The Small Enterprise Guide to People and Resource Management

Quickly start getting the right people, with the right skills, at the right time

Is this research right for you?

Research Navigation

Managing the people in your department is essential, whether you have three employees or 300. Depending on your available time, resources, and current workforce management maturity, you may choose to focus on the overall essentials, or dive deep into particular areas of talent management. Use the questions below to help guide you to the right Info-Tech resources that best align with your current needs.

Analyst Perspective

Workforce planning is even more important for small enterprises than large organizations.

It can be tempting to think of workforce planning as a bureaucratic exercise reserved for the largest and most formal of organizations. But workforce planning is never more important than in small enterprises, where every individual accounts for a significant portion of your overall productivity.

Without workforce planning, organizations find themselves in reactive mode, hiring new staff as the need arises. They often pay a premium for having to fill a position quickly or suffer productivity losses when a critical role goes unexpectedly vacant.

A workforce plan helps you anticipate these challenges, come up with solutions to mitigate them, and allocate resources for the most impact, which means a greater return on your workforce investment in the long run.

This blueprint will help you accomplish this quickly and efficiently. It will also provide you with the essential development and knowledge transfer tools to put your plan into action.

Jane Kouptsova
Senior Research Analyst, CIO Advisory
Info-Tech Research Group

Executive Summary

Your Challenge

52% of small business owners agree that labor quality is their most important problem.¹

Almost half of all small businesses face difficulty due to staff turnover.

76% of executives expect the talent market to get even more challenging.²

Common Obstacles

76% of executives expect workforce planning to become a top strategic priority for their organization.²

But…

30% of small businesses do not have a formal HR function.³

Small business leaders are often left at a disadvantage for hiring and retaining the best talent, and they face even more difficulty due to a lack of support from HR.

Small enterprises must solve the strategic workforce planning problem, but they cannot invest the same time or resources that large enterprises have at their disposal.

Info-Tech's Approach

A modular, lightweight approach to workforce planning and talent management, tailored to small enterprises

Clear activities that guide your team to decisive action

Founded on your IT strategy, ensuring you have not just good people, but the right people

Concise yet comprehensive, covering the entire workforce lifecycle from competency planning to development to succession planning and reskilling

Info-Tech Insight

Every resource counts. When one hire represents 10% of your workforce, it is essential to get it right.

¹CNBC & SurveyMonkey. ²ADP. ³Clutch.

Labor quality is small enterprise's biggest challenge

The key to solving it is strategic workforce planning

Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in today's workforce, including pinpointing the human capital needs of the future.

Linking workforce planning with strategic planning ensures that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

¹CNBC & SurveyMonkey. ²Clutch. ³ADP.

Workforce planning matters more for small enterprises

You know that staffing mistakes can cost your department dearly. But did you know the costs are greater for small enterprises?

The price of losing an individual goes beyond the cost of hiring a replacement, which can range from 0.5 to 2 times that employee's salary (Gallup, 2019). Additional costs include loss of productivity, business knowledge, and team morale.

This is a major challenge for large organizations, but the threat is even greater for small enterprises, where a single individual accounts for a large proportion of IT's productivity. Losing one of a team of 10 means 10% of your total output. If that individual was solely responsible for a critical function, your department now faces a significant gap in its capabilities. And the effect on morale is much greater when everyone is on the same close-knit team.

And the threat continues when the staffing error causes you not to lose a valuable employee, but to hire the wrong one instead. When a single individual makes up a large percentage of your workforce, as happens on small teams, the effects of talent management errors are magnified.

Info-Tech Insight

One bad hire on a team of 100 is a problem. One bad hire on a team of 10 is a disaster.

Blueprint pre-step: Determine your starting point

People and Resource management is essential for any organization. But depending on your needs, you may want to start at different stages of the process. Use this slide as a quick reference for how the activities in this blueprint fit together, how they relate to other workforce management resources, and the best starting point for you.

Your IT strategy is an essential input to your workforce plan. It defines your destination, while your workforce is the vessel that carries you there. Ensure you have at least an informal strategy for your department before making major workforce changes, or review Info-Tech's guidance on IT strategy.

This blueprint covers the parts of workforce management that occur to some extent in every organization:

• Workforce planning
• Knowledge transfer
• Development planning

You may additionally want to seek guidance on contract and vendor management, if you outsource some part of your workload outside your core IT staff.

Track metrics

Consider these example metrics for tracking people and resource management success

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 4 to 6 calls over the course of 3 to 4 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Each onsite day is structured with group working sessions from 9-11 a.m. and 1:30-3:30 p.m. and includes Open Analyst Timeslots, where our facilitators are available to expand on scheduled activities, capture and compile workshop results, or review additional components from our comprehensive approach.

Phase 1

Workforce Planning

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership team
• Managers
• Human resource partner (if applicable)

Additional Resources

Workforce Planning Workbook for Small Enterprises

Phase pre-step: Gather resources and participants

1. Ensure you have an up-to-date IT strategy. If you don't have a formal strategy in place, ensure you are aware of the main organizational objectives for the next 3-5 years. Connect with executive stakeholders if necessary to confirm this information.
   If you are not sure of the organizational direction for this time frame, we recommend you consult Info-Tech's material on IT strategy first, to ensure your workforce plan is fully positioned to deliver value to the organization.
2. Consult with your IT team and gather any documentation pertaining to current roles and skills. Examples include an org chart, job descriptions, a list of current tasks performed/required, a list of company competencies, and a list of outsourced projects.
3. Gather the right participants. Most of the decisions in this section will be made by senior leadership, but you will also need input from front-line managers. Ensure they are available on an as-needed basis. If your organization has an HR partner, it can also be helpful to involve them in your workforce planning process.

Formal workforce planning benefits even small teams

Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in your workforce today and plan for the human capital needs of the future.

Your workforce plan is an extension of your IT strategy, ensuring that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

The smaller the business, the more impact each individual's performance has on the overall success of the organization. When a given role is occupied by a single individual, the organization's performance in that function is determined wholly by one employee. Creating a workforce plan for a small team may seem excessive, but it ensures your organization is not unexpectedly hit with a critical competency gap.

Right-size your workforce planning process to the size of your enterprise

Small organizations are 2.2 times more likely to have effective workforce planning processes.¹ Be mindful of the opportunities and risks for organizations of your size as you execute the project. How you build your workforce plan will not change drastically based on the size of your organization; however, the scope of your initiative, the size of your team, and the tactics you employ may vary.

¹ McLean & Company Trends Report 2014

1.1 Set project outcomes and success metrics

1-3 hours

1. As a group, brainstorm key pain points that the IT department experiences due to the lack of a workforce plan. Ask them to consider turnover, retention, training, and talent acquisition.
2. Discuss any key themes that arise and brainstorm your desired project outcomes. Keep a record of these for future reference and to aid in stakeholder communication.
3. Break into smaller groups (or if too small, continue as a single group):
   1. For each desired outcome, consider what metrics you could use to track progress. Keep your initial list of pain points in mind as you brainstorm metrics.
   2. Write each of the metric suggestions on a whiteboard and agree to track 3-5 metrics. Set targets for each metric. Consider the effort required to obtain and track the metric, as well as its reliability.
   3. Assign one individual for tracking the selected metrics. Following the meeting, that individual will be responsible for identifying the baseline and targets, and reporting on metrics progress.

1.2 Identify key roles and competency gaps

1-3 hours

1. As a group, identify all strategic, core, and supporting roles by reviewing the organizational chart:
   1. Strategic: What are the roles that must be filled by top performers and cannot be left vacant in order to meet strategic objectives?
   2. Core: What roles are important to drive operational excellence?
   3. Supporting: What roles are required for day-to-day work, but are low risk if the role is vacant for a period of time?
2. Working individually or in small groups, have managers for each identified role define the level of competence required for the job. Consider factors such as:
   1. The difficulty or criticality of the tasks being performed
   2. The impact on job outcomes
   3. The impact on the performance of other employees
   4. The consequence of errors if the competency is not present
   5. How frequently the competency is used on the job
   6. Whether the competency is required when the job starts or can be learned or acquired on the job within the first six months
3. Continue working individually and rate the level of proficiency of the current incumbent.
4. As a group, review the assessment and make any adjustments.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Download the Workforce Planning Workbook for Small Enterprises

1.2 Identify key roles and competency gaps

Conduct a risk-of-departure analysis

A risk-of-departure analysis helps you plan for future talent needs by identifying which employees are most likely to leave the organization (or their current role).

A risk analysis takes into account two factors: an employee's risk for departure and the impact of departure:

Employees are high risk for departure if they:

• Have specialized or in-demand skills (tenured employees are more likely to have this than recent hires)
• Are nearing retirement
• Have expressed career aspirations that extend outside your organization
• Have hit a career development ceiling at your organization
• Are disengaged
• Are actively job searching
• Are facing performance issues or dismissal OR promotion into a new role

Employees are low risk for departure if they:

• Are a new hire or new to their role
• Are highly engaged
• Have high potential
• Are 5-10 years out from retirement

If you are not sure where an employee stands with respect to leaving the organization, consider having a development conversation with them. In the meantime, consider them at medium risk for departure.

To estimate the impact of departure, consider:

• The effect of losing the employee in the near- and medium-term, including:
  • Impact on the organization, department, unit/team and projects
  • The cost (in time, resources, and productivity loss) to replace the individual
  • The readiness of internal successors for the role

1.3 Conduct a risk analysis to identify future needs

1-3 hours

Preparation: Your estimation of whether key employees are at risk of leaving the organization will depend on what you know of them objectively (skills, age), as well as what you learn from development conversations. Ensure you collect all relevant information prior to conducting this activity. You may need to speak with employees' direct managers beforehand or include them in the discussion.

• As a group, list all your current employees, and using the previous slide for guidance, rank them on two parameters: risk of departure and impact of departure, on a scale of low to high. Record your conclusions in a chart like the one on the right. (For a more in-depth risk assessment, use the "Risk Assessment Results" tab of the Key Roles Succession Planning Tool.)
• Employees that fall in the "Mitigate" quadrant represent key at-risk roles with at least moderate risk and moderate impact. These are your succession planning priorities. Add these roles to your list of key roles and competency gaps, and include them in your workforce planning analysis.
• Employees that fall in the "Manage" quadrants represent secondary priorities, which should be looked at if there is capacity after considering the "Mitigate" roles.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Info-Tech Insight

Don't be afraid to rank most or all your staff as "high impact of departure." In a small enterprise, every player counts, and you must plan accordingly.

1.3 Conduct a risk analysis to identify future needs

Determine your skill sourcing route

The characteristics of need steer hiring managers to a preferred choice, while the marketplace analysis will tell you the feasibility of each option.

Sourcing Options		Preferred Options		Final Choice
	State of the Marketplace		State of the Marketplace
	Urgency: How soon do we need this skill? What is the required time-to-value? Criticality: How critical, i.e. core to business goals, are the services or systems that this skill will support? Novelty: Is this skill brand new to our workforce? Availability: How often, and at what hours, will the skill be needed? Durability: For how long will this skill be needed? Just once, or indefinitely for regular operations?		Scarcity: How popular or desirable is this skill? Do we have a large enough talent pool to draw from? What competition are we facing for top talent? Cost: How much will it cost to hire vs. contract vs. outsource vs. train this skill? Preparedness: Do we have internal resources available to cultivate this skill in house?

1.4 Determine your skill sourcing route

1-3 hours

1. Identify the preferred sourcing method as a group, starting with the most critical or urgent skill need on your list. Use the characteristics of need to guide your discussion. If more than one option seems adequate, carry several over to the next step.
2. Consider the marketplace factors applicable to the skill in question and use these to narrow down to one final sourcing decision.
   1. If it is not clear whether a suitable internal candidate is available or ready, refer to the next activity for a readiness assessment.
3. Be sure to document the rationale supporting your decision. This will ensure the decision can be clearly communicated to any stakeholders, and that you can review on your decision-making process down the line.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Info-Tech Insight

Consider developing a pool of successors instead of pinning your hopes on just one person. A single pool of successors can be developed for either one key role that has specialized requirements or even multiple key roles that have generic requirements.

1.5 Determine readiness of internal successors

1-3 hours

1. As a group, and ensuring you include the candidates' direct managers, identify potential successors for the first role on your list.
2. Ask how effectively the potential successor would serve in the role today. Review the competencies for the key role in terms of:
   1. Relationship-building skills
   2. Business skills
   3. Technical skills
   4. Industry-specific skills or knowledge
3. Determine what competencies the succession candidate currently has and what must be learned. Be sure you know whether the candidate is open to a career change. Don't assume – if this is not clear, have a development conversation to ensure everyone is on the same page.
4. Finally, determine how difficult it will be for the successor to acquire missing skills or knowledge, whether the resources are available to provide the required development, and how long it will take to provide it.
5. As a group, decide whether training an internal successor is a viable option for the role in question, considering the successor's readiness and the characteristics of need for the role. If a clear successor is not readily apparent, consider:
   1. If the development of the successor can be fast-tracked, or if some requirements can be deprioritized and the successor provided with temporary support from other employees.
   2. If the role in question is being discussed because the current incumbent is preparing to leave, consider negotiating an arrangement that extends the incumbent's employment tenure.
6. Record the decision and repeat for the next role on your list.

Info-Tech Insight

A readiness assessment helps to define not just development needs, but also any risks around the organization's ability to fill a key role.

Use alternative work arrangements to gain time to prepare successors

Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles.

Alternative work arrangements not only support employees who want to keep working, but more importantly, they allow the business to retain employees that are needed in key roles who are departure risks due to retirement.

Viewing retirement as a gradual process can help you slow down skill loss in your organization and ensure you have sufficient time to train successors. Retiring workers are becoming increasingly open to alternative work arrangements. Among employed workers aged 50-75, more than half planned to continue working part-time after retirement.
Source: Statistics Canada.

Flexible work options are the most used form of alternative work arrangement

Source: McLean & Company, N=44

Choose the alternative work arrangement that works best for you and the employee

Choose the alternative work arrangement that works best for you and the employee

Phase 2

Knowledge Transfer

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership/management team
• Incumbent & successor

Additional Resources

IT Knowledge Identification Interview Guide Template

Knowledge Transfer Plan Template

Determine your skill sourcing route

Knowledge transfer plans have three key components that you need to complete for each knowledge source:

Don't miss tacit knowledge

There are two basic types of knowledge: "explicit" and "tacit." Ensure you capture both to get a well-rounded overview of the role.

Embed your knowledge transfer methods into day-to-day practice

Multiple methods should be used to transfer as much of a person's knowledge as possible, and mentoring should always be one of them. Select your method according to the following criteria:

Info-Tech Insight

The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful, and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.

Type of Knowledge

• Tacit knowledge transfer methods are often informal and interactive:
  • Mentoring
  • Multi-generational work teams
  • Networks and communities
  • Job shadowing
• Explicit knowledge transfer methods tend to be more formal and one way:
  • Formal documentation of processes and best practices
  • Self-published knowledge bases
  • Formal training sessions
  • Formal interviews

Incumbent's Preference/Successor's Preference

Ensure you consult the employees, and their direct manager, on the way they are best prepared to teach and learn. Some examples of preferences include:

1. Prefer traditional classroom learning, augmented with participation, critical reflection, and feedback.
2. May get bored during formal training sessions and retain more during job shadowing.
3. Prefer to be self-directed or self-paced, and highly receptive to e-learning and media.
4. Prefer informal, incidental learning, tend to go immediately to technology or direct access to people. May have a short attention span and be motivated by instant results.
5. May be uncomfortable with blogs and wikis, but comfortable with SharePoint.

Cost

Consider costs beyond the monetary. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).

The good news is that many supporting technologies may already exist in your organization or can be acquired for free.

Methods that cost time may be difficult to get underway since employees may feel they don't have the time or must change the way they work.

2.1 Create a knowledge transfer plan

1-3 hours

1. Working together with the current incumbent, brainstorm the key information pertaining to the role that you want to pass on to the successor. Use the IT Knowledge Identification Interview Guide Template to ensure you don't miss anything.
   • Consider key knowledge areas, including:
     • Specialized technical knowledge.
     • Specialized research and development processes.
     • Unique design capabilities/methods/models.
     • Special formulas/algorithms/techniques.
     • Proprietary production processes.
     • Decision-making criteria.
     • Innovative sales methods.
     • Knowledge about key customers.
     • Relationships with key stakeholders.
     • Company history and values.
   • Ask questions of both sources and receivers of knowledge to help determine the best knowledge transfer methods to use.
   • What is the nature of the knowledge? Explicit or tacit?
   • Why is it important to transfer?
   • How will the knowledge be used?
   • What knowledge is critical for success?
   • How will the users find and access it?
   • How will it be maintained and remain relevant and usable?
   • What are the existing knowledge pathways or networks connecting sources to recipients?
2. Once the knowledge has been identified, use the information on the following slides to decide on the most appropriate methods. Be sure to consult the incumbent and successor on their preferences.
3. Prioritize your list of knowledge transfer activities. It's important not to try to do too much too quickly. Focus on some quick wins and leverage the success of these initiatives to drive the project forward. Follow these steps as a guide:
   1. Take an inventory of all the tactics and techniques which you plan to employ. Eliminate redundancies where possible.
   2. Start your implementation with your highest risk role or knowledge item, using explicit knowledge transfer tactics. Interviews, use cases, and process mapping will give you some quick wins and will help gain momentum for the project.
   3. Then move forward to other tactics, the majority of which will require training and process design. Pick 1-2 other key tactics you would like to employ and build those out. For tactics that require resources or monetary investment, start with those that can be reused for multiple roles.

