Right-Size the Service Desk for Small Enterprise

Turn your help desk into a customer-centric service desk.

Analyst Perspective

Small enterprises have many of the same issues as large ones, but with far fewer resources. Focus on the most important aspects to improve customer service.

The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

Evaluate documentation to ensure there is always redundancy built in to cover absences. Determining coverage will be an important factor, especially if vendors will be brought into the organization to assist during shortages. They will not have the same level of knowledge as teammates and may have different requirements for documentation.

It is important to be customer centric, thinking about how services are delivered and communicated with a focus on providing self-serve at the appropriate level for your users and determining what information the business needs for expectation-setting and service level agreements, as well as communications on incidents and changes.

And finally, don’t discount the value of good reporting. There are many reasons to document issues besides just knowing the volume of workload and may become more important as the organization evolves or grows. Stakeholder reporting, regulatory reporting, trend spotting, and staff increases are all good reasons to ensure minimum documentation standards are defined and in use.

Sandi Conrad Principal Research Director Info-Tech Research Group

Table of Contents

Insight summary

Help desk to service desk

Blueprint deliverables

Standard Operating Procedures	Maturity Assessment	Categorization scheme	Improvement Initiative
Create a standard operating procedure to ensure the support team has a consistent understanding of how they need to engage with the business.

Blueprint benefits

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is six to ten calls over the course of three to four months.

The current state discussion will determine the path.

The service desk is the cornerstone for customer satisfaction

N=63, small enterprise organizations from the End-User Satisfaction Diagnostic, at December 2021 Dissatisfied was classified as those organizations with an average score less than 7. Satisfied was classified as those organizations with an average score greater or equal to 8.

End users who were satisfied with service desk effectiveness rated all other IT processes 36% higher than dissatisfied end users. End users who were satisfied with service desk timeliness rated all other IT processes 34% higher than dissatisfied end-users.

Improve the service desk with a Start, Stop, Continue assessment

Complete a maturity assessment to create a baseline and areas of focus

The Service Desk Maturity Assessment tool helps organizations assess their service desk process maturity and focus the project on the activities that matter most. The tool will help guide improvement efforts and measure your progress. The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state. The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance. Document the results of the efficiency assessment in the Service Desk Improvement Initiative. The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.

Define your vision for the support structure

Use this vision for communicating with the business and your IT team

Consider service improvements and how those changes can be perceived by the organization. For example, offering multiple platforms, such as adding Macs to end-user devices, could translate to “Providing the right IT solutions for the way our employees want to work.”

Facilitate service desk operations with an ITSM tool

You don’t need to spend a fortune. Many solutions are free or low-cost for a small number of users, and you don’t necessarily have to give up functionality to save money. Encourage users to submit requests through email or self-serve to keep organized. Ensure that reporting will provide you with the basics without effort, but ensure report creation is easy enough if you need to add more. Consider tools that do more than just store tickets. ITSM tools for small enterprises can also assist with: Equipment and software license management Self-serve for password reset and improving the experience for end users to submit tickets Software deployment Onboarding and offboarding workflows Integration with monitoring tools Info-Tech Insight Buying rather than building allows you the greatest flexibility and can provide enterprise-level functionality at small-enterprise pricing. Use Info-Tech’s IT Service Management Selection Guide to create a business case and list of requirements for your ITSM purchase.

Logos contain links

ITSM implementations are the perfect time to fix processes

Define roles looking to balance between customer service and getting things done

First contact – customer service, general knowledge Answers phones, chats, responds to email, troubleshooting, creates knowledge articles for end users. Analyst – experienced troubleshooter, general knowledge Answers phone when FC isn’t available, responds to email, troubleshooting, creates knowledge articles for first contact, escalates to other technicians or vendors. Analyst – experienced troubleshooter, specialist Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors. Engineer – deep expertise, specialist Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors. Vendor, Managed Service Providers Escalation point per contract terms, must meet SLAs, communicate regularly with analysts and management as appropriate. Who escalates and who manages them?

Note roles in the Incident Management and Service Desk – Standard Operating Procedure Template

Keep customers happy and technicians calm by properly managing your queue

If ticket volume is too high or too dispersed to effectively have teams self-select tickets, assign a queue manager to review tickets throughout the day to ensure they’re assigned and on the technician’s schedule. This is particularly important for technicians who don’t regularly work out of the ticketing system. Follow up on approaching or missed SLAs.

• Separate incidents (break fix) and service requests: Prioritize incidents over service requests to focus on getting users doing business as soon as possible. Schedule service requests for slower times or assign to technicians who are not working the front lines.
• First in/first out…mostly: We typically look to prioritize incidents over service requests and only prioritize incidents if there are multiple people or VIPs affected. Where everything is equal, deal with the oldest first. Pause occasionally to deal with quick wins such as password resets.
• Update ticket status and notes: Knowing what tickets are in progress and which ones are waiting on information or parts is important for anyone looking to pick up the next ticket. Make sure everyone is aware of the benefits of keeping this information up to date, so technicians know what to work on next without duplicating each other’s work.
• Implement solutions quickly by using knowledge articles: Continue to build out the knowledge base to be able to resolve end-user issues quickly, check to see if additional information is needed before escalating tickets to other technicians.
• Encourage end users to create tickets through the portal: Issues called in are automatically moved to the front of the queue, regardless of urgency. Make it easy for users to report issues using the portal and save the phone for urgent issues to allow appropriate prioritization of tickets.
• Create a process to add additional resources on a regular basis to keep control of the backlog: A few extra hours once a week may be enough if the team is focused without interruptions.
• Determine what backlog is acceptable to your users: Set that as a maximum time to resolve. Ideally, set up automated escalations for tickets that are approaching target SLAs, and build flexibility into schedules to have an “all hands on deck” option if the volume gets too high.

Info-Tech Insight

Make sure your queue manager has an accurate escalation list and has the authority to assign tickets and engage with the technical team to manage SLAs; otherwise, SLAs will never be consistently managed.

Best practices for ticket handling

Accurate data leads to good decisions. If working toward adding staff members, reducing recurring incidents, gaining access to better tools, or demonstrating value to the business, tickets will enable reporting and dashboards to manage your day-to-day business and provide reports to stakeholders. Provide an easy way for end users to electronically submit tickets and encourage them to do so. This doesn’t mean you shouldn’t still accept phone calls, but that should be encouraged for time sensitive issues. Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem. Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along to the next technician. Update user of ETA if issue cannot be resolved quickly. Update categories to reflect the actual issue and resolution. Reference or link to the knowledge base article as the documented steps taken to resolve the incident. Validate incident is resolved with client. Automate this process with ticket closure after a certain time. Close or resolve the ticket on time.

Ticket templates (or quick tickets) for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.

Create a right-sized self-service portal

Review tickets and talk to the team to find out the most frequent requests and the most frequent incidents that could be solved by the end user if there were clear instructions. Check with your user community to see what they would like to see in the portal.

Use customer satisfaction surveys to monitor service levels

Transactional surveys are tied to specific interactions and provide a means of communication to help users communicate satisfaction or dissatisfaction with single interactions. Keep it simple: One question to rate the service with opportunity to add a comment is enough to understand the sentiment and potential issues, and it will be more likely that the user will fill it out. Follow up: Feedback will only be provided if customers think it’s being read and actioned. Set an alert to receive notification of any negative feedback and follow up within one or two business days to show you’re listening.

Relationship surveys can be run annually to obtain feedback on the overall customer experience. Inform yourself of how well you are doing or where you need improvement in the broad services provided. Provide a high-level perspective on the relationship between the business and IT. Help with strategic improvement decisions. Should be sent over a duration of time and to the entire customer base after they’ve had time to experience all the services provided by the service desk. This can be done on an annual basis. For example: Info-Tech’s End User Satisfaction Diagnostic. Included in your membership.

Keep categorizations simple

Asset categorization provides reports that are straightforward and useful for IT and that are typically used where the business isn’t demanding complex reports.

Too many options can cause confusion; too few options provide little value. Try to avoid using “miscellaneous” – it’s not useful information. Test your tickets against your new scheme to make sure it works for you. Effective classification schemes are concise, easy to use correctly, and easy to maintain.

Build out the categories with these questions: What kind of asset am I working on? (type) What general asset group am I working on? (category) What particular asset am I working on? (sub-category) Create resolution codes to further modify the data for deeper reporting. This is typically a separate field, as you could use the same code for many categories. Keep it simple, but make sure it’s descriptive enough to understand the type of work happening in IT. Create and define simple status fields to quickly review tickets and know what needs to be actioned. Don’t stop the clock for any status changes unless you’re waiting on users. The elapsed time is important to measure from a customer satisfaction perspective. Info-Tech Insight Think about how you will use the data to determine which components need to be included in reports. If components won’t be used for reporting, routing, or warranty, reporting down to the component level adds little value.

Need to make quick progress? Use Info-Tech Research Group’s Service Desk Asset-Based Categories template.

1.1 Build or review your categories

Input: Existing tickets

Output: Categorization scheme

Materials: Whiteboard/Flip charts, Markers, Sample categorization scheme

Participants: CIO, Service desk manager, Technicians

Discuss:

• How can you use categories and resolution information to enhance reporting?
• What level of detail do you need to be able to understand the data and take action? What level of detail is too much?
• Are current status fields allowing you to accurately assess pending work at a glance?

Draft:

1. Start with existing categories and review, identifying duplicates and areas of inconsistency.
2. Write out proposed resolution codes and status fields and critically assess their value.
3. Test categories and resolution codes against a few recent tickets.
4. Record the ticket categorization scheme in the Incident Management and Service Desk – Standard Operating Procedure.

Download the Incident Management and Service Desk – Standard Operating Procedure Template

Separate tickets into service requests and incidents

		INCIDENTS	SERVICE REQUESTS
	PRIORITIZATION	Incidents will be prioritized based on urgency and impact to the organization.	Service requests will be scheduled and only increase in prioritization if there is an issue with the request process (e.g. new hire start).
	SLAs	Did incidents get resolved according to prioritization rules? REPONSE & RESOLUTION	Did service requests get completed on time? SCHEDULING & FULFILMENT
	TRIAGE & ROOT CAUSE ANALYSIS	Incidents will typically need triage at the service desk unless something is set up to go directly to a specialist.	Service requests don’t need triage and can be routed automatically for approvals and fulfillment.

“For me, the first key question is, is this keeping you from doing business? Is this a service request? Is it actually something that's broken? Well, okay. Now let's have the conversation about what's broken and keeping you from doing business.” (Anonymous CIO)

Determine how service requests will be fulfilled

• Identify standard requests, meaning any product approved for use and deployment in the organization.
• Determine whether this should be published and how. Consider a service catalog with the ability to create tickets right from the request page. If there is an opportunity to automate fulfillment, build that into your workflow and project plans.
• Create workflows for complicated requests such as onboarding, and build them into a template in the service desk tool. This will allow you to reduce the administrative work to deploy tasks.
• Who will fulfill requests? There may be a need for more than one technician to be able to fulfill if volume dictates, but it’s important to determine what will be done by each level to quickly assign those tickets for scheduling. Define what will be done by each group of technicians.
• Determine reasonable SLAs for most service requests. Identify which ones will not meet “normal” SLAs. As you build out a service catalog or automate fulfillment, SLAs can be refined.

Info-Tech Insight

Service requests are not as urgent as incidents and should be scheduled.

Set the SLA based on time to fulfill, plus a buffer to schedule around more urgent service requests.

1.2 Identify service requests and routing needs

2-3 hours

Input: Ticket data, Existing workflow diagrams

Output: Workflow diagrams

Materials: Whiteboard/Flip charts, Markers, Visio

Participants: CIO, Service desk manager, Technicians

Identify:

1. Create your list of typical service requests and identify the best person to fulfill, based on complexity, documentation, specialty, access rights.
2. Review service requests which include multiple people or departments, such as onboarding and offboarding
3. Draw existing processes.
4. Discuss challenges and critique existing process.
5. Document proposed changes and steps that will need to be taken to improve the process.

Download the Incident Management and Service Desk – Standard Operating Procedure Template

Incident management

1.3 Activity: Identify critical systems

1 hour

Input: Ticket data, Business continuity plan

Output: Service desk SOP

Materials: Whiteboard/Flip charts, Markers

Participants: CIO, Service desk manager, Technicians

Discuss and document:

1. Create a list of the most critical systems, and identify and document the escalation path.
2. Review inventory of support documents for critical systems and identify any that require runbooks to ensure quick resolution in the event of an outage or major performance issue. Refer to the blueprint Incident Management for Small Enterprise to prioritize and document runbooks as needed.
3. Review vendor agreements to determine if SLAs are appropriate to support needs. If there is a need for adjustments, determine options for modifying or renegotiating SLAs.

Download the Incident Runbook Prioritization Tool

Prioritization scheme

Focus primarily on incidents. Service requests should always be medium urgency, unless there is a valid reason to move one to high level. Separate major outages from all other tickets as these are a major factor in business impact. Decide how many levels of severity are appropriate for your organization. Build a prioritization matrix, breaking down priority levels by impact and urgency. Build out the definitions of “impact” and “urgency” to complete the prioritization matrix. Run through examples of each priority level to make sure everyone is on the same page.

Document escalation rules and contacts

Depending on the size of the team, escalations may be mostly to internal technical colleagues or could be primarily to vendors.

• Ensure the list of escalation rules and contacts is accurate and available, adding expected SLAs for quick reference
• If tickets are being escalated but shouldn’t be, ensure knowledge articles and training materials are up to date
• Follow up on all external escalations, ensuring SLAs are respected
• Publish an escalation path for clients if service is not meeting their needs (for internal and external providers) and automate escalations for tickets breaching SLAs

User doesn’t know who will fix the issue but expects to see it done in a reasonable time.	If issue cannot be resolved right away, set expectations for resolution time. Document information so next technician doesn’t need to ask the same questions. Escalate to the right technician the first time.	Check notes to catch up on the issue. Run tests if necessary. Contact user to troubleshoot and fix. Meet SLAs or update client on new ETA. Provide complete information to vendor. Monitor resolution. Follow up with vendor if delays. Update client as needed.	Vendor will provide support according to agreement. Encourage vendor to provide regular updates to IT. Review vendor performance regularly. IT will validate issue is resolved and close ticket.	Validate user is happy with the experience

Define, measure, and report on service level agreements

Determine what communications are most important and who will do them

	PROACTIVE, PLANNED CHANGES	From: Service Desk Messaging provided by engineer or director, sent to all employees; proactive planning with business unit leaders.
	OUTAGES & UPDATES	From: Service Desk Use templates to send out concise messaging and updates hourly, with input from technical team working on restoring services to all; director to liaise with business stakeholders.
	UPDATES TO SERVICES, SELF-SERVE	From: Director Send announcements no more than monthly about new services and processes.
	REGULAR STAKEHOLDER COMMUNICATIONS	From: Director Monthly reporting to business and IT stakeholders on strategic and project goals, manage escalations.

1.4 Create communications plan

2 hours

Input: Sample past communications

Output: Communications templates

Materials: Whiteboard/flip charts, Markers

Participants: CIO, Service desk manager, Technicians

Determine where templates are needed to ensure quick and consistent communications. Review sample templates and modify to suit your needs:

1. Proactive, planned changes
2. Outages and updates
3. Updates to services, self-serve
4. Regular stakeholder communications

Download the communications templates

What else can you do to improve service?

Review the next few pages to see if you need additional blueprints to help you:

• Evaluate staffing and training needs to ensure the right number of resources are available and they have the skills they need for your environment.
• Create self-service for end users to get quick answers and create tickets.
• Create a knowledge base to ensure backup for technical expertise.
• Develop customer service skills through training.
• Perform ticket analysis to better understand your technical environment.

Create your roadmap with high-level requirements

Determine what tasks and projects need to be completed to meet your improvement goals. Create a high-level project plan and balance with existing resources.

