Develop Infrastructure & Operations Policies and Procedures

Document what you need to document and forget the rest.

Table of contents

Project Rationale

Project Outlines

• Phase 1: Identify Policy and Procedure Gaps
• Phase 2: Develop Policies
• Phase 3: Document Effective Procedures

Bibliography

ANALYST PERSPECTIVE

Document what you need to document now and forget the rest.

Our understanding of the problem

This Research Is Designed For:

• Infrastructure Managers
• Chief Technology Officers
• IT Security Managers

This Research Will Help You:

• Address policy gaps
• Develop effective procedures and procedure documentation to support policy compliance

This Research Will Also Assist:

• Chief Information Officers
• Enterprise Risk and Compliance Officers
• Chief Human Resources Officers
• Systems Administrators and Engineers

This Research Will Help Them:

• Understand the importance of a coherent approach to policy development
• Understand the importance of Infrastructure & Operations policies
• Support Infrastructure & Operations policy development and enforcement

Info-Tech Best Practice

This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

Executive Summary

Situation

• Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
• Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

Complication

• Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
• Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
• Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

Resolution

• Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
• Create effective policies that are reasonable, measurable, auditable, and enforceable.
• Create and document procedures to support policy changes.

Info-Tech Insight

1. Document what you need to document and forget the rest.
   Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
2. Support policies with documented procedures.
   Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

What are policies, procedures, and processes?

A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

Document to improve governance and operational processes

Deliver value

Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

Simplify Training

Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

Maintain compliance

Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

Provide transparency

Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Document what you need to document – and forget the rest

Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

Presenting: A COBIT-aligned policy suite

We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

Info-Tech Best Practice

Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Accelerate policy development with a Guided Implementation

Your trusted advisor is just a call away.

• Identify Policy and Procedure Gaps (Calls 1-2)
  Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
• Create and Review Policies (Calls 2-4)
  Modify and review policy templates with an Info-Tech analyst.
• Create and Review Procedures (Calls 4-6)
  Workflow procedures, using templates wherever possible. Review documentation best practices.

Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

Develop Infrastructure & Operations Policies and Procedures

Phase 1

Identify Policy and Procedure Gaps

PHASE 1: Identify Policy and Procedure Gaps

Step 1.1: Review and right-size the existing policy set

This step will walk you through the following activities:

• Identify gaps in your existing policy suite
• Document challenges to core Infrastructure & Operations processes
• Identify documentation that can close gaps
• Prioritize your documentation effort

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: A review of the existing policy suite and identification of opportunities for improvement.
• Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

Conduct a policy review

You’ve got time to review your policy suite. Make the most of it.

1. Start with organizational requirements.
   • What initiatives are on the go? What policies or procedures do you have a mandate to create?
2. Weed out expired and dated policies.
   • Gather your existing policies. Identify when each one was published or last reviewed.
   • Decide whether to retire, merge, or update expired or obviously dated policy.
3. Review policy statements.
   • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

But they just want one policy...

• Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
• Review the suite to validate that you’re addressing the most important challenges first.

Brainstorm improvements for core Infrastructure & Operations processes

Supplement the list of gaps from your policy review with process challenges.

1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

Business Continuity Management: Continue operation of critical business processes and IT services.

Change Management: Deliver technical changes in a controlled manner.

Configuration Management: Define and maintain relationships between technical components.

Problem Management: Identify incident root cause.

Operations Management: Coordinate operations.

Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

Service Desk: Respond to user requests and all incidents.

PHASE 1: Identify Policy and Procedure Gaps

Step 1.2: Create an action plan to address policy gaps

This step will walk you through the following activities:

• Identify challenges and gaps that can be addressed via documentation
• Prioritize high-value, high-risk gaps

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
• Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

Support policies with procedures, standards, and guidelines

Use a working definition for each type of document.

Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

• Standards: Prescriptive, uniform requirements.
• Procedures: Specific, detailed, step-by-step instructions for completing a task.
• Guidelines: Non-enforceable, recommended best practices.

Info-Tech Best Practice

Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

Answer the following questions to decide if governance documentation can help close gaps

1(c) 30 minutes

Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

1. What is the purpose of the documentation?
   Procedures support task completion. Policies set direction and manage organizational risk.
2. Should it be enforceable?
   Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
3. What is the scope?
   To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
4. What’s the expected cadence for updates?
   Policies should be revisited and revised less frequently than procedures.

Info-Tech Best Practice

Reinvent the wheel? I don’t think so!

Always check to see if a gap can be addressed with existing tools before drafting a new policy

• Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
• Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
• It may be simpler to amend an existing policy instead of creating a new one.

Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

Tackle high-value, high-risk gaps first

1(d) 30 minutes

Prioritize your documentation effort.

1. List each proposed piece of documentation on the board.
2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
3. Prioritize documentation that mitigates risks and maximizes benefits.
4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

Example Scoring Scale

Info-Tech Insight

Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

Phase 1: Review accomplishments

Policy pillars: Standards, Procedures, Guidelines

Summary of Accomplishments

• Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
• Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

Develop Infrastructure & Operations Policies and Procedures

Phase 2

Develop Policies

PHASE 2: Develop Policies

Step 2.1: Modify policy templates and gather feedback

This step will walk you through the following activities:

• Modify policy templates

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer

Results & Insights

• Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
• Insights: Effective policies are easy to read and navigate.

Write Good-er: Be Clear, Consistent, and Concise

Effective policies adhere to the three Cs of documentation.

1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
2. Be consistent. Write policies that complement each other, not contradict each other.
3. Be concise. Make it as quick and easy as possible to read and understand your policy.

Info-Tech Best Practice

To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

Use the three Cs: Be Clear

Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

Info-Tech Insight

Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

Use the three Cs: Be Consistent

Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

"One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

Use the three Cs: Be Concise

Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

"If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

"I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

Customize policy documents

Use the policies templates to support key Infrastructure & Operations programs.

INPUT: List of prioritized policies

OUTPUT: Written policy drafts ready for review

Materials: Policy templates

Participants: Policy writer, Signing authority

No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

1. Work through policies from highest to lowest priority as defined in Phase 1.
2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
5. Rinse and repeat. Iterate until all relevant polices are complete.

Request, Incident, and Problem Management

An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

• IT Triage and Support Policy

Support the program and associated policy statements using Info-Tech’s research:

• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Embrace Standardization

• Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
• Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
• Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
• Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
• Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
• Empower end users and technicians with knowledge bases that help them solve problems without intervention.

Change, Release, and Patch Management

Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

Use the following templates to create policies that define effective patch, release, and change management:

• Change Management Policy
• Release and Patch Management Policy
• Change Control – Freezes & Risk Evaluation Policy

Ensure the policy is supported by using the following Info-Tech research:

• Optimize Change Management

Embrace Change

• IT system owners resist change management when they see it as slow and bureaucratic.
• At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
• No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
• Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

IT Asset Management (ITAM)

A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

Start by outlining the requirements for effective asset management:

• Hardware Asset Management Policy
• Software Asset Management Policy

Support ITAM policies with the following Info-Tech research:

• Implement IT Asset Management

Leverage Asset Data

• Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
• Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
• Visibility into asset location and ownership improves security and accountability.
• A centralized repository of asset data supports request fulfilment and incident management.
• Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

"Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Business Continuity Management (BCM)

Streamline the traditional approach to make BCM practical and repeatable.

Set the direction and requirements for effective BCM:

• Business Continuity Management Policy

Support the BCM policy with the following Info-Tech research:

• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan

Build Organizational Resilience

• Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
• IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
• Set an organizational mandate for BCM with the policy.
• Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Availability, Capacity, and Operations Management

What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

Set the direction and requirements for effective availability and capacity management:

• Availability and Capacity Management Policy
• System Maintenance Policy – NIST

Support the policy with the following Info-Tech research:

• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook

Mature Service Delivery

• Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
• Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
• Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

Enhance your overall security posture with a defensible, prescriptive policy suite

Align your security policy suite with NIST Special Publication 800-171.

Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

• Start with a security charter that aligns the security program with organizational objectives.
• Prioritize security policies that address significant risks.
• Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

Info-Tech Best Practice

Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

PHASE 2: Develop Policies

Step 2.2: Implement, enforce, measure, and maintain new policies

This step will walk you through the following activities:

• Gather stakeholder feedback
• Identify preventive and detective controls
• Identify required supports
• Seek policy approval
• Establish roles and responsibilities for policy maintenance

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors
• Technical Writer
• Policy Stakeholders

Results & Insights

• Results: Well-supported policies that have received signoff.
• Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

Gather feedback from users to assess the feasibility of the new policies

2(b) Review period: 1-2 weeks

Once the policies are drafted, roundtable the drafts with stakeholders.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
3. Collect feedback from the group.
   • Consider using interviews, email surveys, chat channels, or group discussions.
   • Solicit ideas on how policy statements could be improved or streamlined.
4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

Info-Tech Best Practice

Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

Develop mechanisms for monitoring and enforcement

Brainstorm preventive and detective controls.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

Suggestions:

1. Have staff sign off on policies. Disclose any monitoring/surveillance.
2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

Support the policy before seeking approval

A policy is only as strong as its supporting pillars.

Create Standards

Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

Create Guidelines

If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

Create Procedures: We’ll cover procedure development and documentation in Phase 3.

Info-Tech Insight

In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

Seek approval and communicate the policy

Policies ultimately need to be accepted by the business.

• Once the drafts are completed, identify who is in charge of approving the policies.
• Ensure all stakeholders understand the importance, context, and repercussions of the policies.
• The approvals process is about appropriate oversight of the drafted policies. For example:
  • Do the policies satisfy compliance and regulatory requirements?
  • Do the policies work with the corporate culture?
  • Do the policies address the underlying need?

If the draft is rejected:

• Acquire feedback and make revisions.
• Resubmit for approval.

If the draft is approved:

• Set the effective date and a review date.
• Begin communication, training, and implementation.

• Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
• Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
• Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

"A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Identify policy management roles and responsibilities

Discuss and assign roles and responsibilities for ongoing policy management.

"Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

Phase 2: Review accomplishments

Effective Policies: Clear, Consistent, and Concise

Summary of Accomplishments

• Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
• Reviewed controls and policy supports.
• Assigned roles and responsibilities for ongoing policy maintenance.

Develop Infrastructure & Operations Policies and Procedures

Phase 3

Document Effective Procedures

PHASE 3: Document Effective Procedures

Step 3.1: Scope and outline procedures

This step will walk you through the following activities:

• Prioritize SOP documentation
• Draft workflows using a tabletop exercise
• Modify templates, as applicable

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer
• Infrastructure Supervisors

Results & Insights

• Results: An action plan for SOP documentation and an outline of procedure workflows.
• Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

Prioritize your SOP documentation effort

Build SOP documentation that gets used and doesn’t just check a box.

1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
   • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
   • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
   • Diagrams: Visualize objects, topologies, and connections for reference purposes.
   • Tables: Establish relationships between related categories.
   • Prose: Use full-text instructions where other documentation strategies are insufficient.

Modify the following Info-Tech templates for larger SOPs

Support these processes...	...with these blueprints...	...to create SOPs using these templates.
	Create a Right-Sized Disaster Recovery Plan	DRP Summary
	Implement IT Asset Management	HAM SOP and SAM SOP
	Optimize Change Management	Change Management SOP
	Standardize the Service Desk	Service Desk SOP

Use tabletop planning or whiteboards to draft workflows

3(b) 30 minutes

Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

OUTPUT: Steps in the current process for one SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

1. For this exercise, choose one particular process to document.
2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
3. Be sure to include task ownership in your steps.
4. Map out the process as it currently happens – we’ll think about how to improve it later.
5. Keep focused. Stay on task and on time.

Example:

• Step 3: PM reviews new defects daily
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority

Info-Tech Insight

Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

Collaborate to optimize the SOP

Review the tabletop exercise. What gaps exist in current processes?
How can the processes be made better? What are the outputs and checkpoints?

OUTPUT: Identify steps to optimize the SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

Example:

• Step 3: PM reviews new defects daily
• NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority
  • Step 5 Subprocess: Ticket status update
  • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

PHASE 3: Document Effective Procedures

Step 3.2: Document effective procedures

This step will walk you through the following activities:

• Document workflows, checklists, and diagrams
• Establish a cadence for document review and updates

This step involves the following participants:

• Infrastructure Manager
• Technical Writer

Results & Insights

• Results: Improved SOP documentation and document management practices.
• Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

Document workflows with flowcharting software

Suggestions for workflow documentation

• Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
• Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
• Use standard flowchart shapes (see next slide).
• Use links to connect to related documentation.
• Review the documented workflow with participants.

Download the following workflow examples:

• XMPL Recovery Workflows
• Workflow Library

Establish flowcharting standards

If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

	Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
	Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
	Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
	Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
	Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
	Document/Report Output: For example, the output from a backup process might include an error log.

Support workflows with checklists and diagrams

Diagrams

• Diagrams are a visual representation of real-world phenomena and the connections between them.
• Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
• IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

Examples:

• XMPL Recovery Workflows
• Workflow Library

Checklists

• Checklists are best used as short-form reminders on how to complete a particular task.
• Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

Examples:

• Employee Termination Process Checklist
• XMPL Systems Recovery Playbook

Establish a cadence for documentation review and maintenance

Lock-in the work with strong document management practices.

• Identify documentation requirements as part of project planning.
• Require a manager or supervisor to review and approve SOPs.
• Check documentation status as part of change management.
• Hold staff accountable for documentation.

"It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

Only a quarter of organizations update SOPs as needed

Info-Tech Best Practice

Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

Phase 3: Review accomplishments

Workflow documentation: Cue cards into flowcharts

Summary of Accomplishments

• Identified priority procedures for documentation activities.
• Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
• Published and maintained procedure documentation.

Research contributors and experts

Carole Fennelly, Owner
cFennelly Consulting

Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

Marko Diepold, IT Audit Manager
audit2advise

Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

Research contributors and experts

Martin Andenmatten, Founder & Managing Director
Glenfis AG

Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

Myles F. Suer, CIO Chat Facilitator
CIO.com/Dell Boomi

Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

Research contributors and experts

Peter Sheingold, Portfolio Manager
Cybersecurity, Homeland Security Center, The MITRE Corporation

Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

Robert D. Austin, Professor
Ivey Business School

Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

Research contributors and experts

Ron Jones, Director of IT Infrastructure and Service Management
DATA Communications

Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
University of Chicago

Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

Research contributors and experts

Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
Point B

Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

Tony J. Read, Senior Program/Project Lead & Interim IT Executive
Read & Associates

Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

Related Info-Tech research

• Develop and Deploy Security Policies
• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook
• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan
• Implement IT Asset Management
• Optimize Change Management
• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Bibliography

“About Controls.” Ohio University, ND. Web. 2 Feb 2018.

England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

“Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

“Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

“IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

“User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

“The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.

Modernize and Transform Your End-User Computing Strategy

Support the workforce of the future.

EXECUTIVE BRIEF

Analyst Perspective

Focus beyond the device

It’s easy to think that if we give end users nice devices, then they will be more engaged and they will be happy with IT. If only it were that easy.

Info-Tech Research Group has surveyed over 119,000 people through its CIO Business Vision diagnostic. The results show that a good device is necessary but not enough for high satisfaction with IT. Once a user has a decent device, the other aspects of the user’s experience has a higher impact on their satisfaction with IT.

After all, if a person is trying to run apps designed in the 1990s, if they are struggling to access resources through an underperforming VPN connection, or if they can’t get help when their devices and apps aren’t working, then it doesn’t matter that you gave them a state-of-the-art MacBook or Microsoft Surface.

As you build out your end-user computing strategy to reflect the new reality of today’s workforce, ensure you focus on shifting user support left, modernizing apps to support how users need to work, and ensuring that your network and collaboration tools can support the increased demands. End-user computing teams need to focus beyond the device.

Ken Weston, ITIL MP, PMP, Cert.APM, SMC

Research Director, Infrastructure and Operations Info-Tech Research Group

Mahmoud Ramin, PhD

Senior Research Analyst, Infrastructure and Operations Info-Tech Research Group

Executive Summary

Your Challenge

IT needs to answer these questions:

• What types of computing devices, provisioning models, and operating systems (OSes) should be offered to end users?
• How will IT support devices?
• What are the policies and governance surrounding how devices are used?
• What actions are we taking and when?
• How do end-user devices support larger corporate priorities and strategies?

Your answers need to balance choice, risk, and cost.

Common Obstacles

Management paradigms have shifted:

• OSes, device management, and IT asset management (ITAM) practices have changed.
• Users expect full capabilities on any personal device.
• Virtual desktops are switching to the cloud.
• Low-code/no-code platforms allow the business to manage their own apps or comanage with IT.
• Work-from-anywhere is the default.
• Users have higher customer service expectations.

Take end-user computing beyond the OS.

Info-Tech's Approach

This blueprint will help you:

• Identify desired benefits that align to IT and corporate priorities and strategies.
• Perform a persona analysis.
• Define a vision for end-user computing.
• Define the standard device and app offerings.
• Improve the supporting services surrounding devices.
• Develop a roadmap for implementing your strategy.

A good device is necessary for satisfaction with IT but it’s not enough.

If a user has a prestigious tablet but the apps aren’t built well, they can’t get support on it, or they can’t connect to the internet, then that device is useless. Focus on supportability, use cases, connection, policy – and device.

Your challenge

This blueprint will help you build a strategy that answers these questions:

• What types of computing devices should be offered to end users?
• What provisioning models will be used?
• What operating systems are supported?
• How will IT support devices?
• What are the policies and governance surrounding how devices are used?
• What actions are we taking and when?
• How do end-user devices support larger corporate priorities and strategies?

Definition: End-User Computing (EUC)

End-user computing (EUC) is the domain of information and technology that deals with the devices used by workers to do their jobs. EUC has five focus areas: devices, user support, use cases, policy & governance, and fitness for use.

A good end-user computing strategy will effectively balance:

User Choice

Cost

Risk

The right balance will be unique for every organization.

Strike the right balance

The discussion is larger than desktop support

If IT is an influencer, then you get to drive this conversation. If IT is not an influencer, then you need to support whatever option the business wants.

Good devices are necessary for overall IT satisfaction

BUT

Good devices are not enough for high satisfaction

A bad device can ruin a person’s satisfaction with IT

Info-Tech’s CIO Business Vision has shown that when someone is dissatisfied with their device, their satisfaction with IT overall is only 40.92% on average.

When a person is satisfied with their device, their average satisfaction increases by approximately 30 percentage points to 70.22%. (Info-Tech Research Group, CIO Business Vision, 2021; N=119,383)

Improvements in the service desk, business apps, networks and communication infrastructure, and IT policy all have a higher impact on increasing satisfaction.

For every one-point increase in satisfaction in those areas, respondents’ overall satisfaction with IT increased by the respective percentage of a point. (Info-Tech Research Group, CIO Business Vision, 2021; N=119,409)

End-User Paradigms Have Shifted

Take end-user computing beyond the device

Operating System - OS

Only Windows

• More choices than ever before

Endpoint Management System - UEM

Group Policy & Client Management

• Modern & Unified Endpoint Management

Personal Devices - BYOD

Limited to email on phones

• Full capabilities on any device

IT Asset Management - ITAM

Hands-on with images

• Zero-touch with provisioning packages

Virtual Desktops - DaaS

Virtual Desktop Infrastructure in the Data Center

• Desktop-as-a-Service in the cloud

Business-Managed Apps - BMA

Performed by IT

• Performed by the Business and IT

Work-From-Anywhere - WFA

Rare

• Default

Customer Satisfaction - C Sat

Phone calls and transactional interactions

• Self-serve & managing entire experience

Don’t limit your focus to only Windows and Macs

Android is the OS with the largest market share

Users and IT have more choices than ever before

Operating System - OS

Only Windows

• More choices than ever before

Microsoft is still the dominant player in end-user computing, but Windows has only a fraction of the share it once had.

IT needs to revisit their device management practices. Modern management tools such as unified endpoint management (UEM) tools are better suited than traditional client management tools (CMT) for a cross-platform world.

IT must also revisit their application portfolios. Are business apps supported on Android and iOS or are they only supported on Windows? Is there an opportunity to offer more options to end users? Are end users already running apps and handling sensitive data on Android and iOS through software-as-a-service and bring-your-own-device (BYOD) capabilities in Office 365 and Google apps?

OS market share is partly driven by the digital divide

If someone must choose between a smartphone and a computer, they go with a smartphone

IT can’t expect everyone to be fluent on Windows and Mac, have a computer at home, or even have home broadband.

Of US adults aged 18-29:

• 96% have a smartphone (the rest have cellphones).
• Only 70% of US adults aged 18-29 have a home broadband connection.

Further, only 59% of US adults making less than $30,000/year have a laptop or desktop. (“Mobile Technology” and “Digital Divide,” Pew Research, 2021.)

Globally, people are likelier to have a cell subscription than they are to have access to broadband.

Embrace new device management paradigms

Endpoint Management System - UEM

Group Policy & Client Management

• Modern & Unified Endpoint Management

Evaluate enterprise mobility management and unified endpoint management to better support a remote-first, cross-platform reality.

