Make Your IT Governance Adaptable

Governance isn't optional, so keep it simple and make it flexible.

Table of Contents

Make Your IT Governance Adaptable

Governance isn't optional, so keep it simple and make it flexible.

EXECUTIVE BRIEF

Analyst Perspective

Governance will always be part of the fabric of your organization. Make it adaptable so it doesn’t constrain your success.

Far too often, the purpose of information and technology (I&T) governance is misunderstood. Instead of being seen as a way to align the organization’s vision to its investment in information and technology, it has become so synonymous with compliance and control that even mentioning the word “governance” elicits a negative reaction.

Success in modern digital organizations depends on their ability to adjust for velocity and uncertainty, requiring a dynamic and responsive approach to governance – one that is embedded and automated in your organization to enable new ways of working, innovation, and change.

Evolutionary theory describes adaptability as the way an organism adjusts to fit a new environment, or changes to its existing environment, to survive. Applied to organizations, adaptable governance is critical to the ability to survive and succeed.

If your governance doesn’t adjust to enable your changing business environment and customer needs, it will quickly become misaligned with your goals and drive you to failure.

It is critical that people build an approach to governance that is effective and relevant today while building in adaptability to keep it relevant tomorrow.

Valence Howden
Principal Research Director, Info-Tech Research Group

Executive Summary

Your Challenge

• People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
• Governance is delegated to people and practices that don’t have the ability or authority to make decisions.
• Decisions are made within committees that don’t meet frequently enough to support business velocity.
• It is difficult to allocate time and resources to build or execute governance effectively

Common Obstacles

• You are unable to clearly communicate how governance adds value to your organization.
• Your IT governance approach no longer aligns with or supports your organizational direction, goals, and work practices.
• Governance is seen and performed as a bureaucratic control-based exercise.
• Governance activities are not transparent.
• The governance committee gets too deeply involved with project deep dives and daily management, derailing its effectiveness and ability to produce value.

Info-Tech’s Approach

• Use Info-Tech’s IT governance models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.
• Adjust the model based on industry needs, your principles, regulatory requirements, and your future direction.
• Identify where to embed or automate decision making and compliance and what is required to do so effectively.
• Implement your governance model for success.

Info-Tech Insight

IT governance must be embedded and automated, where possible, to effectively meet the needs and velocity of digital organizations and modern practices and to drive success and value.

What is governance?

IT governance is a critical and embedded practice that ensures that information and technology investments, risks, and resources are aligned in the best interests of the organization and produce business value.

Effective governance ensures that the right technology investments are made at the right time to support and enable your organization’s mission, vision, and goals.

Why is this necessary?

• Governance is not simply a committee or an activity that you perform at a specific point in time; it is a critical and continuously active practice that drives the success of your organization. It is part of your organization’s DNA and is just as unique, with some attributes common to all (IT governance elements), some specific to your family (industry refinements), and some specific to you (individual organization).
• Your approach to governance needs to change over time in order to remain relevant and continue to enable value and success, but organizations rarely want to change governance once it’s in place.
• To meet the speed and flow of practices like Lean, DevOps, and Agile, your IT governance needs to be done differently and become embedded into the way your organization works. You must adjust your governance model based on key moments of change – organizational triggers – to maintain the effectiveness of your model.

Info-Tech Insight

Build an optimal model quickly and implement the core elements using an iterative approach to ensure the changes provide the most value.

The Technology Value Trinity

Delivery of Business Value & Strategic Needs

• DIGITAL & TECHNOLOGY STRATEGY
  The identification of objectives and initiatives necessary to achieve business goals.
• IT OPERATING MODEL
  The model for how IT is organized to deliver on business needs and strategies.
• INFORMATION & TECHNOLOGY GOVERNANCE
  The governance to ensure the organization and its customers get maximum value from the use of information and technology.

All three elements of the Technology Value Trinity work in harmony to deliver business value and meet strategic needs. As one changes, the others need to change as well.

• Digital and IT Strategy tells you what you need to achieve to be successful.
• IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
• Information & Technology Governance is the confirmation that IT’s goals and strategy align with the business’ strategy. It is the mechanism by which you continuously prioritize work to ensure that what you deliver is in line with the strategy. This oversight involves evaluating, directing, and monitoring the delivery of outcomes to ensure that the use of resources results in achieving the organization’s goals.

Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest rather than on what is in the best interest of the organization.

Where information & technology governance fits within an organization

I&T governance hasn’t achieved its purpose

Governance is the means by which IT ensures that information and technology delivery and spend is aligned to business goals and delivers business outcomes. However, most CEOs continue to perceive IT as being poorly aligned to the business’ strategic goals, which indicates that governance is not implemented or executed properly.

For I&T governance to be effective you need a clear understanding of the things that drive your organization and its success. This understanding becomes your guiding star, which is critical for effective governance. It also requires participation by all parts of the organization, not just IT.

Info-Tech CIO/CEO Alignment Diagnostics (N=124)

43% of CEOs believe that business goals are going unsupported by IT.

60% of CEOs believe that improvement is required around IT’s understanding of business goals.

80% of CIOs/CEOs are misaligned on the target role for IT.

30% of business stakeholders are supporters (N=32,536) of their IT departments

Common causes of poor governance

Key causes of poor or misaligned governance

1. Governance and its value to your organization is not well understood, often being confused or integrated with more granular management activities.
2. Business executives fail to understand that IT governance is a function of the business and not the IT department.
3. Poor past experiences have made “governance” a bad word in the organization. People see it as a constraint and barrier that must be circumvented to get work done.
4. There is misalignment between accountability and authority throughout the organization, and the wrong people are involved in governance practices.
5. There is an unwillingness to change a governance approach that has served the organization well in the past, leading to challenges when the organization starts to change practices and speed of delivery.
6. There is a lack of data and data-related capabilities required to support good decision making and the automation of governance decisions.
7. The goals and strategy of the organization are not known or understood, leaving nothing for IT governance to orient around.

Key symptoms of ineffective governance committees

1. No actions or decisions are generated. The committee produces no value and makes no decisions after it meets. The lack of value output makes the usefulness of the committee questionable.
2. Resources are overallocated. There is a lack of clear understanding of capacity and value in work to be done, leading to consistent underestimation of required resources and poor resource allocation.
3. Decisions are changed outside of committee. Decisions made or initiatives approved by the committee are later changed when the proper decision makers are involved or the right information becomes available.
4. Governance decisions conflict with organizational direction. This shows an obvious lack of alignment and behavioral disconnect that work against organizational success. It is often due to not accounting for where power really exists within the structure.
5. Consistently poor outcomes are produced from governance direction. Committee members’ lack of business acumen, relevant data, or understanding of organizational goals results in decisions that fail to drive successful measured outcomes.

Mature your governance by transitioning from ad hoc to automated

Organizations should look to progress in their governance stages. Ad hoc and controlled governance practices tend to be more rigid, making these a poor fit for organizations requiring higher velocity delivery or using more agile and adaptive practices.

The goal as you progress through these stages is to delegate governance and empower teams based on your fit and culture, enabling teams where needed to make optimal decisions in real time, ensuring that they are aligned with the best interests of the organization.

Automate governance for optimal velocity while mitigating risks and driving value.

This puts your organization in the best position to be adaptive, able to react effectively to volatility and uncertainty.

Stages of governance

Make Governance Adaptable and Automated to Drive Success and Value

Governance adaptiveness ensures the success of digital organizations and modern practice implementation.

THE PROBLEM

• The wrong people are making decisions.
• Organizations don't understand what governance is or why it's done.
• Governance scope and design is a bad fit, damaging the organization.
• People think governance is optional.

THE SOLUTION

ESTABLISH YOUR GUIDING PRINCIPLES

Define and establish the guiding principle that drive your organization toward success.

• Mission & Vision
• Business Goals & Success Criteria
• Operating Model & Work Practices
• Governance Scope
• Principles

SELECT AND REFINE YOUR MODEL

Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

IDENTIFY MODEL UPDATE TRIGGERS

Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

• Principles
  Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
• Responsibilities
  Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
• Structure
  Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
• Processes
  Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
• Membership
  Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
• Policies
  Confirm any governing policies that need to be adhered to and considered to manage risk.

DETERMINE AUTOMATION OPTIONS AND DECISION RULES

Identify where to embed or automate decision making and compliance and what is required to do so effectively.

STAGES OF GOVERNANCE

Traditional (People- and document-centric)

1. AD HOC GOVERNANCE
   Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people or bodies.
2. CONTROLLED GOVERNANCE
   Governance focused on compliance and hierarchy-based, authority-driven control of decisions. Levels of Authority are defined and often driven by regulatory requirements.

Adaptive (Data Centric)

3. AGILE GOVERNANCE
   Governance that is flexible to support different needs and quick responses in the organization. Driven by principles and delegated throughout the company.
4. AUTOMATED GOVERNANCE
   Governance that is entrenched and automated into the organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival.

KEY INSIGHT

Governance must actively adapt to changes in your organization, environment, and practices or it will drive you to failure.

Developing governance principles

Governance principles support the move from controlled to automated governance by providing guardrails that guide your decisions. They provide the ethical boundaries and cultural perspectives that contextualize your decisions and keep you in line with organizational values. Determining principles are global in nature.

Find your guiding star

Your mission and vision define your goals and objectives. These are reinforced by your guiding principles, including ethical considerations, your culture, and expected behaviors. They provide the boundaries and guardrails for enabling adaptive governance, ensuring you continue to move in the right direction for organizational success.

To paraphrase Lewis Carroll, “If you don't know where you want to get to, it doesn't much matter which way you go.” Once you know what matters, where value resides, and which considerations are necessary to make decisions, you have consistent directional alignment that allows you to delegate empowered governance throughout the organization, taking you to the places you want to go.

Understand governance versus management

Don’t blur the lines between governance and management; each has a unique role to play. Confusing them results in wasted time and confusion around ownership.

Governance I&T governance defines WHAT should be done and sets direction through prioritization and decision making, monitoring overall IT performance. Governance aligns with the mission and vision of the organization to guide IT.

Management Management focuses on HOW to do things to achieve the WHAT. It is responsible for executing on, operating, and monitoring activities as determined by I&T governance. Management makes decisions for implementation based on governance direction.

Data is critical to automating governance

Documents and subjective/non-transparent decisions do not create sufficient structure to allow for the true automation of governance. Data related to decisions and aggregated risk allow you to define decision logic and rules and algorithmically embed them into your organization.

People- and Document-Centric

Governance drives activities through specific actors (individuals/committees) and unstructured data in processes and documents that are manually executed, assessed, and revised. There are often constraints caused by gaps or lack of adequate and integrated information in support of good decisions.

Data-Centric

Governance actors provide principles, parameters, and decision logic that enable the creation of code, rulesets, and algorithms that leverage organizational data. Attestation is automatic – validated and managed within the process, product, or service.

Info-Tech’s Approach

Define your context and build your model

ESTABLISH YOUR GUIDING PRINCIPLES

Define and establish the guiding principle that drive your organization toward success.

• Mission & Vision
• Business Goals & Success Criteria
• Operating Model & Work Practices
• Governance Scope
• Principles

SELECT AND REFINE YOUR MODEL

Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

MODEL UPDATE TRIGGERS

Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

• Principles
  Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
• Responsibilities
  Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
• Structure
  Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
• Processes
  Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
• Membership
  Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
• Policies
  Confirm any governing policies that need to be adhered to and considered to manage risk.

AUTOMATION OPTIONS AND DECISION RULES

Identify where to embed or automate decision making and compliance and what is required to do so effectively.

The Info-Tech Difference

Define your context and build your model

1. Quickly identify the organizational needs driving governance and your guiding star.
2. Select and refine a base governance model based on our templates.
3. Define and document the key changes in your organization that will trigger a need to update or revise your governance.
4. Determine where you might be able to automate aspects of your governance.
5. Design your decision rules where appropriate to support automated and adaptive governance.

How to use this research

Where are you in your governance optimization journey?

Related Research:

If you are looking for details on specific associated practices, please see our related research:

1. I need to establish data governance.
2. I need to manage my project portfolio, from intake to confirmation of value.
3. I need better risk information to support decision making.
4. I need to ensure I am getting the expected outcomes and benefits from IT spend.
5. I need to prioritize my product backlog or service portfolio.

Info-Tech’s methodology for building and embedding adaptive governance

Insight summary

Value

To remain valuable, I&T governance must actively adapt to changes in your organization, environment, and practices, or it will drive you to failure instead of success.

Focus

I&T governance does not focus on the IT department. Rather, its intent is to ensure your organization makes sound decisions around investment in and use of information and technology.

Maturity

Your governance approach progresses in stages from ad hoc to automated as your organization matures. Your stage depends on your organizational needs and ways of working.