Record your plan in the IT Knowledge Transfer Plan Template.

Download the IT Knowledge Identification Interview Guide Template

Download the Knowledge Transfer Plan Template

Info-Tech Insight

Wherever possible, ask employees about their personal learning styles. It's likely that a collaborative compromise will have to be struck for knowledge transfer to work well.

2.1 Create a knowledge transfer plan

Not every transfer method is effective for every type of knowledge

This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared against four different knowledge types.

Not all techniques are effective for all types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.

Employees' engagement can impact knowledge transfer effectiveness

When considering which tactics to employ, it's important to consider the knowledge holder's level of engagement. Employees who you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.

Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It's essential that motivations for knowledge transfer are communicated effectively.

Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what's in it for them.

Putting disengaged employees in a position where they are mentoring others can be a risk, as their negativity could influence others not to participate, or it could negate the work you're doing to create a positive knowledge sharing culture.

Employees' engagement can impact knowledge transfer effectiveness

Phase 3

Development Planning

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership team
• Managers
• Employees

Additional Resources

• IT Competency Library
• Leadership Competencies Workbook
• IT Employee Career Development Workbook
• Individual Competency Development Plan
• Learning Methods Catalog

Effective development planning hinges on robust performance management

Your performance management framework is rooted in organizational goals and defines what it means to do any given role well.

Your organization's priority competencies are the knowledge, skills and attributes that enable an employee to do the job well.

Each individual's development goals are then aimed at building these priority competencies.

Info-Tech Insight

Without a performance management framework, your employees cannot align their development with the organization's goals. For detailed guidance, see Info-Tech's blueprint Setting Meaningful Employee Performance Measures.

What is a competency?

The term "competency" refers to the collection of knowledge, skills, and attributes an employee requires to do a job well.

Often organizations have competency frameworks that consist of core, leadership, and functional competencies.

Core competencies apply to every role in the organization. Typically, they are tied to organizational values and business mission and/or vision.

Functional competencies are at the department, work group, or job role levels. They are a direct reflection of the function or type of work carried out.

Leadership competencies generally apply only to people managers in the organization. Typically, they are tied to strategic goals in the short to medium term

Use the SMART model to make sure goals are reasonable and attainable

Example goal:

"Learn Excel this summer."

Problems:

Not specific enough, not measurable enough, nor time bound.

Alternate SMART goal:

"Consult with our Excel expert and take the lead on creating an Excel tool in August."

3.2 Identify target competencies & draft development goals

1 hour

Pre-work: Employees should come to the career conversation having done some self-reflection. Use Info-Tech's IT Employee Career Development Workbook to help employees identify their career goals.

1. Pre-work: Managers should gather any data they have on the employee's current proficiency at key competencies. Potential sources include task-based assessments, performance ratings, supervisor or peer feedback, and informal conversation.
   
   Prioritize competencies. Using your list of priority organizational competencies, work with your employees to help them identify two to four competencies to focus on developing now and in the future. Use the Individual Competency Development Plan template to document your assessment and prioritize competencies for development. Consider the following questions for guidance:
   1. Which competencies are needed in my current role that I do not have full proficiency in?
   2. Which competencies are related to both my career interests and the organization's priorities?
   3. Which competencies are related to each other and could be developed together or simultaneously?
2. Draft goals. Ask your employee to create a list of multiple simple goals to develop the competencies they have selected to work on developing over the next year. Identifying multiple goals helps to break development down into manageable chunks. Ensure goals are concrete, for example, if the competency is "communication skills," your development goals could be "presentation skills" and "business writing."
3. Review goals:
   1. Ask why these areas are important to the employee.
   2. Share your ideas and why it is important that the employee develop in the areas identified.
   3. Ensure that the goals are realistic. They should be stretch goals, but they must be achievable. Use the SMART framework on the previous slide for guidance.

Info-Tech Insight

Lack of career development is the top reason employees leave organizations. Development activities need to work for both the organization and the employee's own development, and clearly link to advancing employees' careers either at the organization or beyond.

Download the IT Employee Career Development Workbook

Download the Individual Competency Development Plan

3.2 Identify target competencies & draft development goals

Apply a blend of learning methods

• Info-Tech recommends the 70-20-10 principle for learning and development, which places the greatest emphasis on learning by doing. This experiential learning is then supported by feedback from mentoring, training, and self-reflection.
• Use the 70-20-10 principle as a guideline – the actual breakdown of your learning methods will need to be tailored to best suit your organization and the employee's goals.

Spend development time and effort wisely:

Internal initiatives are a cost-effective development aid

Incorporating a development objective into daily tasks

What do we mean by incorporating into daily tasks?

The next time you assign a project to an employee, you should also ask the employee to think about a development goal for the project. Try to link it back to their existing goals or have them document a new goal in their development plan.

For example: A team of employees always divides their work in the same way. Their goal for their next project could be to change up the division of responsibility so they can learn each other's roles.

Another example:

"I'd like you to develop your ability to explain technical terms to a non-technical audience. I'd like you to sit down with the new employee who starts tomorrow and explain how to use all our software, getting them up and running."

Info-Tech Insight

Employees often don't realize that they are being developed. They either think they are being recognized for good work or they are resentful of the additional workload.

You need to tell your employees that the activity you are asking them to do is intended to further their development.

However, be careful not to sell mundane tasks as development opportunities – this is offensive and detrimental to engagement.

Establish manager and employee accountability for following up

Ensure that the employee makes progress in developing prioritized competencies by defining accountabilities:

3.3 Select development activities and schedule check-ins

1-3 hours

Pre-work: Employees should research potential development activities and come prepared with a range of suggestions.

Pre-work: Managers should investigate options for employee development, such as internal training/practice opportunities for the employee's selected competencies and availability of training budget.

1. Communicate your findings about internal opportunities and external training allowance to the employee. This can also be done prior to the meeting, to help guide the employee's own research. Address any questions or concerns.
2. Review the employee's proposed list of activities, and identify priority ones based on:
   1. How effectively they support the development of priority competencies.
   2. How closely they match the employee's original goals.
   3. The learning methods they employ, and whether the chosen activities support a mix of different methods.
   4. The degree to which the employee will have a chance to practice new skills hands-on.
   5. The amount of time the activities require, balanced against the employee's work obligations.
3. Guide the employee in selecting activities for the short and medium term. Establish an understanding that this list is tentative and subject to ongoing revision during future check-ins.
   1. If in doubt about whether the employee is over-committing, err on the side of fewer activities to start.
4. Schedule a check-in for one month out to review progress and roadblocks, and to reaffirm priorities.
5. Check-ins should be repeated regularly, typically once a month.

Download the Learning Methods Catalog

Info-Tech Insight

Adopt a blended learning approach using a variety of techniques to effectively develop competencies. This will reinforce learning and accommodate different learning styles. See Info-Tech's Learning Methods Catalog for a description of popular experiential, relational, and formal learning methods.

3.3 Select development activities and schedule check-ins

Tips for tricky conversations about development

What to do if…

Employees aren't interested in development:

• They may have low aspiration for advancement.
• Remind them about the importance of staying current in their role given increasing job requirements.
• Explain that skill development will make their job easier and make them more successful at it; sell development as a quick and effective way to learn the skill.
• Indicate your support and respond to concerns.

Employees have greater aspiration than capability:

• Explain that there are a number of skills and capabilities that they need to improve in order to move to the next level. If the specific skills were not discussed during the performance appraisal, do not hesitate to explain the improvements that you require.
• Inform the employee that you want them to succeed and that by pushing too far and too fast they risk failure, which would not be beneficial to anyone.
• Reinforce that they need to do their current job well before they can be considered for promotion.

Employees are offended by your suggestions:

• Try to understand why they are offended. Before moving forward, clarify whether they disagree with the need for development or the method by which you are recommending they be developed.
• If it is because you told them they had development needs, then reiterate that this is about helping them to become better and that everyone has areas to develop.
• If it is about the development method, discuss the different options, including the pros and cons of each.

Coaching and feedback skills help managers guide employee development

Coaching and providing feedback are often confused. Managers often believe they are coaching when they are just giving feedback. Learn the difference and apply the right approach for the right situation.

What is coaching?

A conversation in which a manager asks questions to guide employees to solve problems themselves.

Coaching is:

• Future-focused
• Collaborative
• Geared toward growth and development

What is feedback?

Information conveyed from the manager to the employee about their performance.

Feedback is:

• Past-focused
• Prescriptive
• Geared toward behavior and performance

Info-Tech Insight

Don't forget to develop your managers! Ensure coaching, feedback, and management skills are part of your management team's development plan.

Apply the "4A" behavior-focused coaching model

Using a model allows every manager, even those with little experience, to apply coaching best practices effectively.

Use the following questions to have meaningful coaching conversations

Opening Questions

• What's on your mind?
• Do you feel you've had a good week/month?
• What is the ideal situation?
• What else?

Problem-Identifying Questions

• What is most important here?
• What is the challenge here for you?
• What is the real challenge here for you?
• What is getting in the way of you achieving your goal?

Problem-Solving Questions

• What are some of the options available?
• What have you already tried to solve this problem? What worked? What didn't work?
• Have you considered all the possibilities?
• How can I help?

Next-Steps Questions

• What do you need to do, and when, to achieve your goal?
• What resources are there to help you achieve your goal? This includes people, tools, or even resources outside our organization.
• How will you know when you have achieved your goal? What does success look like?

The purpose of asking questions is to guide the conversation and learn something you didn't already know. Choose the questions you ask based on the flow of the conversation and on what information you would like to uncover. Approach the answers you get with an open mind.

Info-Tech Insight

Avoid the trap of "hidden agenda" questions, whose real purpose is to offer your own advice.

Use the following approach to give effective feedback

Provide the feedback in a timely manner

• Plan the message you want to convey.
• Provide feedback "just-in-time."
• Ensure recipient is not preoccupied.
• Try to balance the feedback; refer to successful as well as unsuccessful behavior.

Communicate clearly, using specific examples and alternative behaviors

• Feedback must be honest and helpful.
• Be specific and give a recent example.
• Be descriptive, not evaluative.
• Relate feedback to behaviors that can be changed.
• Give an alternative positive behavior.

Confirm their agreement and understanding

• Solicit their thoughts on the feedback.
• Clarify if not understood; try another example.
• Confirm recipient understands and accepts the feedback.

Manager skill is crucial to employee development

Development is a two-way street. This means that while employees are responsible for putting in the work, managers must enable their development with support and guidance. The latter is a skill, which managers must consciously cultivate.

For more in-depth management skills development, see the Info-Tech "Build a Better Manager" training resources:

• Basic Management Skills: Time management, delegation, accountability.
• Manage Your People: Communication, coaching, and performance management.
• Personal Leadership: Manager's role in the organization, decision-making, and conflict management.

Bibliography

Anderson, Kelsie. "Is Your IT Department Prepared for the 4 Biggest Challenges of 2017?" 14 June 2017.
Atkinson, Carol, and Peter Sandiford. "An Exploration of Older Worker Flexible Working Arrangements in Smaller Firms." Human Resource Management Journal, vol. 26, no. 1, 2016, pp. 12–28. Wiley Online Library.
BasuMallick, Chiradeep. "Top 8 Best Practices for Employee Cross-Training." Spiceworks, 15 June 2020.
Birol, Andy. "4 Ways You Can Succeed With a Staff That 'Wears Multiple Hats.'" The Business Journals, 26 Nov. 2013.
Bleich, Corey. "6 Major Benefits To Cross-Training Employees." EdgePoint Learning, 5 Dec. 2018.
Cancialosi, Chris. "Cross-Training: Your Best Defense Against Indispensable Employees." Forbes, 15 Sept. 2014.
Cappelli, Peter, and Anna Tavis. "HR Goes Agile." Harvard Business Review, Mar. 2018.
Chung, Kai Li, and Norma D'Annunzio-Green. "Talent Management Practices of SMEs in the Hospitality Sector: An Entrepreneurial Owner-Manager Perspective." Worldwide Hospitality and Tourism Themes, vol. 10, no. 4, Jan. 2018.
Clarkson, Mary. Developing IT Staff: A Practical Approach. Springer Science & Business Media, 2012.
"CNBC and SurveyMonkey Release Latest Small Business Survey Results." Momentive, 2019. Press Release. Accessed 6 Aug. 2020.
Cselényi, Noémi. "Why Is It Important for Small Business Owners to Focus on Talent Management?" Jumpstart:HR | HR Outsourcing and Consulting for Small Businesses and Startups, 25 Mar. 2013.
dsparks. "Top 10 IT Concerns for Small Businesses." Stratosphere Networks IT Support Blog - Chicago IT Support Technical Support, 16 May 2017.
Duff, Jimi. "Why Small to Mid-Sized Businesses Need a System for Talent Management | Talent Management Blog | Saba Software." Saba, 17 Dec. 2018.
Employment and Social Development Canada. "Age-Friendly Workplaces: Promoting Older Worker Participation." Government of Canada, 3 Oct. 2016.
Exploring Workforce Planning. Accenture, 23 May 2017.
"Five Major IT Challenges Facing Small and Medium-Sized Businesses." Advanced Network Systems. Accessed 25 June 2020.
Harris, Evan. "IT Problems That Small Businesses Face." InhouseIT, 17 Aug. 2016.
Heathfield, Susan. "What Every Manager Needs to Know About Succession Planning." Liveabout, 8 June 2020.
---. "Why Talent Management Is an Important Business Strategy." Liveabout, 29 Dec. 2019.
Herbert, Chris. "The Top 5 Challenges Facing IT Departments in Mid-Sized Companies." ExpertIP, 25 June 2012.
How Smaller Organizations Can Use Talent Management to Accelerate Growth. Avilar. Accessed 25 June 2020.
Krishnan, TN, and Hugh Scullion. "Talent Management and Dynamic View of Talent in Small and Medium Enterprises." Human Resource Management Review, vol. 27, no. 3, Sept. 2017, pp. 431–41.
Mann Jackson, Nancy. "Strategic Workforce Planning for Midsized Businesses." ADP, 6 Feb. 2017.
McCandless, Karen. "A Beginner's Guide to Strategic Talent Management (2020)." The Blueprint, 26 Feb. 2020.
McFeely, Shane, and Ben Wigert. "This Fixable Problem Costs U.S. Businesses $1 Trillion." Gallup.com, 13 Mar. 2019.
Mihelič, Katarina Katja. Global Talent Management Best Practices for SMEs. Jan. 2020.
Mohsin, Maryam. 10 Small Business Statistics You Need to Know in 2020 [May 2020]. 4 May 2020.
Ramadan, Wael H., and B. Eng. The Influence of Talent Management on Sustainable Competitive Advantage of Small and Medium Sized Establishments. 2012, p. 15.
Ready, Douglas A., et al. "Building a Game-Changing Talent Strategy." Harvard Business Review, no. January–February 2014, Jan. 2014.
Reh, John. "Cross-Training Employees Strengthens Engagement and Performance." Liveabout, May 2019.
Rennie, Michael, et al. McKinsey on Organization: Agility and Organization Design. McKinsey, May 2016.
Roddy, Seamus. "The State of Small Business Employee Benefits in 2019." Clutch, 18 Apr. 2019.
SHRM. "Developing Employee Career Paths and Ladders." SHRM, 28 Feb. 2020.
Strandberg, Coro. Sustainability Talent Management: The New Business Imperative. Strandberg Consulting, Apr. 2015.
Talent Management for Small & Medium-Size Businesses. Success Factors. Accessed 25 June 2020.
"Top 10 IT Challenges Facing Small Business in 2019." Your IT Department, 8 Jan. 2019.
"Why You Need Workforce Planning." Workforce.com, 24 Oct. 2022.

Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

• The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
• The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
• The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
• Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

Parkerian Hexad

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

The security ecosystem is shifting from segregation to integration

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

• Securing physical access,
  e.g. facility access control, alarms, surveillance cameras
• Securing physical operations
  (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

• Identify the security integration problems to solve with visible improvement possibilities
• Don’t choose technology for technology’s sake
• Keep an eye to the future
• Use strategic foresight

Piece by piece

• Avoid taking a big bang approach
• Test technologies in multiple conditions
• Run inexpensive pilots
• Increase flexibility
• Build a technology ecosystem

Buy-in

• Collaborate with stakeholders
• Gain and sustain support
• Maintain transparency
• Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

• Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
• Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
• Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
• Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
• Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
• Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

• Engage stakeholders and justify value for the business.
• Define roles and responsibilities.
• Establish/update governance for integrated security.
• Identify integrated elements and compliance obligations.

Enhance

• Determine the level of security maturity and update security strategy for integrated security.
• Assess and treat risks of integrated security.
• Establish/update integrated physical and information security policies and procedures.
• Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

• Identify skill requirements and close skill gaps for integrating physical and information security.
• Design and deploy integrated security architecture and controls.
• Establish, monitor, and report integrated security metrics on effectiveness and efficiency.

Benefits of the security integration framework

Today’s matured technology makes security integration possible. However, the governance and management of single integrated security presents challenges. These can be overcome using a multi-phased framework that enables a modular, incremental, and repeatable integration process, starting with planning to justify the value of investment, then enhancing the integrated security based on risks and open architecture. This is followed by using metrics for monitoring and optimization.

1. Modular

   • Implementing a consolidated security strategy is complex and involves the integration of process, software, data, hardware, and network and infrastructure.
   • A modular framework will help to drive value while putting in appropriate guardrails.