Client Management Tool (CMT)

CMTs such as Microsoft Endpoint Configuration Manager (ConfigMgr, aka SCCM) can be used to distribute apps, apply patches, and enforce group policy.

Enterprise Mobility Management (EMM)

EMM tools allow you to manage multiple device platforms through mobile device management (MDM) protocols. These tools enforce security settings, allow you to push apps to managed devices, and monitor patch compliance through reporting.

EMM tools often support mobile application management (MAM) and mobile content management (MCM). Most EMM tools can manage devices running Windows, Mac OS, iOS, and Android, although there are exceptions.

Unified Endpoint Management (UEM)

UEM solutions combine CMT and EMM for better control of remote computers running Windows or Macs. Examples include:

• Windows devices comanaged by Intune and ConfigMgr.
• Mac devices managed by Jamf Pro.
• Mac devices comanaged by Jamf Pro and Intune.

Most UEM tools can manage devices running Windows, Mac OS, iOS, and Android, allowing IT to manage all end-user devices from a unified tool set (although there are exceptions).

Mobile Application Management (MAM)

MAM provides the ability to package an app with security settings, distribute app updates, and enforce app updates. Some capabilities do not require apps to be enrolled in an EMM or UEM solution.

Mobile Content Management (MCM)

MCM tools distribute files to remote devices. Many MCM solutions allow for security settings to be applied, such as encrypting the files or prohibiting data from leaving the secure container. Examples include OneDrive, Box, and Citrix ShareFile.

Adopt modern management with EMM and UEM – better toolsets for today’s state of EUC

Sacrifice your Group Policy Objects to better manage Windows computers

IT asset management practices are shifting

IT Asset Management - ITAM

Hands-on with images

• Zero-touch with provisioning packages

Supply chain issues are making computers longer to procure, meaning users are waiting longer for computers (Cision, 2021). The resulting silicon chip shortage is expected to last until at least 2023 (Light Reading, 2021).

IT departments are delaying purchases, delaying refreshes, and/or purchasing more to reserve devices before they need them.

Remote work has increased by 159% over the past 12 years (NorthOne, 2021). New hires and existing users can’t always go into the office to get a new computer.

IT departments are paying vendors to hold onto computers and then drop-ship them directly to the end user. The devices are provisioned using zero touch (e.g. Autopilot, Apple Device Manager, or another tool). Since zero-touch provisioning tools do not support images, teams have had to switch to provisioning packages.

The pandemic saw an increase in spending on virtual desktops

Virtual desktops offered powerful tools for supporting remote devices and personal computers without compromising sensitive data

Virtual Desktops - DaaS

Virtual Desktop Infrastructure in the Data Center

• Desktop-as-a-Service in the cloud

The pandemic helped cloud-based virtual desktop infrastructure (VDI)

Citrix saw subscription revenue increase 71% year over year in 2020 (Citrix 2020 Annual Report, p. 4). VMware saw subscription and SaaS revenue increase 38% from January 2020 to 2021 – while on-premises licensing revenue decreased by 5% (VMware Annual Report 2021, p. 40).

IT no longer needs to manage the underlying infrastructure

Microsoft and AWS are offering desktops as a service (i.e. cloud-based virtual desktops). IT needs to manage only the device, not the underlying virtual desktop infrastructure. This is in addition to Citrix’s and VMware’s cloud offerings, where IT doesn’t need to manage the underlying infrastructure that supports VDI.

Visit the blueprint Implement Desktop Virtualization and Transition to Everything as a Service to get started.

Work-from-anywhere (WFA) is now the default

COVID-19 forced this shift

Work-From-Anywhere - WFA

Rare

• Default

Be prepared to support a hybrid workforce, where people are sometimes working remotely and sometimes working in the office.

• Device provisioning and deployment need to be rethought. In-person deployment is not always possible. IT should evaluate tools such as zero-touch provisioning.
• Service desks need better monitoring and management tools. End-user experience management (EUEM) can allow you to better identify where network issues are occurring – in your data center, at the user’s house, in the cloud, or somewhere in between. Remote control tools can then allow your tier 1 to remediate issues on the user’s device.
• Apps and devices need to be usable from anywhere. Environments that rely on desktops and on-premises apps need to be rearchitected for a remote-first workforce.
• Users are living inside video conferencing tools. With the impact of the COVID-19 pandemic, there are about 145 million daily users of Microsoft Teams, almost twice the number of users in 2020 (MUO, 2021). Ensure they have the training and expertise to effectively use these tools.

“More technical troubleshooting due to users working from home a lot more. It can be more difficult to talk users through fixes when they are off site if you cannot remotely assist so more emphasis on the communication skill which was already important.” (Service Desk Institute, 2021)

Visit the Hybrid Workplace Research Center to better support a hybrid workforce.

BYOD fully includes personal computers

It’s no longer about whether IT will allow BYOD

Stop pretending BYOD doesn’t happen

Personal Devices - BYOD

Limited to email on phones

• Full capabilities on any device

• BYOD (including BYOPC) is turned on by default. SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021; N=271).
• BYOD can boost productivity. When employees can use smartphones for work, they report that it increases their productivity by 34 percent (Samsung Insights, 2016).
• BYOD is hard to support, so most organizations don’t. Only 22% of organizations provide full support for mobile devices, while 20% provide no support, 25% provide ad hoc support, and 26% provide limited support (Cybersecurity Insiders, 2021). If smartphones and tablets are heavily ingrained in business processes, then migrating to BYOD can overload the service desk.
• Securely enable employees. Mobile application management (MAM), mobile content management (MCM), and Office 365 have gotten smarter at protecting corporate data.

Action Item: Identify how IT can provide more support to personally owned computers, tablets, and smartphones.

58% of working Americans say their work devices are “awful to work on." (PCMag, 2021)

But only 22% of organizations provide full support to BYOD. (Cybersecurity Insiders, 2021)

IT must either provide better devices or start fully supporting users on personal PCs.

Build governance practices for low-code development platforms

Managing 1,000 different apps built out on low-code business process management platforms is hard, but it’s not nearly as hard as managing 1,000 unique SaaS apps or access databases

Business-Managed Apps - BMA

Performed by IT

• Performed by the Business and IT

Pros - Opportunities

• Offers DIY to users
• Business can build them quickly
• IT has central visibility
• IT can focus on the platform

Cons - Threats

• Sensitive data can get exposed
• Users may have issues with continuity and backup
• Responding to platform changes will be potentially challenging
• Support may be difficult after the app creator leaves

Action Item: Build a governance framework that describes the roles and responsibilities involved in business-owned apps. Identify the user’s role and end-user computing’s role in supporting low-code apps.

Visit the blueprint Embrace Business-Managed Apps to learn how to build a governance framework for low-code development platforms.

Visit the Low-Code Business Process Management SoftwareReviews category to compare different platforms.

Update your customer service practices

End users expect self-service and help from tier 1

Re-evaluate how you support both corporate-issued and personal-owned computers and mobile devices

Customer Satisfaction - C Sat

Phone calls and transactional interactions

• Self-serve & managing entire experience

Microsoft’s 2019 “Global State of Customer Service” report shows that people have high expectations:

• 31% of people expect call agents to have a “deep understanding of the caller’s relationship with the company”
• 11% expect self-service capabilities

End users have the same expectations of IT, the service desk, and end-user computing teams:

• Users expect any IT person with whom they are talking to have a deep understanding of their devices, apps, open tickets, and closed tickets.
• Users expect tier 1 to be able to resolve their incidents and requests without escalating to tier 2 or tier 3 end-user computing specialists.

Most Important Aspects of Customer Service

Resolving issue in one interaction - 35%

Knowledgeable agent - 31%

Finding information myself - 11%

Not repeating information - 20%

(Microsoft, 2019)

Desktop engineering needs to shift left

Revisit what work can only be done by tier 2 and tier 3 teams

Shifting left involves shifting resolution of incidents and service requests down from more costly resources to the first line of support and to end users themselves through self-service options

• Tier 1 needs up-to-date information on the end users’ devices and open tickets.
• Users should be able to request apps and download those apps through a self-service portal, a software catalog, or an app store.
• Tier 1 needs to be empowered to remote wipe devices, see troubleshooting and diagnostics information, and resolve incidents without needing to escalate.

Action Item: Apply shift-left enablement to train tier 1 agents on troubleshooting more incidents and fulfilling more service requests. Build top-notch self-service capabilities for end users.

Work with your service desk on the blueprint Optimize the Service Desk with a Shift-Left Strategy.

Windows 11 is coming

Prepare to make the jump

The sooner you start, the easier the migration will be

• Begin planning hardware refreshes. Old computers that do not have a TPM 2.0 chip are not currently supported on Windows 11 (“Enable TPM 2.0,” Microsoft, 2021). If you have old computers that will not support the jump to Windows 11– especially given the supply chain disruptions and silicon chip shortages – it is time to consider computer upgrades.
• The end of Windows 10 is coming. Windows 10’s retirement date is currently October 14, 2025 (“Windows 10 Home and Pro,” Microsoft, 2021). If you want to continue running Windows 10 on older computers beyond that time, you will need to pay for extended support or risk those computers being more easily breached.
• Begin testing your apps internally. Run Windows 11 within IT and test whether your apps will work on Windows 11.
• Pilot Windows 11 with IT-friendlies. Find users that are excited for Windows 11 and will not mind a bit of short-term pain.
• What is your risk appetite? Risk-averse organizations will want to wait until Microsoft, DISA, and/or Center for Internet Security have published security configuration best practices.

Info-Tech’s approach

Master the ever-expanding puzzle of end-user computing

User Group Analysis

Supported Devices and Apps

Fitness for Use

Device Support

The Info-Tech difference:

1. Balance user choice, risk mitigation, and cost optimization. The right balance will be unique for every organization.
2. Standardize the nonstandard. Anticipate your users’ needs by having power options and prestigious options ready to offer.
3. Consider multiple personas when building your standards, training, and migrations. Early Adopters, Late Adopters, VIP Users, Road Warriors, and Hoarders – these five personas will exist in one form or another throughout your user groups.

Modernize and Transform Your End-User Computing Strategy

Focus on the Big Picture

End-User Paradigms Have Shifted

Take end-user computing beyond the device

Operating System - OS

Only Windows

• More choices than ever before

Endpoint Management System - UEM

Group Policy & Client Management

• Modern & Unified Endpoint Management

Personal Devices - BYOD

Limited to email on phones

• Full capabilities on any device

IT Asset Management - ITAM

Hands-on with images

• Zero-touch with provisioning packages

Virtual Desktops - DaaS

Virtual Desktop Infrastructure in the Data Center

• Desktop-as-a-Service in the cloud

Business-Managed Apps - BMA

Performed by IT

• Performed by the Business and IT

Work-From-Anywhere - WFA

Rare

• Default

Customer Satisfaction - C Sat

Phone calls and transactional interactions

• Self-serve & managing entire experience

Don't just focus on the device!

Improvements in the service desk, business apps, networks and communication infrastructure, and IT policy have a higher impact on increasing satisfaction.

Impact of End-User Satisfaction of IT by Area Compared to Devices

Devices (x1.0)

IT Policy (x1.09)

Network & Communications Infrastructure (x1.41)

Business Apps (x1.51)

Service Desk (x1.54)

(Info-Tech Research Group, CIO Business Vision, 2021; n=119,409)

Build your strategy with these components...

End-User Group Analysis

• Work location
• Information interactions
• Apps
• Data and files
• Business capabilities
• Current offering
• Pain points
• Desired gains

Supported Devices & Apps

• Primary computing device offerings
• Power computing device offering
• Prestigious device offerings
• Secondary computing device offerings
• Provisioning models
• Standard apps
• Peripherals

Device Support

• Self-service
• Service Desk
• Specialists

Fitness for Use

• Organizational policies
• Security policies

Vision

...to answer these questions:

1. What devices will people have?
2. How will you support these devices?
3. How will you govern these devices?

Balance choice, risk, and cost

The right balance will be unique for every organization. Get the balance right by aligning your strategy's goals to senior leadership’s most important priorities.

• User choice
• Risk
• Cost

+ Standardize the non-standard

Have a more prestigious option ready for users, such as VIPs, who want more than the usual offerings. This approach will help you to proactively anticipate your users' needs.

+Consider multiple personas when building your standards, training, and migrations

These five personas will exist in one form or another throughout your user groups.

• Early Adopters
• Late Adopters
• VIP Users
• Road Warriors
• Hoarders

Use our approach to answer these questions:

What computers will people have?

Types of computing devices

• Power desktop
• Power laptop
• Desktop
• Laptop
• Virtual Desktop
• Thin Client Device
• Pro Tablet
• Tablet
• Smartphone

Corporate-Issued Approaches

• Kiosk – Shared, Single Purpose
• Pooled – Shared, Multipurpose
• Persistent – Individual
• Personally Owned

Supported Operating Systems

• Windows
• Mac
• Chrome OS
• Linux
• iOS/iPad OS
• Android

How will you support these devices?

Device Management

• Manual
• CMT
• EMM
• UEM
• Pooled Virtual Desktop Manager

Supporting Practices

• Self-Service
• Tier 1 Support
• Specialist Support

How will you govern these devices?

Corporate Policies

• Personal Use Allowed?
• Management and Security Policies
• Personal Device Use Allowed?
• Supported Apps and Use Cases
• Who Is Allowed to Purchase?
• Prohibited Apps and Use Cases
• Device Entitlement
• Stipends and/or Reimbursement to Users

Use our blueprint to improve your EUC practices

1. Devices
   • Corporate-issued devices
   • Standard offerings
2. User Support
   • Self-service
   • Tier 1 support
3. Use Cases
   • Providing value
   • Business apps
4. Policy & Governance
   • Personal device use
   • IT policy
5. Fitness for Use
   • Securing devices
   • Patching

Info-Tech’s methodology for end-user computing strategy

Insight summary

Once users are satisfied with devices, focus on the bigger picture

If end users are dissatisfied with devices, they will also be dissatisfied with IT. But if you don’t also focus on apps and supportability, then giving users better devices will only marginally increase satisfaction with IT.

Bring it back to stakeholder priorities

Before you build your vision statement, make sure it resonates with the business by identifying senior leadership’s priorities and aligning your own goals to them.

Balance choice, risk, and cost

The balance of user choice, risk mitigation, and cost optimization is unique for each company. Get the balance right by aligning your strategy’s goals to senior leadership’s most important priorities.

Communicate early and often with users

Expect users to become anxious when you start targeting their devices. Address this anxiety by bringing them into the conversation early in the planning – they will see that their concerns are being addressed and may even feel a sense of ownership over the strategy.

Standardize the nonstandard

When users such as VIP users want more than the standard offering, have a more prestigious option available. This approach will help you to proactively anticipate your users’ needs.

Consider multiple personas when building your standards, training, and migrations

Early Adopters, Late Adopters, VIP Users, Road Warriors, and Hoarders – these five personas will exist in one form or another throughout your user groups.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

User Group Analysis Workbook

Use these worksheets to guide your analysis.

End-User Computing Ideas Catalog

Compare options for your end-user computing environment.

Standard End-User Entitlements and Offerings

Define your supported offerings and publish this document in your service catalog.

Policy Templates

Use these templates as a starting point for addressing policy gaps.

Key deliverable:

End-User Computing Strategy

Document your strategy using this boardroom-ready template.

Blueprint benefits

IT Benefits

• Deliver immediate value to end users.
• Provide the best service based on the user persona.
• Provide better device coverage.
• Use fewer tools to manage a less diverse but equally effective array of end-user computing devices.
• Provide more managed devices that will help to limit risk.
• Have better visibility into the end-user computing devices and apps.

Business Benefits

• Conduct corporate business under one broad strategy.
• Provide support to IT for specific applications and devices.
• Take advantage of more scalable economies for providing more advantageous technologies.
• Experience less friction between end users and the business and higher end-user satisfaction.

Measure the value of this blueprint

Your end-user computing strategy is an investment

Track the returns on your investment, even if those returns are soft benefits and not cost reductions

User Satisfaction

• Satisfaction with device
• Satisfaction with business apps
• Satisfaction with service desk timeliness
• Satisfaction with service desk effectiveness
• Satisfaction with IT Employee engagement

Total Cost

• Spend on each type of device
• Cost of licenses for management tools, operating systems, and apps
• Cost of support agreements # of support tickets per device per employee
• Time spent supporting devices per tier or support team
• Time spent per OS/app release

Risk Mitigation

• # of devices that are end-of-life
• % of devices in compliance
• # of unmanaged devices
• # of devices that have not checked in to management tool

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 8 to 10 calls over the course of 4 to 6 months.

Phase 1: Set the Direction

• Call #1: Review trends in end-user computing and discuss your current state.
• Call #2: Perform a user group analysis.
• Call #3: Identify desired benefits and map to stakeholder drivers.

Phase 2: Define the Offering

• Call #4: Define standard offerings.
• Call #5: Select provisioning models.
• Call #6: Outline supporting services and opportunities to shift end-user computing support left.
• Call #7: Identify gaps in governance and policies.

Phase 3: Build the Roadmap

• Call #8: Develop initiatives.
• Call #9: Plan migration and build roadmap.

EUC Strategy Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Phase 1

Set the Direction

Set the Direction

1.1 Identify Desired Benefits

1.2 Perform a User Group Analysis

1.3 Define the Vision

Define the Offering

2.1 Define the Standard Offerings

2.2 Outline Supporting Services

2.3 Define Governance and Policies

Build the Roadmap

3.1 Develop Initiatives

This phase will walk you through the following activities:

• Current-state analysis
• Goals cascade
• Persona analysis

This phase involves the following participants:

• End-User Computing Team
• IT Leadership

Set a direction that will create value for IT, stakeholders, and end users

Use your insights to build your strategy

Start by downloading Info-Tech’s End-User Computing Strategy Template

1. Perform a stop-start-continue exercise for how IT supports end-user devices.
2. Perform a goals cascade to identify how the end-user computing strategy can align with and support senior leaders’ priorities and strategic objectives.
3. Perform a user group analysis to identify what IT can do to provide additional value to end users.
4. Use the results to define a vision for your end-user computing strategy and in-scope benefits.

Download the End-User Computing Strategy Template.

Step 1.1

Identify Desired Benefits

Activities

1.1.1 Assess the current state of end-user computing

1.1.2 Perform a SWOT analysis

1.1.3 Map benefits to stakeholder drivers and priorities

Optional: Identify current total cost of ownership

This step requires the following inputs:

• Current approach for end-user computing
• List of strengths and weaknesses of the current approach

This step involves the following participants:

• CIO
• End-User Computing Team
• IT Leadership
• End-User Computing Manager

Outcomes of this step

• Defined success metrics that are tied to business value
• Vision statement, mission statement, and guiding principles

Review your current state for each end-user computing practice

1. Devices
   • Corporate-issued devices
   • Standard offerings
2. User Support
   • Self-service
   • Tier 1 support
3. Use Cases
   • Providing value
   • Business apps
4. Policy & Governance
   • Personal device use
   • IT policy
5. Fitness for Use
   • Securing devices
   • Patching

1.1.1 Assess the current state of end-user computing

Discuss IT’s strengths and challenges

Review your success in responding to the trends highlighted in the executive brief.

• Start by reviewing the trends in the executive brief. Identify which trends you would like to focus on.
• Review the domains below. Discuss:
  • Your current approach
  • Strengths about this approach
  • Challenges faced with this approach
• Document the results in the “Current-State Assessment” section of your End-User Computing Strategy.

1. Devices
   • Corporate-issued devices
   • Standard offerings
2. User Support
   • Self-service
   • Tier 1 support
3. Use Cases
   • Providing value
   • Business apps
4. Policy & Governance
   • Personal device use
   • IT policy
5. Fitness for Use
   • Securing devices
   • Patching

Download the End-User Computing Strategy Template.

Consider these aspects of end-user computing in your assessment

Devices: As shown in the executive brief, devices are necessary for satisfaction in IT. In your current-state assessment, outline the principal means by which users are provided with a desktop and computing.

• Corporate-issued devices: Document the types of devices (e.g. laptops, desktops, smartphones) and operating systems that IT currently supports.
  • Strengths: Highlight user satisfaction with your current offerings by referencing recent relationship surveys.
  • Challenges: Document corporate-issued devices where stakeholders and users are not satisfied, platforms that stakeholders would like IT to support, etc.
• Standard offerings: Name the high-level categories of devices that you offer to end users (e.g. standard device, power device).
  • Strengths: Outline steps that IT has taken to improve the portfolio of standard offerings and to communicate the offerings.
  • Challenges: Identify areas to improve the standard offerings.

User support: Examine how the end-user computing team enables a high-quality customer service experience. Especially consider self-service and tier 1 support.

