Improve IT Governance to Drive Business Results

Avoid bureaucracy and achieve alignment with a minimalist approach.

ANALYST PERSPECTIVE

Governance optimization is achieved where decision making, authority, and context meet.

"Governance is something that is done externally to IT and well as internally by IT, with the intention of providing oversight to direct the organization to meet goals and keep things on target.

Optimizing IT governance is the most effective way to consistently direct IT spend to areas that provide the most value in producing or supporting business outcomes, yet it is rarely done well.

IT governance is more than just identifying where decisions are made and who has the authority to make them – it must also provide the context and criteria under which decisions are made in order to truly provide business value" (Valence Howden, Director, CIO Practice Info-Tech Research Group)

Our understanding of the problem

This Research is Designed For:

• CIOs
• CTOs
• IT Directors

This Research Will Help You:

• Achieve and maintain executive and business support for optimizing IT governance.
• Optimize your governance structure.
• Build high-level governance processes.
• Build governance committee charters and set accountability for decision making.
• Plan the transition to the optimized governance structure and processes.

This Research Will Also Assist:

• Executive Leadership
• IT Managers
• IT Customers
• Project Managers

This Research Will Help Them:

• Improve alignment between business decisions and IT initiatives.
• Establish a mechanism to validate, redirect, and reprioritize IT initiatives.
• Realize greater value from more effective decision making.
• Receive a better overall quality of service.

Executive Summary

Situation

• IT governance is the #1 predictor of value generated by IT, yet many organizations struggle to organize their governance effectively.*
• Current IT governance does not address the changing goals, risks, or context of the organization so IT spend is not easily linked to value.
• The right people are not making the right decisions about IT.

Complication

• Organizations do not have a governance framework in place that optimally aligns IT with the business objectives and direction.
• Implementing IT governance requires the involvement of key business stakeholders who do not see IT’s value in governance and strategy.
• The current governance processes are poorly designed, creating long decision-making cycles and driving non-compliance with regulation.

Resolution

• Use Info-Tech’s four-step process for optimizing your IT governance framework. Our client-tested methodology supports the enablement of IT-business alignment, decreases decision-making cycle times, and increases IT’s transparency and effectiveness in making decisions around benefits realization, risks, and resources.
• Successful completion of the IT governance redesign will result in the following outcomes:
  1. Align IT with the business context.
  2. Assess the current governance framework.
  3. Redesign the governance framework.
  4. Implement governance redesign.

Info-Tech Insight

• Establish IT-business fusion. In governance, alignment is not enough. Merge IT and the business through governance to ensure business success.
• With great governance comes great responsibility. Involve relevant business leaders, who will be impacted by IT outcomes, to take on governing responsibility of IT.
• Let IT manage and the business govern. IT governance should be a component of enterprise governance, allowing IT leaders to focus on managing.

IT governance is...

An enabling framework for decision-making context and accountabilities for related processes.

A means of ensuring business-IT collaboration, leading to increased consistency and transparency in decision making and prioritization of initiatives.

A critical component of ensuring delivery of business value from IT spend and driving high satisfaction with IT.

IT governance is not...

An annoying, finger-waving roadblock in the way of getting things done.

Limited to making decisions about technology.

Designed tacitly; it is purposeful, with business objectives in mind.

A one-time project; you must review and revalidate the efficiency.

Avoid common misconceptions of IT governance

Don’t blur the lines between governance and management; each has a unique role to play. Confusing these results in wasted time and confusion around ownership.

Governance		Management
IT governance sets direction through prioritization and decision making, and monitors overall IT performance. Governance aligns with the mission and vision of the organization to guide IT.		Management is responsible for executing on, operating, and monitoring activities as determined by IT governance. Management makes decisions for implementing based on governance direction.

The IT Governance Framework

An IT governance framework is a system that will design structures, processes, authority definitions, and membership assignments that lead IT toward optimal results for the business.

Governance is performed in three ways:

1. Evaluate

   Governance ensures that business goals are achieved by evaluating stakeholder needs, criteria, metrics, portfolio, risk, and definition of value.

2. Direct

   Governance sets the direction of IT by delegating priorities and determining the decisions that will guide the IT organization.

3. Monitor

   Governance establishes a framework to monitor performance, compliance to regulation, and progress on expected outcomes.