Good governance

Good governance does not equate to control and does not stifle innovation.

Automation

Automating governance must be done in stages, based on your capabilities, level of maturity, and amount of usable data.

Strategy

Establish the least amount of governance required to allow you to achieve your goals.

Guiding star

If you don’t establish a guiding star to align the different stakeholders in your organization, governance practices will create conflict and confusion.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Blueprint benefits

IT Benefits

• Stronger, traceable alignment of IT decisions and initiatives to business needs.
• Improved ability for IT to meet the changing demands and velocity of the business.
• Better support and enablement of innovation – removing constraints and barriers.
• Optimized governance that supports and enables modern work practices.
• Increased value generation from IT initiatives and optimal use of IT resources.
• Designed adaptability to ensure you remain in alignment as your business and IT environments change.

Business Benefits

• Clear transparent focus of IT initiatives on generating strategic business value.
• Improved ability to measure the value and contribution of IT to business goals.
• Alignment and integration of business/IT strategy.
• Optimized development and use of IT capabilities to meet business needs.
• Improved integration with corporate/enterprise governance.

Executive Brief Case Study

INDUSTRY Manufacturing
SOURCE Info-Tech analyst experience

Improving the governance approach and delegating decision making to support a change in business operation

Challenge

The large, multi-national organization has locations across the world but has two primary headquarters, in Europe and the United States.

Market shifts drove an organizational shift in strategy, leading to a change in operating models, a product focus, and new work approaches across the organization.

Much of the implementation and execution was done in isolation, and effectiveness was slowed by poor integration and conflicting activities that worked against each other.

The product owner role was not well defined.

Solution

After reviewing the organization’s challenges and governance approach, we redefined and realigned its organizational and regional goals and identified outcomes that needed to be driven into their strategies.

We also reviewed their span of control and integration requirements and properly defined decisions that could be made regionally versus globally, so that decisions could be made to support new work practices.

We defined the product and service owner roles and the decisions each needed to make.

Results

We saw an improvement in the alignment of organizational activities and the right people and bodies making decisions.

Work and practices were aimed at the same key outcomes and alignment between teams toward organizational goal improved.

Within one year, the success rate of the organization’s initiatives increased by 22%, and the percentage of product-related decisions made by product owners increased by 50%.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

What does a typical GI on this topic look like?

Phase 1: Identify Your Governance Needs

• Call #1: Confirm your organization’s mission and vision and review your strategy and goals.
• Call #2: Identify considerations and governance needs. Develop your guiding star and governing principles.

Phase 2: Select and Refine Your Model

• Call #3: Select your base model and optimize it to meet your governance needs.
• Call #4: Define your adjustment triggers and develop your implementation plan.

Phase 3: Embed and Automate

• Call #5: Identify decisions and standards you can automate and where to embed them.
• Call #6: Confirm levels of authority and data requirements. Establish your approach and update the implementation plan.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Make Your IT Governance Adaptable

Phase 1

Identify your Governance Needs

This phase will walk you through the following activities:

Identify the organization’s goals, mission, and vision that will guide governance.

Define the scope of your governance model and the principles that will guide how it works.

Account for organizational attitudes, behaviors, and culture related to governance and finalize your context.

This phase involves the following participants:

• Senior IT leadership
• Governance leads

Step 1.1

Define Your Guiding Star

Activities

• 1.1.1 Document and interpret your strategy, mission, and vision
• 1.1.2 Document and interpret the business and IT goals and outcomes
• 1.1.3 Identify your operating model and work processes

This step will walk you through the following activities:

Review your business and IT strategy, mission, and vision to ensure understanding of organizational direction.

Identify the business and IT goals that governance needs to align.

Confirm your operating model and any work practices that need to be accounted for in your model.

This step involves the following participants:

• Senior IT leadership
• Governance leads

Outcomes of this step

Identified guiding star outcomes to align governance outcomes with

Defined operating model type and work style that impact governance design

Identify Your Governance Needs

Govern by intent

Find the balance for your designed governance approach

Organic governance occurs during the formation of an organization and shifts with challenges, but it is rarely transparent and understood. It changes your culture in uncontrolled ways.	Intentional governance is triggered by changes in organizational needs, working approaches, goals, and structures. It is deliberate and changes your culture to enable success.

Info-Tech Insight

Your approach to governance needs to be designed, even if your execution of governance is adaptable and delegated.

What is your guiding star?

Your guiding star is a combination of your organization’s mission, vision, and strategy and the goals that have been defined to meet them.

It provides you with a consistent focal point around which I&T-related activities and projects orbit, like planets around a star.

It generates the gravity that governance uses to keep things from straying too far away from the goal of achieving relevant value.

1. Mission & Vision
2. Business Goals & Success Criteria
3. Operating Model & Work Practices
4. Governance Scope
5. Principles

1.1.1 Document and interpret your strategy, mission, and vision

Input: Business strategy, IT strategy, Mission and vision statements

Output: Updated Governance Workbook, Documented strategic outcomes and organizational aims that governance needs to achieve

Materials: Whiteboard/flip charts, Governance Workbook

Participants: IT senior leadership

1. Gather your available business, digital, and IT strategy, mission, and vision information and document everything in your Governance Workbook. It’s ok if you don’t have all of it.
2. Review and your mission and vision as a group. Discuss and document key points, including:
   • Which activities do you perform as an organization that embody your vision?
   • What key decisions and behaviors are required to ensure that your mission and vision are achievable?
   • What do you require from leadership to enable you to govern effectively?
   • What are the implications of the mission and vision on how the organization needs to work? What are the implications on decisions around opportunities and risks?

Download the Governance Workbook

1.1.2 Document and interpret the business and IT goals and outcomes

60 minutes

Input: Business strategy, Business and IT goals and related initiatives

Output: Required success outcomes for goals, Links between IT and business goals that governance needs to align

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Document the business and IT goals that have been created to achieve the mission and vision.
2. Discuss if there are any gaps between the goals and the mission and vision. Ask yourself – if we accomplish these goals will we have successfully achieved the mission?
3. For each goal, define what successful achievement of the goal looks like. Starting with one goal or objective, ask:
   • How would I know I am on the right path and how will I know I have gotten there?
   • How would I know if I am not on the right path and what does a bad result look like?
Document your success criteria.
4. Brainstorm some examples of decisions that support or constrain the achievement of your goals.
5. Repeat this exercise for your remaining goals.
6. As a group, map IT goals to business goals.

What is your operating model and why is it important?

An IT operating model is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions.

The model is critical in the optimization and alignment of the IT organization’s structure in order to deliver the capabilities required to achieve business goals. It is a key determinant of how governance needs to be designed and where it is implemented.

1.1.3 Identify your operating model and work practices

60 minutes

Input: Organizational structure, Operating model (if available)

Output: Confirmed operating approach, Defined work practices

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Identify the way your organization functions:
   • How do we currently operate? Are we centralized, decentralized or a hybrid? Are we focused on delivering products and services? Do we provide service ourselves or do we use vendors for delivery?
   • Can we achieve our mission, goals, and strategies, if we continue to operate this way? What would we have to change in how we operate to be successful in the future?
2. Identify your governance needs. Do we need to be more structured or more flexible to support our future ways of working?
   • If you operate in a more traditional way, consider whether you are implementing or moving toward more modern practices (e.g. Agile, DevOps, enterprise service management). Do you need to make more frequent but lower-risk decisions?
   • Is your organization ready to delegate governance culturally and in terms of business understanding? Is there enough available information to support adaptive decisions and actions?
3. Document your operating style, expected changes in work style, and cultural readiness. You will need to consider the implications on design.

Step 1.2

Define Scope and Principles

Activities

• 1.2.1 Determine the proper scope for your governance
• 1.2.2 Confirm your determining governing principles
• 1.2.3 Develop your specific governing principles

This step will walk you through the following activities:

Identify what is included and excluded within the scope of your governance.

Develop the determining and specific principles that provide guardrails for governance activities and decisions.

This step involves the following participants:

• Senior IT leadership
• Governance leads

Outcomes of this step

Documented governance scope and principles to apply

Identify Your Governance Needs

Define the context for governance

Based on the goals and principles you defined and the operating model you selected, confirm where oversight will be necessary and at what level. Focus on the necessity to expedite and clear barriers to the achievement of goals and on the ownership of risks and compliance. Some key considerations:

• Where in the organization will you need to decide on work that needs to be done?
• What type of work will you need to do?
• In what areas could there be conflicts in prioritization/resource allocation to address?
• Who is accountable for risks to the organization and its objectives?
• Where are your regional or business-unit-specific concerns that require focused local attention?
• Are we using more agile, rapid delivery methods to produce work?

Understand your governance scope

Your governance scope helps you define the boundaries of what your governance model and practices will cover. This includes key characteristics of your organization that impact what governance needs to address.

Sample Considerations

• Organizational Span
  • The geographical area the organization operates within. Regional laws and requirements will affect governance delegation and standards/policy development.
• Level of Regulation
  • Higher levels of regulation create more standards and controls for risk and compliance, impacting how authority can be delegated or automated.
• Sourcing Model
  • Changing technology sourcing introduces additional vendor governance requirements and may impact compliance and audit.
• Risk Posture
  • The appetite for risk organizationally, and in pockets, impacts the level of uncertainty you are willing to work within and impact decision-making authority positioning.
• Size
  • The size of your organization impacts the approach to governance, practice implementation, and delegation of authority.
• What Is Working Today?
  • Which elements of your current governance approach should be retained, and what are the biggest pain points that need to be addressed?

1.2.1 Determine the proper scope for your governance

60 minutes

Input: Context information from Activity 1.1, Scoping areas

Output: Defined scope and span of control

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Determine the scope/span of control required for your governance by:
   • Reviewing your key IT capabilities. Identify the ones where the responsibilities and decisions require oversight to ensure they meet the needs of the organization.
   • Identify what works well or poorly in your current governance approach.
   • Discuss and document the level and type of knowledge and business understanding required.
   • Identify and document any regulations, standards, or laws that apply to your organization/industry and how broadly they have to be applied.
   • Identify the organization’s risk appetite, where known, and areas where acceptable thresholds of risk have been defined. Where are key risk and opportunity decisions made? Who owns risk in your organization?
   • Identify and document the perceived role of the IT group in your organization (e.g. support, innovator, partner) and sourcing model (e.g. insource, outsource).
   • Is there sufficient information and data available in your organization to support effective decision making?

How should your governance be structured?

Organizations often have too many governance bodies, creating friction without value. Where that isn’t the case, the bodies are often inefficient, with gaps or overlaps in accountability and authority. Structure your governance to optimize its effectiveness, designing with the intent to have the fewest number of governing bodies to be effective, but no less than is necessary.

Start with your operating model.

• Understand what’s different about your governance based on whether your organization in centralized, distributed, or a different model (e.g. hybrid, product).
• Identify and include governance structures that are mandatory due to regulation or industry.
• Based on your context, identify how many of your governance activities should be performed together.

Determine whether your governance should be controlled or adaptive.

• Do you have the capability to distribute governance and is your organization empowered enough culturally?
• Do you have sufficient standards and data to leverage? Do you have the tools and capabilities?
• Identify governance structures that are required due to regulation or industry.

Info-Tech Insight

Your approach to governance needs to be designed and structured, even if your execution of governance is adaptable and delegated.

Identify and Refine your Principles

Confirm your defining principles based on your selection of controlled or adaptive governance. Create specific principles to clarify boundaries or provide specific guidance for teams within the organization.

Determining Principle: Delegate and empower.

Specific Principle: Decisions should be made at the lowest reasonable level of the organization with clarity.

Rationale: To govern effectively with the velocity required to address business needs, governance needs to be executed deeper into the organization and organizational goals need to be clearly understood everywhere.

Implication: Decision making needs to be delegated throughout the organization, so information and data requirements need to be identified, decision-making approach and principles need to be shared, and authority needs to be delegated clearly.

1.2.2 Confirm your determining governance principles

30-45 minutes

Input: Governance Framework Model– Governance Principles

Output: Governance workbook - Finalized list of determining principles

Materials: Whiteboard/flip charts, Governance Workbook

Participants: IT senior leadership

1. Review the IT governance principles in your Governance Workbook.
2. Within your IT senior leadership team (or IT governance working group) assign one or two principles to teams of two to three participants. Have each team identify what this would mean for your organization. Answering the questions:
   • In what ways do our current governance practices support this?
   • What are some examples of changes that would need to be made to make this a reality?
   • How would applying this principle improve your governance?
3. Have each team present their results and compile the findings and implications in the Governance Workbook to use for future communication of the change.

Specific governing principles

Specific governing principles are refined principles derived from a determining principle, when additional specificity and detail is necessary. It allows you to define an approach for specific behaviors and activities. Multiple specific principles may underpin the determining one.

