leadership team, Capabilities graphic on next slide

OUTPUT: High-level understanding of current IT capabilities

Run this activity if you're not able to conduct the IT Management & Governance Diagnostic.

Schedule meetings with your IT leadership team. (In smaller organizations, interviewing everyone may be acceptable.) Provide them a list of the core capabilities that IT delivers upon and ask them to rate them on an effectiveness scale of 1-5, with a short rationale for their score.

• 1. Not effective (NE)
• 2. Somewhat Effective (SE)
• 3. Effective (E)
• 4. Very Effective (VE)
• 5. Extremely Effective (EE)

Presentation Deck, slide 21

Use the following set of IT capabilities for your assessment

Quick wins: CEO-CIO Alignment Program

Complete this while waiting on the IT M&G survey results. Based on your completed CEO-CIO Alignment Report, identify the initiatives you can tackle immediately.

If you are here...	And want to be here...	Drive toward...	Innovate around...
Business Partner	Innovator	Leading business transformation	Emerging technologies Analytical capabilities Risk management Customer-facing tech Enterprise architecture
Trusted Operator	Business Partner	Optimizing business process and supporting business transformation	IT strategy and governance Business architecture Projects Resource management Data quality
Firefighter	Trusted Operator	Optimize IT processes and services	Business applications Service management Stakeholder management Work orders
Unstable	Firefighter	Reduce use disruption and adequately support the business	Network and infrastructure Service desk Security User devices

Call 4

Day 31 to Day 45

Inform your peers that you plan to do a CIO Business Vision survey to gauge your stakeholders’ satisfaction

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: CIO Business Vision survey (recommended)

OUTPUT: True measure of business satisfaction with IT

Materials: Presentation Deck, slide 30

Participants: CIO, IT staff

Meet the business leaders at your organization face-to-face if possible. If you can't meet in person, try a video conference to establish some rapport. At the end of your introduction and after listening to what your colleague has to say, introduce the CIO Business Vision Diagnostic.

Explain that you want to understand how to meet their business needs and you feel a formal approach is best. You'll also be using this approach as an important metric to track your department's success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take the survey when the email is sent to them.

Example email:

Hello PEER NAMES,

I'm arranging for Info-Tech Research Group to invite you to take a survey that will be important to me. The CIO Business Vision survey will help me understand how to meet your business needs. It will only take about 15 minutes of your time, and the top-line results will be shared with the organization. We will use the results to plan initiatives for the future that will improve your satisfaction with IT.

Regards,
CIO NAME

Gain feedback on your initial assessments from your IT team

There are two strategies for gaining feedback on your initial assessments of the organization from the IT team:

1. Review your personal assessments with the relevant members of your IT organization as a group. This strategy can help to build trust and an open channel for communication between yourself and your team; however, it also runs the risk of being impacted by groupthink.
2. Ask for your team to complete their own assessments for you to compare and contrast. This strategy can help extract more candor from your team, as they are not expected to communicate what may be nuanced perceptions of organizational weaknesses or criticisms of the way certain capabilities function.

Who you involve in this process will be impacted by the size of your organization. For larger organizations, involve everyone down to the manager level. In smaller organizations, you may want to involve everyone on the IT team to get an accurate lay of the land.

Areas for Review:

• Strategic Document Review: Are there any major themes or areas of interest that were not covered in my initial assessment?
• Competitor Array: Are there any initiatives in flight to leverage new technologies?
• Current State of IT Maturity: Does IT’s perception align with the CEO’s? Where do you believe IT has been most effective? Least effective?
• IT’s Key Priorities: Does IT’s perception align with the CEO’s?
• Key Performance Indicators: How has IT been measured in the past?

Info-Tech Best Practice

You need your team’s hearts and minds or you risk a short tenure. Overemphasizing business commitment by neglecting to address your IT team until after you meet your business stakeholders will result in a disenfranchised group. Show your team their importance.

Susan Bowen's talent maximization

CASE STUDY

Industry Infrastructure Services
Source Interview with Susan Bowen

Susan Bowen was promoted to be the president of Cogeco Peer 1, an infrastructure services firm, when it was still a part of Cogeco Communications. Part of her mandate was to help spin out the business to a new owner, which occurred when it was acquired by Digital Colony. The firm was renamed Aptum and Bowen was put in place as CEO, which was not a certainty despite her position as president at Cogeco Peer 1. She credits her ability to put the right talent in the right place as part of the reason she succeeded. After becoming president, she sought a strong commitment from her directors. She gave them a choice about whether they'd deliver on a new set of expectations – or not. She also asks her leadership on a regular basis if they are using their talent in the right way. While it's tempting for directors to want to hold on to their best employees, those people might be able to enable many more people if they can be put in another place. Bowen fully rounded out her leadership team after Aptum was formed. She created a chief operating officer and a chief infrastructure officer. This helped put in place more clarity around roles at the firm and put an emphasis on client-facing services.

Susan Bowen, CEO, Aptum (Image source: Aptum)

Listen to 'The First 100 Days' podcast – Susan Bowen

Initiate CIO Business Vision survey – new KPIs for stakeholder management — Recommended

Info-Tech CIO Business Vision

Be sure to effectively communicate the context of this survey to your business stakeholders before you launch it. Plan to talk about your plans to introduce it in your first meetings with stakeholders. When ready, let your executive advisor know you want to launch the tool and provide the names and email addresses of the stakeholders you want involved. After you have the results, harvest the materials required for your presentation deck. See slide 30 and follow the instructions on what to include.

Benefits

Key Stakeholders Clarify the needs of the business.	Credibility Create transparency.	Improve Measure IT’s progress.	Focus Find what’s important.

Additional materials are available on Info-Tech’s website.

Create a catalog of key stakeholder details to reference prior to future conversations — Alternative

Only conduct this activity if you’re not able to run the CIO Business Vision diagnostic.

Use the Organizational Catalog as a personal cheat sheet to document the key details around each of your stakeholders, including your CEO when possible.

The catalog will be an invaluable tool to keep the competing needs of your different stakeholders in line, while ensuring you are retaining the information to build the political capital needed to excel in the C-suite.

Note: It is important to keep this document private. While you may want to communicate components of this information, ensure your catalog remains under lock and (encryption) key.

Info-Tech Insight

While profiling your stakeholders is important, do not be afraid to profile yourself as well. Visualizing how your interests overlap with those of your stakeholders can provide critical information on how to manage your communications so that those on the receiving end are hearing exactly what they need.