2. Incremental

   • Integration of physical security and information security involves many components such as security strategy, risk management, and security policies.
   • An incremental framework will help track, manage, and maintain each step while providing appropriate structure.

3. Repeatable

   • Integration of physical security and information security is a journey that can be approached with a pilot program to evaluate effectiveness.
   • A repeatable framework will help to ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

Potential risks of the security integration framework

Just as medicine often comes with side effects, our Integration of Physical and Information Security Framework may introduce risks too. However, as John F. Kennedy, thirty-fifth president of the United States, once said, "There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction."

Plan Phase

• Lack of transparency in the integration process can lead to lack of trust among stakeholders.
• Lack of support from leadership results in unclear governance or lack of budget or human resources.
• Key stakeholders leave the organization during the engagement and their replacements do not understand the organization’s operation yet.

Enhance Phase

• The risk assessment conducted focuses too much on IT risk, which may not always be applicable to physical security systems nor OT systems.
• The integrated security does not comply with policies and regulations.

Monitor and Optimize Phase

• Lack of knowledge, training, and awareness.
• Different testing versus production environments.
• Lack of collected or shared security metrics.

Data

• Data quality issues and inadequate data from physical security, information security, and other systems, e.g. OT, IoT.
• Too much data from too many tools are complex and time consuming to process.

Develop an integration of information security, physical security, and personnel security that meets your organization’s needs

Integrate security in people, process, and technology to improve your overall security posture

Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Plan and engage stakeholders

Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.

Enhance strategy and risk management

Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Monitor and optimize

Find the most optimized architecture that is strategic, realistic, and based on risk. Next, perform an evaluation of the security systems and program by understanding what, where, when, and how to measure and to report the relevant metrics.

Focus on master plan

Identify the security integration problems to solve with visible improvement possibilities, and don’t choose technology for technology’s sake. Design first, then conduct market research by comparing products or services from vendors or manufacturers.

Build a technology ecosystem

Avoid a big bang approach and test technologies in multiple conditions. Run inexpensive pilots and increase flexibility to build a technology ecosystem.

Deliverables

Each step of this framework is accompanied by supporting deliverables to help you accomplish your goals:

Integrate Physical Security and Information Security Requirements Gathering Tool

Map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals. Identify your security integration elements and compliance.

Integrate Physical Security and Information Security RACI Chart Tool

Identify various security integration stakeholders across the organization and assign tasks to suitable roles.

Key deliverable:

Integrate Physical Security and Information Security Communication Deck

Present your findings in a prepopulated document that summarizes the work you have completed.

Plan

Planning is foundational to engage stakeholders. Start with justifying the value of investment, then define roles and responsibilities, update governance, and finally identify integrated elements and compliance obligations.

Plan

Engage stakeholders

• To initiate communication between the physical and information security teams and other related divisions, it is important to identify the entities that would be affected by the security integration and involve them in the process to gain support from planning to delivery and maintenance.
• Possible stakeholders:
  • Executive leadership, Facilities Management leader and team, IT leader, Security & Privacy leader, compliance officer, Legal, Risk Management, HR, Finance, OT leader (if applicable)
• A successful security integration depends on aligning your security integration initiatives and migration plan to the organization’s objectives by engaging the right people to communicate and collaborate.

Info-Tech Insight

It is important to speak the same language. Physical security concerns safety and availability, while information security concerns confidentiality and integrity. Thus, the two systems have different goals and require alignment.

Similarly, taxonomy of terminologies needs to be managed,¹ e.g. facility management with an emergency management background may have a different understanding from a CISO with an information security background when discussing the same term. For example:

In emergency management prevention means “actions taken to eliminate the impact of disasters in order to protect lives, property and the environment, and to avoid economic disruption.”²

In information security prevention is “preventing the threats by understanding the threat environment and the attack surfaces, the risks, the assets, and by maintaining a secure system.”³

Sources: ¹ Owen Yardley, Omaha Public Power District (contributor); ² Translation Bureau, Government of Canada, n.d.; ³ Security Intelligence, 2020

Map organizational goals to integrated security goals

1. As a group, brainstorm organization goals.
   • Review relevant corporate, IT, and facilities strategies.
2. Record the most important business goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than ten goals. This limitation will be critical to helping focus on your integrated security goals.
3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Integrate Physical Security and Information Security Requirements Gathering Tool.

Record organizational goals

Refer to the Integration of Physical and Information Security Framework when filling in the table.

1. Record your identified organizational goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each organizational goal, identify IT alignment goals.
3. For each organizational goal, identify OT alignment goals (if applicable).
4. For each organizational goal, identify Facilities alignment goals.
5. For each organizational goal, select an integrated security goal from the drop-down menu.

Justify value for the business

Facilities in most cases have a team that is responsible for physical security installations such as access key controllers. Whenever there is an issue, they contact the provider to fix the error. However, with smart buildings and smart devices, the threat surface grows to include information security threats, and Facilities may not possess the knowledge and skills required to deal with them. At the same time, delegating physical security to IT may add more tasks to their already-too-long list of responsibilities. Consolidating security to a focused security team that covers both physical and information security can help.1 We need to develop the security integration business case beyond physical security "gates, guns, and guards" mentality.2

An example of a cost-benefit analysis for security integration:

Sources: 1 Andrew Amaro, KLAVAN Security Services (contributor); 2 Baker and Benny, 2013;
Industrial Control System Modernization, Info-Tech Research Group, 2023; Lawrence Berkeley National Laboratory, 2021

Plan

Define roles and responsibilities

Many factors impact an organization’s level of effectiveness as it relates to integration of physical and information security. How the team interacts, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, we need to identify stakeholders that are:

• Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
• Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
• Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
• Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Integrate Physical Security and Information Security RACI Chart Tool

Define RACI chart

Define Responsible, Accountable, Consulted, Informed (RACI) stakeholders.

1. Customize the Work Units to best reflect your operation with applicable stakeholders.
2. Customize the Action rows as required.

Sources: ISC, 2015; ISC, 2021

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT Security should be responsible for the installation and configuration of all physical access controllers and devices, and facility managers should be responsible for the physical maintenance including malfunctioning such as access device jammed or physically broken.

Plan

Establish/update governance for integrated security

HR & Finance

HR provides information such as new hires and office hours as input to the security system. Finance assists in budgeting.

Security & Privacy

The security and privacy team will need to evaluate solutions and enforce standards on various physical and information security systems and to protect data privacy.

Business Leaders

Business stakeholders will provide clarity for their strategy and provide input into how they envision security furthering those goals.

IT Executives

IT stakeholders will be a driving force, ensuring all necessary resources are available and funded.

Facilities/ Operations

Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

Infrastructure & Enterprise Architects

Each solution added to the environment will need to be chosen and architected to meet business goals and security functions.

Info-Tech Insight

Assemble the right team to ensure the success of your integrated security ecosystem and decide the governance model, e.g. security steering committee (SSC) or a centralized single structure.

Adapted from Create and Implement an IoT Strategy, Info-Tech Research Group, 2022

What does the SSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your SSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction

   How does the organization’s security strategy support the attainment of the business, IT, facilities management, and physical and information security strategies? The SSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.

2. Establish Clear Lines of Authority

   Security programs contain many important elements that need to be coordinated. There must be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.

3. Provide Unbiased Oversight

   The SSC should vet the organization’s systematic monitoring processes to ensure there is adherence to defined risk tolerance levels and that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.

4. Optimize Security Value Delivery

   Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Adapted from Improve Security Governance With a Security Steering Committee , Info-Tech Research Group, 2018

Plan

Identify integrated elements and compliance obligations

To determine what elements need to be integrated, it’s important to scope the security integration program and to identify the consequences of integration for compliance obligations.

INTEGRATED ELEMENTS

What are my concerns?

Process integrations

Determine which processes need to be integrated and how

• Examples: Security prevention, detection, and response; risk assessment

Software and data integration

Determine which software and data need to be integrated and how

• Examples: Threat management tools, SIEM, IDPS, security event logs

Hardware integration

Determine which hardware needs to be integrated and how

• Examples: Sensors, alarms, cameras, keys, locks, combinations, and card readers

Network and infrastructure

Determine which network and infrastructure components need to be integrated and how

• Example: Network segmentation for physical access controllers.

COMPLIANCE

How can I address my concerns?

Regulations

Adhere to mandatory laws, directives, industry standards, specific contractual obligations, etc.

• Examples: NERC CIP (North American Utilities), Network and Information Security (NIS) Directive (EU), Health and Safety at Work etc Act 1974 (UK), Occupational Safety and Health Act, 1970 (US), Emergency Management Act, 2007 (Canada)

Standards

Adhere to voluntary standards and obligations

• Examples: NIST Cybersecurity Framework (CSF), The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (US), Cybersecurity Maturity Model Certification (CMMC), Service Organization Control (SOC 1 and 2)

Guidelines

Adopt guidelines that can improve the integrated security program

• Examples: Best Practices for Planning and Managing Physical Security Resources (US Interagency Security Committee), Information Security Manual - Guidelines for Physical Security (Australian Cyber Security Centre), 1402-2021-Guide for Physical Security of Electric Power Substations (IEEE)

Record integrated elements

Refer to the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool when filling in the following elements.

1. Record your integrated elements, i.e. process integration, software and data integration, hardware integration, network and infrastructure, and physical scope of your security integration, in the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each of your scoping give the rationale for including them in the Comments column. Careful attention should be paid to any elements that are not in scope.

Record your compliance obligations

Refer to the “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

1. Identify your compliance obligations. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your integrated security, include those that include physical security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Integrate Physical Security and Information Security Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/ guidelines.

Remediate third-party compliance gaps

If you have third-party compliance gaps, there are four primary ways to eliminate them:

1. Find a New, Compliant Partner

   Terminate existing contract and find another organization to partner with.

2. Bring the Capability In-House

   Expense permitting, this may be the best way to protect yourself.

3. Demand Compliance

   Tell the third party they must become compliant. Make sure you set a deadline.

4. Accept Noncompliance and Assume the Risk

   Sometimes remediation just isn’t cost effective and you have no choice.

Follow Contracting Best Practices to Mitigate the Risk of Future Third-Party Compliance Gaps

1. Perform Initial Due Diligence: Request proof of third-party compliance prior to entering into a contract.
2. Perform Ongoing Due Diligence: Request proof of third-party contractor compliance annually.
3. Contract Negotiation: Insert clauses requesting periodic assertions of compliance.

View a sample contract provided by the US Department of Health and Human Services.

Source: Take Control of Compliance Improvement to Conquer Every Audit, Info-Tech Research Group, 2015

Pitfalls to avoid when planning security integration

• No Resources Lineups

  Integration of security needs support from leadership, proper planning, and clear and consistent communication across the organization.

• Not Addressing Holistic Security

  Create policies and procedures and follow standards that are holistic and based on threats and risks, e.g. consolidated access control policies.

• Lack of Governance

  While the IT department is a critical partner in cybersecurity, the ownership of such a role sits squarely in the organizational C-suite, with regular reporting to the board of directors (if applicable).

• Overlooking Business Continuity Effort

  IT and physical security are integral to business continuity and disaster recovery strategies.

• Not Having Relevant Training and Awareness

  Provide a training and awareness program based on relevant attack vectors. Trained employees are key assets to the development of a safe and secure environment. They must form the base of your security culture.

• Overbuilding or Underbuilding

  Select third-party providers that offer systems interoperability with other security tools. The intent is to promote a unified approach to security to avoid a cumbersome tooling zoo.

Sources: Real Time Networks, 2022; Andrew Amaro, KLAVAN Security Services (contributor)

Enhance

Enhancing is the development of an integrated security strategy, policies, procedures, BCP, DR, and IR based on the organization’s risks.

Enhance

Determine the level of security maturity and update the security strategy

• Before updating your security strategies, you need to understand the organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies. The goal is to align your integrated security strategies to contribute to your organization’s success.
• The integrated security leaders need to understand the direction of the organization. For example:
  • Growth expectation
  • Expansions or mergers anticipation
  • Product or service changes
  • Regulatory requirements
• Wise security investments depend on aligning your security initiatives to the organization’s objectives by supporting operational performance and ensuring brand protection and shareholder values.

Sources: Amy L. Meger, Platte River Power Authority (contributor); Baker and Benny, 2013; IFSEC Global, 2023; Security Priorities 2023, Info-Tech Research Group, 2023; Build an Information Security Strategy, Info-Tech Research Group, 2020; ISC, n.d.

Understanding security maturity

Maturity models are very effective for determining security states. This table provides examples of general descriptions for physical and information security maturity levels.

Determine which framework is suitable and select the description that most accurately reflects the ideal state for security in your organization.

Sources: ¹ Fennelly, 2013; ² Build an Information Security Strategy, Info-Tech Research Group, 2020

Enhance

Assess and treat integrated security risks

The risk assessment conducted consists of analyzing existing inherent risks, existing pressure to the risks such as health and safety laws and codes of practice, new risks from the integration process, risk tolerance, and countermeasures.

• Some organizations already integrate security into corporate security that consists of risk management, compliance, governance, information security, personnel security, and physical security. However, some organizations are still separating security components, especially physical security and information security, which limits security visibility and the organization’s ability to complete a comprehensive risks assessment.
• Many vendors are also segregating physical security and information security solutions because their tools do well only on certain aspects. This forces organizations to combine multiple tools, creating a complex environment.
• Additionally, risks related to people such as mental health issues must be addressed properly. The prevalence of hybrid work post-pandemic makes this aspect especially important.
• Assess and treat risks based on the organization’s requirements, including its environments. For example, the US federal facility security organization is required to conduct risk assessments at least every five years for Level I (lowest risk) and Level II facilities and at least every three years for Level III, IV, and V (highest risk) facilities.

Sources: EPA, n.d.; America's Water Infrastructure Act (AWIA), 2018; ISC, 2021

“In 2022, 95% of US companies are consolidating into a single platform across physical security, cybersecurity, HR, legal and compliance.”

Source: Ontic Center for Protective Intelligence, 2022; N=359

Example risk levels

The risk assessment conducted is based on a combination of physical and information security factors such as certain facilities factors. The risk level can be used to determine the baseline level of protection (LOP). Next, the baseline LOP is customized to the achievable LOP. The following is an example for federal facilities determined by Interagency Security Committee (ISC).

Source: ISC, 2021

Example assets

It is important to identify the organization’s requirements, including its environments (IT, IoT, OT, facilities, etc.), and to measure and evaluate its risks and threats using an appropriate risk framework and tools with the critical step of identifying assets prior to acquiring solutions.

Info-Tech Insight

Certain exceptions must be identified in risk assessment. Usually physical barriers such as gates and intrusion detection sensors are considered as countermeasures,1 however, under certain assessment, e.g. America's Water Infrastructure Act (AWIA),2 physical barriers are also considered assets and as such must also be assessed.

Compromising a fingerprint scanner

An anecdotal example of why physical security alone is not sufficient.

Image by Rawpixel.com on Freepik

Lessons learned from using fingerprints for authentication:

• Fingerprint scanners can be physically circumvented by making a copy an authorized user’s fingerprint with 3D printing or even by forcefully amputating an authorized user’s finger.
• Authorized users may not be given access when the fingerprint cannot be recognized, e.g. if the finger is covered by bandage due to injury.
• Integration with information security may help detect unauthorized access, e.g. a fingerprint being scanned in a Canadian office when the same user was scanned at a close time interval from an IP in Europe will trigger an alert of a possible incident.

Info-Tech Insight

In an ideal world, we want a physical security system that is interoperable with all technologies, flexible with minimal customization, functional, and integrated. In the real world, we may have physical systems with proprietary configurations that are not easily customized and siloed.

Source: Robert Dang, Info-Tech Research Group

Use case: Microchip implant

Microchip implants can be used instead of physical devices such as key cards for digital identity and access management. Risks can be assessed using quantitative or qualitative approaches. In this use case a qualitative approach is applied to impact and likelihood, and a quantitative approach is applied to revenue and cost.

Asset: Microchip implant

Benefits

Risks

Sources: Business Insider, 2018; BBC News, 2022; ISC, 2015

Enhance

Update integrated security policies and procedures

Global policies with local implementation

This model works for corporate groups with a parent company. In this model, global security policies are developed by a parent company and local policies are applied to the unique business that is not supported by the parent company.

Update of existing security policies

This model works for organizations with sufficient resources. In this model, integrated security policies are derived from various policies. For example, physical security in smart buildings/devices (sensors, automated meters, HVAC, etc.) and OT systems (SCADA, PLCs, RTUs, etc.) introduce unique risk exposures, necessitating updates to security policies.

Customization of information security policies

This model works for smaller organizations with limited resources. In this model, integrated security policies are derived from information security policies. The issue is when these policies are not applicable to physical security systems or other environments, e.g. OT systems.

Sources: Kris Krishan, Waymo (contributor); Isabelle Hertanto, Info-Tech Research Group (contributor); Physical and Environmental Security Policy Template, Info-Tech Research Group, 2022.

Enhance

Update BCP, DR, IR

• Physical threats such as theft of material, vandalism, loitering, and the like are also part of business continuity threats.
• These threats can be carried out by various means such as vehicles breaching perimeter security, bolt cutters used for cutting wire and cable, and ballistic attack.
• Issues may occur when security operations are owned separately by physical security or information security, thus lacking consistent application of best practices.
• To overcome this issue, organizations need to update BCP, DR, and IR holistically based on a cost-benefit analysis and the level of security maturity, which can be defined based on the suitable framework.