Specific Principles – Related principles that may be required to ensure the implications of the determining principal are addressed within the organization. They may be specific to individual areas and may be addressed in policies. Implications – The implications of this principle on the organization, specific to how and where governance is executed and the level of information and authority that would be necessary. Rationale – The reason(s) driving the determining principle. Determining Principle – A core overarching principle – a defining aspect of your governance model.

1.2.3 Develop your specific governing principles

30 minutes

Input: Updated determining principles

Output: List of specific principles linked to determining principles

Materials: Whiteboard/flip charts, Governance Workbook

Participants: IT senior leadership

1. Confirm the determining principles for your governance model based on your previous discussions.
2. Identify where to apply the principles. This is based on:
   1. Your governance scope (how much is within your span of control)
   2. The amount of data you have available
   3. Your cultural readiness for delegation
3. Create specific principles to support the determining principles:
   1. Document the rationale driving the determining principles.
   2. Identify the implications.
   3. Create specific principles that will support the success in achieving the goals of each determining principle.
4. Document all information on the “Governance guiding star” slide in the Governance Workbook.

Download the Governance Workbook

Step 1.3

Adjust for Culture and Finalize Context

Activities

• 1.3.1 Identify and address the impact of attitude, behavior, and culture
• 1.3.2 Finalize your context

This step will walk you through the following activities:

Identify your organizational attitude, behavior, and culture related to governance.

Identify positives that can be leveraged and develop means to address negatives.

Finalize the context that your model will leverage and align to.

This step involves the following participants:

• Senior IT leadership
• Governance leads

Outcomes of this step

Downloaded tool ready to select the base governance model for your organization

Identify Your Governance Needs

Understanding attitude, behavior, and culture

What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users. This manifests in the belief that governance is a constraint that needs to be avoided or ignored – often with unintended consequences.

New Results'.">

Any form of organizational change involves adjusting people’s attitudes to create buy-in and commitment.

You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive.

Understanding attitude, behavior, and culture

What people do. This is influenced by attitude and the culture of the organization. In governance, this manifests as people’s willingness to be governed, who pushes back, and who tries to bypass it.

To implement change within IT, especially at a tactical and strategic level, organizational behavior needs to change.

This is relevant because people gravitate toward stability and will resist change in an active or passive way unless you can sell the need, value, and benefit of changing their behavior and way of working.

Understanding attitude, behavior, and culture

The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources. In governance terms, this is how decisions are really made and where responsibility really exists rather than what is identified formally.

The impact of the organizational or corporate “attitude” on employee behavior and attitude is often not fully understood.

Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed governance models. In the case of automating governance, cultural readiness for automation is a critical success factor.

1.3.1 Identify and address the impact of attitude, behavior, and culture

45 minutes

Input: Senior leadership knowledge

Output: Updated Governance Workbook

Materials: Governance Workbook

Participants: IT senior leadership

1. Break into three groups. Each group will discuss and document the positive and negative aspects of one of attitude, behavior, or culture related to governance in your organization.
2. Each group will present and explain their list to the group.
3. Add any additional suggestions in each area that are identified by the other groups.
4. Identify the positive elements of attitude, behavior, and culture that would help with changing or implementing your updated governance model.
5. Identify any challenges that will need to be addressed for the change to be successful.
6. As a group, brainstorm some mitigations or solutions to these challenges. Document them in the Governance Workbook to be incorporated into the implementation plan.

Download the Governance Workbook

Attitude, behavior, and culture

Evaluate the organization across the three contexts. The positive items represent opportunities for leveraging these characteristics with the implementation of the governance model, while the negative items must be considered and/or mitigated.

1.3.2 Finalize your governance context

30 minutes

Input: Documented governance principles and scope from previous exercises

Output: Finalized governance context in the Governance Workbook

Materials: Whiteboard/flip charts, Governance Workbook

Participants: IT senior leadership

1. Use the information that has been gathered throughout this section to update and finalize your IT governance context.
2. Document it in your Governance Workbook.

Download the Governance Workbook

Make Your IT Governance Adaptable

Phase 2

Select and Refine Your Governance Model

This phase will walk you through the following activities:

Select a base governance model and refine it to suit your organization.

Identify scenarios and changes that will trigger updates to your governance model.

Build your implementation plan.

This phase involves the following participants:

• Senior IT leadership
• Governance resources

Step 2.1

Choose and Adapt Your Model

Activities

• 2.1.1 Choose your base governance model
• 2.1.2 Confirm and adjust the structure of your model
• 2.1.3 Define the governance responsibilities
• 2.1.4 Validate the governance mandates and membership
• 2.1.5 Update your committee processes
• 2.1.6 Adjust your associated policies
• 2.1.7 Adjust and confirm your governance model

This step will walk you through the following activities:

Review and selecting your base governance model.

Adjust the structure, responsibilities, policies, mandate, and membership to best support your organization.

This step involves the following participants:

• Senior IT leadership
• Governance leads

Outcomes of this step

Downloaded tool ready to select the base governance model for your organization

Select and Refine Your Governance Model

Your governance framework has six key components

GOVERNANCE FRAMEWORK

• GUIDELINES
  The key behavioral factors that ground your governance framework
• MEMBERSHIP
  Formalization of who has authority and accountability to make specific governance decisions
• RESPONSIBILITIES
  The definition of which decisions and outcomes your governance structure and each governance body is accountable for
• STRUCTURE
  Which governance bodies and roles are in place to articulate where decisions are made in the organization
• PROCESS
  Identification of the how your governance will be executed, how decisions are made, and the inputs, outputs, and connections to related processes
• POLICY
  Set of principles established to address risk and drive expected and required behavior

4 layers of governance bodies

There are traditionally 4 layers of governance in an enterprise, and organizations have governing bodies or individuals at each level

2.1.1 Choose your base governance model

30 minutes

Input: Governance models templates

Output: Selected governance model

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Download Info-Tech’s base governance models (Controlled Governance Models Template and IT Governance Program Overview) and review them to find a template that most closely matches your context from Phase 1. You can start with a centralized, decentralized, or product/service hybrid IT organization. Remove unneeded models.
2. If you do not have documented governance today, start with a controlled model as your foundation. Continue working through this phase if you have a documented governance framework you wish to optimize using our best practices or move to Phase 3 if you are looking to automate or embed your governance activities.

Controlled Governance Models Template

Adaptive Governance Models Template

2.1.2 Confirm and adjust the structure of your model

30-45 minutes

Input: Selected base governance model, Governance context/scope

Output: Updated governance bodies and relationships

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Validate your selected governance body structural model.
   • Are there any governing bodies you must maintain that should replace the ones listed? In part or in full?
   • Are there any missing bodies? Look at alternative committees for examples.
   • Document the adjustments.
2. Are there any governing bodies that are not required?
   • Based on your size and needs, can they be done within one committee?
   • Is the capability or data not in place to perform the work?
   • Document the required changes.

There are five key areas of governance responsibility

STRATEGIC ALIGNMENT Ensures that technology investments and portfolios are aligned with the organization’s needs. VALUE DELIVERY Reviews the outcomes of technology investments and portfolios to ensure benefits realization. RISK MANAGEMENT Defines and owns the risk thresholds and register to ensure that decisions made are in line with the posture of the organization.

RESOURCE MANAGEMENT Ensures that people, financial knowledge, and technology resources are appropriately allocated across the organization. PERFORMANCE MEASUREMENT Monitors and directs the performance or technology investments to determine corrective actions and understand successes.

2.1.3 Define the governance responsibilities

Ensure you have the right responsibilities in the right place

45-60 minutes

Input: Selected governance base model, Governance context

Output: Updated responsibilities and activities, Updated activities for selected governance bodies, New or removed governing bodies

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Based on your context and model, review the responsibilities identified for each committee and confirm that they align with the mandate and the stated outcome.
2. Identify and highlight any responsibilities and activities that would not be involved in informing and enabling the mandate of the committee.
3. Adjust the wording of confirmed responsibilities and activities to reflect your organizational language.
4. Review each highlighted “bad fit” activity and move it to a committee whose mandate it would support or remove it if it’s not performed in your organization.
5. If an additional committee is required, define the mandate and scope, then include any additional responsibilities that might have been a bad fit elsewhere

2.1.4 Validate the governance mandates and membership

30 minutes

Input: Selected governance base model, Updated structure and responsibilities

Output: Adjusted mandates and refined committee membership

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Review the mandate and membership slides in your selected governance model.
2. Adjust the mandate to ensure that it aligns to and conveys:
   1. The outcome that the committee is meant to generate for the organization.
   2. Its scope/span of control.
3. Discuss the type of information members would require for the committee to be successful in achieving its mandate.
4. Document the member knowledge requirement in the mandate slide of the model template.

Determine the right membership for your governance

One of the biggest benefits of governance committees is the perspective provided by people from various parts of the organization, which helps to ensure technology investments are aligned with strategic goals. However, having too many people – or the wrong people – involved prevents the committee from being effective. Avoid this by following these principles.

Three principles for selecting committee membership

1. Determine membership based on responsibilities and required knowledge.
   Organizations often make the mistake of creating committees and selecting members before defining what they will do. This results in poor governance because members don’t have the knowledge required to make decisions. Define the mandate of the committee to determine which members are the right fit.
2. Ensure members are accountable and authorized to make the decisions.
   Effective governance requires the members to have the authority and accountability to make decisions. This ensures meetings achieve their outcome and produce value, which improves the committee’s chances of survival.
3. Select leaders who see the big picture.
   Often committee decisions and responsibilities become tangled in the web of organizational politics. Include people, often C-level, whose attendance is critical and who have the requisite knowledge, mindset, and understanding to put business needs ahead of their own.

2.1.5 Update your committee processes

20 minutes

Input: Selected governance base model, Updated structure and responsibilities

Output: Updated committee processes

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Review the committee details based on the changes you have made in goals, mandate, and responsibilities.
2. Identify and document changes required to the committee outputs (outcomes) and adjust the consumer of the outputs to match.
3. Review the high-level process steps required to get to the modified output. Add required activities or remove unnecessary ones. Review the process flow. Does it make sense? Are there unnecessary steps?
4. Review and update inputs required for the process steps and update the information/data sources.
5. Adjust the detailed process steps to reflect the work that needs to be done to support each high-level process step that changed.

2.1.6 Adjust your associated policies

20 minutes

Input: Selected governance base model, Updated structure and responsibilities

Output: Adjusted mandates and refined committee membership

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Review the policies associated with the governing bodies in your base model. Identify the policies that apply to your organization, those that are missing, and those that are not necessary.
2. Confirm the policies that you require.
3. Make sure the policies and policy purposes (or risks and related behaviors the policy addresses) are matched to the governance committee that has responsibilities in that area. Move policies to the right committee.

2.1.7 Adjust and confirm your governance model

1. Confirm the adjustment of governance bodies, structure, and input/output linkages.
2. Confirm revisions to decisions and responsibilities.
3. Confirm policy and regulation/standards associations.
4. Select related governance committee charters from the provided set and revise the charters to reflect the elements defined in your updated model.
5. Finalize your governance model.

Step 2.2

Identify and Document Your Governance Triggers

Activities

• 2.2.1 Identify and document update triggers
• 2.2.2 Embed triggers into the review cycle

This step will walk you through the following activities:

Identify scenarios that will create a need to review or change your governance model.

Update your review/update approach to receiving trigger notifications.

This step involves the following participants:

• Senior IT leadership
• Governance leads

Outcomes of this step

Downloaded tool ready to select the base governance model for your organization

Select and Refine Your Governance Model

What are governance triggers

Governance triggers are organizational or environmental changes within or around an organization that are inflection points that start the review and revision of governance models to maintain their fit with the organization. This is the key to adaptive governance design.

2.2.1 Identify and document update triggers

30 minutes

Input: Governance Workbook

Output: Updated workbook with defined and documented governance triggers, points of origin, and integration

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Open the Governance Workbook to the “Triggers” slides.
2. Review the list of governance triggers. Retain the ones that apply to your organization, remove those you feel are unnecessary, and add any change scenarios you feel should be included.
3. Identify where you would receive notifications of these changes and the related processes or activities that would generate these notifications, if applicable.
4. Document any points of integration required between governance processes and the source process. Highlight any where the integration is not currently in place.

2.2.2 Embed triggers into the review cycle

30 minutes

Input: Governance model

Output: Review cycle update

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. Identify which triggers impact the entire governance model and which impact specific committees.
2. Add an activity for triggered review of the impacted governance model into your governance committee process.