• Self-service: Describe the current state of your self-service capabilities (e.g. name of the self-service portal, number of apps in the app store).
  • Strengths: Outline successes with your self-service capabilities (e.g. use of self-service tools, recently deployed tools, newly supported platforms).
  • Challenges: Identify gaps in self-service capabilities.
• Tier 1 support: Document the number of end-user computing incidents and service requests that are resolved at tier 1 as well as the number of incidents and service requests that are resolvable without escalation.
  • Strengths: Identify technologies that make first contact resolution possible. Outline other items that support tier 1 resolution of end-user computing tickets, such as knowledgebase articles and training programs.
  • Challenges: Document areas in which tier 1 resolution of end-user computing tickets is not feasible.

Considerations (cont’d.)

Use cases: Reflect on how IT and end-user computing supports users’ most important use cases. Consider these aspects:

• Providing value: Identify the number of user groups for which you have completed a user group analysis. Outline your major approaches for capturing feedback, such as relationship surveys.
  • Strengths: Document any successful initiatives around stakeholder relationships and requirements gathering. You can also highlight successful metrics, such as high satisfaction scores from a team, department, or division.
  • Challenges: Identify where there are dissatisfied stakeholders and gaps in product offerings and where additional work around value generation is required.
• Business apps: Outline your major business apps and your approach to improvement for these apps. If you need assistance gathering feedback from end users and stakeholders, you can use Info-Tech’s Application Portfolio Assessment.
  • Strengths: Show the EUC team’s successes in supporting critical business apps (e.g. facilitating user acceptance testing, deploying via endpoint management tool).
  • Challenges: Name business apps that are not meeting stakeholder needs. Consider if end users are dissatisfied with an app, if IT is unable to adequately monitor and support a business app, etc.

Policy and governance: Document the current state of policies governing the use of end-user computing devices, both corporate-issued and personally owned. Review Step 2.3 for a list of policy questions to address and for links to policy templates.

• Personal device use: Explain which users are allowed to use personally owned devices, what use cases are supported, and which types of devices are supported. Also, highlight explicit prohibitions.
  • Strengths: Highlight major accomplishments with BYOD, utilization metrics, etc. Consider including any platforms or apps that support BYOD (e.g. Microsoft Office 365).
  • Challenges: Identify where there are gaps in your support for personal devices. Examples can include insufficient management tools, lack of feedback from end users on BYOD support, undefined policies and governance, and inadequate support for personal devices.

Considerations (cont’d.)

IT policies: List your current policy documents. Include policies that relate to end-user computing, such as security policy documents; acceptable use policy documents; purchasing policies; documents governing entitlements to computers, tablets, smartphones, and prestigious devices; and employee monitoring policy documents.

• Strengths: Outline the effectiveness of these policies, user compliance to these policies, and your success in enforcing these policies.
• Challenges: Identify where you have gaps in user compliance, gaps in enforcing policies, many exceptions to a policy, etc.

Fitness for use: Reflect on your ability to secure users, enterprise data, and computers. Document your current capabilities to ensure devices are adequately secured and risks adequately mitigated.

• Securing devices: Describe your current approach to implementing security baselines, protecting data, and ensuring compliance.
  • Strengths: Highlight your accomplishments with ensuring devices meet your security standards and are adequately managed.
  • Challenges: Identify areas that are not adequately protected, where IT does not have enough visibility, and devices on which IT cannot enforce security standards.
• Patching: Describe your current approach to distributing OS patches, distributing app patches, and ensuring patch compliance.
  • Strengths: Outline steps that IT has taken to improve release and deployment practices (e.g. user acceptance testing, deployment rings).
  • Challenges: When is IT unable to push a patch to a device? Outline when devices cannot receive a patch, when IT is unable to ensure patches are installed, and when patches are disruptive to end users.

1.1.2 Perform a SWOT analysis

Summarize your current-state analysis

To build a good strategy, you need to clearly understand the challenges you face and opportunities you can leverage.

• Summarize IT’s strengths. These are positive aspects internal to IT.
• Summarize IT’s challenge. What internal IT weakness should the strategy address?
• Identify high-level opportunities. Summarize positive factors that are external to IT (e.g. within the larger organization, strong vendor relationships).
• Document threats. What external factors present a risk to the strategy?

Record your SWOT analysis in the “Current-State Assessment” section of your End-User Computing Strategy Template.

Download the End-User Computing Strategy Template.

1.1.3 Map benefits to stakeholder drivers and priorities

Use a goals cascade to identify benefits that will resonate with the business

Identify how end-user computing will support larger organizational strategies, drivers, and priorities

1. Identify stakeholders. Focus on senior leaders – user groups will be addressed in Step 1.2.
2. For each stakeholder, identify three to five drivers or strategic priorities. Use the drivers as a starting point to:
   1. Increase productivity
   2. Mitigate risks
   3. Optimize costs
3. Map the benefits you brainstormed in Step 1.1 to the drivers. It’s okay to have benefits map to multiple drivers.
4. Re-evaluate benefits that don’t map to any drivers. Consider removing them.

Record this table on the “Goals Cascade” slide in the “Vision and Desired Benefits” section of your End-User Computing Strategy Template.

Use the CEO-CIO Alignment Program to identify which business benefits are most important.

Sample end-user computing benefits

Optional: Identify current total cost of ownership

Be mindful of hidden costs, such as those associated with supporting multiple devices and maintaining a small fleet of corporate devices to ensure business continuity with BYOD.

• Use the Hardware Asset Management Budgeting Tool to forecast spend on devices (and infrastructure) based on project needs and devices nearing end of life.
• Use the Mobile Strategy TCO Calculator to estimate the total cost of all the different aspects of your mobile strategy, including:
  • Training
  • Management platforms
  • Custom app development
  • Travel and roaming
  • Stipends and taxes
  • Support
• Revisit these calculators in Phase 2. Use the TCO calculator when considering different approaches to mobility and end-user computing.

Insert the results into your End-User Computing Strategy Template.

Download the HAM Budgeting Tool.

Download the Mobile Strategy TCO Calculator.

Step 1.2

Perform a User Group Analysis

Activities

1.2.1 Organize roles based on how they work

1.2.2 Organize users into groups

1.2.3 Document the current offerings

1.2.4 Brainstorm pain points and desired gains for each user group

This step requires the following inputs:

• List of roles and technologies
• User feedback
• List of personas

This step involves the following participants:

• End-User Computing Team
• IT Leadership
• End-User Computing Manager

Outcomes of this step

• List of user groups and use cases for each group
• List of current offerings for each user group
• Value analysis for each user group

Gather the information you need

Use the Application Portfolio Assessment to run a relationship survey.

Dive deeper with the blueprint Improve Requirements Gathering.

List of Roles and Technology

Organization chart: Consult with HR or department leaders to provide a list of the different roles that exist in each department.

Identity access management tools: You can consult tools like Active Directory, but only if the data is clean.

Apps and devices used: Run a report from your endpoint management tool to see what devices and apps are used by one another. Supplement this report with a report from a network management tool to identify software as a service that are in use and/or consult with department leaders.

User Feedback

Relationship surveys: Tools like the End-User Application Satisfaction Diagnostic allow you to assess overall satisfaction with IT.

Focus groups and interviews: Gather unstructured feedback from users about their apps and devices.

User shadowing: Observe people as they use technology to identify improvement opportunities (e.g. shadow meetings, review video call recordings).

Ticket data: Identify apps or systems that users submit the most incidents about as well as high-volume requests that could be automated.

1.2.1 Organize roles based on how they work

Start by organizing roles into categories based on where they work and how they interact with information.

1. Define categories of where people work. Examples include:
   1. In office, at home, at client sites
   2. Stationary, sometimes mobile, always mobile
   3. Always in same location, sometimes in different locations, always in different locations within a site, mobile between sites
2. Define categories of how people interact with information. Examples include:
   1. Reads information, reads and writes information, creates information
   2. Cases, projects, relationships
3. Build a matrix. Use the location categories on one axis and the interaction categories on the other axis.
4. Place unique job roles on the matrix. Review each functional group’s organizational chart. It is okay if you don’t fill every spot. See the diagram on this page for an example.

1.2.2 Organize users into groups

Populate a user group worksheet for each in-scope group.

1. Within each quadrant, group similar roles together into “User Groups.” Consider similarities such as:
   1. Applications they use
   2. Data and files with which they interact
   3. Business capabilities they support
2. Document their high-level profile:
   1. Where they work
   2. Sensitivity of data they access
   3. Current device and app entitlements
3. Document the resulting user groups. Record each user group on a separate worksheet in the User Group Analysis Workbook.

Download the User Group Analysis Workbook.

1.2.3 Document the current offerings

For each user group, document:

• Primary and secondary computing devices: Their most frequently used computing devices.
• Acceptable use: Whether corporate-issued devices are personally enabled.
• BYOD: Whether this persona is authorized to use their personal devices.
• Standard equipment provided: Equipment that is offered to everyone in this persona.
• Additional devices and equipment offered: Equipment that is offered to a subset of this user group. These items can include more prestigious computers, additional monitors, and office equipment for users allowed to work remotely. This category can include items that require approval from budget owners.
• Top apps: What apps are most commonly used by this user group? What common nonstandard apps are used by this user group?

Standardize the nonstandard

When users such as VIP users want more than the standard offering, have a more prestigious option available. This approach will help you to proactively anticipate your users’ needs.

1.2.4 Brainstorm pain points and desired gains for each user group

Don’t focus only on their experiences with technology

Reference the common personas listed on the next page to help you brainstorm additional pain points and desired gains.

1. Brainstorm pain points. Answer these questions for each role:
   1. What do people find tedious about their day-to-day jobs?
   2. What takes the most effort for them to do?
   3. What about their current toolset makes this user frustrated?
   4. What makes working difficult? Consider their experiences working from a home office, attending meetings virtually or in person, and working in the office.
   5. What challenges does that role have with each process?
2. Brainstorm desired gains from their technology. Answer these questions for each role:
   1. For your end-user computing vision to become a reality for this persona, what outcomes or benefits are required?
   2. What benefits will this persona expect an end-user computing strategy to have?
   3. What improvements does this role desire?
   4. What unexpected benefits or outcomes would surprise this role?
   5. What would make this role’s day-to-day easier?
   6. What location-specific benefits are there (e.g. outcomes specific to working in the office or at home)?

Record each user group’s pain points and desired gains on their respective worksheet.

For additional questions you can ask, visit this Strategyzer blog post by Alexander Osterwalder.

Info-Tech Insight

Identify out-of-scope benefits?

If that desired gain is required for the vision to be achieved for a specific role, you have two options:

• Bring the benefit in scope. Ensure your metrics are updated.
• Bring this user group out of scope. End-user computing improvements will not be valuable to this role without that benefit.

Forcing a user group to use an unsatisfactory tool will severely undermine your chance of success, especially in the project’s early stages.

Consider these common personas when brainstorming challenges and desired gains

What unique challenges will these personas face within each of your user groups? What improvements would each of these personas expect out of an end-user computing strategy?

Early Adopters

• Like trying new ways of working and using the latest technology.
• Very comfortable solving their own issues.
• Enjoy exploring and creating new ways of handling challenges.

Late Adopters

• Prefer consistent ways of working, be it tech or business processes.
• React to tech issues with anxiety and need assistance to get issues fixed.

VIP

• Has a prestigious job and would like to use technology that communicates their status.
• Does not like to resolve their own issues.

Road Warriors

• Always on the go, running between work meetings and appointments.
• Value flexibility and want devices, apps, and tech support that can be used anywhere at any time.

Hoarders

• Want to keep all their devices, data, and apps.
• Will stall when they need to migrate devices or uninstall apps and become unresponsive any time there is a risk of losing something.

Step 1.3

Define the Vision

Activities

1.3.1 Prioritize which benefits you want to achieve

1.3.2 Identify how you will track performance

1.3.3 Craft a vision statement that demonstrates what you’re trying to create

1.3.4 Craft a mission statement for your end-user computing team

1.3.5 Define guiding principles

This step requires the following inputs:

• Goals cascade
• List of benefits
• List of critical success factors (CSFs)

This step involves the following participants:

• End-User Computing Manager
• CIO
• Help Desk Manager
• Infrastructure Manager

Outcomes of this step

• End-User computing KPIs and metrics
• Vision statement
• Mission statement

1.3.1 Prioritize which benefits you want to achieve

Use the MoSCoW sorting technique

Select benefits that appear multiple times in the goals cascade from Activity 1.1.3 as well as your challenges from your current-state assessment.

1. Record which benefits are “Must Haves.” Select benefits that are most important to your highest-priority stakeholders.
2. Record which benefits are “Should Haves.” These benefits are important but not critical.
3. Record which benefits are “Could Haves.” These are low-priority benefits.
4. Record the remaining benefits under “Won’t Have.” These benefits are out-of-scope but can be revisited in the future.

Record the output in your End-User Computing Strategy Template under “Benefit Prioritization” in the “Vision and Desired Benefits” section.

Sample output:

1.3.2 Identify how you will track performance

1. List each unique high-priority benefit from Activity 1.3.1 as a critical success factor (CSF).
2. For each CSF, identify key performance indicators (KPIs) that you can use to track how well you’re progressing on the CSF.
   1. Articulate that KPI as a SMART goal (specific, measurable, achievable, realistic, and timebound).
3. For each KPI, identify the metrics you will use to calculate it.
4. Identify how and when you will:
   1. Capture the current state of these metrics.
   2. Update changes to the metrics.
   3. Re-evaluate the CSFs.
   4. Communicate the progress to the project team and to stakeholders.

Record this information in your End-User Computing Strategy Template.

Sample output:

1.3.3 Craft a vision statement that demonstrates what you’re trying to create

The vision statement communicates a desired future state of the IT organization. The statement is expressed in the present tense. It seeks to articulate the desired role of IT and how IT will be perceived.

Strong IT vision statements have the following characteristics:

• Describes a desired future
• Focuses on ends, not means
• Communicates promise
• Is:
  • Concise; no unnecessary words
  • Compelling
  • Achievable
  • Inspirational
  • Memorable

Sample IT Vision Statements:

• To support an exceptional employee experience by providing best-in-class end-user devices.
• Securely enable access to corporate apps and data from anywhere, at any time, on any device.
• Enable business and digital transformation through secure and powerful virtualization technology.
• IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset.

1.3.4 Craft a mission statement for your end-user computing team

The IT mission statement specifies the function’s purpose or reason for being. The mission should guide each day’s activities and decisions. The mission statement should use simple and concise terminology and speak loudly and clearly, generating enthusiasm for the organization.

Strong IT mission statements have the following characteristics:

• Articulate the IT function’s purpose and reason for existence
• Describe what the IT function does to achieve its vision
• Define the customers of the IT function
• Can be described as:
  • Compelling
  • Easy to grasp
  • Sharply focused
  • Inspirational
  • Memorable
  • Concise

Sample IT Mission Statements:

• To provide infrastructure, support, and innovation in the delivery of secure, enterprise-grade information technology products and services that enable and empower the workforce at [Company Name].
• To help fulfill organizational goals, the IT department is committed to empowering business stakeholders with technology and services that facilitate effective processes, collaboration, and communication.
• The mission of the information technology (IT) department is to build a solid, comprehensive technology infrastructure; to maintain an efficient, effective operations environment; and to deliver high-quality, timely services that support the business goals and objectives of [Company Name].
• The IT group is customer-centered and driven by its commitment to management and staff. It oversees services in computing, telecommunications, networking, administrative computing, and technology training.

1.3.5 Define guiding principles

Select principles that align with your stakeholders’ goals and objectives

Use these examples as a starting point:

Phase 2

Define the Offering

Set the Direction

1.1 Identify Desired Benefits

1.2 Perform a User Group Analysis

1.3 Define the Vision

Define the Offering

2.1 Define the Standard Offerings

2.2 Outline Supporting Services

2.3 Define Governance and Policies

Build the Roadmap

3.1 Develop Initiatives

This phase will walk you through the following activities:

• Defining standard device entitlements and provisioning models for end-user devices and equipment
• Shifting end-user computing support left
• Identifying policy gaps

This phase involves the following participants:

• End-User Computing Team
• IT Leadership

Step 2.1

Define the Standard Offerings

Activities

2.1.1 Identify the provisioning models for each user group

2.1.2 Define the standard device offerings

2.1.3 Document each user group’s entitlements

This step requires the following inputs:

• Standard End-User Entitlements and Offerings Template
• List of persona groups
• Primary computing devices
• Secondary computing devices
• Supporting operating systems
• Applications and office equipment

This step involves the following participants:

• End-User Computing Manager
• CIO
• Help Desk Manager
• Infrastructure Manager

Outcomes of this step

• End-user device entitlements and offerings standard

This step will walk you through defining standard offerings

You will define the base offering for all users in each user group as well as additional items that users can request (but that require additional approvals).

1. Primary Computing Device
   • The main device used by a worker to complete their job (e.g. laptop for knowledge workers, kiosk or shared tablet for frontline workers).
2. Secondary Computing Devices
   • Additional devices that supports a worker (e.g. a smartphone, tablet, personal computer).
3. Provisioning Models
   • Whether the equipment is corporate-issued versus personally owned and whether personal use of corporate resources is allowed.
4. Apps
   • The software used by the worker. Apps can be locally installed, cloud-based (e.g. SaaS), and/or virtualized and running remotely.
5. Peripherals
   • Additional equipment provisioned to the end user (e.g. monitors, docking station, mice, keyboards).

There is always a challenge of determining who gets what and when

The goal is balancing cost, risk, and employee engagement

The right balance will be different for every organization

• IT can’t always say no to new ideas from the business. For example, if the organization wants to adopt Macs, rather than resisting IT should focus on identifying how Macs can be safely implemented.
• Smartphones may not be necessary for a job, but they can be a valid employee perk. Not every employee may be entitled to the perk. There may be resentment between employees of the same level if one of the employees has a corporate-issued, business-only phone for their job function.
• The same laptop model may not work for everyone. Some employees may need more powerful computers. Some employees may want more prestigious devices. Other employees may require a suite of apps that is only available on non-Windows operating systems.

Action Item: Provide a defined set of standard options to the business to proactively address different needs.

A good end-user computing strategy will effectively balance:

• User Choice
• Risk
• Cost

Your standard offerings need to strike the right balance for your organization.

Review the End-User Computing Ideas Catalog

Compare pros and cons of computing devices and operating systems for better decision making

The catalog provides information about choices in:

• Provisioning models
• Operating systems
• Device form factors

Review the catalog to learn about items that can help your organization to achieve the desired vision from Phase 1.

As you review the catalog, think about these questions:

• What primary and secondary devices can you provide?
• What operating systems do these devices support?
• What are the provisioning models you will use, considering each model’s weaknesses and strengths?
• How can you more effectively balance user choice, risk, and cost?

Download the End-User Computing Ideas Catalog.

2.1.1 Identify the provisioning models for each user group

1. Review the definitions in the End-User Computing Ideas Catalog.
2. Build a table. List the major user groups along the top of the table and applications down the rows.
3. Brainstorm provisioning models that will be used for primary and secondary devices for each persona group.
4. Record your provisioning models in the Standard End-User Entitlements and Offerings Template.

Download the End-User Computing Ideas Catalog.

Download the Standard End-User Entitlements and Offerings Template.

Identify multiple device options

Offer standard, power, and prestigious offerings

Prioritize offering models and align them with your user groups.

• Standard device: This offering will work for most end users.
• Power device: This offering will provide additional RAM, processor speed, storage, etc., for users that require it. It is usually offered as an additional option that requires approval.
• Prestigious device: This offering will be provided to VIP users.
• Portable device: This offering is for employees within a user group that moves around more often than others. This type of offering is optional – consider having a separate user group for these users that get a more portable laptop as their standard device.

Standardize the nonstandard

When users such as VIP users want more than the standard offering, have a more prestigious option ready to offer. This approach will help you to proactively anticipate your users’ needs.

Who approves?

Generally, if it is a supported device, then the budget owner determines whether to allow the user to receive a more powerful or more prestigious device.

This decision can be based on factors such as:

• Business need – does the user need the device to do their job?
• Perk or benefit – is the device being offered to the end user as a means of increasing their engagement?

If IT gets this answer wrong, then it can result in shadow IT

Document your answer in the Device Entitlement Policy Template.

2.1.2 Define the standard device offerings

Consider all devices and their supporting operating systems.

1. On a flip chart or whiteboard, build a matrix of the supported form factors and operating systems.
2. For each cell, document the supported vendor and device model.
3. Identify where you will provide additional options.

2.1.3 Document each user groups’ entitlements

Not every persona needs to be entitled to every supported option

Use the Standard End-User Entitlements and Offerings Template as a starting point.

• Create a separate section in the document for each persona. Start by documenting the provisioning models for each type of device.
• Record the standard offering provided to members of each persona as well as additional items that can be provided with approval. Record this information for:
  • Primary computing devices
  • Secondary computing devices
• Optional: Document additional items that will be provided to members of each persona as well as additional items they can request, such as:
  • Apps
  • Office equipment

Download the Standard End-User Entitlements and Offerings Template.

