Endpoint Management Selection Guide

Streamline your organizational approach to selecting a right-sized endpoint management platform.

Endpoint Management Selection Guide

Streamline your organizational approach toward the selection of a right-sized endpoint management platform.

EXECUTIVE BRIEF

Analyst Perspective

Revolutionize your endpoint management with a proper tool selection approach

The endpoint management market has an ever-expanding and highly competitive landscape. The market has undergone tremendous evolution in past years, from device management to application deployments and security management. The COVID-19 pandemic forced organizations to service employees and end users remotely while making sure corporate data is safe and user satisfaction doesn't get negatively affected. In the meantime, vendors were forced to leverage technology enhancements to satisfy such requirements.

That being said, endpoint management solutions have become more complex, with many options to manage operating systems and run applications for relevant user groups. With the work-from-anywhere model, customer support is even more important than before, as a remote workforce may face more issues than before, or enterprises may want to ensure more compliance with policies.

Moreover, the market has become more complex, with lots of added capabilities. Some features may not be beneficial to corporations, and with a poor market validation, businesses may end up paying for some capabilities that are not useful.

In this blueprint, we help you quickly define your requirements for endpoint management and narrow down a list to find the solutions that fulfill your use cases.

Mahmoud Ramin, PhD
Senior Research Analyst, Infrastructure and Operations
Info-Tech Research Group

Executive Summary

Your Challenge

Endpoint management solutions are becoming increasingly essential – deploying the right devices and applications to the right users and zero-touch provisioning are indispensable parts of a holistic strategy for improving customers' experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

Common Obstacles

Despite the importance of selecting the right endpoint management platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner. There are many options available, which can cause business and IT leaders to feel lost.

The endpoint management market is evolving quickly, making the selection process tedious. On top of that, IT has a hard time defining their needs and aligning solution features with their requirements.

Info-Tech's Approach

Determine what you require from an endpoint management solution.

Review the market space and product offerings, and compare the capabilities of key players.

Create a use case – use top-level requirements to determine use cases and short-list vendors.

Conduct a formal process for interviewing vendors, using Info-Tech's templates to select the best platform for your requirements.

Info-Tech Insight

Investigate vendors' roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements without any unnecessary investment in features that are not currently useful for you. Make sure you don't purchase capabilities that you will never use.

What are endpoint management platforms?

Our definition: Endpoint management solutions are platforms that enable IT with appropriate provisioning, security, monitoring, and updating endpoints to ensure that they are in good health. Typical examples of endpoints are laptops, computers, wearable devices, tablets, smart phones, servers, and the Internet of Things (IoT).

First, understand differences between mobile management solutions

• Endpoint management solutions monitor and control the status of endpoints. They help IT manage and control their environment and provide top-notch customer service.
• These solutions ensure a seamless and efficient problem management, software updates and remediations in a secure environment.
• Endpoint management solutions have evolved very quickly to satisfy IT and user needs:
• Mobile Device Management (MDM) helps with controlling features of a device.
• Enterprise Mobile Management (EMM) controls everything in a device.
• Unified Endpoint Management (UEM) manages all endpoints.

Endpoint management includes:

• Device management
• Device configuration
• Device monitoring
• Device security

Info-Tech Insight

As endpoint management encompasses a broad range of solution categories including MDM, EMM, and UEM, look for your real requirements. Don't pay for something that you won't end up using.

As UEM covers all of MDM and EMM capabilities, we overview market trends of UEM in this blueprint to give you an overall view of market in this space.

Your challenge: Endpoint management has evolved significantly over the past few years, which makes software selection overwhelming

Additional challenges occur in securing endpoints

A rise in the number of attacks on cloud services creates a need to leverage endpoint management solutions

MarketsandMarkets predicted that global cloud infrastructure services would increase from US$73 billion in 2019 to US$166.6 billion in 2024 (2019).

A study by the Ponemon Institute showed that 68% of respondents believe that security attacks increased over the past 12 months (2020).

The study reveals that over half of IT security professionals who participated in the survey believe that organizations are not very efficient in securing their endpoints, mainly because they're not efficient in detecting attacks.

IT professionals would like to link endpoint management and security platforms to unify visibility and control, to determine potential risks to endpoints, and to manage them in a single solution.

Businesses will continue to be compromised by the vulnerabilities of cloud services, which pose a challenge to organizations trying to maintain control of their data.

Trends in endpoint management have been undergoing a tremendous change

In 2020, about 5.2 million users subscribed to mobile services, and smartphones accounted for 65% of connections. This will increase to 80% by 2025.
Source: Fortune Business Insights, 2021

Info-Tech's methodology for selecting a right-sized endpoint management platform

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

The endpoint management purchase process should be broken into segments:

1. Endpoint management vendor shortlisting with this buyer's guide
2. Structured approach to selection
3. Contract review

Info-Tech's approach

Complementary research:

Create a quick business case and requirements document to align stakeholders to your vision with Info-Tech's Rapid Application Selection Framework.
See what your peers are saying about these vendors at SoftwareReviews.com.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Understand core features and build your business case

This phase will walk you through the following activity:

Define use cases and core features for meeting business and technical goals

This phase involves the following participants:

• CIO
• IT manager
• Infrastructure & Applications directors

MDM solutions function at the level of corporate devices. Something else was needed to enable personal device management.

Major components of EMM solutions

Mobile Application Management (MAM)

Allows organizations to control individual applications and their associated data. It restricts malicious apps and enables in-depth application management, configuration, and removal.

Containerization

Enables separation of work-related data from private data. It provides encrypted containers on personal devices to separate the data, providing security on personal devices while maintaining users' personal data.

Mobile Content Management (MCM)

Helps remote distribution, control, management, and access to corporate data.

Mobile Security Management (MSM)

Provides application and data security on devices. It enables application analysis and auditing. IT can use MSM to provide strong passwords to applications, restrict unwanted applications, and protect devices from unsecure websites by blacklisting them.

Mobile Expense Management (MEM)

Enables mobile data communication expenses auditing. It can also set data limits and restrict network connections on devices.

Identity Management

Sets role-based access to corporate data. It also controls how different roles can use data, improving application and data security. Multifactor authentication can be enforced through the identity management featured of an EMM solution.

Unified endpoint management: Control all endpoints in a single pane of glass

IT admins used to provide customer service such as installation, upgrades, patches, and account administration via desktop support. IT support is not on physical assistance over end users' desktops anymore.

The rise of BYOD enhanced the need to be able to control sensitive data outside corporate network connection on all endpoints, which was beyond the capability of MDM and EMM solutions.

• It's now almost impossible for IT to be everywhere to support customers.
• This created a need to conduct tasks simultaneously from one single place.
• UEM enables IT to run, manage, and control endpoints from one place, while ensuring that device health and security remain uncompromised.
• UEM combines features of MDM and EMM while extending EMM's capabilities to all endpoints, including computers, laptops, tablets, phones, printers, wearables, and IoT.

Info-Tech Insight

Organizations once needed to worry about company connectivity assets such as computers and laptops. To manage them, traditional client management tools like Microsoft Configuration Manager would be enough.

With the increase in the work-from-anywhere model, it is very hard to control, manage, and monitor devices that are not connected to a VPN. UEM solutions enable IT to tackle this challenge and have full visibility into and management of any device.

UEM platforms help with saving costs and increasing efficiency

UEM helps corporates save on their investments as it consolidates use-case management in a single console. Businesses don't need to invest in different device and application management solutions.

From the employee perspective, UEM enables them to work on their own devices while enforcing security on their personal data.

• Security and privacy are very important criteria for organizations. With the rapid growth of the work-from-anywhere model, corporate security is a huge concern for companies.
• Working from home has forced companies to invest a lot in data security, which has led to high UEM demand. UEM solutions streamline security management by consolidating device management in a single platform.
• With the fourth-generation industrial revolution, we're experiencing a significant rise in the use of IoT devices. UEM solutions are very critical for managing, configuring, and securing these devices.
• There will be a huge increase in cyber threats due to automation, IoT, and cloud services. The pandemic has sped up the adoption of such services, forcing businesses to rethink their enterprise mobility strategies. They are now more cautious about security risks and remediations. Businesses need UEM to simplify device management on multiple endpoints.
• With UEM, IT environment management gets more granular, while giving IT better visibility on devices and applications.

UEM streamlines mundane admin tasks and simplifies user issues.

Even with a COPE or COBO provisioning model, without any IT intervention, users can decide on when to install relevant updates. It also may lead to shadow IT.

Endpoint management, and UEM more specifically, enables IT to enforce administration over user devices, whether they are corporate or personally owned. This is enabled without interfering with private/personal data.

Where it's going: The future state of UEM

Despite the fast evolution of the UEM market, many organizations do not move as fast as technological capabilities. Although over half of all organizations have at least one UEM solution, they may not have a good strategy or policies to maximize the value of technology (Tech Orchard, 2022). As opposed to such organizations, there are others that use UEM to transform their endpoint management strategy and move service management to the next level. That integration between endpoint management and service management is a developing trend (Ivanti, 2021).

• SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021).
• Over 2022, 78% of people worked remotely for at least some amount of time during the week (Tech Orchard, 2022).
• 84% of organizations believe that cybersecurity threat alarms are becoming very overwhelming, and almost half of companies believe that the best way to tackle this is through consolidating platforms so that everything will be visible and manageable through a single pane of glass (Cybersecurity Insiders, 2022).
• The UEM market was worth $3.39 billion in 2020. It is expected to reach $53.65 billion by 2030, with an annual growth rate of 31.7% (Datamation, 2022). This demonstrates how dependent IT is becoming on endpoint management solutions.

Only 27% of organizations have "fully deployed" UEM "with easy management across all endpoints"
Source: IT Pro Today, 2018.

Endpoint Management Key Trends

• Commoditization of endpoint management features. Although their focus is the same, some UEM solutions have unique features.
• New endpoint management paradigms have emerged. Endpoint management has evolved from client management tools (CMT) and MDM into UEM, also known as "modern management" (Ivanti, 2022).
• One pane of glass for the entire end-user experience. Endpoint management vendors are integrating their solution into their ITSM, ITOM, digital workspace, and security products.
• AI-powered insights. UEM tools collect data on endpoints and user behavior. Vendors are using their data to differentiate themselves: Products offer threat reports, automated compliance workflows, and user experience insights. The UEM market is ultimately working toward autonomous endpoint management (Microsoft, 2022).
• Web apps and cloud storage are the new normal. Less data is stored locally. Fewer apps need to be patched on the device. Apps can be accessed on different devices more easily. However, data can more easily be accessed on BYOD and on new operating systems like Chrome OS.
• Lighter device provisioning tools. Instead of managing thick images, UEM tools use lighter provisioning packages. Once set up, Autopilot and UEM device enrollment should take less time to manage than thick images.
• UEM controls built around SaaS. Web apps and the cloud allow access from any device, even unmanaged BYOD. UEM tools allow IT to apply the right level of control for the situation – mobile application management, mobile content management, or mobile device management.
• Work-from-anywhere and 5G result in more devices outside of your firewalls. Cloud-based management tools are not limited by your VPN connection and can scale up more easily than traditional, on-prem tools.

Understand endpoint management table stakes features

Determine high-level use cases to help you narrow down to specific features

Support the organization's operating systems:
Many UEM vendors support the most dominant operating systems, Windows and Mac; however, they are usually stronger in one particular OS than the other. For instance, Intune supports both Windows and Mac, although there are some drawbacks with MacOS management by Intune. Conversely, Jamf is mainly for MacOS and iOS management. Enterprises look to satisfy their end users' needs. The more UEM vendors support different systems, the more likely enterprises will pick them. Although, as mentioned, in some instances, enterprises may need to select more than one option, depending on their requirements.

Support BYOD and remote environments:
With the impact of the pandemic on work model, 60-70% of workforce would like to have more flexibility for working remotely (Ivanti, 2022). BYOD is becoming the default, and SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. As BYOD can boost productivity (Samsung Insights, 2016), you may be interested in how your prospective UEM solution will enable this capability with remote wipe (corporate wipe capability vs. wiping the whole device), data and device tracking, and user activity auditing.

Understand endpoint management table stakes features

Determine high-level use cases to help you narrow down to specific features

Integration with the enterprise's IT products:
To get everything in a single platform and to generate better metrics and dashboards, vendors provide integrations with ticketing and monitoring solutions. Many large vendors have strong integrations with multiple ITSM and ITAM platforms to streamline incident management, request management, asset management, and patch management.

Support security and compliance policies:
With the significant boost in work-from-anywhere, companies would like to enable endpoint security more than ever. This includes device threat detection, malware detection, anti-phishing, and more. All UEMs provide these, although the big difference between them is how well they enable security and compliance, and how flexible they are when it comes to giving conditional access to certain data.

Provide a fully automated vs manual deployment:
Employees want to get their devices faster, IT wants to deploy devices faster, and businesses want to enable employees faster to get them onboard sooner. UEMs have the capability to provide automated and manual deployment. However, the choice of solution depends on enterprise's infrastructure and policies. Full automation of deployment is very applicable for corporate devices, while it may not be a good option for personally owned devices. Define your user groups and provisioning models, and make sure your candidate vendors satisfy requirements.

Plan a proper UEM selection according to your requirements

1. Identify IT governance, policy, and process maturity
   Tools cannot compensate for your bad processes. You should improve deploying and provisioning processes before rolling out a UEM. Automation of a bad process only wraps the process in a nicer package – it does not fix the problem.
   Refer to InfoTech's Modernize and Transform Your End-User Computing Strategy for more information on improving endpoint management procedures.
2. Consider supported operating systems, cloud services, and network infrastructure in your organization
   Most UEMs support all dominant operating systems, but some solutions have stronger capability for managing a certain OS over the other.
3. Define enterprise security requirements
   Investigate security levels, policies, and requirements to align with the security features you're expecting in a UEM.
4. Selection and implementation of a UEM depends on use case. Select a vendor that supports your use cases
   Identify use cases specific to your industry.
   For example, UEM use cases in Healthcare:
   • Secure EMR
   • Enforce HIPAA compliance
   • Secure communications
   • Enable shared device deployment

Activity: Define use cases and core features for meeting business and technical goals

1-2 hours

1. Brainstorm with your colleagues to discuss your challenges with endpoint management.
2. Identify how these challenges are impacting your ability to meet your goals for managing and controlling endpoints.
3. Define high-level goals you wish to achieve in the first year and in the longer term.
4. Identify the use cases that will support your overall goals.
5. Document use cases in the UEM Requirements Workbook.

Input

• List of challenges and goals

Output

• Use cases to be used for determining requirements

Materials

• Whiteboard/flip charts
• Laptop to record output

Participants

• CIO
• IT manager
• Infrastructure & Applications directors

Download the UEM Requirements Workbook

Phase 2

Discover the endpoint management market space and select the right vendor

This phase will walk you through the following activity:
Define top-level features for meeting business and technical goals
This phase involves the following participants:

• CIO
• IT manager
• Infrastructure & Applications directors
• Project managers

Elicit and prioritize granular requirements for your endpoint management platform

Understanding business needs through requirements gathering is the key to defining everything about what is
being purchased. However, it is an area where people often make critical mistakes.

Risks of poorly scoped requirements

• Fail to be comprehensive and miss certain areas of scope.
• Focus on how the solution should work instead of what it must accomplish.
• Have multiple levels of confusing and inconsistent detail in the requirements.
• Drill down all the way to system-level detail.
• Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
• Omit constraints or preferences that buyers think are "obvious."

Best practices

• Get a clear understanding of what the system needs to do and what it is expected to produce.
• Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
• Explicitly state the obvious and assume nothing.
• Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
• Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

Review Info-Tech's blueprint Improve Requirements Gathering to improve your requirements gathering process.