Step 2.3

Build Your Implementation Approach

Activities

• 2.3.1 Identify and document your implementation plan
• 2.3.2 Build your roadmap
• 2.3.3 Build your sunshine diagram

This step will walk you through the following activities:

Transfer changes to the Governance Implementation Plan Template.

Determine the timing for the implementation phases.

This step involves the following participants:

• Senior IT leadership
• Governance process owner

Outcomes of this step

Implementation plan for adaptive governance framework model

2.3.1 Identify and document your implementation plan

60 minutes

Input: Governance model, Guiding principles, Update triggers, Cultural factors and mitigations

Output: Implementation roadmap

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. As a group, discuss the changes required to implement the governance model, the cultural items that need to be addressed, and the anticipated timing.
2. Document the implementation activities and consolidate them into groupings/themes based on similarities or shared outcomes.
3. Name the grouped themes for clarity and identify key dependencies between activities in each area and across themes.
4. Identify and document your approach (e.g. continuous, phased) and high-level timeline for implementation.
5. Document the themes and initiatives in the Governance Implementation Plan.

Download the Governance Implementation Plan

Illustrate the implementation plan using roadmaps

Info-Tech recommends two different methods to roadmap the initiatives in your Governance Implementation Plan.

Gantt Chart This type of roadmap depicts themes, related initiatives, the associated goals, and exact start and end dates for each initiative. This diagram is useful for outlining a larger number of activities and initiatives and has an easily digestible and repeatable format.

Sunshine Diagram This type of roadmap depicts themes and their associated initiatives. The start and end dates for the initiatives are approximated based on years or phases. This diagram is useful for highlighting key initiatives on one page.

2.3.2 Build your roadmap

Input: Governance themes and initiatives

Output: roadmap visual

Materials: Governance Roadmap Workbook, Governance Workbook

Participants: CIO, IT senior leadership

1. Open the Governance Implementation Plan and review themes and initiatives.
2. Open the Governance Roadmap Workbook.
3. Discuss whether the implementation roadmap should be developed as a Gantt chart, a sunshine diagram, or both.
   For the Gantt chart:
   • Input the roadmap start year and date.
   • Change the months and year in the Gantt chart to reflect the same roadmap start year.
   • Input and populate the planned start and end dates for the list of high-priority initiatives.

Develop your Gantt chart in the Governance Roadmap Workbook

2.3.3 Build your sunshine diagram

30 minutes

Input: Governance themes and initiatives

Output: Sunshine diagram visual

Materials: Whiteboard/flip charts, Markers, Governance Implementation Plan

Participants: CIO, IT senior leadership

1. Review your list of themes and initiatives.
2. Build a model with “rays” radiating out from a central theme or objective.
3. Using curved arcs, break the grid into timeline periods or phases.
4. Complete your sunshine diagram in the Governance Implementation Plan.

Customize your sunshine diagram in the Governance Implementation Plan

Make Your IT Governance Adaptable

Phase 3

Embed and Automate

This phase will walk you through the following activities:

Identify which decisions you are ready to automate.

Identify standards and policies that can be embedded and automated.

Identify integration points.

Confirm data requirements to enable success.

This phase involves the following participants:

• IT senior leadership
• Governance process owner
• Product and service owners
• Policy owners

Step 3.1

Identify Decisions to Embed and Automate

Activities

• 3.1.1 Review governance decisions and standards and the required level of authority
• 3.1.2 Build your decision logic
• 3.1.3 identify constraints and mitigation approaches
• 3.1.4 Develop decision rules and principles

This step will walk you through the following activities:

Identify your key decisions.

Develop your decision logic.

Confirm decisions that could be automated.

Identify and address constraints.

Develop decision rules and principles.

This step involves the following participants:

• IT senior leadership

Outcomes of this step

Developed decision rules, rulesets, and principles that can be leveraged to automate governance

Defined integration points

Embed and Automate

What is decision automation?

Decision automation is the codifying of rules that connect the logic of how decisions are made with the data required to make those decisions. This is then embedded and automated into processes and the design of products and services.

• It is well suited to governance where the same types of decisions are made on a recurring basis, using the same set of data. It requires clean, high-quality data to be effective.
• Improvements in artificial intelligence (AI) and machine learning (ML) have allowed the creation of scenarios where a hybrid of rules and learning can improve decision outcomes.

Key Considerations

• Data Availability
• Legality
• Contingencies
• Decision Transparency
• Data Quality
• Auditability

How complexity impacts decisions

Decision complexity impacts the type of rule(s) you create and the amount of data required. It also helps define where or if decisions can be automated.

1. SIMPLE
   Known and repeatable with consistent and familiar outcomes – structured, causal, and easy to standardize and automate.
2. COMPLICATED
   Less known and outcomes are not consistently repeatable. Expertise can drive standards and guidelines that can be used to automate decisions.
3. COMPLEX
   Unknown and new, highly uncertain in terms of outcomes, impact, and data. Requires more exploration and data. Difficult to automate but can be built into the design of products and services.
4. CHAOTIC
   Unstructured and unknown situation. Requires adaptive and immediate action without active data – requires retained human governance
(Based on Dave Snowden’s Cynefin framework)

Governance Automation Criteria Checklist

The Governance Automation Criteria Checklist provides a view of key considerations for determining whether a governing activity or decision is a good candidate for automation.

The criteria identify key qualifiers/disqualifiers to make it easier to identify eligibility.

Download the Governance Automation Criteria Checklist

Governance Automation Worksheet

The Governance Automation Worksheet provides a way to document your governance and systematically identify information about the decisions to help determine if automation is possible.

From there, decision rules, logic, and rulesets can be designed in support of building a structure flow to allow for automation.

Download the Governance Automation Worksheet

3.1.1 Review governance decisions and standards and the required level of authority

30 minutes

Input: Automation Criteria Checklist, Governance Automation Worksheet, Updated governance model

Output: Documented decisions and related authority, Selected options for automation, Updated Governance Automation Worksheet

Materials: Whiteboard/flip charts, Governance Automation Worksheet

Participants: IT senior leadership

1. Identify the decisions that are made within each committee in your updated governance model and document them in the Governance Automation Worksheet.
2. Confirm the level of authority required to make each decision.
3. Review the automation checklist to confirm whether each decision is positioned well for automation.
4. Select and document the decisions that are the strongest options for automation/embedding and document them in the Governance Automation Worksheet.

What are decision rules?

Decision rules provide specific instructions and constraints that must be considered in making decisions and are critical for automating governance.

They provide the logical path to assess governance inputs to make effective decisions with positive business outputs.

Inputs would include key information such as known risks, your defined prioritization matrix, portfolio value scoring, and compliance controls.

Individual rules can be leveraged in different places.

Some decision rule types are listed here.

1. Statement Rules
   Natural expression of logical progression, written through logical elements
2. Decision Tree Rules
   Decision tree with two axes that overlap to generate a decision
3. Sequential Rules
   A sequence of decisions that move from one step to the next
4. Expression Rule
   A particular set of rules triggered by a particular rule condition being met
5. Truth table rules
   Combines many decision factors into one place; produces different outputs

What are decision rulesets

Rulesets are created to make complex decisions. Individual rule types are combined to create rulesets that are applied together to generate effective decisions. One rule will provide contextual information required for additional rules to execute in a Rule-Result-Rule-Result-Rule-Decision flow.

3.1.2 Build your decision logic

30 minutes

Input: Governance Automation Worksheet

Output: Documented decision logic to support selected decision types and data requirements

Materials: Whiteboard/flip charts

Participants: IT senior leadership

1. For each selected decision, identify the principles that drive the considerations around the decision.
2. For each decision, develop the decision logic by defining the steps and information inputs involved in making the decision and documenting the flow from beginning to end.
3. Determine whether this is one specific decision or a combination of different decisions (in sequence or based on decisions).
4. Name your decision rule.

3.1.3 Identify constraints and mitigation approaches

1. Document constraints to automation of decisions related to:
   • Availability of decision automation tools
   • Decision authority change requirements
   • Data constraints
   • Knowledge requirements
   • Process adjustment requirements
   • Product/service design levels
2. Brainstorm and identify approaches to mitigate constraints and score based on likelihood of success.
3. Identify mitigation owners and initial timeline expectations.
4. Document the constraints and mitigations in the Governance Workbook on the constraints and mitigations slide.

3.1.4 Develop decision rules and principles

1.5-2 hours

Input: Governance Automation Worksheet

Output: Defined decision integration points, Confirmed data availability sets, Decision rules, rulesets, and principles with control indicators

Materials: Whiteboard/flip charts, Governance Automation Worksheet

Participants: IT senior leadership

1. Review the decision logic for those decisions that you have confirmed for automation. Identify the processes where the decision should be executed.
2. Associate each decision with specific process steps or stages or how it would be included in software/product design.
3. For each selected decision, identify the availability of data required to support the decision logic and the level of complexity and apply governing principles.
4. Create the decision rules and identify data gaps.
5. Define the decision flow and create rulesets as needed.
6. Confirm automation requirements and define control indicators.

Step 3.2

Plan Validation and Verification

Activities

• 3.2.1 Define verification approach for embedded and automated governance
• 3.2.2 Define validation approach for embedded and automated governance

This step will walk you through the following activities:

Define how decision outcomes will be measured.

Determine how the effectiveness of automated governance will be reported.

This step involves the following participants:

• IT senior leadership

Outcomes of this step

Tested and verified automation of decisions

Embed and Automate

Decision rule relationship through to verification

3.2.1 Define verification approach for embedded and automated governance

60 minutes

Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

Output: A defined measurement of effective decision outcomes, Approach to automate and/or report the effectiveness of automated governance

Materials: Whiteboard/flip charts

Participants: IT senior leadership

Verify

1. Confirm expected outcome of rules.
2. Select a sampling of new required decisions or recently performed decisions related to areas of automation.
3. Run the decisions through the decision rules or rule groupings that were developed and compare to parallel decisions made using the traditional approach. (These must be segregated activities.)
4. Review the outcome of the rules and adjust based on the output. Identify areas of adjustment. Confirm that the automation meets your requirements.

3.2.2 Define validation approach for embedded and automated governance

60 minutes

Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

Output: Defined assurance and attestation requirements, Key control indicators that can be automated

Materials: Whiteboard/flip charts

Participants: IT senior leadership

Validate

1. Develop an approach to measure automated decisions. Align success criteria to current governance KPIs and metrics.
2. If no such metrics exist, define expected outcome. Define key risk indicators based on the expected points of automation.
3. Establish quality assurance checkpoints within the delivery lifecycles to adjust for variance.
4. Create triggers back to rule owners to drive changes and improvements to rules and rule groupings.

Step 3.3

Update Implementation Plan

Activities

• 3.3.1 Finalize the implementation plan

This step will walk you through the following activities:

Review implications and mitigations to make sure all have been considered.

Finalize the implementation plan and roadmap.

This step involves the following participants:

• Senior IT leadership

Outcomes of this step

Completed Governance implementation plan and roadmap

Embed and Automate

3.3.1 Finalize the implementation plan

30 minutes

Input: Governance workbook, Updated governance model, Draft implementation plan and roadmap

Output: Finalized implementation plan and roadmap

Materials: Whiteboard/flip charts, Governance Implementation Plan

Participants: IT senior leadership

1. Document automation activities within phases in a governance automation theme in the Governance Implementation Plan.
2. Review timelines in the implementation plan and where automation fits within the roadmap.
3. Updated the implementation plan and roadmap.

Governance Implementation Plan

Summary of Accomplishment

Problem Solved

Through this project we have:

• Improved your governance model to ensure a better fit for your organization, while creating adaptivity for the future.
• Ensured your governance operates as an enabler of success with the proper bodies and levels of authority established.
• Established triggers to ensure your governance model is actively adjusted to maintain its fit.
• Developed a plan to embed and automate governance.
• Created decision rules and principles and identified where to embed them within your practices.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

Related Info-Tech Research

Improve IT Governance to Drive Business Results

Avoid bureaucracy and achieve alignment with a minimalist approach. Align with your organizational context.

Establish Data Governance

Establish data trust and accountability with strong governance.

Maximize Business Value From IT Through Benefits Realization

Embed value and alignment confirmation into your governance to ensure you optimize IT value achievement for resource spend.

Build a Better Product Owner

Strengthen the product/service owner role in your organization by focusing on core capabilities and proper alignment.

Research contributors and experts

Sidney Hodgson Senior Director, Industry Info-Tech Research Group Sidney has over 30 years of experience in IT leadership roles as CIO of three organizations in Canada and the US as well as international consulting experience in the US and Asia. Sid has a breadth of knowledge in IT governance, project management, strategic and operational planning, enterprise architecture, business process re-engineering, IT cost reduction, and IT turnaround management.