Sources: IEEE, 2021; ISC, 2021

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

Source: Dan Erwin, Security Officer, Dow Chemical Co., in Computerworld, 2022

Optimize

Optimizing means working to make the most effective and efficient use of resources, starting with identifying skill requirements and closing skill gaps, followed by designing and deploying integrated security architecture and controls, and finally monitoring and reporting integrated security metrics.

Optimize

Identify skill requirements and close skill gaps

• The pandemic changed how people work and where they choose to work, and most people still want a hybrid work model. Our survey in July 2022 (N=516) found that 55.8% of employees have the option to work offsite 2-3 days per week, 21.0% can work offsite 1 day per week, and 17.8% can work offsite 4 days per week.
• The investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the costs didn’t end there; organizations needed to maintain the secure remote work infrastructure to facilitate the hybrid work model.
• Moreover, roles are evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security and ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIOT security specialist, where OT/IIOT security specialist is a new role.

Strategic investment in internal security team

Internal security governance and management using in-house developed tools or off-the-shelf solutions, e.g. security information and event management (SIEM).

Security management using third parties

Internal security management using third-party security services, e.g. managed security service providers (MSSPs).

Outsourcing security management

Outsourcing the entire security functions, e.g. using managed detection and response (MDR).

Sources: Info-Tech Research Group’s Security Priorities 2023, Close the InfoSec Skills Gap, Build an IT Employee Engagement Program, and Grid Modernization

Select the right certifications

What are the options?

• One issue in security certification is the complexity of relevancy in topics with respect to roles and levels.
• The European Union Agency for Cybersecurity (ENISA) takes the approach of analyzing existing certifications of ICS/SCADA professionals' cybersecurity skills by orientation, scope, and supporting bodies that are grouped into specific certifications, relevant certifications, and safety certifications (ENISA, 2015).
• This approach can also be applied to integrated security certifications.

Physical security certification

• Examples: Industrial Security Professional Certification (NCMS-ISP); Physical Security Professional (ASIS-PSP); Physical Security Certification (CDSE-PSC); ISC I-100, I-200, I-300, and I-400

Cyber physical system security certification

• Examples: Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course

Information security certification

• Examples: Network and Information Security (NIS) Driving License, ISA/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP)

Safety Certifications

• Examples: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organizations (ENSHPO)

Optimize

Design and deploy integrated security architecture and controls

• A survey by Brivo found that 38% of respondents have partly centralized security platforms, 25% have decentralized platforms, and 36% have centralized platforms (Brivo, 2022; N=700).
• If your organization’s security program is still decentralized or partly centralized and your organization is planning to establish an integrated security program, then the recommendation is to perform a holistic risk assessment based on probability and impact assessments on threats and vulnerabilities.
• The impacted factors, for example, are customers served, criticality of services, equipment present inside the building, personnel response time for operational recovery and the mitigation of hazards, and costs.
• Frameworks such as Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technologies (COBIT), and The Open Group Architecture Framework (TOGAF) can be used to build security architecture that aligns security goals with business goals.
• Finally, analyze the security design against the design criteria.

Sources: ISA and Honeywell Integrated Security Technology Lab, n.d.; IEEE, 2021

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”

Source: FedTech magazine, 2009

Analyze architecture design

Cloud, on-premises, or hybrid? During the pandemic, many enterprises were under tight deadlines to migrate to the cloud. Many did not refactor data and applications correctly for cloud platforms during migration, with the consequence of high cloud bills. This happened because the migrated applications cannot take advantage of on-premises capabilities such as autoscaling. Thus, in 2023, it is plausible that enterprises will bring applications and data back on-premises.

Below is an example of a security design analysis of platform architecture. Design can be assessed using quantitative or qualitative approaches. In this example, a qualitative approach is applied using high-level advantages and disadvantages.

Info-Tech Insight

It is important for organizations to find the most optimized architecture to support them, for example, a hybrid architecture of cloud and on-premises based on operations and cost-effectiveness. To help design a security architecture that is strategic, realistic, and based on risk, see Info-Tech’s Identify the Components of Your Cloud Security Architecture research.

Sources: InfoWorld, 2023; Identify the Components of Your Cloud Security Architecture , Info-Tech Research Group, 2021

Analyze equipment design

Below is an example case of a security design analysis of electronic security systems. Design can be assessed using quantitative or qualitative approaches. In this example a qualitative approach is applied using advantages and disadvantages.

Info-Tech Insight

Once the design has been analyzed, the next step is to conduct market research to analyze the solutions landscape, e.g. to compare products or services from vendors or manufacturers.

Sources: IEEE, 202; IEC, n.d.; IEC, 2013

Analyze off-the-shelf solutions

Criteria to consider when comparing solutions:

Visibility and Asset Management

Passively monitoring data using various protocol layers, actively sending queries to devices, or parsing configuration files of physical security devices, OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only in IT but also in relevant environments, e.g. physical, IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options, extensive integration capabilities, and affordability.

Source: Secure IT/OT Convergence, Info-Tech Research Group, 2022

Optimize

Establish, monitor, and report integrated security metrics

Security metrics serve various functions in a security program.1 For example:

• As audit requirements. For integrated security, the requirements are derived from mandatory or voluntary compliance, e.g. NERC CIP.
• As an indicator of maturity level. For integrated security, maturity level is used to measure the state of security, e.g. C2M2, CMMC.
• As a measurement of effectiveness and efficiency. Security metrics consist of operational metrics, financial metrics, etc.

Safety

Physical security interfaces with the physical world. Thus, metrics based on risks related to safety are crucial. These metrics motivate personnel by making clear why they should care about security.
Source: EPRI, 2017

Business Performance

The impact of security on the business can be measured with various metrics such as operational metrics, service level agreements (SLAs), and financial metrics.
Source: BMC, 2022

Technology Performance

Early detection leads to faster remediation and less damage. Metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability.
Source: Dark Reading, 2022

Security Culture

Measure the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

Info-Tech Insight

Security failure can be avoided by evaluating the security systems and program. Security evaluation requires understanding what, where, when, and how to measure and to report the relevant metrics.

Related Info-Tech Research

Secure IT/OT Convergence

The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

Hence, IT and OT need to collaborate, starting with communication to build trust and to overcome their differences and followed by negotiation on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Bibliography

"1402-2021 - IEEE Guide for Physical Security of Electric Power Substations." IEEE, 2021. Accessed 25 Jan. 2023.

"2022 State of Protective Intelligence Report." Ontic Center for Protective Intelligence, 2022. Accessed 16 Jan. 2023.

"8 Staggering Statistics: Physical Security Technology Adoption." Brivo, 2022. Accessed 5 Jan. 2023.

"America's Water Infrastructure Act of 2018." The United States' Congress, 2018. Accessed 19 Jan. 2023.

Baker, Paul and Daniel Benny. The Complete Guide to Physical Security. Auerbach Publications. 2013

Bennett, Steve. "Physical Security Statistics 2022 - Everything You Need to Know." WebinarCare, 4 Dec. 2022. Accessed 30 Dec. 2022.

"Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Interagency Security Committee (ISC), Dec. 2015. Accessed 23 Jan. 2023.

Black, Daniel. "Improve Security Governance With a Security Steering Committee." Info-Tech Research Group, 23 Nov. 2018. Accessed 30 Jan. 2023.

Borg, Scott. "Don't Put Up Walls Between Your Security People." FedTech Magazine, 17 Feb. 2009. Accessed 15 Dec. 2022.

Burwash, John. “Preparing for Technology Convergence in Manufacturing.” Info-Tech Research Group, 12 Dec. 2018. Accessed 7 Dec. 2022.

Carney, John. "Why Integrate Physical and Logical Security?" Cisco. Accessed 19 Jan. 2023.

"Certification of Cyber Security Skills of ICS/SCADA Professionals." European Union Agency for Cybersecurity (ENISA), 2015. Accessed 27 Sep. 2022.

Cherdantseva, Yulia and Jeremy Hilton. "Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals." Organizational, Legal, and Technological Dimensions of IS Administrator, Almeida F., Portela, I. (eds.), pp. 1204-1235. IGI Global Publishing, 2013.

Cobb, Michael. "Physical security." TechTarget. Accessed 8 Dec. 2022.

“Conduct a Drinking Water or Wastewater Utility Risk Assessment.” United States Environmental Protection Agency (EPA), n.d. Web.

Conrad, Sandi. "Create and Implement an IoT Strategy." Info-Tech Research Group, 28 July 2022. Accessed 7 Dec. 2022.

Cooksley, Mark. "The IEC 62443 Series of Standards: A Product Manufacturer's Perspective." YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

"Cyber and physical security must validate their value in 2023." IFSEC Global, 12 Jan. 2023. Accessed 20 Jan. 2023.

"Cybersecurity Evaluation Tool (CSET®)." Cybersecurity and Infrastructure Security Agency (CISA). Accessed 23 Jan. 2023.

"Cybersecurity Maturity Model Certification (CMMC) 2.0." The United States' Department of Defense (DOD), 2021. Accessed 29 Dec. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

Czachor, Emily. "Mass power outage in North Carolina caused by gunfire, repairs could take days." CBS News, 5 Dec. 2022. Accessed 20 Jan. 2023.

Dang, Robert, et al. “Secure IT/OT Convergence.” Info-Tech Research Group, 9 Dec. 2022. Web.

"Emergency Management Act (S.C. 2007, c. 15)." The Government of Canada, 2007. Accessed 19 Jan. 2023.

"Emergency management vocabulary." Translation Bureau, Government of Canada. Accessed 19 Jan. 2023.

Fennelly, Lawrence. Effective physical security. Butterworth-Heinemann, 2013.

Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture - A Top-down Approach." The Information Systems Audit and Control Association (ISACA). Accessed 25 Jan. 2023.

"Good Practices for Security of Internet of Things." European Union Agency for Cybersecurity (ENISA), 2018. Accessed 27 Sep. 2022.

"Health and Safety at Work etc Act 1974." The United Kingdom Parliament. Accessed 23 Jan. 2023.

Hébert, Michel, et al. “Security Priorities 2023.” Info-Tech Research Group, 1 Feb. 2023. Web.

"History and Initial Formation of Physical Security and the Origin of Authority." Office of Research Services (ORS), National Institutes of Health (NIH). March 3, 2017. Accessed 19 Jan. 2023.

"IEC 62676-1-1:2013 Video surveillance systems for use in security applications - Part 1-1: System requirements - General." International Electrotechnical Commission (IEC), 2013. Accessed 9 Dec. 2022.

"Incident Command System (ICS)." ICS Canada. Accessed 17 Jan. 2023.

"Information Security Manual - Guidelines for Physical Security." The Australian Cyber Security Centre (ACSC), Dec. 2022. Accessed 13 Jan. 2023.

"Integrated Physical Security Framework." Anixter. Accessed 8 Dec. 2022.

"Integrating Risk and Security within a TOGAF® Enterprise Architecture." TOGAF 10, The Open Group. Accessed 11 Jan. 2023.

Latham, Katherine. "The microchip implants that let you pay with your hand." BBC News, 11 Apr. 2022. Accessed 12 Jan. 2023.

Linthicum, David. "2023 could be the year of public cloud repatriation." InfoWorld, 3 Jan. 2023. Accessed 10 Jan. 2023.

Ma, Alexandra. "Thousands of people in Sweden are embedding microchips under their skin to replace ID cards." Business Insider, 14 May 2018. Accessed 12 Jan. 2023.

Mendelssohn, Josh and Dana Tessler. "Take Control of Compliance Improvement to Conquer Every Audit." Info-Tech Research Group, 25 March 2015. Accessed 27 Jan. 2023.

Meredith, Sam. "All you need to know about the Nord Stream gas leaks - and why Europe suspects 'gross sabotage'." CNBC, 11 Oct. 2022. Accessed 20 Jan. 2023.

Nicaise, Vincent. "EU NIS2 Directive: what’s changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.

"NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations." The National Institute of Standards and Technology (NIST), 13 Jul. 2022. Accessed 27 Jan. 2023.

"North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Series." NERC. Accessed 23 Jan. 2023.

"North America Physical Security Market - Global Forecast to 2026." MarketsandMarkets, June 2021. Accessed 30 Dec. 2022.

"NSTISSI No. 4011 National Training Standard For Information Systems Security (InfoSec) Professionals." The United States Committee on National Security Systems (CNSS), 20 Jun. 1994. Accessed 23 Jan. 2023.

"Occupational Safety and Health Administration (OSH) Act of 1970." The United States Department of Labor. Accessed 23 Jan. 2023.

Palter, Jay. "10 Mistakes Made in Designing a Physical Security Program." Real Time Networks, 7 Sep. 2022. Accessed 6 Jan. 2023.

Parker, Donn. Fighting Computer Crime. John Wiley & Sons, 1998.

Pathak, Parag. "What Is Threat Management? Common Challenges and Best Practices." Security Intelligence, 2020. Accessed 5 Jan. 2023.

Pender-Bey, Georgie. "The Parkerian Hexad." Lewis University, 2012. Accessed 24 Jan. 2023.

Philippou, Oliver. "2023 Trends to Watch: Physical Security Technologies." Omdia. Accessed 20 Jan. 2023.

Phinney, Tom. "IEC 62443: Industrial Network and System Security." ISA and Honeywell Integrated Security Technology Lab. Accessed 30 Jan. 2023.

"Physical Security Market, with COVID-19 Impact Analysis - Global Forecast to 2026." MarketsandMarkets, Jan. 2022. Accessed 30 Dec. 2022.

"Physical Security Professional (PSP)" ASIS International. Accessed 17 Jan. 2023.

"Physical Security Systems (PSS) Assessment Guide" The United States' Department of Energy (DOE), Dec. 2016. Accessed 23 Jan. 2023.

"Policies, Standards, Best Practices, Guidance, and White Papers." Interagency Security Committee (ISC). Accessed 23 Jan. 2023.

"Profiles, Add-ons and Specifications." ONVIF. Accessed 9 Dec. 2022.

"Protective Security Policy Framework (PSPF)." The Australian Attorney-General's Department (AGD). Accessed 13 Jan. 2023.

"Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

""Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

Satgunananthan, Niru. "Challenges in Security Convergence?" LinkedIn, 8 Jan. 2022. Accessed 20 Dec. 2022.

Sooknanan, Shastri and Isaac Kinsella. "Identify the Components of Your Cloud Security Architecture." Info-Tech Research Group, 12 March 2021. Accessed 26 Jan. 2023.

"TC 79 Alarm and electronic security systems." International Electrotechnical Commission (IEC), n.d. Accessed 9 Dec. 2022.

"The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." Interagency Security Committee (ISC), 2021. Accessed 26 Jan. 2023.

"The Short Guide to Why Security Programs Can Fail." CyberTalk, 23 Sep. 2021. Accessed 30 Dec. 2022.

Verton, Dan. "Companies Aim to Build Security Awareness." Computerworld, 27 Nov. 2022. Accessed 26 Jan. 2023.

"Vulnerability Assessment of Federal Facilities." The United States' Department of Justice, 28 Jun. 1995. Accessed 19 Jan. 2023.

"What is IEC 61508?" 61508 Association. Accessed 23 Jan. 2023.

Wolf, Gene. "Better Include Physical Security With Cybersecurity." T&D World 5 Jan. 2023. Accessed 19 Jan. 2023.

Wood, Kate, and Isaac Kinsella. “Build an Information Security Strategy.” Info-Tech Research Group, 9 Sept. 2020. Web.

Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.

"Work Health and Safety Act 2011." The Australian Government. Accessed 13 Jan. 2023.

Wu, Jing. “Industrial Control System Modernization: Unlock the Value of Automation in Utilities.” Info-Tech Research Group, 6 April 2023. Web.

Research Contributors and Experts

Amy L. Meger, IGP

Information and Cyber Governance Manager
Platte River Power Authority

Andrew Amaro

Chief Security Officer (CSO) & Founder
KLAVAN Security

Bilson Perez

IT Security Manager
4Wall Entertainment

Dan Adams

VP of Information Technology
4Wall Entertainment

Doery Abdou

Senior Manager
March Networks Corporate

Erich Krueger

Manager of Security Engineering
Omaha Public Power District

Kris Krishan

Head of IT
Waymo

Owen Yardley

Director, Facilities Security Preparedness
Omaha Public Power District

Right-Size the Service Desk for Small Enterprise

Turn your help desk into a customer-centric service desk.

Analyst Perspective

Small enterprises have many of the same issues as large ones, but with far fewer resources. Focus on the most important aspects to improve customer service.

The service desk is a major function within IT. Small enterprises with constrained resources need to look at designing a service desk that enables consistency in supporting the business and finds the right balance of documentation.

Evaluate documentation to ensure there is always redundancy built in to cover absences. Determining coverage will be an important factor, especially if vendors will be brought into the organization to assist during shortages. They will not have the same level of knowledge as teammates and may have different requirements for documentation.

It is important to be customer centric, thinking about how services are delivered and communicated with a focus on providing self-serve at the appropriate level for your users and determining what information the business needs for expectation-setting and service level agreements, as well as communications on incidents and changes.

And finally, don’t discount the value of good reporting. There are many reasons to document issues besides just knowing the volume of workload and may become more important as the organization evolves or grows. Stakeholder reporting, regulatory reporting, trend spotting, and staff increases are all good reasons to ensure minimum documentation standards are defined and in use.

Sandi Conrad Principal Research Director Info-Tech Research Group

Table of Contents

Insight summary

Help desk to service desk

Blueprint deliverables

Standard Operating Procedures	Maturity Assessment	Categorization scheme	Improvement Initiative
Create a standard operating procedure to ensure the support team has a consistent understanding of how they need to engage with the business.