Consider the perspective of each stakeholder to ensure functionality needs are met

Best of breed vs. "good enough" is an important discussion and will feed your success

Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

• Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where "good enough" is an acceptable state.
• Consider the implications of implementation and all use cases of:
• Buying an all-in-one solution.
• Integration of multiple best-of-breed solutions.
• Customizing features that were not built into a solution.
• Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional endpoint management solutions.

Pros and Cons

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews
evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions. Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.	The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions. Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Speak with category experts to dive deeper into the vendor landscape

SoftwareReviews

• Fact-based reviews of business software from IT professionals.
• Product and category reports with state-of-the-art data visualization.
• Top-tier data quality backed by a rigorous quality assurance process.
• User-experience insight that reveals the intangibles of working with a vendor.

CLICK HERE to ACCESS

Comprehensive software reviews
to make better IT decisions

We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

SoftwareReviews is powered by Info-Tech

Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology.
With the insight of our expert analysts, our members receive unparalleled support in their buying journey.

Get to Know the Key Players in the Endpoint Management Landscape

The following slides provide a top-level overview of the popular players you will encounter in the endpoint management shortlisting process in alphabetical order.

Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF, and NPS scores are pulled from live data as of January 2023.

Secure business units and enhance connection by simplifying the digital workplace

A good option for enterprises that want a single-pane-of-glass UEM that is easy to use, with a modern-looking dashboard, high threat-management capability, and high-quality customer support.

CISCO Meraki

Est. 1984 | CA, USA | NASDAQ: CSCO

DOWNLOAD REPORT

Screenshot of CISCO Meraki's dashboard. Source: Cisco

Transform work experience and support every endpoint with a unified view to ensure users are productive

A tool that enables you to access corporate resources on personal devices. It is adaptable to your budget. SoftwareReviews reports that 75% of organizations have received a discount at initial purchase or renewal, which makes it a good candidate if looking for a negotiable option.

Citrix Endpoint Management

Est. 1989 | TX, USA | Private

DOWNLOAD REPORT

Screenshot of Citrix Endpoint Management's dashboard. Source: Citrix

Scale remote users, enable BYOD, and drive a zero-trust strategy with IBM's modern UEM solution

A perfect option to boost cybersecurity. Remote administration and installation are made very easy and intuitive on the platform. It is very user friendly, making implementation straightforward. It comes with four licensing options: Essential, Deluxe, Premier, and Enterprise. Check IBM's website for information on pricing and offerings.

IBM MaaS360

Est. 1911 | NY, USA | NYSE: IBM

DOWNLOAD REPORT

Screenshot of IBM MaaS360's dashboard. Source: IBM

Get complete device visibility from asset discovery to lifecycle management and remediation

A powerful tool for patch management with a great user interface. You can automate patching and improve cybersecurity, while having complete visibility into devices. According to SoftwareReviews, 100% of survey participants plan to renew their contract with Ivanti.

Ivanti Neurons

Est. 1985 | CA, USA | Private

DOWNLOAD REPORT

Screenshot of Ivanti Neurons UEM's dashboard. Source: Ivanti

Improve your end-user productivity and transform enterprise Apple devices

An Apple-focused UEM with a great interface. Jamf can manage and control macOS and iOS, and it is one of the best options for Apple products, according to users' sentiments. However, it may not be a one-stop solution if you want to manage non-Apple products as well. In this case, you can use Jamf in addition to another UEM. Jamf has some integrations with Microsoft, but it may not be sufficient if you want to fully manage Windows endpoints.

Jamf PRO

Est. 2002 | MN, USA | NASDAQ: JAMF

DOWNLOAD REPORT

Screenshot of Jamf PRO's dashboard. Source: Jamf

Apply automation of traditional desktop management, software deployment, endpoint security, and patch management

A strong choice for patch management, software deployment, asset management, and security management. There is a free version of the tool available to try get an understanding of the platform before purchasing a higher tier of the product.

ManageEngine Endpoint Central

Est. 1996 | India | Private

DOWNLOAD REPORT

Screenshot of ME Endpoint Central's dashboard. Source: ManageEngine

Get device management and security in a single platform with a combination of Microsoft Intune and Configuration Manager

A solution that combines Intune and ConfigMgr's capabilities into a single endpoint management suite for enrolling, managing, monitoring, and securing endpoints. It's a very cost-effective solution for enterprises in the Microsoft ecosystem, but it also supports other operating systems.

Microsoft Endpoint Manager

Est. 1975 | NM, USA | NASDAQ: MSFT

DOWNLOAD REPORT

Screenshot of MS Endpoint Manager's dashboard. Source: Microsoft

Simplify and consolidate endpoint management into a single solution and secure all devices with real-time, "over-the-air" modern management across all use cases

A strong tool for managing and controlling mobile devices. It can access all profiles through Google and Apple, and it integrates with various IT management solutions.

VMware Workspace ONE

Est. 1998 | CA, USA | NYSE: VMW

DOWNLOAD REPORT

Screenshot of Workspace ONE's dashboard. Source: VMware

Review your use cases to start your shortlist

Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

Next steps will include:

1. Reviewing your requirements
2. Checking out SoftwareReviews
3. Shortlisting your vendors
4. Conducting demos and detailed proposal reviews
5. Selecting and contracting with a finalist!

Activity: Define high-level features for meeting business and technical goals

Input

• List of endpoint management use cases
• List of prioritized features

Output

• Vendor evaluation
• Final list of candidate vendors

Materials

• Whiteboard/flip charts
• Laptop
• UEM Requirements Workbook

Participants

• CIO
• IT manager
• Infrastructure & Applications directors
• Project managers

Activity: Define top-level features for meeting business and technical goals

As there are many solutions in the market that share capabilities, it is imperative to closely evaluate how well they fulfill your endpoint management requirements.
Use the UEM Requirements Workbook to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

1. Refer to the output of the previous activity, the identified use cases in the spreadsheet.
2. List the features you want in an endpoint solution for your devices that will fulfill these use cases. Record those features in the second column ("Detailed Feature").
3. Prioritize each feature (must have, should have, nice to have, not required).
4. Send this list to candidate vendors.
5. When you finish your investigation, review the spreadsheet to compare the various offerings and pros and cons of each solution.

Info-Tech Insight

The output of this activity can be used for a detailed evaluation of UEM vendors. The next steps will be vendor briefing and having further discussion on technical capabilities and conducting demos of solutions. Info-Tech's blueprint, The Rapid Application Selection Framework, takes you to these next steps.

Download the UEM Requirements Workbook

Leverage Info-Tech's research to plan and execute your endpoint management selection and implementation

Use Info-Tech Research Group's blueprints for selection and implementation processes to guide your own planning.

• Assess
• Prepare
• Govern & Course Correct

Ensure your implementation team has a high degree of trust and communication

If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

Communication

Teams must have some type of communication strategy. This can be broken into:

• Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
• Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
• Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

Proximity

Distributed teams create complexity because communication can break down more easily. This can be mitigated by:

• Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
• Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
• Communication Tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

Trust

Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.

• Role Clarity: Having a clear definition of what everyone's role is.

Implementation with a partner typically results in higher satisfaction

Align your implementation plans with both the complexity of the solution and internal skill levels

Be clear and realistic in your requirements to the vendor about the level of involvement you need to be successful.

Primary reasons to use a vendor:

• Lack of skilled resources: For solutions with little configuration change happening after the initial installation, the ramp-up time for an individual to build skills for a single event is not practical.
• Complexity of solution: Multiple integrations, configurations, modules, and even acquisitions that haven't been fully integrated in the solution you choose can make it difficult to complete the installation and rollout on time and on budget. Troubleshooting becomes even more complex if multiple vendors are involved.
• Data migration: Decide what information will be valuable to transfer to the new solution and which will not benefit your organization. Data structure and residency can both be factors in the complexity of this exercise.

Source: SoftwareReviews, January 2020 to January 2023, N= 20,024 unique reviews

To ensure your SOW is mutually beneficial, download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable.

Consider running a proof of concept if concerns are expressed about the feasibility of the chosen solution

Proofs of concept (PoCs) can be time consuming, so make good choices on where to spend the effort

Create a PoC charter that will enable a quick evaluation of the defined use cases and functions. These key dimensions should form the PoC.

1. Objective – Giving an overview of the planned PoC will help to focus and clarify the rest of this section. What must the PoC achieve? Objectives should be specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
2. Key Success Factors – These are conditions that will positively impact the PoC's success.
3. Scope – High-level statement of scope. More specifically, state what is in scope and what is out of scope.
4. Project Team – Identify the team's structure, e.g. sponsors, subject matter experts.
5. Resource Estimation – Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

To create a full proof of concept plan, download the Proof of Concept Template and see the instructions in Phase 3 of the blueprint Exploit Disruptive Infrastructure Technology.

Selecting a right-sized endpoint management platform

This selection guide allows organizations to execute a structured methodology for picking a UEM platform that aligns with their needs. This includes:

• Identifying and prioritizing key business and technology drivers for an endpoint management selection business case.
• Defining key use cases and requirements for a right-sized UEM platform.
• Reviewing a comprehensive market scan of key players in the UEM marketspace.

This formal UEM selection initiative will map out requirements and identify technology capabilities to fill the gap for better endpoint management. It also allows a formal roll-out of a UEM platform that is highly likely to satisfy all stakeholder needs.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

Contact your account representative for more information

workshops@infotech.com
1-888-670-8889

Summary of Accomplishment

Knowledge Gained

• What endpoint management is
• Historical origins and evolution of endpoint management platforms
• Current trends and future state of endpoint management platforms

Processes Optimized

• Identifying use cases
• Gathering requirements
• Reviewing market key players and their capabilities
• Selecting a UEM tool that fulfills your requirements

UEM Solutions Analyzed

• CISCO Meraki
• Citrix Endpoint Management
• IBM MaaS360
• Ivanti Neurons UEM
• Jamf Pro
• ManageEngine Endpoint Central
• Microsoft Endpoint Manager
• VMware Workspace ONE

Related Info-Tech Research

Modernize and Transform Your End-User Computing Strategy

This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

Best Unified Endpoint Management (UEM) Software | SoftwareReviews

Compare and evaluate Unified Endpoint Management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best Unified Endpoint Management software for your organization.

The Rapid Application Selection Framework

This blueprint walks you through a process for a fast and efficient selection of your prospective application. You will be enabled to use a data-driven approach to select the right application vendor for your needs, shatter stakeholder expectations with truly rapid application selections, boost collaboration and crush the broken telephone with concise and effective stakeholder meetings, and lock in hard savings.

Bibliography

"BYOD Security Report." Cybersecurity Insiders, 2021. Accessed January 2023.
"Cloud Infrastructure Services Market." MarketsAnd Markets, 2019. Accessed December 2022.
Evans, Alma. "Mastering Mobility Management: MDM Vs. EMM Vs. UEM." Hexnode, 2019. Accessed November 2022.
"Evercore-ISI Quarterly Enterprise Technology Spending Survey." Evercore-ISI, 2022. Accessed January 2023.
"5G Service Revenue to Reach $315 Billion Globally in 2023." Jupiter Research, 2022. Accessed January 2023.
Hein, Daniel. "5 Common Unified Endpoint Management Use Cases You Need to Know." Solutions Review, 2020. Accessed January 2023.
"Mobile Device Management Market Size, Share & COVID-19 Impact Analysis." Fortune Business Insights, 2021. Accessed December 2022.
Ot, Anina. "The Unified Endpoint Management (UEM) Market." Datamation, 14 Apr. 2022. Accessed Jan. 2023.
Poje, Phil. "CEO Corner: 4 Trends in Unified Endpoint Management for 2023." Tech Orchard, 2022. Accessed January 2023.
"The Future of UEM November 2021 Webinar." Ivanti, 2021. Accessed January 2023.
"The Third Annual Study on the State of Endpoint Security Risk." Ponemon Institute, 2020. Accessed December 2022.
"The Ultimate Guide to Unified Endpoint Management (UEM)." MobileIron. Accessed January 2023.
"Trends in Unified Endpoint Management." It Pro Today, 2018. Accessed January 2023.
Turek, Melanie. "Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research." Samsung Insights, 3 Aug. 2016.
"2023 State of Security Report." Cybersecurity Insiders, 2022. Accessed January 2023.
Violino, Bob. "Enterprise Mobility 2022: UEM Adds User Experience, AI, Automation." Computerworld, 2022. Accessed January 2023.
Violino, Bob. "How to Choose the Right UEM Platform." Computerworld, 2021. Accessed January 2023.
Violino, Bob. "UEM Vendor Comparison Chart 2022." Computerworld, 2022. Accessed January 2023.
Wallent, Michael. "5 Endpoint Management Predictions for 2023." Microsoft, 2022. Accessed January 2023.
"What Is the Difference Between MDM, EMM, and UEM?" 42Gears, 2017. Accessed November 2022.

Get the Most Out of Your SAP

In today’s connected world, the continuous optimization of enterprise applications to realize your digital strategy is key.

EXECUTIVE BRIEF

Analyst Perspective

Focus optimization on organizational value delivery.

	Chad Shortridge Senior Research Director, Enterprise Applications Info-Tech Research Group
	Lisa Highfield Research Director, Enterprise Applications Info-Tech Research Group

Enterprise resource planning (ERP) is a core tool that the business leverages to accomplish its goals. An ERP that is doing its job well is invisible to the business. The challenges come when the tool is no longer invisible. It has become a source of friction in the functioning of the business.

SAP systems are expensive, benefits can be difficult to quantify, and issues with the products can be difficult to understand. Over time, technology evolves, organizational goals change, and the health of these systems is often not monitored. This is complicated in today’s digital landscape with multiple integrations points, siloed data, and competing priorities.

Too often organizations jump into selecting replacement systems without understanding the health of their systems. We can do better than this.

IT leaders need to take a proactive approach to continually monitor and optimize their enterprise applications. Strategically re-align business goals, identify business application capabilities, complete a process assessment, evaluate user adoption, and create an optimization plan that will drive a cohesive technology strategy that delivers results.

Executive Summary

Info-Tech Insight

SAP ERP environments are changing, but we cannot stand still on our optimization efforts. Understand your product(s), processes, user satisfaction, integration points, and the availability of data to business decision makers. Examine these areas to develop a personalized SAP optimization roadmap that fits the needs of your organization. Incorporate these methodologies into an ongoing optimization strategy aimed at enabling the business, increasing productivity, and reducing costs.

Insight summary

Continuous assessment and optimization of your SAP ERP systems is critical to the success of your organization.

• Applications and the environments in which they live are constantly evolving.
• This blueprint provides business and application managers with a method to complete a health assessment of their ERP systems to identify areas for improvement and optimization.
• Put optimization practices into effect by:
  • Aligning and prioritizing key business and technology drivers.
  • Identifying ERP process classification and performing a gap analysis.
  • Measuring user satisfaction across key departments.
  • Evaluating vendor relations.
  • Understanding how data plays into the mix.
  • Pulling it all together into an optimization roadmap.

SAP enterprise resource planning (ERP) systems facilitate the flow of information across business units. It allows for the seamless integration of systems and creates a holistic view of the enterprise to support decision making. In many organizations, the SAP system is considered the lifeblood of the enterprise. Problems with this key operational system will have a dramatic impact on the ability of the enterprise to survive and grow. ERP implementation should not be a one-and-done exercise. There needs to be ongoing optimization to enable business processes and optimal organizational results.

SAP enterprise resource planning (ERP)

What is SAP?

SAP ERP systems facilitate the flow of information across business units. They allow for the seamless integration of systems and create a holistic view of the enterprise to support decision making.

In many organizations, the ERP system is considered the lifeblood of the enterprise. Problems with this key operational system will have a dramatic impact on the ability of the enterprise to survive and grow.