Bibliography

Taylor, Sharon and Ivor Macfarlane. ITIL Small Scale Implementation. Office of Government Commerce, 2005.

“Share, Collaborate, and Communicate on One Consistent Platform.” Liferay, n.d. Accessed 19 July 2022.

Rodela, Jimmy. “A Beginner’s Guide to Customer Self-Service.” The Ascent, 18 May 2022. Web.

Foster Data-Driven Culture With Data Literacy

Data literacy is an essential part of a data-driven culture, bridging the data knowledge gaps across all levels of the organization.

Analyst Perspective

Data literacy is the missing link to becoming a data-driven organization.

“Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.

Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.

Annabel Lui

Principal Advisory Director, Data & Analytics Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.

Your Challenge

Data literacy is the missing link to drive business outcomes from data.

• Having a data-driven culture as an organization’s mission statement without implementing a data literacy program is like making an empty promise and leaving the value unrealized and unattainable.
• A study conducted by the Data Literacy Project clearly indicates that organizations with aggressive data literacy programs will outperform those who do not have such programs. By 2030, data literacy will be one of the most sought-after skill sets. All employees require data literacy skills.
• Everyone has a role in data. From employees who are actively involved in data collection to operational teams who create reports with analytics tools and finally to executives who use data to make business decisions – they all require continuous data literacy training in a data-driven organization. Because of differences in maturity, data literacy strategies cannot be one-size-fits-all.

“Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.

75% of organizational employees have access to data tools – only 21% demonstrated confidence in their data skills.

Source: Accenture, 2020.

89% of C-level executives expect team members to explain how data has informed their decisions, but only 11% employees are fully confident in their ability to read, analyze, work with, and communicate with data

Source: Qlik, 2022.

Data debt or data asset?

Manage your data as strategic assets.

“[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”

Signs of data debt when considering investing in data literacy:

• Lack of definition and understanding of data terms, therefore they don’t speak the same language. Without data literacy, an organization will not succeed in becoming a data-driven organization.
• Putting data literacy as a low priority. Organization sees this as “another” training to put on the list and keeps it on the back burner.
• Data literacy is not seen as the number one skill set needed in the organization. However, anyone who works with data requires data skills.
• End users are not trained on self-serve features and tools.
• Focusing on a minority group of people rather than everyone in the organization or seeing it as a one-off exercise.
• Delays or failure to deliver digital transformation projects due to lack of data skills and data access issues.

66%

of organizations say a backlog of data debt is impacting new data management initiatives.

40%

of organizations say individuals within the business do not trust data insights.

30%

of organizations are unable to become data-driven.

Source: Experian, 2020

Info-Tech’s Approach

Data literacy is critical to success with digital transformation and AI analytics.

The Info-Tech difference:

1. More than just technical training. Data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data.
2. More than a one-off exercise. To keep literacy skills alive, the program must be routine and sustainable, tailored to different needs across all levels of the organization.
3. More than one delivery format. Different delivery methods need to be considered to suit various learning styles.

Data needs to be processed

Data – facts – are organized, processed, and given meaning to become insights.

Image source: Welocalize, 2020.

Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.

Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.

When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.

Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).

Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.

Investment in data literacy is a game changer.

Data literacy is the ability to collect, manage, evaluate, and apply data in a critical manner.

A data-driven culture is “an operating environment that seeks to leverage data whenever and wherever possible to enhance business efficiency and effectiveness” (Forbes).

Info-Tech Insight

Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.

Info-Tech’s methodology for building a data literacy program

Insight Summary

“In a world of more data, the companies with more data-literate people are the ones that are going to win.”

– Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021

Overarching insight

By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.

Module 1 insight

We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.

Module 2 insight

Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.

Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.

Module 3 insight

A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.

Tactical insight

A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.

Tactical insight

Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.

Key performance indicators (KPIs) for your data literacy program

How do you know if your data literacy program is successful? Here are some useful KPIs:

Program Adoption Metrics

• Percentage of employees attending data literacy training
• Percentage of participants who report gains in data management knowledge after training sessions
• Maturity assessment result
• Survey and diagnostic feedback before and after training
• Trend analysis of overall data literacy program

Operational Metrics

• Number of requests for analytics/reporting services
• Number of reports created by users
• Speed and quality of business decisions
• User satisfaction with reports and analytics services
• Improved business performance (customer satisfaction)
• Improved valuation of organization data

A data-driven culture builds tools and skills, builds users’ trust in the quality of data across sources, and raises the skills and understanding among the frontlines by encouraging everyone to leverage data for critical thinking and innovation.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."

Diagnostics and consistent frameworks are used throughout all four options.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Define Data Literacy Objectives

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Understand the organization’s needs.
• Create vision and objective for data literacy program.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

1.1 Gauge your organization’s current data culture

Conduct data culture survey or diagnostic.

1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

1.2 Define data literacy objectives

1. Understand the organization’s needs by identifying opportunities and challenges relating to data. Document the described real-life examples.
2. Categorize the list and identify areas where data literacy can address the business problem.
3. Create a vision statement for the data literacy program, ensuring that it covers all levels of the organization.
4. Articulate the intended targets and goals in planning for a data literacy program.

Quick wins for improving data literacy

Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:

87%

think more can be done to define and document commonly used terms with methods such as a business data glossary.

68%

think they can have a better understanding of the meaning of all data elements that are being captured or managed.

86%

feel that they can have more training in terms of tools as well as on what data is available at the organization.

Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652

Quick Wins

• Create a business data glossary to document and define common terms.
• Provide easy access to the business data glossary and procedures on how data is captured and managed.
• Launch an organization-wide data literacy program.

Delivering value is a means and the goal

Start with real business problems in a hands-on format to demonstrate the value of data.

Identify business problem:

• Business decisions without facts are just guesses.
• Management spends a lot of time finding and fixing data.
• Unknown challenges on data assets and risk.
• Incomplete view of customer/client and industry.
• Not ready for modern data opportunities (e.g. artificial intelligence).

Create an objective

Treat data as a strategic asset to gain insight into our customers for all levels of organization.

The solution: Data-driven culture powered by people who speak data.

• Data dictionary
• Data literacy
• Trusted single source
• Access to analytics tools
• Decision making

"According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."

– Alation, 2020

Fundamental data literacy

Data literacy is more than just a technical training or a one-off exercise.

Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.

Info-Tech Research Group’s Data Literacy Program

Use discovery and diagnostics to understand users’ comfort level and maturity with data.

Data lunch 'n' learn

• The power and value of data
• Everyone is a data steward
• Becoming data literate
• Data 101
• The future is data

1 hour

Speak data

• What is data
• Meet the data team
• Day in the life of a steward
• How data impacts you
• Tools of the trade

1/2 day

Your data story

• Ask the right questions
• Find the top five data elements
• Understand your data
• Present your data story
• Lessons from COVID-19

1/2 day

Phase 2

Assess Learning Style and Align to Program Design

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Identify your audience.
• Assess learning styles and align them to the data program design.
• Determine the right delivery method.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

Avoid common pitfalls

75%

feel that training was too long to remember or to apply in their day-to-day work.

21%

find training had insufficient follow-up to help them apply on the job.

Source: Grovo, 2018.

1. Information Overload

   Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.

2. Limited Implementation

   Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.

3. Lack of Organizational Alignment

   Implementing training without a clear link to organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving effectiveness.

2.1 Understand learning style

1. Create persona and identify the audiences and their roles in data across all levels of the organization.
2. Identify the data program initiatives and assign the best delivery method to each initiative.
3. Assign participants to each program initiative based on their skill gap and learning style.

You and data

Is data an integral part of your work?

Do you feel comfortable finding and using data in your organization?

• Many people feel intimidated by data and therefore miss out on what data can do for them.
• Often the obstacle is language. If you don’t understand the semantics around data, you will not feel confident to contribute to discussions around data.
• You use data every day but need additional vocabulary to understand how to handle it properly.
• Data literacy is the ability to “speak data” and to understand what data means (i.e. how to read charts and graphs, draw valid conclusions, and recognize when data is misinterpreted or used inappropriately to be misleading).
• The business often doesn’t understand its role in data governance and how it informs and assists IT in responsible data management.

Info-Tech Insight

IT and data professionals need to understand the business as much as business needs to talk about data. Bidirectional learning and feedback improves the synergy between business and IT.

Create personas

Persona creation is a way to brainstorm ideas for the data literacy program.

Choose a data role (e.g. data steward, data owner, data scientist).

Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.

Identify data skill and level of skills required.

Consider these other ways to brainstorm:

• Review current in-flight projects.
• Analyze types of data requests.
• Understand needs by department.
• Share learnings in a community of practice.

Program design

Categorize into six data skill areas

Not everyone needs the same level of skill sets

Map the personas to the program

Bridging the data knowledge gap.

• Each component will promote the value of data to all levels of employees when demonstrating the right way for data to be understood, managed, and consumed in the organization.
• Categorizing the data literacy program into six areas and levels of skill sets will provide clarity into which areas to focus on.
• The program is intended to be implemented in stages, allowing the audience to learn and adopt the new skills. Leveraging in-flight projects for rolling out training will have a higher success because the need is already built into the project.

Align program design to learning styles

Info-Tech Insight

Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.

When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.

Discussion method

Delivery Method

• Interactive format between instructor and learner
• Instructor empowers and motivates learner through dialogues and exercises

The imaginative learner

The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.

For this group of learners, their question is: why should I learn this?

Learning characteristics

• Seek meaning
• Need to be personally involved
• Learn by listening and sharing ideas
• Function through social interaction

Information method

Delivery Method

• Instructor does most of the talking in the training
• Instructor is teaching the content, delivering the training content, and demonstrating

Analytical learner

The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.

For this group of learners, their question is: what should I learn?

Learning characteristics

• Seek and examine the facts
• Need to know what experts think
• Interested in ideas and concepts
• Critique information and collect data
• Function by adapting to experts

Coaching method

Delivery Method

• Learning has on-the-job training or learning through role-play exercises
• Instructor is coaching and facilitating learner

Common sense learner

The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.

For this group of learners, their question is: how should I learn?

Learning characteristics

• Seek usability
• Need to know how things work
• Learn by testing theories using practical methods
• Use factual data to build concepts
• Enjoy hands-on experience

Self-discovery method

Delivery Method

• Interactive format between instructor and learner
• Instructor provides evaluation and remedial instruction

Common sense learner

The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.

For this group of learners, their question is: what if I learn this?

Learning characteristics

• Seek hidden possibilities
• Need to know what can be done with things
• Learn by trial and error
• Enjoy variety and excel in being flexible

Delivery method considerations

There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

Phase 3

Map Out Data Literacy Roadmap and Milestones

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Complete a roadmap exercise.
• Set key performance metrics and milestones.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

3.1 Build the data literacy roadmap and milestones

1-3 hours

1. Gather the data literacy objectives and list of program initiatives with their assigned groups.
2. Discuss each program initiative with the data literacy creation team, assigning content owners and estimating effort required to build the content.

For the Gantt chart:

• Input the roadmap start year.
• List each data literacy topic and delivery method.
• Populate the planned start and end dates for the prepopulated list of program initiatives.

Data literacy journey mapping

Making it sustainable

• Deliver the literacy program in stages to make it easier for the audience to consume the content.
• Allow opportunities to apply the learnings at work.
• Map out the data literacy trainings as they get delivered and identify gaps, if any. Continue to refine and adjust the program and delivery method for better outcome.
• Set clear goals and KPIs measurement up front.
• Conduct Info-Tech Research Group’s Data Culture Diagnostics to set the baseline and repeat the assessment in 12 to 18 months.
• Assign champions to lead change and influence end users to adopt better processes.

Research contributors

Info-Tech’s Data Literacy Program

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Related Info-Tech Research

Establish Data Governance

Deliver measurable business value.

Build a Robust and Comprehensive Data Strategy

Key to building and fostering a data-driven culture.

Create a Data Management Roadmap

Streamline your data management program with our simplified framework.

Bibliography

About Learning. “4MAT overview.” About Learning., 16 Aug. 2001. Web.

Accenture. “The Human Impact of Data Literacy,” Accenture, 2020. Web.

Anand, Shivani. “IDC Reveals India Data and Content Technologies Predictions for 2022 and onwards; Focus on Data Literacy for an Elevated data Culture.” IDC, 14 Mar. 2022. Web.

Belissent, Jennifer, and Aaron Kalb. “Data Literacy: The Key to Data-Driven Decision Making.” Alation, April 2020. Web.

Brown, Sara. “How to build data literacy in your company.” MIT Sloan School of Management, 9 Feb 2021. Web.

---. “How to build a data-driven company.” MIT Sloan School of Management, 24 Sept. 2020. Web.

Domo. “Data Never Sleeps 9.0.” Domo, 2021. Web.

Dykes, Brent. “Creating A Data-Driven Culture: Why Leading By Example Is Essential.” Forbes, 26 Oct. 2017. Web.

Experian. “10 signs you are sitting on a pile of data debt.” Experian, 2020. Accessed 25 June 2021. Web.

Experian. “2019 Global Data Management Research.” Experian, 2019. Web.

Knight, Michelle. “Data Literacy Trends in 2023: Formalizing Programs.” Dataversity, 3 Jan. 2023. Web.

Ghosh, Paramita. “Data Literacy Skills Every Organization Should Build.” Dataversity, 2 Nov. 2022. Web.

Johnson, A., et al., “How to Build a Strategy in a Digital World,” Compact, 2018, vol. 2. Web.

LifeTrain. “Learning Style Quiz.” EMTrain, Web.

Lambers, E., et al. “How to become data literate and support a data-drive culture.” Compact, 2018, vol. 4. Web.

Marr, Benard. “Why is data literacy important for any business?” Bernard Marr & Co., 16 Aug. 2022. Web.

Marr, Benard. “8 simple ways to enhance your data literacy skills.” Bernard Marr & Co., 16 Aug. 2022. Web/

Mendoza, N.F. “Data literacy: Time to cure data phobia” Tech Republic, 27 Sept. 2022. Web.

Mizrahi, Etai. “How to stay ahead of data debt and downtime?” Secoda, 17 April 2023. Web.

Needham, Mass., “IDC FutureScape: Top 10 Predictions for the Future of Intelligence.” IDC, 5 Dec. 2022. Web.

Paton, J., and M.A.P. op het Veld. “Trusted Analytics.” Compact, 2017, vol. 2. Web.

Qlik. “Data Literacy to be Most In-Demand Skill by 2030 as AI Transforms Global Workplaces.” Qlik., 16 Mar 2022. Web.

Qlik. “What is data literacy?” Qlik, n.d. Web.

Reed, David. Becoming Data Literate. Harriman House Publishing, 1 Sept. 2021. Print.

Salomonsen, Summer. “Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018.” Grovos Blog, 5 Dec. 2018. Web.

Webb, Ryan. “More Than Just Reporting: Uncovering Actionable Insights From Data.” Welocalize, 1 Sept. 2020. Web.

Annual CIO Survey Report 2024

An inaugural look at what's on the minds of CIOs.

1. Firmographics

• Region
• Title
• Organization Size
• IT Budget Size
• Industry

Firmographics

The majority of CIO responses came from North America. Contributors represent regions from around the world.

n=354

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

38% of respondents are from an organization with above 1,000 employees

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

40% of CIOs report an annual budget of more than $10 million

A range of industries are represented, with 29% of respondents in the public sector or financial services

2. Key Factors

• IT Maturity
• Disruptive Factors
• IT Spending Plans
• Talent Shortage

Two in three respondents say IT can deliver outcomes that Support or Optimize the business

Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

How likely is it that the following factors will disrupt your business in the next 12 months?

Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

3. Adoption of Emerging Technology

• Fastest growing tech for 2024 and beyond

CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

Top five technologies for new spending planned in 2024:

1. Artificial intelligence - 35%
2. Robotic process automation or intelligent process automation - 24%
3. No-code/low-code platforms - 21%
4. Data management solutions - 14%
5. Internet of Things (IoT) - 13%

Top five technologies for new spending planned after 2024:

1. Mixed reality - 20%
2. Blockchain - 19%
3. Internet of Things (IoT) - 17%
4. Robotics/drones - 16%
5. Robotic process automation or intelligent process automation - 14%

n=301

Info-Tech Insight
Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

4. Adoption of AI

• Interest in generative AI applications
• Tasks to be completed with AI
• Progress in deploying AI

CIOs are most interested in industry-specific generative AI applications or text-based

Rate your business interest in adopting the following generative AI applications:

There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

n=251

Info-Tech Insight
Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

Most popular use cases for AI by end of 2024:

1. Business analytics or intelligence - 69%
2. Automate repetitive, low-level tasks - 68%
3. Identify risks and improve security - 66%
4. IT operations - 62%
5. Conversational AI or virtual assistants - 57%

Fastest growing uses cases for AI in 2024:

1. Automate repetitive, low-level tasks - 39%
2. IT operations - 38%
3. Conversational AI or virtual assistants - 36%
4. Business analytics or intelligence - 35%
5. Identify risks and improve security - 32%

n=218

Info-Tech Insight
The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

One in three CIOs are running AI pilots or are more advanced with deployment

How far have you progressed in the use of AI?

Info-Tech Insight
Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

5. AI Risk

• Perceived impact of AI
• Approach to third-party AI tools
• AI features in business applications
• AI governance and accountability

Six in ten CIOs say AI will have a positive impact on their organization

What overall impact do you expect AI to have on your organization?

The majority of CIOs are waiting for professional-grade generative AI tools

Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

Info-Tech Insight
Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

Who in your organization is accountable for governance of AI?

More than one-third of CIOs say no AI governance steps are in place today

What AI governance steps does your organization have in place today?

Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

6. Contribute to Info-Tech's Research Community

• Volunteer to be interviewed
• Attend LIVE in Las Vegas

It's not too late; take the Future of IT online survey

Contribute to our tech trends insights

If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

Complete an interview for the Future of IT research project

Help us chart the future course of IT

If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

Methodology

All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

A CIO focus for the Future of IT

Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

This data segment reflects 355 total responses with 239 completing every question on the survey.

Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

Navigate the Digital ID Ecosystem to Enhance Customer Experience

Beyond the hype: How it can help you become more customer-focused?

Executive Summary

Info-Tech Insight

Focusing on customer touchpoints and transforming them is key to excellent user experience and increasing their lifetime value (LTV) to them and to your organization. Digital ID is that tool of transformation.

Analyst Perspective

Digital Identity Ecosystem and vital ingredients of adoption

What is digital identity?

Definitions may vary, depending on the focus.

“Digital identity (ID) is a set of attributes that links a physical person with their online interactions. Digital ID refers to one’s online persona - an online footprint. It touches important aspects of one’s everyday life, from financial services to health care and beyond.” - DIACC Canada

“Digital identity is a digital representation of a person. It enables them to prove who they are during interactions and transactions. They can use it online or in person.” - UK Digital Identity and Attributes Trust Framework

“Digital identity is an electronic representation of an entity (person or other entity such as a business) and it allows people and other entities to be recognized online.” - Australia Trusted Digital Identity Framework

A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity.

Digital identity has many dimensions*, and in turn categories

Info-Tech Insight

Digital ID has taken different meanings for different people, serving different purposes in different environments. Based on various aspects of Digital Identification, it can be categorized in several types. However, most of the time when people refer to a form of identification as Digital ID, they refer to a verified id with built-in trust either from the government OR the eco-system.

* Please refer to Taxonomy for the definition of each of the dimensions

Understanding a digital identity ecosystem is key to formulating your approach to adopt it

Info-Tech Insight

Digital identity ecosystems comprise many entities playing different roles, and sometimes more than one. In addition, variations in approach by jurisdictions drive how many active players are in the ecosystem for that jurisdiction.

For example, in countries like Estonia and India, government plays the role of trust and governance authority as well as ID provider, but didn’t start with any Digital ID wallet. In contrast, in Ukraine, Diia App is primarily a Digital ID Wallet. Similarly, in the US, different states are adopting private Digital ID Wallet providers like Apple.

Digital ID ecosystem’s sustainability lies in the key principles it is built on

Social, economic, and legal alignment with target stakeholders
Transparent governance and operation
Legally auditable and enforceable
Robust and Resilient – High availability
Security – At rest, in progress, and in transit
Privacy and Control with users
Omni-channel Convenience – User and Operations
Minimum data transfer between entities
Technical interoperability enabled through open standards and protocol
Scalable and interoperable at policy level
Cost effective – User and operations
Inclusive and accessible

Info-Tech Insight

A transparent, resilient, and auditable digital ID system must be aligned with socio-economic realities of the target stakeholders. It not only respects their privacy and security of their data by minimizing the data transfer between entities, but also drives desired customer experience by providing an omni-channel, interoperable, scalable, and inclusive ecosystem while still being cost-effective for the collaborators.

Source: Adapted from Canada PCTF, UK Trust framework, European Commission, Australia TDIF, and others

Focus on key success factors to drive the digital ID adoption

Digital ID success factors

Legislative regulatory framework – Removes uncertainty
Security & Privacy Assurance- builds trust
Smooth user experience – Drives preferences
Transparent ecosystem – Drives inclusivity
Multi-channel – Drive consistent experience online / offline
Inter-operability thorough open standards
Digital literacy – Education and awareness
Multi-purpose & reusable – Reduce consumer burden
Collaborative ecosystem –Build network effect

Source: Adapted from Canada PCTF, UK digital identity & attributes trust framework , European eIDAS, and others

Info-Tech Insight

Driving adoption of Digital ID requires affirmative actions from all ecosystem players including governing authorities, identity providers, and identity consumers (relying parties).

These nine success factors can help drive sustainable adoption of the Digital ID.

Among many responsibilities the ecosystem players have, identity governance is the key to sustainability

Digital identity provision Creating identity attributes Create a reusable identity and attribute service Create a digital identity Assess and manage quality of an identity and attributes Making identity provision inclusive and accessible Digital identity resolution Enabling inclusive access to products and services through digital identity Authenticate and authorize identity subjects before permitting access to their identity and attributes Digital identity governance Manage digital identity and attributes Make Identity service interoperable, and sharable Recover digital identity and attribute accounts Notifying users on accessing identity or making changes on more attributes Report and audit – exclusion, accessibility Retiring an identity or attribute service Respond to complaints and disputes Enterprise risk management and governance

Privacy and security Use encryption Privacy compliance framework Consumer Privacy Protection laws (CPPA, GDPR etc.) Acquiring and managing user consents & agreements Prohibited processing of personal data Security controls and governance Information management Record management Archival Disposal (on expiry or to comply with regulations) CIA (confidentiality, integrity, availability) Fraud management Fraud monitoring and reporting Fraud intelligence and analysis Sharing threat indicators Legal, policies and procedures for fraud management Incident response Respond to fraud incidents Respond to a service delivery incident Responding to data breaches Performing and participating in investigation

Global evolution of digital ID is following the socio-economic aspirations of countries

Source: Adapted from the book: Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018

Info-Tech Insight

The world became global a long time ago; however, it sustained economic progress without digital IDs for most of the world's population.

With the pandemic, when political rhetoric pointed to the demand for localized supply chains, economies became irreversibly digital. In this digital economy, the digital ID ecosystem is the fulcrum of sustainable growth.

At a time in overlapping jurisdictions, multiple digital IDs can exist. For example, one is issued by a local municipality, one by the province, and another by the national government.

Global footprint of digital ID is evolving rapidly, but varies in approach

Info-Tech Insight

Countries’ approach to the digital ID is rooted in their socio-economic environment and global aspirations.

Emerging economies with large underserved populations prioritize fast implementation of digital ID through centralized systems.

Developed economies with smaller populations, low trust in government, and established ID systems prioritize developing trust frameworks to drive decentralized full-scale implementation.

There is no right way except the one which follows Digital ID principles and aligns with a country’s and its people’s aspirations.

Estonia's e-identity is the key to its digital agenda 2030

India’s Aadhaar is the foundation of its digital journey through “India stack”

Ukraine’s Diia is a resilient act to preserve their identities during threat to their existence

Canada’s PCTF (Pan Canadian Trust Framework) driving the federated digital identity ecosystem

Regulatory Accountability: Treasury Board of Canada Secretariat (TBS); Canadian Digital Service (CDS); Office of CIO Standard Setting: Digital Identification and Authentication Council of Canada (DIACC)

Frameworks: Treasury Board Directive on Identity Management Pan Canadian Trust Framework (PCTF) Voilà Verified Trustmark Program: ISO aligned compliance certification program on PCTF Governing / Certificate Authority: Trustmark Oversight Board (TOB) and DIACC accredited assessor Operational Governance: Federated between identity providers and identity consumers Identity Providers: Public and Private Sector Other entities involved: Digital ID Lab (Voila Verified Auditor); Kuma (Accredited Assessor)

82% People supportive of Digital ID. 2/3 Canadians prefer public-private partnership for Pan-Canadian digital ID framework. >40% Canadians prefer completing various tasks and transactions digitally. 75% Canadians are willing to share personal information for better experience. >80% Trust government, healthcare providers, and financial institutions with their personal information. Source: DIACC Survey 2021

Uniqueness Although a few provinces in Canada started their Digital ID journey already, federally, Canada lacked an approach. Now Canada is developing a federated Digital ID ecosystem driven through the Pan-Canadian Trust Framework (PCTF) led by a non-profit (DIACC) formed with public and private partnership.

Australia’s digital id is pivotal to its vision to become one of the Top-3 digital governments globally by 2025*

* Australia Digital Government Strategy 2021

UK switches gear to the Trust Framework approach to build a public-private digital ID ecosystem

Government: Ministry of Digital Infrastructure / Department of Digital, Culture, Media, and Sport Governing Body / Certificate Authority / Operational Governance: TBD Approach: Trust Framework-based UK Digital Identity and attributes trust framework (UKDIATF) Identity providers: Transitioning from “GOV.UK Verify” to a federated digital identity system aligned with “Trust Framework” – enabling both government (“One Login for Government”) and private sector identity providers.

Uniqueness UK embarked its Digital ID journey through Gov.UK Verify but decided to scrap it recently. It is now preparing to build a trust framework-based federated digital ID ecosystem with roles like schema-owners and orchestration service providers for private sector and drive the collaboration between industry players.

Digital ID will transform all industries, though financial services and e-governance will gain most

USE CASE

Car rental

INDUSTRY: Travel & Tourism

Source: Info-Tech Research Group

USE CASE

e-Governance public distribution service

INDUSTRY: Government

Source: Info-Tech Research Group

USE CASE

Real-estate investment and sale

INDUSTRY: Asset Management

Source: Info-Tech Research Group

1 Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)

2 UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf)

Adopting digital ID benefits everybody – governments, id providers, id consumers, and end users

Digital ID will transform all industries, though financial services and e-governance will gain most

Digital ID brings end users choice, convenience, control, and cost-saving, driving overall experience

Digital id benefits identity consumers by enhancing multiple dimensions of their value streams

Before embarking on the digital identity adoption journey, assess your readiness

Legislative coverage

Does your target jurisdiction have adequate legislative framework to enable uses of digital identities in your industry?

Trust framework

If the Digital ID ecosystem in your target jurisdiction is trust framework-based, do you have adequate understanding of it?

Customer touch-points

Do you have exact understanding of value stream and customer touch-points where you interact with user identity?

Relevant identity attributes

Do you have exact understanding of the identity attributes that your business processes need to deliver customer value?

Regulatory compliance

Do you have required systems to ensure your compliance with industry regulations around customer PII and identity?

Interoperability with IMS

Is your existing identity management system interoperable with Open-source Digital Identity ecosystem?

Enterprise governance

Have you established an integrated enterprise governance framework covering business processes, technical systems, and risk management?

Communication strategy

Do have a clear strategy (mode, method, means) to communicate with your target customer and persuade them to adopt digital identity?

Security operations center

Do you have security operations center coordinating detection, response, resolution, and communication of potential data breaches?

Ten steps to adopt to enhance the customer experience

Understand and manage the risks and challenges of digital identity adoption

Recommendations to help you realize the potential of digital identity into your value streams

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Attributes: An identity attribute is a statement or information about a specific aspect of entity’s identity ,substantiating they are who they claim to be, own, or have.

Attribute (or Credential) provider: An attribute or credential provider could be an organization which issues the primary attribute or credential to a subject or entity. They are also responsible for identity-attribute binding, credential maintenance, suspension, recovery, and authentication.

Attribute (or Credential) service provider: An attribute service provider could be an organization which originally vetted user’s credentials and certified a specific attribute of their identity. It could also be a software, such as digital wallet, which can store and share a user’s attribute with a third party once consented by the user. (Source: UK Govt. Trust Framework)

Attribute binding: This is a process an attribute service providers uses to link the attributes they created to a person or an organization through an identifier. This process makes attributes useful and valuable for other entities using these attributes. For example, when a new employee joins a company, they are given a unique employee number (an identifier), which links the person with their job title and other aspects (attributes) of his job. (Source: UK Govt. Trust Framework)

Authentication service provider: An organization which is responsible for creating and managing authenticators and their lifecycle (issuance, suspension, recovery, maintenance, revocation, and destruction of authenticators). (Source: DIACC)

Authenticator: Information or biometric characteristics under the control of an individual that is a specific instance of something the subject has, knows, or does. E.g. private signing keys, user passwords, or biometrics like face, fingerprints. (Source: Canada PCTF)

Authentication (identity verification): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

Authorization: The process of validating if the authenticated entity has permission to access a resource (service or product).

Biometrics attributes: Human attributes like retina (iris), fingerprint, heartbeat, facial, handprint, thumbprint, voice print.

Centralized identity: Digital identities which are fully governed by a centralized government entity. It may have enrollment or registration agencies, private or public sector, to issue the identities, and the technical system may still be decentralized to keep data federated.

Certificate Authority (CA or accredited assessors): An organization or an entity that conducts assessments to validate the framework compliance of identity or attribute providers (such as websites, email addresses, companies, or individual persons) serving other users, and binding them to cryptographic keys through the issuance of electronic documents known as digital certificates.

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Collective (non-resolvable) attributes: Nationality, domicile, citizenship, immigration status, age group, disability, income group, membership, (outstanding) credit limit, credit score range.

Contextual identity: A type of identity which establishes an entity’s existence in a specific context – real or virtual. These can be issued by public or private identity providers and are governed by the organizational policies. E.g. employee ID, membership ID, social media ID, machine ID.

Credentials: A physical or a digital representation of something that establishes an entity’s eligibility to do something for which it is seeking permission, or an association/affiliation with another, generally well-known entity. E.g. Passport, DL, password. In the context of Digital Identity, every identity needs to be attached with a credential to ensure that the subject of the identity can control how and by whom that identity can be used.

Cryptographic hash function: A hash function is a one-directional mathematical operation performed on a message of any length to get a unique, deterministic, and fixed size numerical string (the hash) which can’t be reverse engineered to get the input data without deploying disproportionate resources. It is the foundation of modern security solutions in DLT / blockchain as they help in verifying the integrity and authenticity of the message.

Decentralized identity (DID) or self-sovereign identity: This is a way to give back the control of identity to the subject whose identity it is, using an identity wallet in which they collect verified information about themselves from certified issuers (such as the government). By controlling what information is shared from the wallet to requesting third parties (e.g. when registering for a new online service), the user can better manage their privacy, such as only presenting proof that they’re over 18 without needing to reveal their date of birth. Source: (https://www.gsma.com/identity/decentralised-identity)

Digital identity wallet: A type of digital wallet refers to a secure, trusted software applications (native mobile app, mobile web apps, or Rivas-hosted web applications) based on common standards, allowing a user to store and use their identity attributes, identifiers, and other credentials without loosing or sharing control of them. This is different than Digital Payment Wallets used for financial transactions. (Source: https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf)

Digital identity: A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity. E.g. Estonia eID , India Aadhar, digital citizenship ID.