Blueprint benefits

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is six to ten calls over the course of three to four months.

The current state discussion will determine the path.

The service desk is the cornerstone for customer satisfaction

N=63, small enterprise organizations from the End-User Satisfaction Diagnostic, at December 2021 Dissatisfied was classified as those organizations with an average score less than 7. Satisfied was classified as those organizations with an average score greater or equal to 8.

End users who were satisfied with service desk effectiveness rated all other IT processes 36% higher than dissatisfied end users. End users who were satisfied with service desk timeliness rated all other IT processes 34% higher than dissatisfied end-users.

Improve the service desk with a Start, Stop, Continue assessment

Complete a maturity assessment to create a baseline and areas of focus

The Service Desk Maturity Assessment tool helps organizations assess their service desk process maturity and focus the project on the activities that matter most. The tool will help guide improvement efforts and measure your progress. The second tab of the tool walks through a qualitative assessment of your service desk practices. Questions will prompt you to evaluate how you are executing key activities. Select the answer in the drop-down menus that most closely aligns with your current state. The third tab displays your rate of process completeness and maturity. You will receive a score for each phase, an overall score, and advice based on your performance. Document the results of the efficiency assessment in the Service Desk Improvement Initiative. The tool is intended for periodic use. Review your answers each year and devise initiatives to improve the process performance where you need it most.

Define your vision for the support structure

Use this vision for communicating with the business and your IT team

Consider service improvements and how those changes can be perceived by the organization. For example, offering multiple platforms, such as adding Macs to end-user devices, could translate to “Providing the right IT solutions for the way our employees want to work.”

Facilitate service desk operations with an ITSM tool

You don’t need to spend a fortune. Many solutions are free or low-cost for a small number of users, and you don’t necessarily have to give up functionality to save money. Encourage users to submit requests through email or self-serve to keep organized. Ensure that reporting will provide you with the basics without effort, but ensure report creation is easy enough if you need to add more. Consider tools that do more than just store tickets. ITSM tools for small enterprises can also assist with: Equipment and software license management Self-serve for password reset and improving the experience for end users to submit tickets Software deployment Onboarding and offboarding workflows Integration with monitoring tools Info-Tech Insight Buying rather than building allows you the greatest flexibility and can provide enterprise-level functionality at small-enterprise pricing. Use Info-Tech’s IT Service Management Selection Guide to create a business case and list of requirements for your ITSM purchase.

Logos contain links

ITSM implementations are the perfect time to fix processes

Define roles looking to balance between customer service and getting things done

First contact – customer service, general knowledge Answers phones, chats, responds to email, troubleshooting, creates knowledge articles for end users. Analyst – experienced troubleshooter, general knowledge Answers phone when FC isn’t available, responds to email, troubleshooting, creates knowledge articles for first contact, escalates to other technicians or vendors. Analyst – experienced troubleshooter, specialist Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors. Engineer – deep expertise, specialist Answers phones only when necessary, troubleshooting, creates knowledge articles for anyone in IT, consults with peers, escalates to vendors. Vendor, Managed Service Providers Escalation point per contract terms, must meet SLAs, communicate regularly with analysts and management as appropriate. Who escalates and who manages them?

Note roles in the Incident Management and Service Desk – Standard Operating Procedure Template

Keep customers happy and technicians calm by properly managing your queue

If ticket volume is too high or too dispersed to effectively have teams self-select tickets, assign a queue manager to review tickets throughout the day to ensure they’re assigned and on the technician’s schedule. This is particularly important for technicians who don’t regularly work out of the ticketing system. Follow up on approaching or missed SLAs.

• Separate incidents (break fix) and service requests: Prioritize incidents over service requests to focus on getting users doing business as soon as possible. Schedule service requests for slower times or assign to technicians who are not working the front lines.
• First in/first out…mostly: We typically look to prioritize incidents over service requests and only prioritize incidents if there are multiple people or VIPs affected. Where everything is equal, deal with the oldest first. Pause occasionally to deal with quick wins such as password resets.
• Update ticket status and notes: Knowing what tickets are in progress and which ones are waiting on information or parts is important for anyone looking to pick up the next ticket. Make sure everyone is aware of the benefits of keeping this information up to date, so technicians know what to work on next without duplicating each other’s work.
• Implement solutions quickly by using knowledge articles: Continue to build out the knowledge base to be able to resolve end-user issues quickly, check to see if additional information is needed before escalating tickets to other technicians.
• Encourage end users to create tickets through the portal: Issues called in are automatically moved to the front of the queue, regardless of urgency. Make it easy for users to report issues using the portal and save the phone for urgent issues to allow appropriate prioritization of tickets.
• Create a process to add additional resources on a regular basis to keep control of the backlog: A few extra hours once a week may be enough if the team is focused without interruptions.
• Determine what backlog is acceptable to your users: Set that as a maximum time to resolve. Ideally, set up automated escalations for tickets that are approaching target SLAs, and build flexibility into schedules to have an “all hands on deck” option if the volume gets too high.

Info-Tech Insight

Make sure your queue manager has an accurate escalation list and has the authority to assign tickets and engage with the technical team to manage SLAs; otherwise, SLAs will never be consistently managed.

Best practices for ticket handling

Accurate data leads to good decisions. If working toward adding staff members, reducing recurring incidents, gaining access to better tools, or demonstrating value to the business, tickets will enable reporting and dashboards to manage your day-to-day business and provide reports to stakeholders. Provide an easy way for end users to electronically submit tickets and encourage them to do so. This doesn’t mean you shouldn’t still accept phone calls, but that should be encouraged for time sensitive issues. Create and update tickets, but not at the expense of good customer service. Agents can start the ticket but shouldn’t spend five minutes creating the ticket when they should be troubleshooting the problem. Update the ticket when the issue is resolved or needs to be escalated. If agents are escalating, they should make sure all relevant information is passed along to the next technician. Update user of ETA if issue cannot be resolved quickly. Update categories to reflect the actual issue and resolution. Reference or link to the knowledge base article as the documented steps taken to resolve the incident. Validate incident is resolved with client. Automate this process with ticket closure after a certain time. Close or resolve the ticket on time.

Ticket templates (or quick tickets) for common incidents can lead to fast creation, data input, and categorizations. Templates can reduce the time it takes to create tickets from two minutes to 30 seconds.

Create a right-sized self-service portal

Review tickets and talk to the team to find out the most frequent requests and the most frequent incidents that could be solved by the end user if there were clear instructions. Check with your user community to see what they would like to see in the portal.

Use customer satisfaction surveys to monitor service levels

Transactional surveys are tied to specific interactions and provide a means of communication to help users communicate satisfaction or dissatisfaction with single interactions. Keep it simple: One question to rate the service with opportunity to add a comment is enough to understand the sentiment and potential issues, and it will be more likely that the user will fill it out. Follow up: Feedback will only be provided if customers think it’s being read and actioned. Set an alert to receive notification of any negative feedback and follow up within one or two business days to show you’re listening.

Relationship surveys can be run annually to obtain feedback on the overall customer experience. Inform yourself of how well you are doing or where you need improvement in the broad services provided. Provide a high-level perspective on the relationship between the business and IT. Help with strategic improvement decisions. Should be sent over a duration of time and to the entire customer base after they’ve had time to experience all the services provided by the service desk. This can be done on an annual basis. For example: Info-Tech’s End User Satisfaction Diagnostic. Included in your membership.

Keep categorizations simple

Asset categorization provides reports that are straightforward and useful for IT and that are typically used where the business isn’t demanding complex reports.

Too many options can cause confusion; too few options provide little value. Try to avoid using “miscellaneous” – it’s not useful information. Test your tickets against your new scheme to make sure it works for you. Effective classification schemes are concise, easy to use correctly, and easy to maintain.

Build out the categories with these questions: What kind of asset am I working on? (type) What general asset group am I working on? (category) What particular asset am I working on? (sub-category) Create resolution codes to further modify the data for deeper reporting. This is typically a separate field, as you could use the same code for many categories. Keep it simple, but make sure it’s descriptive enough to understand the type of work happening in IT. Create and define simple status fields to quickly review tickets and know what needs to be actioned. Don’t stop the clock for any status changes unless you’re waiting on users. The elapsed time is important to measure from a customer satisfaction perspective. Info-Tech Insight Think about how you will use the data to determine which components need to be included in reports. If components won’t be used for reporting, routing, or warranty, reporting down to the component level adds little value.

Need to make quick progress? Use Info-Tech Research Group’s Service Desk Asset-Based Categories template.

1.1 Build or review your categories

Input: Existing tickets

Output: Categorization scheme

Materials: Whiteboard/Flip charts, Markers, Sample categorization scheme

Participants: CIO, Service desk manager, Technicians

Discuss:

• How can you use categories and resolution information to enhance reporting?
• What level of detail do you need to be able to understand the data and take action? What level of detail is too much?
• Are current status fields allowing you to accurately assess pending work at a glance?

Draft:

1. Start with existing categories and review, identifying duplicates and areas of inconsistency.
2. Write out proposed resolution codes and status fields and critically assess their value.
3. Test categories and resolution codes against a few recent tickets.
4. Record the ticket categorization scheme in the Incident Management and Service Desk – Standard Operating Procedure.

Download the Incident Management and Service Desk – Standard Operating Procedure Template

Separate tickets into service requests and incidents

		INCIDENTS	SERVICE REQUESTS
	PRIORITIZATION	Incidents will be prioritized based on urgency and impact to the organization.	Service requests will be scheduled and only increase in prioritization if there is an issue with the request process (e.g. new hire start).
	SLAs	Did incidents get resolved according to prioritization rules? REPONSE & RESOLUTION	Did service requests get completed on time? SCHEDULING & FULFILMENT
	TRIAGE & ROOT CAUSE ANALYSIS	Incidents will typically need triage at the service desk unless something is set up to go directly to a specialist.	Service requests don’t need triage and can be routed automatically for approvals and fulfillment.

“For me, the first key question is, is this keeping you from doing business? Is this a service request? Is it actually something that's broken? Well, okay. Now let's have the conversation about what's broken and keeping you from doing business.” (Anonymous CIO)

Determine how service requests will be fulfilled

• Identify standard requests, meaning any product approved for use and deployment in the organization.
• Determine whether this should be published and how. Consider a service catalog with the ability to create tickets right from the request page. If there is an opportunity to automate fulfillment, build that into your workflow and project plans.
• Create workflows for complicated requests such as onboarding, and build them into a template in the service desk tool. This will allow you to reduce the administrative work to deploy tasks.
• Who will fulfill requests? There may be a need for more than one technician to be able to fulfill if volume dictates, but it’s important to determine what will be done by each level to quickly assign those tickets for scheduling. Define what will be done by each group of technicians.
• Determine reasonable SLAs for most service requests. Identify which ones will not meet “normal” SLAs. As you build out a service catalog or automate fulfillment, SLAs can be refined.

Info-Tech Insight

Service requests are not as urgent as incidents and should be scheduled.

Set the SLA based on time to fulfill, plus a buffer to schedule around more urgent service requests.

1.2 Identify service requests and routing needs

2-3 hours

Input: Ticket data, Existing workflow diagrams

Output: Workflow diagrams

Materials: Whiteboard/Flip charts, Markers, Visio

Participants: CIO, Service desk manager, Technicians

Identify:

1. Create your list of typical service requests and identify the best person to fulfill, based on complexity, documentation, specialty, access rights.
2. Review service requests which include multiple people or departments, such as onboarding and offboarding
3. Draw existing processes.
4. Discuss challenges and critique existing process.
5. Document proposed changes and steps that will need to be taken to improve the process.

Download the Incident Management and Service Desk – Standard Operating Procedure Template

Incident management

1.3 Activity: Identify critical systems

1 hour

Input: Ticket data, Business continuity plan

Output: Service desk SOP

Materials: Whiteboard/Flip charts, Markers

Participants: CIO, Service desk manager, Technicians

Discuss and document:

1. Create a list of the most critical systems, and identify and document the escalation path.
2. Review inventory of support documents for critical systems and identify any that require runbooks to ensure quick resolution in the event of an outage or major performance issue. Refer to the blueprint Incident Management for Small Enterprise to prioritize and document runbooks as needed.
3. Review vendor agreements to determine if SLAs are appropriate to support needs. If there is a need for adjustments, determine options for modifying or renegotiating SLAs.

Download the Incident Runbook Prioritization Tool

Prioritization scheme

Focus primarily on incidents. Service requests should always be medium urgency, unless there is a valid reason to move one to high level. Separate major outages from all other tickets as these are a major factor in business impact. Decide how many levels of severity are appropriate for your organization. Build a prioritization matrix, breaking down priority levels by impact and urgency. Build out the definitions of “impact” and “urgency” to complete the prioritization matrix. Run through examples of each priority level to make sure everyone is on the same page.

Document escalation rules and contacts

Depending on the size of the team, escalations may be mostly to internal technical colleagues or could be primarily to vendors.

• Ensure the list of escalation rules and contacts is accurate and available, adding expected SLAs for quick reference
• If tickets are being escalated but shouldn’t be, ensure knowledge articles and training materials are up to date
• Follow up on all external escalations, ensuring SLAs are respected
• Publish an escalation path for clients if service is not meeting their needs (for internal and external providers) and automate escalations for tickets breaching SLAs

User doesn’t know who will fix the issue but expects to see it done in a reasonable time.	If issue cannot be resolved right away, set expectations for resolution time. Document information so next technician doesn’t need to ask the same questions. Escalate to the right technician the first time.	Check notes to catch up on the issue. Run tests if necessary. Contact user to troubleshoot and fix. Meet SLAs or update client on new ETA. Provide complete information to vendor. Monitor resolution. Follow up with vendor if delays. Update client as needed.	Vendor will provide support according to agreement. Encourage vendor to provide regular updates to IT. Review vendor performance regularly. IT will validate issue is resolved and close ticket.	Validate user is happy with the experience

Define, measure, and report on service level agreements

Determine what communications are most important and who will do them

	PROACTIVE, PLANNED CHANGES	From: Service Desk Messaging provided by engineer or director, sent to all employees; proactive planning with business unit leaders.
	OUTAGES & UPDATES	From: Service Desk Use templates to send out concise messaging and updates hourly, with input from technical team working on restoring services to all; director to liaise with business stakeholders.
	UPDATES TO SERVICES, SELF-SERVE	From: Director Send announcements no more than monthly about new services and processes.
	REGULAR STAKEHOLDER COMMUNICATIONS	From: Director Monthly reporting to business and IT stakeholders on strategic and project goals, manage escalations.

1.4 Create communications plan

2 hours

Input: Sample past communications

Output: Communications templates

Materials: Whiteboard/flip charts, Markers

Participants: CIO, Service desk manager, Technicians

Determine where templates are needed to ensure quick and consistent communications. Review sample templates and modify to suit your needs:

1. Proactive, planned changes
2. Outages and updates
3. Updates to services, self-serve
4. Regular stakeholder communications

Download the communications templates

What else can you do to improve service?

Review the next few pages to see if you need additional blueprints to help you:

• Evaluate staffing and training needs to ensure the right number of resources are available and they have the skills they need for your environment.
• Create self-service for end users to get quick answers and create tickets.
• Create a knowledge base to ensure backup for technical expertise.
• Develop customer service skills through training.
• Perform ticket analysis to better understand your technical environment.

Create your roadmap with high-level requirements

Determine what tasks and projects need to be completed to meet your improvement goals. Create a high-level project plan and balance with existing resources.

Bibliography

Taylor, Sharon and Ivor Macfarlane. ITIL Small Scale Implementation. Office of Government Commerce, 2005.

“Share, Collaborate, and Communicate on One Consistent Platform.” Liferay, n.d. Accessed 19 July 2022.

Rodela, Jimmy. “A Beginner’s Guide to Customer Self-Service.” The Ascent, 18 May 2022. Web.

Leverage Web Analytics to Reinforce Your Web Experience Management Strategy

Web analytics tools are the gateway to understanding customer behavior.

EXECUTIVE BRIEF

Analyst Perspective

In today’s world, users want to consume concise content and information quickly. Websites have a limited time to prove their usefulness to a new user. Content needs to be as few clicks away from the user as possible. Analyzing user behavior using advanced analytics techniques can help website designers better understand their audience.

Organizations need to implement sophisticated analytics tools to track user data from their website. However, simply extracting data is not enough to understand the user motivation. A successful implementation of a web analytics tool will comprise both understanding what a customer does on the website and why the customer does what they do.

This research will introduce some fundamental and advanced analytics tools and provide insight into some of the vendors in the market space.

Sai Krishna Rajaramagopalan Research Specialist, Applications − Enterprise Applications Info-Tech Research Group

Executive Summary

Info-Tech Insight

It is easy to get lost in a sea of expensive web analytics tools. Choose tools that align with your business objectives to keep the costs of customer acquisition and retention to a minimum.

Ensure the success of your web analytics programs by following five simple steps

1. ORGANIZATIONAL GOALS The first key step in implementing and succeeding with web analytics tools is to set clearly defined organizational goals, e.g. improving product sales. 3. KPI METRICS Define key performance indicators (KPIs) that help track the organization’s performance, e.g. number of page visits, conversion rates, bounce rates. 5. REVIEW Continuous improvement is essential to succeed in understanding customers. The world is a dynamic place, and you must constantly revise your organizational goals, business objectives, and KPIs to remain competitive.

2. BUSINESS OBJECTIVES The next step is to lay out business objectives that help to achieve the organization’s goals, e.g. to increase customer leads, increase customer transactions, increase web traffic. 4. APPLICATION SELECTION Understand the web analytics tool space and which combination of tools and vendors best fits the organization’s goals.

