Drive Technology Adoption

The project is over. The new technology is implemented. Now how do we make sure it's used?

Executive Summary

Your Challenge

Technology endlessly changes and evolves. Similarly, business directions and requirements change, and these changes need to be supported by technology. Improved functionality and evolvement of systems, along with systems becoming redundant or unsupported, means that maintaining a static environment is virtually impossible.

Enormous amounts of IT budget are allocated to these changes each year. But once the project is over, how do you manage that change and ensure the systems are being used? Planning your technology adoption is vital.

Common Obstacles

The obstacles to technology adoption can be many and various, covering a broad spectrum of areas including:

• Reluctance of staff to let go of familiar processes and procedures.
• Perception that any change will add complications but not add value, thereby hampering enthusiasm to adopt.
• Lack of awareness of the change.
• General fear of change.
• Lack of personal confidence.

Info-Tech’s Approach

Start by identifying, understanding, categorizing, and defining barriers and put in place a system to:

• Gain an early understanding of the different types of users and their attitudes to technology and change.
• Review different adoption techniques and analyze which are most appropriate for your user types.
• Use a “Follow the Leader” approach, by having technical enthusiasts and champions to show the way.
• Prevent access to old systems and methods.

Info-Tech Insight

For every IT initiative that will be directly used by users, consider the question, “Will the final product be readily accepted by those who are going to use it?” There is no point in implementing a product that no one is prepared to use. Gaining user acceptance is much more than just ticking a box in a project plan once UAT is complete.

The way change should happen is clear

Prosci specializes in change. Its ADKAR model outlines what’s required to bring individuals along on the change journey.

AWARENESS

• Awareness means more than just knowing there’s a change occurring,
• it means understanding the need for change.

DESIRE

• To achieve desire, there needs to be motivation, whether it be from an
• organizational perspective or personal.

KNOWLEDGE

• Both knowledge on how to train during the transition and knowledge
• on being effective after the change are required. This can only be done
• once awareness and desire are achieved.

ABILITY

• Ability is not knowledge. Knowing how to do something doesn’t necessarily translate to having the skills to do it.

REINFORCEMENT

• Without reinforcement there can be a tendency to revert.

When things go wrong

New technology is not being used

The project is seen as complete. Significant investments have been made, but the technology either isn’t being used or is only partially in use.

Duplicate systems are now in place

Even worse. The failure to adopt the new technology by some means that the older systems are still being used. There are now two systems that fail to interact; business processes are being affected and there is widespread confusion.

Benefits not being realized

Benefits promised to the business are not being realized. Projected revenue increases, savings, or efficiencies that were forecast are now starting to be seen as under threat.

There is project blowout

The project should be over, but the fact that the technology is not being used has created a perception that the implementation is not complete and the project needs to continue.

Info-Tech Insight

People are far more complicated than any technology being implemented.

Consider carefully your approach.

Why does it happen?

POOR COMMUNICATION

There isn’t always adequate communications about what’s changing in the workplace.

FEAR

Fear of change is natural and often not rational. Whether the fear is about job loss or not being able to adapt to change; it needs to be managed.

TRAINING

Training can be insufficient or ineffective and when this happens people are left feeling like they don’t have the skills to make the change.

LACK OF EXECUTIVE SUPPORT

A lack of executive support for change means the change is seen as less important.

CONFLICTING VIEWS OF CHANGE

The excitement the project team and business feels about the change is not necessarily shared throughout the business. Some may just see the change as more work, changing something that already works, or a reason to reduce staff levels.

LACK OF CONFIDENCE

Whether it’s a lack of confidence generally with technology or concern about a new or changing tool, a lack of confidence is a huge barrier.

BUDGETARY CONSTRAINTS

There is a cost with managing people during a change, and budget must be allocated to allow for it.

Communications

Info-Tech Insight

Since Sigmund Freud there has been endless work to understand people’s minds.
Don’t underestimate the effect that people’s reactions to change can have on your project.

Communication plans are designed to properly manage change. Managing change can be easier when we have the right tools and information to adapt to new circumstances. The Kubler-Ross change curve illustrates the expected steps on the path to acceptance of change. With the proper communications strategy, each can be managed appropriately

Analyst perspective

Paul Binns – Principal Research Advisor, Info-Tech

The rapidly changing technology landscape in our world has always meant that an enthusiasm or willingness to embrace change has been advantageous. Many of us have seen how the older generation has struggled with that change and been left behind.

In the work environment, the events of the past two years have increased pressure on those slow to adopt as in many cases they couldn't perform their tasks without new tools. Previously, for example, those who may have been reluctant to use digital tools and would instead opt for face-to-face meetings, suddenly found themselves without an option as physical meetings were no longer possible. Similarly, digital collaboration tools that had been present in the market for some time were suddenly more heavily used so everyone could continue to work together in the “online world.”

At this stage no one is sure what the "new normal" will be in the post-pandemic world, but what has been clearly revealed is that people are prepared to change given the right motivation.

“Technology adoption is about the psychology of change.”
Bryan Tutor – Executive Counsellor, Info-Tech

The Fix

• Categorize Users
  • Gain a clear understanding of your user types.
• Identify Adoption Techniques
  • Understand the range of different tools and techniques available.
• Match Techniques To Categories
  • Determine the most appropriate techniques for your user base.
• Follow-the-Leader
  • Be aware of the different skills in your environment and use them to your advantage.
• Refresh, Retrain, Restrain
  • Prevent reversion to old methods or systems.

Categories

Client-Driven Insight

Consider your staff and industry when looking at the Everett Rogers curve. A technology organization may have less laggards than a traditional manufacturing one.

In Everett Rogers’ book Diffusion of Innovations 5th Edition (Free Press, 2005), Rogers places adopters of innovations into five different categories.

Category 1: The Innovator – 2.5%

Innovators are technology enthusiasts. Technology is a central interest of theirs, either at work, at home, or both. They tend to aggressively pursue new products and technologies and are likely to want to be involved in any new technology being implemented as soon as possible, even before the product is ready to be released.

For people like this the completeness of the new technology or the performance can often be secondary because of their drive to get new technology as soon as possible. They are trailblazers and are not only happy to step out of their comfort zone but also actively seek to do so.

Although they only make up about 2.5% of the total, their enthusiasm, and hopefully endorsement of new technology, offers reassurance to others.

Info-Tech Insight

Innovators can be very useful for testing before implementation but are generally more interested in the technology itself rather than the value the technology will add to the business.

Category 2: The Early Adopter – 13.5%

Whereas Innovators tend to be technologists, Early Adopters are visionaries that like to be on board with new technologies very early in the lifecycle. Because they are visionaries, they tend to be looking for more than just improvement – a revolutionary breakthrough. They are prepared to take high risks to try something new and although they are very demanding as far as product features and performance are concerned, they are less price-sensitive than other groups.

Early Adopters are often motivated by personal success. They are willing to serve as references to other adopter groups. They are influential, seen as trendsetters, and are of utmost importance to win over.

Info-Tech Insight

Early adopters are key. Their enthusiasm for technology, personal drive, and influence make them a powerful tool in driving adoption.

Category 3: The Early Majority – 34%

This group is comprised of pragmatists. The first two adopter groups belong to early adoption, but for a product to be fully adopted the mainstream needs to be won over, starting with the Early Majority.

The Early Majority share some of the Early Adopters’ ability to relate to technology. However, they are driven by a strong sense of practicality. They know that new products aren’t always successful. Consequently, they are content to wait and see how others fare with the technology before investing in it themselves. They want to see well-established references before adopting the technology and to be shown there is no risk.

Because there are so many people in this segment (roughly 34%), winning these people over is essential for the technology to be adopted.

Category 4: The Late Majority – 34%

The Late Majority are the conservatives. This group is generally about the same size as the Early Majority. They share all the concerns of the Early Majority; however, they are more resistant to change and are more content with the status quo than eager to progress to new technology. People in the Early Majority group are comfortable with their ability to handle new technology. People in the Late Majority are not.

As a result, these conservatives prefer to wait until something has become an established standard and take part only at the end of the adoption period. Even then, they want to see lots of support and ensure that there is proof there is no risk in them adopting it.

Category 5: The Laggard – 16%

This group is made up of the skeptics and constitutes 16% of the total. These people want nothing to do with new technology and are generally only content with technological change when it is invisible to them. These skeptics have a strong belief that disruptive new technologies rarely deliver the value promised and are almost always worried about unintended consequences.

Laggards need to be dealt with carefully as their criticism can be damaging and without them it is difficult for a product to become fully adopted. Unfortunately, the effort required for this to happen is often disproportional to the size of the group.

Info-Tech Insight

People aren’t born laggards. Technology projects that have failed in the past can alter people’s attitudes, especially if there was a negative impact on their working lives. Use empathy when dealing with people and respect their hesitancy.

Adoption Techniques

Different strokes for different folks

Technology adoption is all about people; and therefore, the techniques required to drive that adoption need to be people oriented.

The following techniques are carefully selected with the intention of being impactful on all the different categories described previously.

There are multitudes of different methods to get people to adopt new technology, but which is the most appropriate for your situation? Generally, it’s a combination.

Train the Trainer

Use your staff to get your message across.

Abstract

This technique involves training key members of staff so they can train others. It is important that those selected are strong communicators, are well respected by others, and have some expertise in technology.

Advantages

• Cost effective
• Efficient dissemination of information
• Trusted internal staff

Disadvantages

• Chance of inconsistent delivery
• May feel threatened by co-worker

Best to worst candidates

• Early Adopter: Influential trendsetters. Others receptive of their lead.
• Innovator: Comfortable and enthusiastic about new technology, but not necessarily a trainer.
• Early Majority: Tendency to take others’ lead.
• Late Majority: Risk averse and tend to follow others, only after success is proven.
• Laggard: Last to adopt usually. Unsuitable as Trainer.

Marketing

Marketing should be continuous throughout the change to encourage familiarity.

Abstract

Communication is key as people are comfortable with what is familiar to them. Marketing is an important tool for convincing adopters that the new product is mainstream, widely adopted and successful.

Advantages

• Wide communication
• Makes technology appear commonplace
• Promotes effectiveness of new technology

Disadvantages

• Reliant on staff interest
• Can be expensive

Best to worst candidates

• Early Majority: Pragmatic about change. Marketing is effective encouragement.
• Early Adopter: Receptive and interested in change. Marketing is supplemental.
• Innovator: Actively seeks new technology. Does not need extensive encouragement.
• Late Majority: Requires more personal approach.
• Laggard: Resistant to most enticements.

One-on-One

Tailored for individuals.

Abstract

One-on-one training sometimes is the only way to train if you have staff with special needs or who are performing unique tasks.
It is generally highly effective but inefficient as it only addresses individuals.

Advantages

• Tailored to specific need(s)
• Only relevant information addressed
• Low stress environment

Disadvantages

• Expensive
• Possibility of inconsistent delivery
• Personal conflict may render it ineffective

Best to worst candidates

• Laggard: Encouragement and cajoling can be used during training.
• Late Majority: Proof can be given of effectiveness of new product.
• Early Majority: Effective, but not cost efficient.
• Early Adopter: Effective, but not cost-efficient.
• Innovator: Effective, but not cost-efficient.

Group Training

Similar roles, attitudes, and abilities.

Abstract

Group training is one of the most common methods to start people on their journey toward new technology. Its effectiveness with the two largest groups, Early Majority and Late Majority, make it a primary tool in technology adoption.

Advantages

• Cost effective
• Time effective
• Good for team building

Disadvantages

• Single method may not work for all
• Difficult to create single learning pace for all

Best to worst candidates

• Early Majority: Receptive. The formality of group training will give confidence.
• Late Majority: Conservative attitude will be receptive to traditional training.
• Early Adopter: Receptive and attentive. Excited about the change.
• Innovator: Will tend to want to be ahead or want to move ahead of group.
• Laggard: Laggards in group training may have a negative impact.

Force

The last resort.

Abstract

The transition can’t go on forever.

At some point the new technology needs to be fully adopted and if necessary, force may have to be used.

Advantages

• Immediate full transition
• Fixed delivery timeline

Disadvantages

• Alienation of some staff
• Loss of faith in product if there are issues

Best to worst candidates

• Laggard: No choice but to adopt. Forces the issue.
• Late Majority: Removes issue of reluctance to change.
• Early Majority: Content, but worried about possible problems.
• Early Adopter: Feel less personal involvement in change process.
• Innovator: Feel less personal involvement in change process.

Contests

Abstract

Contests can generate excitement and create an explorative approach to new technology. People should not feel pressured. It should be enjoyable and not compulsory.

Advantages

• Rapid improvement of skills
• Bring excitement to the new technology
• Good for team building

Disadvantages

• Those less competitive or with lower skills may feel alienated
• May discourage collaboration

Best to worst candidates

• Early Adopter: Seeks personal success. Risk taker. Effective.
• Innovator: Enthusiastic to explore limits of technology.
• Early Majority: Less enthusiastic. Pragmatic. Less competitive.
• Late Majority: Conservative. Not enthusiastic about new technology.
• Laggard: Reluctant to get involved.

Incentives

Incentives don’t have to be large.

Abstract

For some staff, merely taking management’s lead is not enough. Using “Nudge” techniques to give that extra incentive is quite effective. Incentivizing staff either financially or through rewards, recognition, or promotion is a successful adoption technique for some.

Advantages

Encouragement to adopt from receiving tangible benefit

Draws more attention to the new technology

Disadvantages

Additional expense to business or project

Possible poor precedent for subsequent changes

Best to worst candidates

Early Adopter: Desire for personal success makes incentives enticing.

Early Majority: Prepared to change, but extra incentive will assist.

Late Majority: Conservative attitude means incentive may need to be larger.

Innovator: Enthusiasm for new technology means incentive not necessary.

Laggard: Sceptical about change. Only a large incentive likely to make a difference.

Champions

Strong internal advocates for your new technology are very powerful.

Abstract

Champions take on new technology and then use their influence to promote it in the organization. Using managers as champions to actively and vigorously promote the change is particularly effective.

Advantages

• Infectious enthusiasm encourages those who tend to be reluctant
• Use of trusted internal staff

Disadvantages

• Removes internal staff from regular duties
• Ineffective if champion not respected

Best to worst candidates

• Early Majority: Champions as references of success provide encouragement.
• Late Majority: Management champions in particular are effective.
• Laggard: Close contact with champions may be effective.
• Early Adopter: Receptive of technology, less effective.
• Innovator: No encouragement or promotion required.

Herd Mentality

Follow the crowd.

Abstract

Herd behavior is when people discount their own information and follow others. Ideally all adopters would understand the reason and advantages in adopting new technology, but practically, the result is most important.

Advantages

• New technology is adopted without question
• Increase in velocity of adoption

Disadvantages

• Staff may not have clear understanding of the reason for change and resent it later
• Some may adopt the change before they are ready to do so

Best to worst candidates

• Early Majority: Follow others’ success.
• Late Majority: Likely follow an established proven standard.
• Early Adopter: Less effective as they prefer to set trends rather than follow.
• Innovator: Seeks new technology rather than following others.
• Laggard: Suspicious and reluctant to change.

Proof of Concepts

Gain early input and encourage buy-in.

Abstract

Proof of concept projects give early indications of the viability of a new initiative. Involving the end users in these projects can be beneficial in gaining their support

Advantages

Involve adopters early on

Valuable feedback and indications of future issues

Disadvantages

If POC isn’t fully successful, it may leave lingering negativity

Usually, involvement from small selection of staff

Best to worst candidates

• Innovator: Strong interest in getting involved in new products.
• Early Adopter: Comfortable with new technology and are influencers.
• Early Majority: Less interest. Prefer others to try first.
• Late Majority: Conservative attitude makes this an unlikely option.
• Laggard: Highly unlikely to get involved.

Match techniques to categories

What works for who?

Follow the leader

Engage your technology enthusiasts early to help refine your product, train other staff, and act as champions. A combination of marketing and group training will develop a herd mentality. Finally, don’t neglect the laggards as they can prevent project completion.

Info-Tech Insight

Although there are different size categories, none can be ignored. Consider your budget when dealing with smaller groups, but also consider their impact.

Refresh, retrain, restrain

We don’t want people to revert.