Step 2.2

Outline Supporting Services

Activities

2.2.1 Review device management tools and capabilities

2.2.2 Identify common incidents and requests for devices

2.2.3 Record how you want to shift resolution

2.2.4 Define which IT groups are involved in supporting practices

Define the Offering

This step requires the following inputs:

• Standard End-User Entitlements and Offerings Template
• List of supporting devices
• Common incidents and requests
• List of supporting practices

This step involves the following participants:

• End-User Computing Manager
• CIO
• Help Desk Manager
• Infrastructure Manager

Outcomes of this step

• List of IT groups who are involved in supporting devices
• Responsibilities of each group for requests and incidents

2.2.1 Review device management tools and capabilities

Document the tools that you use to manage each OS and identify gaps

If there are different approaches to managing the same OS (e.g. Windows devices that are co-managed versus Windows devices that are only managed by Intune), then list those approaches on separate rows.

Document the results on the “IT Management Tools” slide in the “IT Support” section of your End-User Computing Strategy Template.

2.2.2 Identify common incidents and requests for devices

Analyze your service desk ticket data. Look for the following information:

• The most common incidents and service requests around end-user devices and business apps
• Incident categories and service requests that almost always involve escalations

Record the level at which these tickets can be resolved today. Ensure you include these groups:

• Tier 0 (i.e. end-user self-service)
• Tier 1 (i.e. user’s first point of contact at the service desk)
• Desk-side support and field-support groups
• End-user computing specialist teams (e.g. desktop engineering, mobile device management teams)
• Other specialist teams (e.g. security, enterprise applications, DevOps)

Record the desired state. For each incident and request, to where do you want to shift resolution?

Record this chart on the “Current State of IT Support” slide in the “IT Support” section of your End-User Computing Strategy Template.

2.2.3 Record how you want to shift resolution

Identify opportunities to improve self-service and first contact resolution.

Starting with the chart you created in Activity 2.2.2, record the desired state. For each incident and request, to where do you want to shift resolution?

• Identify quick wins. Where will it take low effort to shift resolution? Denote these items with a “QW” for quick win.
• Identify high-value, high-effort shifts. Where do you want to prioritize shifting resolution? Base this decision on the desired benefits, guiding principles, and vision statement built in Phase 1. Denote these items with an “H” for high.
• Identify low-value areas. Where would shifting provide low value to end users and/or would have low alignment to the benefits identified in Phase 1? Denote these items with an “L” for low.
• Identify where no shift can occur. Some items cannot be shifted to self-service or to tier 1 due to governance considerations, security factors, or technical complexity. Denote these items with an “OoS” for out of scope.

Use the “Opportunities to Provide Self-Service and Articles” and “Desired State” slides in the “IT Support” section of your End-User Computing Strategy Template to document quick wins and high-value, high-effort shifts.

2.2.4 Define which IT groups are involved in supporting practices

Repeat activities 2.2.2 and 2.2.3 with the following list of tasks

IT Asset Management

• Purchasing devices
• Purchasing software licenses
• Imaging devices
• Deploying devices
• Deploying software
• Recovering devices
• Recovering software

Release Management

• Testing patches
• Testing app updates
• Testing OS updates
• User acceptance testing

Managing Service Catalogs

• Defining standard device offerings
• Defining standard software offerings
• Defining device and software entitlements
• Updating published catalog entries

Knowledge Management

• Writing internal KB articles
• Writing user-facing articles
• Training specialists
• Training service desk agents
• Training users

Portfolio Management

• Prioritizing app upgrades or migrations
• Prioritizing OS migrations
• Prioritizing end-user computing projects

Step 2.3

Define Governance and Policies

Activities

2.3.1 Answer these organizational policy questions

2.3.2 Answer these security policy questions

Define the Offering

This step requires the following inputs:

• List of supporting devices
• List of persona groups
• List of use cases

This step involves the following participants:

• End-User Computing Manager
• CIO
• Help Desk Manager
• Infrastructure Manager

Outcomes of this step

• End-user computing organizational and security policies

Focus on organizational policies and enforcement

Policies set expectations and limits for mobile employees

Enforcement refers to settings on the devices, management and security tools, and process steps.

• Policies define what should and should not be done with user-facing technology. These policies define expectations about user and IT behavior.
• Enforcement ensures that policies are followed. User policies must often be enforced through human intervention, while technology policies are often enforced directly through infrastructure before any people get involved.

Use the “Policies” section in the End-User Computing Strategy Template to document the answers in this section. Activities 2.3.2 and 2.3.3 present links to policy templates. Use these templates to help address any gaps in your current policy suite.

2.3.1 Answer these organizational policy questions

Identify if there are different expectations for certain user groups, where exceptions are allowed, and how these policies will be enforced.

Entitlements

• Who is entitled to receive and use prestigious computers?
• Who is entitled to receive and use a smartphone?
• What users are entitled to a stipend for personal device use?

Personal Device Use

• What use cases are supported and are not supported on personal devices?
• What level of visibility and control does IT need over personal devices?

Acceptable Use

• Are people allowed to use corporate resources for personal use?
• What are the guidelines around personal use?
• Are users allowed to install personal apps on their corporate-issued computers and/or mobile devices?

Purchasing and Reimbursement

• Who is allowed to purchase devices? Apps?
• When can users file a reimbursement request?

Employee Monitoring

• What user information is monitored?
• When can that information be used and when can it not be used?

Use the “Policies” section of the End-User Computing Strategy Template to document these answers.

Identify organizational policy gaps

Use these templates as a starting point

Entitlements

Download the Mobile Device Connectivity & Allowance Policy template.

Purchasing & Reimbursement

Download the Purchasing Policy template.

Download the Mobile Device Reimbursement Policy template.

Download the Mobile Device Reimbursement Agreement template.

Acceptable Use

Download the General Security – User Acceptable Use Policy template.

Personal Device Use

Download the BYOD Acceptable Use Policy template.

Download the Mobile Device Remote Wipe Waiver template.

Employee Monitoring

Download the General Security – User Acceptable Use Policy template.

Visit the Reduce and Manage Your Organization’s Insider Threat Risk blueprint to address this gap.

2.3.2 Answer these security policy questions

Identify if there are different expectations for certain user groups, where exceptions are allowed, and how these policies will be enforced.

Use Cases

• What data and use cases are subject to stricter security measures?
• Are certain use cases or data prohibited on personal devices?
• Are there restrictions around where certain use cases are performed and by whom?

Patching

• Are users expected to apply OS and app updates and patches? Or does IT automate patching?

Physical Security

• What does the user need to do to secure their equipment?
• If a device is lost or stolen, who does the user contact to report the lost or stolen device?

Cybersecurity

• How will IT enforce security configuration baselines?
• What does the user need to do (or not do) to secure their device?
• Are certain users allowed to have local admin rights?
• What happens when a device doesn’t comply with the required security configuration baseline?

Use the “Policies” section of the End-User Computing Strategy Template to document these answers.

Identify security policy gaps

Use these templates as a starting point

Use Cases

Download the General Security – User Acceptable Use Policy template.

Visit the Discover and Classify Your Data blueprint to address this gap.

Patching

Download the General Security – User Acceptable Use Policy template.

Physical and Cyber Security

Download the General Security – User Acceptable Use Policy template.

Visit the Develop and Deploy Security Policies blueprint to address this gap.

For help defining your own security configuration baselines for each operating system, reference best practice documentation such as:

National Institute of Standards and Technology’s National Checklist Program.

Center for Internet Security’s solutions.

Microsoft’s security baseline settings for Windows 10 and 11 Configuration Service Providers.

Phase 3

Build the Roadmap

Set the Direction

1.1 Identify Desired Benefits

1.2 Perform a User Group Analysis

1.3 Define the Vision

Define the Offering

2.1 Define the Standard Offerings

2.2 Outline Supporting Services

2.3 Define Governance and Policies

Build the Roadmap

3.1 Develop Initiatives

This phase will walk you through the following activities:

• Defining initiatives for each EUC domain
• Building a customer journey map for any end-user computing migrations
• Building a roadmap for EUC initiatives

This phase involves the following participants:

• End-User Computing Team

Step 3.1

Develop Initiatives

Activities

3.1.1 Identify initiatives for each EUC practice

3.1.2 Build out the user’s migration journey map

3.1.3 Build out a list of initiatives

Build the Roadmap

This step requires the following inputs:

• User group workbook
• Migration initiatives

This step involves the following participants:

• Infrastructure Director
• Head of End-User Computing
• End-User Computing Team
• Project Manager (if applicable)

Outcomes of this step

• End-user computing roadmap
• Migration plan

3.1.1 Identify the gaps in each EUC area

Build a high-level profile of the changes you want to make

For each of the five areas, build a profile for the changes you want to implement. Record:

1. The owner of the area
2. The objective that you want to accomplish
3. The desired benefits from focusing on that area
4. Any dependencies to the work
5. Risks that can cause the objective and benefits to not be achieved

Identify the initiatives involved in each area.

Document these profiles and initiatives in the “Roadmap” section of your End-User Computing Strategy Template.

1. Devices
   • Corporate-issued devices
   • Standard offerings
2. User Support
   • Self-service
   • Tier 1 support
3. Use Cases
   • Providing value
   • Business apps
4. Policy & Governance
   • Personal device use
   • IT policy
5. Fitness for Use
   • Securing devices
   • Patching

Your initiatives may require a user migration

Plan the user’s migration journey

Consider each user group’s and each persona’s unique needs and challenges throughout the migration.

1. Preparing to migrate: The user may need to schedule the migration with IT and back up files.
2. Migrating: IT executes the migration (e.g. updates the OS, changes management tools).
3. Getting assistance: When a user experiences an error during the migration, how will they get help from IT?
4. Post-migration: How will IT and the user know that the migration was successful one week later?

Understand the three migration approaches

Online

Users execute the migrate on their own (e.g. Microsoft’s consumer migration to Windows 10).

In person

Users come in person, select a device, and perform the migration with a specialist. If the device needs support, they return to the same place (e.g. buying a computer from a store).

Hybrid

Users select a device. When the device is ready, they can schedule time to pick up the device and perform the migration with a specialist (e.g. purchasing an iPhone in advance from Apple’s website with in-store pick-up).

Be prepared to support remotely

Migrations to the new tool may fail. IT should check in with the user to confirm that the device successfully made the migration.

3.1.2 Build out the user’s migration journey map

Contemplate a roadmap to plan for end-user computing initiatives

• As a group, brainstorm migration initiatives.
• For each of the four phases, identify:
  • User activities: actions we need the user to do
  • IT activities: actions and processes that IT will perform internally
  • User touchpoints with IT: how the user will interact with the IT group
  • Opportunities: ideas for how IT can provide additional value to the end user in this phase.
• Use the example in the End-User Computing Strategy Template as a starting point.

Download the End-User Computing Strategy Template.

Embed requirements gathering throughout your roadmap

Use a combination of surveys, focus groups, and interviews

You’re doing more than eliciting opinions – you’re performing organizational change management.

• Use surveys to profile the demand for specific requirements. When a project is announced, develop surveys to gauge what users consider must-have, should-have, and could-have requirements.
• Interviews should be used with high-value targets. Those who receive one-on-one face time can help generate good requirements and allow for effective communication around requirements.
• Focus groups are used to get input from multiple people in a similar role. This format allows you to ask a few open-ended questions to groups of about five people.

The benefits of interviews and focus groups:

• Foster direct engagement: IT is able to hear directly from stakeholders about what they are looking to do with a solution and the level of functionality that they expect from it.
• Offer greater detail: With interviews, greater insight can be gained by leveraging information that traditional surveys wouldn’t uncover. Face-to-face interactions provide thorough answers and context that helps inform requirements.
• Remove ambiguity: Face-to-face interactions allow opportunities to follow up on ambiguous answers. Clarify what stakeholders are looking for and expect in a project.
• Enable stakeholder management: Interviews are a direct line of communication with project stakeholders. They provide input and insight and help to maintain alignment, plan next steps, and increase awareness within the IT organization.

Activity instructions:

1. Early requirements ideation: Identify who you want to interview through one-on-one meetings and focus groups.
2. Requirements validation and prioritization: Identify which user groups you plan to survey and when.
3. Usability testing: Plan to include usability testing during each phase. Build it into your release practices.

3.1.3 Build out a list of initiatives

Download a copy of the Roadmap Tool

On tab “1. Setup”:

• Update category 1 to be all the EUC areas (i.e. Devices, User Support).
• Update category 2 and category 3 with meaningful items (e.g. operating system, device model, persona group).

Use tab “2. Data Entry” to record your list of initiatives.

• Each initiative should have its own row. Write a high-level summary under “Roadmap Item” and include more detail under “Description and Rationale.”
• Enter each initiative’s effort, priority, and timeline for beginning. These are mandatory fields for tab “3. Roadmap” to work properly.

Use tab “3. Roadmap” to visualize your data. You will have to press “Refresh All” under Data in the ribbon for the PivotChart to update.

Copy the roadmap visual on tab “3. Roadmap” into your End-User Computing Strategy Template. You can also copy the list of initiatives over into the document.

Download the Roadmap Tool.

Summary of Accomplishment

Problem Solved

You built a strategy to improve the balance between user enablement, risk mitigation, and cost optimization. Throughout the blueprint, you identified opportunities to provide additional value to end users and stakeholders during these activities:

• Goals cascade
• User group analysis
• Definition of standard device types and platforms
• IT support shift-left analysis
• Policy gap analysis
• Roadmapping

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Identify User Groups

Identify each user group based on the business processes, tasks, and applications they use.

Define Standard Device Offerings

Record your provisioning models for each user group and the primary and secondary devices, apps, and peripherals that each group receives.

Related Info-Tech Research

Simplify Remote Deployment With Zero-Touch Provisioning

This project helps you align your zero-touch approach with stakeholder priorities and larger IT strategies. You will be able to build your zero-touch provisioning and patching plan from both the asset lifecycle and the end-user perspective to create a holistic approach that emphasizes customer service. Tailor deployment plans to more easily scope and resource deployment projects.

Implement Hardware Asset Management

This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

Govern Office 365

This project will help you conduct a goals exercise and capability assessment for Office 365. You will be able to refine governance objectives, build out controls, formalize governance, build out one pagers, and finalize a communication plan.

Research Contributors and Experts

• Steve Fox, Deputy IT Director, Virginia State Corporation Commission
• Mazen Joukhadar, TransForm Shared Service Organization
• Nathan Schlaud, PMO Senior Director, RPC Inc.
• Rebecca Mountjoy, Infrastructure Systems Manager, BlueScope Buildings
• DJ Robins, Director of Information Technology, Mohawk MedBuy
• Jason Jenkins, Tech. Specialist, Michal Baker Corp.
• Brad Wells, IT Infrastructure Solutions Architect, London Police Service
• Danelle Peddell, Director, Project Management Office, Emco Corporation
• John Annand, Principal Research Director, Info-Tech Research Group
• Allison Kinnaird, Research Director and Research Lead, Info-Tech Research Group
• Sandi Conrad, Principal Research Director, Info-Tech Research Group
• Andrew Kum-Seun, Senior Research Analyst, Info-Tech Research Group
• Mark Tauschek, Vice President IT Infrastructure & Operations Research, Info-Tech Research Group

A special thank-you to 6 anonymous contributors

Bibliography

“2020 Annual Report and Proxy.” Citrix, 2020. Accessed Oct. 2021.

“2021 BYOD Security Report.” Cybersecurity Insiders, 2021. Web.

Anderson, Arabella. “12 Remote Work Statistics to Know in 2022.” NorthOne, 2021. Accessed Oct. 2021.

Bayes, Scarlett. “ITSM: 2021 & Beyond.” Service Desk Institute, 14 April 2021, p. 14. Web.

Belton, Padraig. “Intel: Chip shortage will extend to at least 2023.” Light Reading, 22 Oct. 2021. Web.

Beroe Inc. “Demand for PC Components Saw a Surge Due to COVID-19, Says Beroe Inc.” Cision PR Newswire, 2 Sept. 2021. Web.

Devaraj, Vivekananthan. “Reference Architecture: Remote PC Access.” Citrix, 2021. Accessed Aug. 2021.

“Elements of the Project Charter and Project Scope Statement.” A Guide to PMBOK, 7th edition, PMI, 2021. Accessed Sept. 2021.

Elliott, Christopher. “This Is How The Pandemic Improved Customer Service.” Forbes, 2021. Accessed Oct. 2021.

“Enable TMP 2.0 on your PC.” Microsoft, Support, Aug. 2021. Web.

“End User Computing Trends to Look Out for in 2021.” Stratodesk, 30 Oct. 2020. Accessed September 2021.

“Global State of Customer Service: The Transformation of Customer Service from 2015 to Present Day.” Microsoft, 2019. Web.

Goodman, Elizabeth et al. “Observing the User Experience” A Practitioner's Guide to User Research, 2nd edition. Elsevier, 2012. Accessed Sept. 2021.

Govindarajulu, Chittibabu. “An Instrument to Classify End-Users Based On the User Cube” Informing Science, June 2002. Accessed September 2021.

Griffith, Eric. “Remote Employees to Bosses: Our PCs Suck!” PCMag, 11 Oct. 2021. Web.

Hutchings, Jeffrey D., and Craig A. de Ridder. “Impact of Remote Working on End User Computing Solutions and Services.” Pillsbury, 2021. Accessed Sept. 2021

“ITIL4 Create, Deliver, and Support.” Axelos, 2020. Accessed Sept. 2021.

“ITIL4 Drive Stakeholder Value” Axelos, 2020. Accessed Sept. 2021.

Mcbride, Neil, and Trevor Wood-Harper. “Towards User-Oriented Control of End-User Computing in Large Organizations” Journal of Organizational and End User Computing, vol. 14, no. 1, pp. 33-41, 2002. Accessed September 2021.

““Microsoft Endpoint Configuration Manager Documentation.” Microsoft Docs, Microsoft, 2021. Accessed Sept. 2021.

“Microsoft Intune documentation.” Microsoft Docs, Microsoft. Accessed Sept. 2021.

“Mobile Cellular Subscriptions (per 100 People).” The World Bank, International Telecommunication Union (ITU) World Telecommunication/ICT Indicators Database, 2020. Web.

Morgan, Jacob. “The Employee Experience Advantage: How to Win the War for Talent by Giving Employees the Workspaces they Want, the Tools they Need, and a Culture They Can Celebrate.” Wiley, 2017. Accessed Sept. 2021.

Murphy, Anna. “How the pandemic has changed customer support forever.” Intercom, 2021. Accessed Sept. 2021.

“Operating System Market Share Worldwide, Jan 2021-Jan 2022.” StatCounter GlobalStats, 2022. Web.

“Operating System Market Share Worldwide, Jan-Dec 2011.” StatCounter GlobalStats, 2012. Web.

Pereira, Karla Susiane, et al. “A Taxonomy to Classify Risk End-User Profile in Interaction with the Computing Environment.” In: Tryfonas T. (eds.) Human Aspects of Information Security, Privacy, and Trust. HAS 2016. Lecture Notes in Computer Science, vol. 9750. Accessed Sept. 2021.

Perrin, Andrew. “Mobile Technology and Home Broadband 2020.” Pew Research Center, 3 June 2021. Web.

Quan-Haase, Anabel. “Technology and Society: Social Networks, Power, and Inequality” Oxford University Press, 2012. Accessed Aug. 2021.

Reed, Karin, and Joseph Allen. “Suddenly Virtual: Making Remote Meetings Work.” Wiley, 2021. Accessed Aug. 2021.

Rockart, John F., and Lauren S. Flannery. “The management of end user computing.” Communications of the ACM, vol. 26, no. 10, Oct. 1983. Accessed September 2021.

Turek, Melanie. “Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research.” Samsung Insights, 3 Aug. 2016. Web.

Vladimirskiy, Vadim. “Windows 365 vs. Azure Virtual Desktop (AVD) – Comparing Two DaaS Products.” Nerdio, 2021. Accessed Aug. 2021.

“VMware 2021 Annual Report.” VMware, Financial Document Library, 2021. Web.

VMworld 2021, Oct. 2021.

Vogels, Emily A. “Digital divide persists even as americans with lower incomes make gains in tech adoption.” Pew Research Center, 22 June 2021. Web.

“What is End-User computing?” VMware, 2021. Accessed Aug. 2021.

“Windows 10 Home and Pro.” Microsoft, Docs, 2021. Web.

Zibreg, Christian. “Microsoft 365 Now Boasts Over 50 Million Subscribers.” MUD, 29 April 2021. Web.

Achieve IT Spend & Staffing Transparency

Lay a foundation for meaningful conversations with the business.

Analyst Perspective

Take the first step in your IT spend journey.