Web Analytics Introduction

Understand traditional and advanced tools and their capabilities.

Understanding web analytics

Web analytics is the branch of analytics that deals with the collection, reporting, and analysis of data generated by users visiting and interacting with a website. The purpose of web analytics is to measure user behavior, optimize the website’s user experience and flow, and gain insights that help meet business objectives like increasing conversions and sales. Web analytics allows you to see how your website is performing and how people are acting while on your website. What’s important is what you can do with this knowledge. Data collected through web analytics may include traffic sources, referring sites, page views, paths taken, and conversion rates. The compiled data often forms a part of customer relationship management analytics to facilitate and streamline better business decisions. Having strong web analytics is important in understanding customer behavior and fine-tuning marketing and product development approaches accordingly.

Why you should leverage web analytics

Leveraging web analytics allows organizations to better understand their customers and achieve their business goals.

Use traditional web analytics tools to understand your consumer

Traditional web analytics allows organizations to understand what is happening on their website and what customers are doing. These tools deliver hard data to measure the performance of a website. Some of the data measured through traditional web analytics are: Visit count: The number of visits received by a webpage. Bounce rate: The percentage of visitors that leave the website after only viewing the first page compared to total visitors. Referrer: The previous website that sent the user traffic to a specific website. CTA clicks: The number of times a user clicks on a call to action (CTA) button. Conversion rate: Proportion of users that reach the final outcome of the website.

Use advanced web analytics techniques to understand your consumer

Traditional web analytic tools fail to explain the motivation of users. Advanced analytic techniques help organizations understand user behavior and measure user satisfaction. The techniques help answer questions like: Why did a user come to a webpage? Why did they leave? Did they find what they were looking for? Some of the advanced tools include: Heatmapping: A visual representation of where the users click, scroll, and move on a webpage. Recordings: A recording of the mouse movement and clicks for the entire duration of a user’s visit. Feedback forms and surveys: Voice of the customer tools allowing users to give direct feedback about websites. Funnel exploration: The ability to visualize the steps users take to complete tasks on your site or app.

Apply industry-leading techniques to leverage web analytics

Heatmaps are used to visualize where users move their mouse, click, and scroll in a webpage. Website heatmaps use a warm-to-cold color scheme to indicate user activity, with the warmest color indicating the highest visitor engagement and the coolest indicating the lowest visitor engagement. Organizations can use this tool to evaluate the elements of the website that attract users and identify which sections require improvement to increase user engagement. Website designers can make changes and compare the difference in user interaction to measure the effectiveness of the changes. Scrollmaps help designers understand what the most popular scroll-depth of your webpage is – and that’s usually a prime spot for an important call to action.

(Source: An example of a heatmap layered with a scrollmap from Crazy Egg, 2020)

Apply industry-leading techniques to leverage web analytics

Funneling

Funnels are graphical representations of a customer’s journey while navigating through the website. Funnels help organizations identify which webpage users land on and where users drop off. Organizations can capture every user step to find the unique challenges between entry and completion. Identifying what friction stands between browsing product grids and completing a transaction allows web designers to then eliminate it. Designers can use A/B testing to experiment with different design philosophies to compare conversion statistics. Funneling can be expanded to cross-channel analytics by incorporating referral data, cookies, and social media analytics.

Apply industry-leading techniques to leverage web analytics

Session recordings

Session recordings are playbacks of users’ interaction with the website on a single session. User interaction can vary between mouse clicks, keyboard input, and mouse scroll. Recordings help organizations understand user motivation and help identify why users undertake certain tasks or actions on the webpage. Playbacks can also be used to see if users are confused anywhere between the landing page and final transaction phase. This way, playbacks further help ensure visitors complete the funneling seamlessly.

Apply industry-leading techniques to leverage web analytics

Feedback and microsurveys

Feedback can be received directly from end users to help organizations improve the website. Receiving feedback from users can be difficult, since not every user is willing to spend time to submit constructive and detailed feedback. Microsurveys are an excellent alternative. Users can submit short feedback forms consisting of a single line or emojis or thumbs up or down. Users can directly highlight sections of the page about which to submit feedback. This allows designers to quickly pinpoint areas for improvement. Additionally, web designers can play back recordings when feedback is submitted to get a clear idea about the challenges users face.

Market Overview

Choose vendors and tools that best match your business needs.

Top-level traditional features

Top-level advanced features

Speak with category experts to dive deeper into the vendor landscape

SoftwareReviews is powered by Info-Tech

Technology coverage is a priority for Info-Tech and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

Top vendors in the web analytics space

	Google Analytics provides comprehensive traditional analytics tools, free of charge, to understand the customer journey and improve marketing ROI. Twenty-four percent of all web analytical tools used on the internet are provided by Google analytics.
	Hotjar is a behavior analytics and product experience insights service that helps you empathize with and understand your users through their feedback via tools like heatmaps, session recordings, and surveys. Hotjar complements the data and insights you get from traditional web analytics tools like Google Analytics.
	Crazy Egg is a website analytics tool that helps you optimize your site to make it more user-friendly, more engaging, and more conversion-oriented. It does this through heatmaps and A/B testing, which allow you to see how people are interacting with your site.
	Amplitude Analytics provides intelligent insight into customer behavior. It offers basic functionalities like measuring conversion rate and engagement metrics and also provides more advanced tools like customer journey maps and predictive analytics capabilities through AI.

Case Study

INDUSTRY Real Estate

SOURCE Crazy Egg

Heatmaps and playback recordings

Operationalizing Web Analytics Tools

Execute initiatives for successful implementation.

Ensure success of your web analytics programs by following five simple steps

1. ORGANIZATIONAL GOALS The first key step in implementing and succeeding with web analytics tools is to set clearly defined organizational goals, e.g. improving product sales. 3. KPI METRICS Define key performance indicators (KPIs) that help track the organization’s performance, e.g. number of page visits, conversion rates, bounce rates. 5. REVIEW Continuous improvement is essential to succeed in understanding customers. The world is a dynamic place, and you must constantly revise your organizational goals, business objectives, and KPIs to remain competitive.

2. BUSINESS OBJECTIVES The next step is to lay out business objectives that help to achieve the organization’s goals, e.g. to increase customer leads, increase customer transactions, increase web traffic. 4. APPLICATION SELECTION Understand the web analytics tool space and which combination of tools and vendors best fits the organization’s goals.

1.1 Understand your organization’s goals

Output: Organization’s goal list

Materials: Whiteboard, Markers

Participants: Core project team

1. Identify the key organizational goals for both the short term and the long term.
2. Arrange the goals in descending order of priority.

1.2 Align business objectives with organizational goals

30 minutes

Output: Business objectives

Materials: Whiteboard, Markers

Participants: Core project team

1. Identify the key business objectives that help attain organization goals.
2. Match each business objective with the corresponding organizational goals it helps achieve.
3. Arrange the objectives in descending order of priority.

Accelerate your software selection project

Revisit the metrics you identified and revise your goals

Track the post-deployment results, compare the metrics, and set new targets for the next fiscal year.

Related Info-Tech Research

	Modernize Your Corporate Website to Drive Business Value Drive higher user satisfaction and value through UX-driven websites.
	Select and Implement a Web Experience Management Solution Your website is your company’s face to the world: select a best-of-breed platform to ensure you make a rock-star impression with your prospects and customers!
	Create an Effective Web Redesign Strategy Ninety percent of web redesign projects, executed without an effective strategy, fail to accomplish their goals.

Bibliography

"11 Essential Website Data Factors and What They Mean." CivicPlus, n.d. Accessed 26 July 2022.

“Analytics Usage Distribution in the Top 1 Million Sites.” BuiltWith, 1 Nov. 2022. Accessed 26 July 2022.

"Analytics Usage Distribution on the Entire Internet." BuiltWith, 1 Nov. 2022. Accessed 26 July 2022.

Bell, Erica. “How Miller and Smith Used Crazy Egg to Create an Actionable Plan to Improve Website Usability.” Crazy Egg, n.d. Accessed 26 July 2022.

Brannon, Jordan. "User Behavior Analytics | Enhance The Customer Journey." Coalition Technologies, 8 Nov 2021. Accessed 26 July 2022.

Cardona, Mercedes. "7 Consumer Trends That Will Define The Digital Economy In 2021." Adobe Blog, 7 Dec 2020. Accessed 26 July 2022.

“The Finer Points.“ Analytics Features. Google Marketing Platform, 2022. Accessed 26 July 2022.

Fitzgerald, Anna. "A Beginner’s Guide to Web Analytics." HubSpot, 21 Sept 2022. Accessed 26 July 2022.

"Form Abandonment: How to Avoid It and Increase Your Conversion Rates." Fullstory Blog, 7 April 2022. Accessed 26 July 2022.

Fries, Dan. "Plug Sales Funnel Gaps by Identifying and Tracking Micro-Conversions." Clicky Blog, 9 Dec 2019. Accessed 7 July 2022.

"Funnel Metrics in Saas: What to Track and How to Improve Them?" Userpilot Blog, 23 May 2022. Accessed 26 July 2022.

Garg, Neha. "Digital Experimentation: 3 Key Steps to Building a Culture of Testing." Contentsquare, 21 June 2021. Accessed 26 July 2022.

“Global Web Analytics Market Size, Status and Forecast 2021-2027.” 360 Research Reports, 25 Jan. 2021. Web.

Hamilton, Stephanie. "5 Components of Successful Web Analytics." The Daily Egg, 2011. Accessed 26 July 2022.

"Hammond, Patrick. "Step-by-Step Guide to Cohort Analysis & Reducing Churn Rate." Amplitude, 15 July 2022. Accessed 26 July 2022.

Hawes, Carry. "What Is Session Replay? Discover User Pain Points With Session Recordings." Dynatrace, 20 Dec 2021. Accessed 26 July 2022.

Huss, Nick. “How Many Websites Are There in the World?” Siteefy, 8 Oct. 2022. Web.

Nelson, Hunter. "Establish Web Analytics and Conversion Tracking Foundations Using the Google Marketing Platform.” Tortoise & Hare Software, 29 Oct 2022. Accessed 26 July 2022.

"Product Analytics Vs Product Experience Insights: What’s the Difference?" Hotjar, 14 Sept 2021. Accessed 26 July 2022.

“Record and watch everything your visitors do." Inspectlet, n.d. Accessed 26 July 2022.

“Ryanair: Using Web Analytics to Manage the Site’s Performance More Effectively and Improve Profitability." AT Internet, 1 April 2020. Accessed 26 July 2022.

Sibor, Vojtech. "Introducing Cross-Platform Analytics.” Smartlook Blog, 5 Nov 2022. Accessed 26 July 2022.

"Visualize Visitor Journeys Through Funnels.” VWO, n.d. Accessed 26 July 2022.

"Web Analytics Market Share – Growth, Trends, COVID-19 Impact, and Forecasts (2022-2027)." Mordor Intelligence, 2022. Accessed 26 July 2022.

“What is the Best Heatmap Tool for Real Results?” Crazy Egg, 27 April 2020. Web.

"What Is Visitor Behavior Analysis?" VWO, 2022. Accessed 26 July 2022.

Zheng, Jack G., and Svetlana Peltsverger. “Web Analytics Overview.” IGI Global, 2015. Accessed 26 July 2022.

The First 100 Days As CIO

Partner with Info-Tech for success in this crucial period of transition.

Analyst Perspective

The first 100 days refers to the 10 days before you start and the first three months on the job.

“The original concept of ‘the first 100 days’ was popularized by Franklin Delano Roosevelt, who passed a battery of new legislation after taking office as US president during the Great Depression. Now commonly extended to the business world, the first 100 days of any executive role is a critically important period for both the executive and the organization.

But not every new leader should follow FDR’s example of an action-first approach. Instead, finding the right balance of listening and taking action is the key to success during this transitional period. The type of the organization and the mode that it’s in serves as the fulcrum that determines where the point of perfect balance lies. An executive facing a turnaround situation will want to focus on more action more quickly. One facing a sustaining success situation or a realignment situation will want to spend more time listening before taking action.” (Brian Jackson, Research Director, CIO, Info-Tech Research Group)

Executive summary

Situation

• You’ve been promoted from within to the role of CIO.
• You’ve been hired externally to take on the role of CIO.

Complication

Studies show that two years after a new executive transition, as many as half are regarded as failures or disappointments (McKinsey). First impressions are hard to overcome, and a CIO’s first 100 days are heavily weighted in terms of how others will assess their overall success. The best way to approach this period is determined by both the size and the mode of an organization.

Resolution

• Work with Info-Tech to prepare a 100-day plan that will position you for success.
• Collaborate to collect the details needed to identify the right mode for your organization and determine how it will influence your plan.
• Use Info-Tech’s diagnostic tools to align your vision with that of business executives and form a baseline for future reference.

Info-Tech Insight

1. Foundational understanding must be achieved before you start.
   Hit the ground running before day one by using company documents and initial discussions to pin down the company’s type and mode.
2. Listen before you act (usually).
   In most situations, executives benefit from listening to peers and staff before taking action.
3. Identify quick wins early and often.
   Fix problems as soon as you recognize them to set the tone for your tenure.

The First 100 Days: Roadmap

Concierge service overview

Organize a call with your executive advisor every two weeks during your first 100 days. Info-Tech recommends completing our diagnostics during this period. If you’re not able to do so, instead complete the alternative activities marked with (a).

Call 1

Before you start: Day -10 to Day 1

Interview your predecessor

Interviewing your predecessor can help identify the organization’s mode and type.

Before reaching out to your predecessor, get a sense of whether they were viewed as successful or not. Ask your manager. If the predecessor remains within the organization in a different role, understand your relationship with them and how you'll be working together.

During the interview, make notes about follow-up questions you'll ask others at the organization.

Ask these open-ended questions in the interview:

• Tell me about the team.
• Tell me about your challenges.
• Tell me about a major project your team worked on. How did it go?
• Who/what has been helpful during your tenure?
• Who/what created barriers for you?
• What do your engagement surveys reveal?
• Tell me about your performance management programs and issues.
• What mistakes would you avoid if you could lead again?
• Why are you leaving?
• Could I reach out to you again in the future?

Learn the corporate structure

Identify the organization’s corporate structure type based on your initial conversations with company leadership. The type of structure will dictate how much control you'll have as a functional head and help you understand which stakeholders you'll need to collaborate with.

To Do:

• Review the organization’s structure list and identify whether the structure is functional, prioritized, or a matrix. If it's a matrix organization, determine if it's a strong matrix (project manager holds more authority), weak matrix (functional manager holds more authority), or balanced matrix (managers hold equal authority).

This organization is a ___________________ type.

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Based on your interview process and discussions with company leadership, and using Michael Watkins’ STARS assessment, determine which mode your organization is in: startup, turnaround, accelerated growth, realignment, or sustaining success.

Knowing the mode of your organization will determine how you approach your 100-day plan. Depending on the mode, you'll rebalance your activities around the three categories of assess, listen, and deliver.

To Do:

• Review the STARS table on the right.

Based on your situation, prioritize activities in this way:

• Startup: assess, listen, deliver
• Turnaround: deliver, listen, assess
• Accelerated Growth: assess, listen, deliver
• Realignment: listen, assess, deliver
• Sustaining success: listen, assess, deliver

This organization is a ___________________ type.

(Source: Watkins, 2013.)

Presentation Deck, slide 6

Determine the mode of the organization: STARS

Satya Nadella's listen, lead, and launch approach

CASE STUDY

Industry Software
Source Gregg Keizer, Computerworld, 2014

When Satya Nadella was promoted to the CEO role at Microsoft in 2014, he received a Glassdoor approval rating of 85% and was given an "A" grade by industry analysts after his first 100 days. What did he do right? Created a sense of urgency by shaking up the senior leadership team. Already understood the culture as an insider. Listened a lot and did many one-on-one meetings. Established a vision communicated with a mantra that Microsoft would be "mobile-first, cloud-first." Met his words with actions. He launched Office for iPad and made many announcements for cloud platform Azure.

Satya Nadella, CEO, Microsoft Corp. (Image source: Microsoft)

Listen to 'The First 100 Days' podcast – Alan Fong

Create a one-page introduction sheet to use in communications

As a new CIO, you'll have to introduce yourself to many people in the organization. To save time on communicating who you are as a person outside of the office, create a brief one-pager that includes a photo of you, where you were born and raised, and what your hobbies are. This helps make a connection more quickly so your conversations can focus on the business at hand rather than personal topics.

For your presentation deck, remove the personal details and just keep it professional. The personal aspects can be used as a one-pager for other communications. (Source: Personal interview with Denis Gaudreault, Country Lead, Intel.)

Presentation Deck, slide 5

Call 2

Day 1 to Day 15

Introduce yourself to your team

Prepare a 20-second pitch about yourself that goes beyond your name and title. Touch on your experience that's relevant to your new role or the industry you're in. Be straightforward about your own perceived strengths and weaknesses so that people know what to expect from you. Focus on the value you believe you'll offer the group and use humor and humility where you're comfortable. For example:

“Hi everyone, my name is John Miller. I have 15 years of experience marketing conferences like this one to vendors, colleges, and HR departments. What I’m good at, and the reason I'm here, is getting the right people, businesses, and great ideas in a room together. I'm not good on details; that's why I work with Tim. I promise that I'll get people excited about the conference, and the gifts and talents of everyone else in this room will take over from there. I'm looking forward to working with all of you.”

Have a structured set of questions ready that you can ask everyone.