Don’t assume that because your staff have been trained and have access to the new technology that they will keep using it in the way they were trained. Or that they won’t revert back to their old methods or system.

Put in place methods to remove completely or remove access to old systems. Schedule refresh training or skill enhancement sessions and stay vigilant.

Research Authors

Paul Binns

Principal Research Advisor, Info-Tech Research Group

With over 30 years in the IT industry, Paul brings to his work his experience as a Strategic Planner, Consultant, Enterprise Architect, IT Business Owner, Technologist, and Manager. Paul has worked with both small and large companies, local and international, and has had senior roles in government and the finance industry.

Scott Young

Principal Research Advisor, Info-Tech Research Group

Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

Related Info-Tech Research

User Group Analysis Workbook

Use Info-Tech’s workbook to gather information about user groups, business processes, and day-to-day tasks to gain familiarity with your adopters.

Governance and Management of Enterprise Software Implementation

Use our research to engage users and receive timely feedback through demonstrations. Our iterative methodology with a task list focused on the business’ must-have functionality allows staff to return to their daily work sooner.

Quality Management User Satisfaction Survey

This IT satisfaction survey will assist you with early information to use for categorizing your users.

Master Organizational Change Management Practices

Using a soft, empathetic approach to change management is something that all PMOs should understand. Use our research to ensure you have an effective OCM plan that will ensure project success.

Bibliography

Beylis, Guillermo. “COVID-19 accelerates technology adoption and deepens inequality among workers in Latin America and the Caribbean.” World Bank Blogs, 4 March 2021. Web.

Cleland, Kelley. “Successful User Adoption Strategies.” Insight Voices, 25 Apr. 2017. Web.

Hiatt, Jeff. “The Prosci ADKAR ® Model.” PROSCI, 1994. Web.

Malik, Priyanka. “The Kübler Ross Change Curve in the Workplace.” whatfix, 24 Feb. 2022. Web.

Medhaugir, Tore. “6 Ways to Encourage Software Adoption.” XAIT, 9 March 2021. Web.

Narayanan, Vishy. “What PwC Australia learned about fast tracking tech adoption during COVID-19” PWC, 13 Oct. 2020. Web.

Sridharan, Mithun. “Crossing the Chasm: Technology Adoption Lifecycle.” Think Insights, 28 Jun 2022. Web.

Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

• The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
• The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
• The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
• Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

Parkerian Hexad

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

The security ecosystem is shifting from segregation to integration

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

• Securing physical access,
  e.g. facility access control, alarms, surveillance cameras
• Securing physical operations
  (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

• Identify the security integration problems to solve with visible improvement possibilities
• Don’t choose technology for technology’s sake
• Keep an eye to the future
• Use strategic foresight

Piece by piece

• Avoid taking a big bang approach
• Test technologies in multiple conditions
• Run inexpensive pilots
• Increase flexibility
• Build a technology ecosystem

Buy-in

• Collaborate with stakeholders
• Gain and sustain support
• Maintain transparency
• Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

• Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
• Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
• Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
• Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
• Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
• Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

• Engage stakeholders and justify value for the business.
• Define roles and responsibilities.
• Establish/update governance for integrated security.
• Identify integrated elements and compliance obligations.

Enhance

• Determine the level of security maturity and update security strategy for integrated security.
• Assess and treat risks of integrated security.
• Establish/update integrated physical and information security policies and procedures.
• Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

• Identify skill requirements and close skill gaps for integrating physical and information security.
• Design and deploy integrated security architecture and controls.
• Establish, monitor, and report integrated security metrics on effectiveness and efficiency.

Benefits of the security integration framework

Today’s matured technology makes security integration possible. However, the governance and management of single integrated security presents challenges. These can be overcome using a multi-phased framework that enables a modular, incremental, and repeatable integration process, starting with planning to justify the value of investment, then enhancing the integrated security based on risks and open architecture. This is followed by using metrics for monitoring and optimization.

1. Modular

   • Implementing a consolidated security strategy is complex and involves the integration of process, software, data, hardware, and network and infrastructure.
   • A modular framework will help to drive value while putting in appropriate guardrails.

2. Incremental

   • Integration of physical security and information security involves many components such as security strategy, risk management, and security policies.
   • An incremental framework will help track, manage, and maintain each step while providing appropriate structure.

3. Repeatable

   • Integration of physical security and information security is a journey that can be approached with a pilot program to evaluate effectiveness.
   • A repeatable framework will help to ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

Potential risks of the security integration framework

Just as medicine often comes with side effects, our Integration of Physical and Information Security Framework may introduce risks too. However, as John F. Kennedy, thirty-fifth president of the United States, once said, "There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction."

Plan Phase

• Lack of transparency in the integration process can lead to lack of trust among stakeholders.
• Lack of support from leadership results in unclear governance or lack of budget or human resources.
• Key stakeholders leave the organization during the engagement and their replacements do not understand the organization’s operation yet.

Enhance Phase

• The risk assessment conducted focuses too much on IT risk, which may not always be applicable to physical security systems nor OT systems.
• The integrated security does not comply with policies and regulations.

Monitor and Optimize Phase

• Lack of knowledge, training, and awareness.
• Different testing versus production environments.
• Lack of collected or shared security metrics.

Data

• Data quality issues and inadequate data from physical security, information security, and other systems, e.g. OT, IoT.
• Too much data from too many tools are complex and time consuming to process.

Develop an integration of information security, physical security, and personnel security that meets your organization’s needs

Integrate security in people, process, and technology to improve your overall security posture

Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Plan and engage stakeholders

Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.

Enhance strategy and risk management

Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Monitor and optimize

Find the most optimized architecture that is strategic, realistic, and based on risk. Next, perform an evaluation of the security systems and program by understanding what, where, when, and how to measure and to report the relevant metrics.

Focus on master plan

Identify the security integration problems to solve with visible improvement possibilities, and don’t choose technology for technology’s sake. Design first, then conduct market research by comparing products or services from vendors or manufacturers.

Build a technology ecosystem

Avoid a big bang approach and test technologies in multiple conditions. Run inexpensive pilots and increase flexibility to build a technology ecosystem.

Deliverables

Each step of this framework is accompanied by supporting deliverables to help you accomplish your goals:

Integrate Physical Security and Information Security Requirements Gathering Tool

Map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals. Identify your security integration elements and compliance.

Integrate Physical Security and Information Security RACI Chart Tool

Identify various security integration stakeholders across the organization and assign tasks to suitable roles.

Key deliverable:

Integrate Physical Security and Information Security Communication Deck

Present your findings in a prepopulated document that summarizes the work you have completed.

Plan

Planning is foundational to engage stakeholders. Start with justifying the value of investment, then define roles and responsibilities, update governance, and finally identify integrated elements and compliance obligations.

Plan

Engage stakeholders

• To initiate communication between the physical and information security teams and other related divisions, it is important to identify the entities that would be affected by the security integration and involve them in the process to gain support from planning to delivery and maintenance.
• Possible stakeholders:
  • Executive leadership, Facilities Management leader and team, IT leader, Security & Privacy leader, compliance officer, Legal, Risk Management, HR, Finance, OT leader (if applicable)
• A successful security integration depends on aligning your security integration initiatives and migration plan to the organization’s objectives by engaging the right people to communicate and collaborate.

Info-Tech Insight

It is important to speak the same language. Physical security concerns safety and availability, while information security concerns confidentiality and integrity. Thus, the two systems have different goals and require alignment.

Similarly, taxonomy of terminologies needs to be managed,¹ e.g. facility management with an emergency management background may have a different understanding from a CISO with an information security background when discussing the same term. For example:

In emergency management prevention means “actions taken to eliminate the impact of disasters in order to protect lives, property and the environment, and to avoid economic disruption.”²

In information security prevention is “preventing the threats by understanding the threat environment and the attack surfaces, the risks, the assets, and by maintaining a secure system.”³

Sources: ¹ Owen Yardley, Omaha Public Power District (contributor); ² Translation Bureau, Government of Canada, n.d.; ³ Security Intelligence, 2020

Map organizational goals to integrated security goals

1. As a group, brainstorm organization goals.
   • Review relevant corporate, IT, and facilities strategies.
2. Record the most important business goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than ten goals. This limitation will be critical to helping focus on your integrated security goals.
3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Integrate Physical Security and Information Security Requirements Gathering Tool.

Record organizational goals

Refer to the Integration of Physical and Information Security Framework when filling in the table.

1. Record your identified organizational goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each organizational goal, identify IT alignment goals.
3. For each organizational goal, identify OT alignment goals (if applicable).
4. For each organizational goal, identify Facilities alignment goals.
5. For each organizational goal, select an integrated security goal from the drop-down menu.

Justify value for the business

Facilities in most cases have a team that is responsible for physical security installations such as access key controllers. Whenever there is an issue, they contact the provider to fix the error. However, with smart buildings and smart devices, the threat surface grows to include information security threats, and Facilities may not possess the knowledge and skills required to deal with them. At the same time, delegating physical security to IT may add more tasks to their already-too-long list of responsibilities. Consolidating security to a focused security team that covers both physical and information security can help.1 We need to develop the security integration business case beyond physical security "gates, guns, and guards" mentality.2

An example of a cost-benefit analysis for security integration:

Sources: 1 Andrew Amaro, KLAVAN Security Services (contributor); 2 Baker and Benny, 2013;
Industrial Control System Modernization, Info-Tech Research Group, 2023; Lawrence Berkeley National Laboratory, 2021

Plan

Define roles and responsibilities

Many factors impact an organization’s level of effectiveness as it relates to integration of physical and information security. How the team interacts, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, we need to identify stakeholders that are:

• Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
• Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
• Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
• Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Integrate Physical Security and Information Security RACI Chart Tool

Define RACI chart

Define Responsible, Accountable, Consulted, Informed (RACI) stakeholders.

1. Customize the Work Units to best reflect your operation with applicable stakeholders.
2. Customize the Action rows as required.

Sources: ISC, 2015; ISC, 2021

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT Security should be responsible for the installation and configuration of all physical access controllers and devices, and facility managers should be responsible for the physical maintenance including malfunctioning such as access device jammed or physically broken.

Plan

Establish/update governance for integrated security

HR & Finance

HR provides information such as new hires and office hours as input to the security system. Finance assists in budgeting.

Security & Privacy

The security and privacy team will need to evaluate solutions and enforce standards on various physical and information security systems and to protect data privacy.

Business Leaders

Business stakeholders will provide clarity for their strategy and provide input into how they envision security furthering those goals.

IT Executives

IT stakeholders will be a driving force, ensuring all necessary resources are available and funded.

Facilities/ Operations

Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

Infrastructure & Enterprise Architects

Each solution added to the environment will need to be chosen and architected to meet business goals and security functions.

Info-Tech Insight

Assemble the right team to ensure the success of your integrated security ecosystem and decide the governance model, e.g. security steering committee (SSC) or a centralized single structure.

Adapted from Create and Implement an IoT Strategy, Info-Tech Research Group, 2022

What does the SSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your SSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction

   How does the organization’s security strategy support the attainment of the business, IT, facilities management, and physical and information security strategies? The SSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.

2. Establish Clear Lines of Authority

   Security programs contain many important elements that need to be coordinated. There must be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.

3. Provide Unbiased Oversight

   The SSC should vet the organization’s systematic monitoring processes to ensure there is adherence to defined risk tolerance levels and that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.

4. Optimize Security Value Delivery

   Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Adapted from Improve Security Governance With a Security Steering Committee , Info-Tech Research Group, 2018

Plan

Identify integrated elements and compliance obligations

To determine what elements need to be integrated, it’s important to scope the security integration program and to identify the consequences of integration for compliance obligations.

INTEGRATED ELEMENTS

What are my concerns?

Process integrations

Determine which processes need to be integrated and how

• Examples: Security prevention, detection, and response; risk assessment

Software and data integration

Determine which software and data need to be integrated and how

• Examples: Threat management tools, SIEM, IDPS, security event logs

Hardware integration

Determine which hardware needs to be integrated and how

• Examples: Sensors, alarms, cameras, keys, locks, combinations, and card readers

Network and infrastructure

Determine which network and infrastructure components need to be integrated and how

• Example: Network segmentation for physical access controllers.

COMPLIANCE

How can I address my concerns?

Regulations

Adhere to mandatory laws, directives, industry standards, specific contractual obligations, etc.

• Examples: NERC CIP (North American Utilities), Network and Information Security (NIS) Directive (EU), Health and Safety at Work etc Act 1974 (UK), Occupational Safety and Health Act, 1970 (US), Emergency Management Act, 2007 (Canada)

Standards

Adhere to voluntary standards and obligations

• Examples: NIST Cybersecurity Framework (CSF), The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (US), Cybersecurity Maturity Model Certification (CMMC), Service Organization Control (SOC 1 and 2)

Guidelines

Adopt guidelines that can improve the integrated security program

• Examples: Best Practices for Planning and Managing Physical Security Resources (US Interagency Security Committee), Information Security Manual - Guidelines for Physical Security (Australian Cyber Security Centre), 1402-2021-Guide for Physical Security of Electric Power Substations (IEEE)

Record integrated elements

Refer to the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool when filling in the following elements.

1. Record your integrated elements, i.e. process integration, software and data integration, hardware integration, network and infrastructure, and physical scope of your security integration, in the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each of your scoping give the rationale for including them in the Comments column. Careful attention should be paid to any elements that are not in scope.

Record your compliance obligations

Refer to the “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

1. Identify your compliance obligations. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your integrated security, include those that include physical security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Integrate Physical Security and Information Security Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/ guidelines.

Remediate third-party compliance gaps

If you have third-party compliance gaps, there are four primary ways to eliminate them:

1. Find a New, Compliant Partner

   Terminate existing contract and find another organization to partner with.

2. Bring the Capability In-House

   Expense permitting, this may be the best way to protect yourself.

3. Demand Compliance

   Tell the third party they must become compliant. Make sure you set a deadline.

4. Accept Noncompliance and Assume the Risk

   Sometimes remediation just isn’t cost effective and you have no choice.

Follow Contracting Best Practices to Mitigate the Risk of Future Third-Party Compliance Gaps

1. Perform Initial Due Diligence: Request proof of third-party compliance prior to entering into a contract.
2. Perform Ongoing Due Diligence: Request proof of third-party contractor compliance annually.
3. Contract Negotiation: Insert clauses requesting periodic assertions of compliance.

View a sample contract provided by the US Department of Health and Human Services.

Source: Take Control of Compliance Improvement to Conquer Every Audit, Info-Tech Research Group, 2015

Pitfalls to avoid when planning security integration

• No Resources Lineups

  Integration of security needs support from leadership, proper planning, and clear and consistent communication across the organization.

• Not Addressing Holistic Security

  Create policies and procedures and follow standards that are holistic and based on threats and risks, e.g. consolidated access control policies.

• Lack of Governance

  While the IT department is a critical partner in cybersecurity, the ownership of such a role sits squarely in the organizational C-suite, with regular reporting to the board of directors (if applicable).

• Overlooking Business Continuity Effort

  IT and physical security are integral to business continuity and disaster recovery strategies.

• Not Having Relevant Training and Awareness

  Provide a training and awareness program based on relevant attack vectors. Trained employees are key assets to the development of a safe and secure environment. They must form the base of your security culture.

• Overbuilding or Underbuilding

  Select third-party providers that offer systems interoperability with other security tools. The intent is to promote a unified approach to security to avoid a cumbersome tooling zoo.

Sources: Real Time Networks, 2022; Andrew Amaro, KLAVAN Security Services (contributor)

Enhance

Enhancing is the development of an integrated security strategy, policies, procedures, BCP, DR, and IR based on the organization’s risks.

Enhance

Determine the level of security maturity and update the security strategy

• Before updating your security strategies, you need to understand the organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies. The goal is to align your integrated security strategies to contribute to your organization’s success.
• The integrated security leaders need to understand the direction of the organization. For example:
  • Growth expectation
  • Expansions or mergers anticipation
  • Product or service changes
  • Regulatory requirements
• Wise security investments depend on aligning your security initiatives to the organization’s objectives by supporting operational performance and ensuring brand protection and shareholder values.

Sources: Amy L. Meger, Platte River Power Authority (contributor); Baker and Benny, 2013; IFSEC Global, 2023; Security Priorities 2023, Info-Tech Research Group, 2023; Build an Information Security Strategy, Info-Tech Research Group, 2020; ISC, n.d.