Talking about money is hard. Talking to the CEO, CFO, and other business leaders about money is even harder, especially if IT is seen as just a cost center, is not understood by stakeholders, or is simply taken for granted. In times of economic hardship, already lean IT operations are tasked with becoming even leaner.

When there's little fat to trim, making IT spend decisions without understanding the spend's origin, location, extent, and purpose can lead to mistakes that weaken, not strengthen, the organization.

The first step in optimizing IT spend decisions is setting a baseline. This means having a comprehensive and transparent view of all technology spend, organization-wide. This baseline is the only way to have meaningful, data-driven conversations with stakeholders and approvers around what IT delivers to the business and the implications of making changes to IT funding.

Before stepping forward in your IT financial management journey, know exactly where you're standing today.

Jennifer Perrier
Principal Research Director, ITFM Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Create transparency in your IT financial data to power both collaborative and informed technology spend decisions.

IT spend has grown alongside IT complexity

Growth creates change ... and challenges

IT has become more integral to business operations and achievement of strategic goals, driving complexity in how IT funds are allocated and managed.

ITFM capabilities haven't grown with IT spend

IT still needs to prove itself.

Increased integration with the core business has made it a priority for the head of IT to be well-versed in business language and practice, specifically in the areas of measurement and financial management.

However, IT staff across all industries aren't very confident in how well IT is doing in managing its finances via three core processes:

• Accounting of costs and budgets.
• Optimizing costs to gain the best return on investment.
• Demonstrating IT's value to the business.

Recent data from 4,137 respondents to Info-Tech's IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing them.

IT leadership's capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and showing how IT contributes to business value.

Source: IT Management & Governance Diagnostic, Info-Tech Research Group, 2022.

Take the perspective of key IT stakeholders as a first step in ITFM capability improvement

Other business unit leaders need to deliver on their own specific and unique accountabilities. Create true IT spend transparency by accounting for these multiple perspectives.

Exactly how is IT spending all that money we give them?
Many IT costs, like back-end infrastructure and apps maintenance, can be invisible to the business.

Why doesn't my department get more support from IT?
Some business needs won't align with spend priorities, while others seem to take more than their fair share.

Does the amount we spend on each IT service make sense?
IT will get little done or fall short of meeting service level requirements without appropriate funding.

I know what IT costs us, but what is it really worth?
Questions about value arise as IT investment and spend increase. How to answer these questions is critical.

At the end of the day, telling IT's spend story to the business is a significant challenge if you don't understand your audience, have a shared vocabulary, or use a repeatable framework.

Mapping your IT spend against a reusable framework helps generate transparency

A framework makes transparency possible by simplifying methods, creating common language, and reducing noise.

However, the best methodological framework won't work if the materials and information plugged into it are weak. With IT spend, the materials and information are your staff and your vendor financial data. To achieve true transparency, inputs must have the following three characteristics:

A framework is an organizing principle. When it comes to better understanding your IT spend, the things being organized by a framework are your method and your data.

If your IT spend information is transparent, you have an excellent foundation for having the right conversations with the right people in order to make strategically impactful decisions.

Info-Tech's approach enables meaningful dialogue with stakeholders about IT spend

Investing time in preparing and mapping your IT spend data enables better IT governance

While other IT spend transparency methods exist, Info-Tech's is designed to be straightforward and tactical.

Put your data to work instead of being put to work by your data.

Introducing Info-Tech's methodology for creating transparency on technology spend

Insight Summary

Overarching insight
Take the perspective of key stakeholders and lay out your organization's complete IT spend footprint in terms they understand to enable meaningful conversations and start evolving your IT financial management capability.

Phase 1 insight
Your IT spend transparency efforts are only useful if you actually do something with the outcomes of those efforts. Be clear about where you want your IT transparency journey to take you.

Phase 2 insight
Your IT spend transparency efforts are only as good as the quality of your inputs. Take the time to properly source, clean, and organize your data.

Phase 3 insight
Map your IT staff spend data first. It involves work but is relatively straightforward. Practice your mapping approach here and carry forward your lessons learned.

Phase 4 insight
The importance of good, usable data will become apparent when mapping your IT vendor spend. Apply consistent and meaningful vendor labels to enable true aggregation and insight.

Phase 5 insight
Communicating your final IT spend transparency mapping with executive stakeholders is your opportunity to debut IT financial management as not just an IT issue but an organization-wide concern.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

Use this tool in Phases 1-4

IT Spend & Staffing Transparency Workbook

Input your IT staff and vendor spend data to generate visual outputs for analysis and presentation in your communications.

Key deliverable:

IT Spend & Staffing Transparency Executive Presentation

Create a showcase for your newly-transparent IT staff and vendor spend data and present it to key business stakeholders.

Use this tool in Phase 5

IT and business blueprint benefits

Measure the value of this blueprint

You will know that your IT spend and staffing transparency effort is succeeding when:

• Your understanding of where technology funds are really being allocated is comprehensive.
• You're having active and meaningful dialogue with key stakeholders about IT spend issues.
• IT spend transparency is a permanent part of your IT financial management toolkit.

In phase 1 of this blueprint, we will help you identify initiatives where you can leverage the outcomes of your IT spend and staffing transparency effort.

In phases 2, 3, and 4, we will guide you through the process of mapping your IT staff and vendor spend data so you can generate your own IT spend metrics based on reliable sources and verifiable facts.

Win #1: Knowing how to reliably source the financial data you need to make decisions.

Win #2: Getting your IT spend data in an organized format that you can actually analyze.

Win #3: Having a framework that puts IT spend in a language stakeholders understand.

Win #4: Gaining a practical starting point to mature ITFM practices like cost optimization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

Info-Tech recommends the following calls in your Guided Implementation.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between four to six calls over the course of two to three months.

Want even more help with your IT spend transparency effort?

Let us fast-track your IT spend journey.

The path to IT financial management maturity starts with knowing exactly where your money is going. To streamline this effort, Info-Tech offers an IT Spend & Staffing Benchmarking service that provides full transparency into where your money is going without any heavy lifting on your part.

This unique service features:

• A client-proven approach to meet your IT spend transparency goals.
• Vendor and staff spend mapping that reveals business consumption of IT.
• Industry benchmarking to compare your spending and staffing to that of your peers.
• Results in a fraction of the time with much less effort than going it alone.
• Expert review of results and ongoing discussions with Info-Tech analysts.

If you'd like Info-Tech to pave the way to IT spend transparency, contact your account manager for more information - we're happy to talk anytime.

Phase 1

Know Your Objectives

This phase will walk you through the following activities:

• Establish IT spend and staffing transparency uses and objectives
• Assess your readiness to tackle IT spend and staffing transparency

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 1: Know your objectives

Envision what transparency can do.

You're at the very beginning of your IT spend transparency journey. In this phase you will:

• Set your objectives for making your IT spend and staffing transparent.
• Assess your readiness to tackle the exercise and gauge how much work you'll need to do in order to do it well.

"I've heard this a lot lately from clients: 'I've got my hands on this data, but it's not structured in a way that will allow me to make any decisions about it. I have these journal entries and they have some accounting codes, GL descriptors, cost objects, and some vendors, but it's not enough detail to make any decisions about my services, my applications, my asset spend.'"
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group

Transparency positively enables both business outcomes and the practice of business ethics

However, transparency's real superpower is in how it provides fact-based context.

• More accurate and relevant data for decision-making.
• Better managed and more impactful financial outcomes.
• Increased inclusion of people in the decisions that affect them.
• Clearer accountabilities for organizational efficiency and effectiveness goals.
• Concrete proof that business priorities and decisions are being acted on and implemented.
• Greater trust and respect between IT and the business.
• Demonstration of integrity in how funds are being used.

IT spend transparency efforts are only useful if you actually do something with the outputs

Identify in advance how you plan to leverage IT spend transparency outcomes.

CFO expense view

• Demonstrate actual IT costs at the right level of granularity.
• Update/change the categories finance uses to track IT spend.
• Adjust the expected CapEx/OpEx ratio.

CXO business view

• Calculate consumption of IT resources by department.
• Implement a showback/chargeback mechanism.
• Change the funding conversation about proposed IT projects.

CIO service view

• Calculate the total cost to deliver a specific IT service.
• Adjust the IT service spend-to-value ratio as per business priorities.
• Rightsize IT service levels to reflect true value to the business.

CEO innovation view

• Formalize the organization's position on use of cloud/outsourcing.
• Reduce the portion of spend dedicated to "keeping the lights on."
• Develop a plan for boosting commitment to innovation investment.

When determining your end objectives, think about the real questions IT is being asked by the business and how IT spend transparency will help you answer them.

CFO: Financial accounting perspective

IT spend used to be looked at from a strictly financial accounting perspective - this is the view of the CFO and the finance department. Their question, "exactly how is IT spending all that money we give them," is really about how money is distributed across different asset classes. This question breaks down into other questions that IT leaders needs to ask themselves in order to provide answers:

• How should I classify my IT costs? What are the standard categories you need to have that are meaningful to folks crunching the corporate numbers? If you're too detailed, it won't make sense to them. If you pick outmoded categories, you'll have to adjust in the future as IT evolves, which makes tracking year-over-year spend patterns harder.
• What information should I include in my plans and reports? This is about two things. One is about communicating with the finance department in language that reduces back-and-forth and eliminates misinterpretation. The other is about aligning with the categories the finance department uses to track financial data in the general ledger.
• How do I justify current spend? This is about clarity and transparency. Specifically itemizing spend into categories that are meaningful for your audience does a lot of justification work for you since you don't have to re-explain what everything means.
• How do I justify a budget increase? In a declining economy, this question may not be appropriate. However, establishing a baseline puts you in a better position to discuss spend requirements based on past performance and to focus the conversation.

Exactly how is IT spending all that money we give them?

CIO: IT operations management perspective

As the CIO role was adopted, IT spend was viewed from the IT operations management perspective. Optimizing the IT delivery model is a critical step to reducing time to provision services. For the IT leader, the questions they need to ask themselves are:

• What's the impact of cloud adoption on speed of delivery? Leveraging a SaaS solution can reduce time to deployment as well as increase your ability to scale; however, integration with other functionality will still be a challenge that will incur costs.
• Where can I improve spend efficiency? This is about optimizing spend in your IT delivery model. What service levels does the business require and what's the most cost-effective way to meet those levels without incurring significant technical debt?
• Is my support model optimized? By reviewing where support staff are focused and which services are using most of your resources, you can investigate underlying drivers of your staffing requirements. If staff costs in support of a business function are high, perhaps the portfolio of applications needs to be reviewed.
• How does our spend compare to others? Benchmarking against peers is a useful input, but reflects common practice, not best practice. For example, if you need to invest in IT security, your entire industry is lagging on this front, and you happen to be doing slightly better than most, then bringing forth this benchmark won't help you make the case. Starting with year-over-year internal benchmarking is essential - establish your categories, establish your baseline, and track it consistently.

Does the amount we spend on each IT service make sense?

CXO: Business unit perspective

As business requests have increased, so too has the importance of the business unit perspective. Each business function has a unique mandate to fulfill in the organization and also competes with other business functions for IT resources. By understanding business consumption of IT, organizations can bring transparency and drive a different dialog with their business partners. Every IT leader should find out the answers to these questions:

• Which business units consume the most IT resources? By understanding consumption of IT by business function, IT organizations can clearly articulate which business units are getting the highest share of IT resources. This will bring much needed clarity when it comes to IT spend prioritization and investment.
• Which business units are underserved by IT? By providing full transparency into where all IT spend is consumed, organizations can determine if certain business functions may need increased attention in an upcoming budget cycle. Knowing which levers to pull is critical in aligning IT activities with delivering business value.
• How do I best communicate spend data internally? Different audiences need information presented to them differently. This is not just about the language - it's also about the frequency, format, and channel you use. Ask your audiences directly what methods of communication stand the best chance of you being seen and heard.
• Where do I need better business sponsorship for IT projects? If a lot of IT spend is going toward one or two business units, the leaders of those units need to be active sponsors of IT projects and associated spend that will benefit all users.

Why doesn't my business unit get more support from IT?

CEO: Strategic vs. operations perspective

With a business view now available, evaluating IT spend from a strategic standpoint is critical. Simply put, how much is being spent keeping the lights on (KTLO) in the organization versus supporting business or organizational growth versus net-new business innovations? This view is not about what IT costs but rather how it is being prioritized to drive revenue, operating margin, or market share. Here are the questions IT leaders should be asking themselves along with the organization's executive leadership and the CEO:

• Why is KTLO spend so high? This question is a good gauge of where the line is drawn between operations and strategy. Many IT departments want to reduce time spent on maintenance and redeploy resource investment toward strategic projects. This reallocation must include retiring or eliminating technologies to free up funds.
• What should our operational spend priorities be? Maintenance and basic operations aren't going anywhere. The issue is what is necessary and what could be done more wisely. Are you throwing good money after bad on a high-maintenance legacy system?
• Which projects and investments should we prioritize? The answer to this question should tightly align with business strategic goals and account for the lion's share of growth and innovation spend.
• Are we spending enough on innovative initiatives? This is the ultimate dialogue between business partners, the CEO, and IT that needs to take place, yet often doesn't.

I know what IT costs us, but what is it really worth?

Be clear about where you want your IT spend transparency journey to take you in real life

Transparent IT spend data will allow you to have conversations you couldn't have before. Consider this example of how telling an IT spend story could evolve.

I want to ...
Analyze the impact of the cloud on IT operating expenditure to update finance's expectations of a realistic IT CapEx/OpEx ratio now and into the future.

To address the problem of ...

• Many of our key software vendors have eliminated on-premises products and only offer software as an OpEx service.
• Assumptions that modern IT solutions are largely on-premises and can be treated as capitalizable assets are out-of-date and don't reflect IT financial realities.

And will use transparency to ...

• Provide the CFO with specific, accurate, and annotated OpEx by product/service and vendor for all cloud-based and on-premises solutions.
• Facilitate a realistic calculation of CapEx/OpEx distribution based on actuals, as well as let us develop defendable projections of OpEx into the future based on typical annual service fee increases and anticipated growth in the number of users/licenses.

1.1 Establish ITFM objectives that leverage IT spend transparency

Duration: One hour

1. Consider the problems or issues commonly voiced by the business about IT, as well as your own ongoing challenges in communicating with stakeholders. Document these problems/issues as questions or statements as spoken by a person. To help structure your brainstorming, consider these general process domains and examples:
   1. Spend tracking and reporting. E.g. Why is IT's OpEx so high? We need you to increase IT's percentage of CapEx.
   2. Service levels and business continuity. E.g. Why do we need to hire more service desk staff? There are more of them in IT than any other role.
   3. Project and operations resourcing. E.g. Why can't IT just buy this new app we want? It's not very expensive.
   4. Strategy and innovation. E.g. Did output increase or decrease last quarter per input unit? IT should be able to run those reports for us.
2. For each problem/issue noted, identify:
   1. The source(s) of the question/concern (e.g. CEO, CFO, CXO, CIO).
   2. The financial process involved (e.g. accurate costing, verification of costs, building a business case to invest).
3. For each problem/issue, identify a broader project-style initiative where having transparent IT spend data is a valuable input. One initiative may apply to multiple problems/issues. For each initiative:
   1. Give it a working title.
   2. State the goal for the initiative with reference to ITFM aspirations.
   3. Identify key stakeholders (these will likely overlap with the problem/issue source).
   4. Set general time frames for resolution.

Document your outputs on the slide immediately following the instruction slides for this exercise. Examples are included.

1.1 Establish ITFM objectives that leverage IT spend transparency

ITFM initiatives that leverage transparency

Your organization's governance culture will affect how you approach transparency

IT's current maturity around ITFM practice will also affect your approach to transparency

1.2 Assess your readiness to tackle IT spend transparency

Duration: One hour

Note: This assessment is general in nature. It's intended to help you identify and prepare for potential challenges in your IT spend and staffing transparency effort.

1. Rate your agreement with the "Data & Information" and "Experience, Expertise, & Support" statements listed on the slide immediately following the two instruction slides for this exercise. For each statement, indicate the extent to which you agree or disagree, where:
   1. 1 = Strongly disagree
   2. 2 = Disagree
   3. 3 = Neither agree nor disagree
   4. 4 = Agree
   5. 5 = Strongly agree
2. Add up your numerical scores for all statements, where the highest possible score is 65.
3. Assess your general readiness against the following guidelines:
   1. 50-65: Ready. The transparency exercise will involve work, but should be straightforward since you have the data, skills, tools, processes, and support to do it.
   2. 40-49: Ready, with caveats. The transparency exercise is doable but will require some preparatory legwork and investigation on your part around data sourcing, organization, and interpretation.
   3. 30-39: Challenged. The transparency exercise will present some obstacles. Expect to encounter data gaps, inconsistencies, errors, roadblocks, and frustrations that will need to be resolved.
   4. Less than 30: Not ready. You don't have the data, skills, tools, processes, and/or support to do the data transparency exercise. Take time to develop a stronger foundation of financial literacy and governance before tackling it.

Document your outputs on the slide immediately following the two instruction slides for this exercise.

1.2 Assess your readiness to tackle IT spend transparency

IT spend transparency readiness assessment

Rating scale:
1 = Strongly Disagree; 2 = Disagree; 3 = Neither agree nor disagree; 4 = Agree; 5 = Strongly agree
Assessment scale:
Less than 30 = Not ready; 30-39 = Challenged; 40-49 = Ready with caveats; 50-65 = Ready

Take a closer look at the statements you rated 1, 2, or 3. These will be areas of challenge no matter what your total score on the assessment scale.

Phase 1: Know your objectives

Achievement summary

You've now completed the first two steps on your IT spend transparency journey. You have:

• Set your objectives for making your IT spend and staffing transparent.
• Assessed your readiness to tackle the exercise and know how much work you'll need to do in order to do it well.

"Mapping to a transparency model is labor intensive. You can do it once and never revisit it again, but we would never advise that. What it does is play well into an IT financial management maturity roadmap."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group

Phase 2

Gather Required Data

This phase will walk you through the following activities:

• Gather, clean, and organize your data
• Build your industry-specific business views

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 2: Gather required data

Finish your preparation.

You're now ready to do the final preparation for your IT spend and staffing transparency journey. In this phase you will:

• Gather your IT spend and staffing data and information.
• Clean and organize your data to streamline mapping.
• Identify your baseline data points.

"Some feel like they don't have all the data, so they give up. Don't. Every data point counts."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Your IT spend transparency efforts are only as good as the quality of your inputs

Aim for a comprehensive, complete, and accurate set of data and information.

Start by understanding what's included in technology spend

In scope:

• All network, telecom, and data center equipment.
• All end-user productivity software and devices (e.g. laptops, peripheral devices, cell phones).
• Information security.
• All acquisition, development, maintenance, and management of business and operations software.
• All systems used for the storage and management of business assets, data, records, and information.
• All managed IT services.
• Third-party consulting services.
• All identifiable spend from the business for the above.

Expand your thinking: Total tech spend goes beyond what's under IT's operational umbrella

"Technology" means all technology in the organization regardless of where it lives, who bought it, who owns it, who runs it, or who uses it.

IT may have low or no visibility into technologies that exist in the broader business environment beyond IT. Accept that you won't gain 100% visibility right now. However, do get started and be persistent.

Where to look for non-IT technology ...

• Highly specialized business functions - niche tools that are probably used by only a few people.
• Power users and the "underserved" - cloud-based workflow, communication, and productivity tools they got on their own.
• Operational technology - network-connected industrial, building, or physical security sensors and control systems.
• Recently acquired/merged entities - inherited software.

Who might get you what you need ...

• Business unit and team leaders - identification of what they use and copies of their spend records and/or contracts.
• Finance - a report of the "software" expenditure category to spot unrecognized technologies and their owners.
• Vendors - copies of contracts if not forthcoming internally.
• Your service desk - informal knowledge gained about unknown technologies at play in the course of doing their job.

The IT spend and staffing transparency exercise is an opportunity to kick-start a technology discovery process that will give you and the business a true picture of your technology profile, use, and spend.

Seek out data at the right level of granularity with the right supporting information

Key data and information to seek out:

• Credits applied to appropriate debits that show net expense, or detailed descriptions of credits with no matching debit.
• Cash-based accounting (not accrual accounting). If accrual, will need to determine how to simplify the data for your uses.
• Vendor names, asset classes, descriptors, and departments.
• A total spend amount (CapEx + OpEx) that:
  • Aligns with the spend period.
  • Passes your gut check for total IT spend.
  • Includes annual amounts for multi-year contracts (e.g. one year of a three-year Microsoft enterprise agreement).
  • Includes technology spend from the business (e.g. OT that IT supports).
• Insights on large projects.
• Consolidated recurring payments, salaries and benefits, and other small expenses.