An ERP system:

• Automates processes, reducing the amount of manual, routine work.
• Integrates with core modules, eliminating the fragmentation of systems.
• Centralizes information for reporting from multiple parts of the value chain to a single point.

SAP use cases:

Product-Centric

Suitable for organizations that manufacture, assemble, distribute, or manage material goods.

Service-Centric

Suitable for organizations that provide and manage field services and/or professional services.

SAP Fast Facts

Product Description

• SAP has numerous ERP products. Products can be found under ERP, Finance, Customer Relations and Experience, Supply Chain Management, Human Resources, and Technology Platforms.
• SAP offers on-premises and cloud solutions for its ERP. In 2011, SAP released the HANA in-memory database. SAP ECC 6.0 reaches the end of life in 2027 (2030 extended support).
• Many organizations are facing mandatory transformation. This is an excellent opportunity to examine ERP portfolios for optimization opportunities.
• Now is the time to optimize to ensure you are prepared for the journey ahead.

Vendor Description

• SAP SE was founded in 1972 by five former IBM employees.
• The organization is focused on enterprise software that integrates all business processes and enables data processing in real-time.
• SAP stands for Systems, Applications, and Products in Data Processing.
• SAP offers more than 100 solutions covering all business functions.
• SAP operates 65 data centers at 35 locations in 16 countries.

SAP by the numbers

Only 72% of SAP S/4HANA clients were satisfied with the product’s business value in 2022. This was 9th out of 10 in the enterprise resource planning category.

Source: SoftwareReviews

As of 2022, 65% of SAP customers have not made the move to S/4HANA. These customers will continue to need to optimize the current ERP to meet the demanding needs of the business.

Source: Statista

Organizations will need to continue to support and optimize their SAP ERP portfolios. As of 2022, 42% of ASUG members were planning a move to S/4HANA but had not yet started to move.

Source: ASUG

Your challenge

This research is designed to help organizations who need to:

• Understand the multiple deployment models and the roadmap to successfully navigate a move to S/4HANA.
• Build a business case to understand the value behind a move.
• Map functionality to ensure future compatibility.
• Understand the process required to commercially navigate a move to S/4HANA.
• Avoid a costly audit due to missed requirements or SAP whiteboarding sessions.

HANA used to be primarily viewed as a commercial vehicle to realize legacy license model discounts. Now, however, SAP has built a roadmap to migrate all customers over to S/4HANA. While timelines may be delayed, the inevitable move is coming.

30-35% of SAP customers likely have underutilized assets. This can add up to millions in unused software and maintenance.

– Upperedge

SAP challenges and dissatisfaction

Finance, IT, Sales, and other users of the ERP system can only optimize ERP with the full support of each other. The cooperation of the departments is crucial when trying to improve ERP technology capabilities and customer interaction.

Info-Tech Insight

While technology is the key enabler of building strong customer experiences, there are many other drivers of dissatisfaction. IT must stand shoulder-to-shoulder with the business to develop a technology framework for ERP.

Where are applications leaders focusing?

Big growth numbers Year-over-year call topic requests	Other changes Year-over-year call topic requests
We are seeing applications leaders’ priorities change year over year, driven by a shift in their approach to problem solving. Leaders are moving from a process-centric approach to a collaborative approach that breaks down boundaries and brings teams together.	Software development lifecycle topics are tactical point solutions. Organizations have been “shifting left” to tackle the strategic issues such as product vision and Agile mindset to optimize the whole organization.

The S/4HANA journey

Optimization can play a role in your transition to S/4HANA.

• The business does not stop. Satisfy ongoing needs for business enablement.
• Build out a collaborative SAP optimization team across the business and IT.
• Engage the business to understand requirements.
• Discover applications and processes.
• Explore current-state capabilities and future-state needs.
• Evaluate optimization opportunities. Are there short-term wins? What are the long-term goals?
• Navigate the path to S/4HANA and develop some timelines and stage gates.
• Set your course and optimization roadmap.
• Capitalize on the methodologies for an ongoing optimization effort that can be continued after the S/4HANA go-live date.

Many organizations may be coming up against changes to their SAP ERP application portfolio.

Some challenges organizations may be dealing with include:

• Heavily customized instances
• Large volumes of data
• Lack of documentation
• Outdated business processes
• Looming end of life

Application optimization is risky without a plan

Avoid these common pitfalls:

• Not pursuing optimization because you are migrating to S/4HANA.
• Not considering how this plays into the short-, medium-, and long-term ERP strategy.
• Not considering application optimization as a business and IT partnership, which requires the continuous formal engagement of all participants.
• Not having a good understanding of your current state, including integration points and data.
• Not adequately accommodating feedback and changes after digital applications are deployed and employed.
• Not treating digital applications as a motivator for potential future IT optimization efforts and incorporating digital assets in strategic business planning.
• Not involving department leads, management, and other subject-matter experts to facilitate the organizational change digital applications bring.

“[A] successful application [optimization] strategy starts with the business need in mind and not from a technological point of view. No matter from which angle you look at it, modernizing a legacy application is a considerable undertaking that can’t be taken lightly. Your best approach is to begin the journey with baby steps.”

– Medium

Info-Tech’s methodology for getting the most out of your ERP

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Get the Most Out of Your SAP Workbook

Identify and prioritize your SAP optimization goals.

Application Portfolio Assessment

Assess IT-enabled user satisfaction across your SAP portfolio.

Key deliverable:

SAP Optimization Roadmap

Complete an assessment of processes, user satisfaction, data quality, and vendor management.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

Guided Implementation

Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

Workshop

We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

Consulting

Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Phase 1

Map Current-State Capabilities

This phase will guide you through the following activities:

• Align your organizational goals
• Gain a firm understanding of your current state
• Inventory ERP and related applications
• Confirm the organization’s capabilities

This phase involves the following participants:

• CFO
• Department Leads – Finance, Procurement, Asset Management
• Applications Director
• Senior Business Analyst
• Senior Developer
• Procurement Analysts

Step 1.1

Identify Stakeholders and Build Your Optimization Team

Activities

1.1.1 Identify stakeholders critical to success

1.1.2 Map your SAP optimization stakeholders

1.1.3 Determine your SAP optimization team

This step will guide you through the following activities:

• Identify ERP drivers and objectives
• Explore ERP challenges and pain points
• Discover ERP benefits and opportunities
• Align the ERP foundation with the corporate strategy

This step involves the following participants:

• Stakeholders
• Project sponsors and leaders

Outcomes of this step

• Stakeholder map
• SAP Optimization Team

ERP optimization stakeholders

• Understand the roles necessary to get the most out of your SAP.
• Understand the role of each player within your project structure. Look for listed participants on the activities slides to determine when each player should be involved.

Info-Tech Insight

Do not limit project input or participation. Include subject-matter experts and internal stakeholders at stages within the project. Such inputs can be solicited on a one-off basis as needed. This ensures you take a holistic approach to create your ERP optimization strategy.

1.1.1 Identify SAP optimization stakeholders

1 hour

1. Hold a meeting to identify the SAP optimization stakeholders.
2. Use next slide as a guide.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Understand how to navigate the complex web of stakeholders in ERP

Identify which stakeholders to include and what their level of involvement should be during requirements elicitation based on relevant topic expertise.

Large-scale ERP projects require the involvement of many stakeholders from all corners and levels of the organization, including project sponsors, IT, end users, and business stakeholders. Consider the influence and interest of stakeholders in contributing to the requirements elicitation process and involve them accordingly.

EXAMPLE: Stakeholder involvement during selection

Activity 1.1.2 Map your SAP optimization stakeholders

1 hour

1. Use the list of SAP optimization stakeholders.
2. Map each stakeholder on the quadrant based on their expected influence and involvement in the project.
3. [Optional] Color code the users using the scale below to quickly identify the group that the stakeholder belongs to.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Map the organization’s stakeholders

The SAP optimization team

Consider the core team functions when putting together the project team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned ERP optimization strategy. Don’t let your project team become too large when trying to include all relevant stakeholders. Carefully limiting the size of the project team will enable effective decision making while still including functional business units such as Marketing, Sales, Service, and Finance as well as IT.

1.1.3 Determine your SAP optimization team

1 hour

1. Have the project manager and other key stakeholders discuss and determine who will be involved in the SAP optimization project.

• The size of the team will depend on the initiative and size of your organization.
• Key business leaders in key areas and IT representatives should be involved.

Note: Depending on your initiative and the size of your organization, the size of this team will vary.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Step 1.2

Build an SAP Strategy Model

Activities

1.2.1 Explore environmental factors and technology drivers

1.2.2 Consider potential barriers and challenges

1.2.3 Discuss enablers of success

1.2.4 Develop your SAP optimization goals

This step will guide you through the following activities:

• Identify ERP drivers and objectives
• Explore ERP challenges and pain points
• Discover ERP benefits and opportunities
• Align the ERP foundation with the corporate strategy

This step involves the following participants:

• SAP Optimization Team

Outcomes of this step

• ERP business model
• Strategy alignment

Align your SAP strategy with the corporate strategy

ERP projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with ERP capabilities. Effective alignment between IT and the business should happen daily. Alignment doesn’t just need to occur just at the executive level but at each level of the organization.

ERP Business Model Template

Conduct interviews to elicit the business context

Stakeholder Interviews

Begin by conducting interviews of your executive team. Interview the following leaders:

1. Chief Information Officer
2. Chief Executive Officer
3. Chief Financial Officer
4. Chief Revenue Officer/Sales Leader
5. Chief Operating Officer/Supply Chain & Logistics Leader
6. Chief Technology Officer/Chief Product Officer

INTERVIEWS MUST UNCOVER

1. Your organization’s top three business goals
2. Your organization’s top ten business initiatives
3. Your organization’s mission and vision

Understand the ERP drivers and organizational objectives

Info-Tech Insight

One of the biggest drivers for ERP adoption is the ability to make quicker decisions from timely information. This driver is a result of external considerations. Many industries today are highly competitive, uncertain, and rapidly changing. To succeed under these pressures, there needs to be timely information and visibility into all components of the organization.

1.2.1 Explore environmental factors and technology drivers

30 minutes

1. Identify business drivers that are contributing to the organization’s need for ERP.
2. Understand how the company is running today and what the organization’s future will look like. Try to identify the purpose for becoming an integrated organization. Use a whiteboard or flip charts and markers to capture key findings.
3. Consider external considerations, organizational drivers, technology drivers, and key functional requirements.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Create a realistic ERP foundation by identifying the challenges and barriers the project will bestow

There are several different factors that may stifle the success of an ERP implementation. Organizations that are creating an ERP foundation must scan their current environment to identify internal barriers and challenges.

Common Internal Barriers

ERP Business Model

What does success look like?

Top 15 critical success factors for ERP system implementation

Source: Epizitone and Olugbara, 2020; CC BY 4.0

Info-Tech Insight

Complement your ability to deliver on your critical success factors with the capabilities of your implementation partner to drive a successful ERP implementation.

“Implementation partners can play an important role in successful ERP implementations. They can work across the organizational departments and layers creating a synergy and a communications mechanism.” – Ayogeboh Epizitone, Durban University of Technology

1.2.2 Consider potential barriers and challenges

1-3 hours

• Open tab “1.2 Strategy & Goals,” in the Get the Most Out of Your SAP Workbook.
• Identify barriers to ERP optimization success.
• Review the ERP critical success factors and how they relate to your optimization efforts.
• Discuss potential barriers to successful ERP optimization.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

1.2.3 Discuss enablers of success

1-3 hours

1. Open tab “1.2 Strategy & Goals,” in the Get the Most Out of Your SAP Workbook.
2. Identify barriers to ERP optimization success.
3. Review the ERP critical success factors and how they relate to your optimization efforts.
4. Discuss potential barriers to successful ERP optimization.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

The Business Value Matrix

Rationalizing and quantifying the value of SAP

Benefits can be realized internally and externally to the organization or department and have different drivers of value.

• Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.
• Human benefits refer to how an application can deliver value through a user’s experience.
• Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
• Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

Organizational Goals

• Increased Revenue

Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

• Reduced Costs

Reduction of overhead. The ways in which an application limits the operational costs of business functions.

• Enhanced Services

Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

• Reach Customers

Application functions that enable and improve the interaction with customers or produce market information and insights.

Business Value Matrix

Link SAP capabilities to organizational value

1.2.4 Define your SAP optimization goals

30 minutes

1. Discuss the ERP business model and ERP critical success factors.
2. Through the lens of corporate goals and objectives think about supporting ERP technology. How can the ERP system bring value to the organization? What are the top things that will make this initiative a success?
3. Develop five to ten optimization goals that will form the basis for the success of this initiative.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Step 1.3

Inventory Current System State

Activities

1.3.1 Inventory SAP applications and interactions

1.3.2 Draw your SAP system diagram

1.3.3 Inventory your SAP modules and business capabilities (or business processes)

1.3.4 Define your key SAP optimization modules and business capabilities

This step will guide you through the following activities:

• Inventory of applications
• Mapping interactions between systems

This step involves the following participants:

• SAP Optimization Team
• Enterprise Architect
• Data Architect

Outcomes of this step

• Systems inventory
• Systems diagram

1.3.1 Inventory SAP applications and interfaces

1-3+ hours

1. Enter your SAP systems, SAP extended applications, and integrated applications within scope.
2. Include any abbreviated names or nicknames.
3. List the application type or main function.
4. List the modules the organization has licensed.
5. List any integrations.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

ERP Data Flow

Be sure to include enterprise applications that are not included in the ERP application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

ERP – enterprise resource planning

Email – email system such as Microsoft Exchange

Calendar – calendar system such as Microsoft Outlook

WEM – web experience management

ECM – enterprise content management

When assessing the current application portfolio that supports your ERP, the tendency will be to focus on the applications under the ERP umbrella. These relate mostly to marketing, sales, and customer service. Be sure to include systems that act as input to, or benefit due to outputs from, ERP or similar applications.

1.3.2 Draw your SAP system diagram

1-3+ hours

1. From the SAP application inventory, diagram your network.

Include:

• Any internal or external systems
• Integration points
• Data flow

Download the Get the Most Out of Your SAP Workbook

Sample SAP and integrations map

Business capability map (Level 0)

In business architecture, the primary view of an organization is known as a business capability map. A business capability defines what a business does to enable value creation, rather than how.

Business capabilities:

• Represent stable business functions.
• Are unique and independent of each other.
• Will typically have a defined business outcome.

A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

ERP process mapping

The operating model

An operating model is a framework that drives operating decisions. It helps to set the parameters for the scope of ERP and the processes that will be supported. The operating model will serve to group core operational processes. These groupings represent a set of interrelated, consecutive processes aimed at generating a common output. From your developed processes and your SAP license agreements you will be able to pinpoint the scope for investigation including the processes and modules.

APQC Framework

Help define your inventory of sales, marketing, and customer services processes.

Source: APQC

If you do not have a documented process model, you can use the APQC Framework to help define your inventory of sales business processes. APQC’s Process Classification Framework is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.

APQC’s Process Classification Framework

The value stream

Value stream defined:

Value streams connect business goals to the organization’s value realization activities in the marketplace. Those activities are dependent on the specific industry segment in which an organization operates.

There are two types of value streams: core value streams and support value streams.

• Core value streams are mostly externally facing. They deliver value to either an external or internal customer and they tie to the customer perspective of the strategy map.
• Support value streams are internally facing and provide the foundational support for an organization to operate.

An effective method for ensuring all value streams have been considered is to understand that there can be different end-value receivers.

Process mapping hierarchy

Source: APQC

APQC provides a process classification framework. It allows organizations to effectively define their processes and manage them appropriately.