Understanding security maturity

Maturity models are very effective for determining security states. This table provides examples of general descriptions for physical and information security maturity levels.

Determine which framework is suitable and select the description that most accurately reflects the ideal state for security in your organization.

Sources: ¹ Fennelly, 2013; ² Build an Information Security Strategy, Info-Tech Research Group, 2020

Enhance

Assess and treat integrated security risks

The risk assessment conducted consists of analyzing existing inherent risks, existing pressure to the risks such as health and safety laws and codes of practice, new risks from the integration process, risk tolerance, and countermeasures.

• Some organizations already integrate security into corporate security that consists of risk management, compliance, governance, information security, personnel security, and physical security. However, some organizations are still separating security components, especially physical security and information security, which limits security visibility and the organization’s ability to complete a comprehensive risks assessment.
• Many vendors are also segregating physical security and information security solutions because their tools do well only on certain aspects. This forces organizations to combine multiple tools, creating a complex environment.
• Additionally, risks related to people such as mental health issues must be addressed properly. The prevalence of hybrid work post-pandemic makes this aspect especially important.
• Assess and treat risks based on the organization’s requirements, including its environments. For example, the US federal facility security organization is required to conduct risk assessments at least every five years for Level I (lowest risk) and Level II facilities and at least every three years for Level III, IV, and V (highest risk) facilities.

Sources: EPA, n.d.; America's Water Infrastructure Act (AWIA), 2018; ISC, 2021

“In 2022, 95% of US companies are consolidating into a single platform across physical security, cybersecurity, HR, legal and compliance.”

Source: Ontic Center for Protective Intelligence, 2022; N=359

Example risk levels

The risk assessment conducted is based on a combination of physical and information security factors such as certain facilities factors. The risk level can be used to determine the baseline level of protection (LOP). Next, the baseline LOP is customized to the achievable LOP. The following is an example for federal facilities determined by Interagency Security Committee (ISC).

Source: ISC, 2021

Example assets

It is important to identify the organization’s requirements, including its environments (IT, IoT, OT, facilities, etc.), and to measure and evaluate its risks and threats using an appropriate risk framework and tools with the critical step of identifying assets prior to acquiring solutions.

Info-Tech Insight

Certain exceptions must be identified in risk assessment. Usually physical barriers such as gates and intrusion detection sensors are considered as countermeasures,1 however, under certain assessment, e.g. America's Water Infrastructure Act (AWIA),2 physical barriers are also considered assets and as such must also be assessed.

Compromising a fingerprint scanner

An anecdotal example of why physical security alone is not sufficient.

Image by Rawpixel.com on Freepik

Lessons learned from using fingerprints for authentication:

• Fingerprint scanners can be physically circumvented by making a copy an authorized user’s fingerprint with 3D printing or even by forcefully amputating an authorized user’s finger.
• Authorized users may not be given access when the fingerprint cannot be recognized, e.g. if the finger is covered by bandage due to injury.
• Integration with information security may help detect unauthorized access, e.g. a fingerprint being scanned in a Canadian office when the same user was scanned at a close time interval from an IP in Europe will trigger an alert of a possible incident.

Info-Tech Insight

In an ideal world, we want a physical security system that is interoperable with all technologies, flexible with minimal customization, functional, and integrated. In the real world, we may have physical systems with proprietary configurations that are not easily customized and siloed.

Source: Robert Dang, Info-Tech Research Group

Use case: Microchip implant

Microchip implants can be used instead of physical devices such as key cards for digital identity and access management. Risks can be assessed using quantitative or qualitative approaches. In this use case a qualitative approach is applied to impact and likelihood, and a quantitative approach is applied to revenue and cost.

Asset: Microchip implant

Benefits

Risks

Sources: Business Insider, 2018; BBC News, 2022; ISC, 2015

Enhance

Update integrated security policies and procedures

Global policies with local implementation

This model works for corporate groups with a parent company. In this model, global security policies are developed by a parent company and local policies are applied to the unique business that is not supported by the parent company.

Update of existing security policies

This model works for organizations with sufficient resources. In this model, integrated security policies are derived from various policies. For example, physical security in smart buildings/devices (sensors, automated meters, HVAC, etc.) and OT systems (SCADA, PLCs, RTUs, etc.) introduce unique risk exposures, necessitating updates to security policies.

Customization of information security policies

This model works for smaller organizations with limited resources. In this model, integrated security policies are derived from information security policies. The issue is when these policies are not applicable to physical security systems or other environments, e.g. OT systems.

Sources: Kris Krishan, Waymo (contributor); Isabelle Hertanto, Info-Tech Research Group (contributor); Physical and Environmental Security Policy Template, Info-Tech Research Group, 2022.

Enhance

Update BCP, DR, IR

• Physical threats such as theft of material, vandalism, loitering, and the like are also part of business continuity threats.
• These threats can be carried out by various means such as vehicles breaching perimeter security, bolt cutters used for cutting wire and cable, and ballistic attack.
• Issues may occur when security operations are owned separately by physical security or information security, thus lacking consistent application of best practices.
• To overcome this issue, organizations need to update BCP, DR, and IR holistically based on a cost-benefit analysis and the level of security maturity, which can be defined based on the suitable framework.

Sources: IEEE, 2021; ISC, 2021

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

Source: Dan Erwin, Security Officer, Dow Chemical Co., in Computerworld, 2022

Optimize

Optimizing means working to make the most effective and efficient use of resources, starting with identifying skill requirements and closing skill gaps, followed by designing and deploying integrated security architecture and controls, and finally monitoring and reporting integrated security metrics.

Optimize

Identify skill requirements and close skill gaps

• The pandemic changed how people work and where they choose to work, and most people still want a hybrid work model. Our survey in July 2022 (N=516) found that 55.8% of employees have the option to work offsite 2-3 days per week, 21.0% can work offsite 1 day per week, and 17.8% can work offsite 4 days per week.
• The investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the costs didn’t end there; organizations needed to maintain the secure remote work infrastructure to facilitate the hybrid work model.
• Moreover, roles are evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security and ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIOT security specialist, where OT/IIOT security specialist is a new role.

Strategic investment in internal security team

Internal security governance and management using in-house developed tools or off-the-shelf solutions, e.g. security information and event management (SIEM).

Security management using third parties

Internal security management using third-party security services, e.g. managed security service providers (MSSPs).

Outsourcing security management

Outsourcing the entire security functions, e.g. using managed detection and response (MDR).

Sources: Info-Tech Research Group’s Security Priorities 2023, Close the InfoSec Skills Gap, Build an IT Employee Engagement Program, and Grid Modernization

Select the right certifications

What are the options?

• One issue in security certification is the complexity of relevancy in topics with respect to roles and levels.
• The European Union Agency for Cybersecurity (ENISA) takes the approach of analyzing existing certifications of ICS/SCADA professionals' cybersecurity skills by orientation, scope, and supporting bodies that are grouped into specific certifications, relevant certifications, and safety certifications (ENISA, 2015).
• This approach can also be applied to integrated security certifications.

Physical security certification

• Examples: Industrial Security Professional Certification (NCMS-ISP); Physical Security Professional (ASIS-PSP); Physical Security Certification (CDSE-PSC); ISC I-100, I-200, I-300, and I-400

Cyber physical system security certification

• Examples: Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course

Information security certification

• Examples: Network and Information Security (NIS) Driving License, ISA/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP)

Safety Certifications

• Examples: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organizations (ENSHPO)

Optimize

Design and deploy integrated security architecture and controls

• A survey by Brivo found that 38% of respondents have partly centralized security platforms, 25% have decentralized platforms, and 36% have centralized platforms (Brivo, 2022; N=700).
• If your organization’s security program is still decentralized or partly centralized and your organization is planning to establish an integrated security program, then the recommendation is to perform a holistic risk assessment based on probability and impact assessments on threats and vulnerabilities.
• The impacted factors, for example, are customers served, criticality of services, equipment present inside the building, personnel response time for operational recovery and the mitigation of hazards, and costs.
• Frameworks such as Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technologies (COBIT), and The Open Group Architecture Framework (TOGAF) can be used to build security architecture that aligns security goals with business goals.
• Finally, analyze the security design against the design criteria.

Sources: ISA and Honeywell Integrated Security Technology Lab, n.d.; IEEE, 2021

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”

Source: FedTech magazine, 2009

Analyze architecture design

Cloud, on-premises, or hybrid? During the pandemic, many enterprises were under tight deadlines to migrate to the cloud. Many did not refactor data and applications correctly for cloud platforms during migration, with the consequence of high cloud bills. This happened because the migrated applications cannot take advantage of on-premises capabilities such as autoscaling. Thus, in 2023, it is plausible that enterprises will bring applications and data back on-premises.

Below is an example of a security design analysis of platform architecture. Design can be assessed using quantitative or qualitative approaches. In this example, a qualitative approach is applied using high-level advantages and disadvantages.

Info-Tech Insight

It is important for organizations to find the most optimized architecture to support them, for example, a hybrid architecture of cloud and on-premises based on operations and cost-effectiveness. To help design a security architecture that is strategic, realistic, and based on risk, see Info-Tech’s Identify the Components of Your Cloud Security Architecture research.

Sources: InfoWorld, 2023; Identify the Components of Your Cloud Security Architecture , Info-Tech Research Group, 2021

Analyze equipment design

Below is an example case of a security design analysis of electronic security systems. Design can be assessed using quantitative or qualitative approaches. In this example a qualitative approach is applied using advantages and disadvantages.

Info-Tech Insight

Once the design has been analyzed, the next step is to conduct market research to analyze the solutions landscape, e.g. to compare products or services from vendors or manufacturers.

Sources: IEEE, 202; IEC, n.d.; IEC, 2013

Analyze off-the-shelf solutions

Criteria to consider when comparing solutions:

Visibility and Asset Management

Passively monitoring data using various protocol layers, actively sending queries to devices, or parsing configuration files of physical security devices, OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only in IT but also in relevant environments, e.g. physical, IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options, extensive integration capabilities, and affordability.

Source: Secure IT/OT Convergence, Info-Tech Research Group, 2022

Optimize

Establish, monitor, and report integrated security metrics

Security metrics serve various functions in a security program.1 For example:

• As audit requirements. For integrated security, the requirements are derived from mandatory or voluntary compliance, e.g. NERC CIP.
• As an indicator of maturity level. For integrated security, maturity level is used to measure the state of security, e.g. C2M2, CMMC.
• As a measurement of effectiveness and efficiency. Security metrics consist of operational metrics, financial metrics, etc.

Safety

Physical security interfaces with the physical world. Thus, metrics based on risks related to safety are crucial. These metrics motivate personnel by making clear why they should care about security.
Source: EPRI, 2017

Business Performance

The impact of security on the business can be measured with various metrics such as operational metrics, service level agreements (SLAs), and financial metrics.
Source: BMC, 2022

Technology Performance

Early detection leads to faster remediation and less damage. Metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability.
Source: Dark Reading, 2022

Security Culture

Measure the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

Info-Tech Insight

Security failure can be avoided by evaluating the security systems and program. Security evaluation requires understanding what, where, when, and how to measure and to report the relevant metrics.

Related Info-Tech Research

Secure IT/OT Convergence

The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

Hence, IT and OT need to collaborate, starting with communication to build trust and to overcome their differences and followed by negotiation on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Bibliography

"1402-2021 - IEEE Guide for Physical Security of Electric Power Substations." IEEE, 2021. Accessed 25 Jan. 2023.

"2022 State of Protective Intelligence Report." Ontic Center for Protective Intelligence, 2022. Accessed 16 Jan. 2023.

"8 Staggering Statistics: Physical Security Technology Adoption." Brivo, 2022. Accessed 5 Jan. 2023.

"America's Water Infrastructure Act of 2018." The United States' Congress, 2018. Accessed 19 Jan. 2023.

Baker, Paul and Daniel Benny. The Complete Guide to Physical Security. Auerbach Publications. 2013

Bennett, Steve. "Physical Security Statistics 2022 - Everything You Need to Know." WebinarCare, 4 Dec. 2022. Accessed 30 Dec. 2022.

"Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Interagency Security Committee (ISC), Dec. 2015. Accessed 23 Jan. 2023.

Black, Daniel. "Improve Security Governance With a Security Steering Committee." Info-Tech Research Group, 23 Nov. 2018. Accessed 30 Jan. 2023.

Borg, Scott. "Don't Put Up Walls Between Your Security People." FedTech Magazine, 17 Feb. 2009. Accessed 15 Dec. 2022.

Burwash, John. “Preparing for Technology Convergence in Manufacturing.” Info-Tech Research Group, 12 Dec. 2018. Accessed 7 Dec. 2022.

Carney, John. "Why Integrate Physical and Logical Security?" Cisco. Accessed 19 Jan. 2023.

"Certification of Cyber Security Skills of ICS/SCADA Professionals." European Union Agency for Cybersecurity (ENISA), 2015. Accessed 27 Sep. 2022.

Cherdantseva, Yulia and Jeremy Hilton. "Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals." Organizational, Legal, and Technological Dimensions of IS Administrator, Almeida F., Portela, I. (eds.), pp. 1204-1235. IGI Global Publishing, 2013.

Cobb, Michael. "Physical security." TechTarget. Accessed 8 Dec. 2022.

“Conduct a Drinking Water or Wastewater Utility Risk Assessment.” United States Environmental Protection Agency (EPA), n.d. Web.

Conrad, Sandi. "Create and Implement an IoT Strategy." Info-Tech Research Group, 28 July 2022. Accessed 7 Dec. 2022.

Cooksley, Mark. "The IEC 62443 Series of Standards: A Product Manufacturer's Perspective." YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

"Cyber and physical security must validate their value in 2023." IFSEC Global, 12 Jan. 2023. Accessed 20 Jan. 2023.

"Cybersecurity Evaluation Tool (CSET®)." Cybersecurity and Infrastructure Security Agency (CISA). Accessed 23 Jan. 2023.

"Cybersecurity Maturity Model Certification (CMMC) 2.0." The United States' Department of Defense (DOD), 2021. Accessed 29 Dec. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

Czachor, Emily. "Mass power outage in North Carolina caused by gunfire, repairs could take days." CBS News, 5 Dec. 2022. Accessed 20 Jan. 2023.

Dang, Robert, et al. “Secure IT/OT Convergence.” Info-Tech Research Group, 9 Dec. 2022. Web.

"Emergency Management Act (S.C. 2007, c. 15)." The Government of Canada, 2007. Accessed 19 Jan. 2023.

"Emergency management vocabulary." Translation Bureau, Government of Canada. Accessed 19 Jan. 2023.

Fennelly, Lawrence. Effective physical security. Butterworth-Heinemann, 2013.

Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture - A Top-down Approach." The Information Systems Audit and Control Association (ISACA). Accessed 25 Jan. 2023.

"Good Practices for Security of Internet of Things." European Union Agency for Cybersecurity (ENISA), 2018. Accessed 27 Sep. 2022.

"Health and Safety at Work etc Act 1974." The United Kingdom Parliament. Accessed 23 Jan. 2023.

Hébert, Michel, et al. “Security Priorities 2023.” Info-Tech Research Group, 1 Feb. 2023. Web.

"History and Initial Formation of Physical Security and the Origin of Authority." Office of Research Services (ORS), National Institutes of Health (NIH). March 3, 2017. Accessed 19 Jan. 2023.

"IEC 62676-1-1:2013 Video surveillance systems for use in security applications - Part 1-1: System requirements - General." International Electrotechnical Commission (IEC), 2013. Accessed 9 Dec. 2022.

"Incident Command System (ICS)." ICS Canada. Accessed 17 Jan. 2023.

"Information Security Manual - Guidelines for Physical Security." The Australian Cyber Security Centre (ACSC), Dec. 2022. Accessed 13 Jan. 2023.

"Integrated Physical Security Framework." Anixter. Accessed 8 Dec. 2022.

"Integrating Risk and Security within a TOGAF® Enterprise Architecture." TOGAF 10, The Open Group. Accessed 11 Jan. 2023.

Latham, Katherine. "The microchip implants that let you pay with your hand." BBC News, 11 Apr. 2022. Accessed 12 Jan. 2023.