Look for these data descriptors in your files:

• Cost center/accounting unit
• Cost center/department description
• GL ACCT
• CL account description
• Activity description
• Status
• Program/business function/project description
• Accounting period
• Transaction amount
• Vendor/vendor name
• Product/product name

Avoid data that's hard to use or problematic as it will slow you down and bring limited benefits

Spend data that's out of scope:

• Depreciation/amortization.
• Gain or loss of asset write-off.
• Physical security (e.g. key cards, cameras, motion sensors, floodlights).
• Printer consumables costs.
• Heating and cooling costs (for data centers).

Challenging data formats:

• Large raw data files with limited or no descriptors.
• Major accounts (hardware and software) combined in the same line item.
• Line items (especially software) with no vendor reference information.
• PDF files or screenshots that you can't extract data from readily. Use Excel or CSV files whenever possible.

Getting at the data you need can be easy or hard – it all depends

This is where your governance culture and ITFM maturity start to come into play.

There may be some data or information you can't get without a Herculean effort. Don't worry about it too much - these items are usually relatively minor and won't significantly affect the overall picture.

Commit to finding out what you don't know

Many IT leaders don't have visibility into other departments' technology spend. In some cases, the fact that spend is even happening may be a complete surprise.

Near-term visibility fix ...

• Ask your finance department for a report on all technology-related spend categories. "Software" is a broad category that finance departments tend to track. Scan the report for items that don't look familiar and confirm the originating department or approver.
• Check in with the procurement office. See what technology-related contracts they have on record and which departments "own" them. Get copies of those contracts if possible.
• Contact individual department heads or technology spend approvers. Devise your contact shortlist based on what you already know or learned from finance and procurement. Position your outreach as a discovery process that supports your transparency effort. Avoid coming across as though you're judging their spend or planning to take over their technologies.

Long-term visibility fix ...

• Develop your relationships with other business unit leaders. This will help open the lines of communication permanently.
• Establish a cross-functional central technology office or group. The main task of this unit is to set and manage technology standards organization-wide, including standards for tracking and documenting technology costs and asset lifecycle factors.
• Ensure IT is formally involved in all technology spend proposals and plans. This gives IT the opportunity to assess them for security compliance, IT network/system interoperability, manageability, and IT support requirements prior to purchase.
• Ensure IT is notified of all technology financial transactions. This includes contracts, invoices, and payments for all one-time purchases, subscription fees, and maintenance costs.

Finally, note any potential anomalies in the IT spend period you're looking at

No two years have the exact same spend patterns. One-time spend for a big capital project, for example, can dramatically alter your overall spend landscape.

Look for the following anomalies:

• New or ongoing capital implementations or projects that span more than one fiscal year.
• Completed projects that have recently transitioned, or are transitioning, from CapEx (decreasing) to OpEx (increasing).
• A major internal reorganization or merger, acquisition, or divestiture event.
• Crises, disasters, or other rare emergencies.
• Changes in IT funding sources (e.g. new or expiring grants).

These anomalies often explain why IT spend is unusually high in certain areas. There's often a good business reason.

In many cases, doing a separate spend transparency exercise for these anomalous projects or events can isolate their costs from other spend so their true nature and impact can be better understood.

2.1 Gather your input data and information

Duration: Variable

1. Develop a complete list of the spending and staffing data and information you need to complete the transparency mapping exercise. For each required item, note the following:
   1. Description of data needed (i.e. type, timeframe, and format).
   2. Ideal timeframe or deadline for receipt.
   3. Probable source(s) and contact(s).
   4. Additional facilitation/support required.
   5. Person on your transparency team responsible for obtaining it.
2. Set up a data and information repository to store all files as soon as they're received. Ideally, you'll want all data/information files to be in an electronic format so that everything can be stored in one place. Avoid paper documents if possible.
3. Conduct your outreach to obtain the input data and information on your list. This could include delegating it to a subordinate, sending emails, making phone calls, booking meetings, and so on.
4. Review the data and information received to confirm that it's the right type of data, at the correct level of granularity, for the right timeframe, in a usable format, and is generally accurate.
5. Enter documentation about your data and information sources in tab "1. Data & Information Sources" in the IT Spend & Staffing Transparency Workbook to reflect what you needed and where you got it in order to make the discovery process easier in the future.
6. In the same tab in the IT Spend & Staffing Transparency Workbook, document any significant events that occurred that directly or indirectly impacted the selected year's spend values. These could include mergers/acquisitions/divestitures, major reorganizations or changes in leadership, significant shifts in product offerings or strategic direction, large capital projects, legal/regulatory changes, natural disasters, or changes in the economy.

Download the IT Spend & Staffing Transparency Workbook

2.1 Gather your input data and information

Tidy up your data before beginning any spend mapping

Most organizations aren't immaculate in their tech spend documentation and tracking practices. This creates data rife with gaps that lives in hard-to-use formats.

The more preparation you do to approach the "good data" intersection point in the diagram below, the easier your mapping effort will be and the more useful and insightful your final findings.

Make your data "un-unique" to reduce the number of line items and make it manageable

There's a good chance that the IT spend data you've received is in the form of tens of thousands of unique line items. Use the checklist below to help you roll it up.

Warning: Never overwrite your original data. Insert new columns/rows and put your alternate information in these instead.

Step 1: Standardize vendor names

• Start with known large vendors.
• Select a standard name for the vendor.
• Brainstorm possible variations on the vendor name, including abbreviations and shortforms.
• Search for the vendor in your data and document the new standardized vendor name in the appropriate row.
• Repeat the above for all vendors.
• Sort the new vendor name column from A-Z. Look for instances where names remain unique or are missing entirely. Reconcile if needed and fill in missing data.

Step 2: Consolidate vendor spend

• Sort the new vendor name column from A-Z. Start with vendors that have the most line items.
• Add together related spend items from a given vendor. Create a new row for the consolidated spend item and flag it as consolidated. Keep the following item types in separate rows:
  • Hardware vs. software spend for the same vendor.
  • Cloud vs. on-premises spend for the same vendor.
• Repeat the above for all vendors.
• Consider breaking out separate rows for overly consolidated line items that contain too many different types of IT spend.

2.2 Clean and organize your data

Duration: Variable

1. Check to ensure that you have all data and information required to conduct the IT spend transparency exercise.
2. Conduct an initial scan to assess the data's current state of hygiene and overall usability. Flag anything of concern and follow up with the data/information provider to fix or reconcile any issues.
3. Normalize your data to make it easier to work with. This includes selecting data format standards and changing anything that doesn't conform to those standards. This includes items such as date conventions, currencies, and so on.
4. Standardize product and vendor naming/references throughout to enable searching, sorting, and grouping. For example, Microsoft Office may be variably referred to as "Microsoft", "Office", "Office 365", and "Office365" throughout your data. Pick one descriptor for the product/vendor and replace all related references with that descriptor.
5. Consolidate and aggregate your data. Ideally, the data you received from your sources has already been simplified; however, you may need to further organize it to reduce the number of individual line items to a more manageable number. The transparency exercise uses relatively high-level categories, so combine data sets and aggregate where feasible without losing appropriate granularity.
6. Archive any original copies of files that have been modified or replaced with consolidated/aggregated versions for future reference if needed.

2.2 Clean and organize your data

Select IT spend "buckets" for the CXO Business View as your final preparatory step

Every organization has both industry-agnostic and industry-specific lines of business that are the direct beneficiaries of IT spend.

Common shared business functions:

• Human resources.
• Finance and accounting.
• Sales/customer service.
• Marketing and advertising.
• Legal services and regulatory compliance.
• Information technology.

It may seem odd to see IT on the business functions list since the purpose of this exercise is to map IT spend. For business view purposes, IT spend refers to what IT spends on itself to support its own internal operations.

Examples of industry-specific functions:

• Manufacturing: Product research and development; production operations; supply chain management.
• Retail banking: Core banking services; loan, mortgage and credit services; investment and wealth management services.
• Hospitals: Patient intake and admissions; patient diagnosis; patient treatment; patient recovery and ongoing care.
• Insurance: Actuarial analysis; policy creation; underwriting; claims processing.

See the Appendix of this blueprint for definitions of shared business functions plus sample industry-specific business view categories.

Define your CXO Business View categories to set yourself up well for future ITFM analyses

The CXO Business View buckets you set up today are tools you can and should reuse in your overall approach to ITFM governance. Spend some time to get them right.

Stay high-level

Getting too granular invites administrative headaches and overhead. Keep things high-level and general:

• Limit the number of direct stakeholders represented: This will reduce communication overhead and ensure you're dealing only with people who have real decision-making authority.
• Look to your org. chart: Note the departments or business units listed across the top of the chart that have one executive or top-ranking senior manager accountable for them. These business units often translate as-is into a tidy CXO Business View category.

Limit your number of buckets

Tracking IT spend across more than 8-10 shared and industry-specific business categories is impractical.

• Simplify your options: Too many buckets gets confusing and invites time-wasting doubt.
• Reduce future rework: Business structures will change, which means recategorizing spend data. Using a forklift is a lot easier than using tweezers.
• Stick to major business units: Create separate "Business Other" and "Industry Other" catch-all categories to track IT spend for smaller functions that fall outside of major business unit structures.

Be clear on what's in and what's out of your categories to keep everyone on the same page

Clear lines of demarcation between CXO Business View categories reduce confusion, doubt, and wheel-reinvention when deciding where to allocate IT spend.

Ensure clear boundaries

Mutual exclusivity is key when defining categories in any taxonomical structure.

• Avoid overlaps: Each high-level business function category should have few or no core function or process overlaps with another business function category. Aim for clear vertical separation.
• Be encompassing: When defining a category, list all the business capabilities and sub-functions included in that category. For example, if defining the finance and accounting function, remember to specify its less obvious accountabilities, like enterprise asset management if appropriate.

Identify exclusions

Listing what's out can be just as informative and clarifying as listing what's in.

• Beware odd bedfellows: Minor business groups are often tucked under a bigger organizational entity even though the two use different processes and technologies. Separate them if appropriate and state this exclusion in the bigger entity's definition.
• Draw a line: If a process crosses business function categories, state which sub-steps are out of scope.
• Document your decisions: This helps ensure you allocate IT spend the same way every time.

2.3 Build your industry-specific business views

Duration: Two hours

1. Confirm your list of high-level shared business services (human resources, finance and accounting, etc.) as provided in Info-Tech's IT Spend & Staffing Transparency Workbook. Rename them if needed to match the nomenclature used in your organization.
2. Set and define your additional list of high-level, industry-specific business categories that are unique to or define your industry. See the slides immediately following this exercise for tips on developing these categories, as well as the appendix of this blueprint for some examples of industry-specific categories and definitions.
3. Create "Business Other" and "Industry Other" categories to capture minor groups and activities supported by IT that fall beyond the major shared and industry-specific business functions you've shortlisted. Briefly note the business groups/activities that fall under these categories.
4. Edit/enter your shared and industry-specific business function categories and their definitions on tab "2. Business View Definitions" in the IT Spend & Staffing Transparency Workbook.

Download the IT Spend & Staffing Transparency Workbook

2.3 Build your industry-specific business views

Lock in key pieces of baseline data

Calculating core IT spend metrics relies on a few key numbers. Settle these first based on known data before diving into detailed mapping.

These baseline data will allow you to calculate high-level metrics like IT spend as a percent of revenue and year-over-year percent change in IT spend, as well as more granular metrics like IT staff spend per employee for a specific IT service.

Baseline data checklist

• IT spend analysis period (date range).
• Currency used.
• Organizational revenue.
• Organizational OpEx.
• Total current year IT spend.
• Total current year IT CapEx and IT OpEx.
• Total previous-year IT spend.
• Total projected next-year IT spend.
• Number of organizational employees.
• Number of IT employees.

You may have discovered some things you didn't know about during the mapping process. Revisit your baseline data when your mapping is complete and make adjustments where needed.

2.4 Enter your baseline data

Duration: One hour

1. Navigate to tab "3. Baseline Data" in the IT Spend & Staffing Transparency Workbook. Using the data you've gathered, enter the following information to set your baseline data for future calculations:
   1. Your IT spend analysis date range. This can be concrete dates, a fiscal year abbreviation, etc.
   2. The currency you will be using throughout the workbook. It's important that all monetary values entered are in the same currency.
   3. Your organization's total revenue and total operating expenditure (OpEx) for the spend analysis data range you've specified. Revenue includes all sources of funding/income.
   4. Your total IT OpEx and total IT capital expenditure (CapEx). The workbook will add your OpEx and CapEx values for you to arrive at a total IT spend value.
   5. Total IT spend for the year prior to the current IT spend analysis date range, as well as anticipated total IT spend for the year following.
   6. Total IT staff spend (salaries, benefits, training, travel, and fees for employees and contractors in a staff augmentation role) for the spend analysis date range.
   7. The total number of organizational employees and total number of IT employees. These are typically full-time equivalent (FTE) values and include contractors in a staff augmentation role.
2. Make note of any issues that have influenced the values you entered.

Download the IT Spend & Staffing Transparency Workbook

2.4 Enter your baseline data

Phase 2: Gather required data

Achievement summary

You've now completed all preparation steps for your IT spend transparency journey. You have:

• Gathered your IT spend and staffing data and information.
• Cleaned and organized your data to streamline mapping.
• Identified your baseline data points.

"As an IT person, you're not speaking the same language at all as the accounting department. There's almost always a session of education that's required first."
- Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group

Phase 3

Map Your IT Staff Spend

This phase will walk you through the following activities:

• Mapping your IT staff spend across the four views of the ITFM Cost Model
• Validating your mapping

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 3: Map your IT staff spend

Allocate your workforce costs across the four views.

Now it's time to tackle the first part of your hands-on spend mapping effort, namely IT staff spend. In this phase you will:

• Allocate your IT staff spend across the four views of the ITFM Cost Model.
• Validate your mapping to ensure that it's accurate and complete.

"We're working towards the truth. We know the answer, but it's how to get it. Take Data & BI. For some organizations, four FTEs is too many. Are these people really doing Data & BI? Look at the big picture and see if something's missing."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Staffing costs comprise a significant percent of OpEx

Staffing is the first thing that comes to mind when it comes to spend. Intentionally bring it out of the shadows to promote constructive conversations.

• Total staffing costs stand out from other IT spend line items. This is because they're comparatively large, often comprising 30-50% of total IT costs.
• Standing out comes at a price. Staff costs are where business leadership looks first if they want cuts. If IT leadership doesn't bring forward ways to cut staffing costs as part of a broader cost-cutting mandate, it will be seen as ignorant of business priorities at best and outright insubordinate at worst.
• Staffing costs as a percentage of total costs vary between IT functions. On the business side, there's a lack of understanding about what functions IT staff serve and support and the real-world costs of obtaining (and keeping) needed IT skills. For example, IT security staffing costs as a percentage of that service's total OpEx will likely be higher than service desk staff given the scarcity and higher market value of the former. Trimming 20% of IT staffing costs from the IT security function has much different implications than cutting 20% of service desk staffing costs.

Staffing spend transparency can do a lot to change the conversation from one where the business thinks that IT management is just being self-protecting to one where they know that IT management is actually protecting the business.

Demonstrating the legitimate reasons behind IT staff spend is critical in both rationalizing past and current spend decisions as well as informing future decisions.

Info-Tech recommends that you map your IT staffing costs before all other IT costs

Mapping your IT staffing spend first is a good idea because:

• Staffing costs are usually documented more clearly, simply, and accurately than other IT costs.
• Gathering all your IT staffing data is usually a one-stop shop (i.e. the HR department).
• The comparative straightforwardness of mapping staff costs compared to other IT costs gives you the opportunity to:
  • Get familiar with the ITFM Cost Model views and categories.
  • Get the hang of the hands-on mapping process.
  • Determine the kinds of speed bumps and questions you'll encounter down the road when you tackle the more complicated mappings.

"Some companies will say software developer. Others say application development specialist or engineer. What are these things? You have to have conversations ..."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Understand the CFO Expense View: "Workforce" categories defined

For the staffing spend mapping exercise, we're defining the Workforce category here and will offer Vendor category definitions in the vendor spend mapping exercise later.

Workforce: The total costs of employing labor in the IT organization. This includes all salary/wages, benefits, travel/training, dues and memberships, and contractor pay. Managed services expenses associated with an external service provider should be excluded from Workforce and included in Contract Services.

Employee: A person employed by the IT organization on a permanent full-time or part-time basis. Costs include salary, benefits, training, travel and expenses, and professional dues and memberships. These relationships are managed under human resources and the bulk of spend transactions via payroll processes.

Contractor: A person serving in a non-permanent staff augmentation role. These relationships are typically managed under procurement or finance and spend transactions handled via invoicing and accounts payable processes. Labor costs associated with an external service provider are excluded.

Mapping your IT staff across the CFO Expense View is relatively cut-and-dried

The CFO Expense View is the most straightforward in terms of mapping IT staffing costs as it's made up of only two main categories: Workforce and Vendor.

In the CFO Expense View, all IT spend on staffing is allocated to the Workforce bucket under either Employee or Contractor.

What constitutes a Contractor can be confusing given increased use of long-term labor augmentation strategies, so being absolutely clear about this is imperative. For spend mapping purposes:

• Any staff members under independent contract where individuals are paid directly by your organization as opposed to indirectly via a service provider (e.g. staffing firm) are considered Workforce > Contractor.
• Any circumstances where you pay a third-party organization for labor is slotted under Vendor > Contract Services.

Understand the CIO Service View: Categories defined

We've provided definitions for the major categories that require clarification.

Applications Development: Purchase/development, testing, and deployment of application projects. Includes internally developed or packaged solutions.

Applications Maintenance: Software maintenance fees or maintaining current application functionality along with minor enhancements.

Hosting & Networks: Compute, storage, and network functionality for running/hosting applications and providing communications/connectivity for the organization.

End User: Procurement, provision, management, and maintenance (break/fix) of end-user devices (desktop, laptops, tablets, peripherals, and phones) as well as purchase/support and use of productivity software on these devices. The IT service desk is included here as well.

PPM & Projects: People, processes, and technologies dedicated to the management of IT projects and the IT project portfolio as a whole.

Data & BI: Strategy and oversight of the technology used to support data warehousing, business intelligence, and analytics.

IT Management: Senior IT leadership, IT finance, IT strategy and governance, enterprise architecture, process management, vendor management, talent management, and program and portfolio management oversight.

Security: Information security strategy and oversight, practices, procedures, compliance, and risk mitigation to protect and prevent unauthorized access to organizational data and technology assets.

Mapping your IT staff across the CIO Service View is a slightly harder exercise

The complexity of mapping staff across this view depends on how your IT department is organized and the degree of role specialization vs. generalization.

The CIO Service View mirrors how many IT departments are organized into teams or work groups. However, some partial percentage-based allocations are probably required, especially for smaller IT units with more generalized, cross-functional roles. For example:

• A systems administrator's costs may need to be allocated 80% to Hosting & Networks and 20% to Security.
• An app development team lead may spend about 40% of their time doing hands-on Development work and the other 60% on project management (i.e. PPM & Projects).

Info-Tech has found that allocating staffing costs for Data & BI raises the most doubts as it can be very entangled with Applications and other spend. Do the best you can.

Understand the CXO Expense View: Categories defined

Expand shared services and industry function categories as suits your organization.

Industry Functions: As listed and defined by you for your specific industry.

Human Resources: IT staff and specific application functionality in support of organizational human resource management.

Finance & Accounting: IT staff and specific application functionality in support of corporate finance and accounting.

Shared Services Other: IT staff and specific application functionality in support of all other shared enterprise functions.

Information Technology: IT staff and specific application functionality in support of IT performing its own internal IT operations functions.

Industry Other: IT staff and specific application functionality in support of all other industry-specific functions.

Mapping your IT staff across the CXO Business View warrants the most time

This view is probably the most difficult as many IT department roles are set up according to lines of IT service, not lines of business. Prepare to do a little math.

The CXO Expense View also requires percentage-based splitting of role spend, but to a greater extent.

• Start by mapping staff cost allocations for those roles that are at, or close to, 100% dedicated to a specific business function (if any).
• For IT roles that support organization-wide or multi-department functions, knowing the percent of employees that work in each relevant business unit and parceling IT staff spend by those same percentages may be easiest. For example, a general systems administrator's costs could be allocated as 4% to HR, 2% to finance, 25% to sales, 20% to production operations, and so on based on the percentage of employees in each of the supported business units.

Take a minute to figure out how you plan to map IT's indirect CXO Business View costs

Direct IT costs are those that are dedicated to a specific business unit or user group, such a marketing campaign management app, specialized devices used by a specific subset of workers in the field, or a business analyst embedded full-time in a sales organization.

VS

Indirect IT costs are pretty much everything else that's shared broadly across the organization and can't be tied to just one stakeholder or user group, such as network infrastructure, the service desk, and office productivity apps. These costs must be fairly and evenly distributed.

No indirect mapping method is perfect, but here's a suggestion:

• Take the respective headcount of all business functions sharing the IT resource/service in question.
• Calculate each business function's staff as a percentage of all organizational staff.
• Use this same percent of staff to calculate and allocate a business function's indirect staff and indirect vendor costs.