Activity: Conduct interviews with your key business stakeholders — Alternative

1. Once you have identified your key stakeholders through your interviews with your boss and your IT team, schedule a set of meetings with those individuals.
2. Use the meetings to get to know your stakeholders, their key priorities and initiatives, and their perceptions of the effectiveness of IT.
   1. Use the probative questions to the right to elicit key pieces of information.
   2. Refer to the Organizational Catalog tool for more questions to dig deeper in each category. Ensure that you are taking notes separate from the tool and are keeping the tool itself secure, as it will contain private information specific to your interests.
3. Following each meeting, record the results of your conversation and any key insights in the Organizational Catalog. Refer to the following slide for more details.

Questions for Discussion:

• Be indirect about your personal questions – share stories that will elicit details about their interests, kids, etc.
• What are your most critical/important initiatives for the year?
• What are your key revenue streams, products, and services?
• What are the most important ways that IT supports your success? What is your satisfaction level with those services?
• Are there any current in-flight projects or initiatives that are a current pain point? How can IT assist to alleviate challenges?
• How is your success measured? What are your targets for the year on those metrics?

Presentation Deck, slide 34

Call 5

Day 46 to Day 60

Inform your team that you plan to do an IT staffing assessment

Introduce the IT Staffing Assessment that will help you get the most out of your team

INPUT: Email template

OUTPUT: Ready to launch diagnostic

Materials: Email template, List of staff, Sample of diagnostic

Participants: CIO, IT staff

Explain that you want to understand how the IT staff is currently spending its time by function and by activity. You want to take a formal approach to this task and also assess the team’s feelings about its effectiveness across different processes. The results of the assessment will serve as the foundation that helps you improve your team’s effectiveness within the organization.

Example email:

Hello PEER NAMES,

The feedback I've heard from the team since joining the company has been incredibly useful in beginning to formulate my IT strategy. Now I want to get a clear picture of how everyone is spending their time, especially across different IT functions and activities. This will be an opportunity for you to share feedback on what we're doing well, what we need to do more of, and what we're missing. Expect to receive an email invitation to take this survey from Info-Tech Research Group. It's important to me that you complete the survey as soon as you're can. Attached you’ll find an example of the report this will generate. Thank you again for providing your time and feedback.

Regards,
CIO NAME

Wayne Berger's shortcut to solve staffing woes

CASE STUDY

Industry Office leasing
Source Interview with Wayne Berger

Wayne Berger was hired to be the International Workplace Group (IWG) CEO for Canada and Latin America in 2014. Wayne approached his early days with the office space leasing firm as a tour of sorts, visiting nearly every one of the 48 office locations across Canada to host town hall meetings. He heard from staff at every location that they felt understaffed. But instead of simply hiring more staff, Berger actually reduced the workforce by 33%. He created a more flexible approach to staffing: Employees no longer just reported to work at one office; instead, they were ready to go to wherever they were most needed in a specific geographic area. He centralized all back-office functions for the company so that not every office had to do its own bookkeeping. Finally, he changed the labor profile to consist of full-time staff, part-time staff, and time-on-demand workers.

Wayne Berger, CEO, IWG Plc (Image source: IWG)

Listen to 'The First 100 Days' podcast – Wayne Berger

Initiate IT Staffing Assessment – new KPIs to track IT performance — Recommended

Info-Tech IT Staffing Assessment

Info-Tech’s IT Staffing Assessment provides benchmarking of key metrics against 4,000 other organizations. Dashboard-style reports provide key metrics at a glance, including a time breakdown by IT function and by activity compared against business priorities. Run this survey at about the 45-day mark of your first 90 days. Its insights will be used to inform your long-term IT strategy.

Benefits

Right-Size IT Headcount Find the right level for stakeholder satisfaction.	Allocate Staff Correctly Identify staff misalignments with priorities.	Maximize Teams Identify how to drive staff.

Additional materials are available on Info-Tech’s website.

Quick wins: Make recommendations based on IT Management & Governance Framework

Complete this exercise while waiting on the IT Staffing Assessment results. Based on your completed IT Management & Governance report, identify the initiatives you can tackle immediately. You can conduct this as a team exercise by following these steps:

1. Create a shortlist of initiatives based on the processes that were identified as high need but scored low in effectiveness. Think as broadly as possible during this initial brainstorming.
2. Write each initiative on a sticky note and conduct a high-level analysis of the amount of effort that would be required to complete it, as well as its alignment with the achievement of business objectives.
3. Draw the matrix below on a whiteboard and place each sticky note onto the matrix based on its potential impact and difficulty to address.

Call 6

Day 61 to Day 75

Run a start, stop, continue exercise with your IT staff — Alternative

This is an alternative activity to running an IT Staffing Assessment, which contains a start/stop/continue assessment. This activity can be facilitated with a flip chart or a whiteboard. Create three pages or three columns and label them Start, Stop, and Continue.

Hand out sticky notes to each team member and then allow time for individual brainstorming. Instruct them to write down their contributions for each category on the sticky notes. After a few minutes, have everyone stick their notes in the appropriate category on the board. Discuss as a group and see what themes emerge. Record the results that you want to share in your presentation deck (GroupMap).

Gather your team and explain the meaning of these categories:

Start: Activities you're not currently doing but should start doing very soon.

Stop: Activities you're currently doing but aren’t working and should cease.

Continue: Things you're currently doing and are working well.

Presentation Deck, slide 24

Determine the alignment of IT commitments with business objectives

INPUT: Interviews with IT leadership team

OUTPUT: High-level understanding of in-flight commitments and investments

Run this only as an alternative to the IT Management & Governance Diagnostic.

1. Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.
2. Determine the following about IT’s current investment mix:
   1. What are the current IT investments and assets? How do they align to business goals?
   2. What investments in flight are related to which information assets?
   3. Are there any immediate risks identified for these key investments?
   4. What are the primary business issues that demand attention from IT consistently?
   5. What choices remain undecided in terms of strategic direction of the IT organization?
3. Document your key investments and commitments as well as any points of misalignment between objectives and current commitments as action items to address in your long-term plans. If they are small fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Determine the alignment of IT commitments with business objectives

Run this only as an alternative to the IT Staffing Assessment diagnostic.

Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.

Determine the following about IT’s current investment mix:

• What are the current IT investments and assets?
• How do they align to business goals?
• What in-flight investments are related to which information assets?
• Are there any immediate risks identified for these key investments?
• What are the primary business issues that demand attention from IT consistently?
• What remains undecided in terms of strategic direction of the IT organization?

Document your key investments and commitments, as well as any points of misalignment between objectives and current commitments, as action items to address in your long-term plans. If they are small-effort fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Make a categorized vendor list by IT process

As part of learning the IT team, you should also create a comprehensive list of vendors under contract. Collaborate with the finance department to get a clear view of how much of the IT budget is spent on specific vendors. Try to match vendors to the IT processes they serve from the IT M&G framework.