Linthicum, David. "2023 could be the year of public cloud repatriation." InfoWorld, 3 Jan. 2023. Accessed 10 Jan. 2023.

Ma, Alexandra. "Thousands of people in Sweden are embedding microchips under their skin to replace ID cards." Business Insider, 14 May 2018. Accessed 12 Jan. 2023.

Mendelssohn, Josh and Dana Tessler. "Take Control of Compliance Improvement to Conquer Every Audit." Info-Tech Research Group, 25 March 2015. Accessed 27 Jan. 2023.

Meredith, Sam. "All you need to know about the Nord Stream gas leaks - and why Europe suspects 'gross sabotage'." CNBC, 11 Oct. 2022. Accessed 20 Jan. 2023.

Nicaise, Vincent. "EU NIS2 Directive: what’s changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.

"NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations." The National Institute of Standards and Technology (NIST), 13 Jul. 2022. Accessed 27 Jan. 2023.

"North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Series." NERC. Accessed 23 Jan. 2023.

"North America Physical Security Market - Global Forecast to 2026." MarketsandMarkets, June 2021. Accessed 30 Dec. 2022.

"NSTISSI No. 4011 National Training Standard For Information Systems Security (InfoSec) Professionals." The United States Committee on National Security Systems (CNSS), 20 Jun. 1994. Accessed 23 Jan. 2023.

"Occupational Safety and Health Administration (OSH) Act of 1970." The United States Department of Labor. Accessed 23 Jan. 2023.

Palter, Jay. "10 Mistakes Made in Designing a Physical Security Program." Real Time Networks, 7 Sep. 2022. Accessed 6 Jan. 2023.

Parker, Donn. Fighting Computer Crime. John Wiley & Sons, 1998.

Pathak, Parag. "What Is Threat Management? Common Challenges and Best Practices." Security Intelligence, 2020. Accessed 5 Jan. 2023.

Pender-Bey, Georgie. "The Parkerian Hexad." Lewis University, 2012. Accessed 24 Jan. 2023.

Philippou, Oliver. "2023 Trends to Watch: Physical Security Technologies." Omdia. Accessed 20 Jan. 2023.

Phinney, Tom. "IEC 62443: Industrial Network and System Security." ISA and Honeywell Integrated Security Technology Lab. Accessed 30 Jan. 2023.

"Physical Security Market, with COVID-19 Impact Analysis - Global Forecast to 2026." MarketsandMarkets, Jan. 2022. Accessed 30 Dec. 2022.

"Physical Security Professional (PSP)" ASIS International. Accessed 17 Jan. 2023.

"Physical Security Systems (PSS) Assessment Guide" The United States' Department of Energy (DOE), Dec. 2016. Accessed 23 Jan. 2023.

"Policies, Standards, Best Practices, Guidance, and White Papers." Interagency Security Committee (ISC). Accessed 23 Jan. 2023.

"Profiles, Add-ons and Specifications." ONVIF. Accessed 9 Dec. 2022.

"Protective Security Policy Framework (PSPF)." The Australian Attorney-General's Department (AGD). Accessed 13 Jan. 2023.

"Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

""Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

Satgunananthan, Niru. "Challenges in Security Convergence?" LinkedIn, 8 Jan. 2022. Accessed 20 Dec. 2022.

Sooknanan, Shastri and Isaac Kinsella. "Identify the Components of Your Cloud Security Architecture." Info-Tech Research Group, 12 March 2021. Accessed 26 Jan. 2023.

"TC 79 Alarm and electronic security systems." International Electrotechnical Commission (IEC), n.d. Accessed 9 Dec. 2022.

"The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." Interagency Security Committee (ISC), 2021. Accessed 26 Jan. 2023.

"The Short Guide to Why Security Programs Can Fail." CyberTalk, 23 Sep. 2021. Accessed 30 Dec. 2022.

Verton, Dan. "Companies Aim to Build Security Awareness." Computerworld, 27 Nov. 2022. Accessed 26 Jan. 2023.

"Vulnerability Assessment of Federal Facilities." The United States' Department of Justice, 28 Jun. 1995. Accessed 19 Jan. 2023.

"What is IEC 61508?" 61508 Association. Accessed 23 Jan. 2023.

Wolf, Gene. "Better Include Physical Security With Cybersecurity." T&D World 5 Jan. 2023. Accessed 19 Jan. 2023.

Wood, Kate, and Isaac Kinsella. “Build an Information Security Strategy.” Info-Tech Research Group, 9 Sept. 2020. Web.

Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.

"Work Health and Safety Act 2011." The Australian Government. Accessed 13 Jan. 2023.

Wu, Jing. “Industrial Control System Modernization: Unlock the Value of Automation in Utilities.” Info-Tech Research Group, 6 April 2023. Web.

Research Contributors and Experts

Amy L. Meger, IGP

Information and Cyber Governance Manager
Platte River Power Authority

Andrew Amaro

Chief Security Officer (CSO) & Founder
KLAVAN Security

Bilson Perez

IT Security Manager
4Wall Entertainment

Dan Adams

VP of Information Technology
4Wall Entertainment

Doery Abdou

Senior Manager
March Networks Corporate

Erich Krueger

Manager of Security Engineering
Omaha Public Power District

Kris Krishan

Head of IT
Waymo

Owen Yardley

Director, Facilities Security Preparedness
Omaha Public Power District

Understand the Difference Between Backups and Archives

They are not the same, and confusing the two concepts could be expensive

Analyst Perspective

Backups and archives are not interchangeable, but they can complement each other.

Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.

Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.

P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.

Archive

Tips & Tricks – Archiving

• Archiving will move older data to an alternate location. This will free up storage space in the production environment.
• Archiving solutions index the data to allow for easier searchability. This will aid in common business searches as well as assist with any potential legal searches.
• Archiving allows companies to hold onto data for historical purposes as well as for specific retention periods in compliance with industry and regional regulations such as SOX, GDPR, FISMA, as well as others (msp360.com).

Backup

Tips & Tricks – Backups

• Production data should be backed up on a regular basis, ideally once a day or more frequently if possible.
• Backups are intended to restore data when it gets deleted, over-written, or otherwise compromised. Most restore requests are from the last 24 to 48 hours, so it may be advantageous to keep a backup readily available on disk for a quick restore when needed.
• Some vendors and industry subject matter experts advocate the use of a 3-2-1 rule when it comes to backups:
  • Keep three copies of your production data
  • In at least two separate locations (some advocate two different formats), and
  • One copy should be offsite (nakivo.com)

Cold Storage

• Cold storage refers to a storage option offered by some cloud vendors. In the context of the discussion between backups and archives, it can be an option for a dedicated backup solution for a specific period. Cost is low and the data is protected from destruction.
• If an app has been replaced and all data transferred to the replacement solution but for some reason the company wishes to hold onto the data, you want a backup, not an archive. Extract the data, convert it into MongoDB or a similar solution, and drop it into cheap cloud storage (cold storage) for less than $5 per TB/month.

Case Study

Understanding the difference between archives and backups could save you a lot of time and money

INDUSTRY: Manufacturing | SOURCE: Info-Tech Research

Understanding the difference between an archive and a backup was the first step in solving their challenge.

A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.

The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.

Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.

A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.

Understand the Difference Between Backups and Archives

Info-Tech Insight

Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

Additional Guidance

Case Study

Using tape backups as an archive solution could result in an expensive discovery and retrieval exercise.

INDUSTRY: Healthcare | SOURCE: Zasio Enterprises Inc.

“Do not commingle archive data with backup or disaster recovery tapes.”

A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.

Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.

The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).

A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.

Backups and archives are complementary to each other

• Archives are still production data, but the data does not change. A backup is recommended for the archived data, but the frequency of the backups can be lowered.
• Backups protect you if a disaster strikes by providing a copy of the production data that was compromised or damaged. Archives allow you to access older data that may have just been forgotten, not destroyed or compromised. Archives could also protect you in a legal court case by providing data that is older but may prove your argument in court.

Archives and backups are not the same.

Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.

Is it a backup or archive?

• You want to preserve older data for legal and compliance reasons, so you put extra effort into keeping your tape backups safe and secure for seven years. That’s a big mistake that may cost you time and money. You want an archive solution.
• You replace your older application and migrate all data to the new system, but you want to hold onto the old data, just in case. That’s a backup, not an archive.
• A long serving senior executive recently left the company. You want to preserve the contents of the executive's laptop in case it is needed in the future. That’s a backup.

Considerations When Choosing Between Solutions

Related Info-Tech Research

	Establish an Effective Data Protection Plan Give data the attention it deserves by building a strategy that goes beyond backup.
	Modernize Enterprise Storage Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.
	Data Archiving Policy

Bibliography

“Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.

G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.

Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.

Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.

Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.

“What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.

Microsoft Teams Cookbook

Recipes for best practices and use cases for Microsoft Teams.

Table of contents

Executive Brief

Section 1: Teams for IT

Section 2: Teams for End Users

Executive Summary

Situation

Remote work calls for leveraging your Office 365 license to utilize Teams – but IT is unsure about best practices for governance and permissions.

Without a framework or plan for governing the rollout of Teams, IT risks overlooking secure use of Teams, the phenomenon of “teams sprawl,” and not realizing how Teams integrates with Office 365 more broadly.

Complication

Teams needs to be rolled out quickly, but IT has few resources to help train end users with Teams best practices.

With teams, channels, chats, meetings, and live events to choose from, end users may get frustrated with lack of guidance on how to use Teams’ many capabilities.

Resolution

Use Info-Tech’s Microsoft Teams Cookbook to successfully implement and utilize Teams. This cookbook includes recipes for:

• IT best practices concerning governance of the creation process and Teams rollout.
• End-user best practices for Teams functionality and common use cases.

Key Insights

Teams is not a standalone app

Successful utilization of Teams occurs when conceived in the broader context of how it integrates with Office 365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

IT should paint the first picture for team creation

No initial governance for team creation can lead to “teams sprawl.” While Teams was built to allow end users’ creativity to flow in creating teams and channels, this can create problems with a cluttered interface and keeping track of information. To prevent end-user dissatisfaction here, IT’s initial Teams rollout should offer a basic structure for end users to work with first, limiting early teams sprawl.

The Teams admin center can only take you so far with permissions

Knowing how Teams integrates with other Office 365 apps will help with rolling out sensitivity labels to protect important information being accidentally shared in Teams. Of course, technology only does so much – proper processes to train and hold people accountable for their actions with data sharing must be implemented, too.

Related Info-Tech Research

Establish a Communication and Collaboration System Strategy

Don’t waste your time deploying yet another collaboration tool that won’t get used.

Modernize Communication and Collaboration Infrastructure

Your legacy telephony infrastructure is dragging you down – modern communications and collaboration technology will dramatically improve productivity.

Migrate to Office 365 Now

One small step to cloud, one big leap to Office 365. The key is to look before you leap.

Section 1: Teams for IT

Governance best practices and use cases for IT

From determining prerequisites to engaging end users.

IT fundamentals

• Creation process
• Teams rollout

Use cases

• Retain and search for legal/regulatory compliance
• Add an external user to a team
• Delete/archive a team

Overview: Creation process

IT needs to be prepared to manage other dependent services when rolling out Teams. See the figure below for how Teams integrates with these other Office 365 applications.

Which Microsoft 365 license do I need to access Teams?

• Microsoft 365 Business Essentials
• Microsoft 365 Business Premium
• Office 365 Enterprise, E1, E3, or E5
• Office 365 Enterprise E4 (if purchased prior to its retirement)

Please note: To appeal to the majority of Info-Tech’s members, this blueprint refers to Teams in the context of Office 365 Enterprise licenses.

Assign admin roles

You will already have at least one global administrator from setting up Office 365.

Global administrators have almost unlimited access to settings and most of the data within the software, so Microsoft recommends having only two to four IT and business owners responsible for data and security.

Info-Tech Best Practice

Configure multifactor authentication for your dedicated Office 365 global administrator accounts and set up two-step verification.

Once you have organized your global administrators, you can designate your other administrators with “just-enough” access for managing Teams. There are four administrator roles:

Prepare the network

There are three prerequisites before Teams can be rolled out:

• UDP ports 3478 through 3481 are opened.
• You have a verified domain for Office 365.
• Office 365 has been rolled out, including Exchange Online and SharePoint Online.

Microsoft then recommends the following checklist to optimize your Teams utilization:

• Optimize calls and performance using the Call Quality Dashboard.
• Assess network requirements in the Network Planner in the Teams admin center.
• Ensure all computers running Teams client can resolve external DNS queries.
• Check adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion.
• Route to local or regional Microsoft data centers.
• Whitelist all Office 365 URLs to move through security layers, especially IDS/IPS.
• Split tunnel Teams traffic so it bypasses your organization’s VPN.

Info-Tech Best Practice

For online support and walkthroughs, utilize Advisor for Teams. This assistant can be found in the Teams admin center.

Team Creation

You can create and manage Teams through the Teams PowerShell module and the Teams admin center. Only the global administrator and Teams service administrator have full administrative capabilities in this center.

Governance over team creation intends to prevent “teams sprawl” – the phenomenon whereby end users create team upon team without guidance. This creates a disorganized interface, with issues over finding the correct team and sharing the right information.

Prevent teams sprawl by painting the first picture for end users:

1. Decide what kind of team grouping would best fit your organization: by department or by project.
2. Start with a small number of teams before letting end users’ creativity take over. This will prevent initial death by notifications and support adoption.
3. Add people or groups to these teams. Assign multiple owners for each team in case people move around at the start of rollout or someone leaves the organization.
4. Each team has a general channel that cannot be removed. Use it for sharing an overview of the team’s goals, onboarding, and announcements.

Info-Tech Best Practice

For smaller organizations that are project-driven, organize teams by projects. For larger organizations with established, siloed departments, organize by department; projects within departments can become channels.

Integrations with SharePoint Online

Teams does not integrate with SharePoint Server.

Governance of Teams is important because of how tightly it integrates with other Office 365 apps, including SharePoint Online.

A poor rollout of Teams will have ramifications in SharePoint. A good rollout will optimize these apps for the organization.

Teams and SharePoint integrate in the following ways:

• Each team created in Teams automatically generates a SharePoint team site behind it. All documents and chat shared through a team are stored in that team’s SharePoint document library.
• As such, all files shared through Teams are subject to SharePoint permissions.
• Existing SharePoint folders can be tied to a team without needing to create a new one.
• If governance over resource sharing in Teams is poor, information can get lost, duplicated, or cluttered throughout both Teams and SharePoint.

Info-Tech Best Practice

End users should be encouraged to integrate their teams and channels with existing SharePoint folders and, where no folder exists, to create one in SharePoint first before then attaching a team to it.

Permissions

Within the Teams admin center, the global or Teams service administrator can manage Teams policies.

Typical Teams policies requiring governance include:

• The extent end users can discover or create private teams or channels
• Messaging policies
• Third-party app use

Chosen policies can be either applied globally or assigned to specific users.

Info-Tech Best Practice

If organizations need to share sensitive information within the bounds of a certain group, private channels help protect this data. However, inviting users into that channel will enable them to see all shared history.

External and guest access

Within the security and compliance center, the global or Teams service administrator can set external and guest access.

External access (federation) – turned on by default.

• Lets you find, call, and chat with users in other domains. External users will have no access to the organization’s teams or team resources.

Guest access – turned off by default.

• Lets you add individual users with their own email address. You do this when you want external users to access teams and team resources. Approved guests will be added to the organization’s active directory.

If guest access is enabled, it is subject to Azure AD and Office 365 licensing and service limits. Guests will have no access to the following, which cannot be changed:

• OneDrive for Business
• An organization’s calendar/meetings
• PSTN
• Organization’s hierarchical chart
• The ability to create, revise, or browse a team
• Upload files to one-on-one chat

Info-Tech Best Practice

Within the security and compliance center, you can allow users to add sensitivity labels to their teams that can prevent external and guest access.

Expiration and archiving

To reduce the number of unused teams and channels, or delete information permanently, the global or Teams service administrator can implement an Office 365 group expiration and archiving policy through the Teams admin center.

If a team has an expiration policy applied to it, the team owner will receive a notification for team renewal 30 days, 15 days, and 1 day before the expiry date. They can renew their team at any point within this time.