"Everyone needs good IT, but no one wants to talk about it. Most CFOs would rather spend time with their in-laws than in an IT steering-committee meeting. But companies with good governance consistently outperform companies with bad. Which group do you want to be in?" (Martha Heller, President, Heller Search Associates)

Create impactful IT governance by embedding it within enterprise governance

The business should engage in IT governance and IT should influence the direction of the business.

Identify signals of sub-optimal IT governance within any of these domains

If you notice any of these signals, governance redesign is right for you!

Inability to Realize Benefits

1. IT is unable to articulate the value of its initiatives or spend.
2. IT is regularly delegated unplanned projects.
3. The is no standard approach to prioritization.
4. Projects do not meet target metrics.

Resource Misallocation

1. Resources are wasted due to duplication or overlap in IT initiatives.
2. IT projects fail at an unacceptable rate, leading to wasted resources.
3. IT’s costs continue to increase without reciprocal performance increase.

Misdiagnosed Risks

1. Risk appetite is incorrectly identified or not identified at all.
2. Disagreement on the approach to risk in the organization.
3. Increasing rate of IT incidents related to risk.
4. IT is failing to meet regulatory requirements.

Dissatisfied Stakeholders

1. There are no ways to measure stakeholder satisfaction with IT.
2. Business strategies and IT strategies are misaligned.
3. IT’s relationship with key stakeholders is unstable and there is a lack of mutual trust.

A majority of organizations experience significant alignment gaps

The majority of organizations and their key stakeholders experience highly visible gaps in the alignment of IT investments and organizational goals.

88% of CIOs believe that their governance is not effective. (Info-Tech Diagnostics)

Leverage governance as the catalyst for connecting IT and the business

49% of firms are misaligned on current performance expectations for IT.

• 49% Misaligned
• 51% Aligned

67% of firms are misaligned on the target role for IT.

• 34% Highly Misaligned
• 33% Somewhat Misaligned
• 33% Aligned

A well-designed IT governance framework will hep you to:

1. Make sure IT keeps up with the evolving business context.
2. Align IT with the mission and the vision of the organization.
3. Optimize the speed and quality of decision making.
4. Meet regulatory and compliance needs in the external environment.
(Info-Tech Diagnostics)

Align with business goals through governance to attain business-IT fusion

Create a state of business-IT fusion, in which the two become one.

Without business-IT fusion, IT will go in a different direction, leading to a divergence of purpose and outcomes. IT can transform into a fused partner of the business by ensuring that they govern toward the same goal.

Firefighter Delivers lower value Duplication of effort Unclear risk profile High risk exposure

Business Partner Increased speed of decision making Aligned with business priorities Optimized utility of people, financial, and time resources Monitors and mitigates risk and compliance issues

Redesign IT governance in accordance with COBIT and proven good practice

Info-Tech’s approach to governance redesign is rooted in COBIT, the world-class and open-source IT governance standard.

COBIT begins with governance, EDM – Evaluate, Direct, and Monitor.

We build upon these standards with industry best practices and add a practical approach based on member feedback.

This blueprint will help you optimize your governance framework.

Use Info-Tech’s approach to implementing an IT governance redesign

The four phases of Info-Tech’s governance redesign methodology will help you drive greater value for the business.

1. Align IT With the Business Context
   Align IT’s direction with the business using the Statement of Business Context Template.
2. Assess the Current Governance Framework
   Evaluate the strengths and weaknesses of current governance using the Current State Assessment of IT Governance.
3. Redesign the Governance Framework
   Build a redesign of the governance framework using the Future State Design for IT Governance tool.
4. Implement Governance Redesign
   Create an IT Governance Implementation Plan to jumpstart the communication of the redesign and set it up for success.
Continuously assess your governance framework to ensure alignment.

Leverage Info-Tech’s insights for an optimal redesign process

Leverage both COBIT and Info-Tech-defined metrics to evaluate the success of your redesign

These metrics will help you determine the extent to which your governance is supporting your business goals, and whether the governance in place promotes business-IT fusion.

Benefits Realization

1. Percent of IT-enabled investments where benefit realization is monitored through the full economic life. (COBIT-defined metric)
2. Percent of enterprise strategic goals and requirements supported by IT strategic goals. (COBIT-defined metric)
3. Percent of IT services where expected benefits are realized or exceeded. (COBIT-defined metric)

Resources

1. Satisfaction level of business and IT executives with IT-related costs and capabilities. (COBIT-defined metric)
2. Average time to turn strategic IT objectives into an agreed-upon and approved initiative. (COBIT-defined metric)
3. Number of deviations from resource utilization plan.