For example:

• How well is the company performing based on expectations?
• What must the company do to sustain its financial performance and market competitiveness?
• How do you foresee the CIO contributing to the team?
• How have past CIOs performed from the perspective of the team?
• What would successful performance of this role look like to you? To your peers?
• What challenges and obstacles to success am I likely to encounter? What were the common challenges of my predecessor?
• How do you view the culture here and how do successful projects tend to get approved?
• What are your greatest challenges? How could I help you?

Get to know your sphere of influence: prepare to connect with a variety of people before you get down to work

Your ability to learn from others is critical at every stage in your first 100 days. Keep your sphere of influence in the loop as you progress through this period.

Write down the names, or at least the key people, in each segment of this diagram. This will serve as a quick reference when you're planning communications with others and will help you remember everyone as you're meeting lots of new people in your early days on the job.

• Everyone knows their networks are important.
• However, busy schedules can cause leaders to overlook their many audiences.
• Plan to meet and learn from all people in your sphere to gain a full spectrum of insights.

Presentation Deck, slide 29

Identify how your competitors are leveraging technology for competitive advantage

Competitor identification and analysis are critical steps for any new leader to assess the relative strengths and weaknesses of their organization and develop a sense of strategic opportunity and environmental awareness.

Today’s CIO is accountable for driving innovation through technology. A competitive analysis will provide the foundation for understanding the current industry structure, rivalry within it, and possible competitive advantages for the organization.

Surveying your competitive landscape prior to the first day will allow you to come to the table prepared with insights on how to support the organization and ensure that you are not vulnerable to any competitive blind spots that may exist in the evaluations conducted by the organization already.

You will not be able to gain a nuanced understanding of the internal strengths and weaknesses until you are in the role, so focus on the external opportunities and how competitors are using technology to their advantage.

Info-Tech Best Practice

For a more in-depth approach to identifying and understanding relevant industry trends and turning them into insights, leverage the following Info-Tech blueprints:

• Think Like a Futurist
• CIO Trend Report 2019

Presentation Deck, slide 9

Assess the external competitive environment

INPUT: External research

OUTPUT: Competitor array

1. Conduct a broad analysis of the industry as a whole. Seek to answer the following questions:
   1. Are there market developments or new markets?
   2. Are there industry or lifestyle trends, e.g. move to mobile?
   3. Are there geographic changes in the market?
   4. Are there demographic changes that are shaping decision making?
   5. Are there changes in market demand?
2. Create a competitor array by identifying and listing key competitors. Try to be as broad as possible here and consider not only entrenched close competitors but also distant/future competitors that may disrupt the industry.
3. Identify the strengths, weaknesses, and key brand differentiators that each competitor brings to the table. For each strength and differentiator, brainstorm ways that IT-based innovation enables each. These will provide a toolkit for deeper conversations with your peers and your business stakeholders as you move further into your first 100 days.

Complete the CEO-CIO Alignment Program

INPUT: CEO-CEO Alignment Program (recommended)

OUTPUT: Desired and target state of IT maturity, Innovation goals, Top priorities

Materials: Presentation Deck, slides 11-13

Participants: CEO, CIO

Introduce the concept of the CEO-CIO Alignment Program using slide 10 of your presentation deck and the brief email text below.

Talk to your advisory contact at Info-Tech about launching the program. More information is available on Info-Tech’s website.

Once the report is complete, import the results into your presentation:

• Slide 11, the CEO’s current and desired states
• Slide 12, IT innovation goals
• Slide 13, top projects and top departments from the CEO and the CIO

Include any immediate recommendations you have.

Hello CEO NAME,

I’m excited to get started in my role as CIO, and to hit the ground running, I’d like to make sure that the IT department is aligned with the business leadership. We will accomplish this using Info-Tech Research Group’s CEO-CIO Alignment Program. It’s a simple survey of 20 questions to be completed by the CEO and the CIO.

This survey will help me understand your perception and vision as I get my footing as CIO. I’ll be able to identify and build core IT processes that will automate IT-business alignment going forward and create an effective IT strategy that helps eliminate impediments to business growth.

Research shows that IT departments that are effectively aligned to business goals achieve more success, and I’m determined to make our IT department as successful as possible. I look forward to further detailing the benefits of this program to you and answering any questions you may have the next time we speak.

Regards,
CIO NAME

New KPIs for CEO-CIO Alignment — Recommended

Info-Tech CEO-CIO Alignment Program

Info-Tech's CEO-CIO Alignment Program is set up to build IT-business alignment in any organization. It helps the CIO understand CEO perspectives and priorities. The exercise leads to useful IT performance indicators, clarifies IT’s mandate and which new technologies it should invest in, and maps business goals to IT priorities.

Benefits

Master the Basics Cut through the jargon. Take a comprehensive look at the CEO perspective.	Target Alignment Identify how IT can support top business priorities. Address CEO-CIO differences.	Start on the Right Path Get on track with the CIO vision. Use correct indicators and metrics to evaluate IT from day one.

Additional materials are available on Info-Tech’s website.

The desired maturity level of IT — Alternative

Step 1: Where are we today? Determine where the CEO sees the current overall maturity level of the IT organization. Step 2: Where do we want to be as an organization? Determine where the CEO wants the IT organization to be in order to effectively support the strategic direction of the business.

Presentation Deck, slide 11

Tim Cook's powerful use of language

CASE STUDY

Industry Consumer technology
Source Carmine Gallo, Inc., 2019

Apple CEO Tim Cook, an internal hire, had big shoes to fill after taking over from the late Steve Jobs. Cook's ability to control how the company is perceived is a big credit to his success. How does he do it? His favorite five words are “The way I see it..." These words allow him to take a line of questioning and reframe it into another perspective that he wants to get across. Similarly, he'll often say, "Let me tell you the way I look at it” or "To put it in perspective" or "To put it in context." In your first two weeks on the job, try using these phrases in your conversations with peers and direct reports. It demonstrates that you value their point of view but are independently coming to conclusions about the situation at hand.

Tim Cook, CEO, Apple Inc. (Image source: Apple)

Listen to 'The First 100 Days' podcast – Denis Gaudreault

Inform your team that you plan to do an IT Management & Governance Diagnostic survey

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: IT Management & Governance Diagnostic (recommended)

OUTPUT: Process to improve first, Processes important to the business

Materials: Presentation Deck, slides 19-20

Participants: CIO, IT staff

Introduce the IT Management & Governance Diagnostic survey that will help you form your IT strategy.

Explain that you want to understand current IT capabilities and you feel a formal approach is best. You’ll also be using this approach as an important metric to track your department’s success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take action on the email when it’s sent to them.

Example email:

Hello TEAM,

I appreciate meeting each of you, and so far I’m excited about the talents and energy on the team. Now I need to understand the processes and capabilities of our department in a deeper way. I’d like to map our process landscape against an industry-wide standard, then dive deeper into those processes to understand if our team is aligned. This will help us be accountable to the business and plan the year ahead. Advisory firm Info-Tech Research Group will be reaching out to you with a simple survey that shouldn’t take too long to complete. It’s important to me that you pay attention to that message and complete the survey as soon as possible.

Regards,
CIO NAME

Call 3

Day 16 to Day 30

Leverage team interviews as a source of determining organizational culture

Info-Tech recommends that you hold group conversations with your team to uncover their opinions of the current organizational culture. This not only helps build transparency between you and your team but also gives you another means of observing behavior and reactions as you listen to team members’ characterizations of the current culture.

Note: It is inherently difficult for people to verbalize what constitutes a culture – your strategy for extracting this information will require you to ask indirect questions to solicit the highest value information.

Questions for Discussion:

• What about the current organizational environment do you think most contributes to your success?
• What barriers do you experience as you try to accomplish your work?
• What is your favorite quality that is present in our organization?
• What is the one thing you would most like to change about this organization?
• Do the organization's policies and procedures support your efforts to accomplish work or do they impede your progress?
• How effective do you think IT’s interactions are with the larger organization?
• What would you consider to be IT’s top three guiding principles?
• What kinds of people fail in this organization?

See Info-Tech’s Cultural Archetype Calculator.

Use the Competing Values Framework to define your organization’s cultural archetype

THE COMPETING VALUES FRAMEWORK (CVF):

CVF represents the synthesis of academic study of 39 indicators of effectiveness for organizations. Using a statistical analysis, two polarities that are highly predictive of differences in organizational effectiveness were isolated: Internal focus and integration vs. external focus and differentiation. Stability and control vs. flexibility and discretion. By plotting these dimensions on a matrix of competing values, four main cultural archetypes are identified with their own value drivers and theories of effectiveness.

Presentation Deck, slide 16

Create a cultural adjustment plan

Now that you've assessed the cultural archetype, you can plan an appropriate approach to shape the culture in a positive way. When new executives want to change culture, there are a few main options at hand:

Autonomous evolution: Encourage teams to learn from each other. Empower hybrid teams to collaborate and reward teams that perform well.

Planned and managed change: Create steering committee and project-oriented taskforces to work in parallel. Appoint employees that have cultural traits you'd like to replicate to hold responsibility for these bodies.

Cultural destruction: When a toxic culture needs to be eliminated, get rid of its carriers. Putting new managers or directors in place with the right cultural traits can be a swift and effective way to realign.

Each option boils down to creating the right set of incentives and deterrents. What behaviors will you reward and which ones will you penalize? What do those consequences look like? Sometimes, but not always, some structural changes to the team will be necessary. If you feel these changes should be made, it's important to do it sooner rather than later. (Source: “Enlarging Your Sphere of Influence in Your Organization,” MindTools Corporate, 2014.)

As you're thinking about shaping a desired culture, it's helpful to have an easy way to remember the top qualities you want to espouse. Try creating an acronym that makes it easy for staff to remember. For example: RISE could remind your staff to be Responsive, Innovative, Sustainable, and Engaging (RISE). Draw upon your business direction from your manager to help produce desired qualities (Source: Jennifer Schaeffer).

Presentation Deck, slide 17

Gary Davenport’s welcome “surprise”

CASE STUDY

Industry Telecom
Source Interview with Gary Davenport

After Gary Davenport was hired on as VP of IT at MTS Allstream, his first weekend on the job was spent at an all-executive offsite meeting. There, he learned from the CEO that the IT department had a budget reduction target of 25%, like other departments in the company. “That takes your breath away,” Davenport says. He decided to meet the CEO monthly to communicate his plans to reduce spending while trying to satisfy business stakeholders. His top priorities were: Stabilize IT after seven different leaders in a five-year period. Get the IT department to be respected. To act like business owners instead of like servants. Better manage finances and deliver on projects. During Davenport’s 7.5-year tenure, the IT department became one of the top performers at MTS Allstream.

Gary Davenport’s first weekend on the job at MTS Allstream included learning about a 25% reduction target. (Image source: Ryerson University)

Listen to 'The First 100 Days' podcast – David Penny & Andrew Wertkin

Initiate IT Management & Governance Diagnostic — Recommended

Info-Tech Management & Governance Diagnostic

Talk to your Info-Tech executive advisor about launching the survey shortly after informing your team to expect it. You'll just have to provide the names and email addresses of the staff you want to be involved. Once the survey is complete, you'll harvest materials from it for your presentation deck. See slides 19 and 20 of your deck and follow the instructions on what to include.

Benefits

Explore IT Processes Dive deeper into performance. Highlight problem areas.	Align IT Team Build consensus by identifying opposing views.	Ownership & Accountability Identify process owners and hold team members accountable.

Additional materials available on Info-Tech’s website.

Conduct a high-level analysis of current IT capabilities — Alternative

INPUT: Interviews with IT leadership team, Capabilities graphic on next slide

OUTPUT: High-level understanding of current IT capabilities

Run this activity if you're not able to conduct the IT Management & Governance Diagnostic.

Schedule meetings with your IT leadership team. (In smaller organizations, interviewing everyone may be acceptable.) Provide them a list of the core capabilities that IT delivers upon and ask them to rate them on an effectiveness scale of 1-5, with a short rationale for their score.

• 1. Not effective (NE)
• 2. Somewhat Effective (SE)
• 3. Effective (E)
• 4. Very Effective (VE)
• 5. Extremely Effective (EE)

Presentation Deck, slide 21

Use the following set of IT capabilities for your assessment

Quick wins: CEO-CIO Alignment Program

Complete this while waiting on the IT M&G survey results. Based on your completed CEO-CIO Alignment Report, identify the initiatives you can tackle immediately.

If you are here...	And want to be here...	Drive toward...	Innovate around...
Business Partner	Innovator	Leading business transformation	Emerging technologies Analytical capabilities Risk management Customer-facing tech Enterprise architecture
Trusted Operator	Business Partner	Optimizing business process and supporting business transformation	IT strategy and governance Business architecture Projects Resource management Data quality
Firefighter	Trusted Operator	Optimize IT processes and services	Business applications Service management Stakeholder management Work orders
Unstable	Firefighter	Reduce use disruption and adequately support the business	Network and infrastructure Service desk Security User devices

Call 4

Day 31 to Day 45

Inform your peers that you plan to do a CIO Business Vision survey to gauge your stakeholders’ satisfaction

Run the diagnostic program or use the alternative activities to complete your presentation

INPUT: CIO Business Vision survey (recommended)

OUTPUT: True measure of business satisfaction with IT

Materials: Presentation Deck, slide 30

Participants: CIO, IT staff

Meet the business leaders at your organization face-to-face if possible. If you can't meet in person, try a video conference to establish some rapport. At the end of your introduction and after listening to what your colleague has to say, introduce the CIO Business Vision Diagnostic.

Explain that you want to understand how to meet their business needs and you feel a formal approach is best. You'll also be using this approach as an important metric to track your department's success. Tell them that Info-Tech Research Group will be conducting the survey and it’s important to you that they take the survey when the email is sent to them.

Example email:

Hello PEER NAMES,

I'm arranging for Info-Tech Research Group to invite you to take a survey that will be important to me. The CIO Business Vision survey will help me understand how to meet your business needs. It will only take about 15 minutes of your time, and the top-line results will be shared with the organization. We will use the results to plan initiatives for the future that will improve your satisfaction with IT.

Regards,
CIO NAME

Gain feedback on your initial assessments from your IT team

There are two strategies for gaining feedback on your initial assessments of the organization from the IT team:

1. Review your personal assessments with the relevant members of your IT organization as a group. This strategy can help to build trust and an open channel for communication between yourself and your team; however, it also runs the risk of being impacted by groupthink.
2. Ask for your team to complete their own assessments for you to compare and contrast. This strategy can help extract more candor from your team, as they are not expected to communicate what may be nuanced perceptions of organizational weaknesses or criticisms of the way certain capabilities function.

Who you involve in this process will be impacted by the size of your organization. For larger organizations, involve everyone down to the manager level. In smaller organizations, you may want to involve everyone on the IT team to get an accurate lay of the land.

Areas for Review:

• Strategic Document Review: Are there any major themes or areas of interest that were not covered in my initial assessment?
• Competitor Array: Are there any initiatives in flight to leverage new technologies?
• Current State of IT Maturity: Does IT’s perception align with the CEO’s? Where do you believe IT has been most effective? Least effective?
• IT’s Key Priorities: Does IT’s perception align with the CEO’s?
• Key Performance Indicators: How has IT been measured in the past?

Info-Tech Best Practice

You need your team’s hearts and minds or you risk a short tenure. Overemphasizing business commitment by neglecting to address your IT team until after you meet your business stakeholders will result in a disenfranchised group. Show your team their importance.

Susan Bowen's talent maximization

CASE STUDY

Industry Infrastructure Services
Source Interview with Susan Bowen

Susan Bowen was promoted to be the president of Cogeco Peer 1, an infrastructure services firm, when it was still a part of Cogeco Communications. Part of her mandate was to help spin out the business to a new owner, which occurred when it was acquired by Digital Colony. The firm was renamed Aptum and Bowen was put in place as CEO, which was not a certainty despite her position as president at Cogeco Peer 1. She credits her ability to put the right talent in the right place as part of the reason she succeeded. After becoming president, she sought a strong commitment from her directors. She gave them a choice about whether they'd deliver on a new set of expectations – or not. She also asks her leadership on a regular basis if they are using their talent in the right way. While it's tempting for directors to want to hold on to their best employees, those people might be able to enable many more people if they can be put in another place. Bowen fully rounded out her leadership team after Aptum was formed. She created a chief operating officer and a chief infrastructure officer. This helped put in place more clarity around roles at the firm and put an emphasis on client-facing services.

Susan Bowen, CEO, Aptum (Image source: Aptum)

Listen to 'The First 100 Days' podcast – Susan Bowen

Initiate CIO Business Vision survey – new KPIs for stakeholder management — Recommended

Info-Tech CIO Business Vision

Be sure to effectively communicate the context of this survey to your business stakeholders before you launch it. Plan to talk about your plans to introduce it in your first meetings with stakeholders. When ready, let your executive advisor know you want to launch the tool and provide the names and email addresses of the stakeholders you want involved. After you have the results, harvest the materials required for your presentation deck. See slide 30 and follow the instructions on what to include.

Benefits

Key Stakeholders Clarify the needs of the business.	Credibility Create transparency.	Improve Measure IT’s progress.	Focus Find what’s important.

Additional materials are available on Info-Tech’s website.

Create a catalog of key stakeholder details to reference prior to future conversations — Alternative

Only conduct this activity if you’re not able to run the CIO Business Vision diagnostic.

Use the Organizational Catalog as a personal cheat sheet to document the key details around each of your stakeholders, including your CEO when possible.