"There is always a conversation about indirect allocations. There's never been an organization I've heard of or worked for which has been able to allocate every technology cost directly to a business consumption or business unit."
Monica Braun, ITFM Research Director, Info-Tech Research Group

Example:

• A company of 560 employees has six HR staff (about 1.1% of total staff).
• Network admin staffing costs $143,000, so $1,573 (1.1%) would be allocated to HR.
• Internet services cost $40,000, so $440 (1.1%) would be allocated to HR.

Some indirect costs are shared by multiple business functions, but not all. In these cases, exclude non-participating business functions from the total number of organizational employees and re-calculate a new percent of staff for each participating business function.

Know where you're most likely to encounter direct vs. indirect IT staffing costs

Info-Tech has found that direct vs. indirect staffing spend is more commonly found in some areas than others. Use this insight to focus your work.

Direct IT staffing spend

Definition: Individuals or teams whose total time is formally dedicated to the support of one business unit/function.

• Data & BI (direct to one non-IT unit)
• IT Management (direct to IT)
  • Service planning & Architecture
  • Strategy & Governance
  • Financial Management
  • People & Resources

Hybrid IT staffing spend

Definition: Teams with a percent of time or entire FTEs formally dedicated to one business unit/function while the remainder of the time or team is generalized.

• Applications
  • Applications Development
  • Applications Maintenance
• IT Management
  • PPM & Projects

Indirect IT staffing spend

Definition: Individuals or teams whose total time is generalized to the support of multiple or all business units or functions.

• Infrastructure
  • Hosting & Networks
  • End Users
• Security

Indirect staff spend only comes into play in the CXO Business View. Thoroughly map the CIO Service View first and leverage its outcomes to inform your allocations to individual business and industry functions.

Understand the CEO Innovation View: Categories defined

Be particularly clear on your understanding of the difference between business growth and business innovation.

Business Innovation: IT spend/ activities focused on the development of new business capability, new products and services, and/or introduction of existing products/ services into new markets. It does not include expansion or update of existing capabilities.

Business Growth: IT spend/activities focused on the expansion, scaling, or modernization of an existing business capability, product/service, or market. This is specifically related to growth within a current market.

Keep the Lights On: IT spend/activities focused on keeping the organization running on a day-to-day basis. This includes all activities used to ensure the smooth operation of business functions and overall business continuity.

Important Note

Info-Tech analysts often skip mapping staff for the CEO Innovation View when delivering the IT Spend & Staffing Benchmarking Service.

This is because, for many organizations, either most IT staff spend is allocated to Keep the Lights On or any IT staff allocation to Business Growth and Business Innovation activities is untracked, undocumented, and difficult to parse out.

Mapping your IT staff across the CEO Innovation View is largely straightforward

Clear divisions between CapEx and OpEx can be your friend when it comes to mapping this view. Focus your efforts on parsing growth vs. innovation.

• The majority of IT staff costs are OpEx: And the majority of OpEx will land in the Keep the Lights On category. This is a comparatively simple mapping exercise. Know in advance that this will be the largest of the three buckets in the CEO Innovation View by a very wide margin, so don't be surprised if over 90% of IT staffing costs end up here.
• Most of the remaining IT staff costs will be tied to capital projects and investments: This means that they will land in either Business Growth or Business Innovation, with the majority typically sitting under Business Growth. Again, don't be surprised if the Business Innovation category holds less than 3% of total IT staffing spend.

Take your IT staff spend mapping to the next level with detailed time and headcount data

Overlay a broader assessment of your IT staff

Info-Tech's IT Staffing Assessment diagnostic can expand your view of what's really happening on the staffing front.

• Learn your true distribution of IT staff across the same IT services listed in the ITFM Cost Model's CIO Service View.
• Get other metrics such as degrees of seniority, manager span of control, and IT staff perception of their effectiveness.

Take action

1. Set it up: Contact your Info-Tech Account Manager and sign your team up to take the diagnostic.
2. Assess the findings: Review the output report, specifically how your staff says they spend their time versus what your organization chart's been telling you.
3. Apply the percentages: Use the FTE allocation percentages in the output report to guide how you distribute your staff spend across the CIO Service View.
4. Expand your analysis: Use your staff's feedback around perceived aids and obstacles to effectiveness in order to inform and defend your recommendations and decisions on how IT funds should be spent.

Consider these final tips for mapping your IT staffing costs before diving in

Mapping your IT staffing costs definitely requires some work. However, knowing the common stumbling blocks and being systematic will yield the best results.

Approach: Be efficient to be effective

Start with what you know best: Map the CFO Expense View first to plug in information you already have. Next, map the CIO Service View since it's most aligned to your organization chart.

Keep a list of questions: You'll need to seek clarifications. Note your questions, but don't reach out until you've done a first pass at the mapping - don't annoy people with a barrage of questions.

Delegate: Your managers and leads have a more accurate view of exactly what their staff do. Consider delegating the CIO Service View and CXO Business View to them or turn the mapping exercise into a series of collaborative leadership team activities.

Biggest challenge: Role/title ambiguity

• The Business Analyst role is often vague. These staffers are often jacks-of-all-trades in IT. You probably can't rely on a generic job description to figure out exactly which services and business functions BAs are spending their time on. Plan to ask a lot of questions.
• Other role titles may be completely inaccurate. Is the word "system" referring to apps, infrastructure, or both? Is the user experience specialist actually a programmer? Is a manager really managing anything? Know your organization's tendencies around meaningful job titling and set your workload expectations accordingly.

Key step - validate! If you see services or functions with low or no allocation, or something just doesn't look right, investigate. Someone's doing that work - take the time to figure out who.

3.1 Map your IT staffing costs

Duration: Variable

1. Navigate to tab "4. Staff Spend Mapping" in the IT Spend & Staffing Transparency Workbook. On one row, enter the name of an individual or group to be mapped, their role/title (if an individual), and their total known cost as per your collected data.
2. Under the CFO Expense View (columns F-G), enter the number of FTEs represented by the individual or group named and their status (i.e. Employee or Contractor).
3. Under the CIO Service View (columns L-AF), allocate the individual or group's spend as a percentage across all service categories. If the allocation for a service is 0%, leave the cell blank.
4. Under the CXO Business View (columns AI-BA), allocate the individual or group's spend as a percentage across all business function and industry-specific function categories. If the allocation for a function is 0%, leave the cell blank.
5. Under the CEO Innovation View (columns BD-BH), allocate the individual or group's spend as a percentage across Business Innovation, Business Growth, and Keep the Lights On. If the allocation for an investment type is 0%, leave the cell blank.
6. Repeat steps 2 to 5 for all other IT staff (as individuals or groups).
7. Follow up on and resolve any additional inquiries you need to make based on questions that arose during the mapping process.
8. Validate your mapping by:
   1. Identifying spend categories that have zero staff spend allocation. Additional percentage allocation splits for certain roles are probably required.
   2. Investigating spend categories that seem to have very high or very low spend allocations based on a gut check. Again, double-check your percentage allocation splits.
   3. Ensuring your amounts add up to your previously calculated total IT staff spend. A balance tracker is provided on tab "6. Tracker & General Outputs" of the IT Spend & Staffing Transparency Workbook.

Download the IT Spend & Staffing Transparency Workbook

3.1 Map your staffing costs

Phase 3: Map your IT staff spend

Achievement summary

You've now completed your IT staff spend mapping. You have:

• Allocated your IT staff spend across the four views of the ITFM Cost Model.
• Validated your mapping to ensure it's accurate and complete.

"Some want to allocate everybody to IT, but that's not how we do it. [In one CXO Business View mapping], a client allocated all their sand network people to the IT department. At the end of the process, the IT department itself accounted for 20% of total IT spend. We went back and reallocated those indirect staff costs across the business."
- Kennedy Confurius, Research Analyst, ITFM Practice, Info-Tech Research Group

Phase 4

Map Your IT Vendor Spend

This phase will walk you through the following activities:

• Mapping your IT vendor spend across the four views of the ITFM Cost Model
• Validating your mapping

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 4: Map your IT vendor spend

Allocate your vendor costs across the four views.

Now you're ready to take on the second part of your spend mapping, namely IT vendor spend. In this phase you will:

• Allocate your IT vendor spend across the four views of the ITFM Cost Model.
• Validate your mapping to ensure it's accurate and complete.

"[One CIO] said that all technology spend runs through their IT group. But they didn't have hardware in their financial data file - no cellphones or laptops, no network or server expenses. They thought they had everything, but they didn't know what they didn't have. Assume it's out there somewhere."
- Kennedy Confurius, Research Analyst, ITFM Practice, Info-Tech Research Group

Tackle the non-staff side of IT spend

Info-Tech analysts find that mapping the IT vendor spend data is harder because the source data is often scattered and not meaningfully labeled.

• Be patient and systematic. As with mapping your IT staff spend data, the more organized you are from the outset and the more thoroughly you've prepared your data, the more straightforward the exercise will be.
  • Did you "un-unique" your data? If not, do that now before attempting mapping.
• Get comfortable with making some assumptions. You need to get through the exercise, so sometimes making a best guess and entering a value is better than diving down a rabbit hole. Your gut is probably right anyway. But only make assumptions around smaller line items that don't have a massive impact on your final numbers. Never assume anything when it comes to big-ticket items.
• Curb your urge to fix. Some of your buckets will start to get big, while others will barely budge. This is normal ... and interesting! Resist the urge to "balance" staffing spend in a bucket by loading it with apps and hardware for fear that the staffing spend looks too high and will be questioned. This exercise is about how things are, not how they look.

"A common financial data problem is no vendor names. I've noticed that, even if the vendor name is there, there are no descriptors. You cannot actually tell what type of service it is. Data security? Infrastructure? Networking? Ask yourself 'What did we purchase and what does it do?'"
- Aman Kumari, Research Specialist, ITFM Practice, Info-Tech Research Group

Understand the CFO Expense View: Vendor categories defined

These are the final definitions for this view. See the previous section for CFO Expense View > Workforce definitions used in the IT staffing cost mapping exercise.

Vendor: Provider of a good or service in exchange for payment.

Hardware: Costs of procuring, maintaining, and managing all IT hardware, including end-user devices, data center and networking equipment, cabling, and hybrid appliances for both on-premises and cloud-based providers.

Software: Costs for all software (applications, database, middleware, utilities, tools) used across the organization. This includes purchase, maintenance, and licensing costs.

Contract Services: Costs for all third-party services including managed service providers, consultants, and advisory services.

Cloud: Offsite hosting and delivery of an on-demand software or hardware computing function by a third-party provider, often on a subscription-type basis.

On-Prem: On-site hosting and delivery of a software or hardware computing function, often requiring upfront purchase cost and subsequent maintenance costs.

Managed Services: Costs for outsourcing the provision and maintenance of a technical process or function.

Consulting & Advisory: Costs for the third-party provision of professional or technical advice and expertise.

Know if a technology is cloud-based or on-premises before mapping

A technology may be one, the other, or both if multiple versions are in play. Financial records rarely indicate which, but on-premises vs. cloud matters in your planning.

On-Premises

• Check your CapEx. Any net-new purchases of software or hardware for the IT spend analysis year in question should appear on the CapEx side of the equation. After the first year of implementation/rollout, all ongoing maintenance and management costs should be found under OpEx.
• Focus on real in-year costs.
  • Don't try to map depreciation or amortization associated with CapEX. Instead, map any upfront purchase costs that occurred in the relevant IT spend analysis year.
  • Map any OpEX costs incurred from maintenance and management. For multi-year maintenance contracts, apply the percentage of fees paid for the relevant year.

Cloud

• Check your OpEx. Cloud services are typically fee-based, which means the costs often come in the form of regularly timed bills akin to a subscription.
• Differentiate new services from older ones. If the cloud service was initiated during the IT spend analysis year in question, there may be some one-time service setup and initiation fees that were legitimately slotted under CapEx. If the cloud service isn't new, then all costs should be OpEx.

Vendors are increasingly "retiring" on-premises software products. This means an older version may be on-prem, a newer one cloud, and you may have both in play.

Mapping built-in data, analytics, and security functions can raise doubts

With so many apps focused on capturing, manipulating, and protecting data, built-in analytics, reporting, and security functions blur CIO Service View bucket boundaries.

Applications vs. Data & BI

• In recent years, much more powerful analysis and report-generation features have been added to core enterprise applications. If analytics and reporting functionality is an extended feature of a database-driven application, such as ERP or CRM, then map it to one of the Applications buckets.
• If the sole purpose of the application is to store, manipulate, query, analyze, and/or visualize data, then log its costs under Data & BI. These would include technologies such as data warehouses, marts, cubes, and lakes; desktop data visualization tools; enterprise business intelligence platforms; and specialized reporting tools.

Applications vs. Security

• A similar conundrum exists for Security. So many tools today have built-in security functionality that cannot be unintegrated from the app they support. Don't even try to isolate native security functionality for spend mapping purposes - map it to Applications.
• If the tool is a special-purpose, standalone security tool or security platform, then map it to Security. These tools usually sit within, and are used/managed by, IT. They include firewalls; antivirus/anti-malware; intrusion prevention, detection and response; access control and authentication; encryption; and penetration testing and vulnerability assessment.

Putting spend in the right bucket does matter. However, if uncertainty persists, err on the side of consistency. For most organizations Applications Maintenance does end up being the biggest bucket.

When mapping the CXO Business View, do the biggest vendors first

Below is a suggested order of operations to clear through the majority of vendor spend as early as possible in the process.

After mapping the CXO Business View, your Other buckets might be getting a bit big

It's common for the Business Other and Industry Other categories to be quite large, and even the largest. This is okay, but plan to dig deeper and understand why.

As with staffing, CapEx vs. OpEx helps map the CEO Innovation View

Mapping to this view was optional for IT staffing. For hard technology vendor spend, mapping this view is key. Use the guidance below to determine what goes where.

Keep the Lights On
Spend usually triggered by a service deck ticket or work order, not a formal project. Includes:

• Daily maintenance and management.
• Repair or upgrade of existing technology to preserve business function/continuity.
• Purchase of "commodity" technology, such as standard-issue laptops and licenses for office productivity software.

Business Growth
Spend usually in the context of a formal project under a CapEx umbrella. Includes:

• Technology spend that directly supports business expansion of an existing product or service and/or market.
• Modernizing existing technology.
• Extension of, or investment in, existing infrastructure to ensure reliability and availability in response to growth-driven scaling of headcount and utilization.

Business Innovation
Spend is always in the context of a formal project and should be 100% CapEx in the first year after purchase. Includes:

• Technology spend that directly supports development and rollout of new products or service and/or entry into new markets.
• Use of existing technology or investment in net-new technology in direct support of a new business initiative, direction, or requirement.

In many organizations, most technology spend will be allocated to Keep the Lights On. This is normal but should generate conversations with the business about redirecting funds to growth and innovation.

Remember these top tips when mapping your technology vendor spend

The benefits of having tidy and organized data can't be overstated, as your source data will be in a more varied state for this phase of the mapping than with IT staffing data.

Approach: Move from macro to micro

• Start with the big enterprise apps: These will probably be in the top five of your vendor spend list and will likely have good info about how and by whom they're used. Get them out of the way.
• Clear out shared technologies. This will feature infrastructure and operations plus office productivity and communications spend. Portioning spend by department headcount for the CXO Business View is the hardest part. Get this forklift task out of the way too.
• Don't sweat the small stuff. Wasting hours chasing the details of a $500 line item isn't worth it when you have five-, six-, or even seven-figure line items to map.

Biggest challenge: Poor vendor labeling

• Vendor labels are often an inconsistent mess or missing entirely. Standardize and apply consistent vendor labels throughout your data so that you can aggregate your data into a workable form.
• Spend transactions with the same vendor can be scattered all over the place in your general ledger. Take the time to "un-unique" your data to save yourself tremendous grief later on.
• Start new go-forward labeling habits. Talk to finance about your new list of vendor naming standards and tagging spend as on-prem or cloud. Getting their cooperation with these are major wins.

Key step - validate! If you see services or functions with low or no allocation, or something just doesn't look right, investigate. There's probably a technology out there in the business doing that work.

4.1 Map your IT vendor spend

Duration: Variable

1. Navigate to tab "5. Vendor Spend Mapping" in the IT Spend & Staffing Transparency Workbook. On one row, enter a spend line item (vendor, product, etc.), a brief description, and the known amount of spend.
2. Under the CFO Expense View (columns F-P), allocate the line item's spend as a percentage across all asset-class categories. If the allocation for a line item is 0%, leave the cell blank.
3. Under the CIO Service View (columns S-AM), allocate the line item's spend as a percentage across all service categories. If the allocation for a service is 0%, leave the cell blank.
4. Under the CXO Business View (columns AP-BH), allocate the line item's spend as a percentage across all business function and industry-specific function categories. If the allocation for a function is 0%, leave the cell blank.
5. Under the CEO Innovation View (columns BK-BO), allocate the line item's spend as a percentage across Business Innovation, Business Growth, and Keep the Lights On. If the allocation for an investment type is 0%, leave the cell blank.
6. Repeat steps 2-5 for all spend line items.
7. Follow up on and resolve any additional inquiries you need to make based on questions that arose during the mapping process.
8. Validate your mapping by:
   1. Ensuring your amounts add up to your previously calculated total IT vendor spend. A balance tracker is provided on tab "6. Tracker & General Outputs" of the IT Spend & Staffing Transparency Workbook.
   2. Identifying spend categories that have zero spend allocation. Additional percentage allocation splits for certain line items are probably required.
   3. Investigating spend categories that seem to have very high or very low spend allocations based on a gut check. Again, double-check your percentage allocation splits.

Download the IT Spend & Staffing Transparency Workbook

4.1 Map your IT vendor spend

Phase 4: Map your IT vendor spend

Achievement summary

You've now completed your IT vendor spend mapping. You have:

• Allocated your IT vendor spend across the four views of the ITFM Cost Model.
• Validated your mapping to ensure it's accurate and complete.

"A lot of organizations log their spending by vendor name with no description of the goods or services they actually purchased from the vendor. It could be hardware, software, consulting services ... anything. Having a clear understanding of what's really in there is an essential aspect of the spend conversation."
- Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group

Phase 5

Identify Implications for IT

This phase will walk you through the following activities:

• Analyzing the results of your IT staff and vendor spend mapping across the four views of the ITFM Cost Model
• Preparing an executive presentation of your transparent IT spend

This phase involves the following participants:

• Head of IT
• IT financial lead
• Other members of IT management

Phase 5: Identify implications for IT

Analyze and communicate.

You're now nearing the end of the first leg in your IT spend transparency journey. In this phase you will:

• Analyze the results of your IT spend mapping process.
• Revisit your transparency objectives.
• Prepare an executive presentation so you can share findings with other leaders in your organization.

"Don't plug in numbers just to make yourself look good or please someone else. The only way to improve is to look at real life."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group

You've mapped your IT spend data. Now what?

With mapped data in hand, now you can start to tell IT's spend story with stakeholders in the business.

Mapping your IT spend is a lot of work, but what you've achieved is impressive (applause!) as well as essential for growing your ITFM maturity. Now put your hard work to work.

• Consider benchmarking. While not covered in-depth here, benchmarking against yourself in a year-over-year approach as well as against external industry peers are very useful exercises in your technology spend analysis.
• Review your numbers and graphs. Your IT Spend & Staffing Transparency Workbook contains a series of data visualizations that will help you see the big picture as well as relationships between spend categories.
• Note the very big numbers, the very small numbers, and the things that just look odd. You'll want to investigate and understand these further.
• Prepare to communicate. Facilitating conversations with stakeholders in the business is the immediate objective of the IT spend and staffing transparency exercise. Decide where and with whom you want to start dialogue.

The slides that follow show sample data summaries and visualizations generated in the IT Spend & Staffing Transparency Workbook. We'll take a look at the metrics, tables, and graphs you now have available to you post-mapping and how you can potentially use them in conversations with different IT stakeholders.

Evaluate how you might use benchmarks before diving into your analysis

Benchmarking can be a useful input for contextualizing and interpreting your IT spend data. It's not essential at this point but should be part of your ITFM toolkit.

There are two basic types of benchmarking ...

Internal: Capturing a current-state set of data about an in-house operation to serve as a baseline. Over time, snapshots of the same data are taken and compared to the baseline to track and assess changes. Common uses for internal benchmarking include:

• Assessing the impact of a project or initiative.
• Measuring year-over-year performance.

External: Seeking out aggregated, current-state data about a peer-group operation to assess your own relative status or performance on the same operation. Common uses for external benchmarking include:

• Understanding common practices in the industry.
• Strategic and operational visioning, planning, and goal-setting.
• Putting together a business case for change or investment.

Both types of benchmarking benefit from some formality and rigor. Info-Tech can help you stand up an ITFM benchmarking approach as well as connect you with actual IT spend peer benchmarks via our IT Spend & Staffing Benchmarking service.