Digital object architecture: DOA is an open architecture for interoperability among various information systems, including ID wallets, identity providers, and consumers. It focuses on digital objects and comprises three core components: the identifier/resolution system, the repository system, and the registry system. There are also two protocols that connect these components. (Source: dona.net)

Digital signature: A digital signature is an electronic, encrypted stamp of authentication on digital information such as email messages, macros, or electronic documents. A signature confirms that the information originated from the signer and has not been altered. (Source: Microsoft)

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues..

Entity (or Subject): In the context of identity, an entity is a person, group, object, or a machine whose claims need to be ascertained and identity needs to be established before his request for a service or products can be fulfilled. An entity can also be referred to as a subject whose identity needs to be ascertained before delivering a service.

Expiry: This is another dimension of an identity and determines the validity of an ID. Most of the identities are longer term, but there can be a few like digital tokens and URLs which can be issued for a few hours or even minutes. There are some which can be revoked after a pre-condition is met.

Federated identity: Federated identity is an agreement between two organizations about the definition and use of identity attributes and identifiers of a consumer entity requesting a service. If successful, it allows a consumer entity to get authenticated by one organization (identity provider) and then authorized by another organization. E.g. accessing a third-party website using Google credentials.

Foundational identity: A type of identity which establishes an entity’s existence in the real world. These are generally issued by public sector / government agencies, governed by a legal farmwork within a jurisdiction, and are widely accepted at least in that jurisdiction. E.g. birth certificate, citizenship certificate.

Governance: This is a dimension of identity that covers the governance model for a digital ID ecosystem. While traditionally it has been under the sovereign government or a federated structure, in recent times, it has been decentralized through DLT technologies or trust-framework based. It can also be self-sovereign, where individuals fully control their data and ID attributes.

Identifier: A digital identifier is a string of characters that uniquely represents an entity’s identity in a specific context and scope even if one or more identity attributes of the subject change over time. E.g. driver’s license, SSN, SIN, email ID, digital token, user ID, device ID, cookie ID.

Identity: An identity is an instrument used by an entity to provide the required information about itself to another entity in order to avail a service, access a resource, or exercise a privilege. An identity formed by 1-n identity attributes and a unique identifier.

Identity and access management (IAM): IAM is a set of frameworks, technologies, and processes to enable the creation, maintenance, and use of digital identity, ensuring that the right people gain access to the right materials and records at the right time. (Source: https://iam.harvard.edu/)

Identity consumer (Relying party): An organization, or an entity relying on identity provider to mitigate IT risks around knowing its customers before delivering the end-user value (product/service) without deteriorating end-user experience. E.g. Canada Revenue Agency using SecureKey service and relying on Banking institutions to authenticate users; Telecom service providers in India relying on Aadhaar identity system to authenticate the customer's identity.

Identity form: A dimension of identity that defines its forms depending on the scope it wants to serve. It can be a physical card for offline uses, a virtual identifier like a number, or an app/account with multiple identity attributes. Cryptographic keys and tokens can also be forms of identity.

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Identity infrastructure provider: Organizations involved in creating and maintaining technological infrastructure required to manage the lifecycle of digital identities, attributes, and credentials. They implement functions like security, privacy, resiliency, and user experience as specified in the digital identity policy and trust framework.

Identity proofing: A process of asserting the identification of a subject at a useful identity assurance level when the subject provides evidence to a credential service provider (CSP), reliably identifying themselves. (Source: NIST Special Publication 800-63A)

Identity provider (Attestation authority): An organization or an entity validating the foundation or contextual claims of a subject and establishing identifier(s) for a subject. E.g. DMV (US) and MTA (Canada) issuing drivers’ licenses; Google / Facebook issuing authentication tokens for their users logging in on other websites.

Identity validation: The process of confirming or denying the accuracy of identity information of a subject as established by an authorized party. It doesn’t ensure that the presenter is using their own identity.

Identity verification (Authentication): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

Internationalized resource identifier (IRI): IRIs are equivalent to URIs except that IRIs also allow non-ascii characters in the address space, while URIs only allow us-ascii encoding. (Source: w3.org)

Jurisdiction: A dimension of identity that covers the physical area or virtual space where an identity is legally acceptable for the purpose defined under law. It can be global, like it is for passport, or it can be local within a municipality for specific services. For unverified digital IDs, it can be the social network.

Multi-factor Authentication (MFA): Multi-factor authentication is a layered approach to securing digital assets (data and applications), where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. These factors can be a combination of (i) something you know like a password/PIN; (ii) something you have like a token on mobile device; and (iii) something you are like a biometric. (Adapted from https://www.cisa.gov/publication/multi-factor-authentication-mfa)

Oauth (Open authorization): OAuth is a standard authorization protocol and used for access delegation. It allows internet users to access websites by using credentials managed by a third-party authorization server / Identity Provider. It is designed for HTTP and allows access tokens to be issued by an authorization server to third-party websites. E.g. Google, Facebook, Twitter, LinkedIn use Oauth to delegate access.

OpenID: OpenID is a Web Authentication Protocol and implements reliance authentication mechanism. It facilitates the functioning of federated identity by allowing a user to use an existing account (e.g. Google, Facebook, Yahoo) to sign into third-party websites without needing to create new credentials. (Source: https://openid.net/).

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Personally identifiable information (PII): PII is a set of attributes which can be used, through direct or indirect means, to infer the real-world identity of the individual whose information is input. E.g. National ID (SSN/SIN/Aadhar) DL, name, date of birth, age, address, age, identifier, university credentials, health condition, email, domain name, website URI (web resolvable) , phone number, credit card number, username/password, public key / private key. (Source: https://www.dol.gov)

Predicates: The mathematical or logical operations such as equality or greater than on attributes (e.g. prove your salary is greater than x or your age is greater than y) to prove a claim without sharing the actual values.

Purpose: This dimension of a digital id defines for what purpose digital id can be used. It can be one or many of these – authentication, authorization, activity linking, historical record keeping, social interactions, and machine connectivity for IoT use cases.

Reliance authentication: Relying on a third-party authentication before providing a service. It is a method followed in a federated entity system.

Risk-based authentication: A mechanism to protect against account compromise or identity theft. It correlates an authentication request with transitional facts like requester’s location, past frequency of login, etc. to reduce the risk of potential fraud.

Scheme in trust framework: A specific set of rules (standard and custom) around the use of digital identities and attributes as agreed by one or more organizations. It is useful when those organizations have similar products, services, business processes. (Source: UK Govt. Trust Framework). E.g. Many credit unions agree on how they will use the identity in loan origination and servicing.

Selective disclosure (Assertion): A way to present one’s identity by sharing only a limited amount information that is critical to make an authentication / authorization decision. E.g. when presenting your credentials, you could share something proving you are 18 years or above, but not share your name, exact age, address, etc.

Trust: A dimension of an identity, which essentially is a belief in the reliability, truth, ability, or strength of that identity. While in the physical world all acceptable form of identities come with a verified trust, in online domain, it can be unverified. Also, where an identity is only acceptable as per the contract between two entities, but not widely.

Trust framework: The trust framework is a set of rules that different organizations agree to follow to deliver one or more of their services. This includes legislation, standards, guidance, and the rules in this document. By following these rules, all services and organizations using the trust framework can describe digital identities and attributes they’ve created in a consistent way. This should make it easier for organizations and users to complete interactions and transactions or share information with other trust framework participants. (Source: UK Govt. Trust Framework)

Taxonomy – Digital ID ecosystem

(Alphabetical order)

Continues...

Uniform resource identifier (URI): A universal name in registered name spaces and addresses referring to registered protocols or name spaces.

Uniform resource locator (URL): A type of URI which expresses an address which maps onto an access algorithm using network protocols. (Source: https://www.w3.org/)

Uniform resource name (URN): A type of URI that includes a name within a given namespace but may not be accessible on the internet.

Usability: A dimension of identity that defines how many times it can be used. While most of the identities are multi-use, a few digital identities are in token form and can be used only once to authenticate oneself.

Usage mode: A dimension of identity that defines the service mode in which a digital ID can be used. While all digital IDs are made for online usage, many can also be used in offline interactions.

Verifiable credentials: This W3C standard specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. (Source: https://www.w3.org/TR/vc-data-model/)

X.509 Certificates: X.509 certificates are standard digital documents that represent an entity providing a service to another entity. They're issued by a certification authority (CA), subordinate CA, or registration authority. These certificates play an important role in ascertaining the validity of an identity provider and in turn the identities issued by it. (Source: https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates)

Zero-knowledge proofs: A method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. (Source: 1989 SIAM Paper)

Zero-trust security: A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It evaluates each access request as if it is a fraud attempt, and grants access only if it passes the authentication and authorization test. (Source: Adapted from NIST, SP 800-207: Zero Trust Architecture, 2020)

Related Info-Tech Research

Build a Zero Trust Roadmap
Leverage an iterative and repeatable process to apply zero trust to your organization.

Assess and Govern Identity Security
Strong identity security and governance are the keys to the zero-trust future.

Adopt Design Thinking in Your Organization
Innovation needs design thinking to ensure customer remains at the center of everything the organization does.

Social Media
Leveraging Social Media to connect with your customers and educate them to drive the value proposition of your efforts.

IT Diversity & Inclusion Tactics
Equip your teams to create an inclusive environment and mobilize inclusion efforts across the organization.

Research Contributors and Experts

	David Wallace Executive Counselor https://tymansgrpup.com/profiles/david-wallace
	Erik Avakian Technical Counselor, Data Architecture and Governance https://tymansgrpup.com/profiles/erik-avakian
	Matthew Bourne Managing Partner, Public Sector Global Services https://tymansgrpup.com/profiles/matthew-bourne
	Mike Tweedie Practice Lead, CIO Research Development https://tymansgrpup.com/profiles/mike-tweedie
	Aaron Shum Vice President, Security & Privacy https://tymansgrpup.com/profiles/aaron-shum

Works Cited

India Aadhaar PMJDY (https://pmjdy.gov.in/account)
Theis, S., Rusconi, G., Panggabean, E., Kelly, S. (2020). Delivering on the Potential of Digitized G2P: Driving Women’s Financial Inclusion and Empowerment through Indonesia’s Program Keluarga Harapan. Women’s World Banking.
DIACC Canada (https://diacc.ca/the-diacc/)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
Australia Trusted Digital Identity Framework (https://www.digitalidentity.gov.au/tdif#changes)
eIDAS (https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation)
Europe Digital Wallet – POTENTIAL (https://www.digital-identity-wallet.eu/)
Canada PCTF (https://diacc.ca/trust-framework/)
Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018
e-Estonia website (https://e-estonia.com/solutions/e-identity/id-card/)
Aadhaar Dashboard (https://uidai.gov.in/)
DIACC Website (https://diacc.ca/the-diacc/)
Australia Digital ID website (https://www.digitalidentity.gov.au/tdif#changes)
UK Policy paper - digital identity & attributes trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
Ukraine Govt. website (https://ukraine.ua/invest-trade/digitalization/)
Singapore SingPass Website (https://www.tech.gov.sg/products-and-services/singpass/)
Norway BankID Website (https://www.bankid.no/en/private/about-us/)
Brazil National ID Card website (https://www.gov.br/casacivil/pt-br/assuntos/noticias/2022/julho/nova-carteira-de-identidade-nacional-modelo-unico-a-partir-de-agosto)
Indonesia Coverage in Professional Security Magazine (https://www.professionalsecurity.co.uk/products/id-cards/indonesian-cards/)
Philippine ID System (PhilSys) website (https://www.philsys.gov.ph/)
China coverage on eGovReview (https://www.egovreview.com/article/news/559/china-announces-plans-national-digital-ids)
Thales Group Website - DHS’s Automated Biometric Identification System IDENT (https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/customer-cases/ident-automated-biometric-identification-system)
FranceConnect (https://franceconnect.gouv.fr/)
Germany: Office for authorization cert. (https://www.personalausweisportal.de/Webs/PA/DE/startseite/startseite-node.html)
Italian Digital Services Authority (https://www.spid.gov.it/en/)
Monacco Mconnect (https://mconnect.gouv.mc/en)
Estonia eID (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
E-Residency Dashboard (https://www.e-resident.gov.ee/dashboard)
Unique ID authority of India (https://uidai.gov.in/aadhaar_dashboard/india.php)
State of Aadhaar (https://www.stateofaadhaar.in/)
World Bank (https://documents1.worldbank.org/curated/en/219201522848336907/pdf/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
WorldBank - ID4D 2022 Annual Report (https://documents.worldbank.org/en/publication/documents-reports/documentdetail/099437402012317995/idu00fd54093061a70475b0a3b50dd7e6cdfe147)
Ukraine Govt. Website for Invest and trade (https://ukraine.ua/invest-trade/digitalization/)
Diia Case study prepared for the office of Canadian senator colin deacon (https://static1.squarespace.com/static/63851cbda1515c69b8a9a2b9/t/6398f63a9d78ae73d2fd5725/1670968891441/2022-case-study-report-diia-mobile-application.pdf)
Canadian Digital Identity Research (https://diacc.ca/wp-content/uploads/2022/04/DIACC-2021-Research-Report-ENG.pdf)
Voilà Verified Trustmark (https://diacc.ca/voila-verified/)
Digital Identity, 06A Federation Onboarding Guidance paper, March 2022 (https://www.digitalidentity.gov.au/sites/default/files/2022-04/TDIF%2006A%20Federation%20Onboarding%20Guidance%20-%20Release%204.6%20%28Doc%20Version%201.2%29.pdf)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
A United Nations Estimate of KYC/AML (https://www.imf.org/Publications/fandd/issues/2018/12/imf-anti-money-laundering-and-economic-stability-straight)
India Aadhaar PMJDY (https://pmjdy.gov.in/account)
Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)
UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf) McKinsey Digital ID report ( https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/digital-identification-a-key-to-inclusive-growth) International Peace Institute ( https://www.ipinst.org/2016/05/information-technology-and-governance-estonia#7)
E-Estonia Report (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
2022 Budget Statement (https://diacc.ca/2022/04/07/2022-budget-statement/)
World Bank ID4D - Private Sector Economic Impacts from Identification Systems 2018 (https://documents1.worldbank.org/curated/en/219201522848336907/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
DIACC Canada (https://diacc.ca/the-diacc/)
UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
https://www.gsma.com/identity/decentralised-identity
https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
Microsoft Digital signatures and certificates (https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96)
https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
https://www.dona.net/digitalobjectarchitecture
IAM (https://iam.harvard.edu/)
NIST Special Publication 800-63A (https://pages.nist.gov/800-63-3/sp800-63a.html)
https://www.cisa.gov/publication/multi-factor-authentication-mfa
https://openid.net/
U.S. DEPARTMENT OF LABOR (https://www.dol.gov/)
UK govt. trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
https://www.w3.org/
Verifiable Credentials Data Model v1.1 (https://www.w3.org/TR/vc-data-model/)
https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates

Security Priorities 2022

The pandemic has changed how we work

disruptions to the way we work caused by the pandemic are here to stay.

The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.

People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.

Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.

30% more professionals expect transformative permanent change compared to one year ago.

47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)

The cost of a security breach is rising steeply

The shift to remote work exposes organizations to more costly cyber incidents than ever before.

Remote work is here to stay, and the cost of a breach is higher when remote work is involved.

The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)

Security teams can participate in the solution

The numbers are clear: in 2022, when we face a threat environment like WE’VE never EXPERIENCED before, good security is worth the investment

Breaches are 34% less costly when mature zero trust is implemented.