David Tomljenovic Principal Research Advisor, Industry Info-Tech Research Group David brings extensive experience from the Financial Services sector, having worked 25 years on Bay Street. Most recently he was a Corporate Finance and Strategy Advisor for Infiniti Labs (Toronto/Hong Kong), Automotive, and Smart City Accelerator, where he provided financial and mergers & acquisitions advisory services to accelerator participants with a focus on early-stage fundraising activities.

Research contributors and experts

Cole Cioran Practice Lead, Applications and Agile Development Info-Tech Research Group Over the past 25 years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.

Crystal Singh Research Director, Applications – Data and Information Management Info-Tech Research Group Crystal brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

Research contributors and experts

Carlene McCubbin Practice Lead, CIO Info-Tech Research Group Carlene covers key topics in organization and leadership and specializes in governance, organizational design, relationship management, and human capital development. She led the development of Info-Tech’s Organization and Leadership practice.

Denis Goulet Senior Workshop Director Info-Tech Research Group Denis is a transformational leader and experienced strategist who focuses on helping clients communicate, relate, and adapt for success. Having developed Governance Model and IT strategies in organizations ranging from small to billion-dollar multi-nationals, he firmly believes in a collaborative value-driven approach to work.

Bibliography

“2020 State of Data Governance and Automation Report.” Erwin.com, 28 Jan. 2020. Web.

“Adaptive IT Governance.” Google search, 15 Nov. 2020.

“Adaptive IT Governance Framework.” CIO Index, 3 Nov. 2011. Accessed 15 Nov. 2020.

“Agile Governance Made Easy.” Agilist, n.d. Accessed 15 Nov. 2020.

“Automating Governance — Our Work.” Humanising Machine Intelligence, n.d. Accessed 15 Nov. 2020.

“Automation – Decisions.” IBM, 2020. Accessed 15 Oct. 2020.

Chang, Charlotte. “Accelerating Agile through effective governance.” Medium, 22 Sept. 2020. Web.

“COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

COBIT 2019. ISACA, Dec. 2018. Web.

Curtis, Blake. “The Value of IT Governance.” ISACA, 29 June 2020. Accessed 15 Nov. 2020.

De Smet, Aaron. “Three Keys to Faster, Better Decisions.” McKinsey & Company, 1 May 2019. Accessed 15 Nov. 2020.

“Decision Rules and Decision Analysis.” Navex Global, 2020. Web.

“Decisions Automation with Business Rules Management Solution.” Sumerge, 4 Feb. 2020. Accessed 15 Nov. 2020.

“DevGovOps – Key factors for IT governance for enterprises in a DevOps world.” Capgemini, 27 Sept. 2019. Web.

Eisenstein, Lena. “IT Governance Checklist.” BoardEffect, 19 Feb. 2020. Accessed 15 Nov. 2020.

“Establishing Effective IT and Data Governance.” Chartered Professional Accountants Canada, n.d. Accessed 15 Nov. 2020.

Gandzeichuk, Ilya. “Augmented Analytics: From Decision Support To Intelligent Decision-Making.” Forbes, 8 Jan. 2020. Accessed 15 Nov. 2020.

Georgescu, Vlad. “What Is IT Governance? Understanding From First Principles.” Plutora, 18 Oct. 2019. Web.

Goodwin, Bill. “IT Governance in the Era of Shadow IT.” ComputerWeekly, 5 Aug. 2014. Accessed 15 Nov. 2020.

“Governance of IT, OT and IOT.” ISACA Journal, 2019. Web.

Gritsenko, Daria, and Matthew Wood. “Algorithmic Governance: A Modes of Governance Approach.” Regulation & Governance, 10 Nov. 2020. Web.

Hansert, Philipp. “Adaptive IT Governance with Clausmark’s Bee4IT.” Bee360, 25 Oct. 2019. Accessed 15 Nov. 2020.

Havelock, Kylie. “What Does Good Product Governance Look Like?” Medium. 8 Jan. 2020. Web.

Haven, Dolf van der. “Governance of IT with ISO 38500 - A More Detailed View” LinkedIn article, 24 Oct. 2016. Accessed 15 Nov. 2020.

Hong, Sounman, and Sanghyun Lee. “Adaptive Governance and Decentralization: Evidence from Regulation of the Sharing Economy in Multi-Level Governance.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 299–305. Web.

ISACA. “Monthly Seminar & Networking Dinner: CIO Dashboard.” Cvent, Feb. 2012. Accessed 15 Nov. 2020.

ISO/IEC 38500, ISO, 2018 and ongoing.

“IT Governance.” Kenway Consulting, n.d. Accessed 15 Nov. 2020.

“IT Governance in the Age of COVID 19.” Union of Arab Banks Webinar, 19-21 Oct. 2020. Accessed 15 Nov. 2020.

Jaffe, Dennis T. “Introducing the Seven Pillars of Governance.” Triple Pundit, 15 Nov. 2011. Accessed 15 Nov. 2020.

Janssen, Marijn, and Haiko van der Voort. “Agile and Adaptive Governance in Crisis Response: Lessons from the COVID-19 Pandemic.” International Journal of Information Management, vol. 55, December 2020. Web.

Jodya, Tiffany. “Automating Enterprise Governance within Delivery Pipelines.” Harness.io, 14 May 2020. Web.

Kumar, Sarvesh. “AI-Based Decision-Making Automation.” Singular Intelligence, 17 June 2019. Web.

“Lean IT Governance.” Disciplined Agile, n.d. Accessed 15 Nov. 2020.

Lerner, Mark. “Government Tech Projects Fail by Default. It Doesn’t Have to Be This Way.” Belfer Center for Science and International Affairs, 21 Oct. 2020. Accessed 15 Nov. 2020.

Levstek, Aleš, Tomaž Hovelja, and Andreja Pucihar. “IT Governance Mechanisms and Contingency Factors: Towards an Adaptive IT Governance Model.” Organizacija, vol. 51, no. 4, Nov. 2018. Web.

Maccani, Giovanni, et al. “An Emerging Typology of IT Governance Structural Mechanisms in Smart Cities.” Government Information Quarterly, vol. 37, no. 4, Oct. 2020. Web.

Magowan, Kirstie. “IT Governance vs IT Management: Mastering the Differences.” BMC Blogs, 18 May 2020. Accessed 15 Nov. 2020.

Mazmanian, Adam. “Is It Time to Rethink IT Governance? ” Washington Technology, 26 Oct. 2020. Accessed 15 Nov. 2020.

Mukherjee, Jayanto. “6 Components of an Automation (DevOps) Governance Model.” Sogeti, n.d. Accessed 15 Nov. 2020.

Ng, Cindy. “The Difference Between Data Governance and IT Governance.” Inside Out Security, updated 17 June 2020. Web.

Pearson, Garry. “Agile or Adaptive Governance Required?” Taking Care of the Present (blog), 30 Oct. 2020. Accessed 15 Nov. 2020.

Peregrine, Michael, et al. “The Long-Term Impact of the Pandemic on Corporate Governance.” Harvard Law School Forum on Corporate Governance, 16 July 2020. Web.

Raymond, Louis, et al. “Determinants and Outcomes of IT Governance in Manufacturing SMEs: A Strategic IT Management Perspective.” International Journal of Accounting Information Systems, vol. 35, December 2019. Web.

Rentrop, Christopher. “Adaptive IT Governance – Foundation of a Successful Digitalization.” Business IT Cooperation Coordination Controlling (blog). May 2, 2018. Web.

Schultz, Lisen, et al. “Adaptive Governance, Ecosystem Management, and Natural Capital.” Proceedings of the National Academy of Sciences, vol. 112, no. 24, 2015, pp. 7369–74. Web.

Selig, Gad J. Implementing IT Governance: A Practical Guide to Global Best Practices in IT Management. Van Haren Publishing, 2008. Accessed 15 Nov. 2020.

Sharma, Chiatan. “Rule Governance for Enterprise-Wide Adoption of Business Rules: Why Does a BRMS Implementation Need a Governance Framework?” Business Rules Journal, vol. 13, no. 4, April 2012. Accessed 15 Nov. 2020.

Smallwood, Robert. “Information Governance, IT Governance, Data Governance – What’s the Difference?” The Data Administration Newsletter, 3 June 2020. Accessed 15 Nov. 2020.

Snowden, Dave. "Cynefin – weaving sense-making into the fabric of our world", Cognitive Edge, 20 October 2020.

“The Place of IT Governance in the Enterprise Governance.” Institut de la Gouvernance des Systemes d’Information, 2005. Accessed 15 Nov. 2020.

Thomas, Mark. “Demystifying IT Governance Roles in a Dynamic Business Environment.” APMG International, 29 Oct. 2020. Webinar. Accessed 15 Nov. 2020.

“The Four Pillars of Governance Best Practice.” The Institute of Directors in New Zealand, 4 Nov. 2019. Web.

Wang, Cancan, Rony Medaglia, and Lei Zheng. “Towards a Typology of Adaptive Governance in the Digital Government Context: The Role of Decision-Making and Accountability.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 306–22.

Westland, Jason. “IT Governance: Definitions, Frameworks and Planning.” ProjectManager.com, 17 Dec. 2019. Web.

Wilkin, Carla L., and Jon Riddett. “IT Governance Challenges in a Large Not-for-Profit Healthcare Organization: The Role of Intranets.” Electronic Commerce Research vol. 9, no. 4, 2009, pp. 351-74. Web.

Zalnieriute, Monika, et al. “The Rule of Law and Automation of Government Decision Making.” Modern Law Review, 25 Feb. 2019. Web.

AI Governance

A Framework for Building Responsible, Ethical, Fair, and Transparent AI

Are you ready for AI?

Business leaders must manage the associated risks as they scale their use of AI

Regulations and risk assessment tools

Governments around the world are developing AI assessment methodologies and legislation for AI. Here are a couple of examples:

• Responsible use of artificial intelligence (AI) guiding principles (Canada):
  1. understand and measure the impact of using AI by developing and sharing tools and approaches
  2. be transparent about how and when we are using AI, starting with a clear user need and public benefit
  3. provide meaningful explanations about AI decision-making, while also offering opportunities to review results and challenge these decisions
  4. be as open as we can by sharing source code, training data, and other relevant information, all while protecting personal information, system integration, and national security and defense
  5. provide sufficient training so that government employees developing and using AI solutions have the responsible design, function, and implementation skills needed to make AI-based public services better
• The Algorithmic Impact Assessment tool (Canada) is used to determine the impact level of an automated decision-system. It defines 48 risk and 33 mitigation questions. Assessment scores consider factors such as systems design, algorithm, decision type, impact, and data.
• The National AI Initiative Act of 2020 (DIVISION E, SEC. 5001) (US) became law on January 1, 2021. This is a program across the entire Federal government to accelerate AI research and application.
• Bill C-27, Artificial Intelligence and Data Act (AIDA) (Canada), when passed, would be the first law in Canada regulating the use of artificial intelligence systems.
• The EU Artificial Intelligence Act (EU) assigns applications of AI to three risk categories: applications and systems that create an unacceptable risk, such as government-run social scoring; high-risk applications, such as a CV-scanning tool that ranks job applicants; and lastly, applications not explicitly listed as high-risk.
• The FEAT Principles Assessment Methodology was created by the Monetary Authority of Singapore (MAS) in collaboration with other 27 industry partners for financial institutions to promote fairness, ethics, accountability, and transparency (FEAT) in the use of artificial intelligence and data analytics (AIDA).

AI policies around the world

Source of data: OECD.AI (2021), powered by EC/OECD (2021), database of national AI policies, accessed on 7/09/2022, https://oecd.ai.

The need for AI governance

“To adopt AI, organizations will need to review and enhance their processes and governance frameworks to address new and evolving risks.” (Canadian RegTech Association, Safeguarding AI Use Through Human-Centric Design, 2020)

To ensure responsible, transparent, and ethical AI systems, organizations will need to review existing risk control frameworks and update them to include AI risk management and impact assessment frameworks and processes. As ML and AI technologies are constantly evolving, the AI governance and AI risk management frameworks will need to evolve to ensure the appropriate safeguards and controls are in place. This applies not only to the machine learning models and AI system custom built by the organization’s data science and AI team, but it also includes AI-powered vendor tools and technologies. The vendors should be able to explain how AI is used in their products, how the model was trained, and what data was used to train the model. AI governance enables management, monitoring, and control of all AI activities within an organization.

Key concepts

Info-Tech Research Group defines the key terms used in this document as follows:

Machine learning systems learn from experience and without explicit instructions. They learn patterns from data, then analyze and make predictions based on past behavior and the patterns learned.

Artificial intelligence is a combination of technologies and can include machine learning. AI systems perform tasks that mimic human intelligence, such as learning from experience and problem solving. Most importantly, AI makes its own decisions without human intervention.