You should also organize your vendors based on their budget allocation. Go beyond just listing how much money you’re spending with each vendor and categorize them into either “transactional” relationships or “strategic relationships.” Use the grid below to organize them. Ideally, you’ll want most relationships to be high spend and strategic (Source: Gary Davenport).

Where to source your vendor list:

• Finance department
• Infrastructure managers
• Vendor manager in IT

Further reading: Manage Your Vendors Before They Manage You

Presentation Deck, slide 26

Jennifer Schaeffer’s short-timeline turnaround

CASE STUDY

Industry Education
Source Interview with Jennifer Schaeffer

Jennifer Schaeffer joined Athabasca University as CIO in November 2017. She was entering a turnaround situation as the all-online university lacked an IT strategy and had built up significant technical debt. Armed with the mandate of a third-party consultant that was supported by the president, Schaeffer used a people-first approach to construct her strategy. She met with all her staff, listening to them carefully regardless of role, and consulted with the administrative council and faculty members. She reflected that feedback in her plan or explained to staff why it wasn’t relevant for the strategy. She implemented a “strategic calendaring” approach for the organization, making sure that her team members were participating in meetings where their work was assessed and valued. Drawing on Spotify as an inspiration, she designed her teams in a way that everyone was connected to the customer experience. Given her short timeline to execute, she put off a deep skills analysis of her team for a later time, as well as creating a full architectural map of her technology stack. The outcome is that 2.5 years later, the IT department is unified in using the same tooling and optimization standards. It’s more flexible and ready to incorporate government changes, such as offering more accessibility options.

Jennifer Schaeffer took on the CIO role at Athabasca University in 2017 and was asked to create a five-year strategic plan in just six weeks. (Image source: Athabasca University)

Listen to 'The First 100 Days' podcast – Eric Wright

Call 7

Day 76 to Day 90

Finalize your vision – mission – values statement

A clear statement for your values, vision, and mission will help crystallize your IT strategy and communicate what you're trying to accomplish to the entire organization.

Mission: This statement describes the needs that IT was created to meet and answers the basic question of why IT exists.

Vision: Write a statement that captures your values. Remember that the vision statement sets out what the IT organization wants to be known for now and into the future.

Values: IT core values represent the standard axioms by which the IT department operates. Similar to the core values of the organization as a whole, IT’s core values are the set of beliefs or philosophies that guide its strategic actions.

Further reading: IT Vision and Mission Statements Template

Presentation Deck, slide 42

John Chen's new strategic vision

CASE STUDY

Industry Mobile Services
Source Sean Silcoff, The Globe and Mail

John Chen, known in the industry as a successful turnaround executive, was appointed BlackBerry CEO in 2014 following the unsuccessful launch of the BlackBerry 10 mobile operating system and a new tablet. He spent his first three months travelling, talking to customers and suppliers, and understanding the company's situation. He assessed that it had a problem generating cash and had made some strategic errors, but there were many assets that could benefit from more investment. He was blunt about the state of BlackBerry, making cutting observations of the past mistakes of leadership. He also settled a key question about whether BlackBerry would focus on consumer or enterprise customers. He pointed to a base of 80,000 enterprise customers that accounted for 80% of revenue and chose to focus on that. His new mission for BlackBerry: to transform it from being a "mobile technology company" that pushes handset sales to "a mobile solutions company" that serves the mobile computing needs of its customers.

John Chen, CEO of BlackBerry, presents at BlackBerry Security Summit 2018 in New York City (Image source: Brian Jackson)

Listen to 'The First 100 Days' podcast – Erin Bury

Quick wins: Make recommendations based on the CIO Business Vision survey

Based on your completed CIO Business Vision survey, use the IT Satisfaction Scorecard to determine some initiatives. Focus on areas that are ranked as high importance to the business but low satisfaction. While all of the initiatives may be achievable given enough time, use the matrix below to identify the quick wins that you can focus on immediately. It’s important to not fail in your quick-win initiative.

• High Visibility, Low Risk: Best bet for demonstrating your ability to deliver value.
• Low Visibility, Low Risk: Worth consideration, depending on the level of effort required and the relative importance to the stakeholder.
• High Visibility, High Risk: Limit higher-risk initiatives until you feel you have gained trust from your stakeholders, demonstrating your ability to deliver.
• Low Visibility, High Risk: These will be your lowest value, quick-win initiatives. Keep them in a backlog for future consideration in case business objectives change.

Presentation Deck, slide 27

Create and communicate a post-100 plan

The last few slides of your presentation deck represent a roundup of all the assessments you’ve done and communicate your plan for the months ahead.

Slide 38. Based on the information on the previous slide and now knowing which IT capabilities need improvement and which business priorities are important to support, estimate where you'd like to see IT staff spend their time in the near future. Will you be looking to shift staff from one area to another? Will you be looking to hire staff?

Slide 39. Take your IT M&G initiatives from slide 19 and list them here. If you've already achieved a quick win, list it and mark it as completed to show what you've accomplished. Briefly outline the objectives, how you plan to achieve the result, and what measurement will indicate success.

Slide 40. Reflect your CIO Business Vision initiatives from slide 31 here.

Slide 41. Use this roadmap template to list your initiatives by roughly when they’ll be worked on and completed. Plan for when you’ll update your diagnostics.

Expert Contributors

	Alan Fong, Chief Technology Officer, Dealer-FX
	Andrew Wertkin, Chief Strategy Officer, BlueCat Networks David Penny, Chief Technology Officer, BlueCat Networks
	Susan Bowen, CEO, Aptum

	Erin Bury, CEO, Willful
	Denis Gaudreault, Country Manager, Intel Canada and Latin America
	Wayne Berger, CEO, IWG Plc

	Eric Wright, CEO, LexisNexis Canada
	Gary Davenport, past president of CIO Association” of Canada, former VP of IT, Enterprise Solutions Division, MTS AllStream
	Jennifer Schaeffer, VP of IT and CIO, Athabasca University

Bibliography

Beaudan, Eric. “Do you have what it takes to be an executive?” The Globe and Mail, 9 July 2018. Web.

Bersohn, Diana. “Go Live on Day One: The Path to Success for a New CIO.” PDF document. Accenture, 2015. Web.

Bradt, George. “Executive Onboarding When Promoted From Within To Follow A Successful Leader.” Forbes, 15 Nov. 2018. Web.

“CIO Stats: Length of CIO Tenure Varies By Industry.” CIO Journal, The Wall Street Journal. 15 Feb. 2017. Web.

“Enlarging Your Sphere of Influence in Your Organization: Your Learning and Development Guide to Getting People on Side.” MindTools Corporate, 2014.

“Executive Summary.” The CIO's First 100 Days: A Toolkit. PDF document. Gartner, 2012. Web.