Risks

1. Number of security incidents causing financial loss, business disruption, or public embarrassment. (COBIT-defined metric)
2. Number of issues related to non-compliance with policies. (COBIT-defined metric)
3. Percentage of enterprise risk assessments that include IT-related risks. (COBIT-defined metric)
4. Frequency with which the risk profile is updated. (COBIT-defined metric)

Stakeholders

1. Change in score of alignment with the scope of the planned portfolio of programs and services (using CIO-CXO Alignment Diagnostic).
2. Percent of executive management roles with clearly defined accountabilities for IT decisions. (COBIT-defined metric)
3. Percent of business stakeholders satisfied that IT service delivery meets agreed-upon service levels. (COBIT-defined metric)
4. Percent of key business stakeholders involved in IT governance.

Capture monetary value by establishing and monitoring key metrics

While benefits of governance are often qualitative, the power of effective governance can be demonstrated through quantitative financial gains.

Redesign IT governance to achieve optimal business outcomes

CASE STUDY

Industry: Healthcare
Source: Info-Tech

Situation

The IT governance had been structured based on regulations and had not changed much since it was put in place. However, a move to become an integration and service focused organization had moved the organization into the world of web services, Agile development, and service-oriented architecture.

Complication

The existing process was well defined and entrenched, but did not enable rapid decision making and Agile service delivery. This was due to the number of committees where initiatives were reviewed, made worse by their lack of approval authority. This led to issues moving initiatives forward in the timeframes required to meet clinician needs and committed governmental deadlines.

In addition, the revised organizational mandate had created confusion regarding the primary purpose and function of the organization and impacted the ability to prioritize spend on a limited budget.

To complicate matters further, there was political sensitivity tied to the membership and authority of different governing committees.

Result:

The CEO decided that a project would be initiated by the Enterprise Architecture Group, but managed by an external consultant to optimize and restructure the governance within the organization.

The purpose of using the external consultant was to help remove internal politics from the discussion. This allowed the organization to establish a shared view of the organization’s revised mission and IT’s role in its execution.

The exercise led to the removal of one governing committee and the merger of two others, modification to committee authority and membership, and a refined decision-making context that was agreed to by all parties.

The redesigned governance process led to a 30% reduction in cycle time from intake to decision, and a 15% improvement in alignment of IT spend with strategic priorities.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Redesign IT Governance – project overview

	Align IT With the Business Context	Assess the Current State	Redesign Governance	Implement Redesign
Best-Practice Toolkit	1.1 Identify Stakeholders 1.2 Make the Case 1.3 Present to Executives 1.4 Customize Comm. Plan 1.5 Review Documents 1.6 Analyze Frameworks 1.7 Conduct Brainstorming 1.8 Finalize the SoBC	2.1 Create Committee Profiles 2.2 Build a Governance Structure Map 2.3 Establish Governance Guidelines	3.1 Build Governance Structure Map 3.2 Create Committee Profiles 3.3 Leverage Process Specific Governance Blueprints	4.1 Identify Next Steps for the Redesign 4.2 Establish Communication Plan 4.3 Lead Executive Presentation
Guided Implementations	Move towards gaining buy-in from the business if necessary. Then identify the major components of the SoBC. Review SoBC and discuss a strategy to engage key stakeholders in the redesign.	Explore the process of identifying the four major elements of governance. Build guidelines for the future state. Review the current state of governance and discuss the implications and guidelines.	Identify the changes that will need to be made. Review redesigned structure and authority. Review redesigned process and membership.	Discuss and review the implementation plan. Prepare the presentation for the executives. Provide support on any final questions.
Onsite Workshop	Module 1: Align IT with the business context	Module 2: Assess the current governance framework	Module 3: Redesign the governance framework	Module 4: Implement governance redesign
	Phase 1 Results: Align IT’s direction with the business.	Phase 2 Results: Evaluate the strengths and weaknesses of current governance and build guidelines.	Phase 3 Results: Establish a redesign of the governance framework.	Phase 4 Results: Create an implementation plan for the communication of the redesign.

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Improve IT Governance to Drive Business Results

PHASE 1

Align IT With the Business Context

Phase 1 outline

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Align IT With the Business Context

Proposed Time to Completion: 2-4 weeks

Phase 1: Align IT With the Business Context

Activities:

• 1.1 Identify Stakeholders
• 1.2 Customize Make the Case Presentation
• 1.3 Present to Executives
• 1.4 Customize Communication Plan
• 1.5 Review Business Documents
• 1.6 Analyze Business Frameworks
• 1.7 Conduct Brainstorming Efforts
• 1.8 Finalize the SoBC

Outcomes:

• Make the case for a governance redesign.
• Create a custom communication plan to facilitate support for the redesign process.
• Establish a collectively agreed upon statement of business context.