APQC’s Process Classification Framework

Cross-industry classification framework

Info-Tech Insight

Focus your initial assessment on the level 1 processes that matter to your organization. This allows you to target your scant resources on the areas of optimization that matter most to the organization and minimize the effort required from your business partners. You may need to iterate the assessment as challenges are identified. This allows you to be adaptive and deal with emerging issues more readily and become a more responsive partner to the business.

SAP modules and process enablement

Cloud/Hardware Fiori Analytics Integrations Extended Solutions

R&D Engineering Enterprise Portfolio and Project Management Product Development Foundation Enterprise Portfolio and Project Management Product Lifecycle Management Product Compliance Enterprise Portfolio and Project Management Product Safety and Stewardship Engineering Record Sourcing and Procurement Procurement Analytics Sourcing & Contract Management Operational Procurement Invoice Management Supplier Management Supply Chain Inventory Delivery & Transportation Warehousing Order Promising Asset Management Maintenance Operations Resource Scheduling Env, Health and Safety Maintenance Management

Finance Financial Planning and Analysis Accounting and Financial Close Treasury Management Financial Operations Governance, Risk & Compliance Commodity Management Human Resources Core HR Payroll Timesheets Organization Management Talent Management Sales Sales Support Order and Contract Management Agreement Management Performance Management Service Service Operations and Processes Basic Functions Workforce Management Case Management Professional Services Service Master Data Management Service Management

Beyond the core

1.3.3 Inventory your SAP modules and business capabilities

1-3+ hours

1. Look at the major functions or processes within the scope of ERP.
2. From the inventory of current systems, choose the submodules or processes that you want to investigate and are within scope for this optimization initiative.
3. Use tab 1.3 “SAP Capabilities” in Get the Most Out of Your SAP Workbook for a list of common SAP Level 1 and Level 2 modules/business capabilities.
4. List the top modules, capabilities, or processes that will be within the scope of this optimization initiative.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

1.3.4 Define your key SAP optimization modules and business capabilities

1-3+ hours

1. Look at the major functions or processes within the scope of ERP.
2. From the inventory of current systems, choose the submodules or processes for this optimization initiative. Base this on those that are most critical to the business, those with the lowest levels of satisfaction, or those that perhaps need more knowledge around them.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Step 1.4

Define Optimization Timeframe

Activities

1.4.1 Define SAP key dates and SAP optimization roadmap timeframe and structure

This step will guide you through the following activities:

• Defining key dates related to your optimization initiative
• Identifying key building blocks for your optimization roadmap

This step involves the following participants:

• SAP Optimization Team
• Vendor Management

Outcomes of this step

• Optimization Key Dates
• Optimization Roadmap Timeframe and Structure

1.4.1 Optimization roadmap timeframe and structure

1-3+ hours

1. Record key items and dates relevant to your optimization initiatives, such as any products reaching end of life or end of contract or budget proposal submission deadlines.
2. Enter the expected Optimization Initiative Start Date.
3. Enter the Roadmap Length. This is the total amount of time you expect to participate in the SAP optimization initiative.
4. This includes short-, medium- and long-term initiatives.
5. Enter your Roadmap Date markers: how you want dates displayed on the roadmap.
6. Enter Column time values: what level of granularity will be helpful for this initiative?
7. Enter the sprint or cycle timeframe; use this if following Agile.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Step 1.5

Understand SAP Costs

Activities

1.5.1 Document costs associated with SAP

This step will walk you through the following activities:

• Define your SAP direct and indirect costs
• List your SAP expense line items

This step involves the following participants:

• Finance Representatives
• SAP Optimization Team

Outcomes of this step

• Current SAP and related costs

1.5.1 Document costs associated with SAP

1-3 hours

Before you can make changes and optimization decisions, you need to understand the high-level costs associated with your current application architecture. This activity will help you identify the types of technology and people costs associated with your current systems.

1. Identify the types of technology costs associated with each current system:
1. System Maintenance
2. Annual Renewal
3. Licensing
2. Identify the cost of people associated with each current system:
1. Full-Time Employees
2. Application Support Staff
3. Help Desk Tickets

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Phase 2

Assess Your Current State

This phase will walk you through the following activities:

• Determine process relevance
• Perform a gap analysis
• Perform a user satisfaction survey
• Assess software and vendor satisfaction

This phase involves the following participants:

• SAP Optimization Team
• Users across functional areas of your ERP and related technologies

Step 2.1

Assess SAP Capabilities

Activities

2.1.1 Rate capability relevance to organizational goals

2.1.2 Complete an SAP application portfolio assessment

2.1.3 (Optional) Assess SAP process maturity

This step will guide you through the following activities:

• Capability relevance
• Process gap analysis
• Application Portfolio Assessment

This step involves the following participants:

• SAP Users

Outcomes of this step

• SAP Capability Assessment

Benefits of the Application Portfolio Assessment

	Assess the health of the application portfolio Get a full 360-degree view of the effectiveness, criticality, and prevalence of all relevant applications to get a comprehensive view of the health of the applications portfolio. Identify opportunities to drive more value from effective applications, retire nonessential applications, and immediately address at-risk applications that are not meeting expectations.
	Provide targeted department feedback Share end-user satisfaction and importance ratings for core IT services, IT communications, and business enablement to focus on the right end-user groups or lines of business, and ramp up satisfaction and productivity.
	Gain insight into the state of data quality Data quality is one of the key issues causing poor CRM user satisfaction and business results. This can include the relevance, accuracy, timeliness, or usability of the organization’s data. Targeted, open-ended feedback around data quality will provide insight into where optimization efforts should be focused.

2.1.1 Complete a current-state assessment (via the Application Portfolio Assessment)

3 hours

Option 1: Use Info-Tech’s Application Portfolio Assessment to generate your user satisfaction score. This tool not only measures application satisfaction but also elicits great feedback from users regarding the support they receive from the IT team around SAP.

1. Download the ERP Application Inventory Tool.
2. Complete the “Demographics” tab (tab 2).
3. Complete the “Inventory” tab (tab 3).
1. Complete the inventory by treating each module within your SAP system as an application.
2. Treat every department as a separate column in the department section. Feel free to add, remove, or modify department names to match your organization.
3. Include data quality for all applications applicable.

Option 2: Create a survey manually.

1. Use tab (Reference) 2.1 “APA Questions” as a guide for creating your survey.
2. Send out surveys to end users.
3. Modify tab 2.1, “SAP Assessment,” if required.

Record Results

Record this information in the Get the Most Out of Your SAP Workbook.

Download the ERP Application Inventory Tool

Download the Get the Most Out of Your SAP Workbook

Sample Report from Application Portfolio Assessment.

2.1.2 (Optional) Assess SAP process and technical maturity

1-3 hours

1. As with any ERP system, the issues encountered may not be related to the system itself but processes that have developed over time.
2. Use this opportunity to interview key stakeholders to learn about deeper capability processes.

• Identify key stakeholders.
• Hold sessions to document deeper processes.
• Discuss processes and technical enablement in each area.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Process Maturity Assessment

Step 2.2

Review Your Satisfaction With the Vendor/Product and Willingness for Change

Activities

2.2.1 Rate your vendor and product satisfaction

2.2.2 Review SAP product scores (if applicable)

2.2.3 Evaluate your product satisfaction

2.2.4 Check your business process change tolerance

This step will guide you through the following activities:

• Rate your vendor and product satisfaction
• Compare with survey data from SoftwareReviews

This step involves the following participants:

• SAP Product Owner(s)
• Procurement Representative
• Vendor Contracts Manager

Outcomes of this step

• Quantified satisfaction with vendor and product

2.2.1 Rate your vendor and product satisfaction

30 minutes

Use Info-Tech’s vendor satisfaction survey to identify optimization areas with your ERP product(s) and vendor(s).

1. Option 1 (recommended): Conduct a satisfaction survey using SoftwareReviews. This option allows you to see your results in the context of the vendor landscape.
2. Option 2: Use the Get the Most Out of Your SAP Workbook to review your satisfaction with your SAP software.

Record this information in the Get the Most Out of Your SAP Workbook.

SoftwareReviews’ Enterprise Resource Planning Category

Download the Get the Most Out of Your SAP Workbook

2.2.2 Review SAP product scores (if applicable)

30 minutes

1. Download the scorecard for your SAP product from the SoftwareReviews website. (Note: Not all products are represented or have sufficient data, so a scorecard may not be available.)
2. Use the Get the Most Out of Your SAP Workbook tab 2.2 “Vend. & Prod. Sat” to record the scorecard results.
3. Use your Get the Most Out of Your SAP Workbook to flag areas where your score may be lower than the product scorecard. Brainstorm ideas for optimization.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

SoftwareReviews’ Enterprise Resource Planning Category

2.2.3 How does your satisfaction compare with your peers?

Use SoftwareReviews to explore product features, vendor experience, and capability satisfaction.

Source: SoftwareReviews ERP Mid-Market, April 2022	Source: SoftwareReviews ERP Enterprise, April 2022

2.2.4 Check your business process change tolerance

1 hours

1. As a group, review the level 0 business capabilities on the previous slide.
2. Assess the department’s willingness for change and the risk of maintaining the status quo.
3. Color-code the level 0 business capabilities based on:

• Green – Willing to follow best practices
• Yellow – May be challenging or unique business model
• Red – Low tolerance for change

Download Get the Most Out of Your SAP Workbook for additional process levels

Heat map representing desire for best practice or those having the least tolerance for change

Determine the areas of risk to conform to best practice and minimize customization. These will be areas needing focus from the vendor supporting change and guiding best practice. For example: Must be able to support our unique process manufacturing capabilities and enhance planning and visibility to detailed costing.

Phase 3

Identify Key Optimization Opportunities

This phase will walk you through the following activities:

• Identify key optimization areas
• Create an optimization roadmap

This phase involves the following participants:

• SAP Optimization Team

Assessing application business value

In this context…business value is

the value of the business outcome that the application produces. Additionally, it is how effective the application is at producing that outcome.

Business value is not

the user’s experience or satisfaction with the application.

First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization. This will allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.

Brainstorm IT initiatives to enable high areas of opportunity to support the business

Brainstorm ERP optimization initiatives in each area. Ensure you are looking for all-encompassing opportunities within the context of IT, the business, and SAP systems.

Capabilities are what the system and business does that creates value for the organization. Optimization initiatives are projects with a definitive start and end date, and they enhance, create, maintain, or remove capabilities with the goal of increasing value.

Info-Tech Insight

Enabling a high-performing organization requires excellent management practices and continuous optimization efforts. Your technology portfolio and architecture are important, but we must go deeper. Taking a holistic view of ERP technologies in the environments in which they operate allows for the inclusion of people and process improvements – this is key to maximizing business results. Using a formal ERP optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

Address process gaps:

• ERP and related technologies are invaluable to the goal of organizational enablement, but they must have supported processes driven by business goals.
• Identify areas where capabilities need to be improved and work toward optimization.

Support user satisfaction:

• The best technology in the world won’t deliver business results if it’s not working for the users who need it.
• Understand concerns, communicate improvements, and support users in all roles.

Improve data quality:

• Data quality is unique to each business unit and requires tolerance, not perfection.
• Implement data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself.

Proactively manage vendors:

• Vendor management is a critical component of technology enablement and IT satisfaction.
• Assess your current satisfaction against that of your peers and work toward building a process that is best fit for your organization.

Step 3.1

Prioritize Optimization Opportunities

Activities

3.1.1 Prioritize optimization capability areas

This step will guide you through the following activities:

• Explore existing process gaps
• Identify the impact of processes on user satisfaction
• Identify the impact of data quality on user satisfaction
• Review your overall product satisfaction and vendor management

This step involves the following participants:

• SAP Optimization Team

Outcomes of this step

• Application optimization plan

The Business Value Matrix

Rationalizing and quantifying the value of SAP

Benefits can be realized internally and externally to the organization or department and have different drivers of value.

• Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.
• Human benefits refer to how an application can deliver value through a user’s experience.
• Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
• Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

Organizational Goals

• Increased Revenue

Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

• Reduced Costs

Reduction of overhead. The ways in which an application limits the operational costs of business functions.

• Enhanced Services

Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

• Reach Customers

Application functions that enable and improve the interaction with customers or produce market information and insights.

Business Value Matrix

Prioritize SAP optimization areas that will bring the most value to the organization

Review your ERP capability areas and rate them according to relevance to organizational goals. This will allow you to eliminate optimization ideas that may not bring value to the organization.

3.1.1 Prioritize and rate optimization capability areas

1-3 hours

1. From the SAP capabilities, discuss areas of scope for the SAP optimization initiative.
2. Discuss the four areas of the business value matrix and identify how each module, along with organizational goals, can bring value to the organization.
3. Rate each of your SAP capabilities for the level of importance to your organization. The levels of importance are:

• Crucial
• Important
• Secondary
• Unimportant
• Not applicable

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Step 3.2

Discover Optimization Initiatives

Activities

3.2.1 Discover product and vendor satisfaction opportunities

3.2.2 Discover capability and feature optimization opportunities

3.2.3 Discover process optimization opportunities

3.2.4 Discover integration optimization opportunities

3.2.5 Discover data optimization opportunities

3.2.6 Discover SAP cost-saving opportunities

This step will guide you through the following activities:

• Explore existing process gaps
• Identify the impact of processes on user satisfaction
• Identify the impact of data quality on user satisfaction
• Review your overall product satisfaction and vendor management

This step involves the following participants:

• SAP Optimization Team

Outcomes of this step

• Application optimization plan

Satisfaction with SAP product

Improving vendor management

Create a right-size, right-fit strategy for managing the vendors relevant to your organization.

Info-Tech Insight

A vendor management initiative (VMI) is an organization’s formalized process for evaluating, selecting, managing, and optimizing third-party providers of goods and services.

The amount of resources you assign to managing vendors depends on the number and value of your organization’s relationships. Before optimizing your vendor management program around the best practices presented in Info-Tech’s Jump Start Your Vendor Management Initiative blueprint, assess your current maturity and build the process around a model that reflects the needs of your organization.

Note: Info-Tech uses VMI interchangeably with the terms “vendor management office (VMO),” “vendor management function,” “vendor management process,” and “vendor management program.”

Jump Start Your Vendor Management Initiative

3.2.1 Discover product and vendor satisfaction

1-2 hours

1. Use tab 3.1 “Optimization Priorities” and tab 2.2 “Vend. & Prod. Sat” to review the capabilities and features of your SAP system.
2. Answer the following questions:
1. Document overall product satisfaction.
2. How does your satisfaction compare with your peers?
3. Is the overall system fit for use?
4. Do you have a proactive vendor management strategy in place?
5. Is the product dissatisfaction at the point that you need to evaluate if it is time to replace the product?
6. Could your vendor or Systems Integrator help you achieve better results?
3. Review the Value Effort Matrix for each initiative.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Examples from Application Portfolio Assessment

3.2.2 Discover capability and feature optimization opportunities

1-2 hours

1. Use tab 3.1 “Optimization Priorities” and tab 2.2 “Vend. & Prod. Sat” to review the capabilities and features of your SAP system.
2. Answer the following questions:
1. What capabilities and features are performing the worst?
2. Do other organizations and users struggle with these areas?
3. Why is it not performing well?
4. Is there an opportunity for improvement?
5. What are some optimization initiatives that could be undertaken?
3. Review the Value Effort Matrix for each initiative.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Process optimization: the hidden goldmine

In ~90% of SAP business process analysis reports, SAP identified significant potential for improving the existing SAP implementation, i.e. the large majority of customers are not yet using their SAP Business Suite to the full extent.

3.2.3 Discover process optimization opportunities

1-2 hours

1. Use exercise 2.13 and tab 2.1 “SAP Current State Assessment” to assess process optimization opportunities.
2. List underperforming capabilities around process.
3. Answer the following:
1. What is the state of the current processes?
2. Is there an opportunity for process improvement?
3. What are some optimization initiatives that could be undertaken in this area?