5.1 Analyze the results of your IT spend mapping

Duration: Variable

1. Review the guidance slides that follow the two instruction slides for this exercise to provide yourself with a grounding on how to interpret and analyze your mapped IT staff and vendor spend data.
2. Systematically review the data tables and graphs on the "Outputs" tabs 6 through 10 in the IT Spend & Staffing Transparency Workbook. There are several approaches you can take - use the one that works best for you. For example:
   1. Review each view in its entirety, one at a time.
   2. Review all workforce spend collectively across all four views, followed by all vendor spend across all four views (or vice versa).
3. Make note of any spend values that are comparatively high or low or strike you as odd or worth further investigation.
4. Craft a series of spend-related questions you want to answer for yourself and your stakeholders using the data.
   1. For example, you need to cut costs and apps maintenance is high. Your question could be, "Can we cut costs on applications maintenance staffing?"
   2. Alternatively, you can develop a series of statements (research hypotheses) that you seek to prove true or false with the data. This approach is useful for testing assumptions you've been making. For example, "We can cut spending on applications maintenance staff. True or false?"
5. Use the template provided on tab "11. Data Analysis" in the IT Spend & Staffing Transparency Workbook to document your findings and conclusions, along with the data that supports them.

Download the IT Spend & Staffing Transparency Workbook

5.1 Analyze the results of your IT spend mapping

High-level findings: Use these IT spend metrics to review and set big picture goals

Think of these metrics as key anchors in your long-term strategic planning efforts.

It's common for the business to want a sacrifice in IT OpEx in favor of CapEx

CapEx and OpEx approval mechanisms are often entirely separate. Different tax treatment for CapEx means that it's usually preferred by the business over OpEx.

OpEx is often seen as a sunk cost (i.e. an IT problem).

• Barring a major decision or event, OpEx on an individual item will generally trend upward over time, often by a few percent every year, in lockstep with inflation and growth in organizational headcount.
• A good portion of OpEx, however, is necessary for basic business continuity.

CapEx is usually seen as investment (i.e. a business growth opportunity).

• CapEx behaves quite differently than OpEx. On-the-books capitalized spend on an individual asset tends to trend downward over time due to depreciation or amortization.
• CapEx only tends to go up when a net-new capital project is initiated, and organizations often have more control over if, when, and how this spend happens.

Break down the OpEx/CapEx wall. Reference OpEx whenever you talk about CapEx. The best way to do this is via Total Cost of Ownership (TCO).

• Present data on long-term OpEx projections whenever a new capital project is proposed and ensure ongoing maintenance funds are secured.
• Educate your CFO about the impact of the cloud on OpEx. See if internal OpEx/CapEx ratio expectations can be adjusted to reflect this reality.

Spend by asset class offers the CFO a visual illustration of where the money's really gone

The major spend categories should look very familiar to your CFO. It's the minor sub-categories that sit underneath where you ultimately want to drive the conversation.

Traditional categories don't reflect IT reality anymore.

• Most finance departments have "software" accounts that contain apples and oranges, plus other dissimilar fruit.
• Software isn't just software anymore. Now it's on-premises (CapEx) or cloud (OpEx). The same distinction applies to traditional hardware due to the advent of managed services.
• The basic categories traditionally used to tag IT spend are out of date. This makes it hard for IT to have meaningful conversations with the CFO since they're not working from the same glossary.

"Software (on-premises)" and "hardware (cloud)" are more meaningful descriptors than "software" and "hardware." Shift the dialogue.

Start the migration from major categories to minor categories.

• Still give the CFO the traditional major categories they're looking for but start including minor category breakdowns into your communications. Most importantly, have a meeting to explain what these minor categories are and why they're important to managing IT effectively.
• Next, see if the CFO can formally split on-premises vs. cloud software on the books as a first step in making IT spend tracking more meaningful.

Employees vs. contractors warrants a specific conversation, plus a change in mindset

IT leaders often find it easier to get approval for contracted labor than to hire a permanent employee. However, the true value proposition for contractors does vary.

The decision to go with permanent employees or contractors depends on your ultimate goals.

• Contractors tend to be less expensive and provide more flexibility when adjusting to changing business needs. However, contractors may be less dedicated and take their skills and knowledge with them when they leave.
• Permanent employees bring additional costs like benefits and training. Plus, letting them go is a lot more complicated. However, they can also bring real value in a way a contractor can't when it comes to sustaining long-term strategic growth. They're assets in themselves.

Far too often, labor-sourcing decisions are driven by controlling near-term costs instead of generating and sustaining long-term value.

Introduce the cost-to-value ratio to your workforce spend conversations.

• Your mapped data will allow you to talk about comparative headcount and spend. This is a financial conversation devoid of context.
• Go beyond. Show how workforce spend has allowed stated goals to be achieved while controlling for costs. This is the true definition of value.

CFO Expense View: Shift the ITFM conversation

Now that you've mapped your IT spend data to the CFO Expense View, there are some questions you're better equipped to answer, namely:

• How should I classify my IT costs?
• What information should I include in my plans and reports?
• How do I justify current spend?
• How do I justify a budget increase?

You now have:

• A starting point for educating the CFO about IT spend realities.
• A foundation for creating a shared glossary of terms that works for both IT and the finance department and facilitates more meaningful conversations.
• Proof that there are major areas of IT spend, such as cloud software, that are distinctive and probably warrant their own financial category in the general ledger.
• A transparent record of IT spend that shows that you understand and care about financial issues, fostering the goodwill and trust that facilitates investment in IT.
• A starting point to change the ITFM conversation with the CFO from one focused on cost to one focused on value.

Exactly how is IT spending all that money we give them?

Exactly like this ...

The CIO Service View aligns with how IT organizes and manages itself – this is your view

The data mapped here is a critical input for IT's service planning and management program and should be integrated into your IT performance measurement activities.

Major service categories: These values give a high-level snapshot of your general IT service spend priorities. In most organizations, Applications dominates, making it a focus for cost optimization.

Minor service categories: The level of granularity for these values prove more practical when measuring performance and making service management decisions - not too big, not too small. While not reflected in this example, application maintenance is usually the largest relative consumer of IT spend in most organizations.

Data & BI and security: Isolating the exact spend for these services is challenging given that they're often entangled in applications and infrastructure spend respectively, and separate spend tracking for both is a comparatively recent practice.

Check the alignment of individual service spend against known business objectives

Some IT services are taken for granted by the business, while others are virtually invisible. This lack of visibility often translates into funding misalignments.

Is the amount of spend on a given service in parallel with the service's overall importance?

• Though often unstated, ensuring continuity of basic business operations is always the top priority. This means business apps, core infrastructure, end users, and security need to be appropriately funded - these should collectively comprise the majority of IT service spend.
• Strategy-supporting IT services, like data & BI, see high investment variability between organizations. If its strategic role/importance doesn't align with spend, flag it as an issue you'll need to reconcile with the business by increasing funding (important) or reducing service levels (unimportant).
• The strategic importance of IT as a whole is often reflected in the spend on IT management services. If spend is low, IT's probably seen as a support function, not a strategic one.

Identify the hot spots and pick your battles.

• Spend levels are just approximate gauges of where and how the business is willing to spend its money. Start with this simple gut check.
• Noting the areas of importance vs. spend misalignment will help you identify where negotiations with the business should probably happen.

A mature IT cost optimization practice is often approached from the service perspective

When optimizing IT costs, you have two OpEx levers to pull - vendor spend and staff spend. Isolating these two sources of IT service spend will help shortlist your options.

It's all about how much room you have to move.

• Any decision made about how a service is provisioned will push vendor and staff spend in clear, predictable, and often opposite directions (e.g. in-house and people-intensive services tend to see higher staff spend, while outsourced and tech-intensive services higher vendor spend).
• Service levels required by the business should be the driving factor behind service design and spend decisions. High service spend may reflect priority but may also indicate it's over-built and is ripe for a cost-optimization treatment.
• Service spend is a useful barometer for tracking the financial impact of any changes made to IT. Add simple unit-cost metrics like "service spend per organizational employee" and "service spend per FTE assigned to the service" to see if and how the dial has moved over time.

Grow your IT service management practice.

• The real power of the CIO Service View is laying the groundwork for next-level IT service management initiatives like developing a service catalog, negotiating service-level agreements, rolling out chargeback and showback mechanisms, and calculating IT's value to the business.
• Use service spend as a common denominator for both your IT service management and IT performance management programs. Better yet, integrate the two programs to ensure a single version of the truth.

CIO Service View: Optimize your cost-to-value ratio

Now that you've mapped your IT spend data to the CIO Service View, there are some questions you're better equipped to answer, namely:

• What's the impact of cloud adoption on speed of delivery?
• Where can I improve spend efficiency?
• Is my support model optimized?
• How does our spend compare to others?

You now have:

• Data that shows the financial impact of change decisions on service costs.
• Insight into the relationship between vendor spend and staff spend within a given IT service.
• The information you need to start developing service unit costing mechanisms.
• A tool for setting and right-sizing service-level agreements with the business.
• A more focused starting point for investigating IT cost-optimization opportunities.
• A baseline for benchmarking common IT services against your peers.

Does the amount we spend on each IT service make sense?

We have some good opportunities for optimization ...

The CXO Business View will spur conversations that may have never happened before

This view is a potential game changer as previously unknown technology spend is often revealed, triggering change in IT's relationship with business unit leaders.

The big beneficiaries of IT spend will leap out

The CXO Business View mapping does have a "shock and awe" quality to it given large spend disparities. They may be totally legitimate, but they're still eye-catching.

Share information, don't push recommendations.

• Have a series of one-on-one meetings with business unit leaders to present these numbers.
  • Approach initial meetings as information-sharing sessions only. The data is probably new to them, and they'll need time to reflect and ask questions.
  • Bring a list of the big-ticket spend items for that business unit to focus the conversation.
• Present these numbers at a broader leadership meeting.
  • It's critical for everyone to hear the same truth and learn about each other's technology needs and uses.
  • This is where recommendations for better aligning IT spend with business goals and cost-optimization strategies should surface. A group approach will bring technology haves and have-nots into the open, as well as provide a forum for collaborative solutioning.

If possible, slice the numbers by business unit headcount.

• IT spend per business unit employee is an attention-getting metric that can help gain entry to important conversations.
• Comparing per-employee spend across different business functions is not necessarily an apples-to-apples comparison, as units like HR may have few employees but serve the entire organization. Bring up these kinds of differences to provide context and avoid misinterpretations.

Questions will arise in how you calculated and allocated indirect IT spend

IT spend for things like core infrastructure and end-user services must be distributed fairly across multiple or all business units. Be prepared to explain your methods.

Be transparent in your transparency.

• Distributing indirect spend is imprecise by nature. You can't account for every unique circumstance. However, you can devise a logic-driven, general approach that's defensible, fair, and works for most people most of the time.
• Lay out your assumptions from the start. This is an important part of communicating transparently and can prevent unwanted descent into weedy rabbit holes.
  • List what you classified as indirect spend. Use the CFO Expense View and/or CIO Service View categories to aid your presentation of this information.
  • Point out known circumstances that didn't fit your general allocation method and how you handled them. Opting to ignore minor anomalies is reasonable but be sure to tell business unit leaders you did this and why.

Use questions about indirect IT staff spend distribution to engage stakeholders.

• As a percentage, the indirect IT staff spend allocation to a specific business unit may be higher than that for IT vendor spend since IT staff tend to operate more generally than the technologies they support.
• Leverage any pushback about indirect spend as an opportunity to engage the broader business leadership group. Let them arrive at a consensus of how they want it done and confirm buy-in.

CXO Business View: Bring the truth to light

Now that you've mapped your IT spend data to the CXO Business View, there are some questions you're better equipped to answer, namely:

• Which business units consume the most IT resources?
• Which business units are underserved by IT?
• How do I best communicate spend data internally?
• Where do I need better business sponsorship for IT projects?

You now have:

• A reason-based accounting of direct and indirect amounts spent on IT vendors and staff in support of each major business unit.
• Insight into the technology haves and have-nots in your organization and where opportunities to optimize costs may exist.
• Attention-getting numbers that will help you engage business-unit leaders in meaningful conversations about their use of IT resources and the value they receive.
• A mechanism to assess if a business unit's consumption of IT is appropriate and aligned with its purpose and mandate in the organization.
• A list of previously unknown business-side technologies that IT will investigate further.

Why doesn't my business unit get more support from IT?

Let's look at how you compare to the other departments ...

From the CEO's high-level perspective, IT spend is a collection of distinct financial islands

From IT's perspective, these islands are intimately connected, with events on one affecting what happens (or doesn't) on another. Focus on the bridges.

Focus more on unifying the view of technology spend than on the numbers

When talking to the CEO, seek to build mutual understanding and encourage a holistic approach to the organization's technology spend.

Use the numbers to get to the real issues.

• Clarify with the CEO what business innovation, business growth, and KTLO means to them and the role each plays in the organization's strategic and operational plans.
• Find out the role they think IT, and technology as a whole, has in realizing business plans. Only then can you look at the relative allocation of IT spend with them to see if the aspiration aligns with reality.
• Eventually, you'll need to discuss expectations around who pays the bills for operationally supporting capital technology investments over the long-term (i.e. IT or the business units that actually want and use it). You'll have concrete examples of business projects that consumed IT operations resources without a corresponding increase in IT's OpEx budget.

Focus your KTLO spend conversation on risk and trade-off.

• Every strategic conversation needs to look at the impact on ongoing operations. Every discussion about CapEx needs to investigate the long-term repercussions for OpEx. Look at the whole tech spend picture.
• Use risk to get KTLO/OpEx into the conversation. Be straightforward (i.e. "If we do/don't do this, then we can/can't do that"). Simply put, mitigating the risks that get in the way of having it all usually requires spending.

CEO Innovation View: Learn what's really expected of IT

Now that you've mapped your IT spend data to the CEO Innovation View, there are some questions you're better equipped to answer, namely:

• Why is KTLO spend so high?
• What should our operational spend priorities be?
• Which projects and investments should we prioritize?
• Are we spending enough on innovative initiatives?

You now have:

• A holistic, organization-wide view of total technology spend in support of different investment types, namely business innovation, business growth, and keeping things up and running.
• Data-driven examples that prove the impact of near-term capital spend on long-term operational expenses and the intimate relationship between the two types of spend.
• A way to measure the degree of alignment between the innovation and growth goals the organization has and how money is actually being spent to realize those goals.
• A platform to discuss how technology investment decision-making and governance can work better to realize organizational mandates and goals.

I know what IT costs us, but what is it really worth?

Here's how tech spend directly supports business objectives ...

Revisit your IT spend transparency objectives before crafting your executive presentation

Go back to exercise 1.1 to remind yourself why you undertook this effort in the first place, clear your head of all that data, and refocus on the big picture.

Review the real problems and issues you need to address and the key stakeholders.
This will guide what data you focus on or showcase with other business leaders. For example, if IT OpEx is perceived as high, be prepared to examine the CapEx/OpEx ratio as well as cloud-related spend's impact on OpEx.

Flag ITFM processes you'll develop as part of your ITFM maturity improvement plan.
You won't become a TCO math expert overnight, but being able to communicate your awareness of and commitment to developing and applying ITFM capabilities helps build confidence in you and the information you're presenting.

Use your first big presentation to debut ITFM.
ITFM as a formal practice and the changes you hope to make may be a novel concept for your business peers. Use your newfound IT spend and staffing transparency to gently wade into the topic instead of going for the deep dive.

Now it's time to present your transparent IT spend and staffing data to your executive

Pull out of analysis mode. You're starting to tell the IT spend story, and this is just the first chapter. Introduce your cast of characters and pique your audience's interest.

The goal of this first presentation is to showcase IT spend in general and make sure that everyone's getting the same information as everyone else.

Go broad, not deep
Defer any in-depth examinations until after you're sure you have everyone's attention. Only dive deep when you're ready to talk about specific plans via follow-up sessions.

Focus on the CXO
Given your audience, the CXO Business View may be the most interesting for them and will trigger the most questions and discussion. Plan to spend the largest chunk of your time here.

Avoid judgment
Let the numbers speak for themselves. Do point out what's high and what's low, but don't offer your opinion about whether it's good or bad. Let your audience draw their own conclusions.

Ask for impressions
Education and awareness are primary objectives. What comes up will give a good indication of what's known, what's news, who's interested, and where there's work to do.

Pick a starting point
Ask what they see as high-priority areas for both optimizing IT costs as well as improving the organization's approach to making IT spend decisions in general.

What to include in your presentation ...

• Purpose: Why you did the IT spend and staffing transparency exercise.
• Method: The models and processes you used to map the data.
• Data: Charts from the IT Spend & Staffing Transparency Workbook.
• Feedback: Space for your audience to voice their thoughts.
• Next steps: Discussion and summary of actions to come.

5.2 Develop an executive presentation

Duration: Two hours

1. Download the IT Staff & Spend Executive Presentation Template.
2. Copy and paste the IT spend output tables and graphs into the template. (Note: Pasting as an image will preserve formatting.)
3. Incorporate observations and insights about your analysis of your IT spend metrics.
4. Conduct an internal review of the final presentation to ensure it includes all the elements you need and is error free.
5. Book time to make your presentation to the executive team. Plan time after the presentation to field questions, engage in follow-up information sessions, and act on feedback.

Note: Refer to your organization's standards and norms for executive-level presentations and either adapt the Info-Tech template accordingly or use your own.

Download the IT Spend & Staffing Transparency Executive Presentation TemplateTemplate

Phase 5: Identify implications for IT

Achievement summary

You've done the hard part in starting your IT spend transparency journey. You have:

• Analyzed the results of your IT spend mapping process.
• Revisited your transparency objectives.
• Prepared an executive presentation so you can share findings with other leaders in your organization.

"Having internal conversations, especially if there is doubt, allows for accuracy and confidence in your model. I was showing someone the cost of a service he managed. He didn't believe the service was so expensive. We went through it: here are the people we allocated, the assets we allocated, and the software we allocated. It was right - that was the total cost. He was like, 'No way. Wow.' The costs were high, and the transparency is what allowed for a conversation on cost optimization."
- Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group

Next Steps

Achieve IT Spend & Staffing Transparency

This final section will provide you with:

• An overall summary of accomplishment
• Recommended next steps
• A list of contributors to this research
• Some related Info-Tech resources to help you grow your ITFM practice

Summary of Accomplishment

Congratulations! You now have a fully transparent view of your IT spend.

You've now mapped the entirety of technology spend in your organization. You've:

1. Learned the key sources of spend data and information in your organization.
2. Set some standards for data organization and labeling.
3. Have a methodology for continuing to track and document spend in a transparent way.
4. Crafted an executive presentation that's a first step in having more meaningful and constructive conversations about IT spend with your key stakeholders.

What's next?

With a reliable baseline, you can look forward to more informed and defensible IT budgeting and cost optimization. Use your newly-transparent IT spend as a foundation for improving your financial data hygiene in the near term and evolving your overall ITFM governance maturity in the long-term.

If you would like additional support, have our analysts guide you through an Info-Tech full-service engagement or Guided Implementation.

Contact your account representative for more information.

1-888-670-8889

Research Contributors and Experts

Monica Braun
Research Director, ITFM Practice
Info-Tech Research Group

Dave Kish
Practice Lead, ITFM Practice
Info-Tech Research Group

Kennedy Confurius
Research Analyst, ITFM Practice
Info-Tech Research Group

Aman Kumari
Research Specialist, ITFM Practice
Info-Tech Research Group

Rex Ding
Research Specialist, ITFM Practice
Info-Tech Research Group

Angie Reynolds
Principal Research Director, ITFM Practice
Info-Tech Research Group

Related Info-Tech Research

Build Your IT Cost Optimization Roadmap

• Cost optimization often doesn't go beyond the cutting part, but cutting costs isn't strategic - it's reactive and can easily result in mistakes.
• True cost optimization is much more than this. Re-focus your efforts on optimizing your cost-to-value ratio and implementing a sustainable cost-optimization practice.

Build an IT Budget

• Budgetary approval is difficult because finance executives have a limited understanding of IT and use a different vocabulary.
• Detailed budgets must be constructed in a way that is transparent but at a level of appropriate detail in order to limit complexity and confusion.

Manage an IT Budget

• No one likes to be over budget, but being under budget isn't necessarily good either.
• Implement a budget management process that documents your planned budget and actual expenditures, tracks variances, and responds to those variances to stay on track.
• Control for under- or overspending using Info Tech's budget management tool and tactics.

APPENDIX

Sample shared business services

Sample industry-specific business services

Sample shared business functions

Sample industry-specific functions

Supply chain and capital-intensive industries.

Sample industry-specific functions

Financial services and insurance industries.

Sample industry-specific functions

Healthcare industry

Sample industry-specific functions

Gaming and hospitality industries