• To prevent accidental deletion, auto-renewal is enabled for a team. If the team owner is unable to manually respond, any team that has one channel visit from a team member before expiry is automatically renewed.
• A deleted Office 365 group is retained for 30 days and can be restored at any point within this time.

Alternatively, teams and their channels (including private) can be archived. This will mean that all activity for the team ceases. However, you can still add, remove, and update roles of the members.

Retention and data loss prevention

Retention policies can be created and managed in the Microsoft 365 Compliance Center or the security and compliance center PowerShell cmdlets. This can be applied globally or to specific users.

By default, information shared through Teams is retained forever.

However, setting up retention policies ensures data is retained for a specified time regardless of what happens to that data within Teams (e.g. user deletes).

Info-Tech Best Practice

To prevent external or guest users accessing and deleting sensitive data, Teams is able to block this content when shared by internal users. Ensure this is configured appropriately in your organization:

• For guest access in teams and channels
• For external access in meetings and chat

Please note the following limitations of Teams’ retention and data loss prevention:

• Organization-wide retention policies will need to be manually inputted into Teams. This is because Teams requires a retention policy that is independent of other workloads.
• As of May 2020, retention policies apply to all information in Teams except private channel messages. Files shared in private channels, though, are subject to retention policies.
• Teams does not support advanced retention settings, such as a policy that pertains to specific keywords or sensitive information.
• It will take three to seven days to permanently delete expired messages.

Teams telephony

Teams has built-in functionality to call any team member within the organization through VoIP.

However, Teams does not automatically connect to the PSTN, meaning that calling or receiving calls from external users is not immediately possible.

Bridging VoIP calls with the PSTN through Teams is available as an add-on that can be attached to an E3 license or as part of an E5 license.

There are two options to enable this capability:

• Enable Phone System. This allows for call control and PBX capabilities in Office 365.
• Use direct routing. You can use an existing PSTN connection via a Session Border Controller that links with Teams (Amaxra).

Steps to implement Teams telephony:

1. Ensure Phone System and required (non-Microsoft-related) services are available in your country or region.
2. Purchase and assign Phone System and Calling Plan licenses. If Calling Plans are not available in your country or region, Microsoft recommends using Direct Routing.
3. Get phone numbers and/or service numbers. There are three ways to do this:
   • Get new numbers through the Teams admin center.
   • If you cannot get new numbers through the Teams admin center, you can request new numbers from Microsoft directly.
   • Port or transfer existing numbers. To do this, you need to send Microsoft a letter of authorization, giving them permission to request and transfer existing numbers on your behalf.
4. To enable service numbers, including toll-free numbers, Microsoft recommends setting up Communications Credits for your Calling Plans and Audio Conferencing.

Overview: Teams rollout

1. From Skype (and Slack) to Teams
2. Gain stakeholder purchase
3. Employ a phased deployment
4. Engage end users

Skype for Business is being retired; Microsoft offers a range of transitions to Teams.

Combine the best transition mode with Info-Tech’s adoption best practices to successfully onboard and socialize Teams.

From Skype to Teams

Skype for Business Online will be retired on July 31, 2021. Choose from the options below to see which transition mode is right for your organization.

Skype for Business On-Premises will be retired in 2024. To upgrade to Teams, first configure hybrid connectivity to Skype for Business Online.

Islands mode (default)

• Skype for Business and Teams coexist while Teams is rolled out.
• Recommended for phased rollouts or when Teams is ready to use for chat, calling, and meetings.
• Interoperability is limited. Teams and Skype for Business only transfer information if an internal Teams user sends communications to an external Skype for Business user.

Teams only mode (final)

• All capabilities are enabled in Teams and Skype for Business is disabled.
• Recommended when end users are ready to switch fully to Teams.
• End users may retain Skype for Business to join meetings with non-upgraded or external parties. However, this communication is only initiated from the Skype for Business external user.

Collaboration first mode

• Skype for Business and Teams coexist, but only Teams’ collaboration capabilities are enabled. Teams communications capabilities are turned off.
• Recommended to leverage Skype for Business communications yet utilize Teams for collaboration.

Meetings first mode

• Skype for Business and Teams coexist, but only Teams’ meetings capabilities are enabled.
• Recommended for organizations that want to leverage their Skype for Business On-Premises’ Enterprise Voice capability but want to benefit from Teams’ meetings through VoIP.

From Slack to Teams

The more that’s left behind in Slack, the easier the transition. As a prerequisite, pull together the following information:

• Usage statistics of Slack workspaces and channels
• What apps end users utilize in Slack
• What message history you want to export
• A list of users whose Slack accounts can map on to required Microsoft accounts

Test content migration

Your Slack service plan will determine what you can and can’t migrate. By default, public channels content can be exported. However, private channels may not be exportable, and a third-party app is needed to migrate Direct Messages.

Files migration

Once you have set up your teams and channels in Teams, you can programmatically copy files from Slack into the target Teams channel.

Apps migration

Once you have a list of apps and their configurations used in Slack’s workspaces, you can search in Teams’ app store to see if they’re available for Teams.

User identity migration

Slack user identities may not map onto a Microsoft account. This will cause migration issues, such as problems with exporting text content posted by that user.

Info-Tech Best Practice

Avoid data-handling violations. Determine what privacy and compliance regulations (if any) apply to the handling, storage, and processing of data during this migration.

Gain stakeholder purchase

Change management is a challenging aspect of implementing a new collaboration tool. Creating a communication and adoption plan is crucial to achieving universal buy-in for Teams.

To start, define SMART objectives and create a goals cascade.

Sample list of stakeholder-specific benefits from improving collaboration

Use these activities to define what pain points stakeholders face and how Teams can directly mitigate those pain points.

Employ a phased deployment

Info-Tech Best Practice

Deploy Teams over a series of phases. As such, if you are already using Skype for Business, choose one of the coexistence phases to start.

1. Identify and pilot Teams with early adopters that will become your champions. These champions should be formally trained, be encouraged to help and train their colleagues, and be positively reinforced for their efforts.
2. Iron out bugs identified with the pilot group and train middle management. Enterprise collaboration tool adoption is strongly correlated with leadership adoption.
   1. Top-level management
      Control and direct overall organization.
   2. Middle management
      Execute top-level management’s plans in accordance with organization’s norms.
   3. First-level management
      Execute day-to-day activities.
3. Use Info-Tech’s one-pager marketing template to advertise the new tool to stakeholders. Highlight how the new tool addresses specific pain points. Address questions stemming from fear and uncertainty to avoid employees’ embarrassment or their rejection of the tool.

1. Extend the pilot to other departments and continue this process for the whole organization.

(Source: Rationalize Your Collaboration Tools (coming soon), Tools:GANTT Chart and Marketing Materials, Activities: 3.2A – 3.2B)

Info-Tech Insight

Be in control of setting and maintaining expectations. Aligning expectations with reality and the needs of employees will lower onboarding resistance.

Engage end users

Short-term best practices

Launch day:

• Hold a “lunch and learn” targeted training session to walk end users through common use cases.
• Open a booth or virtual session (through Teams!) and have tool representatives available to answer questions.
• Create a game to get users exploring the new tool – from scavenger hunts to bingo.

Launch week:

• Offer incentives for using the tool and helping others, including small gift cards.
• Publicize achievements if departments hit adoption milestones.

Long-term best practices

• Make available additional training past launch week. End users should keep learning new features to improve familiarity.
• Distribute frequent training clips, slowly exposing end users to more complex ways of utilizing Teams.
• Continue to positively reinforce and recognize those who use Teams well. This could be celebrating those that help others use the tool, how active certain users are, and attendance at learning events.

Info-Tech Best Practice

Microsoft has a range of training support that can be utilized. From instructor-led training to “Coffee in the Cloud” sessions, leverage all the support you can.

Use case #1: Retain and search data for legal/regulatory compliance

Scenario:

Your organization requires you to retain data and documents for a certain period of time; however, after this period, your organization wishes to delete or archive the data instead of maintaining it indefinitely. Within the timeframe of the retention policy, the admin may be asked to retrieve information that has been requested through a legal channel.

Purpose:

• Maintain compliance with the legal and regulatory standards to which the organization is subject.

Jobs:

• Ensure the data is retained for the approved time period.
• Ensure the policy applies to all relevant data and users.

Solution: Retention Policies

• Ensure that your organization has an Office 365 E3 or higher license.
• Set the desired retention policy through the Security & Compliance Center or PowerShell by deciding which teams, channels, chats, and users the policies will apply to and what will happen once the retention period ends.
• Ensure that matching retention policies are applied to SharePoint and OneDrive, since this is where files shared in Teams are stored.
• Be aware that Teams retention policies cannot be applied to messages in private channels.

Solution: e-Discovery

• If legally necessary, place users or Teams on legal hold in order to retain data that would be otherwise deleted by your organization’s retention policies.
• Perform e-discovery on Teams messages, files, and summaries of meetings and calls through the Security & Compliance Center.
• See Microsoft’s chart on the next slide for what is e-discoverable.

Content subject to e-discovery

E-discovery does not capture audio messages and read receipts in MS Teams.

Since files shared in private channels are stored separately from the rest of a team, follow Microsoft’s directions for how to include private channels in e-discovery. (Source: “Conduct an eDiscovery investigation of content in Microsoft Teams,” Microsoft, 2020.)

Use case #2: Add external person to a team

Scenario:

A team in your organization needs to work in an ongoing way with someone external to the company. This user needs access to the relevant team’s work environment, but they should not be privy to the goings-on in the other parts of the organization.

Jobs:

This external person needs to be able to:

• Attend meetings
• Join calls
• Chat with individual team members
• View and collaborate on the team’s files

Solution:

• If necessary, set a data loss prevention policy to prevent your users from sharing certain types of information or files with external users present in your organization’s Teams chats and public channels.
• Ensure that your Microsoft license includes DLP protection. However:
  • DLP cannot be applied to private channel messages.
  • DLP cannot block messages from external Skype for Business users nor external users who are not in “Teams only” mode.
• Ensure that you have a team set up for the project that you wish the external user to join. The external user will be able to see all the channels in this team, unless you create a private channel they are restricted from.
• Complete Microsoft’s “Guest Access Checklist” to enable guest access in Teams, if it isn’t already enabled.
• As admin, give the external user guest access through the Teams admin center or Azure AD B2B collaboration. (If given permission, team owners can also add guests through the Teams client).
• Decide whether to set a policy to monitor and audit external user activity.

Use case #3: Delete/archive a team

Scenario:

In order to avoid teams sprawl, organizations may want IT to periodically delete or archive unused teams within the Teams client in order to improve the user interface.

Alternately, if you are using a project-based approach to organizing Teams, you may wish to formalize a process to archive a team once the project is complete.

Delete:

• Determine if the team owner anticipates the team will need to be restored one day.
• Ensure that deletion does not contradict the organization’s retention policy.
• If not, proceed with deletion. Find the team in the Teams admin center and delete.
• Restore a deleted team within 30 days of its initial deletion through PowerShell.

Archive:

• Determine if the team owner anticipates the team will need to be restored one day.
• Find the relevant team in the Teams admin center and change its status to “Archived.”
• Restore the archived team if the workspace becomes relevant once again.

Info-Tech Best Practice

Remind end users that they can hide teams or channels they do not wish to see in their Teams interface. Knowing a team can be hidden may impact a team owner’s decision to delete it.

Section 2: Teams for End Users

Best practices for utilizing teams, channels, chat, meetings, and live events

From Teams how-tos to common use cases for end users.

End user basics

• Teams, channels, and chat
• Meetings and live events

Common use cases: Workspaces

• WS#1: Departments
• WS#2: A cross-functional committee
• WS#3: An innovation day event
• WS#4: A non-work-related social event
• WS#5: A project team with a defined end time

Common use cases: Meetings

• M#1: Job interview with an external candidate
• M#2: Quarterly board meeting
• M#3: Weekly recurring team meeting
• M#4: Morning stand-up/scrum
• M#5: Phone call between two people

Overview: Teams, channels, and chat

Teams

• Team: A workspace for a group of collaborative individuals.
  • Public channel: A focused area where all members of a team can meet, communicate, and share ideas and content.
  • Private channel: Like a public channel but restricted to a subset of team members, defined by channel owner.

Chat

• Chat: Two or more users collected into a common conversation thread.

For any Microsoft Teams newcomer, the differences between teams, channels, and chat can be confusing.

Use Microsoft’s figure (left) to see how these three mediums differ in their role and function.

Best practices: Workspaces 1/2

When does a Group Chat become a Channel?

• When it’s appropriate for the conversation to have a gallery – an audience of members who may not be actively participating in the discussion.
• When control over who joins the conversation needs to be centrally governed and not left up to anyone in the discussion.
• When the discussion will persist over a longer time period.
• When the number of participants approaches 100.

When does a Channel become a Team?

• When a team approaches 30 private channels, many of those private channels are likely candidates to become their own team.
• When the channel membership needs to extend beyond the boundary of the team membership.

Best practices: Workspaces 2/2

When does a Team become a Channel?

• When a team’s purpose for existing can logically be subsumed by another team that has a larger scope.

When does a Channel become a Group Chat?

• When a conversation within a channel between select users does not pertain to that channel’s scope (or any other existing channel), they should move the conversation to a group chat.
• However, this is until that group chat desires to form a channel of its own.

Create a new team

Team owner: The person who creates the team. It is possible for the team owner to then invite other members of the team to become co-owners to distribute administrative responsibilities.

Team members: People who have accepted their invitation to be a part of the team.

NB: Your organization can control who has permission to set up a team. If you can’t set a up a team, contact your IT department.

Create a new team

Decide from these two options:

• Building a team from scratch, which will create a new group with no prior history imported (steps 4.1–4.3).
• Creating a team from an existing group in Office 365, including an already existing team (steps 4.4–4.6).

NB: You cannot create a team from an existing group if:

• That group has 5,000 members or more.
• That group is in Yammer.

Decide if you want you new team from scratch to be private or public. If you set up a private team, any internal or external user you invite into the team will have access to all team history and files shared.

'.">

Create a new team

Decide from these two options:

• Building a team from scratch, which will create a new group with no prior history imported (steps 4.1–4.3).
• Creating a team from an existing group in Office 365, including an already existing team (steps 4.4–4.6).

NB: You cannot create a team from an existing group if:

• That group has 5,000 members or more.
• That group is in Yammer.

Configure your new team settings, including privacy, apps, tabs, and members.

'.">

Create a new channel

	On the right-hand side of the team name, click “More options.” Then, from the drop-down menu, click “Add channel.”	Name your channel, give a description, and set your channel’s privacy.
	To manage subsequent permissions, on the right-hand side of the channel name, click “More options.” Then, from the drop-down menu, click “Manage channel.”	Adding and removing members from channels: Only members in a team can see that team’s channels. Setting channel privacy as “standard” means that the channel can be accessed by anyone in a team. Unless privacy settings for a channel are set as “private” (from which the channel creator can choose who can be in that channel), there is no current way to remove members from channels. It will be up to the end user to decide which channels they want to hide.

Link team/channel to SharePoint folder

Need to find the SharePoint URL? ', 'Click to access the folder's SharePoint URL.'">

Create a chat

Overview: Meetings and live events

Teams Meetings: Real-time communication and collaboration between a group, limited to 250 people.

Teams Live Events: designed for presentations and webinars to a large audience of up to 10,000 people, in which attendees watch rather than interact.

Depending on the use case, end users will have to determine whether they need to hold a meeting or a live event.

Use Microsoft’s table (left) to see what license your organization needs to perform meetings and live events.

Best practices: Meetings

When should an Ad Hoc Call become a Scheduled Meeting?

• When the participants need time to prepare content for the call.
• When an answer is not required immediately.
• When bringing a group of people together requires logistical organizing.

When should a Scheduled Meeting become an Ad Hoc Call?

• When the participants can meet on short notice.
• When a topic under discussion requires creating alignment quickly.

When should a Live Event be created?

• When the expected attendance exceeds 250 people.
• If the event does not require collaboration and is mostly a presenter conveying information.

Create a scheduled meeting

Create an ad hoc meeting

Tip: Use existing channels to host the chatrooms for your online meetings

When you host a meeting online with Microsoft Teams, there will always be a chatroom associated with the meeting. While this is a great place for meeting participants to interact, there is one particular downside.