Forbes, Jeff. “Are You Ready for the C-Suite?” KBRS, n.d. Web.

Gallo, Carmine. “Tim Cook Uses These 5 Words to Take Control of Any Conversation.” Inc., 9 Aug. 2019. Web.

Giles, Sunnie. “The Most Important Leadership Competencies, According to Leaders Around the World.” Harvard Business Review, 15 March 2016. Web.

Godin, Seth. “Ode: How to tell a great story.” Seth's Blog. 27 April 2006. Web.

Green, Charles W. “The horizontal dimension of race: Social culture.” Hope College Blog Network, 19 Oct. 2014. Web.

Hakobyan, Hayk. “On Louis Gerstner And IBM.” Hayk Hakobyan, n.d. Web.

Bibliography

Hargrove, Robert. Your First 100 Days in a New Executive Job, edited by Susan Youngquist. Kindle Edition. Masterful Coaching Press, 2011.

Heathfield, Susan M. “Why ‘Blink’ Matters: The Power of Your First Impressions." The Balance Careers, 25 June 2019. Web.

Hillis, Rowan, and Mark O'Donnell. “How to get off to a flying start in your new job.” Odgers Berndtson, 29 Nov. 2018. Web.

Karaevli, Ayse, and Edward J. Zajac. “When Is an Outsider CEO a Good Choice?” MIT Sloan Management Review, 19 June 2012. Web.

Keizer, Gregg. “Microsoft CEO Nadella Aces First-100-Day Test.” Computerworld, 15 May 2014. Web.

Keller, Scott, and Mary Meaney. “Successfully transitioning to new leadership roles.” McKinsey & Company, May 2018. Web.

Kress, R. “Director vs. Manager: What You Need to Know to Advance to the Next Step.” Ivy Exec, 2016. Web.

Levine, Seth. “What does it mean to be an ‘executive’.” VC Adventure, 1 Feb. 2018. Web.

Lichtenwalner, Benjamin. “CIO First 90 Days.” PDF document. Modern Servant Leader, 2008. Web.

Nawaz, Sabina. “The Biggest Mistakes New Executives Make.” Harvard Business Review, 15 May 2017. Web.

Pruitt, Sarah. “Fast Facts on the 'First 100 Days.‘” History.com, 22 Aug. 2018. Web.

Rao, M.S. “An Action Plan for New CEOs During the First 100 Days.” Training, 4 Oct. 2014. Web.

Reddy, Kendra. “It turns out being a VP isn't for everyone.” Financial Post, 17 July 2012. Web.

Silcoff, Sean. “Exclusive: John Chen’s simple plan to save BlackBerry.” The Globe & Mail, 24 Feb. 2014. Web.

Bibliography

“Start Stop Continue Retrospective.” GroupMap, n.d. Web.

Surrette, Mark. “Lack of Rapport: Why Smart Leaders Fail.” KBRS, n.d. Web.

“Understanding Types of Organization – PMP Study.” Simplilearn, 4 Sept. 2019. Web.

Wahler, Cindy. “Six Behavioral Traits That Define Executive Presence.” Forbes, 2 July 2015. Web.

Watkins, Michael D. The First 90 Days, Updated and Expanded. Harvard Business Review Press, 2013.

Watkins, Michael D. “7 Ways to Set Up a New Hire for Success.” Harvard Business Review, 10 May 2019. Web.

“What does it mean to be a business executive?” Daniels College of Business, University of Denver, 12 Aug. 2014. Web.

Yeung, Ken. “Turnaround: Marissa Mayer’s first 300 days as Yahoo’s CEO.” The Next Web, 19 May 2013. Web.

Define Your Virtual and Hybrid Event Requirements

Accelerate your event scoping and software selection process.

Analyst Perspective

When events go virtual, IT needs to cover its bases.

The COVID-19 pandemic imposed a dramatic digital transformation on the events industry. Though event ticket and registration software, mobile event apps, and onsite audio/visual technology were already important pieces of live events, the total transformation of events into online experiences presented major challenges to organizations whose regular business operations involve at least one annual mid-sized to large event (association meetings, conferences, trade shows, and more).

Many organizations worked to shift to online, or virtual events, in order to maintain business continuity. As time went on, and public gatherings began to restart, a shift to “hybrid” events began to emerge—events that accommodate both in-person and virtual attendance. Regardless of event type, this pivot to using virtual event software, or digital event technology, brings events more closely into IT’s areas of responsibility. If you don't begin with strategy, you risk fitting your event to technology, instead of the other way around.

If virtual and hybrid events are becoming standard forms of delivering content in your organization, use Info-Tech’s material to help define the scope of the event and your requirements, and to support your software selection process.

Emily Sugerman
Research Analyst, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

If you don't begin with strategy, you will fit your event to technology, instead of the other way around.

Your challenge

The solution you have been using for online events does not meet your needs.

Though you do have some tools that support large meetings, it is not clear if you require a larger and more comprehensive virtual event solution. There is a need to determine what type of technology you might need to purchase versus leveraging what you already have.

It is difficult to quickly and practically identify core event requirements and how they translate into technical capabilities.

Maintaining or improving audience engagement is a perpetual challenge for virtual events.

Source: Virtual Event Tech Guide, 2022

Common obstacles

These barriers make this challenge difficult to address for many organizations.

Events with networking objectives are not always well served by webinars, which are traditionally more limited in their interactive elements.

Events that include the conducting of organizational/association business (like voting) may have bylaws that make selecting a virtual solution more challenging.

Maintaining attendee engagement is more challenging in a virtual environment.

Prior to the pandemic, your organization may not have been as experienced in putting on fully virtual events, putting more responsibility in your corner as IT. Navigating virtual events can also require technological competencies that your attendee userbase may not universally possess.

Technological limitations and barriers to access can exclude potential attendees just as much as bringing events online can open up attendance to new audiences.

Opportunity: Virtual events can significantly increase an event’s reach

Events held virtually during the pandemic noted significant increases in attendees.

“We had 19,000 registrations from all over the world, almost 50 times the number of people we had expected to host in Amsterdam. . . . Most of this year’s [2020] attendees would not have been able to participate in a physical GrafanaCon in Amsterdam. That was a huge win.” – Raj Dutt, Grafana Labs CEO[5]

[1] Kelly, 2020; [2] Price, 2020; [3] Stanford Digital Economy Lab, 2022; [4] Warren, 2022; [5] Fast Company, 2020

Info-Tech’s methodology for defining virtual/hybrid event requirements

Event planning phases

Apply project management principles to your virtual/hybrid event planning process.

Online event planning should follow the same established principles as in-person event planning.
Align the event’s concept and objectives with organizational goals.