The catalog will be an invaluable tool to keep the competing needs of your different stakeholders in line, while ensuring you are retaining the information to build the political capital needed to excel in the C-suite.

Note: It is important to keep this document private. While you may want to communicate components of this information, ensure your catalog remains under lock and (encryption) key.

Info-Tech Insight

While profiling your stakeholders is important, do not be afraid to profile yourself as well. Visualizing how your interests overlap with those of your stakeholders can provide critical information on how to manage your communications so that those on the receiving end are hearing exactly what they need.

Activity: Conduct interviews with your key business stakeholders — Alternative

1. Once you have identified your key stakeholders through your interviews with your boss and your IT team, schedule a set of meetings with those individuals.
2. Use the meetings to get to know your stakeholders, their key priorities and initiatives, and their perceptions of the effectiveness of IT.
   1. Use the probative questions to the right to elicit key pieces of information.
   2. Refer to the Organizational Catalog tool for more questions to dig deeper in each category. Ensure that you are taking notes separate from the tool and are keeping the tool itself secure, as it will contain private information specific to your interests.
3. Following each meeting, record the results of your conversation and any key insights in the Organizational Catalog. Refer to the following slide for more details.

Questions for Discussion:

• Be indirect about your personal questions – share stories that will elicit details about their interests, kids, etc.
• What are your most critical/important initiatives for the year?
• What are your key revenue streams, products, and services?
• What are the most important ways that IT supports your success? What is your satisfaction level with those services?
• Are there any current in-flight projects or initiatives that are a current pain point? How can IT assist to alleviate challenges?
• How is your success measured? What are your targets for the year on those metrics?

Presentation Deck, slide 34

Call 5

Day 46 to Day 60

Inform your team that you plan to do an IT staffing assessment

Introduce the IT Staffing Assessment that will help you get the most out of your team

INPUT: Email template

OUTPUT: Ready to launch diagnostic

Materials: Email template, List of staff, Sample of diagnostic

Participants: CIO, IT staff

Explain that you want to understand how the IT staff is currently spending its time by function and by activity. You want to take a formal approach to this task and also assess the team’s feelings about its effectiveness across different processes. The results of the assessment will serve as the foundation that helps you improve your team’s effectiveness within the organization.

Example email:

Hello PEER NAMES,

The feedback I've heard from the team since joining the company has been incredibly useful in beginning to formulate my IT strategy. Now I want to get a clear picture of how everyone is spending their time, especially across different IT functions and activities. This will be an opportunity for you to share feedback on what we're doing well, what we need to do more of, and what we're missing. Expect to receive an email invitation to take this survey from Info-Tech Research Group. It's important to me that you complete the survey as soon as you're can. Attached you’ll find an example of the report this will generate. Thank you again for providing your time and feedback.

Regards,
CIO NAME

Wayne Berger's shortcut to solve staffing woes

CASE STUDY

Industry Office leasing
Source Interview with Wayne Berger

Wayne Berger was hired to be the International Workplace Group (IWG) CEO for Canada and Latin America in 2014. Wayne approached his early days with the office space leasing firm as a tour of sorts, visiting nearly every one of the 48 office locations across Canada to host town hall meetings. He heard from staff at every location that they felt understaffed. But instead of simply hiring more staff, Berger actually reduced the workforce by 33%. He created a more flexible approach to staffing: Employees no longer just reported to work at one office; instead, they were ready to go to wherever they were most needed in a specific geographic area. He centralized all back-office functions for the company so that not every office had to do its own bookkeeping. Finally, he changed the labor profile to consist of full-time staff, part-time staff, and time-on-demand workers.

Wayne Berger, CEO, IWG Plc (Image source: IWG)

Listen to 'The First 100 Days' podcast – Wayne Berger

Initiate IT Staffing Assessment – new KPIs to track IT performance — Recommended

Info-Tech IT Staffing Assessment

Info-Tech’s IT Staffing Assessment provides benchmarking of key metrics against 4,000 other organizations. Dashboard-style reports provide key metrics at a glance, including a time breakdown by IT function and by activity compared against business priorities. Run this survey at about the 45-day mark of your first 90 days. Its insights will be used to inform your long-term IT strategy.

Benefits

Right-Size IT Headcount Find the right level for stakeholder satisfaction.	Allocate Staff Correctly Identify staff misalignments with priorities.	Maximize Teams Identify how to drive staff.

Additional materials are available on Info-Tech’s website.

Quick wins: Make recommendations based on IT Management & Governance Framework

Complete this exercise while waiting on the IT Staffing Assessment results. Based on your completed IT Management & Governance report, identify the initiatives you can tackle immediately. You can conduct this as a team exercise by following these steps:

1. Create a shortlist of initiatives based on the processes that were identified as high need but scored low in effectiveness. Think as broadly as possible during this initial brainstorming.
2. Write each initiative on a sticky note and conduct a high-level analysis of the amount of effort that would be required to complete it, as well as its alignment with the achievement of business objectives.
3. Draw the matrix below on a whiteboard and place each sticky note onto the matrix based on its potential impact and difficulty to address.

Call 6

Day 61 to Day 75

Run a start, stop, continue exercise with your IT staff — Alternative

This is an alternative activity to running an IT Staffing Assessment, which contains a start/stop/continue assessment. This activity can be facilitated with a flip chart or a whiteboard. Create three pages or three columns and label them Start, Stop, and Continue.

Hand out sticky notes to each team member and then allow time for individual brainstorming. Instruct them to write down their contributions for each category on the sticky notes. After a few minutes, have everyone stick their notes in the appropriate category on the board. Discuss as a group and see what themes emerge. Record the results that you want to share in your presentation deck (GroupMap).

Gather your team and explain the meaning of these categories:

Start: Activities you're not currently doing but should start doing very soon.

Stop: Activities you're currently doing but aren’t working and should cease.

Continue: Things you're currently doing and are working well.

Presentation Deck, slide 24

Determine the alignment of IT commitments with business objectives

INPUT: Interviews with IT leadership team

OUTPUT: High-level understanding of in-flight commitments and investments

Run this only as an alternative to the IT Management & Governance Diagnostic.

1. Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.
2. Determine the following about IT’s current investment mix:
   1. What are the current IT investments and assets? How do they align to business goals?
   2. What investments in flight are related to which information assets?
   3. Are there any immediate risks identified for these key investments?
   4. What are the primary business issues that demand attention from IT consistently?
   5. What choices remain undecided in terms of strategic direction of the IT organization?
3. Document your key investments and commitments as well as any points of misalignment between objectives and current commitments as action items to address in your long-term plans. If they are small fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Determine the alignment of IT commitments with business objectives

Run this only as an alternative to the IT Staffing Assessment diagnostic.

Schedule meetings with IT leadership to understand what commitments have been made to the business in terms of new products, projects, or enhancements.

Determine the following about IT’s current investment mix:

• What are the current IT investments and assets?
• How do they align to business goals?
• What in-flight investments are related to which information assets?
• Are there any immediate risks identified for these key investments?
• What are the primary business issues that demand attention from IT consistently?
• What remains undecided in terms of strategic direction of the IT organization?

Document your key investments and commitments, as well as any points of misalignment between objectives and current commitments, as action items to address in your long-term plans. If they are small-effort fixes, consider them during your quick-win identification.

Presentation Deck, slide 25

Make a categorized vendor list by IT process

As part of learning the IT team, you should also create a comprehensive list of vendors under contract. Collaborate with the finance department to get a clear view of how much of the IT budget is spent on specific vendors. Try to match vendors to the IT processes they serve from the IT M&G framework.

You should also organize your vendors based on their budget allocation. Go beyond just listing how much money you’re spending with each vendor and categorize them into either “transactional” relationships or “strategic relationships.” Use the grid below to organize them. Ideally, you’ll want most relationships to be high spend and strategic (Source: Gary Davenport).

Where to source your vendor list:

• Finance department
• Infrastructure managers
• Vendor manager in IT

Further reading: Manage Your Vendors Before They Manage You

Presentation Deck, slide 26

Jennifer Schaeffer’s short-timeline turnaround

CASE STUDY

Industry Education
Source Interview with Jennifer Schaeffer

Jennifer Schaeffer joined Athabasca University as CIO in November 2017. She was entering a turnaround situation as the all-online university lacked an IT strategy and had built up significant technical debt. Armed with the mandate of a third-party consultant that was supported by the president, Schaeffer used a people-first approach to construct her strategy. She met with all her staff, listening to them carefully regardless of role, and consulted with the administrative council and faculty members. She reflected that feedback in her plan or explained to staff why it wasn’t relevant for the strategy. She implemented a “strategic calendaring” approach for the organization, making sure that her team members were participating in meetings where their work was assessed and valued. Drawing on Spotify as an inspiration, she designed her teams in a way that everyone was connected to the customer experience. Given her short timeline to execute, she put off a deep skills analysis of her team for a later time, as well as creating a full architectural map of her technology stack. The outcome is that 2.5 years later, the IT department is unified in using the same tooling and optimization standards. It’s more flexible and ready to incorporate government changes, such as offering more accessibility options.

Jennifer Schaeffer took on the CIO role at Athabasca University in 2017 and was asked to create a five-year strategic plan in just six weeks. (Image source: Athabasca University)

Listen to 'The First 100 Days' podcast – Eric Wright

Call 7

Day 76 to Day 90

Finalize your vision – mission – values statement

A clear statement for your values, vision, and mission will help crystallize your IT strategy and communicate what you're trying to accomplish to the entire organization.

Mission: This statement describes the needs that IT was created to meet and answers the basic question of why IT exists.

Vision: Write a statement that captures your values. Remember that the vision statement sets out what the IT organization wants to be known for now and into the future.

Values: IT core values represent the standard axioms by which the IT department operates. Similar to the core values of the organization as a whole, IT’s core values are the set of beliefs or philosophies that guide its strategic actions.

Further reading: IT Vision and Mission Statements Template

Presentation Deck, slide 42

John Chen's new strategic vision

CASE STUDY

Industry Mobile Services
Source Sean Silcoff, The Globe and Mail

John Chen, known in the industry as a successful turnaround executive, was appointed BlackBerry CEO in 2014 following the unsuccessful launch of the BlackBerry 10 mobile operating system and a new tablet. He spent his first three months travelling, talking to customers and suppliers, and understanding the company's situation. He assessed that it had a problem generating cash and had made some strategic errors, but there were many assets that could benefit from more investment. He was blunt about the state of BlackBerry, making cutting observations of the past mistakes of leadership. He also settled a key question about whether BlackBerry would focus on consumer or enterprise customers. He pointed to a base of 80,000 enterprise customers that accounted for 80% of revenue and chose to focus on that. His new mission for BlackBerry: to transform it from being a "mobile technology company" that pushes handset sales to "a mobile solutions company" that serves the mobile computing needs of its customers.

John Chen, CEO of BlackBerry, presents at BlackBerry Security Summit 2018 in New York City (Image source: Brian Jackson)

Listen to 'The First 100 Days' podcast – Erin Bury

Quick wins: Make recommendations based on the CIO Business Vision survey

Based on your completed CIO Business Vision survey, use the IT Satisfaction Scorecard to determine some initiatives. Focus on areas that are ranked as high importance to the business but low satisfaction. While all of the initiatives may be achievable given enough time, use the matrix below to identify the quick wins that you can focus on immediately. It’s important to not fail in your quick-win initiative.

• High Visibility, Low Risk: Best bet for demonstrating your ability to deliver value.
• Low Visibility, Low Risk: Worth consideration, depending on the level of effort required and the relative importance to the stakeholder.
• High Visibility, High Risk: Limit higher-risk initiatives until you feel you have gained trust from your stakeholders, demonstrating your ability to deliver.
• Low Visibility, High Risk: These will be your lowest value, quick-win initiatives. Keep them in a backlog for future consideration in case business objectives change.

Presentation Deck, slide 27

Create and communicate a post-100 plan

The last few slides of your presentation deck represent a roundup of all the assessments you’ve done and communicate your plan for the months ahead.

Slide 38. Based on the information on the previous slide and now knowing which IT capabilities need improvement and which business priorities are important to support, estimate where you'd like to see IT staff spend their time in the near future. Will you be looking to shift staff from one area to another? Will you be looking to hire staff?

Slide 39. Take your IT M&G initiatives from slide 19 and list them here. If you've already achieved a quick win, list it and mark it as completed to show what you've accomplished. Briefly outline the objectives, how you plan to achieve the result, and what measurement will indicate success.

Slide 40. Reflect your CIO Business Vision initiatives from slide 31 here.

Slide 41. Use this roadmap template to list your initiatives by roughly when they’ll be worked on and completed. Plan for when you’ll update your diagnostics.

Expert Contributors

	Alan Fong, Chief Technology Officer, Dealer-FX
	Andrew Wertkin, Chief Strategy Officer, BlueCat Networks David Penny, Chief Technology Officer, BlueCat Networks
	Susan Bowen, CEO, Aptum

	Erin Bury, CEO, Willful
	Denis Gaudreault, Country Manager, Intel Canada and Latin America
	Wayne Berger, CEO, IWG Plc

	Eric Wright, CEO, LexisNexis Canada
	Gary Davenport, past president of CIO Association” of Canada, former VP of IT, Enterprise Solutions Division, MTS AllStream
	Jennifer Schaeffer, VP of IT and CIO, Athabasca University

Bibliography

Beaudan, Eric. “Do you have what it takes to be an executive?” The Globe and Mail, 9 July 2018. Web.

Bersohn, Diana. “Go Live on Day One: The Path to Success for a New CIO.” PDF document. Accenture, 2015. Web.

Bradt, George. “Executive Onboarding When Promoted From Within To Follow A Successful Leader.” Forbes, 15 Nov. 2018. Web.

“CIO Stats: Length of CIO Tenure Varies By Industry.” CIO Journal, The Wall Street Journal. 15 Feb. 2017. Web.

“Enlarging Your Sphere of Influence in Your Organization: Your Learning and Development Guide to Getting People on Side.” MindTools Corporate, 2014.

“Executive Summary.” The CIO's First 100 Days: A Toolkit. PDF document. Gartner, 2012. Web.

Forbes, Jeff. “Are You Ready for the C-Suite?” KBRS, n.d. Web.

Gallo, Carmine. “Tim Cook Uses These 5 Words to Take Control of Any Conversation.” Inc., 9 Aug. 2019. Web.

Giles, Sunnie. “The Most Important Leadership Competencies, According to Leaders Around the World.” Harvard Business Review, 15 March 2016. Web.

Godin, Seth. “Ode: How to tell a great story.” Seth's Blog. 27 April 2006. Web.

Green, Charles W. “The horizontal dimension of race: Social culture.” Hope College Blog Network, 19 Oct. 2014. Web.

Hakobyan, Hayk. “On Louis Gerstner And IBM.” Hayk Hakobyan, n.d. Web.

Bibliography

Hargrove, Robert. Your First 100 Days in a New Executive Job, edited by Susan Youngquist. Kindle Edition. Masterful Coaching Press, 2011.

Heathfield, Susan M. “Why ‘Blink’ Matters: The Power of Your First Impressions." The Balance Careers, 25 June 2019. Web.

Hillis, Rowan, and Mark O'Donnell. “How to get off to a flying start in your new job.” Odgers Berndtson, 29 Nov. 2018. Web.

Karaevli, Ayse, and Edward J. Zajac. “When Is an Outsider CEO a Good Choice?” MIT Sloan Management Review, 19 June 2012. Web.

Keizer, Gregg. “Microsoft CEO Nadella Aces First-100-Day Test.” Computerworld, 15 May 2014. Web.

Keller, Scott, and Mary Meaney. “Successfully transitioning to new leadership roles.” McKinsey & Company, May 2018. Web.

Kress, R. “Director vs. Manager: What You Need to Know to Advance to the Next Step.” Ivy Exec, 2016. Web.

Levine, Seth. “What does it mean to be an ‘executive’.” VC Adventure, 1 Feb. 2018. Web.

Lichtenwalner, Benjamin. “CIO First 90 Days.” PDF document. Modern Servant Leader, 2008. Web.

Nawaz, Sabina. “The Biggest Mistakes New Executives Make.” Harvard Business Review, 15 May 2017. Web.

Pruitt, Sarah. “Fast Facts on the 'First 100 Days.‘” History.com, 22 Aug. 2018. Web.

Rao, M.S. “An Action Plan for New CEOs During the First 100 Days.” Training, 4 Oct. 2014. Web.

Reddy, Kendra. “It turns out being a VP isn't for everyone.” Financial Post, 17 July 2012. Web.

Silcoff, Sean. “Exclusive: John Chen’s simple plan to save BlackBerry.” The Globe & Mail, 24 Feb. 2014. Web.

Bibliography

“Start Stop Continue Retrospective.” GroupMap, n.d. Web.

Surrette, Mark. “Lack of Rapport: Why Smart Leaders Fail.” KBRS, n.d. Web.

“Understanding Types of Organization – PMP Study.” Simplilearn, 4 Sept. 2019. Web.

Wahler, Cindy. “Six Behavioral Traits That Define Executive Presence.” Forbes, 2 July 2015. Web.

Watkins, Michael D. The First 90 Days, Updated and Expanded. Harvard Business Review Press, 2013.

Watkins, Michael D. “7 Ways to Set Up a New Hire for Success.” Harvard Business Review, 10 May 2019. Web.

“What does it mean to be a business executive?” Daniels College of Business, University of Denver, 12 Aug. 2014. Web.

Yeung, Ken. “Turnaround: Marissa Mayer’s first 300 days as Yahoo’s CEO.” The Next Web, 19 May 2013. Web.