A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)

Top security priorities and constraints in 2022

Survey results

As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:

Top Priorities Survey respondents were asked to force-rank their security priorities. Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

Top Obstacles Talent management is both the #1 priority and the top obstacle facing security leaders in 2022. Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.

We know the priorities…

But what are security leaders actually working on?

This report details what we see the world demanding of security leaders in the coming year.

Setting aside the demands – what are security leaders actually working on?

Many organizations are still mastering the foundations of a mature cybersecurity program. This is a good idea! Most breaches are still due to gaps in foundational security, not lack of advanced controls.

We know the priorities…

But what are security leaders actually working on?

One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets. Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.

5 Security Priorities for 2022

People

1. Acquiring and Retaining Talent
   Create a good working environment for existing and potential employees. Invest time and effort into talent issues to avoid being understaffed.
2. Securing a Remote Workforce
   Create a secure environment for users and help your people build safe habits while working remotely.

Process

3. Securing Digital Transformation
   Build in security from the start and check in frequently to create agile and secure user experiences.

Technology

4. Adopting Zero Trust
   Manage access of sensitive information based on the principle of least privilege.
5. Protecting Against and Responding to Ransomware
   Put in your best effort to build defenses but also prepare for a breach and know how to recover.

Acquire and Retain Talent

Priority 01

Security talent was in short supply before the pandemic, and it's even worse now.

Executive summary

Background

Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.

The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.

The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.

Current situation

• A 2021 survey by ESG shows that 76% of security professional agree it’s difficult to recruit talent, and 57% said their organization is affected by this talent shortage.
• (ISC)2 reports there are 2.72 million unfilled job openings and an increasing workforce gap (2021).

2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)

IT leaders must do more to attract and retain talent in 2022

• Over 70% of IT professionals are considering quitting their jobs (TalentLMS, 2021). Meanwhile, 51% of surveyed cybersecurity professionals report extreme burnout during the last 12 months and many of them have considered quitting because of it (VMWare, 2021).
• Working remotely makes it easier for people to look elsewhere, lowering the barrier to leaving.
• This is a big problem for security leaders, as cybersecurity talent is in very short supply. The cost of acquiring and retaining quality cybersecurity staff in 2022 is significant, and many organizations are unwilling or unable to pay the premium.
• Top talent will demand flexible working conditions – even though remote work comes with security risk.
• Most smart, talented new hires in 2022 are demanding to work remotely most of the time.

Talent will be 2022’s #1 strength and #1 weakness

Recommended Actions

Talent acquisition and retention plan

Use this template to explain the priorities you need your stakeholders to know about.

Provide a brief value statement for the initiative.

Address a top priority and a top obstacle with a plan to attract and retain top organizational and cybersecurity talent.

Initiative Description: Provide secure remote work capabilities for staff. Work with HR to refine a hiring plan that addresses geographical and compensation gaps with cybersecurity and general staff. Survey staff engagement to identify points of friction and remediate where needed. Define a career path and growth plan for staff.		Description must include what IT will undertake to complete the initiative.
Primary Business Benefits: Reduction in costs due to turnover and talent loss	Other Expected Business Benefits: Productivity due to good morale/ engagement Improved corporate culture	Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.
Risks: Big organizational and cultural changes Increased attack surface of remote/hybrid workforce		Related Info-Tech Research: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan Build an IT Employee Engagement Program

Secure a Remote Workforce

Priority 02

Trends suggest remote work is here to stay. Addressing the risk of insecure endpoints can no longer be deferred.

Executive summary

Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.

In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.

Current situation

• 70% of workers in technical services work from home.
• Employees of larger firms and highly paid individuals are more likely to be working outside the office.
• 80% of security and business leaders find that remote work has increased the risk of a breach.
(Source: StatCan, 2021)

70% of tech workers work from home (Source: Statcan, 2021)

Remote work demands new security solutions

The security perimeter is finally gone The data is outside the datacenter. The users are outside the office. The endpoints are … anywhere and everywhere. Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021). In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce.

Security Distributed denial of service DNS hijacking Weak VPN protocols Identity One-time verification allowing lateral movement

Network Risk perimeter stops at corporate network edge Split tunneling Authentication Weak authentication Weak password Access Man-in-the-middle attack Cross-site scripting Session hijacking

Recommended Actions

Roadmap to securing remote/hybrid workforce

Use this template to explain the priorities you need your stakeholders to know about.

Provide a brief value statement for the initiative.

The corporate network now extends to the internet – ensure your security plan has you covered.

Initiative Description: Reassess enterprise security strategy to include the WFH attack surface (especially endpoint visibility). Ensure authentication requirements for remote workers are sufficient (e.g. MFA, strong passwords, hardware tokens for high-risk users/connections). Assess the value of zero trust networking to minimize the blast radius in the case of a breach. Perform penetration testing annually.		Description must include what IT will undertake to complete the initiative.
Primary Business Benefits: Reduced cost of security incidents/reputational damage	Other Expected Business Benefits: Improved ability to attract and retain talent Increased business adaptability	Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.
Risks: Potential disruption to traditional working patterns Cost of investing in WFH versus risk of BYOD		Related Info-Tech Research: Build an Information Security Strategy Develop a Security Awareness and Training Program That Empowers End Users Checklist for Securing Remote Workers

Secure Digital Transformation

Priority 03

Digital transformation could be a competitive advantage…or the cause of your next data breach.

Executive summary

Background

Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”

We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.

Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.

Insight

There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.

$1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)

An ounce of security prevention versus a pound of cure

The journey of digital transformation is a risky one.

Recommended Actions

Securing digital transformation

Use this template to explain the priorities you need your stakeholders to know about.

Provide a brief value statement for the initiative.

Ensure your investment in digital transformation is appropriately secured.

Initiative Description: Engage security with digital transformation and relevant governance structures (steering committees) to ensure security considerations are built into digital transformation planning. Incorporate security stage gates in project management procedures. Establish a vendor security assessment program.		Description must include what IT will undertake to complete the initiative.
Primary Business Benefits: Increased likelihood of digital transformation success	Other Expected Business Benefits: Ability to make informed decisions for the field rep strategy Reduced long-term cost of digital transformation	Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.
Risks: Potential increased up front cost (reduced long-term cost) Potential slowed implementation with security stage gates in project management		Related Info-Tech Research: Build a Vendor Security Assessment Service Implement a Security Governance and Management Program

Adopt Zero Trust

Priority 04

Governments are recognizing the importance of zero trust strategies. So should your organization.

Why now for zero trust?

John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).

Why such little action on a revolutionary and compelling model?

Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:

• Securing technology has become very hard! The size, complexity, and attack surface of IT environments has grown significantly – especially since the pandemic.
• Cyberattacks have become rampant as the cost to deploy harmful ransomware has become lower and the impact has become higher.
• The shift away from on-premises datacenters and offices created an opening for zero trust investment, and zero trust technology is more mature than ever before.

The time has come for zero trust adoption to begin in earnest.

97% will maintain or increase zero trust budget (Source: Statista, 2022)

Traditional perimeter security is not working

Zero trust directly addresses the most prevalent attack vectors today

A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.

What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).

Top reasons for building a zero trust program in 2022

The business case for zero trust is clearer than ever

Prior obstacles to Zero Trust are disappearing

A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:

The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.

In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.

The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)

The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.

That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)

Recommended Actions

Zero trust roadmap

Use this template to explain the priorities you need your stakeholders to know about.

Provide a brief value statement for the initiative.

Develop a practical roadmap that shows the business value of security investment.

Initiative Description: Define desired business and security outcomes from zero trust adoption. Assess zero trust readiness. Build roadmaps for zero trust: Identity Networking Devices Data		Description must include what IT will undertake to complete the initiative.
Primary Business Benefits: Increased security posture and business agility	Other Expected Business Benefits: Reduced impact of security events Reduced cost of managing complex control set More secure business transformation (i.e. cloud/digital)	Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.
Risks: Learning curve of implementation (start small and slow) Transition from current control set to zero trust model		Related Info-Tech Research: Determine Your Zero Trust Readiness

Protect Against and Respond to Ransomware

Priority 05

Ransomware is still the #1 threat to the safety of your data.

Executive summary

Background

• Ransomware attacks have transformed in 2021 and show no sign of slowing in 2022. There is a new major security breach every week, despite organizations spending over $150 billion in a year on cybersecurity (Nasdaq, 2021).
• Ransomware as a service (RaaS) is commonplace, and attackers are doubling down by holding encrypted data ransom and also demanding payment under threat to disclose exfiltrated data – and they are making good on their threats.
• The global cost of ransomware is expected to rise to $265 billion by 2031 (Cybersecurity Ventures, 2021).
• We expect to see an increase in ransomware incidents in 2022, both in severity and volume – multiple attacks and double extortion are now the norm.
• High staff turnover increases risk because new employees are unfamiliar with security protocols.

150% increase ransomware attacks in 2020 (Source: ENISA)

This is a new golden age of ransomware

Many leaders still don’t know what a ransomware recovery would look like

Recommended Actions

Prevent and respond to ransomware

Use this template to explain the priorities you need your stakeholders to know about.

Provide a brief value statement for the initiative.

Determine your current readiness, response plan, and projects to close gaps.

Initiative Description: Execute a systematic assessment of your current security and ransomware recovery capabilities. Perform tabletop activities and live recoveries to test data recovery capabilities. Train staff to detect suspicious communications and protect their identities.		Description must include what IT will undertake to complete the initiative.
Primary Business Benefits: Improved productivity and brand protection	Other Expected Business Benefits: Reduced downtime and disruption Reduced cost due to incidents (ransom payments, remediation)	Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.
Risks: Friction with existing staff		Related Info-Tech Research: Create a Ransomware Incident Response Plan Defend Against the Evolving Threat of Ransomware

Deepfakes: Dark-horse threat for 2022

Deepfake video

How long has it been since you’ve gone a full workday without having a videoconference with someone?

We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.

Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.

Deepfake audio

Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.

However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.

Bibliography

“2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.

Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.

Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.

Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021.Web.

“Cost of a Data Breach Report 2021.” IBM, 2021. Web.

Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.

“Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.

“Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.

Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.

“Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.

“(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.

Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.

Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.

Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.

Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.

Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.

Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.

Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.

Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.

“Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.

Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.

Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.“ World Economic Forum, 15 Sept. 2021. Web.

Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at black hat USA 2018.

Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.

“The State of Ransomware 2021.” Sophos, April 2021. Web.

Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.

“TD VoicePrint.” TD Bank, n.d. Web.

“Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.

“Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.

Manage Exponential Value Relationships

Are you ready to manage outcome-based agreements?

Analyst Perspective

Outcome-based agreements require a higher degree of mutual trust.

Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality. Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations. Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways. Kim Osborne Rodriguez Research Director, CIO Advisory Info-Tech Research Group

Executive Summary

Info-Tech Insight

Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

Vendor relationships can be worth billions of dollars

Positive vendor relationships directly impact the bottom line, sometimes to the tune of billions of dollars annually.

• Organizations typically spend 40% to 80% of their total budget on external suppliers.
• Greater supplier trust translates directly to greater business profits, even in traditional vendor relationships.1
• Based on over a decade of data from vehicle manufacturers, greater supplier relationships nearly doubled the unit profit margin on vehicles, contributing over $20 billion to Toyota’s annual profits based on typical sales volume.2
• Having positive vendor relationships can be instrumental in times of crisis – when scarcity looms, vendors often choose to support their best customers.3,4 For example, Toyota protected itself from the losses many original equipment manufacturers (OEMs) faced in 2020 and showed improved profitability that year due to increased demand for vehicles which it was able to supply as a result of top-ranked vendor relationships.

1 PR Newswire, 2022.
2 Based on 10 years of data comparing Toyota and Nissan, every 1-point increase in the company’s Working Relations Index was correlated with a $15.77 net profit increase per unit. Impact on Toyota annual profits is based on 10.5 million units sold in 2021 and 2022.
3 Interview with Renee Stanley, University of Texas at Arlington. Conducted 17 May 2023.
4 Plante Moran, 2020.

Sources: Macrotrends, Plante Moran 2022, Nissan 2022 and 2023, and Toyota 2022. Profit per car is based on total annual profit divided by total annual sales volume.

Outcome-based relationships are a new paradigm

In a new model where organizations are procuring autonomous capabilities, outcomes will govern vendor relationships.

An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.

Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.

Case study

INDUSTRY: Technology

SOURCE: Press Release

Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite

In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.

Shared risk

Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.

Shared reward

This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.

Adapt your approach to vendor relationships

Both traditional vendors and exponential relationships are important.

Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.

Common obstacles

Exponential relationships require new approaches to vendor management as businesses autonomize:

• Autonomization refers to the shift toward autonomous business capabilities which leverage technologies such as AI and quantum computing to operate independently of human interaction.
• The speed and complexity of technology advancement requires that businesses move quickly and confidently to develop strong relationships and deliver value.
• We are seeing businesses shift from procuring products and services to procuring autonomous business capabilities (sometimes called “as a service,” or aaS). This shift can drive exponential value but also increases complexity and risk.
• Exponential IT requires a shift in emphasis toward more mature relationship and risk management strategies, compared to traditional vendor management.

The shift from technology service agreements to business capability agreements needs a new approach

Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.

Source: McKinsey, “Mind the [skills] gap”, 2021.

Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.

Source: Info-Tech Research Group survey, 2022

Insight summary

Assess your readiness for exponential value relationships

Key deliverable:

Exponential Relationships Readiness Assessment

Determine your readiness to build exponential value relationships.

Measure the value of this blueprint

Save thousands of dollars by leveraging this research to assess your readiness, before you lose millions from a relationship gone bad.

Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?

Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.

Use Info-Tech’s research to Exponential Relationships Readiness Assessment.

Establish a baseline

Gauge the effectiveness of this research by asking yourself the following questions before and after completing your readiness assessment:

How to use this research

Five tips to get the most out of your readiness assessment.

1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
2. Effectiveness levels range from basic (level 1) to advanced (level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with level 1 competencies, it is recommended to improve maturity in those areas before pursuing exponential relationships.
3. This assessment is qualitative; complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
5. Other industry- and region-specific competencies may be required to succeed at exponential relationships. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

Financial management

Manage your budget and spending to stay on track throughout your relationship.

“Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”

– Jennifer Perrier, Principal Research Director,
Info-Tech Research Group

This step involves the following participants:

• Executive leadership team, including CIO
• CFO
• Vendor management leader
• Other internal stakeholders of vendor relationships

Activities:

• Assess your ability to manage scope and budget in exponential IT relationships.

Successfully manage complex finances

Stay on track and keep your relationship running smoothly.

Why is this important?

• Finance is at the core of most business – it drives decision making, acts as a constraint for innovation and optimization, and plays a key role in assessing options (such as return on investment or payback period).
• Effectively managing finances is a critical success factor in developing strong relationships. Each organization must be able to manage their own budget and spending in order to balance the risk and reward in the relationship. Often, these risks and rewards will come in the form of profit and loss or revenue and spend.

Build it into your practice:

1. Ensure your financial decision-making practices are aligned with the organizational and relationship strategy. Do metrics and criteria reflect the organization’s goals?
2. Develop strong accounting and financial analysis practices – this includes the ability to conduct financial due diligence on potential vendors.
3. Develop consistent methodology to track and report on the desired outcomes on a regular basis.

Build your ability to manage finances

The five competencies needed to manage finances in exponential value relationships are:

Relationship management

Drive exponential value by becoming a customer of choice.

“The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”

(“Improving the management of complex business partnerships.” McKinsey, 2019)

This step involves the following participants:

• Executive leadership team, including CIO
• Vendor management leader
• Other internal stakeholders of vendor relationships

Activities:

• Assess your ability to manage relationships in exponential IT relationships.

Take your relationships to the next level

Maintaining positive relationships is key to building trust.

Why is this important?

• All relationships will experience challenges, and the ability to resolve these issues will rely heavily on the relationship management skills and soft skills of the leadership within each organization.
• Based on a 20-year study of vendor relationships in the automotive sector, business-to-business trust is a function of reasonable demands, follow-through, and information sharing.