Source: Adapted from Event Management Body of Knowledge, CC BY 4.0

Gather inputs to the planning processes

Acquire as much of this information as possible before you being the planning process.

Budget: Determine your organization’s budget for this event to help decide the scope of the event and the purchasing decisions you make as you plan.

Internal human resources: Identify who in your organization is usually involved in the organization of this event and if they are available to organize this one.

List of communication and collaboration tools: Acquire the list of the existing communication and collaboration tools you are currently licensed for. Ensure you know the following information about each tool:

• Type of license
• License limitations (maximum number of users)
• Internal or external-facing tool (or capable of both)
• Level of internal training and competency on the tool

Decision point: Relate event goals to organizational goals

What is driving the event?

Your organization may hold a variety of in-person events that you now wish, for various reasons, to hold fully or partially online. Each event likely has a slightly different set of goals.

Before getting into the details of how to transition your event online, return to the business/organizational goals the event is serving.

Ensure each event (and each component of each event) maps back to an organizational goal.

If a component of the event does not align to an organizational goal, assess whether it should remain as part of the event.

Common organizational goals

• Increase revenue
• Increase productivity
• Attract and retain talent
• Improve change management
• Carry out organizational mission
• Identify new markets
• Increase market share
• Improve customer service
• Launch new product/service

Common event goals

• Education/training
• Knowledge transfer
• Decision making
• Professional development
• Sales/lead generation
• Fundraising
• Entertainment
• Morale boosting
• Recognition of achievement

Decision point: Identify your organization’s digital event vision

What do you want the outcome of this event to be?

Attendee goals: Who are your attendees? Why do they attend this event? What attendee needs does your event serve? What is your event’s value proposition? Are they intrinsically or extrinsically motivated to attend?

Event goals: From the organizer perspective, why do you usually hold this event? Who are your stakeholders?

Organizational goals: How do the event goals map to your organizational goals? Is there a clear understanding of what the event’s larger strategic purpose is.

Common attendee goals

Education: our attendees need to learn something new that they cannot learn on their own.
Networking: our attendees need to meet people and make new professional connections.
Professional development: our attendees have certain obligations to keep credentials updated or to present their work publicly to advance their careers.
Entertainment: our attendees need to have fun.
Commerce: our attendees need to buy and sell things.

Decision point: Level of external event production

Will you be completely self-managed, reliant on external event production services, or somewhere in the middle?

You can review this after working through the other decision points and the scope becomes clearer.

Decision point: Assign event planning roles

Who will be involved in planning the event? Fill/combine these roles as needed.

Decision point: Assign event production roles

Who will be involved in running the event?

Decision point: Map attendee goals to event goals to organizational goals

Input: List of attendee benefits, List of event goals, List of organizational goals
Output: Ranked list of event goals as they relate to attendee needs and organizational goals
Materials: Whiteboard/flip charts
Participants: Planning team

1. Define attendee benefits:
   1. List the attendee benefits derived from your event (as many as possible).
   2. Rank attendee benefits from most to least important.
2. Define event goals:
   1. List your event goals (as many as possible).
   2. Draw a connecting line to your ranked list of attendee benefits.
   3. Identify if any event goals exist with no clear relationship to attendee benefits. Discuss whether this event goal needs to be re-envisioned. If it connects to no discernible attendee benefits, consider removing it. Otherwise, figure out what attendee benefits the event goal provides.
3. Define organizational goals:
   1. Acquire a list of your organization’s main strategic goals.
   2. Draw a connecting line from each event goal to the organizational goal it supports.
   3. If most of your event goals do not immediately seem to support an organizational goal, discuss why this is. Try to find the connection. If you cannot, discuss whether the event should proceed or be rethought.

Decision point: Break down your event into its constituent components

Identify your event archetype

Decompose the event into its component parts

Identify technical requirements that help meet event goals

Benefits:

• Clarify how formerly in-person events map to virtual archetypes.
• Ensure your virtual event planning is anchored to organizational goals from the outset.
• Streamline your virtual event tech stack planning later.

Decision point: Determine your event archetype

Analyze your event’s:

• Main goals.
• The components and activities that support those goals.
• How these components and activities fall into people- vs. content-centric activities, and real-time vs. asynchronous activities.

1. Conference
2. Trade show
3. Annual general meeting
4. Department meeting
5. Town hall
6. Workshop

Info-Tech Insight

Begin the digital event planning process by understanding how your event’s content is typically consumed. This will help you make decisions later about how best to deliver the content virtually.

Conference

Goals: Education/knowledge transfer; professional advancement; networking.

Major content

• Call for proposals/circulation of abstracts
• Keynotes or plenary address: key talk addressed to large audience
• Panel sessions: multiple panelists deliver address on common theme
• Poster sessions: staffed/unstaffed booths demonstrate visualization of major research on a poster
• Association meetings (see also AGM archetype): professional associations hold AGM as one part of a larger conference agenda

Community

• Formal networking (happy hours, social outings)
• Informal networking (hallway track, peer introductions)
• Business card exchange
• Pre- and post-event correspondence

Commercial Partners

• Booth reps: Publishing or industry representatives exhibit products/discuss collaboration

Trade show

Objectives: Information transfer; sales; lead generation.

Major content

• Live booth reps answer questions
• Product information displayed
• Promotional/information material distributed
• Product demonstrations at booths or onstage
• Product samples distributed to attendees

Community interactions

• Statements of intent to buy
• Lead generation (badge scanning) of booth visitors
• Business card exchange
• Pre- and post-event correspondence

Annual general meeting

Objectives: Transparently update members; establish governance and alignment.

Meeting events

• Updates provided to members on organization’s activities/finances
• Decisions made regarding organization’s direction
• Governance over organization established (elections)
• Speakers addressing large audience from stage
• In-camera sessions
• Translation of proceedings
• Real-time weighted voting
• Minutes taken during meeting

Administration

• Notice given of meeting within mandated time period
• Agenda circulated prior to meeting
• Distribution of proxy material
• Minutes distributed

Department meeting

Objectives: Information transfer of company agenda/initiatives; group decision making.

Major content

• Agenda circulated prior to meeting
• Updates provided from senior management/leadership to employees on organization’s initiatives and direction
• Employee questions and feedback addressed
• Group decision making
• Minutes taken during meeting
• Minutes or follow-up circulated

Town hall meeting

Objectives: Update public; answer questions; solicit feedback.

Major content

• Public notice of meeting announced
• Agenda circulated prior to meeting
• Speakers addressing large audience from stage
• Presentation of information pertinent to public interest
• Audience members line up to ask questions/provide feedback
• Translation of proceedings
• Recording of meeting archived

Workshop

Objectives: Make progress on objective; achieve consensus; knowledge transfer.