Set up business-driven governance by gaining an understanding of the business context

Fuse IT with the business by establishing a common context of what the business is trying to achieve. Align IT with the business by developing an understanding of the business state, creating a platform to build a well-aligned governance framework.

"IT governance philosophies can no longer be a ‘black box’ … IT governance can no longer be ignored by senior executives." (Iskandar and Mohd Salleh, University of Malaya, International Journal of Digital Society)

Info-Tech Insight

Get consensus on the changing state of business. There must be an active understanding of the current and future state of the business for governance to address the changing needs of the business.

The source for the governance redesign directive will dictate the route for attaining leadership buy-in

"Without an awareness of IT governance, there is no chance that it will be followed … The higher the percentage of managers who can describe your governance, the higher the governance performance." (Jeanne Ross, Director, MIT Center for Information Systems Research)

The path you will choose for your governance buy-in tactics will be based on the original directive to redesign governance.

Enterprise Directive.
In the case that the redesign is an enterprise directive, jump directly to building a communication plan.

IT Directive.
In the case that the redesign is an IT directive, make the case to get the business on board.

Use the Make the Case presentation template to get buy-in from the business

INSTRUCTIONS

1. Identify Stakeholders
   Determine which business stakeholders will be impacted or involved in the redesign process.
2. Customize the Presentation
   Identify specific pain points regarding IT-business alignment.
3. Present to Executives
   Present the make the case presentation.

Info-Tech Best Practice

Use the Make the Case customizable deliverable to lead a boardroom-quality presentation proving the specific need for senior executive involvement in the governance redesign.

Determine which business stakeholders will be impacted or involved in the redesign process

It is vital to identify key business and IT stakeholders before the IT governance redesign has begun. Consider whose input and influence will be necessary in order to align with the business context and redesign the governance framework accordingly.

Business

• Shareholders
• Board
• Chief Executive Officer
–› Example: the CEO wants to know how IT will support the achievement of strategic corporate objectives.
• Chief Financial Officer
• Chief Operating Officer
• Business Executives
• Business Process Owners
• Strategy Executive Committee
• Chief Risk Officer
• Chief Information Security Officer
• Architecture Board
• Enterprise Risk Committee
• Head of Human Resources
• Compliance
• Audit

IT

• Chief Information Officer
–› Example: the CIO would like validation from the business with regards to prioritization criteria.
• Head Architect
• Head of Development
• Head of IT Operations
• Head of IT Administration
• Service Manager
• Information Security Manager
• Business Continuity Manager
• Privacy Officer

External

• Government Agency
–› Example: some governments mandate that organizations develop and implement an IT governance framework.
• Audit Firm

Build a power map to prioritize stakeholders

Stakeholders may have competing concerns – that is, concerns that cannot be addressed with one solution. The governance redesigner must prioritize their time to address the concerns of the stakeholders who have the most power and who are most impacted by the IT governance redesign.

Draw a stakeholder power map to visualize the importance of various stakeholders and their concerns, and to help prioritize your time with those stakeholders.

• Power: How much influence does the stakeholder have? Enough to drive the project forward or into the ground?
• Involvement: How interested is the stakeholder? How much involvement does the stakeholder have in the project already?
• Impact: To what degree will the stakeholder be impacted? Will this significantly change the job?
• Support: Is the stakeholder a supporter of the project? Neutral? A resistor?

Download Info-Tech’s Stakeholder Power Map Template to help you visualize your key stakeholders.

Build a power map to prioritize stakeholders

1.1

It is important to identify who will be impacted and who has power, and the level of involvement they have in the governance redesign. If they have power, will be highly impacted, and are not involved in governance, you have already lost – because they will resist later. You need to get them involved early.

• Focus on key players – relevant stakeholders who have high power, are highly impacted, and should have a high level of involvement.
• Engage the stakeholders that are impacted most and have the power to impede the success of redesigning IT governance.
  • For example, if a CFO, who has the power to block project funding, is heavily impacted and not involved, the IT governance redesign success will be put at risk.
• Some stakeholders may have influence over others so you should focus your efforts on the influencer rather than the influenced.
  • For example, if an uncooperative COO is highly influenced by the Director of Operations, it is recommended to engage the latter.