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Integration provides long-term usability

Balance the need for secure, compliant data availability with organizational agility.

Common integration and consolidation scenarios

For more information: Implement a Multi-site ERP

3.2.4 Discover integration optimization opportunities

1-2 hours

1. Use tab 1.3.1 “SAP Application Inventory” to discuss integrations and how they are related to capability areas that are not performing well.
2. List capabilities that might be affected by integration issues. Think about exercise 3.2.1 and discuss how integrations could be affecting overall product satisfaction.
3. Answer the following:
1. Are there some areas where integration could be improved?
2. Is there an opportunity for process improvement?
3. What are some optimization initiatives that could be undertaken in this area?

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

System and data optimization

Consolidating your business and technology requires an overall system and data migration plan.

Info-Tech Insight

Have an overall data migration plan before beginning your systems consolidation journey to S/4HANA.

Use a data strategy that fixes the enterprise-wide data management issues

Your data management must allow for flexibility and scalability for future needs.

IT has several concerns around ERP data and wide dissemination of that data across sites. Large organizations can benefit from building a data warehouse or at least adopting some of the principles of data warehousing. The optimal way to deal with the issue of integration is to design a metadata-driven data warehouse that acts as a central repository for all ERP data. They serve as the storage facility for millions of transactions, formatted to allow analysis and comparison.

Key considerations:

• Technical: At what stage does data move to the warehouse? Can processes be automated to dump data or to do a scheduled data movement?
• Process: Data integration requires some level of historical context for all data. Ensure that all data has multiple metadata tags to future-proof the data.
• People: Who will be accessing the data and what are the key items that users will need to adapt to the data warehouse process?

Info-Tech Insight

Data warehouse solutions can be expensive. See Info-Tech’s Build a Data Warehouse on a Solid Foundation for guidance on what options are available to meet your budget and data needs.

Optimizing SAP data, additional considerations

Data Optimization

Organizations are faced with challenges associated with changing data landscapes.

Data migrations should not be taken lightly. It requires an overall data governance to assure data integrity for the move to S/4HANA and beyond.

Have a solid plan before engaging S/4HANA Migration Cockpit.

Develop a Master Data Management Strategy and Roadmap

• Master data management (MDM) is complex in practice and requires investments in governance, technology, and planning.
• Develop a MDM strategy and initiative roadmap using Info-Tech’s MDM framework, which takes data governance, architecture, and other critical data capabilities into consideration.

Establish Data Governance

• Ensure your data governance program delivers measurable business value by aligning the associated data governance initiatives with the business architecture.
• Data governance must continuously align with the organization’s enterprise governance function. It should not be perceived as a pet project of IT but rather as an enterprise-wide, business-driven initiative.

3.2.5 Discover data optimization opportunities

1-2 hours

1. Use your APA or user satisfaction survey to understand issues related to data.
   Note: Data issues happen for a number of reasons:

• Poor underlying data in the system
• More than one source of truth
• Inability to consolidate data
• Inability to measure KPIs effectively
• Reporting that is cumbersome or non-existent

1. What are some underlying issues?
2. Is there an opportunity for data improvement?
3. What are some optimization initiatives that could be undertaken in this area?

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

SAP cost savings

SAP cost savings does not have to be complicated.

Look for quick wins:

• Evaluate user licensing:
• Ensure you are not double paying for employees or paying for employees who are no longer with the organization.
• Verify user activity – if users are accessing the system very infrequently it does not make sense to license them as full users.
• Audit your user classifications – ensure title positions and associated licenses are up to date.
• Curb data sprawl.
• Consolidate applications.

30-35% of SAP customers likely have underutilized assets. This can add up to millions in unused software and maintenance.

-Riley et al.

20% Only 20 percent of companies manage to capture more than half the projected benefits from ERP systems.

-McKinsey

	Explore the Secrets of SAP Software Contracts to Optimize Spend and Reduce Compliance Risk
	Secrets of SAP S/4HANA Licensing

License Optimization

With the relatively slow uptake of the S/4HANA platform, the pressure is immense for SAP to maintain revenue growth.

SAP’s definitions and licensing rules are complex and vague, making it extremely difficult to purchase with confidence while remaining compliant.

Without having a holistic negotiation strategy, it is easy to hit a common obstacle and land into SAP’s playbook, requiring further spend.

Price Benchmarking & Negotiation

• Use price benchmarking and negotiation intelligence to secure a market-competitive price.
• Understand negotiation tactics that can be used to better your deal.

Secrets of SAP S/4HANA Licensing:

• Build a business case to evaluate S/4HANA.
• Understand the S/4HANA roadmap and map current functionality to ensure compatibility.

SAP’s 2025 Support End of Life Date Delayed…As Predicted Here First

• The math simply did not add up for SAP.
• Extended support post 2027 is a mixed bag.

3.2.6 Discover SAP cost-saving opportunities

1-2 hours

1. Use tab 1.5 “Current Costs” as an input for this exercise.
2. Look for opportunities to cut SAP costs, both quick-wins and long-term strategy.
3. Review Info-Tech’s SAP vendor management resources to understand cost-saving strategies:
   • Secrets of SAP S/4HANA Licensing
   • Explore the Secrets of SAP Software Contracts to Optimize Spend and Reduce Compliance Risk
4. List cost-savings initiatives and opportunities.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Other optimization opportunities

There are many opportunities to improve your SAP portfolio. Choose the ones that are right for your business:

• Artificial intelligence (AI) (and management of the AI lifecycle)
• Machine learning (ML)
• Augment business interactions
• Automatically execute sales pipelines
• Process mining
• SAP application monitoring
• Be aware of the SAP product roadmap
• Implement and take advantage of SAP tools and product offerings

Phase 4

Build Your Optimization Roadmap

This phase will walk you through the following activities:

• Review the different options to solve the identified pain points
• Build out a roadmap showing how you will get to those solutions
• Build a communication plan that includes the stakeholder presentation

This phase involves the following participants:

• Primary stakeholders in each value stream supported by the ERP
• ERP applications support team

Get the Most Out of Your SAP

Step 4.1

4.1 Build Your Optimization Roadmap

Activities

4.1.1 Pick your path

4.1.2 Pick the right SAP migration path

4.1.3 Build a roadmap

4.1.4 Build a visual roadmap

This step will walk you through the following activities:

• Review the different options to solve the identified pain points then build out a roadmap of how to get to that solution.

This step involves the following participants:

• Primary stakeholders in each value stream supported by the ERP
• ERP applications support team

Outcomes of this step

• A strategic direction is set
• An initial roadmap is laid out

Choose the right path for your organization

There are several different paths you can take to achieve your ideal future state. Make sure to pick the one that suits your needs as defined by your current state.

Explore the options for achieving your ideal future state

Option: Optimize your current system

Look for process, workflow, data usage, and vendor relation improvements.

MAINTAIN CURRENT SYSTEM

Keep the system but look for optimization opportunities.

Your existing application portfolio satisfies both functionality and integration requirements. The processes surrounding it likely need attention, but the system should be considered for retention.

Maintaining your current system entails adjusting current processes and/or adding new ones and involves minimal cost, time, and effort.

Alternative 1: Optimize your current system

MAINTAIN CURRENT SYSTEM

• Keep your SAP system running
• Invest in resolving current challenges
• Automate manual processes where appropriate
• Improve/modify current system
• Evaluate current system against requirements/processes
• Reimplement functionality

Alternative Overview

Option: Augment your current system

Use augmentation to resolve your existing technology and data pain points.

AUGMENT CURRENT SYSTEM

Add to the system.

Your existing application is for the most part functionally rich but may need some tweaking. Spend time and effort enhancing your current system.

You will be able to add functions by leveraging existing system features. Augmentation requires limited investment and less time and effort than a full system replacement.

Alternative 2: Augment current solution

AUGMENT CURRENT SYSTEM

Maintain core system.

Invest in SAP modules or extended functionality.

Add functionality with bolt-on targeted “best of breed” solutions.

Invest in tools to make the SAP portfolio and ecosystem work better.

Alternative Overview

Option: Consolidate systems

Consolidate and integrate your current systems to address your technology and data pain points.

CONSOLIDATE AND INTEGRATE SYSTEMS

Get rid of one system, combine two, or connect many.

Your ERP application portfolio consists of multiple apps serving the same functions.

Consolidating your systems eliminates the need to manage multiple pieces of software that provide duplicate functionality. Reducing the number of ERP applications makes integration and data sharing simpler.

Alternative 3: Consolidate systems

AUGMENT CURRENT SYSTEM

Get rid of old disparate on-premise solutions.

Consolidate into an up-to-date ERP solution.

Standardize across the organization.

Alternative Overview

Option: Upgrade System

Upgrade your system to address gaps in your existing processes and various pain points.

REPLACE CURRENT SYSTEM

Move to a new SAP solution

You’re transitioning from an end-of-life legacy system. Your existing system offers poor functionality and poor integration. It would likely be more cost- and time-efficient to replace the application and its surrounding processes altogether. You are satisfied with SAP overall and want to continue to leverage your SAP relationships and investments.

Alternative 4: Upgrade System

UPGRADE SYSTEM

Upgrade your current SAP systems with SAP product replacements.

Invest in SAP with the appropriate migration path for your organization.

Alternative Overview

Option: Replace your current system

Replace your system to address gaps in your existing processes and various pain points.

REPLACE CURRENT SYSTEM

Start from scratch.

You’re transitioning from an end-of-life legacy system. Your existing system offers poor functionality and poor integration. It would likely be more cost and time efficient to replace the application and its surrounding processes all together.

Alternative 5: Replace SAP with another ERP solution

AUGMENT CURRENT SYSTEM

Get rid of old disparate on-premises solutions.

Consolidate into an up-to-date ERP solution.

Standardize across the organization.

Alternative Overview

Activity 4.1.1: Pick your path

1.5 hours

For each given path selected, identify:

• Advantage
• Disadvantages
• Initial Investment ($)
• Risk
• Change Management
• Operating Costs ($)
• Alignment With ERP Objectives
• Key Considerations
• Timeframe

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Pick the right SAP migration path for your organization

There are three S/4HANA paths you can take to achieve your ideal future state. Make sure to pick the one that suits your needs as defined by your current state and meets your overall long-term roadmap.

SAP S/4 HANA offerings can be confusing

What is the cloud, how is it deployed, and how is service provided?

A workload-first approach will allow you to take full advantage of the cloud’s strengths

• Under all but the most exceptional circumstances good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in a one direction.
• These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
• Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you, given your unique context.

See Info-Tech’s Define Your Cloud Vision for more information.

Cloud service models

• This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem” customers gradually give up more control over their environments to cloud service providers.
• An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
• A managed service provider or other third-party can manage any or of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS or offer configuration assistance with a commercially available SaaS.

Info-Tech Insight

Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises) and this can be perfectly effective. It must be consistent and intentional, however.

Option: Best Practice Quick Win

S/4HANA Cloud, Essentials

New Implementation

This is a public cloud solution for new clients adopting SAP that are mostly looking for full functionality within best practice.

Consider a full greenfield approach. Even for mid-size existing customers looking for a best-practice overhaul.

Functionality is kept to the core. Any specialties or unique needs would be outside the core.

Regional localization is still being expanded and must be evaluated early if you are a global company.

Option: Augment Best Practice

S/4HANA Cloud, Extended Edition

New Implementation With Client Specifics

No longer available to new customers from January 25, 2022, though available for renewals.

Replacement is called SAP Extended Services for SAP S/4HANA Cloud, private edition.

This offering is a grey area, and the extended offerings are being defined.

New S/4HANA Cloud extensibility is being offered to early adopters, allowing for customization within a separate system landscape (DTP) and aiming for an SAP Central Business Configuration solution for the cloud. A way of fine-tuning to meet customer-specific needs.

Option: Augment Best Practice (Cont.)

S/4HANA Cloud, Private Edition

New Implementation With Client Specifics

This is a private cloud solution for existing or new customers needing more uniqueness, though still looking to adopt best practice.

Still considered a new implementation with data migration requirements that need close attention.

This offering is trying to move clients to the S/4HANA Cloud with close competition with the Any Premise product offering. Providing client specific scalability while allowing for standardization in the cloud and growth in the digital strategy. All customizations and ABAP functionality must be revisited or revamped to fit standardization.

Option: Own Full Solution

S/4HANA Any Premise

Status Quo Migration to S/4HANA

This is for clients looking for a quick transition to S/4HANA with minimal risks and without immediate changes to their operations.

Though knowing the direction with SAP is toward its cloud solution, this may be a long costly path to getting the that end state.

The Any Premise version carries over existing critical ABAP functionalities, and the SAP GUI can remain as the user interface.

Activity 4.1.2 (Optional) Evaluate optimization initiatives

1 hour

1. If there is an opportunity to optimize the current SAP environment or prepare for the move to a new platform, continue with this step.
2. Valuate your optimization initiatives from tab 3.2 “Optimization Initiatives.”

Consider: relevance to achieving goals, number of users, importance to role, satisfaction with features, usability, data quality

Value Opportunities: increase revenue, decrease costs, enhanced services, reach customers

Additional Factors:

• Current to Future Risk Profile
• Number of Departments to Benefit
• Importance to Stakeholder Relations
• Resources: Do we have resources available and the skillset?
• Cost
• Overall Effort Rating
• "Gut Check: Is it achievable? Have we done it or something similar before? Are we willing to invest in it?"

Prioritize

• Relative priority
• Determine if this will be included in your optimization roadmap
• Decision to proceed
• Next steps

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

Activity 4.1.3 Roadmap building blocks: SAP migration

1 hour

Migration paths: Determine your migration path and next steps using the Activity 4.1.1 “SAP System Options.”

1. Identify initiatives and next steps.
2. For each item on your roadmap, assign an owner who will be accountable to the completion of the roadmap item.
3. Wherever possible, assign a start date, month, or quarter. The more specific you can be the better.
4. Identify completion dates to create a sense of urgency. If you are struggling with start dates, it can help to start with a finish date and “back in” to a start date based on estimated efforts.
5. Include periphery tasks such as communication strategy.

Record this information in the Get the Most Out of Your SAP Workbook.

Note: Your roadmap should be treated as a living document that is updated and shared with the stakeholders on a regular schedule.

Download the Get the Most Out of Your SAP Workbook

Activity 4.1.4 Roadmap building blocks: SAP optimization

1 hour

Optimization initiatives: Determine which if any to proceed with.

1. Identify initiatives.
2. For each item on your roadmap, assign an owner who will be accountable to the completion of the roadmap item.
3. Wherever possible, assign a start date, month, or quarter. The more specific you can be the better.
4. Identify completion dates to create a sense of urgency. If you are struggling with start dates, it can help to start with a finish date and “back in” to a start date based on estimated efforts.
5. Include periphery tasks such as communication strategy.

Record this information in the Get the Most Out of Your SAP Workbook.

Note: Your roadmap should be treated as a living document that is updated and shared with the stakeholders on a regular schedule.

Download the Get the Most Out of Your SAP Workbook

SAP optimization roadmap

Data strategy optimization

Activity 4.1.5 (Optional) Build a visual SAP roadmap

1 hour

1. For some, a visual representation of a roadmap is easier to comprehend. Consider taking the roadmap built in 4.1.4 and creating a visual.

Record this information in the Get the Most Out of Your SAP Workbook.

Download the Get the Most Out of Your SAP Workbook

SAP strategy roadmap

Implementations Partners

• Able to consult, migrate, implement, and manage the SAP S/4HANA business suite across industries.
• Able to transform the enterprise’s core business system to achieve the desired outcome.
• Capable in strategic planning, building business cases, developing roadmaps, cost and time analysis, deployment model (on-prem, cloud, hybrid model), database conversion, database and operational support, and maintenance services.