(Source: Plante Moran, 2020)

Build it into your practice:

1. Develop the soft skills necessary to promote psychological safety, growth mindset, and strong and open communication channels.
2. Be smart about sharing information – you don’t need to share everything, but being open about relevant information will enhance trust.
3. Both parties need to work hard to develop trust necessary to build a true relationship. This will require increased access to decision-makers, clearly defined guardrails, and the ability for unsatisfied parties to leave.

Build your ability to manage relationships

The five competencies needed to manage relationships in exponential partnerships are:

Performance management

Outcomes management focuses on results, not methods.

According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)

In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.

This step involves the following participants:

• Executive leadership team, including CIO
• Vendor management leader
• Other internal stakeholders of vendor relationships

Activities:

• Assess your ability to manage outcomes in exponential IT relationships.

Manage outcomes to drive mutual success

Build trust by achieving shared objectives.

Why is this important?

• Relationships are based on shared risk and shared reward for all parties. In order to effectively communicate the shared rewards, you must first understand and communicate your objectives for the relationship, then measure outcomes to ensure all parties are benefiting.
• Effectively managing outcomes reduces the risk that one party will choose to leave based on a perception of benefits not being achieved. Parties may still leave the agreement, but decisions should be based on shared facts and issues should be communicated and addressed early.

Build it into your practice:

1. Clearly articulate what you hope to achieve by entering an outcome-based relationship. Each party should outline and agree to the goals, objectives, and desired outcomes from the relationship.
2. Document how rewards will be shared among parties. What type of rewards are anticipated? Who will benefit and how?
3. Develop consistent methodology to track and report on the desired outcomes on a regular basis. This might consist of a vendor scorecard or a monthly meeting.

Build your ability to manage outcomes

The five competencies needed to manage outcomes in exponential value relationships are:

Risk management

Exponential IT means exponential risk – and exponential rewards.

One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.

This step involves the following participants:

• Executive leadership team, including CIO
• Vendor management leader
• Risk management leader
• Other internal stakeholders of vendor relationships

Activities:

• Assess your ability to manage risk in exponential IT relationships.

Relationships come with a lot of hidden risks

Successfully managing complex risks can be the difference between a spectacular success and company-ending failure.

Why is this important?

• Relationships inherently involve a loss of control. You are relying on another party to fulfill their part of the agreement, and you depend on the success of the outcome. Loss of control comes with significant risks.
• Sharing in risk is what differentiates an outcome-based relationship from a traditional vendor relationship; vendors must have skin in the game.
• Organizations must consider many different types of risk when considering a relationship with a vendor: fraud, security, human rights, labor relations, ESG, and operational risks. Remember that risk is not inherently bad; some risk is necessary.

Build it into your practice:

1. Build or hire the necessary risk expertise needed to properly assess and evaluate the risks of potential vendor relationships. This includes intellectual property, ESG, legal/regulatory, cybersecurity, data security, and more.
2. Develop processes and procedures which clearly communicate and report on risk on a regular basis.

Info-Tech Insight

Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.

Don’t forget about third-party ESG risk

Customers care about ESG. You should too.

Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.

Third-party ESG risks can include the following:

• Environmental risk: Vendors with unsustainable practices such as carbon emissions or waste generation of natural resource depletion can negatively impact the organization’s environmental goals.
• Social risk: Unsafe or illegal labor practices, human rights violations, and supply chain management issues can reflect negatively on organizations that choose to work with vendors who engage in such practices.
• Governance risk: Vendors who engage in illegal or unethical behaviors, including bribery and corruption or data and privacy breaches can impact downstream customers.

Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.

A global survey of nearly 14,000 customers revealed that…

Source: EY Future Consumer Index, 2021

Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.

Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.

Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.

Build your ability to manage risk

The five competencies needed to manage risk in exponential value relationships are:

Contract management

Contract management is a critical part of vendor management.

Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.

This step involves the following participants:

• Executive leadership team, including CIO
• Vendor management leader
• Risk management leader
• Other internal stakeholders of vendor relationships

Activities:

• Assess your ability to manage risk in exponential IT relationships.

Build your ability to manage contracts

The five competencies needed to manage contracts in exponential value relationships are:

Activity 1: Assess your readiness for exponential relationships

1-3 hours

1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
2. As a group, review the core competencies from the previous four sections and determine where your organization’s effectiveness lies for each competency. Record your responses in the Exponential Relationships Readiness Assessment tool.

Download the Exponential Relationships Readiness Assessment tool.

Understand your assessment

This step involves the following participants:

• Executive leadership team, including CIO
• Vendor management leader
• Other internal stakeholders of vendor relationships

Activities:

• Create an action plan.

Understand the results of your assessment

Consider the following recommendations based on your readiness assessment scores:

• The chart to the right shows sample results. The bars indicate the recommended scores, and the line indicates the readiness score.
• Three or more categories below the recommended scores, or any categories more than five points below the recommendation: outcome-based relationships are not recommended at this time.
• Two or more categories below the recommended scores: Proceed with caution and limit outcome-based relationships to low-risk areas. Continue to mature capabilities.
• One category below the recommended scores: Evaluate the risks and benefits before engaging in higher-risk vendor relationships. Continue to mature capabilities.
• All categories at or above the recommended scores: You have many of the core capabilities needed to succeed at exponential relationships! Continue to evaluate and refine your vendor relationships strategy, and identify any additional competencies needed based on your industry or region.

Activity 2: Create an action plan

1 hour

1. Gather the stakeholders who participated in the readiness assessment exercise.
2. As a group, review the results of the readiness assessment. Where there any surprise? Do the results reflect your understanding of the organization’s maturity?
3. Determine which areas are likely to limit the organization’s relationship capability, based on lowest scoring areas and relative importance to the organization.
4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.

Related Info-Tech Research

Jump Start Your Vendor Management Initiative
Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

Elevate Your Vendor Management Initiative
Transform your VMI from tactical to strategic to maximize its impact and value

Evaluate Your Vendor Account Team to Optimize Vendor Relations
Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.

Related Info-Tech Research

Build an IT Risk Management Program
Mitigate the IT risks that could negatively impact your organization.

Build an IT Budget
Effective IT budgets are more than a spreadsheet. They tell a story.

Adopt an Exponential IT Mindset
Thrive through the next paradigm shift..

Author

Kim Osborne Rodriguez Research Director, CIO Advisory Info-Tech Research Group

Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects. Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo.

Research Contributors and Experts

	Jack Hakimian Senior Vice President Info-Tech Research Group Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions. He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.		Michael Tweedie Practice Lead, CIO Strategy Info-Tech Research Group Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management. Mike holds a Bachelor’s degree in Architecture from Ryerson University.
	Scott Bickley Practice Lead, VCCO Info-Tech Research Group Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management. Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM).		Donna Bales Principal Research Director Info-Tech Research Group Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives. Donna has a bachelor’s degree in economics from the University of Western Ontario.

Research Contributors and Experts

Jennifer Perrier Principal Research Director Info-Tech Research Group Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years. Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions.

Phil Bode Principal Research Director Info-Tech Research Group Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP. Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona.

Research Contributors

Erin Morgan Assistant Vice President, IT Administration University of Texas at Arlington

Renee Stanley Assistant Director IT Procurement and Vendor Management University of Texas at Arlington

Note: Additional contributors did not wish to be identified.

Bibliography

Andrea, Dave. “Plante Moran’s 2022 Working Relations Index® (WRI) Study shows supplier relations can improve amid industry crisis.” Plante Moran, 25 Aug 2022. Accessed 18 May 2023.
Andrea, Dave. “Trust between suppliers and OEMs can better prepare you for the next crisis.” Plante Moran, 9 Sept 2020. Accessed 17 May 2023.
Cleary, Shannon, and Carolan McLarney. “Organizational Benefits of an Effective Vendor Management Strategy.” IUP Journal of Supply Chain Management, Vol. 16, Issue 4, Dec 2019.
De Backer, Ruth, and Eileen Kelly Rinaudo. “Improving the management of complex business partnerships.” McKinsey, 21 March 2019. Accessed 9 May 2023 .
Dennean, Kevin et al. “Let's chat about ChatGPT.” UBS, 22 Feb 2023. Accessed 26 May 2023.
F&I Tools. “Nissan Worldwide Vehicle Sales Report.” Factory Warranty List, 2022. Accessed 18 May 2023.
Gomez, Robin. “Adopting ChatGPT and Generative AI in Retail Customer Service.” Radial, 235, April 2023. Accessed 10 May 2023.
Harms, Thomas and Kristina Rogers. “How collaboration can drive value for you, your partners and the planet.” EY, 26 Oct 2021. Accessed 10 May 2023.
Hedge & Co. “Toyota, Honda finish 1-2; General Motors finishes at 3rd in annual Supplier Working Relations Study.” PR Newswire, 23 May 2022. Accessed 17 May 2023.
Henke Jr, John W., and T. Thomas. "Lost supplier trust, lost profits." Supply Chain Management Review, May 2014. Accessed 17 May 2023.
Information Services Group, Inc. “Global Demand for IT and Business Services Continues Upward Surge in Q2, ISG Index™ Finds.” BusinessWire, 7 July 2021. Accessed 8 May 2023.
Kasanoff, Bruce. “New Study Reveals Costs Of Bad Supplier Relationships.” Forbes, 6 Aug 2014. Accessed 17 May 2023.
Macrotrends. “Nissan Motor Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
Macrotrends. “Toyota Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
McKinsey. “Mind the [skills] gap.” McKinsey, 27 Jan 2021. Accessed 18 May 2023.
Morgan, Blake. “7 Examples of How Digital Transformation Impacted Business Performance.” Forbes, 21 Jul 2019. Accessed 10 May 2023.
Nissan Motor Corporation. “Nissan reports strong financial results for fiscal year 2022.” Nissan Global Newsroom, 11 May 2023. Accessed 18 May 2023.

Bibliography

“OpenAI and Microsoft extend partnership.” Open AI, 23 Jan 2023. Accessed 26 May 2023.
Pearson, Bryan. “The Apple Of Its Aisles: How Best Buy Lured One Of The Biggest Brands.“ Forbes, 23 Apr 2015. Accessed 23 May 2023.
Perifanis, Nikolaos-Alexandros and Fotis Kitsios. “Investigating the Influence of Artificial Intelligence on Business Value in the Digital Era of Strategy: A Literature Review.” Information, 2 Feb 2023. Accessed 10 May 2023.
Scott, Tim and Nathan Spitse. “Third-party risk is becoming a first priority challenge.” Deloitte. Accessed 18 May 2023.
Stanley, Renee. Interview by Kim Osborne Rodriguez, 17 May 2023.
Statista. “Toyota's retail vehicle sales from 2017 to 2021.” Statista, 27 Jul 2022. Accessed 18 May 2023.
Tlili, Ahmed, et al. “What if the devil is my guardian angel: ChatGPT as a case study of using chatbots in education.” Smart Learning Environments, 22 Feb 2023. Accessed 9 May 2023.
Vitasek, Kate. “Outcome-Based Management: What It Is, Why It Matters And How To Make It Happen.” Forbes, 12 Jan 2023. Accessed 9 May 2023.

Develop Infrastructure & Operations Policies and Procedures

Document what you need to document and forget the rest.

Table of contents

Project Rationale

Project Outlines

• Phase 1: Identify Policy and Procedure Gaps
• Phase 2: Develop Policies
• Phase 3: Document Effective Procedures

Bibliography

ANALYST PERSPECTIVE

Document what you need to document now and forget the rest.

Our understanding of the problem

This Research Is Designed For:

• Infrastructure Managers
• Chief Technology Officers
• IT Security Managers

This Research Will Help You:

• Address policy gaps
• Develop effective procedures and procedure documentation to support policy compliance

This Research Will Also Assist:

• Chief Information Officers
• Enterprise Risk and Compliance Officers
• Chief Human Resources Officers
• Systems Administrators and Engineers

This Research Will Help Them:

• Understand the importance of a coherent approach to policy development
• Understand the importance of Infrastructure & Operations policies
• Support Infrastructure & Operations policy development and enforcement

Info-Tech Best Practice

This blueprint supports templates for key policies and procedures that help Infrastructure & Operations teams to govern and manage internal operations. For security policies, see the NIST SP 800-171 aligned Info-Tech blueprint, Develop and Deploy Security Policies.

Executive Summary

Situation

• Time and money are wasted dealing with mistakes or missteps that should have been addressed by procedures or policies.
• Standard operating procedures are less effective without a policy to provide a clear mandate and direction.

Complication

• Existing policies were written, approved, signed – and forgotten for years because no one has time to maintain them.
• Adhering to policies is rarely a priority, as compliance often feels like an impediment to getting work done.
• Processes aren’t measured or audited to assess policy compliance, which makes enforcing the policies next to impossible.

Resolution

• Start with a comprehensive policy framework to help you identify policy gaps. Prioritize and address those policy gaps.
• Create effective policies that are reasonable, measurable, auditable, and enforceable.
• Create and document procedures to support policy changes.

Info-Tech Insight

1. Document what you need to document and forget the rest.
   Always check if a previously approved policy exists before you create a new one. You may only need to create new guidelines or standards rather than approve a new policy.
2. Support policies with documented procedures.
   Build procedures that embed policy adherence in daily operations. Find opportunities to automate policy adherence (e.g. removing local admin rights from user computers).

What are policies, procedures, and processes?

A policy is a governing document that states the long-term goals of the organization and in broad strokes outlines how they will be achieved (e.g. a Data Protection Policy).

In the context of policies, a procedure is composed of the steps required to complete a task (e.g. a Backup and Restore Procedure). Procedures are informed by required standards and recommended guidelines. Processes, guidelines, and standards are three pillars that support the achievement of policy goals.

A process is higher level than a procedure – a set of tasks that deliver on an organizational goal.

Better policies and procedures reduce organizational risk and, by strengthening the ability to execute processes, enhance the organization’s ability to execute on its goals.

Document to improve governance and operational processes

Deliver value

Build, deliver, and support Infrastructure assets in a consistent way, which ultimately reduces costs associated with downtime, errors, and rework. A good manual process is the foundation for a good automated process.

Simplify Training

Use documentation for knowledge transfer. Routine tasks can be delegated to less-experienced staff.

Maintain compliance

Comply with laws and regulations. Policies are often required for compliance, and formally documented and enforced policies help the organization maintain compliance by mandating required due diligence, risk reduction, and reporting activities.

Provide transparency

Build an open kitchen. Other areas of the organization may not understand how Infra & Ops works. Your documentation can provide the answer to the perennial question: “Why does that take so long?”

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Document what you need to document – and forget the rest

Half of all organizations believe their policy suite is insufficient. (Info-Tech myPolicies Survey Data (N=59))

Too much documentation and a lack of documentation are both ineffective. (Info-Tech myPolicies Survey Data (N=59))

77% of IT professionals believe their policies require improvement. (Kaspersky Lab)

Presenting: A COBIT-aligned policy suite

We’ve developed a suite of effective policy templates for every Infra & Ops manager based on Info-Tech’s IT Management & Governance Framework.

Info-Tech Best Practice

Look for these symbols as you work through the deck. Prioritize and focus on the policies you work on first based on the value of the policy to the enterprise and the existing gaps in your governance structure.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Accelerate policy development with a Guided Implementation

Your trusted advisor is just a call away.

• Identify Policy and Procedure Gaps (Calls 1-2)
  Assess current policies, operational challenges, and gaps. Mitigate significant risks first.
• Create and Review Policies (Calls 2-4)
  Modify and review policy templates with an Info-Tech analyst.
• Create and Review Procedures (Calls 4-6)
  Workflow procedures, using templates wherever possible. Review documentation best practices.

Contact Info-Tech to set up a Guided Implementation with a dedicated advisor who will walk you through every stage of your policy development project.