Major content

• Scheduling of workshop
• Agenda circulated prior to meeting
• Facilitator leads group activities
• Participants develop alignment on project
• Progress achieved on workshop project
• Feedback on workshop shared with facilitator

Decision point: Analyze your event’s purpose and value

Use the event archetypes to help you identify your event’s core components and value proposition.

1. Attendee types: Who typically attends your event? Exclusively internal participants? External participants? A mix of the two?
2. Communication: How do participants usually communicate with each other during this event? How do they communicate with the event organizers? Include both formal types of communication (listening to panel sessions) and informal (serendipitous conversations in the hallway).
3. Connection: What types of connections do your attendees need to experience? (networking with peers; interactions with booth reps; consensus building with colleagues).
4. Exchange of material: What kind of material is usually exchanged at this event and between whom? (Pamphlets, brochures, business cards, booth swag).
5. Engagement: How do you usually retain attendees' attention and make sure they remain engaged throughout the event?
6. Length: How long does the event typically last?
7. Location and setup: Where does the event usually take place and who is involved in its setup?
8. Success metrics: How do you usually measure your event's success?

Info-Tech Insight

Avoid trying to exactly reproduce the formerly in-person event online. Instead, identify the value proposition of each event component, then determine what its virtual expression could be.

Example: Trade show

Goals: Information transfer; sales; lead generation.

1. Identify event component(s)
2. Document its face-to-face expression(s)
3. Identify the expression’s value proposition
4. Translate the value proposition to a virtual component that facilitates overall event goal

Plan your metrics

Use the analytics and reporting features available in your event technology toolset to capture the data you want to measure. Decide how each metric will impact your planning process for the next event.

Examples of metrics:

• Number of overall participants/registrants: Did you have more or fewer registrants/attendees than previous iterations of the event? What is the difference between number of registrants and number of real attendees?
• Locations of participants: Where are people participating from? How many are attending for the first time? Are there new audiences you can pursue next time?
• Most/least popular sessions: How long did people stay in the sessions and the event overall?
• Most/least popular breakout rooms and discussion boards: Which topics should be repeated/skipped next time?
• Social media mentions: Which topics received the most engagement on social media?
• Surveys: What do participants report enjoying most? Least?
• Technical failures: Can your software report on failures? Identify what technical problems arose and prepare a plan to mitigate them next time.

Ensure the data you capture feeds into better planning for the next event

Determine compliance requirements

A greater event reach also means new data privacy considerations, depending on the location of your guests.

General Data Protection Regulation (GDPR)

Concerns over the collection of personal electronic data may not have previously been a part of your event planning considerations. However, now that your event is online, it’s wise to explore which data protection regulations apply to you. Remember, even if your organization is not located in the EU, if any of your attendees are European data subjects you may still be required to comply with GDPR, which involves the notification of data collected, allowing for opt-out options and the right to have data purged. The data must be collected for a specific purpose; if that purpose is expired, it can no longer be retained. You also have an obligation to report any breaches.

Accessibility requirements

What kind of accessibility laws are you subject to (AODA, WCAG2)? Regardless of compliance requirements, it is a good idea to ensure the online event follows accessibility best practices.

Decision point: Set event policies

What event policies need to be documented?
How will you communicate them to attendees?

Code of conduct

One trend in the large event and conference space in recent years has been the development of codes of conduct that attendees are required to abide by to continue participating in the event.
Now that your event is online, consider whether your code of conduct requires updating. Are there new types of appropriate/inappropriate online behavior that you need to define for your attendees?

Harassment reporting

If your organization has an event harassment reporting process, determine how this process will transfer over to the digital event.
Ensure the reporting process has an owner and a clear methodology to follow to deal with complaints, as well as a digital reporting channel (a dedicated email or form) that is only accessed by approved staff to protect sensitive information.

Develop a risk management plan

Plan for how you will mitigate technical risks during your virtual event
Provide presenters with a process to follow if technical problems arise.

• Presenter’s internet connection cuts out
• Attendees cannot log in to event platform
• Attendees cannot hear/see video feed
• What process will be followed when technical problems occur: ticketing system; chatbot; generic email accessible by all IT support assigned

Testing/Rehearsal

Test audio hardware: Ensure speakers use headphones/earbuds and mics (they do not have to be fancy/expensive). Relying on the computer/laptop mic can lead to more ambient noise and potential feedback problems.

Check lighting: Avoid backlighting. Reposition speakers so they are not behind windows. Ask them to open/close shades. Add lamps as needed.

Prevent interruptions: Before the event, ask panelists to turn phone and computer notifications to silent. Put a sign on the door saying Do not Disturb.

Control audience view of screenshare: If your presenters will be sharing their screens, teach them how this works on the platform they are using. Advise them to exit out of any other application that is not part of their presentation, so they do not share the wrong screen unintentionally. Advise them to remove anything from the desktop that they do not want the audience to see, in case their desktop becomes visible at any point.

Control audience view of physical environment: Before the event, advise participants to turn their cameras on and examine their backgrounds. Remove anything the audience should not be able to see.

Test network connectivity: Send the presenters a link to a speed test and check their internet speed.

Emergency contact: Exchange cell phone numbers for emergency backchannel conversations if problems arise on the day of the event.

Set expectations: Presenting to an online audience feels very different to a live crowd. Prepare presenters for a lack of applause and lack of ability to see their audience, and that this does not mean the presentation was unsuccessful.

Identify requirements

To determine what kind of technical requirements you need to build the virtual expression of your event, consult the Virtual Event Platform Requirements Tool.

1. If you have determined that the requirements you wish to use for the event exceed the capabilities of your existing communication and collaboration toolset, identify whether these gaps tip the scale toward purchasing a new tool. Use the requirement gaps to make the business case for purchasing a new tool.
2. Use the Virtual Event Platform Requirements Tool to create a list of requirements.
3. Consult the Software Reviews category for Virtual Event Platform Data Quadrant and Emotional Footprint reports.
4. Assemble your documentation for approvals and the Rapid Application Selection Process.

Download the Virtual/Hybrid Event Software Feature Analysis Tool

Rapid Application Selection Framework and Contract Review

Launch Info-Tech’s Rapid Application Selection Framework.

Using the requirements you’ve just gathered as a base, use Info-Tech’s complete framework to improve the efficiency and effectiveness of software selection.

Once you’ve selected a vendor(s), review the contract. Does it define an exit strategy? Does it define when your data will be deleted? Does it set service-level agreements that you find acceptable? Leverage Info-Tech’s contract review service once you have selected the virtual event solution and have received a contract from the vendor.

Further research

Run Better Meetings

Bibliography

Dutt, Raj. “7 Lessons from This Company’s First-Ever Virtual Conference.” Fast Company, 29 Jul 2020. Web.