Info-Tech Insight

It is becoming a common practice for implementation partners to engage in a two- to three-month Discovery Phase or Phase 0 to prepare an implementation roadmap. It is important to understand how this effort is tied to the overall service agreement.

Summary of Accomplishment

Get the Most Out of Your SAP

ERP technology is critical to facilitating an organization’s flow of information across business units. It allows for seamless integration of systems and creates a holistic view of the enterprise to support decision making. ERP implementation should not be a one-and-done exercise. There needs to be an ongoing optimization to enable business processes and optimal organizational results.

Get the Most Out of Your SAP allows organizations to proactively implement continuous assessment and optimization of their enterprise resource planning system, including:

• Alignment and prioritization of key business and technology drivers.
• Identification of processes, including classification and gap analysis.
• Measurement of user satisfaction across key departments.
• Improved vendor relations.
• Data quality initiatives.

This formal SAP optimization initiative will drive business-IT alignment, identify IT automation priorities, and dig deep into continuous process improvement.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Research Contributors

	Ben Dickie Research Practice Lead Info-Tech Research Group Ben Dickie is a Research Practice Lead at Info-Tech Research Group. His areas of expertise include customer experience management, CRM platforms, and digital marketing. He has also led projects pertaining to enterprise collaboration and unified communications.
	Scott Bickley Practice Lead and Principal Research Director Info-Tech Research Group Scott Bickley is a Practice Lead and Principal Research Director at Info-Tech Research Group focused on vendor management and contract review. He also has experience in the areas of IT asset management (ITAM), software asset management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management.
	Andy Neil Practice Lead, Applications Info-Tech Research Group Andy is a Senior Research Director, Data Management and BI, at Info-Tech Research Group. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and the development of industry standard data models.

Bibliography

Armel, Kate. "New Article: Data-Driven Estimation, Management Lead to High Quality." QSM: Quantitative Software Management, 14 May 2013. Accessed 4 Feb. 2021.

Enterprise Resource Planning. McKinsey, n.d. Accessed 13 Apr. 2022.

Epizitone, Ayogeboh. Info-Tech Interview, 10 May 2021.

Epizitone, Ayogeboh, and Oludayo O. Olugbara. “Principal Component Analysis on Morphological Variability of Critical Success Factors for Enterprise Resource Planning.” International Journal of Advanced Computer Science and Applications (IJACSA), vol. 11, no. 5, 2020. Web.

Gheorghiu, Gabriel. "The ERP Buyer’s Profile for Growing Companies." Selecthub, 2018. Accessed 21 Feb. 2021.

Karlsson, Johan. "Product Backlog Grooming Examples and Best Practices." Perforce, 18 May 2018. Accessed 4 Feb. 2021.

Lichtenwalter, Jim. “A look back at 2021 and a look ahead to 2022.” ASUG, 23 Jan. 2022. Web.

“Maximizing the Emotional Economy: Behavioral Economics." Gallup, n.d. Accessed 21 Feb. 2021.

Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” National Institute of Standards and Technology. Sept. 2011. Web.

Norelus, Ernese, Sreeni Pamidala, and Oliver Senti. "An Approach to Application Modernization: Discovery and Assessment Phase," Medium, 24 Feb 2020. Accessed 21 Feb. 2021.

“Process Frameworks." APQC, n.d. Accessed 21 Feb. 2021.

“Quarterly number of SAP S/4HANA subscribers worldwide, from 2015 to 2021.” Statista, n.d. Accessed 13 Apr. 2022.

Riley, L., C.Hanna, and M. Tucciarone. “Rightsizing SAP in these unprecedented times.” Upperedge, 19 May 2020.

Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education, 2012.

“SAP S/4HANA Product Scorecard Report.” SoftwareReviews, n.d. Accessed 18 Apr. 2022.

Saxena, Deepak, and Joe Mcdonagh. "Evaluating ERP Implementations: The Case for a Lifecycle-based Interpretive Approach." The Electronic Journal of Information Systems Evaluation, vol. 22, no. 1, 2019, pp. 29-37. Accessed 21 Feb. 2021.

Smith, Anthony. "How To Create A Customer-Obsessed Company Like Netflix." Forbes, 12 Dec. 2017. Accessed 21 Feb. 2021.

Drive Technology Adoption

The project is over. The new technology is implemented. Now how do we make sure it's used?

Executive Summary

Your Challenge

Technology endlessly changes and evolves. Similarly, business directions and requirements change, and these changes need to be supported by technology. Improved functionality and evolvement of systems, along with systems becoming redundant or unsupported, means that maintaining a static environment is virtually impossible.

Enormous amounts of IT budget are allocated to these changes each year. But once the project is over, how do you manage that change and ensure the systems are being used? Planning your technology adoption is vital.

Common Obstacles

The obstacles to technology adoption can be many and various, covering a broad spectrum of areas including:

• Reluctance of staff to let go of familiar processes and procedures.
• Perception that any change will add complications but not add value, thereby hampering enthusiasm to adopt.
• Lack of awareness of the change.
• General fear of change.
• Lack of personal confidence.

Info-Tech’s Approach

Start by identifying, understanding, categorizing, and defining barriers and put in place a system to:

• Gain an early understanding of the different types of users and their attitudes to technology and change.
• Review different adoption techniques and analyze which are most appropriate for your user types.
• Use a “Follow the Leader” approach, by having technical enthusiasts and champions to show the way.
• Prevent access to old systems and methods.

Info-Tech Insight

For every IT initiative that will be directly used by users, consider the question, “Will the final product be readily accepted by those who are going to use it?” There is no point in implementing a product that no one is prepared to use. Gaining user acceptance is much more than just ticking a box in a project plan once UAT is complete.

The way change should happen is clear

Prosci specializes in change. Its ADKAR model outlines what’s required to bring individuals along on the change journey.

AWARENESS

• Awareness means more than just knowing there’s a change occurring,
• it means understanding the need for change.

DESIRE

• To achieve desire, there needs to be motivation, whether it be from an
• organizational perspective or personal.

KNOWLEDGE

• Both knowledge on how to train during the transition and knowledge
• on being effective after the change are required. This can only be done
• once awareness and desire are achieved.

ABILITY

• Ability is not knowledge. Knowing how to do something doesn’t necessarily translate to having the skills to do it.

REINFORCEMENT

• Without reinforcement there can be a tendency to revert.

When things go wrong

New technology is not being used

The project is seen as complete. Significant investments have been made, but the technology either isn’t being used or is only partially in use.

Duplicate systems are now in place

Even worse. The failure to adopt the new technology by some means that the older systems are still being used. There are now two systems that fail to interact; business processes are being affected and there is widespread confusion.

Benefits not being realized

Benefits promised to the business are not being realized. Projected revenue increases, savings, or efficiencies that were forecast are now starting to be seen as under threat.

There is project blowout

The project should be over, but the fact that the technology is not being used has created a perception that the implementation is not complete and the project needs to continue.

Info-Tech Insight

People are far more complicated than any technology being implemented.

Consider carefully your approach.

Why does it happen?

POOR COMMUNICATION

There isn’t always adequate communications about what’s changing in the workplace.

FEAR

Fear of change is natural and often not rational. Whether the fear is about job loss or not being able to adapt to change; it needs to be managed.

TRAINING

Training can be insufficient or ineffective and when this happens people are left feeling like they don’t have the skills to make the change.

LACK OF EXECUTIVE SUPPORT

A lack of executive support for change means the change is seen as less important.

CONFLICTING VIEWS OF CHANGE

The excitement the project team and business feels about the change is not necessarily shared throughout the business. Some may just see the change as more work, changing something that already works, or a reason to reduce staff levels.

LACK OF CONFIDENCE

Whether it’s a lack of confidence generally with technology or concern about a new or changing tool, a lack of confidence is a huge barrier.

BUDGETARY CONSTRAINTS

There is a cost with managing people during a change, and budget must be allocated to allow for it.

Communications

Info-Tech Insight

Since Sigmund Freud there has been endless work to understand people’s minds.
Don’t underestimate the effect that people’s reactions to change can have on your project.

Communication plans are designed to properly manage change. Managing change can be easier when we have the right tools and information to adapt to new circumstances. The Kubler-Ross change curve illustrates the expected steps on the path to acceptance of change. With the proper communications strategy, each can be managed appropriately

Analyst perspective

Paul Binns – Principal Research Advisor, Info-Tech

The rapidly changing technology landscape in our world has always meant that an enthusiasm or willingness to embrace change has been advantageous. Many of us have seen how the older generation has struggled with that change and been left behind.

In the work environment, the events of the past two years have increased pressure on those slow to adopt as in many cases they couldn't perform their tasks without new tools. Previously, for example, those who may have been reluctant to use digital tools and would instead opt for face-to-face meetings, suddenly found themselves without an option as physical meetings were no longer possible. Similarly, digital collaboration tools that had been present in the market for some time were suddenly more heavily used so everyone could continue to work together in the “online world.”

At this stage no one is sure what the "new normal" will be in the post-pandemic world, but what has been clearly revealed is that people are prepared to change given the right motivation.

“Technology adoption is about the psychology of change.”
Bryan Tutor – Executive Counsellor, Info-Tech

The Fix

• Categorize Users
  • Gain a clear understanding of your user types.
• Identify Adoption Techniques
  • Understand the range of different tools and techniques available.
• Match Techniques To Categories
  • Determine the most appropriate techniques for your user base.
• Follow-the-Leader
  • Be aware of the different skills in your environment and use them to your advantage.
• Refresh, Retrain, Restrain
  • Prevent reversion to old methods or systems.

Categories

Client-Driven Insight

Consider your staff and industry when looking at the Everett Rogers curve. A technology organization may have less laggards than a traditional manufacturing one.

In Everett Rogers’ book Diffusion of Innovations 5th Edition (Free Press, 2005), Rogers places adopters of innovations into five different categories.

Category 1: The Innovator – 2.5%

Innovators are technology enthusiasts. Technology is a central interest of theirs, either at work, at home, or both. They tend to aggressively pursue new products and technologies and are likely to want to be involved in any new technology being implemented as soon as possible, even before the product is ready to be released.

For people like this the completeness of the new technology or the performance can often be secondary because of their drive to get new technology as soon as possible. They are trailblazers and are not only happy to step out of their comfort zone but also actively seek to do so.

Although they only make up about 2.5% of the total, their enthusiasm, and hopefully endorsement of new technology, offers reassurance to others.

Info-Tech Insight

Innovators can be very useful for testing before implementation but are generally more interested in the technology itself rather than the value the technology will add to the business.

Category 2: The Early Adopter – 13.5%

Whereas Innovators tend to be technologists, Early Adopters are visionaries that like to be on board with new technologies very early in the lifecycle. Because they are visionaries, they tend to be looking for more than just improvement – a revolutionary breakthrough. They are prepared to take high risks to try something new and although they are very demanding as far as product features and performance are concerned, they are less price-sensitive than other groups.

Early Adopters are often motivated by personal success. They are willing to serve as references to other adopter groups. They are influential, seen as trendsetters, and are of utmost importance to win over.

Info-Tech Insight

Early adopters are key. Their enthusiasm for technology, personal drive, and influence make them a powerful tool in driving adoption.

Category 3: The Early Majority – 34%

This group is comprised of pragmatists. The first two adopter groups belong to early adoption, but for a product to be fully adopted the mainstream needs to be won over, starting with the Early Majority.

The Early Majority share some of the Early Adopters’ ability to relate to technology. However, they are driven by a strong sense of practicality. They know that new products aren’t always successful. Consequently, they are content to wait and see how others fare with the technology before investing in it themselves. They want to see well-established references before adopting the technology and to be shown there is no risk.

Because there are so many people in this segment (roughly 34%), winning these people over is essential for the technology to be adopted.

Category 4: The Late Majority – 34%

The Late Majority are the conservatives. This group is generally about the same size as the Early Majority. They share all the concerns of the Early Majority; however, they are more resistant to change and are more content with the status quo than eager to progress to new technology. People in the Early Majority group are comfortable with their ability to handle new technology. People in the Late Majority are not.

As a result, these conservatives prefer to wait until something has become an established standard and take part only at the end of the adoption period. Even then, they want to see lots of support and ensure that there is proof there is no risk in them adopting it.

Category 5: The Laggard – 16%

This group is made up of the skeptics and constitutes 16% of the total. These people want nothing to do with new technology and are generally only content with technological change when it is invisible to them. These skeptics have a strong belief that disruptive new technologies rarely deliver the value promised and are almost always worried about unintended consequences.

Laggards need to be dealt with carefully as their criticism can be damaging and without them it is difficult for a product to become fully adopted. Unfortunately, the effort required for this to happen is often disproportional to the size of the group.

Info-Tech Insight

People aren’t born laggards. Technology projects that have failed in the past can alter people’s attitudes, especially if there was a negative impact on their working lives. Use empathy when dealing with people and respect their hesitancy.

Adoption Techniques

Different strokes for different folks

Technology adoption is all about people; and therefore, the techniques required to drive that adoption need to be people oriented.

The following techniques are carefully selected with the intention of being impactful on all the different categories described previously.

There are multitudes of different methods to get people to adopt new technology, but which is the most appropriate for your situation? Generally, it’s a combination.

Train the Trainer

Use your staff to get your message across.

Abstract

This technique involves training key members of staff so they can train others. It is important that those selected are strong communicators, are well respected by others, and have some expertise in technology.

Advantages

• Cost effective
• Efficient dissemination of information
• Trusted internal staff

Disadvantages

• Chance of inconsistent delivery
• May feel threatened by co-worker

Best to worst candidates

• Early Adopter: Influential trendsetters. Others receptive of their lead.
• Innovator: Comfortable and enthusiastic about new technology, but not necessarily a trainer.
• Early Majority: Tendency to take others’ lead.
• Late Majority: Risk averse and tend to follow others, only after success is proven.
• Laggard: Last to adopt usually. Unsuitable as Trainer.

Marketing

Marketing should be continuous throughout the change to encourage familiarity.

Abstract

Communication is key as people are comfortable with what is familiar to them. Marketing is an important tool for convincing adopters that the new product is mainstream, widely adopted and successful.

Advantages

• Wide communication
• Makes technology appear commonplace
• Promotes effectiveness of new technology

Disadvantages

• Reliant on staff interest
• Can be expensive

Best to worst candidates

• Early Majority: Pragmatic about change. Marketing is effective encouragement.
• Early Adopter: Receptive and interested in change. Marketing is supplemental.
• Innovator: Actively seeks new technology. Does not need extensive encouragement.
• Late Majority: Requires more personal approach.
• Laggard: Resistant to most enticements.

One-on-One

Tailored for individuals.

Abstract

One-on-one training sometimes is the only way to train if you have staff with special needs or who are performing unique tasks.
It is generally highly effective but inefficient as it only addresses individuals.

Advantages

• Tailored to specific need(s)
• Only relevant information addressed
• Low stress environment

Disadvantages

• Expensive
• Possibility of inconsistent delivery
• Personal conflict may render it ineffective

Best to worst candidates

• Laggard: Encouragement and cajoling can be used during training.
• Late Majority: Proof can be given of effectiveness of new product.
• Early Majority: Effective, but not cost efficient.
• Early Adopter: Effective, but not cost-efficient.
• Innovator: Effective, but not cost-efficient.

Group Training

Similar roles, attitudes, and abilities.

Abstract

Group training is one of the most common methods to start people on their journey toward new technology. Its effectiveness with the two largest groups, Early Majority and Late Majority, make it a primary tool in technology adoption.

Advantages

• Cost effective
• Time effective
• Good for team building

Disadvantages

• Single method may not work for all
• Difficult to create single learning pace for all

Best to worst candidates

• Early Majority: Receptive. The formality of group training will give confidence.
• Late Majority: Conservative attitude will be receptive to traditional training.
• Early Adopter: Receptive and attentive. Excited about the change.
• Innovator: Will tend to want to be ahead or want to move ahead of group.
• Laggard: Laggards in group training may have a negative impact.