Problem: The never-ending chat. Often the activity in these chatrooms can persist long after the meeting. The chatroom itself becomes, unofficially, a channel. When end users can’t keep up with the deluge of communication, the tools have failed them.

Solution: Adding an existing channel to the meeting. This ensures that discussion activity is already hosted in the appropriate venue for the group, during and after the meeting. Furthermore, it provides non-attendees with a means to catch up on the discussion they have missed.

In section two of this cookbook, we will often refer to this tactic.

Don’t have a channel for the chat session of your online meeting? Perhaps you should!

If your meeting is with a group of individuals that will be collaborating frequently, they may need a workspace that persists beyond the meeting.

Guests can still attend the meeting, but they can’t chat!

If there are attendees in your meeting that do not have access to the channel you select to host the chat, they will not see the chat discussion nor have any ability to use this function.

This may be appropriate in some cases – for example, a vendor providing a briefing as part of a regular team meeting.

However, if there are attendees outside the channel membership that need to see the meeting chat, consider another channel or simply default to not assigning one.

Meeting settings explained

Show device settings. For settings concerning audio, video, and whether viewing is private.

Show meeting notes. Use to take notes throughout the meeting. The notes will stay attached to this event.

Show meeting details. Find meeting information for: a dial-in number, conference ID, and link to join.

Enter full screen.

Show background effects. Choose from a range of video backgrounds to hide/blur your location.

Turn on the captions (preview). Turn on live speech-to-text captions.

Keypad. For dialing a number within the meeting (when enabled as an add-on with E3 or as part of E5).

Start recording. Recorded and saved using Microsoft Stream.

End meeting.

Turn off incoming video. To save network bandwidth, you can decline receiving attendee’s video.

Click “More options” to access the meetings settings.

Screen share. In the tool tray, select “Share” to share your screen. Select particular applications if you only want to share certain information; otherwise, you can share your whole desktop.

System audio share. To share your device’s audio while screen sharing, checkbox the “Include system audio” option upon clicking “Share.”

If you didn’t click that option at the start but now want to share audio during screen share, click the “Include systems audio” option in the tool tray along the top of the screen.

Give/take control of screen share. To give control, click “Give control” in the tool tray along the top of the screen when sharing content. Choose from the drop-down who you would like to give control to. In the same spot, click “Take back control” when required.

To request control, click “Request control” in the same space when viewing someone sharing their content. Click “Release control” once finished.

Start whiteboarding

1. You’ll first need to enable Microsoft Whiteboard in the Microsoft 365 admin center. Ask your relevant admin to do so if Whiteboard is not already enabled.
2. Once enabled, click “Share” in a meeting. This feature only appears if you have 3+ participants in the meeting.
3. Under the “Whiteboard” section in the bottom right, click “Microsoft Whiteboard.”
4. Click the pen icons to the right of the screen to begin sketching.

NB: Anonymous, federated, or guest users are currently not supported to start, view, or ink a whiteboard in a Teams meeting.

Will the whiteboard session be recorded if the meeting is being recorded?

No. However, the final whiteboard will be available to all meeting attendees after the meeting, under “Board Gallery” in the Microsoft Whiteboard app. Attendees can then continue to work on the whiteboard after the meeting has ended.

Create a live event

As the organizer, you can invite other people to the event who will be the “producers” or “presenters.” Producers: Control the live event stream, including being able to start and stop the event, share their own and others’ video, share desktop or window, and select layout. Presenters: Present audio, video, or a screen.

Live event settings explained

When you join the live event as a producer/presenter, nothing will be immediately broadcast. You’ll be in a pre-live state. Decide what content to share and in what order. Along the bottom of the screen, you can share your video and audio, share your screen, and mute incoming attendees. Once your content is ready to share along the bottom of the screen, add it to the screen on the left, in order of viewing. This is your queue – your “Pre-live” state. Then, click “Send now.” This content will now move to the right-hand screen, ready for broadcasting. Once you’re ready to broadcast, click “Start.” Your state will change from “Pre-live” to “Live.” Along the top right of the app will be a tools bar.

Workspace #1: Departments

Scenario: Most of your organization’s communication and collaboration occurs within its pre-existing departmental divisions.

Conventional communication channels:

• Oral communication: Employees work in proximity to each other and communicate in person, by phone, in department meetings
• Email: Department-wide announcements
• Memos: Typically posted/circulated in mailboxes

Solution: Determine the best way to organize your organization’s departments in Teams based on its size and your requirements to keep information private between departments.

Option A:

• Create a team for the organization/division.
• Create channels for each department. Remember that all members of a team can view all public channels created in that team and the default General channel.
• Create private channels if you wish to have a channel that only select members of that team can see. Remember that private channels have some limitations in functionality.

Option B:

• Create a new team for each department.
• Create channels within this team for projects or topics that are recurring workflows for the department members. Only department members can view the content of these channels.

Option C:

• Post departmental memos and announcements in the General channel.
• Use “Meet now” in channels for ad hoc meetings. For regular department meetings, create a recurring Teams calendar event for the specific department channel (Option A) or the General channel (Option B). Remember that all members of a team can join a public channel meeting.

Workspace #2: A cross-functional committee

Scenario: Your organization has struck a committee composed of members from different departments. The rest of the organization should not have access to the work done in the committee.

Purpose: To analyze a particular organizational challenge and produce a plan or report; to confidentially develop or carry out a series of processes that affect the whole organization.

Jobs: Committee members must be able to:

• Attend private meetings.
• Share files confidentially.

Solution:

Ingredients:

• Private team

Construction:

• Create a new private team for the cross-functional committee.
• Add only committee members to the team.
• Create channels based on the topics likely to be the focal point of the committee work.
• Decide how you will use the mandatory General channel. If the committee is small and the work limited in scope, this channel may be the main communication space. If the committee is larger or the work more complex, use the General channel for announcements and move discussions to new topic-related channels.
• Schedule recurring committee meetings in the Teams calendar. Add the relevant channel to the meeting invite to keep the meeting chat attached to this team and channel (as meeting organizer, put your name in the meeting invite notes, as the channel will show as the organizer in the Outlook invite).
• Remember that all members of this team will have access to these meetings and be able to view that they are occurring.

Workspace #3: An innovation day event

Scenario: The organization holds a yearly innovation day event in which employees form small groups and work on a defined, short-term problem or project.

Purpose: To develop innovative solutions and ideas.

Jobs:

• Convene small groups.
• Work toward time-sensitive goals.
• Communicate synchronously.
• Share files.

Solution:

Ingredients:

• Public team
• Channel tabs
• Whiteboard
• Planner

Construction:

• Create a team for the innovation day event.
• Add channels for each project working group.
• Communicate to participants the schedule for the day and their assigned channel.
• Use the General channel for announcements and instructions throughout the day. Ensure someone moderates the General channel for participants’ questions.
• Pre-populate the channel tabs with files the participants need to work with. To add a scrum board, refer to M#4 (Morning stand-up/Scrum) in this slide deck.
• For breakouts, instruct participants to use the “meet now” feature in their channel and how to use the Whiteboard during these meetings.
• Arrange to have your IT admin archive the team after a certain point so the material is still viewable but not editable.

Workspace #4: A non-work-related social event

Scenario: Employees within the organization wish to organize social events around shared interests: board game clubs, book clubs, TV show discussion groups, trivia nights, etc.

Purpose: To encourage cohesion among coworkers and boost morale.

Jobs:

• Schedule the event.
• Invite participants.
• Prepare the activity.
• Host and moderate the discussion.

Solution:

Ingredients:

• Public team
• Private channels
• Screen-sharing

Construction:

• Create a public team for the social event so that interested people can find and join it.
• Example: Trivia Night
  • Schedule the event in the Teams calendar.
  • Publish the link to the Trivia Night team where other employees will see it.
  • Create private channels for each trivia team so they cannot see the other competitors’ discussions. Add yourself to each private channel so you can see their answers.
  • As the host, begin a meeting in the General channel. Pose the trivia questions live or present the questions on PowerPoint via screen-sharing.
  • Ask each team to post its answers to its private channel.
• To avoid teams sprawl, ask your IT admin to set a deletion policy for the team, as long as this request does not contradict your organization’s policies on data retention. If the team becomes moribund, it can be set to auto-delete after a certain period of time.

Workspace #5: A project team with a defined end time

Scenario: Within a department/workplace team, employees are assigned to projects with defined end times, after which they will be assigned to a new project.

Purpose: To complete project-based work that fulfills business needs.

Jobs:

• Oral communication with team members.
• Synchronous and asynchronous work on project files.
• The ability to attend scheduled meetings and ad hoc meetings.
• The ability to access shared resources related to the project.

Solution:

If your working group already has its own team within Teams:

• Create a new public or private channel for the project. Remember that some functionality is not available in private channels (such as Microsoft Planner).
• Use the channel for the project team’s meetings (scheduled in Teams calendar or through Meet Now).
• Add a tab that links to the team’s project folder in SharePoint.

If your workplace team does not already have its own team in Teams:

• Determine if there is a natural fit for this project as a new channel in an existing team. Remember that all team members will be able to see the channel if it is public and that all relevant project members need to belong to the Team to participate in the channel.
• If necessary, create a new team for the project. Add the project members.
• Create channels based on the type of work that comprises the project.
• Use the channel for the project team’s meetings (scheduled in Teams calendar or through Meet Now)
• Add a tab to link to the team’s project folder in SharePoint.

Info-tech Best Practice

Hide the channel after the project concludes to de-clutter your Teams user interface.

Meeting #1: Job interview with external candidate

Scenario: The organization must interview a slate of candidates to fill an open position.

Purpose:

• Select the most qualified candidate for the job.

Jobs:

• Create a meeting, ensuring the candidate and other attendees know when and where the meeting will happen.
• Ensure the meeting is secure to protect confidential information.
• Ensure the meeting is accessible, allowing the candidate to present themselves through audio and/or visual means.
• Create a professional environment for the meeting to take place.
• Engender a space for the candidate to share their CV, research, or other relevant file.
• The interview must be transcribed and recorded.

Solution:

Ingredients:

• Private Teams meeting
• Screen-sharing
• Microsoft Stream

Construction:

• Create a Teams meeting, inviting the candidate with their email, alongside other internal attendees. The Teams meeting invite will auto-generate a link to the meeting itself.
• The host can control who joins the meeting through settings for the “lobby.”
• Through the Teams meeting, the attendees will be able to use the voice and video chat functionality.
• All attendees can opt to blur their backgrounds to maintain a professional online presence.
• The candidate can share their screen, either specific applications or their whole desktop, during the Teams meeting.
• A Teams meeting can be recorded and transcribed through Stream. After the meeting, the transcript can be searched, edited, and shared

NB: The external candidate does not need the Teams application. Through the meeting invite, the external candidate will join via a web browser.

Meeting #2: Quarterly board meeting

Scenario: Every quarter, the organization holds its regular board meeting.

Purpose: To discuss agenda items and determine the company’s future direction.

Jobs:

• Attendance and minutes must be taken.
• Votes must be recorded.
• In-camera sessions must occur.
• External experts must be included.

• Follow-up items must be assigned.
• Reports must be submitted.

Solution:

Ingredients:

• Teams calendar invite
• Planner; Forms
• Private channel
• Microsoft Stream

Construction:

• Guest Invite: Invites can be sent to any non-domain-joined email address to join a private, invitation-only channel within the team controlled by the board chair.
• SharePoint & Flow: Documents are emailed to the Team addresses, which kicks off an MS Flow routine to collect review notes.
• Planner: Any board member can assign tasks to any employee.
• Forms/Add-On: Chair puts down the form of the question and individual votes are tracked.
• Teams cloud meeting recording: Recording available through Stream. Manual edits can be made to VTT caption file. Greater than acceptable transcription error rate.
• Meeting Log: Real-time attendance is viewable but a point-in-time record needs admin access.

NB: The external guests do not need the Teams application. Through the meeting invite, the guests will join via a web browser.

Meeting #3: Weekly team meeting

Scenario: A team meets for a weekly recurring meeting. The meeting is facilitated by the team lead (or manager) who addresses through agenda items and invites participation from the attendees.

Purpose: The purpose of the meeting is to:

• Share information verbally
• Present content visually
• Achieve consensus
• Build team morale

Jobs: The facilitator must:

• Determine participants
• Book room
• Book meeting in calendar

Solution:

Ingredients:

• Meeting Place: A channel in Microsoft Teams (must be public) where all members of the meeting make up the entirety of the audience.
• Calendar Recurrence: A meeting is booked through Teams and appears in all participants’ Outlook calendar.
• Collaboration Space: Participants join the meeting through video or audio and can share screens and contribute text, images, and links to the meeting chat.

Construction:

• Ensure your team already has a channel created for it. If not, create one in the appropriate team.
• Create the meeting using the calendar view within Microsoft Teams:
  • Set the meeting’s name, attendees, time, and recurrence.
  • Add the team channel that serves as the most appropriate workplace for the meeting. (Any discussion in the meeting chat will be posted to this channel.)

NB: Create the meeting in the Teams calendar, not Outlook, or you will not be able to add the Teams channel. As meeting organizer, put your name in the meeting invite notes, as the channel will show as the organizer in the Outlook invite.

Meeting #4: Morning stand-up/scrum

Scenario: Each morning, at 9am, members of the team meet online.

Purpose: After some pleasantries, the team discusses what tasks they each plan to complete in the day.

Jobs: The team leader (or scrum master) must:

• Place all tasks on a scrum board, each represented by a sticky note denoting the task name and owner.
• Move the sticky notes through the columns, adjusting assignments as needed.
• Sort tasks into the following columns: “Not Started,” “In Progress,” and “Done.”

Solution:

Ingredients:

• Meeting Place: A channel in Microsoft Teams (must be public) where all members of the meeting make up the entirety of the audience.
• Scrum Board: A tab within that channel where a persistent scrum board has been created and is visible to all team members.

Meeting Place Construction:

• Create the meeting using the calendar view in Teams.
• Set the meeting’s name, attendees, time, and work-week daily recurrence (see left).
• Add the channel that is the most appropriate workplace for the meeting. Any meeting chat will be posted to this channel rather than a separate chat.

Scrum Board Construction:

• Add a tab to the channel using Microsoft Planner as the app. (You can use other task management apps such as Trello, but the identity integration of first-party Office 365 tools may be less hassle.)
• Create a new (or import an existing) Plan to the channel. This will be used as the focal point.

Meeting #5: Weekly team meeting

Scenario: An audio-only conversation that could be a regularly scheduled event but is more often conducted on an ad-hoc basis.

Purpose: To quickly share information, achieve consensus, or clarify misunderstandings.

Jobs:

• Dial recipient
• See missed calls
• Leave/check voicemail
• Create speed-dial list
• Conference call

Solution:

Ingredients:

• Audio call begun through Teams chat.

Construction:

• Voice over IP calls between users in the same MS Teams tenant can begin in multiple ways:
  • A call can be initiated through any appearance of a user’s profile picture: hover over user’s profile photo in the Chat list and select the phone icon.
  • Enter your last chat with a user and click phone icon in upper-right corner.
  • Go to the Calls section and type the name in the “Make a call” text entry form.
• Voicemail: Voicemail, missed calls, and call history are available in the Calls section.
• Speed dial: Speed dial lists can be created in the Calls section.
• Conference call: Other users can be added to an ongoing call.

NB: Microsoft Teams can be configured to provide an organization’s telephony for external calls, but this requires an E5 license. Additional audio-conferencing licenses are required to call in to a Teams meeting over a phone.

Bibliography 1/4

Section 1: Teams for IT › Creation Process

Overview: Creation process

• “How do I get access to Microsoft Teams?” Microsoft, n.d., support.office.com/en-us/article/how-do-i-get-access-to-microsoft-teams-fc7f1634-abd3-4f26-a597-9df16e4ca65b. Accessed 11 May 2020.
• “Logical architecture for Microsoft Teams and related services.” Microsoft, 6 Mar. 2020, docs.microsoft.com/en-us/microsoftteams/teams-architecture-solutions-posters. Accessed 9 May 2020.
• “Plan for governance in Teams.” Microsoft, 10 Aug. 2018, docs.microsoft.com/en-us/MicrosoftTeams/plan-teams-governance. Accessed 30 Apr. 2020.