Develop Infrastructure & Operations Policies and Procedures

Phase 1

Identify Policy and Procedure Gaps

PHASE 1: Identify Policy and Procedure Gaps

Step 1.1: Review and right-size the existing policy set

This step will walk you through the following activities:

• Identify gaps in your existing policy suite
• Document challenges to core Infrastructure & Operations processes
• Identify documentation that can close gaps
• Prioritize your documentation effort

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: A review of the existing policy suite and identification of opportunities for improvement.
• Insights: Not all gaps necessarily require a fresh policy. Repurpose, refresh, or supplement existing documentation wherever appropriate.

Conduct a policy review

You’ve got time to review your policy suite. Make the most of it.

1. Start with organizational requirements.
   • What initiatives are on the go? What policies or procedures do you have a mandate to create?
2. Weed out expired and dated policies.
   • Gather your existing policies. Identify when each one was published or last reviewed.
   • Decide whether to retire, merge, or update expired or obviously dated policy.
3. Review policy statements.
   • Check that the organization is adequately supporting policy statements with SOPs, standards, and guidelines. Ensure role-related information is up to date.
4. Document and bring any gaps forward to the next activity. If no action is required, indicate that you have completed a review and submit the findings for approval.

But they just want one policy...

• Existing policies may address what you’re trying to do with a new policy. Using or modifying an existing policy avoids overlap and contradiction and saves you the effort required to create, communicate, approve, and maintain a new policy.
• Review the suite to validate that you’re addressing the most important challenges first.

Brainstorm improvements for core Infrastructure & Operations processes

Supplement the list of gaps from your policy review with process challenges.

1. Write out key Infra & Ops–related processes – one piece of flipchart paper per process. You can work through all of these processes or cherry-pick the processes you want to improve first.
2. With participants, write out in point form how you currently execute on these processes (e.g. for Asset Management, you might be tagging hardware, tracking licenses, etc.)
3. Work through a “Start – Stop – Continue” exercise. Ask participants: What should we start doing? What must we stop doing? What do we do currently that’s valuable and must continue? Write ideas on sticky notes.
4. Once you’ve worked through the “Start – Stop – Continue” exercise for all processes, group similar suggestions for improvements.

Asset Management: Manage hardware and software assets across their lifecycle to protect assets and manage costs.

Availability and Capacity Management: Balance current and future availability, capacity, and performance needs with cost-to-serve.

Business Continuity Management: Continue operation of critical business processes and IT services.

Change Management: Deliver technical changes in a controlled manner.

Configuration Management: Define and maintain relationships between technical components.

Problem Management: Identify incident root cause.

Operations Management: Coordinate operations.

Release and Patch Management: Deliver updates and manage vulnerabilities in a controlled manner.

Service Desk: Respond to user requests and all incidents.

PHASE 1: Identify Policy and Procedure Gaps

Step 1.2: Create an action plan to address policy gaps

This step will walk you through the following activities:

• Identify challenges and gaps that can be addressed via documentation
• Prioritize high-value, high-risk gaps

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors

Results & Insights

• Results: An action plan to tackle policy and procedures gaps, aligned with business requirements and business value.
• Insights: Not all documentation is equally valuable. Prioritize documentation that delivers value and mitigates risk.

Support policies with procedures, standards, and guidelines

Use a working definition for each type of document.

Policy: Directives, rules, and mandates that support the overarching, long-term goals of the organization.

• Standards: Prescriptive, uniform requirements.
• Procedures: Specific, detailed, step-by-step instructions for completing a task.
• Guidelines: Non-enforceable, recommended best practices.

Info-Tech Best Practice

Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We provide high-level feedback to ensure your documentation is clear, concise, and consistent and aligns with the governance objectives you’ve identified.

Answer the following questions to decide if governance documentation can help close gaps

1(c) 30 minutes

Documentation supports knowledge sharing, process consistency, compliance, and transparency. Ask the following questions:

1. What is the purpose of the documentation?
   Procedures support task completion. Policies set direction and manage organizational risk.
2. Should it be enforceable?
   Policies and standards are enforceable; guidelines are not. Procedures are enforceable in that they should support policy enforcement.
3. What is the scope?
   To document a task, create a procedure. Set overarching rules with policies. Use standards and guidelines to set detailed rules and best practices.
4. What’s the expected cadence for updates?
   Policies should be revisited and revised less frequently than procedures.

Info-Tech Best Practice

Reinvent the wheel? I don’t think so!

Always check to see if a gap can be addressed with existing tools before drafting a new policy

• Is there an existing policy that could be supported with new or updated procedures, technical standards, or guidelines?
• Is there a technical control you can deploy that would enforce the terms of an existing, approved policy?
• It may be simpler to amend an existing policy instead of creating a new one.

Some problems can’t be solved by better documentation (or by documentation alone). Consider additional strategies that address people, process, and technology.

Tackle high-value, high-risk gaps first

1(d) 30 minutes

Prioritize your documentation effort.

1. List each proposed piece of documentation on the board.
2. Assign a score to the risk posed to the business by the lack of documentation and to the expected benefit of completing the documentation. Use a scoring scale between 1 and 3 such as the one on the right.
3. Prioritize documentation that mitigates risks and maximizes benefits.
4. If you need to break ties, consider effort required to develop, implement, and enforce policies or procedures.

Example Scoring Scale

Info-Tech Insight

Documentation pulls resources away from other important programs and projects, so ultimately it must be a demonstrably higher priority than other work. This exercise is designed to align documentation efforts with business goals.

Phase 1: Review accomplishments

Policy pillars: Standards, Procedures, Guidelines

Summary of Accomplishments

• Identified gaps in the existing policy suite and identified pain points in existing Infra & Ops processes.
• Developed a list of policies and procedures that can address existing gaps and prioritized the documentation effort.

Develop Infrastructure & Operations Policies and Procedures

Phase 2

Develop Policies

PHASE 2: Develop Policies

Step 2.1: Modify policy templates and gather feedback

This step will walk you through the following activities:

• Modify policy templates

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer

Results & Insights

• Results: Your own COBIT-aligned policies built by modifying Info-Tech templates.
• Insights: Effective policies are easy to read and navigate.

Write Good-er: Be Clear, Consistent, and Concise

Effective policies adhere to the three Cs of documentation.

1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
2. Be consistent. Write policies that complement each other, not contradict each other.
3. Be concise. Make it as quick and easy as possible to read and understand your policy.

Info-Tech Best Practice

To download the full suite of templates all at once, click the “Download Research” button on the research landing page on the website.

Use the three Cs: Be Clear

Understanding makes compliance possible. Create policy with the goal of making compliance as easy as possible. Use positive, simple language to convey your intentions and rationale to your audience. Staff will make an effort adhere to your policy when they understand the need and are able to comply with the terms.

1. Choose a skilled writer. Select a writer who can write clearly and succinctly.
2. Default to simple language and define key terms. Define scope and key terms upfront. Avoid using technical terms outside of technical documentation; if they’re necessary be sure to define them as well.
3. Use active, positive language. Where possible, tell people what they can do, not what they can’t.
4. Keep the structure simple. Complicated documents are less likely to be understood and read. Use short sentences and paragraphs. Lists are a helpful way to summarize important information. Guide your reader through the document with appropriately named section headers, tables of contents, and numeration.
5. Add a process for handling exceptions. Refer to procedures, standards, and guidelines documentation. Try to keep these links as static as possible. Also, refer to a process for handling exceptions.
6. Manage the integrity of electronic documents. When published electronically, the policy should have restricted editing access or should be published in a non-editable format. Access to the procedure and policy storage database for employees should be read-only.

Info-Tech Insight

Highly effective policies are easy to navigate. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it easy to navigate so the reader can easily find the policy statements that apply to them.

Use the three Cs: Be Consistent

Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned with how your company works.

1. Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
2. Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who needs to follow it. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
3. Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
4. Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
5. Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

"One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’" (Mike Hughes CISA CGEIT CRISC, Principal Director, Haines-Watts GRC)

Use the three Cs: Be Concise

Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are more difficult to read and understand, increasing the work required for employees to comply with them. Put it this way: How often do you read the Terms and Conditions of software you’ve installed before accepting them?

1. Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
2. Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
3. Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
4. Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
5. Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped or that you’re including statements that should be part of procedure documentation. Consider breaking your policy into smaller, focused, more digestible documents.

"If the policy’s too large, people aren’t going to read it. Why read something that doesn’t apply to me?" (Carole Fennelly, Owner and Principal, cFennelly Consulting)

"I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies … should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs." (Michael Deskin, Policy and Technical Writer, Canadian Nuclear Safety Commission)

Customize policy documents

Use the policies templates to support key Infrastructure & Operations programs.

INPUT: List of prioritized policies

OUTPUT: Written policy drafts ready for review

Materials: Policy templates

Participants: Policy writer, Signing authority

No policy template will be a perfect fit for your organization. Use Info-Tech’s research to develop your organization’s program requirements. Customize the policy templates to support those requirements.

1. Work through policies from highest to lowest priority as defined in Phase 1.
2. Follow the instructions written in grey text to customize the policy. Follow the three Cs when you write your policy.
3. When your draft is finished, prepare to request signoff from your signing authority by reviewing the draft with an Info-Tech analyst.
4. Complete the highest ranked three or four draft policies. Review all these policies with relevant stakeholders and include all relevant signing authorities in the signoff process.
5. Rinse and repeat. Iterate until all relevant polices are complete.

Request, Incident, and Problem Management

An effective, timely service desk correlates with higher overall end-user satisfaction across all other IT services. (Info-Tech Research Group, 2016 (N=25,998))

Use the following template to create a policy that outlines the goals and mandate for your service and support organization:

• IT Triage and Support Policy

Support the program and associated policy statements using Info-Tech’s research:

• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Embrace Standardization

• Outline the support and service mandate with the policy. Support the policy with the methodology in Info-Tech’s research.
• Over time, organizations without standardized processes face confusion, redundancies, and cost overruns. Standardization avoids wasting energy and effort building new solutions to solved issues.
• Standard processes for IT services define repeatable approaches to work and sandbox creative activities.
• Create tickets for every task and categorize them using a standard classification system. Use the resulting data to support root-cause analysis and long-term trend management.
• Create a single point of contact for users for all incidents and requests. Escalate and resolve tickets faster.
• Empower end users and technicians with knowledge bases that help them solve problems without intervention.

Change, Release, and Patch Management

Slow turnaround, unauthorized changes, and change-related incidents are all too familiar to many managers.

Use the following templates to create policies that define effective patch, release, and change management:

• Change Management Policy
• Release and Patch Management Policy
• Change Control – Freezes & Risk Evaluation Policy

Ensure the policy is supported by using the following Info-Tech research:

• Optimize Change Management

Embrace Change

• IT system owners resist change management when they see it as slow and bureaucratic.
• At the same time, an increasingly interlinked technical environment may cause issues to appear in unexpected places. Configuration management systems are often not kept up to date, so preventable conflicts get missed.
• No process exists to support the identification and deployment of critical security patches. Tracking down users to find a maintenance window takes significant, dedicated effort and intervention from the management team.
• Create a unified change management process that reduces risk and is balanced in its approach toward deploying changes, while also maintaining throughput of patches, fixes, enhancements, and innovation.

IT Asset Management (ITAM)

A proactive, dynamic ITAM program will pay dividends in support, contract management, appropriate provisioning, and more.

Start by outlining the requirements for effective asset management:

• Hardware Asset Management Policy
• Software Asset Management Policy

Support ITAM policies with the following Info-Tech research:

• Implement IT Asset Management

Leverage Asset Data

• Create effective, directional policies for your asset management program that provide a mandate for action. Support the policies with robust procedures, capable staff, and right-fit technology solutions.
• Poor management of assets generally leads to higher costs due to duplicated purchases, early replacement, loss, and so on.
• Visibility into asset location and ownership improves security and accountability.
• A centralized repository of asset data supports request fulfilment and incident management.
• Asset management is an ongoing program, not a one-off project, and must be resourced accordingly. Organizations often implement an asset management program and let it stagnate.

"Many of the large data breaches you hear about… nobody told the sysadmin the client data was on that server. So they weren’t protecting and monitoring it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Business Continuity Management (BCM)

Streamline the traditional approach to make BCM practical and repeatable.

Set the direction and requirements for effective BCM:

• Business Continuity Management Policy

Support the BCM policy with the following Info-Tech research:

• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan

Build Organizational Resilience

• Evidence of disaster recovery and business continuity planning is increasingly required to comply with regulations, mitigate business risk, and meet customer demands.
• IT leaders are often asked to take the lead on business continuity, but overall accountability for business continuity rests with the board of directors, and each business unit must create and maintain its business continuity plan.
• Set an organizational mandate for BCM with the policy.
• Divide the business continuity mandate into manageable parcels of work. Follow Info-Tech’s practical methodology to tackle key disaster recovery and business continuity planning activities one at a time.

Info-Tech Best Practice

Governance goals must be supported with effective, well-aligned procedures and processes. Use Info-Tech’s research to support the key Infrastructure & Operations processes that enable your business to create value.

Availability, Capacity, and Operations Management

What was old is new again. Use time-tested techniques to manage and plan cloud capacity and costs.

Set the direction and requirements for effective availability and capacity management:

• Availability and Capacity Management Policy
• System Maintenance Policy – NIST

Support the policy with the following Info-Tech research:

• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook

Mature Service Delivery

• Hybrid IT deployments – managing multiple locations, delivery models, and service providers – are the future of IT. Hybrid deployments significantly complicate capacity planning and operations management.
• Effective operations management practices develop structured processes to automate activities and increase process consistency across the IT organization, ultimately improving IT efficiency.
• Trying to add mature service delivery can feel like playing whack-a-mole. Systematically improve your service capabilities using the tactical, iterative approach outlined in Improve IT Operations Management.

Enhance your overall security posture with a defensible, prescriptive policy suite

Align your security policy suite with NIST Special Publication 800-171.

Security policies support the organization’s larger security program. We’ve created a dedicated research blueprint and a set of templates that will help you build security policies around a robust framework.

• Start with a security charter that aligns the security program with organizational objectives.
• Prioritize security policies that address significant risks.
• Work with technical and business stakeholders to adapt Info-Tech’s NIST SP 800-171–aligned policy templates (at right) to reflect your organizational objectives.

Review and download Info-Tech's blueprint Develop and Deploy Security Policies.

Info-Tech Best Practice

Customize Info-Tech’s policy framework to align your policy suite to NIST SP 800-171. Given NIST’s requirements for the control of confidential information, organizations that align their policies to NIST standards will be in a strong governance position.

PHASE 2: Develop Policies

Step 2.2: Implement, enforce, measure, and maintain new policies

This step will walk you through the following activities:

• Gather stakeholder feedback
• Identify preventive and detective controls
• Identify required supports
• Seek policy approval
• Establish roles and responsibilities for policy maintenance

This step involves the following participants:

• Infrastructure & Operations Manager
• Infrastructure Supervisors
• Technical Writer
• Policy Stakeholders

Results & Insights

• Results: Well-supported policies that have received signoff.
• Insights: If you’re not prepared to enforce the policy, you might not actually need a policy. Use the policy statements as guidelines or standards, create and implement procedures, and build a culture of compliance. Once you can confidently execute on required controls, seek signoff.

Gather feedback from users to assess the feasibility of the new policies

2(b) Review period: 1-2 weeks

Once the policies are drafted, roundtable the drafts with stakeholders.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

1. Form a test group of users who will be affected by the policy in different ways. Keep the group to around five staff.
2. Present new policies to the testers. Allow them to read the documents and attempt to comply with the new policies in their daily routines.
3. Collect feedback from the group.
   • Consider using interviews, email surveys, chat channels, or group discussions.
   • Solicit ideas on how policy statements could be improved or streamlined.
4. Make reasonable changes to the first draft of the policies before submitting them for approval. Policies will only be followed if they’re realistic and user friendly.