We use the definition of data ethics by Open Data Institute: “Data ethics is a branch of ethics that considers the impact of data practices on people, society and the environment. The purpose of data ethics is to guide the values and conduct of data practitioners in data collection, sharing and use.”

Algorithmic or machine bias is systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others. Algorithmic bias is not a technical problem. It’s a social and political problem, and in the context of implementing AI for business benefits, it’s a business problem.

Download the blueprint Mitigate Machine Bias blueprint for detailed discussion on bias, fairness, and transparency in AI systems

Key concepts – explainable, transparent and trustworthy

AI Governance Framework

Monitoring Monitoring compliance and risk of AI/ML systems/models in production Tools & Technologies Tools and technologies to support AI governance framework implementation Model Governance Ensures accountability and traceability for AI/ML models

Organization Structure, roles, and responsibilities of the AI governance organization Operating Model How AI governance operates and works with other organizational structures to deliver value Risk and Compliance Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks Policies/Procedures/ Standards Policies and procedures to support implementation of AI governance

Select a Marketing Management Suite

A best-fit solution balances needs, cost, and capability.

Table of contents

1. Project Rationale
2. Execute the Project/DIY Guide
   • 2.1. Launch the MMS Project and Collect Requirements
   • 2.2. Shortlist Marketing Management Suites
   • 2.3. Select Vendor and Communicate Decision to Stakeholders
3. Appendices

ANALYST PERSPECTIVE

Navigate the complexity of a vast ecosystem by taking a structured approach to marketing management suite (MMS) selection.

“Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.

Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.”

Ben Dickie
Research Director, Enterprise Applications
Info-Tech Research Group

Phase milestones

Launch the MMS Project and Collect Requirements — Phase 1

• Understand the MMS market space.
• Assess organizational and project readiness for MMS selection.
• Structure your MMS selection and implementation project by refining your MMS roadmap.
• Align organizational use-case fit with market use cases.
• Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

• Review MMS market leaders and players within your aligned use case.
• Review MMS vendor profiles and capabilities.
• Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

• Submit request for proposal (RFP) to shortlisted vendors.
• Evaluate vendor responses and develop vendor demonstration scripts.
• Score vendor demonstrations and select the final product.

Stop! Are you ready for this project?

Executive summary

Situation

The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.

Complication

• The first challenge is deciding whether to implement a full marketing suite or a point solution.
• The number of marketing suites and point solutions has increased from 50 to more than 800 just in the past five years.
• IT is receiving a growing number of marketing analytics requests and must be prepared to speak intelligently about marketing management vendor selection.

Resolution

• Leverage Info-Tech’s comprehensive three-phase approach to MMS selection projects: assess your organization’s preparedness to go into the selection stage, move through technology selection, and present decisions to stakeholders.
• Conduct an MMS project preparedness assessment to ensure you maximize the value of your time, effort, and spend.
• Determine whether your organization’s needs will best be met by a marketing management suite or a point solution.
• Determine which use case your organization fits into and review the relevant vendor landscape, common capability, and areas of product differentiation. Consult Info-Tech’s market analysis to shortlist vendors for your RFP process.
• Take advantage of traceable and auditable selection tools to run an effective evaluation and selection process. Be prepared to answer the retroactive question “Why this MMS?” with documentation of your selection process and outputs.

Info-Tech Insight

1. The new MMS market. Selecting a marketing management solution has become increasingly difficult, with the number of players in the marketplace ballooning to meet buyer demand.
2. Direct translation to revenue. Picking the wrong marketing solution has a direct impact on the bottom line. However, the right MMS can lead to a 7.3x greater year-over-year increase in annual revenue.
3. Don’t buy best-of-breed; buy best-for-you. Base your vendor selection on your requirements and use case, not on the vendor’s overall performance.

MMS is a key piece of the CRM puzzle

In order to optimize cross-sell opportunities and marketing effectiveness, there needs to be a master customer database, which belongs in the customer relationship management (CRM) suite.

“When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.)

A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

Understand what an MMS can do for you

Take time to learn the capabilities of modern marketing applications. Understanding the “art of the possible” will help you to get the most out of your MMS.

Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

Use Info-Tech’s MMS implementation methodology as a starting point for your organization’s MMS selection

Contact your account representative or email Workshops@InfoTech.com for more information.

Professional services provider engages Info-Tech to guide it through its MMS selection journey

Info-Tech offers various levels of support to best suit your needs

Select a Marketing Management Suite – project overview

	1. Launch the MMS Project and Collect Requirements	2. Shortlist Marketing Management Suites	3. Select Vendor and Communicate Decision to Stakeholders
Best-Practice Toolkit	1.1 Assess the value and identify your organization’s fit for MMS technology. 1.2 Build your procurement team and project customer experience management (CXM) strategy. 1.3 Identify your MMS requirements.	2.1 Produce your shortlist	3.1 Select your MMS 3.2 Present selection
Guided Implementations	Understand CXM strategy and identify your fit for MMS technology. Identify staffing needs. Plan requirements gathering steps.	Discuss use-case fit assessment results. Discuss vendor landscape.	Create a procurement strategy. Discuss executive presentation. Conduct a proposal review.
Onsite Workshop	Module 1: Launch Your MMS Selection Project	Module 2: Analyze MMS Requirements and Shortlist Vendors	Module 3: Plan Your Procurement Process
	Phase 1 Outcome: Launch of MMS selection project	Phase 2 Outcome: Shortlist of vendors	Phase 3 Outcome: Selection of MMS

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

	This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
	This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization.
	This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research.

Select a Marketing Management Suite

PHASE 1

Launch the MMS Project and Collect Requirements

Phase 1 outline

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Launch Your MMS Project and Collect Requirements

Proposed Time to Completion: 3 weeks

Phase 1 milestones

Launch the MMS Project and Collect Requirements — Phase 1

• Understand the MMS market space.
• Assess organizational and project readiness for MMS selection.
• Structure your MMS selection and implementation project by refining your MMS roadmap.
• Align organizational use-case fit with market use cases.
• Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

• Review MMS market leaders and players within your aligned use case.
• Review MMS vendor profiles and capabilities.
• Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

• Submit request for proposal (RFP) to shortlisted vendors.
• Evaluate vendor responses and develop vendor demonstration scripts.
• Score vendor demonstrations and select the final product.

Step 1.1: Understand the MMS market

This step will walk you through the following activities:

• MMS market overview

This step involves the following participants:

• Project team
• Project manager
• Project sponsor

Outcomes of this step

• An understanding of the evolution of the MMS market space and how it helps today’s organizations.
• An evaluation of new and upcoming trends sought by MMS clients.
• Verification of whether an MMS is a fit with your organization.

Speak the same language as the marketing department to deliver the most business value

Marketing Management Suite Glossary

MMS is a key piece of the customer experience ecosystem

A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue. If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good. A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS.

Understanding the “art of the possible”

Expect the marketing department to drive suite adoption, but don’t count out the benefits MMS will also provide to IT

MMS adoption is driven by the need for better campaign execution and marketing intelligence. MMS technologies are adopted to create faster, easier, more intelligent, and more measurable campaigns and make managing complex channels easy and repeatable.

(Source: Info-Tech Research Group; N=23)

The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.

Additional benefits to IT driven by MMS

Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.

Info-Tech Insight

Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.

Step 1.2: Structure the project

This step will walk you through the following activities:

• Determine if you are ready to kick off the MMS selection project.
• Align project goals with CXM strategy and business goals.

This step involves the following participants:

• Core project team
• Project manager
• Project sponsor

Outcomes of this step

• Assurance that you have completed adequate preparation, obtained stakeholder and sponsor buy-in, secured sufficient resources, and completed strategy and planning activities to move forward with selection.
• An approach to remedy organizational readiness to prepare for MMS selection.
• An understanding of stakeholder goals.

Identify the scope and purpose of your MMS selection process

Info-Tech Insights

Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.

Activity: Understand your business’ goals for MMS by parsing your formal CXM strategy

INPUT: Stakeholder user stories

OUTPUT: Understanding of ideal outcomes from MMS implementation

MATERIALS: Whiteboard and marker or sticky notes

PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps

Instructions

1. Outline the purpose of the future MMS tool and the drivers behind this business decision with the project’s key stakeholders.
2. Document plans to ensure that these drivers are taken into consideration and realized following implementation. Example:

   Improve	Reduce/Eliminate	KPIs
   Multichannel marketing	Duplication of effort	Number of customer interaction channels supported
   Social integration	Process inefficiencies	Number of social signals received (likes, shares, etc.)
   …	…	…

If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.

Understanding marketing suites

This blueprint focuses on complete, integrated marketing management suites An integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected.

Understanding marketing point solutions

Determine if MMS is right for your organization

Info-Tech Insight

Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.

Determine if you are ready to kick off your MMS selection and implementation project

Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite. Sections of the Tool: Goals & Objectives Project Team Current State Understanding Future State Vision Business Process Improvement Project Metrics Executive Sponsorship Stakeholder Buy-In & Change Management Risk Management Cost & Budget

INFO-TECH DELIVERABLE Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3.

Activity: Determine if you are ready to kick off your MMS selection project

1.2.3 30 minutes

INPUT: MMS foundation, MMS strategy

OUTPUT: Readiness remediation approach, Validation of MMS project readiness

MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist

PARTICIPANTS: Project sponsor, Core project team

Instructions

1. Download the MMS Readiness Assessment Checklist.
2. Review Section 1 of the checklist with the core project team and/or project sponsor, item by item. For completed items, tick the relative checkbox.
3. Once the whole checklist has been reviewed, document all incomplete items in the table under Section 1 in the first table column (“Incomplete Readiness Item”).
4. For each incomplete item, use your discretion to determine whether its completion is critical in preparation for MMS selection and implementation. This may vary given the complexity of your MMS project. If the item is critical to the project, indicate this with “Y” in the second column (“Criticality (Y/N)”).
5. For each critical item, reflect on the barriers that have prevented or are preventing its completion. Possible barriers include incomplete task dependencies, low value-to-effort determination, lack of organizational knowledge or resources, pressure of deadlines, etc. Document these barriers in the third column (“Barriers to Completion”).
6. Based on the barriers determined in Step 5, determine a remediation approach for each item. Document the approach in the fourth column (“Remediation Approach”).
7. For each remediation activity, designate a due date and remediation owner. Document this in the fifth column (“Due Date & Owner”).
8. Carry out the remediation of critical tasks and return to this blueprint to kickstart your selection and implementation project.

Step 1.3: Gather MMS requirements

This step will walk you through the following activities:

• Understand your MMS use case.
• Elicit and capture your MMS requirements.
• Prioritize your solution requirements.

This step involves the following participants:

• Core project team
• Project manager
• Business analysts
• Procurement subject-matter experts (SMEs)

Outcomes of this step

• Project alignment with MMS market use case.
• Inventory of categorized and prioritized MMS business requirements.

Understand the dominant use-case scenarios for MMS across organizations

Activity: Understand which type of MMS you need

1.3.1 30 minutes

INPUT: Use-case breakdown

OUTPUT: Project use-case alignments

Materials: Whiteboard, markers

Participants: Project manager, Core project team (optional)

Instructions

1. Familiarize your team with Info-Tech’s MMS use-case breakdown from the previous slide.
2. Determine which use case is best aligned with your organization’s MMS project objectives. If you need assistance with this, consider the relevance of the cases studies and statements on the following slides.
3. If your team agrees with most or all statements under a given use case, this indicates strong alignment towards that use case. It is possible for an organization to align with more than one use case. Your use-case alignment will guide you in creating a vendor shortlist later in this project.

Use Info-Tech’s vendor research and use-case scenarios to support your organization’s vendor analysis

The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.

Determining your use case is crucial for:

1. Selecting an application that is the right fit
2. Establishing a business case for MMS

The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.

Use-case alignment and business need

Marketing Automation

Marketing Need	Manage customer experience across multiple channels	Manage multiple campaigns simultaneously	Integrate web-enabled devices (IoT) into marketing campaigns	Run and track email marketing campaigns

The Portland Trail Blazers utilize an MMS to amplify their message with marketing automation technology

Use-case alignment and business need

Marketing Intelligence

Marketing Need	Capture marketing- and customer-related data from multiple sources	Analyze large quantities of marketing data	Visualize marketing-related data in a manner that is easy for decision makers to consume	Perform trend and predictive analysis

Chico’s FAS uses marketing intelligence to drive customer loyalty

Use-case alignment and business need

Social Marketing

Marketing Need	Understand customers' likes and dislikes	Manage and analyze social media channels like Facebook and Twitter	Foster a conversation around specific products	Engage international audiences through regional messaging apps

Bayer leverages MMS technology to cultivate a social presence

Leverage Info-Tech’s requirements gathering framework to serve as the basis for capturing your MMS requirements

REQUIREMENTS GATHERING Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering.