Assign admin roles

• “Use Microsoft Teams administrator roles to manage Teams.” Microsoft, 19 Sep. 2018, docs.microsoft.com/en-us/microsoftteams/using-admin-roles. Accessed 9 May 2020.

Prepare the network

• “Prepare your organization's network for Microsoft Teams.” Microsoft, 28 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/prepare-network. Accessed 9 May 2020.

Team creation

• “Best practices for organizing teams in Microsoft Teams.” Microsoft, 13 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/best-practices-organizing. Accessed 9 May 2020.
• “Create your first teams and channels in Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/get-started-with-teams-create-your-first-teams-and-channels. Accessed 9 May 2020.

Integrations with SharePoint Online

• “Configure Teams with three tiers of protection.” Microsoft, 7 May 2020, docs.microsoft.com/en-us/microsoft-365/solutions/configure-teams-three-tiers-protection?view=o365-worldwide. Accessed 9 May 2020.
• “File collaboration in SharePoint with Microsoft 365.” Microsoft, 21 Apr. 2020, docs.microsoft.com/en-us/sharepoint/deploy-file-collaboration. Accessed 9 May 2020.

Permissions

• “Manage app permission policies in Microsoft Teams.” Microsoft, 21 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/teams-app-permission-policies. Accessed 9 May 2020.
• “Manage messaging policies in Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/messaging-policies-in-teams. Accessed 30 Apr. 2020.
• “Sensitivity labels for Microsoft Teams.” Microsoft, 22 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/sensitivity-labels. Accessed 9 May 2020.

Bibliography 2/4

Section 1: Teams for IT › Creation Process (cont'd.)

External and guest access

• “Add a guest to Teams.” Microsoft, 22 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/add-guests. Accessed 30 Apr. 2020.
• “Communicate with users from other organizations in Microsoft Teams.” Microsoft, 22 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/communicate-with-users-from-other-organizations. Accessed 30 Apr. 2020.
• “Guest access in Microsoft Teams.” Microsoft, 22 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/guest-access. Accessed 9 May 2020.
• “Manage external access in Microsoft Teams.” Microsoft, 22 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/manage-external-access. Accessed 9 May 2020.
• “Microsoft Teams guest access checklist.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/guest-access-checklist. Accessed 30 Apr. 2020.
• “Turn on or turn off guest access to Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/set-up-guests. Accessed 9 May 2020.
• “What the guest experience is like.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/guest-experience. Accessed 4 May 2020.

Expiration and archiving

• “Archive or delete a team in Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/archive-or-delete-a-team?view=o365-worldwide. Accessed 29 Apr. 2020.
• “Microsoft 365 group expiration policy.” Microsoft, 6 May 2020, docs.microsoft.com/en-us/microsoft-365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide. Accessed 9 May 2020.
• “Team expiration and renewal in Microsoft Teams.” Microsoft, 6 Feb. 2020, docs.microsoft.com/en-us/microsoftteams/team-expiration-renewal. Accessed 9 May 2020.

Retention and data loss prevention

• “Data loss prevention and Microsoft Teams.” Microsoft, 21 Apr. 2020, docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide. Accessed 9 May 2020.
• “Retention policies in Microsoft Teams.” Microsoft, 5 May 2020, docs.microsoft.com/en-us/microsoftteams/retention-policies. Accessed 9 May 2020.

Teams telephony

• “Here's what you get with Phone System in Office 365.” Microsoft, 26 Feb. 2020, docs.microsoft.com/en-us/microsoftteams/here-s-what-you-get-with-phone-system. Accessed 9 May 2020.
• O’Donnell, J.P. “The killer feature in Microsoft Teams your business should be using.” Amaxra, n.d., www.amaxra.com/blog/the-killer-feature-in-microsoft-teams-your-business-should-be-using. Accessed 4 May 2020.
• “Set up Phone System in your organization.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/deploy-audio-conferencing-teams-landing-page. Accessed 4 May. 2020.
• “What is Phone System in Office 365?” Microsoft, 29 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/what-is-phone-system-in-office-365. Accessed 9 May 2020.

Bibliography 3/4

Section 1: Teams for IT › Teams Rollout

From Skype to Teams

• “FAQ — Upgrading from Skype for Business to Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/faq-journey. Accessed 9 May 2020.
• “Teams and Skype interoperability.” Microsoft, 21 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/teams-skype-interop. Accessed 9 May 2020.
• “Understand Microsoft Teams and Skype for Business coexistence and interoperability.” Microsoft, 3 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/teams-and-skypeforbusiness-coexistence-and-interoperability. Accessed 9 May 2020.

From Slack to Teams

• “Migrate from Slack to Microsoft Teams.” Microsoft, 14 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/migrate-slack-to-teams. Accessed 9 May 2020.

Teams adoption

• “365 adoption guide” Microsoft, 22 Jan. 2020, query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqTOD. Accessed 9 May 2020.

Section 1: Teams for IT › Use Cases

• Acharya, Ansuman. “Microsoft Teams launches eDiscovery for calling and meetings.” Microsoft Tech Community, 2 Jul. 2018, techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-launches-ediscovery-for-calling-and-meetings/ba-p/210947. Accessed 30 Apr. 2020.
• “Conduct an eDiscovery investigation of content in Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/ediscovery-investigation?view=o365-worldwide#overview, Accessed 29 Apr. 2020.
• “Teams cloud meeting recording: Compliance and eDiscovery for meeting recordings.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/cloud-recording#compliance-and-ediscovery-for-meeting-recordings. Accessed 29 Apr. 2020.

Bibliography 4/4

Section 2: Teams for End Users › Teams, Channels, Chat

• “Limits and specifications for Microsoft Teams.” Microsoft, 29 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/limits-specifications-teams. Accessed 4 May 2020.
• “Location of data in Microsoft Teams.” Microsoft, 27 Apr. 2020, docs.microsoft.com/en-us/MicrosoftTeams/location-of-data-in-teams. Accessed 4 May 2020.
• “Manage the Whiteboard in Microsoft Teams.” Microsoft, 1 Oct. 2019, docs.microsoft.com/en-us/microsoftteams/manage-whiteboard. Accessed 9 May 2020.
• [Microsoft Teams admin documentation.] Microsoft, n.d., docs.microsoft.com/en-us/MicrosoftTeams/teams-overview. Accessed 29 Apr. 2020.
• “Overview of teams and channels in Microsoft Teams.” Microsoft, 9 Mar. 2020, docs.microsoft.com/en-us/MicrosoftTeams/teams-channels-overview. Accessed 4 May 2020.
• “Private channels in Microsoft Teams.” Microsoft, 24 Feb. 2020, docs.microsoft.com/en-us/MicrosoftTeams/private-channels. Accessed 30 Apr. 2020.

Section 2: Teams for End Users › Meetings and Live Events

• “Admin quick start – Meetings and live events in Microsoft Teams.” Microsoft, 7 Apr. 2020, docs.microsoft.com/en-us/microsoftteams/quick-start-meetings-live-events. Accessed 21 Apr. 2020.
• “Get started with Microsoft Teams live events.” Microsoft, n.d., support.office.com/en-us/article/get-started-with-microsoft-teams-live-events-d077fec2-a058-483e-9ab5-1494afda578a#bkmk_roles. Accessed 29 Apr. 2020.
• “Schedule a Teams live event.” Microsoft, n.d., support.microsoft.com/en-us/office/schedule-a-teams-live-event-7a9ce97c-e1cd-470f-acaf-e6dfc179a0e2. Accessed 29 Apr. 2020.
• “Search the audit log for events in Microsoft Teams.” Microsoft, 12 Mar. 2018, docs.microsoft.com/en-us/microsoftteams/audit-log-events?view=o365-worldwide. Accessed 30 Apr. 2020.

Section 2: Teams for End Users › Use Cases

• “Understand calling in Microsoft Teams.” Microsoft, n.d., docs.microsoft.com/en-us/microsoftteams/tutorial-calling-in-teams. Accessed 9 May 2020.

Improve Your IT Recruitment Process

Train your IT department to get involved in the recruitment process to attract and select the best talent.

Own the IT recruitment process

Train your IT department to get involved in the recruitment process to attract and select the best talent.

Follow this blueprint to:

• Define and communicate the unique benefits of working for your organization to potential candidates through a strong employer brand.
• Learn best practices around creating effective job postings.
• Target your job posting efforts on the areas with the greatest ROI.
• Create and deliver an effective, seamless, and positive interview and offer process for candidates.
• Acclimate new hires and set them up for success.

Get involved at key moments of the candidate experience to have the biggest impact

RECRUIT QUALITY STAFF

Hiring talent is critical to organizational success

Talent is a priority for the entire organization:

Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).

37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).

Yet bad hires are alarmingly common:

Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).

48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).

Workshop overview

Enhance Your Recruitment Strategies

The way you position the organization impacts who is likely to apply to posted positions.

Develop a strong employee value proposition

What is an employee value proposition?

And what are the key components?

The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.

Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.

How to collect information on your EVP

Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.

Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.

Social Media Sites. Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).

1.1 Gather feedback

1. Download the Improve Your IT Recruitment Workbook.
2. On tab 1.1, brainstorm the top five things you value most about working at the organization. Ask yourself what would fall in each category and identify any key themes. Be sure to take note of any specific quotes you have.
3. Brainstorm limitations that the organization currently has in each of those areas.

Download the Recruitment Workbook

1.2 Build key messages

1. Go to tab 1.2 in your workbook
2. Identify themes from activity 1.1 that would be considered current strengths of you organization.
3. Identify themes from activity 1.2 that are aspirational elements of your organization.
4. Identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the five categories above.
5. Integrate these into one overall statement.

Examples below.

Sample EVPs

Sources: Built In, 2021; Workology, 2022

Ensure your EVP resonates with employees and prospects

Test your EVP with internal and external audiences.

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Enhance Your Recruitment Strategies

The way you position the organization impacts who is likely to apply to posted positions.

Market your EVP to potential candidates: Employer Brand

Employer brand includes how you market the EVP internally and externally – consistency is key

The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.

The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization. The perception internal and external stakeholders hold of the organization.

Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.

Ensure your branding material creates a connection

How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.

Visuals

Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!

Language

Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.

Composition

Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.

Case Study: Using culture to drive your talent pool

This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.

Recruiting at NASA

Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.

NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.

Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.

Rural location and no flexible work options add to the complexity of recruiting

The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.

“Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”

Steve Thornton

Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA

Case Study: Using culture to drive your talent pool

A good brand overcomes challenges.

Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.

NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.

The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.

Interview with Robert Leahy

Chief Information Officer, Goddard Space Flight Center, NASA

2.1 Assess your organization’s employer brand

1. Go to tab 2.1 in the Improve Your IT Recruitment Workbook.
2. Put yourself in the shoes of someone on the outside looking in. If they were to look up your organization, what impression would they be given about what is like to work there?
3. Run a Google search on your organization with key words “jobs,” “culture,” and “working environment” to see what a potential candidate would see when they begin researching your organization.

You can use sites like:

• Glassdoor
• Indeed company pages
• LinkedIn company pages
• Social media
• Your own website

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Enhance Your Recruitment Strategies

The way you position the organization impacts who is likely to apply to posted positions.

Create engaging job ads to attract talent to the organization

We have a job description; can I just post that on Indeed?

A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.

A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.

Write an Effective Job Ad

• Ensure that your job ad speaks to the audience you are targeting through the language you use.
  • E.g. If you are hiring for a creative role, use creative language and formatting. If you are writing for students, emphasize growth opportunities.
• Highlight the organization’s EVP.
• Paint an accurate picture of key aspects of the role but avoid the nitty gritty as it may overwhelm applicants.
• Link to your organization’s website and social media platforms so applicants can easily find more information.

A job description informs a job ad, it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.

An effective job posting contains the following elements:

Bottom Line: A truly successful job posting ferrets out those hidden stars that may be over cautious and filters out hundreds of applications from the woefully under qualified.

The do’s and don’ts of an inclusive job ad

*Source: Ladders, 2013

Before posting the job ad complete the DEI job posting validation checklist

*Source: Recruit and Retain People of Color in IT

3.1 Review and update your job ads

1. Download the Job Ad Template.
2. Look online or ask HR for an example of a current job advertisement you are using.

• If you don’t have one, you can use a job description as a starting point.

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Enhance Your Recruitment Strategies

Focus on key programs and tactics to improve the effectiveness of your sourcing approach.

Get involved with sourcing to get your job ad seen

To meet growing expectations, organizations need to change the way they source

Focus on key programs and tactics to improve the effectiveness of your sourcing approach

Internal Talent Mobility (ITM) Program

Social Media Program

Employee Referral Program

Alumni Program

Campus Recruiting Program

Other Sourcing Tactics

Take advantage of your current talent with an internal talent mobility program

What is it?

Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.

Leverage social media to identify and connect with talent

“It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”

– Katrina Collier, Social Recruiting Expert, The Searchologist

Reap the rewards of an employee referral program

Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.

Tap into your network of former employees

Make use of a campus recruiting program

Info-Tech Insight

Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.

Identify opportunities to integrate non-traditional techniques

Partner with other organizational functions to build skills and leverage existing knowledge

Use knowledge that already exists in the organization to improve talent sourcing capabilities.

To successfully partner with other departments in your organization:

• Acknowledge that they are busy. Like IT, they have multiple competing priorities.
• Present your needs and prioritize them. Create a list of what you are looking for and then be willing to just pick your top need. Work with the other department to decide what needs can and cannot be met.
• Present the business case. Emphasize how partnering is mutually beneficial. For example, illustrate to Marketing that promoting a strong brand with candidates will improve the organization’s overall reputation because often, candidates are customers.
• Be reasonable and patient. You are asking for help, so be moderate in your expectations and flexible in working with your partner.

Info-Tech Insight

Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.

5.1 Review the effectiveness of existing sourcing programs

1. As a group review the description of each program as defined on previous slides. Ensure that everyone understands the definitions.
2. In your workbook, look for the cell Internal Talent Mobility under the title; you will find five rows with the following

• This program is formally structured and documented.
• This program is consistently applied across the organization.
• Talent is sourced this way on an ad hoc basis.
• Our organization currently does not source talent this way.
• There are metrics in place to assess the effectiveness of this program.

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Enhance Your Recruitment Strategies

Interviews are the most often used yet poorly executed hiring tool.

Create a high-quality interview process to improve candidate assessment

Everyone believes they’re a great interviewer; self-assess your techniques, and “get real” to get better

If you…

• Believe everything the candidate says.
• Ask mostly hypothetical questions: "What would you do in a situation where…"
• Ask gimmicky questions: "If you were a vegetable, what vegetable would you be?"
• Ask only traditional interview questions: "What are your top three strengths?”
• Submit to a first impression bias.
• Have not defined what you are looking for before the interview.
• Ignore your gut feeling in an attempt to be objective.
• Find yourself loving a candidate because they are just like you.
• Use too few or too many interviewers in the process.
• Do not ask questions to determine the motivational fit of the candidate.
• Talk more than the interviewee.
• Only plan and prepare for the interview immediately before it starts.

…then stop. Use this research!

Most interviewers are not effective, resulting in many poor hiring decisions, which is costly and counter-productive

Most interviewers are not effective…

• 82% of organizations don’t believe they hire highly talented people (Trost, 2022).
• Approximately 76% of managers and HR representatives that McLean & Company interviewed agreed that the majority of interviewers are not very effective.
• 66% of hiring managers come to regret their interview-based hiring decisions (DDI, 2021).

…because, although everyone knows interviewing is a priority, most don’t make it one.

• Interviewing is often considered an extra task in addition to an employee’s day-to-day responsibilities, and these other responsibilities take precedence.
• It takes time to effectively design, prepare for, and conduct an interview.
• Employees would rather spend this time on tasks they consider to be an immediate priority.

Even those interviewers who are good at interviewing, may not be good enough.

• Even a good interviewer can be fooled by a great interviewee.
• Some interviewees talk the talk, but don’t walk the walk. They have great interviewing abilities but not the skills required to be successful in the specific position for which they are interviewing.
• Even if the interviewer is well trained and prepared to conduct a strong interview, they can get caught up with an interviewee that seems very impressive on the surface, and end up making a bad hire.

Preparing the Perfect Interview

Step 5: Define decision rights

Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.

Follow these steps to create a positive interview experience for all involved.