Kelly, Samantha Murphy. “Microsoft Build Proves Splashy Tech Events Can Thrive Online.” CNN, 21 May 2020. Web.

“Phases.” Event Management Body of Knowledge (EMBOK), n.d. Web.

Price, Michael. “As COVID-19 Forces Conferences Online, Scientists Discover Upsides of Virtual Format.” Science, 28 Apr 2020. Web.

“Stanford HAI Spring Conference - Key Advances in Artificial Intelligence.” Stanford Digital Economy Lab, 2022. Web.

“Virtual Event Tech Guide 2022.” Skift Meetings, April 2022. Web.

Warren, Tom. “Microsoft Build 2022 Will Take Place May 24th–26th.” The Verge, 30 March 2022. Web.

Contributors

6 anonymous contributors

Select a Security Outsourcing Partner

Outsource the right functions to secure your business.

Analyst Perspective

Understanding your security needs and remaining accountable is the key to selecting the right partner.

The need for specialized security services is fast becoming a necessity to most organizations. However, resource challenges will always mean that organizations will still have to take practical measures to ensure that the time, quality, and service that they require from outsourcing partners have been carefully crafted and packaged to elicit the right services that cover all their needs and requirements.

Organizations must ensure that security partners are aligned not only with their needs and requirements, but also with the corporate culture. Rather than introducing hindrances to daily operations, security partners must support business goals and protect the organization’s interests at all times.

And as always, outsource only your responsibilities and do not outsource your accountability, as that will cost you in the long run.

Danny Hammond
Research Analyst
Security, Risk, Privacy & Compliance Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Mitigate security risks by developing an end-to-end process that ensures you are outsourcing your responsibilities and not your accountability.

Your Challenge

This research is designed to help organizations select an effective security outsourcing partner.

• A security outsourcing partner is a third-party service provider that offers security services on a contractual basis depending on client needs and requirements.
• An effective outsourcing partner can help an organization improve its security posture by providing access to more specialized security experts, tools, and technologies.
• One of the main challenges with selecting a security outsourcing partner is finding a partner that is a good fit for the organization's unique security needs and requirements.
• Security outsourcing partners typically have access to sensitive information and systems, so proper controls and safeguards must be in place to protect all sensitive assets.
• Without careful evaluation and due diligence to ensure that the partner is a good fit for the organization's security needs and requirements, it can be challenging to select an outsourcing partner.

Outsourcing is effective, but only if done right

• 83% of decision makers with in-house cybersecurity teams are considering outsourcing to an MSP (Syntax, 2021).
• 77% of IT leaders said cyberattacks were more frequent (Syntax, 2021).
• 51% of businesses suffered a data breach caused by a third party (Ponemon, 2021).

Common Obstacles

The problem with selecting an outsourcing partner isn’t a lack of qualified partners, it’s the lack of clarity about an organization's specific security needs.

• Most organizations do not have a clear understanding of their current security posture, their security goals, and the specific security services they require. Without a clear understanding of their needs, organizations may struggle to identify a partner that can meet their requirements.
• Breakdowns and lack of communication can be a significant obstacle, especially when clear lines of communication with partners, including regular check-ins, reporting, and incident response protocols, have not been clearly established.
• Ensuring that security partner's systems and processes integrate seamlessly with existing systems can be a challenge for most organizations. This is in addition to making sure that security partners have the necessary access and permissions to perform their services effectively.
• Adhering to security policies is rarely a priority to users, as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

Source: IBM, 2022 Cost of a Data Breach; N=537.

Info-Tech’s methodology for selecting a security outsourcing partner

Determine your responsibilities

Determine what responsibilities you can outsource to a service partner. Analyze which responsibilities you should outsource versus keep in-house? Do you require a service partner based on identified responsibilities?

Scope your requirements

Refine the list of role-based requirements, variables, and features you will require. Use a well-known list of critical security controls as a framework to determine these activities and send out RFPs to pick the best candidate for your organization.

Manage your outsourcing program

Adopt a program to manage your third-party service security outsourcing. Trust your managed security service providers (MSSP) but verify their results to ensure you get the service level you were promised.

Select a Security Outsourcing Partner

Blueprint benefits

Insight summary

Overarching insight: You can outsource your responsibilities but not your accountability.

Determine what to outsource: Assess your responsibilities to determine which ones you can outsource. It is vital that an understanding of how outsourcing will affect the organization, and what cost savings, if any, to expect from outsourcing is clear in order to generate a list of responsibilities that can/should be outsourced.

Select the right partner: Create a list of variables to evaluate the MSSPs and determine which features are important to you. Evaluate all potential MSSPs and determine which one is right for your organization

Manage your MSSP: Align the MSSP to your organization. Adopt a program to monitor the MSSP which includes a long-term strategy to manage the MSSP.

Identifying security needs and requirements = Effective outsourcing program: Understanding your own security needs and requirements is key. Ensure your RFP covers the entire scope of your requirements; work with your identified partner on updates and adaptation, where necessary; and always monitor alignment to business objectives.

Measure the value of this blueprint

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Overall Impact: 8.9 /10

Overall Average Cost Saved: $22,950

Overall Average Days Saved: 9

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Build a Data Integration Strategy

Integrate your data or disintegrate your business.

ANALYST PERSPECTIVE

Integrate your data or disintegrate your business.

"Point-to-point integration is an evil that builds up overtime due to ongoing business changes and a lack of integration strategy. At the same time most businesses are demanding consistent, timely, and high-quality data to fuel business processes and decision making.

A good recipe for successful data integration is to discover the common data elements to share across the business by establishing an integration platform and a canonical data model.

Place yourself in one of our use cases and see how you fit into a common framework to simplify your problem and build a data-centric integration environment to eliminate your data silos."

Rajesh Parab, Director, Research & Advisory Services

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

• Data engineers feeling the pains of poor integration from inaccuracies and inefficiencies during the data integration lifecycle.
• Business analysts communicating the need for improved integration of data.
• Data architects looking to design and facilitate improvements in the holistic data environment.
• Data architects putting high-level architectural design changes into action.

This Research Will Also Assist:

• CIOs concerned with the costs, benefits, and the overall structure of their organization’s data flow.
• Enterprise architects trying to understand how improved integration will affect overall organizational architecture.

This Research Will Help You:

• Understand what integration is, and how it fits into your organization.
• Identify opportunities for leveraging improved integration for data-driven insights.
• Design a loosely coupled integration architecture that is flexible to changing needs.
• Determine the needs of the business for integration and design solutions for the gaps that fit the requirements.

This Research Will Help Them:

• Get a handle on the current data situation and how data interacts within the organization.
• Understand how data architecture affects operations within the enterprise.