Activity: Elicit and capture your MMS requirements

1.3.2 Varies

INPUT: MMS tool user expertise, MMS Requirements Picklist Tool

OUTPUT: A list of needs from the MMS tool user perspective

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: MMS users in the organization, MMS selection committee

Instructions

1. Identify stakeholders for the requirements gathering exercise. Consider holding one-on-one sessions or large focus groups with key stakeholders or the project sponsor to gather business requirements for an MMS.
2. Use the MMS Requirements Picklist Tool as a starting point for conducting the requirements elicitation session(s).
3. Begin by reading the instructions in the template and then move to the “Requirements” worksheet. Read each defined requirement in the worksheet and indicate in the “Requirement Status” column whether the requirement is a “Must,” “High,” or “Low.” Confirming the status is an important part of the exercise. The status will help filter vendors for final selection later on in the process.
4. Decide whether additional requirements are necessary by asking the MMS tool users. If so, add the requirements to the bottom of the “Requirements” worksheet and indicate their “Requirement Status.”

Download the MMS Requirements Picklist Tool to help with completing this activity.

Show the measurable benefits of MMS with metrics

The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.

Info-Tech Insight

Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.2.1		Align the CXM strategy value proposition to MMS capabilities Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market.
1.3.2		Define the needs of MMS users Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements.

Select a Marketing Management Suite

PHASE 2

Shortlist Marketing Management Suites

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Shortlist Marketing Management Suites

Proposed Time to Completion: 1-3 months

Phase 2 milestones

Launch the MMS Project and Collect Requirements — Phase 1

• Understand the MMS market space.
• Assess organizational and project readiness for MMS selection.
• Structure your MMS selection and implementation project by refining your MMS roadmap.
• Align organizational use-case fit with market use cases.
• Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

• Review MMS market leaders and players within your aligned use case.
• Review MMS vendor profiles and capabilities.
• Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

• Submit request for proposal (RFP) to shortlisted vendors.
• Evaluate vendor responses and develop vendor demonstration scripts.
• Score vendor demonstrations and select the final product.

Step 2.1: Analyze and shortlist MMS vendors

This step will walk you through the following activities:

• Review MMS vendor landscape.
• Take note of relevant point solutions.
• Shortlist vendors for the RFP process.

This step involves the following participants:

• Core project team

Outcomes of this step

• Understanding of Info-Tech’s use-case scenarios for MMS: marketing automation, marketing intelligence, and social marketing.
• Familiarity with the MMS vendor landscape.
• Shortlist of MMS vendors for RFP process.

Familiarize yourself with the MMS market: How it got here

Info-Tech Insight

As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.

Familiarize yourself with the MMS market: Where it’s going

Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

Vendors & Products Evaluated

Table stakes are the minimum standard; without these, a product doesn’t even get reviewed

Take a holistic approach to vendor and product evaluation

Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:

Info-Tech Insight

Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.

Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

Use the information in the MMS vendor profiles to streamline your vendor analysis process

Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs. L = Use-case leader P = Use-case player
Understand your organization’s size and whether it falls within the product’s market focus. Large enterprise: 2,000+ employees and revenue of $250M+ Small-medium enterprise: 30-2,000 employees and revenue of $25M-$250M
Review the differentiating features to identify where the application performs best.
Colors signify a feature’s performance.

Adobe Marketing Cloud

		FUNCTIONAL SPOTLIGHT Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects. Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program. Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing L L P	MARKET FOCUS Small-Medium Large Enterprise ✔

Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors.

FEATURES

HubSpot

		FUNCTIONAL SPOTLIGHT Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform. Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows. Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P P P	MARKET FOCUS Small-Medium ✔ Large Enterprise ✔

Hubspot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, Hubspot has an official integration with Salesforce for expanded operations management and analytics capabilities.

FEATURES

IBM Marketing Cloud

		FUNCTIONAL SPOTLIGHT Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns. Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson. Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing L L P	MARKET FOCUS Small-Medium ✔ Large Enterprise ✔

IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem.

FEATURES

Marketo

		FUNCTIONAL SPOTLIGHT Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign. Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns. Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P P P	MARKET FOCUS Small-Medium ✔ Large Enterprise

Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs.

FEATURES

Oracle Marketing Cloud

		FUNCTIONAL SPOTLIGHT Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver. ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient. Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P P P	MARKET FOCUS Small-Medium Large Enterprise ✔

Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud.

FEATURES

Salesforce Marketing Cloud

		FUNCTIONAL SPOTLIGHT Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior. Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms. Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing L P L	MARKET FOCUS Small-Medium ✔ Large Enterprise ✔

Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers.

FEATURES

Salesforce Pardot

		FUNCTIONAL SPOTLIGHT Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform. Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring. Program Steps: Salesforce developed a distinct own workflow building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P P -	MARKET FOCUS Small-Medium ✔ Large Enterprise ✔

Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products.

FEATURES

SAP Hybris Marketing

		FUNCTIONAL SPOTLIGHT CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines. Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons. Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P L P	MARKET FOCUS Small-Medium Large Enterprise ✔

SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets.

FEATURES

SAS Marketing Intelligence

		FUNCTIONAL SPOTLIGHT Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow. Spots: A native digital asset manager that can store property that is part of existing and future campaigns. Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite.
USE-CASE PERFORMANCE Marketing Automation Marketing Intelligence Social Marketing P L	MARKET FOCUS Small-Medium Large Enterprise ✔

SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist.

FEATURES

Consider alternative MMS vendors not included in Info-Tech’s vendor profiles

1. Our clients must be talking about the solution.
2. Our analysts must believe the solution will play well within the evaluation.
3. The vendor must meet table stakes criteria.

Additional vendors in the MMS market:
See the next slides for suggested point solutions.

Leverage Info-Tech’s WXM and SMMP vendor landscapes to select platforms that fit with your CXM strategy

Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.

Social Media Management Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform.

Web Experience Management Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution.

Consider point solutions if a full suite is not required

Email Marketing

Consider point solutions if a full suite is not required

Search Engine Optimization (SEO)

Consider point solutions if a full suite is not required

Demand-Side Platform (DSP)

Consider point solutions if a full suite is not required

Customer Portal Software

Select a Marketing Management Suite

PHASE 3

Select Vendor and Communicate Decision to Stakeholders

Phase 3 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Plan Your MMS Implementation

Proposed Time to Completion: 2 weeks

Phase 3 milestones

Launch the MMS Project and Collect Requirements — Phase 1

• Understand the MMS market space.
• Assess organizational and project readiness for MMS selection.
• Structure your MMS selection and implementation project by refining your MMS roadmap.
• Align organizational use-case fit with market use cases.
• Collect, prioritize, and document MMS requirements.

Shortlist MMS Tool — Phase 2

• Review MMS market leaders and players within your aligned use case.
• Review MMS vendor profiles and capabilities.
• Shortlist MMS vendors based on organizational fit.

Select an MMS — Phase 3

• Submit request for proposal (RFP) to shortlisted vendors.
• Evaluate vendor responses and develop vendor demonstration scripts.
• Score vendor demonstrations and select the final product.

Step 2.1: Analyze and shortlist MMS vendors

This step will walk you through the following activities:

• Build a response template to standardize potential vendor responses and streamline your evaluation process.
• Evaluate the RFPs you receive with a clear scoring process and evaluation framework.
• Build a demo script to evaluate product demonstrations by vendors.
• Select your solution.

This step involves the following participants:

• Core project team
• Procurement SMEs
• Project sponsor

Outcomes of this step

• Completed MMS RFP vendor response template
• Completed MMS demo script(s)
• Established product and vendor evaluation criteria
• Final MMS selection

Activity: Shortlist vendors for the RFP process

3.1.1 30 minutes

INPUT: Organizational use-case fit

OUTPUT: MMS vendor shortlist

Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers

Participants: Core project team

Instructions

1. Collectively with the core project team, determine any knock-out criteria for shortlisting MMS vendors. For example, if your team is executing on a strategy that favors mobile deployment, vendors who do not have a mobile offering may be off the table.
2. Based on the results in Activity 1.3.2, write a longlist of vendors. In most cases, this list will consist of all the vendors that fall into your organization’s use-case scenario. If your organization fits into more than one use case (e.g. your organization has both product-centric and service-centric MMS needs), look for the overlap of vendors between the use cases.
3. Review the profiles of the vendors that fall into your use-case scenario. Based on your knock-out criteria established in Step 1, eliminate any vendors as applicable.
4. Finalize and record your shortlist of MMS vendors.

Use Info-Tech’s MMS Request for Proposal Template to document and communicate your requirements to vendors

3.1.2 MMS Request for Proposal Template

Activity: Create an RFP to submit to MMS vendors

3.1.3 1-2 hours

INPUT: Business requirements document, Procurement procedures

OUTPUT: MMS RFP

Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)

Participants: Procurement SMEs, Project manager, Core project team (optional)

Instructions

1. Download Info-Tech’s MMS Request for Proposal Template or prepare internal best-practice RFP tools.
2. Build your RFP:
   1. Complete the statement of work and general information sections to provide organizational context to your longlisted vendors.
   2. Outline the organization’s procurement instructions for vendors, including due diligence, assessment criteria, and dates.
   3. Input the business requirements document as created in Activity 1.3.2.
   4. Create a scenario overview to provide vendors with an opportunity to give an estimate price.
3. Obtain approval for your RFP. Each organization has a unique procurement process; follow your own organization’s process as you submit your RFPs to vendors. Ensure compliance with your organization’s standards and gain approval for submitting your RFP.

Establish vendor evaluation criteria

Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.

EXAMPLE EVALUATION CRITERIA
Functionality (30%) Breadth of capability Tactical capability Operational capability	Ease of Use (25%) End-user usability Administrative usability UI attractiveness Self-service options
Cost (15%) Maintenance Support Licensing Implementation (internal and external costs)	Vendor (15%) Support model Customer base Sustainability Product roadmap Proof of concept Implementation model
Technology (15%) Configurability options Customization requirements Deployment options Security and authentication Integration environment Ubiquity of access (mobile)	Info-Tech Insight Base your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations.

Vendor demonstrations

Examine how the vendor’s solution performs against your evaluation framework.

What is the value of a vendor demonstration?

Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.

A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.

What should be included in a vendor demonstration?

1. Vendor’s display of its solution for the scenarios provided in the demo script.
2. Display of functional capabilities of the tool.
3. Briefing on integration capabilities.

Activity: Invite top performing vendors for product demonstrations

3.1.4 1-2 hours

INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area

OUTPUT: MMS demo script

Materials: Info-Tech’s MMS Vendor Demo Script

Participants: Procurement SMEs, Core project team

Instructions

1. Have your evaluation team (selected at the onset of the project) present to evaluate each vendor’s presentation. In some cases you may choose to bring in a subject matter expert (SME) to evaluate a specific area of the tool.
2. Outline the logistics of the demonstration in the Introduction section of the template. Be sure to outline the total length of the demo and the amount of time that should be dedicated to the following:
   • Product demonstration in response to the demo script
   • Showcase of unique product elements, not reflective of the demo script
   • Question and answer session
   • Breaks and other potential interruptions
3. Provide prompts for the vendor to display the capabilities by listing and describing usage scenarios by functional area. For example, when asking a vendor to demo financial and accounting management capabilities, you may break scenarios out by task (e.g. general ledger, accounts payable) or user role (e.g. finance manager, administrator).

Info-Tech Insight

Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as change system visualizations or design, change underlying data, add additional datasets, demonstrate analytics capabilities, or channel specific automation.

Use Info-Tech’s MMS Vendor Demo Script template to set expectations for vendor product demonstration

MMS Vendor Demo Script

Leverage Info-Tech’s vendor selection and negotiation models as the basis for a streamlined MMS selection process

Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.

Vendor Selection Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process.

Vendor Negotiation Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last.

Step 3.2: Communicate decision to stakeholders

This step will walk you through the following activities:

• Collect project rationale documentation.
• Create a presentation to communicate your selection decision to stakeholders.

This step involves the following participants:

• Core project team
• Procurement SMEs
• Project sponsor
• Business stakeholders
• Relevant management

Outcomes of this step

• Completed MMS Selection Executive Presentation Template
• Affirmation of MMS selection by stakeholders

Inform internal stakeholders of the final decision

Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.