Step 1: Define the ideal candidate profile; determine the attributes of the ideal candidate and their relative importance

Define the attributes of the ideal candidate…

Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.

…then determine the importance of the attributes.

The job description is not enough; meet with stakeholders to define and come to a consensus on the ideal candidate profile

Definition of the Ideal Candidate

• The Hiring Manager has a plan for the new hire and knows the criteria that will best fulfill that mandate.
• The Executive team may have specific directives for what the ideal candidate should look like, depending on the level and critical nature of the position.
• Industry standards, which are defined by regulatory bodies, are available for some positions. Use these to identify skills and abilities needed for the job.
• Competitor information such as job descriptions and job reviews could provide useful data about a similar role in other organizations.
• Exit interviews can offer insight into the most challenging aspects of the job and identify skills or abilities needed for success.
• Current employees who hold the same or a similar position can explain the nuances of the day-to-day job and what attributes are most needed on the team.

“The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”

– VP, Financial Services

Use a scorecard to document the ideal candidate profile and help you select a superstar

1. Download the Workbook and go to tab 6.1.
2. Document the desired attributes for each category of assessment: Competencies, Experiences, Fit, and Motivation. You can find an Attribute Library on the next tab.
   
3. Rank each attribute by level of priority: Required, Asset, or Nice-to-Have.
   
4. Identify deal breakers that would automatically disqualify a candidate from moving forward.

To identify questions for screening interviews, use the Screening Interview Template

A screening interview conducted by phone should have a set of common questions to identify qualified candidates for in-person interviews.

The Screening Interview Template will help you develop a screening interview by providing:

• Common screening questions that can be modified based on organizational needs and interview length.
• Establishing an interview team.
• A questionnaire format so that the same questions are asked of all candidates and responses can be recorded.

Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.

Info-Tech Insight

Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.

Step 2: Choose interview types and techniques that best assess the ideal candidate attributes listed on the position scorecard

There is no best interview type or technique for assessing candidates, but there could be a wrong one depending on the organization and job opening.

• Understanding common interviewing techniques and types will help inform your own interviewing strategy and interview development.
• Each interview technique and type has its own strengths and weakness and can be better suited for a particular organizational environment, type of job, or characteristic being assessed.

No matter which interview types or techniques you use, aim for it to be as structured as possible to increase its validity

The validity of the interview increases as the degree of interview structure increases.

Components of a highly structured interview include:

1. Interview questions are derived from a job analysis (they are job related).
2. Interview questions are standardized (all applicants are asked the same questions).
3. Prompting, follow-up questioning, probing, and/or elaboration on questions are limited. Try to identify all prompts, follow-ups, and probes beforehand and include them in the interview guide so that all candidates get the same level of prompting and probing.
4. Interview questions focus on behaviors or work samples rather than opinions or self-evaluations.
5. Interviewer access to ancillary information (e.g. resumes, letters of reference, test scores, transcripts) is controlled. Sometimes limiting access to these documents can limit interviewer biases.
6. Questions from the candidate are not allowed until after the interview. This allows the interviewer to stay on track and not go off the protocol.
7. Each answer is rated during the interview using a rating scale tailored to the question (this is preferable to rating dimensions at the end of the interview and certainly preferable to just making an overall rating or ranking at the end).
8. Rating scales are “anchored” with behavioral examples to illustrate scale points (e.g. examples of a “1,” “3,” or “5” answer).
9. Total interview score is obtained by summing across scores for each of the questions.

The more of these components your interview has, the more structured it is, and the more valid it will be.

Step 3: Prepare interview questions to assess the attributes you are looking for in a candidate

The purpose of interviewing is to assess, not just listen. Questions are what help you do this.

Preparing questions in advance allows you to:

• Match each question to a position requirement (included in your scorecard) to ensure that you assess all required attributes. Everything assessed should be job relevant!
• Determine each question’s weighting, if applicable.
• Give each candidate a chance to speak to all their job-relevant attributes.
• Keep records should an unselected candidate decide to contest the decision.

If you don’t prepare in advance:

• You’ll be distracted thinking about what you are going to ask next and not be fully listening.
• You likely won’t ask the same questions of all candidates, which impacts the ability to compare across candidates and doesn’t provide a fair process for everyone.
• You likely won’t ask the questions you need to elicit the information needed to make the right decision.
• You could ask illegal questions (see Acquire the Right Hires with Effective Interviewing for a list of questions not to ask in an interview).

Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.

Use these tips to draft interview questions:

• Use job analysis output, in particular the critical incident technique, to develop structured interview questions.
• Search online or in books for example interview questions for the target position to inform interview question development. Just remember that candidates access these too, so be sure to ask for specific examples, include probing questions, and adapt or modify questions to change them.
• Situational questions: The situation should be described in sufficient detail to allow an applicant to visualize it accurately and be followed by “what would you do?” Scoring anchors should reflect effective, typical, and ineffective behaviors.
• Behavioral questions: Should assess a behavioral dimension (e.g. meeting deadlines) and apply to a variety of situations that share the underlying dimension (e.g. at work or school). Scoring anchors should be applicable to a variety of situations and reflect effective, typical, and ineffective behavior.

Conduct an effective screening interview by listening to non-verbal cues and probing

Follow these steps to conduct an effective screening interview:

When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.

Don’t just prepare top-level interview questions; also prepare probing questions to probe to gain depth and clarity

Use probing to drill down on what candidates say as much as possible and go beyond textbook answers.

Conduct effective interviews and assessments

Mitigate inherent biases of assessors by integrating formal assessments with objective anchors and clear criteria to create a more inclusive process.

Consider leveraging behavioral interview questions in your interview to reduce bias.

• In the past, companies were pushing the boundaries of the conventional interview, using unconventional questions to find top talent, e.g. “what color is your personality?” The logic was that the best people are the ones who don’t necessarily show perfectly on a resume, and they were intent on finding the best.
• However, many companies have stopped using these questions after extensive statistical analysis revealed there was no correlation between candidates’ ability to answer them and their future performance on the job.
• Asking behavioral interview questions based on the competency needs of the role is the best way to uncover if the candidates will be able to execute on the job.

Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.

Creating an interview question scorecard

Attribute you are evaluating Probing questions prepared Area to take notes

Exact question you will ask Place to record score Anchored scale with definitions of a poor, ok and great answer

Step 4: Assemble an interview team

HR and the direct reporting supervisor should always be part of the interview. Make a good impression with a good interview team.

The must-haves:

• The Future Manager should always be involved in the process. They should be comfortable with the new hire’s competencies and fit.
• Human Resources should always be involved in the process – they maintain consistency, legality, and standardization. It’s their job to know the rules and follow them. HR may coordinate and maintain policy standards and/or join in assessing the candidate.
• There should always be more than just one interviewer, even if it is not at the same time. This helps keep the process objective, allows for different opinions, and gives the interviewee exposure to multiple individuals in the company. But, try to limit the number of panel members to four or less.

“At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services

The nice-to-haves:

• Future colleagues can offer benefits to both the interviewee and the colleague by:
  • Giving the candidate some insight into what their day-to-day job would be.
  • Relaxing the candidate; allowing for a less formal, less intimidating conversation.
  • Introducing potential teammates for a position that is highly collaborative.
  • Offering the interviewer an excellent professional development opportunity – a chance to present their understanding of what they do.
• Executives should take part in interviewing for executive hiring, individuals that will report to an executive, or for positions that are extremely important. Executive time is scarce and expensive, so only use it when absolutely necessary.

Record the interview team details in the Candidate Interview Strategy and Planning Guide template.

Assign interviewers roles inside and outside the actual interview

Define Interview Process Roles

Who Should… Contact candidates to schedule interviews or communicate decisions?

Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?

Who Should… Define and communicate each stakeholder’s role?

Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?

Define Interview Roles

• Set a role for each interviewer so they know what to focus on and where they fit into the process (e.g. Interviewer A will assess fit). Don’t ad hoc the process and allow everyone to interview based on their own ideas.
• Consider interviewer qualifications and the impact of the new employee on each interviewer, when deciding the roles of each interviewer (i.e. who will interview for competency and who will interview for fit).
  • For example, managers may be most impacted by technical competencies and should be the interviewer to evaluate the candidate for technical competency.

“Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment." – VP, Financial Services

Info-Tech Insight

Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”

Step 5: Set decision rights in stone and communicate them in advance to manage stakeholder expectations and limit conflict

All interviewers must understand their decision-making authority prior to the interview. Misunderstandings can lead to resentment and conflict.

The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.

Create your interview team, assessments, and objective anchor scale

1. Download the Behavioral Interview Question Library as a reference.
2. On tab 9 of your workbook, document all the members of the team and their respective roles in the interview process. Fill in the decision-making authority section to ensure every team member is held accountable to their assigned tasks and understands how their input will be used.
3. For each required attribute in the Ideal Candidate Scorecard, chose one to two questions from the library that can properly evaluate that attribute.
4. Copy and paste the questions and probing questions into the Interview Guide Template.
5. Create an objective anchor scale and clearly define what a poor, ok, and great answer to each question is.

Download the Behavioral Interview Question Library

Conduct an effective, professional, and organized in-person interview

The subsequent slides provide additional detail on these eight steps to conducting an effective interview.

Avoid these common biases and mistakes

Common Biases

Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.

Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.

Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.

Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.

Solution

Assess candidates by using existing competency-based criteria.

Common Mistakes

Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.

Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.

Reliance of first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.

Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.

Solution

Follow the structured interview process you designed and practiced.

Ask the questions in the order presented in the interview guide, and probe and clarify as needed

When listening to candidate responses, watch for tone, body language, and red flags

Increase hiring success: Give candidates a positive perception of the organization in the interview

Great candidates want to work at great organizations.

When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization it carries forward after they are hired.

In addition, better candidates can be referred over the course of time due to higher quality networking.

As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.

Interview advice seems like common sense, but it’s often not heeded, resulting in poor interviews

Don’t…

“To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm

Practice behavioral interviews

1. In groups of at least three:

• Assign one person to act as the manager conducting the interview, a second person to act as the candidate, and a third to observe.
• The observer will provide feedback to the manager at the end of the role play based on the information you just learned.
• Observers – please give feedback on the probing questions and body language.

• How did it go?
• Were you able to get the candidate to speak in specifics rather than generalities? What tips do you have for others?
• What didn’t go so well? Any surprises?
• What would you do differently next time?
• If this was a real hiring situation, would the information you got from just that one question help you make a hiring decision for the role?

Download the Behavioral Interview Question Library

Record best practices, effective questions, and candidate insights for future use and current strategy

Results and insights gained from evaluations need to be recorded and assessed to gain value from them going forward.

• To optimize evaluation, all feedback should be forwarded to a central point so that the information can be shared with all stakeholders. HR can serve in this role.
• Peer evaluations should be shared shortly after the interview. Immediate feedback that represents all the positive and negative responses is instructional for interviewers to consider right away.
• HR can take a proactive approach to sharing information and analyzing and improving the interview process in order to collaborate with hiring departments for better talent management.
• Collecting information about effective and ineffective interview questions will guide future interview revision and development efforts.

Evaluations Can Inform Strategic Planning and Professional Development

Strategic Planning

• Survey data can be used to inform strategic planning initiatives in recruiting.
• Use the information to build a case to the executive team for training, public relations initiatives, or better candidate management systems.

Professional Development

• Survey data from all evaluations should be used to inform future professional development initiatives.
• Interview areas where all team members show weaknesses should be training priorities.
• Individual weaknesses should be integrated into each professional development plan.

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Develop a Comprehensive Onboarding Plan

Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

Onboarding should pick up where candidate experience leaves off

Do not confuse onboarding with orientation

Onboarding ≠ Orientation

Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.

A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.

Effective onboarding positively impacts the organization and bottom line

Over the long term, effective onboarding has a positive impact on revenue and decreases costs.

The benefits of onboarding:

• Save money and frustration
  • Shorten processing time, reduce administrative costs, and improve compliance.
• Boost revenue
  • Help new employees become productive faster – also reduce the strain on existing employees who would normally be overseeing them or covering a performance shortfall.
• Drive engagement and reduce turnover
  • Quickly acclimate new hires to your organization’s environment, culture, and values.
• Reinforce culture and employer brand
  • Ensure that new hires feel a connection to the organization’s culture.

Onboarding drives new hire engagement from day one

When building an onboarding program, retain the core aims: acclimate, guide, and develop

We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.

Info-Tech Insight

The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.

For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.

Watch for signs that you aren’t effectively acclimating, guiding, and developing new hires

Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.

“Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs

Use the onboarding tabs in the workbook to evaluate and redesign the onboarding program

1. On tab 10, brainstorm challenges that face the organization's current onboarding program. Identify if they fall into the "acclimate," "guide," or "develop" category. Next, record the potential impact of this challenge on the overall effectiveness of the onboarding program.
2. On tab 11, record each existing onboarding activity. Then, identify if that activity will be kept or if it should be retired. Next, document if the activity fell into the "acclimate," "guide," or "develop" category.
3. On tab 12, document gaps that currently exist in the onboarding program. Modify the timeline along the side of the tab to ensure it reflects the timeline you have identified.
4. On tab 13, document the activities that will occur in the new onboarding program. This should be a combination of current activities that you want to retain and new activities that will be added to address the gaps noted on tab 12. For each activity, identify if it will fall in the acclimate, guide, or develop section. Add any additional notes. Before moving on, make sure that there are no categories that have no activities (e.g. no guide activities).

Review the administrative aspects of onboarding and determine how to address the challenges

	Sample challenges	Potential solutions
	Some paperwork cannot be completed digitally (e.g. I-9 form in the US).	Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return.
	Required compliance training material is not available virtually.	Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually.
	Employees may not have access to their equipment immediately due to shipping or supply issues.	Delay employee start dates until you can set them up with the proper equipment and access needed to do their job.
	New hires can’t get answers to their questions about benefits information and setup.	Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

Info-Tech Insight

One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.

Review how company information is shared during onboarding and how to address the challenges

	Sample challenges	Potential solutions
	Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own.	Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager.
	Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress.	Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change.
	New hires can’t get answers to their questions about benefits information and setup.	Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

Review the socialization aspects of onboarding and determine how to address the challenges

	Sample challenges	Potential solutions
	Team introductions via a team lunch or welcome event are typically done in person.	Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing.
	New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help.	If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch.
	New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization.	Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations.
	New hires will not be able to casually meet people around the office.	Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves.

Adapt the Guide phase of onboarding to a virtual environment

	Sample challenges	Potential solutions
	Performance management (PM) processes have been paused given the current crisis.	Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening.
	Goals and expectations differ or have been reprioritized during the crisis.	Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires.
	Remote workers often require more-frequent feedback than is mandated in current PM processes.	Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months.
	Managers will not be able to monitor new hire work as effectively as usual.	Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software.

For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.

Take an inventory of training and development in the onboarding process and select critical activities

Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:

In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:

• What organizational training does every employee need to be a productive member of the organization?
• What departmental or individual training do new hires need to be successful in their role?

Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.

Determine how onboarding training will be delivered virtually

Who will facilitate virtual training sessions?

• For large onboarding cohorts, consider live delivery via web conferencing where possible. This will create a more engaging training program and will allow new hires to interact with and ask questions of the presenter.
• For individual new hires or small cohorts, have senior leaders or key personnel from across the organization record different trainings that are relevant for their role.
• For example, training sessions about organizational culture can be delivered by the CEO or other senior leader, while sales training could be delivered by a sales executive.

If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.

What existing or free tools can be leveraged to immediately support digital training?

• Laptops and PowerPoint to record training sessions that are typically delivered in-person
• YouTube/Vimeo to host recorded lecture-format training
• Company intranet to host links and files needed to complete training
• Web conferencing software to host live training/orientation sessions (e.g. Webex)
• LMS to host and track completion of learning content

Want to learn more?

Recruit IT Talent

• Improve candidate experience to hire top IT talent.

Recruit and Retain More Women in IT

• Gender diversity is directly correlated to IT performance.

Recruit and Retain People of Color in IT

• Good business, not just good philanthropy.

Adapt Your Onboarding Process to a Virtual Environment

• Develop short-term solutions with a long-term outlook to quickly bring in new talent.

Bibliography

2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.

“5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.

Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.

“How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.

“Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.

Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.

“Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.

Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.

Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.

Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.

Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.

Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.

Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.