Force

The last resort.

Abstract

The transition can’t go on forever.

At some point the new technology needs to be fully adopted and if necessary, force may have to be used.

Advantages

• Immediate full transition
• Fixed delivery timeline

Disadvantages

• Alienation of some staff
• Loss of faith in product if there are issues

Best to worst candidates

• Laggard: No choice but to adopt. Forces the issue.
• Late Majority: Removes issue of reluctance to change.
• Early Majority: Content, but worried about possible problems.
• Early Adopter: Feel less personal involvement in change process.
• Innovator: Feel less personal involvement in change process.

Contests

Abstract

Contests can generate excitement and create an explorative approach to new technology. People should not feel pressured. It should be enjoyable and not compulsory.

Advantages

• Rapid improvement of skills
• Bring excitement to the new technology
• Good for team building

Disadvantages

• Those less competitive or with lower skills may feel alienated
• May discourage collaboration

Best to worst candidates

• Early Adopter: Seeks personal success. Risk taker. Effective.
• Innovator: Enthusiastic to explore limits of technology.
• Early Majority: Less enthusiastic. Pragmatic. Less competitive.
• Late Majority: Conservative. Not enthusiastic about new technology.
• Laggard: Reluctant to get involved.

Incentives

Incentives don’t have to be large.

Abstract

For some staff, merely taking management’s lead is not enough. Using “Nudge” techniques to give that extra incentive is quite effective. Incentivizing staff either financially or through rewards, recognition, or promotion is a successful adoption technique for some.

Advantages

Encouragement to adopt from receiving tangible benefit

Draws more attention to the new technology

Disadvantages

Additional expense to business or project

Possible poor precedent for subsequent changes

Best to worst candidates

Early Adopter: Desire for personal success makes incentives enticing.

Early Majority: Prepared to change, but extra incentive will assist.

Late Majority: Conservative attitude means incentive may need to be larger.

Innovator: Enthusiasm for new technology means incentive not necessary.

Laggard: Sceptical about change. Only a large incentive likely to make a difference.

Champions

Strong internal advocates for your new technology are very powerful.

Abstract

Champions take on new technology and then use their influence to promote it in the organization. Using managers as champions to actively and vigorously promote the change is particularly effective.

Advantages

• Infectious enthusiasm encourages those who tend to be reluctant
• Use of trusted internal staff

Disadvantages

• Removes internal staff from regular duties
• Ineffective if champion not respected

Best to worst candidates

• Early Majority: Champions as references of success provide encouragement.
• Late Majority: Management champions in particular are effective.
• Laggard: Close contact with champions may be effective.
• Early Adopter: Receptive of technology, less effective.
• Innovator: No encouragement or promotion required.

Herd Mentality

Follow the crowd.

Abstract

Herd behavior is when people discount their own information and follow others. Ideally all adopters would understand the reason and advantages in adopting new technology, but practically, the result is most important.

Advantages

• New technology is adopted without question
• Increase in velocity of adoption

Disadvantages

• Staff may not have clear understanding of the reason for change and resent it later
• Some may adopt the change before they are ready to do so

Best to worst candidates

• Early Majority: Follow others’ success.
• Late Majority: Likely follow an established proven standard.
• Early Adopter: Less effective as they prefer to set trends rather than follow.
• Innovator: Seeks new technology rather than following others.
• Laggard: Suspicious and reluctant to change.

Proof of Concepts

Gain early input and encourage buy-in.

Abstract

Proof of concept projects give early indications of the viability of a new initiative. Involving the end users in these projects can be beneficial in gaining their support

Advantages

Involve adopters early on

Valuable feedback and indications of future issues

Disadvantages

If POC isn’t fully successful, it may leave lingering negativity

Usually, involvement from small selection of staff

Best to worst candidates

• Innovator: Strong interest in getting involved in new products.
• Early Adopter: Comfortable with new technology and are influencers.
• Early Majority: Less interest. Prefer others to try first.
• Late Majority: Conservative attitude makes this an unlikely option.
• Laggard: Highly unlikely to get involved.

Match techniques to categories

What works for who?

Follow the leader

Engage your technology enthusiasts early to help refine your product, train other staff, and act as champions. A combination of marketing and group training will develop a herd mentality. Finally, don’t neglect the laggards as they can prevent project completion.

Info-Tech Insight

Although there are different size categories, none can be ignored. Consider your budget when dealing with smaller groups, but also consider their impact.

Refresh, retrain, restrain

We don’t want people to revert.

Don’t assume that because your staff have been trained and have access to the new technology that they will keep using it in the way they were trained. Or that they won’t revert back to their old methods or system.

Put in place methods to remove completely or remove access to old systems. Schedule refresh training or skill enhancement sessions and stay vigilant.

Research Authors

Paul Binns

Principal Research Advisor, Info-Tech Research Group

With over 30 years in the IT industry, Paul brings to his work his experience as a Strategic Planner, Consultant, Enterprise Architect, IT Business Owner, Technologist, and Manager. Paul has worked with both small and large companies, local and international, and has had senior roles in government and the finance industry.

Scott Young

Principal Research Advisor, Info-Tech Research Group

Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

Related Info-Tech Research

User Group Analysis Workbook

Use Info-Tech’s workbook to gather information about user groups, business processes, and day-to-day tasks to gain familiarity with your adopters.

Governance and Management of Enterprise Software Implementation

Use our research to engage users and receive timely feedback through demonstrations. Our iterative methodology with a task list focused on the business’ must-have functionality allows staff to return to their daily work sooner.

Quality Management User Satisfaction Survey

This IT satisfaction survey will assist you with early information to use for categorizing your users.

Master Organizational Change Management Practices

Using a soft, empathetic approach to change management is something that all PMOs should understand. Use our research to ensure you have an effective OCM plan that will ensure project success.

Bibliography

Beylis, Guillermo. “COVID-19 accelerates technology adoption and deepens inequality among workers in Latin America and the Caribbean.” World Bank Blogs, 4 March 2021. Web.

Cleland, Kelley. “Successful User Adoption Strategies.” Insight Voices, 25 Apr. 2017. Web.

Hiatt, Jeff. “The Prosci ADKAR ® Model.” PROSCI, 1994. Web.

Malik, Priyanka. “The Kübler Ross Change Curve in the Workplace.” whatfix, 24 Feb. 2022. Web.

Medhaugir, Tore. “6 Ways to Encourage Software Adoption.” XAIT, 9 March 2021. Web.

Narayanan, Vishy. “What PwC Australia learned about fast tracking tech adoption during COVID-19” PWC, 13 Oct. 2020. Web.

Sridharan, Mithun. “Crossing the Chasm: Technology Adoption Lifecycle.” Think Insights, 28 Jun 2022. Web.

Build a Security Metrics Program to Drive Maturity

Good metrics come from good goals.

ANALYST PERSPECTIVE

Metrics are a maturity driver.

"Metrics programs tend to fall into two groups: non-existent and unhelpful.

The reason so many security professionals struggle to develop a meaningful metrics program is because they are unsure of what to measure or why.

The truth is, for metrics to be useful, they need to be tied to something you care about – a state you are trying to achieve. In other words, some kind of goal. Used this way, metrics act as the scoreboard, letting you know if you’re making progress towards your goals, and thus, boosting your overall maturity."

– Logan Rohde, Research Analyst, Security Practice Info-Tech Research Group

Executive summary

Situation

• Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.

Complication

• Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
• Because metrics can become very technical and precise, it's easy to think they're inherently complicated (not true).

Resolution

• A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them comes more specific metrics.
• It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
• A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training).

Info-Tech Insight

1. Metrics lead to maturity, not vice versa
   • Tracking metrics helps you assess progress and regress in your security program. This helps you quantify the maturity gains you’ve made and continue to make informed strategic decisions.
2. The best metrics are tied to goals
   • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

Our understanding of the problem

This Research is Designed For:

• CISO

This Research Will Help You:

• Understand the value of metrics.
• Right-size a metrics program based on your organization’s maturity and risk profile.
• Tie metrics to goals to create meaningful KPIs.
• Develop strategies to effectively communicate the right metrics to stakeholders.

This Research Will Also Assist:

• CIO
• Security Manager
• Business Professionals

This Research Will Help Them:

• Become informed on the metrics that matter to them.
• Understand that investment in security is an investment in the business.
• Feel confident in the progress of the organization’s security strategy.

Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

Information Security Framework

Governance

• Context and Leadership
  • Information Security Charter
  • Information Security Organizational Structure
  • Culture and Awareness
• Evaluation and Direction
  • Security Risk Management
  • Security Policies
  • Security Strategy and Communication
• Compliance, Audit, and Review
  • Security Compliance Management
  • External Security Audit
  • Internal Security Audit
  • Management Review of Security

Management

• Prevention
  • Identity Security
    • Identity and Access Management
  • Data Security
    • Hardware Asset Management
    • Data Security & Privacy
  • Infrastructure Security
    • Network Security
    • Endpoint Security
    • Malicious Code
    • Application Security
    • Vulnerability Management
    • Cryptography Management
    • Physical Security
    • Cloud Security
  • HR Security
    • HR Security
  • Change and Support
    • Configuration and Change Management
    • Vendor Management
• Detection
  • Security Threat Detection
  • Log and Event Management
• Response and Recovery
  • Security Incident Management
  • Information Security in BCM
  • Security eDiscovery and Forensics
  • Backup and Recovery
• Measurement
  • Metrics Program
  • Continuous Improvement

Metrics help to improve security-business alignment

While business leaders are now taking a greater interest in cybersecurity, alignment between the two groups still has room for improvement.

Key statistics show that just...

5% of public companies feel very confident that they are properly secured against a cyberattack.

41% of boards take on cybersecurity directly rather than allocating it to another body (e.g. audit committee).

19% of private companies do not discuss cybersecurity with the board.

(ISACA, 2018)

Info-Tech Insight

Metrics help to level the playing field

Poor alignment between security and the business often stems from difficulties with explaining how security objectives support business goals, which is ultimately a communication problem.

However, metrics help to facilitate these conversations, as long as the metrics are expressed in practical, relatable terms.

Security metrics benefit the business

Executives get just as much out of management metrics as the people running them.

1. Metrics assuage executives’ fears
   • Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization’s security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.
2. Metrics answer executives’ questions
   • Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needs to decrease risk based on management’s threat tolerance. Metrics help make an organization more transparent, prepared, and knowledgeable.
3. Metrics help to continually prove security’s worth
   • Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that the security team is now being invited before they have even asked to join. This trend allows the security team to better communicate on the organization’s security posture, describe threats and vulnerabilities, present a “plan of action,” and get a pulse on the organization’s risk tolerance.

Common myths make security metrics seem challenging

Security professionals have the perception that metrics programs are difficult to create. However, this attitude usually stems from one of the following myths. In reality, security metrics are much simpler than they seem at first, and they usually help resolve existing challenges rather than create new ones.

Tie your metrics to goals to make them worthwhile

SMART metrics are really SMART goals.

Specific

Measurable

Achievable

Realistic

Timebound

Achievable: What is an achievable metric?

When we say that a metric is “achievable,” we imply that it is tied to a goal of some kind – the thing we want to achieve.

How do we set a goal?

1. Determine what outcome you are trying to achieve.
   • This can be small or large (e.g. I want to determine what existing systems can provide metrics, or I want a 90% pass rate on our monthly phishing tests).
2. Decide what indicates that you’ve achieved your goal.
   • At what point would you be satisfied with the progress made on the initiative(s) you’re working on? What conditions would indicate victory for you and allow you to move on to another goal?
3. Develop a key performance indicator (KPI) to measure progress towards that goal.
   • Now that you’ve defined what you’re trying to achieve, find a way to indicate progress in relative or relational terms (e.g. percentage change from last quarter, percentage of implementation completed, ratio of programs in place to those still needing implementation).

Info-Tech’s security metrics methodology is repeatable and iterative to help boost maturity

Security Metric Lifecycle

Start:

Review current state and decide on priorities.

Set a SMART goal for improvement.

Develop an appropriate KPI.

Use KPI to monitor program improvement.

Present metrics to the board.

Revise metrics if necessary.

Metrics go hand in hand with your security strategy

A security strategy is ultimately a large goal-setting exercise. You begin by determining your current maturity and how mature you need to be across all areas of information security, i.e. completing a gap analysis.

As such, linking your metrics program to your security strategy is a great way to get your metrics program up and running – but it’s not the only way.

Check out the following Info-Tech resource to get started today:

Build an Information Security Strategy

The value of security metrics goes beyond simply increasing security

This blueprint applies to you whether you need to develop a metrics program from scratch or optimize and update your current strategy.

Value of engaging in security metrics:

• Increased visibility into your operations.
• Improved accountability.
• Better communication with executives as a result of having hard evidence of security performance.
• Improved security posture through better understanding of what is working and what isn’t within the security program.

Value of Info-Tech’s security metrics blueprint:

• Doesn’t overwhelm you and allows you to focus on determining the metrics you need to worry about now without pressuring you to do it all at once.
• Helps you develop a growth plan as your organization and metrics program mature, so you continue to optimize.
• Creates effective communication. Prepares you to present the metrics that truly matter to executives rather than confusing them with unnecessary data. Pay attention to metric accuracy and reproducibility. No management wants inconsistent reporting.

Impact

Short term: Streamline your program. Based on your organization’s specific requirements and risk profile, figure out which metrics are best for now while also planning for future metrics as your organization matures.

Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged when more evidence is available to executives, contributing to overall improved security posture. Potential opportunities for eventual cost savings also exist as there is more informed security spending and fewer incidents.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked-off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Link Security Metrics to Goals to Boost Maturity – Project Overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Phase 1

Link Security Metrics to Goals to Boost Maturity

Phase 1

1.1 Review current state and set your goals

1.2 Develop KPIs and prioritize your goals

1.3 Implement and monitor KPIs

This phase will walk you through the following activities:

• Current state assessment
• Setting SMART goals
• KPI development
• Goals prioritization
• KPI implementation

This phase involves the following participants:

• Security Team

Outcomes of this phase

• Goals-based KPIs
• Security Metrics Determination and Tracking Tool

Phase 1 outline

Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Link Security Metrics to Goals to Boost Maturity

Proposed Time to Completion: 2-4 weeks

Step 1.1: Setting Goals

Start with an analyst kick-off call:

• Determine current and target maturity for various security programs.
• Develop SMART Goals.

Then complete these activities…

• CMMI Assessment

Step 1.2 – 1.3: KPI Development

Review findings with analyst:

• Prioritize goals
• Develop KPIs to track progress on goals
• Track associated metrics

Then complete these activities…

• KPI Development

With these tools & templates:

• KPI Development Worksheet
• Security Metrics Determination and Tracking Tool

Phase 1 Results & Insights:

• Basic Metrics program

1.1 Review current state and set your goals

120 minutes

Let’s put the security program under the microscope.

Before program improvement can take place, it is necessary to look at where things are at presently (in terms of maturity) and where we need to get them to.

In other words, we need to perform a security program gap analysis.

Info-Tech Best Practice

The most thorough way of performing this gap analysis is by completing Info-Tech’s Build an Information Security Strategy blueprint, as it will provide you with a prioritized list of initiatives to boost your security program maturity.

Completing an abbreviated gap analysis...

• Security Areas
• Network Security
• Endpoint Security
• Vulnerability Management
• Identity Access Management
• Incident Management
• Training & Awareness
• Compliance, Audit, & Review
• Risk Management
• Business Alignment & Governance
• Data Security

1. Using the CMMI scale on the next slide, assess your maturity level across the security areas to the left, giving your program a score from 1-5. Record your assessment on a whiteboard.
2. Zone in on your areas of greatest concern and choose 3 to 5 areas to prioritize for improvement.
3. Set a SMART goal for improvement, using the criteria on goals slides.