Executive summary

Situation

• As organizations process more information at faster rates, there is increased pressure for faster and more efficient data integration.
• Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.

Complication

• Investments in integration can be a tough sell for the business, and it is difficult to get support for integration as a standalone project.
• Evolving business models and uses of data are growing rapidly at rates that often exceed the investment in data management and integration tools. As a result, there is often a gap between data availability and the business’ latency demands.

Resolution

• Create a data-centric integration solution that supports the flow of data through the organization and meets the organization’s requirements for data accuracy, relevance, availability, and timeliness.
• Build your data-centric integration practice with a firm foundation in governance and reference architecture; use best-fit reference architecture patterns and the related technology and resources to ensure that your process is scalable and sustainable.
• The business’ uses of data are constantly changing and evolving, and as a result the integration processes that ensure data availability must be frequently reviewed and repositioned to continue to grow with the business.

Info-Tech Insight

1. Every IT project requires data integration.Any change in the application and database ecosystem requires you to solve a data integration problem.
2. Integration problem solving needs to start with business activity. After understanding the business activity, move to application and system integration to drive optimal data integration activities.
3. Integration initiatives need to be backed by requirements that depend on use cases. Info-Tech’s use cases will help identify organizational requirements and the ideal data-centric integration solution.

Your data is the foundation of your organization’s knowledge and ability to make decisions

Integrate the Data, Not the Applications

Data is one of the most important assets in a modern organization. Contained within an organization’s data are the customers, the products, and the operational details that make an organization function. Every organization has data, and this data might serve the needs of the business today.

However, the only constant in the world is change. Changes in addresses, amounts, product details, partners, and more occur at a rapid rate. If your data is isolated, it will quickly become stale. Getting up-to-date data to the right place at the right time is where data-centric integration comes in.

"Data is the new oil." – Clive Humby, Chief Data Scientist Source: Medium, 2016

Organizations are having trouble keeping up with the rapid increases in data growth and complexity

To keep up with increasing business demands and profitability targets and decreasing cost targets, organizations are processing and exchanging more data than ever before.

To get more value from their information, organizations are relying on more and more complex data sources. These diverse data sources have to be properly integrated to unlock the full potential of your data:

The most difficult integration problems are caused by semantic heterogeneity (Database Research Technology Group, n.d.).

80% of business decisions are made using unstructured data (Concept Searching, 2015).

85% of businesses are struggling to implement the correct integration solution to accurately interpret their data (KPMG, 2014).

Break Down Your Silos

Integrating large volumes of data from the many varied sources in an organization has incredible potential to yield insights, but many organizations struggle with creating the right structure for that blending to take place, and data silos form.

Data-centric integration capabilities can break down organizational silos. Once data silos are removed and all the information that is relevant to a given problem is available, problems with operational and transactional efficiencies can be solved, and value from business intelligence (BI) and analytics can be fully realized.

Data-centric integration is the solution you need to bring data together to break down data silos

On one hand…

Data has massive potential to bring insight to an organization when combined and analyzed in creative ways.

On the other hand…

It is difficult to bring data together from different sources to generate insights and prevent stale data.

How can these two ideas be reconciled?

Answer: Info-Tech’s Data Integration Onion Framework summarizes an organization’s data environment at a conceptual level, and is used to design a common data-centric integration environment.

Info-Tech’s Data Integration Onion Framework

Poor integration will lead to problems felt by the business and IT

The following are pains reported by the business due to poor integration:

59% Of managers said they experience missing data every day due to poor distribution results in data sets that are valuable to their central work functions. (Experian, 2016)

42% Reported accidentally using the wrong information, at least once a week. (Computerworld, 2017)

37% Of the 85% of companies trying to be more data driven, only 37% achieved their goal. (Information Age, 2019)

"I never guess. It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." – Sir Arthur Conan Doyle, Sherlock Holmes

Poor integration can make IT less efficient as well:

90% Of all company generated data is “dark.” Getting value out of dark data is not difficult or costly. (Deloitte Insights, 2017)

5% As data sits in a database, up to 5% of customer data changes per month. (Data.com, 2016)

"Most traditional machine learning techniques are not inherently efficient or scalable enough to handle the data. Machine learning needs to reinvent itself for big data processing primarily in pre-processing of data." – J. Qiu et al., ‎2016

Understand the common challenges of integration to avoid the pains

There are three types of challenges that organizations face when integrating data:

1. Disconnect from the business

Poor understanding of the integration problem and requirements lead to integrations being built that are not effective for quality data.

50% of project rework is attributable to problems with requirements. (Info-Tech Research Group)

45% of IT professionals admit to being “fuzzy” about the details of a project’s business objectives. (Blueprint Software Systems Inc., 2012)

2. Lack of strategy

90% Of organizations will lack an integration strategy through to 2018. (Virtual Logistics, 2017)

Integrating data without a long-term plan is a recipe for point-to-point integration spaghettification:

3. Data complexity

Data architects and other data professionals are increasingly expected to be able to connect data using whatever interface is provided, at any volume, and in any format – all without affecting the quality of the data.

36% Of developers report problems integrating data due to different standards interpretations. (DZone, 2015)

These challenges lead to organizations building a data architecture and integration environment that is tightly coupled.

A loose coupling integration strategy helps mitigate the challenges and realize the benefits of well-connected data

Loose Coupling

Most organizations don’t have the foresight to design their architecture correctly the first time. In a perfect world, organizations would design their application and data architecture to be scalable, modular, and format-neutral – like building blocks.

Benefits of a loosely coupled architecture:

• Increased ability to support business needs by adapting easily to changes.
• Added ability to incorporate new vendors and new technology due to increased flexibility.
• Potential for automated, real-time integration.
• Elimination of re-keying/manual entry of data.
• Federation of data.

Vs. Tight Coupling

However, this is rarely the case. Most architectures are more like a brick wall – permanent, hard to add to and subtract from, and susceptible to weathering.

Problems with a tightly coupled architecture:

• Delays in combining data for analysis.
• Manual/Suboptimal DI in the face of changing business needs.
• Lack of federation.
• Lack of flexibility.
• Fragility of integrated platforms.
• Limited ability to explore new functionalities.

Present Security to Executive Stakeholders

Learn how to communicate security effectively to obtain support from decision makers.

Analyst Perspective

Build and deliver an effective security communication to your executive stakeholders.

As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected. However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging. Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives. Ahmad Jowhar Research Specialist, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

Your challenge

As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

• When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
• This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
• Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

62% find it difficult to balance the risk of too much detail and need-to-know information.

41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

Source: Deloitte, 2022

Common obstacles

There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

• Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
• The issue has been amplified, with security threats constantly increasing across all industries.
• However, security leaders don’t feel that they are in a position to make themselves heard.
• The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
• Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.