Info-Tech Best Practice

Allow staff the opportunity to provide input on policy development. Giving employees a say in policy development helps avoid obstacles down the road. This is especially true if you’re trying to change behavior rather than lock it in.

Develop mechanisms for monitoring and enforcement

Brainstorm preventive and detective controls.

INPUT: Draft policies

OUTPUT: Reviewed policy drafts ready for approval

Materials: Policy drafts

Participants: Policy stakeholders

Preventive controls are designed to discourage or pre-empt policy breaches before they occur. Training, approvals processes, and segregation of duties are examples of preventive controls. (Ohio University)

Detective controls help enforce the policy by identifying breaches after they occur. Forensic analysis and event log auditing are examples of detective controls. (Ohio University)

Not all policies require the same level of enforcement. Policies that are required by law or regulation generally require stricter enforcement than policies that outline best practices or organizational values.

Identify controls and enforcement mechanisms that are in line with policy requirements. Build control and enforcement into procedure documentation as needed.

Suggestions:

1. Have staff sign off on policies. Disclose any monitoring/surveillance.
2. Ensure consequences match the severity of the infraction. Document infractions and ensure that enforcement is applied consistently across all infractions.
3. Automatic controls shouldn’t get in the way of people’s ability to do their jobs. Test controls with users before you roll them out widely.

Support the policy before seeking approval

A policy is only as strong as its supporting pillars.

Create Standards

Standards are requirements that support policy adherence. Server builds and images, purchase approval criteria, and vulnerability severity definitions can all be examples of standards that improve policy adherence.

Where reasonable, use automated controls to enforce standards. If you automate the control, consider how you’ll handle exceptions.

Create Guidelines

If no standards exist – or best practices can’t be monitored and enforced, as standards require – write guidelines to help users remain in compliance with the policy.

Create Procedures: We’ll cover procedure development and documentation in Phase 3.

Info-Tech Insight

In general, failing to follow or strictly enforce a policy creates a risk for the business. If you’re not confident a policy will be followed or enforced, consider using policy statements as guidelines or standards as an interim measure as you update procedures and communicate and roll out changes that support adherence and enforcement.

Seek approval and communicate the policy

Policies ultimately need to be accepted by the business.

• Once the drafts are completed, identify who is in charge of approving the policies.
• Ensure all stakeholders understand the importance, context, and repercussions of the policies.
• The approvals process is about appropriate oversight of the drafted policies. For example:
  • Do the policies satisfy compliance and regulatory requirements?
  • Do the policies work with the corporate culture?
  • Do the policies address the underlying need?

If the draft is rejected:

• Acquire feedback and make revisions.
• Resubmit for approval.

If the draft is approved:

• Set the effective date and a review date.
• Begin communication, training, and implementation.

• Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.
• Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
• Employees must be informed on where to get help or ask questions and from whom to request policy exceptions.

"A lot of board members and executive management teams… don’t understand the technology and the risks posed by it." (Carole Fennelly, Owner and Principal, cFennelly Consulting)

Identify policy management roles and responsibilities

Discuss and assign roles and responsibilities for ongoing policy management.

"Whether at the level of a government, a department, or a sub-organization: technology and policy expertise complement one another and must be part of the conversation." (Peter Sheingold, Portfolio Manager, Cybersecurity, MITRE Corporation)

Phase 2: Review accomplishments

Effective Policies: Clear, Consistent, and Concise

Summary of Accomplishments

• Built priority policies based on templates aligned with the IT Management & Governance Framework and COBIT 5.
• Reviewed controls and policy supports.
• Assigned roles and responsibilities for ongoing policy maintenance.

Develop Infrastructure & Operations Policies and Procedures

Phase 3

Document Effective Procedures

PHASE 3: Document Effective Procedures

Step 3.1: Scope and outline procedures

This step will walk you through the following activities:

• Prioritize SOP documentation
• Draft workflows using a tabletop exercise
• Modify templates, as applicable

This step involves the following participants:

• Infrastructure & Operations Manager
• Technical Writer
• Infrastructure Supervisors

Results & Insights

• Results: An action plan for SOP documentation and an outline of procedure workflows.
• Insights: Don’t let tools get in the way of documentation – low-tech solutions are often the most effective way to build and analyze workflows.

Prioritize your SOP documentation effort

Build SOP documentation that gets used and doesn’t just check a box.

1. Review the list of procedure gaps from Phase 1. Are any other procedures needed? Are some of the procedures now redundant?
2. Establish the scope of the proposed procedures. Who are the stakeholders? What policies do they support?
3. Run a basic prioritization exercise using a three-point scale. Higher scores mean greater risks or greater benefits. Score the risk of the undocumented procedure to the business (e.g. potential effect on data, productivity, goodwill, health and safety, or compliance). Score the benefit to the business of documenting the procedure (e.g. throughput improvements or knowledge transfer).
4. Different procedures require different formats. Decide on one or more formats that can help you effectively document the procedure:
   • Flowcharts: Depict workflows and decision points. Provide an at-a-glance view that is easy to follow. Can be supported by checklists and diagrams where more detail is required.
   • Checklists: A reminder of what to do, rather than how to do it. Keep instructions brief.
   • Diagrams: Visualize objects, topologies, and connections for reference purposes.
   • Tables: Establish relationships between related categories.
   • Prose: Use full-text instructions where other documentation strategies are insufficient.

Modify the following Info-Tech templates for larger SOPs

Support these processes...	...with these blueprints...	...to create SOPs using these templates.
	Create a Right-Sized Disaster Recovery Plan	DRP Summary
	Implement IT Asset Management	HAM SOP and SAM SOP
	Optimize Change Management	Change Management SOP
	Standardize the Service Desk	Service Desk SOP

Use tabletop planning or whiteboards to draft workflows

3(b) 30 minutes

Tabletop planning is a paper-based exercise in which your team walks through a particular process and maps out what happens at each stage.

OUTPUT: Steps in the current process for one SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

1. For this exercise, choose one particular process to document.
2. Document each step of the process on cue cards, which can be arranged on the table in sequence.
3. Be sure to include task ownership in your steps.
4. Map out the process as it currently happens – we’ll think about how to improve it later.
5. Keep focused. Stay on task and on time.

Example:

• Step 3: PM reviews new defects daily
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority

Info-Tech Insight

Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

Collaborate to optimize the SOP

Review the tabletop exercise. What gaps exist in current processes?
How can the processes be made better? What are the outputs and checkpoints?

OUTPUT: Identify steps to optimize the SOP

Materials: Tabletop, pen, and cue cards

Participants: Process owners, SMEs

Example:

• Step 3: PM reviews new defects daily
• NEW STEP: Schedule 10-minute daily defect reviews with PM and tech leads to evaluate ticket priority
• Step 4: PM assigns defects to tech leads
• Step 5: Assigned resource updates status – frequency is based on ticket priority
  • Step 5 Subprocess: Ticket status update
  • Step 5 Output: Ticket status moved to OPEN by assigned resource – acknowledges receipt by assigned resource

A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

If it’s necessary to clarify complex process flows during the exercise, you can also use green cards for decision diamonds, purple for document/report outputs, and blue for subprocesses.

PHASE 3: Document Effective Procedures

Step 3.2: Document effective procedures

This step will walk you through the following activities:

• Document workflows, checklists, and diagrams
• Establish a cadence for document review and updates

This step involves the following participants:

• Infrastructure Manager
• Technical Writer

Results & Insights

• Results: Improved SOP documentation and document management practices.
• Insights: It’s possible to keep up with changes if you put the right cues and accountabilities in place. Include document review in project and change management procedures and hold staff accountable for completion.

Document workflows with flowcharting software

Suggestions for workflow documentation

• Whether you draft the workflow on a whiteboard or using cue cards, the first iteration is usually messy. Clean up the flow as you document the results of the exercise.
• Make the workflow as simple as possible and no simpler. Eliminate any decision points that aren’t strictly necessary to complete the procedure.
• Use standard flowchart shapes (see next slide).
• Use links to connect to related documentation.
• Review the documented workflow with participants.

Download the following workflow examples:

• XMPL Recovery Workflows
• Workflow Library

Establish flowcharting standards

If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

	Start, End, and Connector: Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.
	Start and End: Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.
	Process Step: Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the subprocess symbol and flowchart the subprocess separately.
	Subprocess: A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a subprocess, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).
	Decision: Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).
	Document/Report Output: For example, the output from a backup process might include an error log.

Support workflows with checklists and diagrams

Diagrams

• Diagrams are a visual representation of real-world phenomena and the connections between them.
• Be sure to use standard shapes. Clearly label elements of the diagram. Use standard practices, including titles, dates, authorship, and versioning.
• IT systems and interconnections are layered. Include physical, logical, protocol, and data flow connections.

Examples:

• XMPL Recovery Workflows
• Workflow Library

Checklists

• Checklists are best used as short-form reminders on how to complete a particular task.
• Remember the audience. If the process will be carried out by technical staff, there’s technical background material you won’t need to spell out in detail.

Examples:

• Employee Termination Process Checklist
• XMPL Systems Recovery Playbook

Establish a cadence for documentation review and maintenance

Lock-in the work with strong document management practices.

• Identify documentation requirements as part of project planning.
• Require a manager or supervisor to review and approve SOPs.
• Check documentation status as part of change management.
• Hold staff accountable for documentation.

"It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained." (Gary Patterson, Consultant, Quorum Resources)

Only a quarter of organizations update SOPs as needed

Info-Tech Best Practice

Use Info-Tech’s research Create Visual SOP Documents to further evaluate document management practices and toolsets.

Phase 3: Review accomplishments

Workflow documentation: Cue cards into flowcharts

Summary of Accomplishments

• Identified priority procedures for documentation activities.
• Created procedure documentation in the appropriate format and level of granularity to support Infra & Ops policies.
• Published and maintained procedure documentation.

Research contributors and experts

Carole Fennelly, Owner
cFennelly Consulting

Carole Fennelly provides pragmatic cyber security expertise to help organizations bridge the gap between technical and business requirements. She authored the Center for Internet Security (CIS) Solaris and Red Hat benchmarks, which are used globally as configuration standards to secure IT systems. As a consultant, Carole has defined security strategies, and developed policies and procedures to implement them, at numerous Fortune 500 clients. Carole is a Certified Information Security Manager (CISM), Certified Security Compliance Specialist (CSCS), and Certified HIPAA Professional (CHP).

Marko Diepold, IT Audit Manager
audit2advise

Marko is an IT Audit Manager at audit2advise, where he delivers audit, risk advisory, and project management services. He has worked as a Security Officer, Quality Manager, and Consultant at some of Germany’s largest companies. He is a CISA and is ITIL v3 Intermediate and ITGCP certified.

Research contributors and experts

Martin Andenmatten, Founder & Managing Director
Glenfis AG

Martin is a digital transformation enabler who has been involved in various fields of IT for more than 30 years. At Glenfis, he leads large Governance and Service Management projects for various customers. Since 2002, he has been the course manager for ITIL® Foundation, ITIL® Service Management, and COBIT training. He has published two books on ISO 20000 and ITIL.

Myles F. Suer, CIO Chat Facilitator
CIO.com/Dell Boomi

Myles Suer, according to LeadTails, is the number 9 influencer of CIOs. He is also the facilitator for the CIOChat, which has executive-level participants from around the world in such industries as banking, insurance, education, and government. Myles is also the Industry Solutions Marketing Manager at Dell Boomi.

Research contributors and experts

Peter Sheingold, Portfolio Manager
Cybersecurity, Homeland Security Center, The MITRE Corporation

Peter leads tasks that involve collaboration with the Department of Homeland Security (DHS) sponsors and MITRE colleagues and connect strategy, policy, organization, and technology. He brings a deep background in homeland security and strategic analysis to his work with DHS in the immigration, border security, and cyber mission spaces. Peter came to MITRE in 2005 but has worked with DHS from its inception.

Robert D. Austin, Professor
Ivey Business School

Dr. Austin is a professor of Information Systems at Ivey Business School and an affiliated faculty member at Harvard Medical School. Before his appointment at Ivey, he was a professor of Innovation and Digital Transformation at Copenhagen Business School, and, before that, a professor of Technology and Operations Management at the Harvard Business School.

Research contributors and experts

Ron Jones, Director of IT Infrastructure and Service Management
DATA Communications

Ron is a senior IT leader with over 20 years of management experiences from engineering to IT Service Management and operations support. He is known for joining organizations and leading enhanced process efficiency and has improved software, hardware, infrastructure, and operations solution delivery and support. Ron has worked for global and Canadian firms including BlackBerry, DoubleClick, Cogeco, Infusion, Info-Tech Research Group, and Data Communications Management.

Scott Genung, Executive Director of Networking, Infrastructure, and Service Operations
University of Chicago

Scott is an accomplished IT executive with 26 years of experience in technical and leadership roles. In his current role, Scott provides strategic leadership, vision, and oversight for an IT portfolio supporting 31,000 users consisting of services utilized by campuses located in North America, Asia, and Europe; oversees the University’s Command Center; and chairs the UC Cyberinfrastructure Alliance (UCCA), a group of research IT providers that collectively deliver services to the campus and partners.

Research contributors and experts

Steve Weil, CISSP, CISM, CRISC, Information Security Director, Cybersecurity Principal Consultant
Point B

Steve has 20 years of experience in information security design, implementation, and assessment. He has provided information security services to a wide variety of organizations, including government agencies, hospitals, universities, small businesses, and large enterprises. With his background as a systems administrator, security consultant, security architect, and information security director, Steve has a strong understanding of both the strategic and tactical aspects of information security. Steve has significant hands-on experience with security controls, operating systems, and applications. Steve has a master's degree in Information Science from the University of Washington.

Tony J. Read, Senior Program/Project Lead & Interim IT Executive
Read & Associates

Tony has over 25 years of international IT leadership experience, within high tech, computing, telecommunications, finance, banking, government, and retail industries. Throughout his career, Tony has led and successfully implemented key corporate initiatives, contributing millions of dollars to the top and bottom line. He established Read & Associates in 2002, an international IT management and program/project delivery consultancy practice whose aim is to provide IT value-based solutions, realizing stakeholder economic value and network advantage. These key concepts are presented in his new book: The IT Value Network: From IT Investment to Stakeholder Value, published by J. Wiley, NJ.

Related Info-Tech research

• Develop and Deploy Security Policies
• Develop an Availability and Capacity Management Plan
• Improve IT Operations Management
• Develop an IT Infrastructure Services Playbook
• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan
• Implement IT Asset Management
• Optimize Change Management
• Standardize the Service Desk
• Incident and Problem Management
• Design & Build a User-Facing Service Catalog

Bibliography

“About Controls.” Ohio University, ND. Web. 2 Feb 2018.

England, Rob. “How to implement ITIL for a client?” The IT Skeptic. Two Hills Ltd, 4 Feb. 2010. Web. 2018.

“Global Corporate IT Security Risks: 2013.” Kaspersky Lab, May 2013. Web. 2018.

“Information Security and Technology Policies.” City of Chicago, Department of Innovation and Technology, Oct. 2014. Web. 2018.

ISACA. COBIT 5: Enabling Processes. International Systems Audit and Control Association. Rolling Meadows, IL.: 2012.

“IT Policy & Governance.” NYC Information Technology & Telecommunications, ND. Web. 2018.

King, Paula and Kent Wada. “IT Policy: An Essential Element of IT Infrastructure”. EDUCAUSE Review. May-June 2001. Web. 2018.

Luebbe, Max. “Simplicity.” Site Reliability Engineering. O’Reilly Media. 2017. Web. 2018.

Swartout, Shawn. “Risk assessment, acceptance, and exception with a process view.” ISACA Charlotte Chapter September Event, 2013. Web. 2018.

“User Guide to Writing Policies.” Office of Policy and Efficiency, University of Colorado, ND. Web. 2018.

“The Value of Policies and Procedures.” New Mexico Municipal League, ND. Web. 2018.