Use the CMMI scale to contextualize your current maturity

Use the Capability Maturity Model Integration (CMMI) scale below to help you understand your current level of maturity across the various areas of your security program.

1. Initial
   • Incident can be managed. Outcomes are unpredictable due to lack of a standard operating procedure.
2. Repeatable
   • Process in place, but not formally implemented or consistently applied. Outcomes improve but still lack predictability.
3. Defined
   • Process is formalized and consistently applied. Outcomes become more predictable, due to consistent handling procedure.
4. Managed
   • Process shows signs of maturity and can be tracked via metrics. Moving towards a predictive approach to incident management.
5. Optimizing
   • Process reaches a fully reliable level, though improvements still possible. Regularity allows for process to be automated.

(Adapted from the “CMMI Institute Maturity Model”)

Base your goals around the five types of metrics

Choose goals that make sense – even if they seem simple.

The most effective metrics programs are personalized to reflect the goals of the security team and the business they work for. Using goals-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

Info-Tech Best Practice

Before setting a SMART goal, take a moment to consider your maturity for each security area, and which metric type you need to collect first, before moving to more ambitious goals.

Security Areas

• Network Security
• Endpoint Security
• Vulnerability Management
• Identity Access Management
• Incident Management
• Training & Awareness
• Compliance, Audit & Review
• Risk Management
• Business Alignment & Governance
• Data Security

Set SMART goals for your security program

Specific

Measurable

Achievable

Realistic

Timebound

Now that you have determined which security areas you’d like to improve, decide on a goal that meets the SMART criteria.

Examples of possible goals for various maturity levels:

1. Perform initial probe to determine number of systems capable of providing metrics by the end of the week.
2. Take baseline measurements each month for three months to determine organization’s baseline state.
3. Implement a vulnerability management program to improve baseline state by the end of the quarter.
4. Improve deployment of critical patches by applying 90% of them within the set window by the end of the year.
5. Demonstrate how vulnerability management affects broad organizational trends at quarterly report to senior leadership.

Compare the bolded text in these examples with the metric types on the previous slide

Record and assess your goals in the Security Metrics Determination and Tracking Tool

1.1 Security Metrics Determination and Tracking Tool

Use tab “2. Identify Security Goals” to document and assess your goals.

To increase visibility into the cost, effort, and value of any given goal, assess them using the following criteria:

• Initial Cost
• Ongoing Cost
• Initial Staffing
• Ongoing Staffing
• Alignment w/Business
• Benefit

Use the calculated Cost/Effort Rating, Benefit Rating, and Difference Score later in this project to help with goal prioritization.

Info-Tech Best Practice

If you have already completed a security strategy with Info-Tech resources, this work may likely have already been done. Consult your Information Security Program Gap Analysis Tool from the Build an Information Security Strategy research.

1.2 Develop KPIs and prioritize your goals

There are two paths to success.

At this time, it is necessary to evaluate the priorities of your security program.

Option 1: Progress to KPI Development

• If you would like practice developing KPIs for multiple goals to get used to the process, move to KPI development and then assess which goals you can pursue now based on resources available, saving the rest for later.

Option 2: Progress to Prioritization of Goals

• If you are already comfortable with KPI development and do not wish to create extras for later use, then prioritize your goals first and then develop KPIs for them.

Phase 1 Schematic

• Gap Analysis
• Set SMART Goals (You are here.)
  • Develop KPIs
• Prioritize Goals
• Implement KPI & Monitor
• Phase 2

Develop a key performance indicator (KPI)

Find out if you’re meeting your goals.

Terms like “key performance indicator” may make this development practice seem more complicated than it really is. A KPI is just a single metric used to measure success towards a goal. In relational terms (i.e. as a percentage, ratio, etc.) to give it context (e.g. % of improvement over last quarter).

KPI development is about answering the question: what would indicate that I have achieved my goal?

To develop a KPI follow these steps:

1. Review the case study on the following slides to get a sense of how KPIs can start simple and general and get more specific and complex over time.
2. Using the example to the right, sort your SMART goals from step 1.1 into the various metric types, then determine what success would look like for you. What outcome are you trying to achieve? How will you know when you’ve achieved it?
3. Fill out the KPI Development Worksheets to create sample KPIs for each of the SMART goals you have created. Ensure that you complete the accompanying KPI Checklist.

KPIs differ from goal to goal, but their forms follow certain trends

Explore the five metric types

1. Initial Probe

Focused on determining how many sources for metrics exist.

• Question: What am I capable of knowing?
• Goal: To determine what level of insight we have into our security processes.
• Possible KPI: % of systems for which metrics are available.
• Decision: Do we have sufficient resources available to collect metrics?

2. Baseline Testing

Focused on gaining initial insights about the state of your security program (what are the measurements?).

• Question: Does this data suggest areas for improvement?
• Goal: To create a roadmap for improvement.
• Possible KPI: % of systems that provide useful metrics to measure improvement.
• Decision: Is it necessary to acquire tools to increase, enhance, or streamline the metrics-gathering process?

Info-Tech Insight

Don't lose hope if you lack resources to move beyond these initial steps. Even if you are struggling to pull data, you can still draw meaningful metrics. The percent or ratio of processes or systems you lack insight into can be very valuable, as it provides a basis to initiate a risk-based discussion with management about the organization's security blind spots.

Explore the five metric types (cont’d)

3. Program Implementation

Focused on developing a basic program to establish basic maturity (e.g. implement an awareness and training program).

• Question: What needs to be implemented to establish basic maturity?
• Goal: To begin closing the gap between current and desired maturity.
• Possible KPI: % of implementation completed.
• Decision: Have we achieved a formalized and repeatable process?

4. Improvement

Focused on attaining operational targets to lower organizational risk.

• Question: What other related activities could help to support this goal (e.g. regular training sessions)?
• Goal: To have metrics operate above or below a certain threshold (e.g. lower phishing-test click rate to an average of 10% across the organization)
• Possible KPI: Phishing click rate %
• Decision: What other metrics should be tracked to provide insight into KPI fluctuations?

Info-Tech Insight

Don't overthink your KPI. In many cases it will simply be your goal rephrased to express a percentage or ratio. In others, like the example above, it makes sense for them to be identical.

5. Organizational Impact

Focused on studying several related KPIs (Key Performance Index, or KPX) in an attempt to predict risks.

• Question: What risks does the organization need to address?
• Goal: To provide high-level summaries of several metrics that suggest emerging or declining risks.
• Possible KPI: Likelihood of a given risk (based on the trends of the KPX).
• Decision: Accept the risk, transfer the risk, mitigate the risk?

Case study: Healthcare example

Let’s take a look at KPI development in action.

Meet Maria, the new CISO at a large hospital that desperately needs security program improvements. Maria’s first move was to learn the true state of the organization’s security. She quickly learned that there was no metrics program in place and that her staff were unaware what, if any, sources were available to pull security metrics from.

After completing her initial probe into available metrics and then investigating the baseline readings, she determined that her areas of greatest concern were around vulnerability and access management. But she also decided it was time to get a security training and awareness program up and running to help mitigate risks in other areas she can’t deal with right away.

Info-Tech Insight

There is very little variation in the kinds of goals people have around initial probes and baseline testing. Metrics in these areas are virtually always about determining what data sources are available to you and what that data actually shows. The real decisions start in determining what you want to do based on the measures you’re seeing.

Metric development example: Vulnerability Management

See examples of Maria’s KPI development on the next four slides...

Implementation

Goal: Implement vulnerability management program

KPI: % increase of insight into existing vulnerabilities

Associated Metric: # of vulnerability detection methods

Improvement

Goal: Improve deployment time for patches

KPI: % of critical patches fully deployed within target window

• Associated Metric 1: # of critical vulnerabilities not patched
• Associated Metric 2: # of patches delayed due to lack of staff
• Associated Metric X

Metric development example: Identity Access Management

Implementation

Goal: Implement MFA for privileged accounts

KPI: % of privileged accounts with MFA applied

Associated Metric: # of privileged accounts

Improvement

Goal: Remove all unnecessary privileged accounts

KPI: % of accounts with unnecessary privileges

• Associated Metric 1: # of privileged accounts
• Associated Metric 2: # of necessary privileged accounts
• Associated Metric X

Metric development example: Training and Awareness

Implementation

Goal: Implement training and awareness program

KPI: % of organization trained

Associated Metric: # of departments trained

Improvement

Goal: Improve time to report phishing

KPI: % of phishing cases reported within target window

• Associated Metric 1: # of phishing tests
• Associated Metric 2: # of training sessions
• Associated Metric X

Metric development example: Key Performance Index

Organizational Trends

Goal: Predict Data Breach Likelihood

• KPX 1: Insider Threat Potential
  • % of phishing cases reported within target window
    • Associated Metrics:
      • # of phishing tests
      • # of training sessions
  • % of critical patches fully deployed within target window
    • Associated Metrics:
      • # of critical vulnerabilities not patched
      • # of patches delayed due to lack of staff
  • % of accounts with unnecessary privileges
    • Associated Metrics:
      • # of privileged accounts
      • # of necessary privileged accounts
• KPX 2: Data Leakage Issues
  • % of incidents related to unsecured databases
    • Associated Metrics:
      • # of unsecured databases
      • # of business-critical databases
  • % of misclassified data
    • Associated Metrics:
      • # of misclassified data reports
      • # of DLP false positives
  • % of incidents involving data-handling procedure violations.
    • Associated Metrics:
      • # of data processes with SOP
      • # of data processes without SOP
• KPX 3: Endpoint Vulnerability Issues
  • % of unpatched critical systems
    • Associated Metrics:
      • # of unpatched systems
      • # of missed patches
  • % of incidents related to IoT
    • Associated Metrics:
      • # of IoT devices
      • # of IoT unsecure devices
  • % of incidents related to BYOD
    • Associated Metrics:
      • # of end users doing BYOD
      • # of BYOD incidents

Develop Goals-Based KPIs

1.2 120 minutes

Materials

• Info-Tech KPI Development Worksheets

Participants

• Security Team

Output

• List of KPIs for immediate and future use (can be used to populate Info-Tech’s KPI Development Tool).

It’s your turn.

Follow the example of the CISO in the previous slides and try developing KPIs for the SMART goals set in step 1.1.

• To begin, decide if you are starting with implementation or improvement metrics.
• Enter your goal in the space provided on the left-hand side and work towards the right, assigning a KPI to track progress towards your goal.
• Use the associated metrics boxes to record what raw data will inform or influence your KPI.
  • Associated metrics are connected to the KPI box with a segmented line. This is because these associated metrics are not absolutely necessary to track progress towards your goal.
  • However, if a KPI starts trending in the wrong direction, these associated metrics would be used to determine where the problem has occurred.
• If desired, bundle together several related KPIs to create a key performance index (KPX), which is used to forecast the likelihood of certain risks that would have a major business impact (e.g. potential for insider threat, or risk for a data breach).

Record KPIs and assign them to goals in the Security Metrics Determination and Tracking Tool

1.2 Security Metrics Determination and Tracking Tool

Document KPI metadata in the tool and optionally assign them to a goal.

Tab “3. Identify Goal KPIs” allows you to record each KPI and its accompanying metadata:

• Source
• Owner
• Audience
• KPI Target
• Effort to Collect
• Frequency of Collection
• Comments

Optionally, each KPI can be mapped to goals defined on tab “2. Identify Security Goals.”

Info-Tech Best Practice

Ensure your metadata is comprehensive, complete, and realistic. A different employee should be able to use only the information outlined in the metadata to continue collecting measurements for the program.

Complete Info-Tech’s KPI Development Worksheets

1.2 KPI Development Worksheet

Use these worksheets to model the maturation of your metrics program.

Follow the examples contained in this slide deck and practice creating KPIs for:

• Implementation metrics
• Improvement metrics
• Organizational trends metrics

As well as drafting associated metrics to inform the KPIs you create.

Info-Tech Best Practice

Keep your metrics program manageable. This exercise may produce more goals, metrics, and KPIs than you deal with all at once. But that doesn’t mean you can’t save some for future use.

Build an effort map to prioritize your SMART goals

1.2 120 minutes

Materials

• Whiteboard
• Sticky notes
• Laptop

Participants

• Security team
• Other stakeholders

Output

• Prioritized list of SMART goals

An effort map visualizes a cost and benefit analysis. It is a quadrant output that visually shows how your SMART goals were assessed. Use the calculated Cost/Effort Rating and Benefit Rating values from tab “2. Identify Security Goals” of the Security Metrics Determination and Tracking Tool to aid this exercise.

Steps:

1. Establish the axes and colors for your effort map:
   1. X-axis (horizontal) - Security benefit
   2. Y-axis (vertical) - Overall cost/effort
   3. Sticky color - Business alignment
2. Create sticky notes for each SMART goal and place them onto the effort map based on your determined axes.
   • Goal # Example Security Goal - Benefit (1-12) - Cost (1-12)

1.3 Implement and monitor the KPI to track goal progress

Let’s put your KPI into action!

Now that you’ve developed KPIs to monitor progress on your goals, it’s time to use them to drive security program maturation by following these steps:

1. Review the KPI Development Worksheets (completed in step 1.2) for your prioritized list of goals. Be sure that you are able to track all of the associated metrics you have identified.
2. Track the KPI and associated metrics using Info-Tech’s KPI Development Tool (see following slide).
3. Update the data as necessary according to your SMART criteria of your goal.

A Word on Key Risk Indicators...

The term key risk indicator (KRI) gets used in a few different ways. However, in most cases, KRIs are closely associated with KPIs.

1. KPIs and KRIs are the same thing
   • A KPI, at its core, is really a measure of risk. Sometimes it is more effective to emphasize that risk rather than performance (i.e. the data shows you’re not meeting your goal).
2. KRI is KPI going the wrong way
   • After achieving the desired threshold for an improvement goal, our new goal is usually to maintain such a state. When this balance is upset, it indicates that settled risk has once again become active.
3. KRI as a predictor of emerging risks
   • When organizations reach a highly mature state, they often start assessing how events external to the organization can affect the optimal performance of the organization. They monitor such events or trends and try to predict when the organization is likely to face additional risks.

Track KPIs in the Security Metrics Determination and Tracking Tool

1.3 Security Metrics Determination and Tracking Tool

Once a metric has been measured, you have the option of entering that data into tab “4. Track Metrics” of the Tool.

Tracking metric data in Info-Tech's tool provides the following data visualizations:

• Sparklines at the end of each row (on tab “4. Track Metrics”) for a quick sense of metric performance.
• A metrics dashboard (on tab “5. Graphs”) with three graph options in two color variations for each metric tracked in the tool, and an overall metric program health gauge.

Info-Tech Best Practice

Be diligent about measuring and tracking your metrics. Record any potential measurement biases or comments on measurement values to ensure you have a comprehensive record for future use. In the tool, this can be done by adding a comment to a cell with a metric measurement.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

Workshops offer an easy way to accelerate your project. While onsite, our analysts will work with you and your team to facilitate the activities outlined in the blueprint.

Getting key stakeholders together to formalize the program, while getting started on data discovery and classification, allows you to kickstart the overall program.

In addition, leverage over-the-phone support through Guided Implementations included in advisory memberships to ensure the continuous improvement of the classification program even after the workshop.

Logan Rohde

Research Analyst – Security, Risk & Compliance Info-Tech Research Group

Ian Mulholland

Senior Research Analyst – Security, Risk & Compliance Info-Tech Research Group

Call 1-888-670-8889 for more information.

Phase 2

Adapt Your Reporting Strategy for Various Metric Types