Activity: Prepare a presentation deck to communicate the selection process and decision to internal stakeholders

3.2.1 1 week

INPUT: MMS tool selection committee expertise

OUTPUT: Decision to invest or not invest in an MMS tool

Materials: Note-taking materials, Whiteboard or flip chart, markers

Participants: MMS tool selection committee

Instructions

1. Download Info-Tech’s MMS Selection Executive Presentation Template.
2. Read the instructions on slide 2 of the template. Then, on slide 3, decide if any portion of the selection process should be removed from the communication. Discuss with the team and make adjustments to slide 3 as necessary.
3. Work with the MMS selection committee to populate the slides that remain after the adjustments. Follow the instructions on each slide to help complete the content.
4. Refer to the square brackets on each slide (e.g. [X.X]) to identify the activity numbers in this storyboard that correspond to the slide in the MMS Selection Executive Presentation Template. Use the outputs produced from the corresponding activities in this deck and populate each slide in the MMS Selection Executive Presentation Template.
5. Use the completed template to present to internal stakeholders.

Info-Tech Insight

Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.

Vendor participation

Vendors Who Briefed with Info-Tech Research Group

Professionals Who Contributed to Our Evaluation and Research

• Sara Camden, Digital Change Agent, Equifax
• Caren Carrasco, Lifecycle Marketing and Automation, Benjamin David Group
• 10 anonymous contributors participated in the vendor briefings

Works cited

Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.

IBM Corporation, “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.

Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.

Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.

Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.

SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.

SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.

Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!

Table of Contents

Table of Contents

Analyst Perspective

Vulnerabilities will always be present. Know the unknowns!

In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

Jimmy Tom Research Advisor – Security, Privacy, Risk, and Compliance Info-Tech Research Group

Executive Summary

Info-Tech Insight

Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

Common obstacles

These barriers make vulnerability management difficult to address for many organizations: The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient. Many organizations feel that a “patch everything” approach is the most effective path. Vulnerability management is commonly misunderstood as being a process that only supports patch management. There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.

CVSS Score Distribution From the National Vulnerability Database: (Source: NIST National Vulnerability Database Dashboard)

Leverage risk to sort, triage, and prioritize vulnerabilities

Reduce your risk surface to avoid cost to your business; everything else is table stakes.

Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

Identify vulnerability sources

An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

Triage and prioritize

Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

Remediate vulnerabilities

Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

Measure and formalize

Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

Tactical Insight 1

All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

Tactical Insight 2

Reduce the risk surface down below the risk threshold.

The industry has shifted to a risk-based approach

Traditional vulnerability management is no longer viable.

“For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

“Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

“Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

“A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

Why a take risk-based approach?

Vulnerabilities, by the numbers

60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

Info-Tech Insight

Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

Info-Tech’s vulnerability management methodology

Focus on developing the most efficient processes.

Vulnerability management isn’t “old school.”

The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

Info-Tech Insight

Vulnerability management is not only patch management. Patching is only one aspect.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable: Vulnerability Management SOP The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.	Vulnerability Management Policy Template for your vulnerability management policy.		Vulnerability Tracking Tool This tool offers a template to track vulnerabilities and how they are remedied.
	Vulnerability Scanning RFP Template Request for proposal template for the selection of a vulnerability scanning tool.		Vulnerability Risk Assessment Tool Methodology to assess vulnerability risk by determining impact and likelihood.

Blueprint benefits

Info-Tech’s process can save significant financial resources

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Implement Risk-Based Vulnerability Management

Phase 1

Identify Vulnerability Sources

This phase will walk you through the following activities:

Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

This phase involves the following participants:

• Security operations team
• IT Security Manager
• IT Director
• CISO

Step 1.1

Vulnerability Management Defined

Activities

None for this section

This step will walk you through the following activities:

Establish a common understanding of vulnerability management and its place in the IT organization.

This step involves the following participants:

• Security operations team
• IT Security Manager
• IT Director
• CISO

Outcomes of this step

Foundational knowledge of vulnerability management in your organization.

What is vulnerability management?

It’s more than just patching.

Effective vulnerability management

It’s not easy, but it’s much harder without a process in place. Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion. Patching isn’t the only solution, but it’s the one that often draws focus. Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation. Identifying new threats without proper vulnerability scanning tools can be a near-impossible task. Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk. Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

You’re not just doing this for yourself. It’s also for your auditors. Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

Vulnerability management revolves around your asset security services

Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program. Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

Vulnerability management works in tandem with SecOps and ITOps

Vulnerability Management Process Inputs/Outputs: Arrows denote direction of information feed

Vulnerability management serves as the input into a number of processes for remediation, including: Incident management, to deal with issues Release management, for patch management Change management, for change control IT asset management, to track version information, e.g. for patching Application security testing, for the verification of vulnerabilities A two-way data flow exists between vulnerability management and: Security risk management, for the overall risk posture of the organization Threat intelligence, as vulnerability management reveals only one of several threat vectors

For additional information please refer to Info-Tech’s research for each area:

Info-Tech’s Information Security Program Framework

Vulnerability management is a component of the Infrastructure Security section of Security Management

For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts. Info-Tech Insight Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

Case Study

INDUSTRY: Manufacturing SOURCE: Cimpress, 2016

One organization is seeing immediate benefits by formalizing its vulnerability management program.

Step 1.2

Defining the scope and roles

Activities

• 1.2.1 Define the scope and boundary of your organization’s security program
• 1.2.2 Assign responsibility for vulnerability identification and remediation

This step will walk you through the following activities:

Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

This step involves the following participants:

• Security operations team
• IT Security Manager
• IT Director
• CISO

Outcomes of this step

Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

Determine the scope of your security program

This will help you adjust the depth and breadth of your vulnerability management program. Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee. Scope can be defined along four aspects: Data Scope – What data elements in your organization does your security program cover? How is data classified? Physical Scope – What physical scope, such as geographies, does the security program cover? Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations? IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?

1.2.1 Define the scope and boundary of your organization’s security program

Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

Output: Defined scope and boundaries of the IT security program

Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

Participants: Business stakeholders, IT leaders, Security team members

1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

The goal is to identify what your vulnerability management program is responsible for and document it.

Consider the following:

How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

Download the Vulnerability Management SOP Template

Assets are part of the scope definition

An inventory of IT assets is necessary if there is to be effective vulnerability management.

Assign responsibility for vulnerability identification and remediation

Determine who is critical to effectively detecting and managing vulnerabilities. Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability. Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems. Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion? The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.

1.2.2 Assign responsibility for vulnerability identification and remediation

Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

Output: Defined set of roles and responsibilities for member groups

Materials: Vulnerability Management SOP Template

Participants: CIO, CISO, IT Management representatives for each area of IT

1. Display the table of responsibilities that need to be assigned.
2. List all the positions within the IT security team.
3. Map these to the positions that require IT security team members.
4. List all positions that are part of the IT team.
5. Map these to the positions that require IT team members.

If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

Download the Vulnerability Management SOP Template

Step 1.3

Cloud considerations for vulnerability management

Activities

None for this section.

This step will walk you through the following activities:

Review cloud considerations for vulnerability management

This step involves the following participants:

• Security operations team
• IT Security Manager
• IT Director
• CISO

Outcomes of this step

Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

Cloud considerations

Cloud will change your approach to vulnerability management. There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed. Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations. With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased. Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments. In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.

For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

Cloud environment scanning

Cloud scanning is becoming a more common necessity but still requires special consideration.

An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

Step 1.4

Vulnerability detection

Activities

• 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
• 1.4.2 Incident management and vulnerability management

This step will walk you through the following activities:

Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

Determine how incident management and vulnerability management interoperate.

This step involves the following participants:

• Security operations team
• IT Security Manager
• IT Director
• CISO

Outcomes of this step

Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

Vulnerability detection

Vulnerabilities can be identified through numerous mediums.

Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

Automate with a vulnerability scanning tool

Vulnerability scanning tool considerations

Select a vulnerability scanning tool with the features you need to be effective. Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting. In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered. A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities. A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.

For guidance on tool vendors Visit SoftwareReviews for information on vulnerability management tools and vendors.

Vulnerability scanning tool best practices

How often should scans be performed?

One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

ANALYST PERSPECTIVE: Organizations should look for continuous scanning

Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

Continuous Scanning Methods

Vulnerability scanning tool best practices

Where to perform a scan.

Vulnerability scanning tool best practices

Pre-Scan Communication With Users

• It is always important to inform owners and users of systems that a scan will be happening.
• Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
• Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.

Vulnerability Scanning Tool Tracking Metrics

• Vulnerability score by operating system, application, or organization division.
  • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
• Most vulnerable applications and application version.
  • This provides insight into how outdated applications are creating risk exposure for an organization.
  • This will also provide metrics on the effectiveness of your patching program.
• Number of assets scanned within the last number of days.
  • This provides visibility into how often your assets are being scanned and thus protected.
• Number of unowned devices or unapproved applications.
  • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

Third-party vulnerability information sources

IT security forums and mailing lists are another source of vulnerability information.

Proactively identify new vulnerabilities as they are announced.

By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

Common sources: Vendor websites and mailing lists Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included. There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually. Third-party websites A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors. However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching. Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts. Vulnerability databases These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).

Third-party vulnerability information sources

IT security forums and mailing lists are another source of vulnerability information.

Third-party sources for vulnerabilities

• Open Source Vulnerability Database (OSVDB)
  • An open-source database that is run independently of any vendors.
• Common Vulnerabilities and Exposures (CVE)
  • Free, international dictionary of publicly known information security vulnerabilities and exposures.
• National Vulnerability Database (NVD)
  • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
  • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
  • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
• Open Web Application Security Project (OWASP)
  • OWASP is another free project helping to expose vulnerabilities within software.
• US-CERT National Cyber Alert System (US-CERT Alerts)
  • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
  • Cybersecurity Tips – Provide advice about common security issues for the general public.
  • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
• US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
  • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
• Open Vulnerability Assessment Language (OVAL)
  • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

1.4.1 Develop a monitoring and review process for third-party vulnerability sources

Input: Third-party resources list

Output: Process for review of third-party vulnerability sources

Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

1. Identify what third-party resources are useful and relevant.
2. Shortlist your third-party sources.
3. Identify what is the best way to receive information from a third party.
4. Document the method to receive or check information from the third-party source.
5. Identify who is responsible for maintaining third-party vulnerability information sources
6. Capture this information in the Vulnerability Management SOP Template.

Download the Vulnerability Management SOP Template

Incidents and vulnerability management

Incidents can also be a sources of vulnerabilities.

When any incident occurs, for example:

• A security incident, such as malware detected on a machine
• An IT incident, such as an application becomes unresponsive
• A crisis occurs, like a worker accident

There can be underlying vulnerabilities that need to be processed.

1.4.2 Incident management and vulnerability management

Input: Existing incident response processes, Existing crisis communications plans

Output: Alignment of vulnerability management program with existing incident management processes

Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

1. Inventory what incident response plans the organization has. These include:
   1. Information Security Incident Response Plan
   2. IT Incident Plan
   3. Problem Management Plan
   4. Crisis Management Plan
2. Identify what part of those plans contains the post-response recap or final analysis.
3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

Download the Vulnerability Management SOP Template

Implement Risk-Based Vulnerability Management

Phase 2

Triage & prioritize

This phase will walk you through the following activities:

Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

This phase involves the following participants:

• IT Security Manager
• SecOps team members
• ITOps team members, including tiers 1, 2, and 3
• CISO
• CIO

Step 2.1

Triage vulnerabilities

Activities

• 2.1.1 Evaluate your identified vulnerabilities

This step will walk you through the following activities:

Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

This step involves the following participants:

• IT Security Manager
• SecOps team members
• ITOps team members, including tiers 1, 2, and 3
• CISO
• CIO

Outcomes of this step

A consistent, documented process for the evaluation of vulnerabilities in your environment.

Triaging vulnerabilities

Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

• The intrinsic qualities of the vulnerability
• The business criticality of the affected asset
• The sensitivity of the data stored on the affected asset

Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

Info-Tech Insight

This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

Triage your vulnerabilities, filter out the noise

Triaging enables your vulnerability management program to focus on what it should focus on. Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear. Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications. Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory. There are two major use cases for this process: For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.

The Info-Tech methodology for initial triaging of vulnerabilities: Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

After eliminating the noise, evaluate your vulnerabilities to determine urgency

Consider the intrinsic risk to the organization.

• For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
• Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
• Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.

• Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
• CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
• Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.

• Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
• Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

2.1.1 Evaluate your identified vulnerabilities

Input: Visio workflow of Info-Tech’s vulnerability management process

Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

1. Review the evaluation process in the Vulnerability Management Workflow library.
2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

Download the Vulnerability Management SOP Template

Step 2.2

Determine high-level business criticality

Activities

• 2.2.1 Determine high-level business criticality
• 2.2.2 Determine your high-level data classifications

This step will walk you through the following activities:

Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

This step involves the following participants:

• IT Security Manager
• SecOps team members
• CISO

Outcomes of this step

Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

Understanding business criticality is key to determining vulnerability urgency

Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

2.2.1 Determine high-level business criticality

Input: List of business operations, Insight into business operations impacts to the business