Identify specific pain points regarding business-IT alignment

INPUT: Signal Questions, CIO-CXO Alignment Diagnostic

OUTPUT: List of Categorized Pain Points

Materials: Make the Case for an IT Governance Redesign

Participants: Identified Key Business Stakeholders

1. Consider Signals for Redesign
   Refer to the Executive Brief for questions to identify pain points related to governance.
   • Benefits Realization
   • Resources
   • Risks
   • Stakeholders
2. Conduct CIO-CEO Alignment Diagnostic
   Assess the current state of alignment between the CIO and the major stakeholders of the organization.

See the CEO-CIO Alignment Program for more information.

Conduct the CEO-CIO Alignment Diagnostic

Why CEO-CIO Alignment?

The CEO-CIO Alignment Program helps you understand the gaps between what the CEO wants for IT and what the CIO wants for IT. The program will also evaluate the current state of IT, from a strategic and tactical perspective, based on the CEO’s opinion.

The CEO-CIO Alignment Program helps to:

• Evaluate how the executive leadership currently feels about the IT organization’s performance along the following dimensions:
  • IT budgeting and staffing
  • IT strategic planning
  • Degree of project success
  • IT-business alignment
• Answer the question, “What does the CEO want from IT?”
• Understand the CEO’s perception of and vision for IT in the business.
• Define the current and target roles for IT. Understanding IT’s current and target roles, in the eyes of the CEO, is crucial to creating IT governance. By focusing the IT governance on achieving the target role, you will ensure that the senior leadership will support the implementation of the IT governance.

To conduct the CEO-CIO Alignment Program, follow the steps outlined below.

1. Select the senior business leader to participate in the program. While Info-Tech suggests that the CEO participate, you might have other senior stakeholders who should be involved.
2. Send the survey link to your senior business stakeholder and ensure the survey’s completion.
3. Complete your portion of the survey.
4. Hold a meeting to discuss the results and document your findings.

See the CEO-CIO Alignment Program for more information.

Present the “Make the Case” for IT governance redesign

1.3 30 minutes

1. Review Finalized Stakeholder List
   Consolidate a list of the most important and impactful stakeholders who need further convincing to participate in the governance redesign and implementation.
2. Present the Deck
   Include the information gathered throughout the discovery into the presentation deck and hold a meeting to review the findings.

Business

• Shareholders
• Board
• Chief Executive Officer
• Chief Financial Officer
• Chief Operating Officer
• Business Executives
• Strategy Executive Committee
• Chief Risk Officer
• Architecture Board
• Enterprise Risk Committee
• Head of Human Resources
• Compliance

IT

• Chief Information Officer

External

• Government Agency
• Audit Firm

Use the Make the Case for an IT Governance Redesign template for more information.

Create a custom communication plan to facilitate support for the redesign process

1B Create a plan to engage the key stakeholders

INSTRUCTIONS

1. Identify Stakeholders
   Determine which business stakeholders will be involved (refer to Activity 1.1).
2. Customize Communication Plan
   Follow up with individual communication plans.

Info-Tech Best Practice

Create personal communication plans to provide individualized engagement, instead of assuming that everyone will respond to the same communication style.

Download the IT Governance Stakeholder Communication Planning Tool for more information.

Create a communication plan to engage key stakeholders

1. Input Stakeholders
   Determine which business stakeholders will be involved (refer to Activity 1.1). Then, insert their position on the power map, the rationale to inform them, the timing of communications, and what inputs they will be needed to provide.

   Stakeholder role	Power map position	Why inform them	When to inform them	What we need from them
   Chief Executive Officer
   Chief Financial Officer
   Chief Operating Officer

2. Identify Communication Strategy
   Outline the most effective communication plan for that stakeholder. Identify how to best communicate to the stakeholders to make sure they are appropriately engaged in the redesign process.

   Vehicle	Audience	Purpose	Frequency	Owner	Distribution	Level of detail
   Status Report	IT Managers	Project progress and deliverable status	Weekly	CIO, John Smith	Email	Details for milestones, deliverables, budget, schedule, issues, next steps
   Status Report	Marketing Manager	Project progress	Monthly	CIO, John Smith	Email	High-level detail for major milestone update and impact to the marketing unit

Establish a collectively agreed upon statement of business context (SoBC)

1C Document the mutual understanding of the business context

INSTRUCTIONS

1. Review Business Documents
   Review business documents from broad areas of the business to assess the business context.
2. Analyze Business Frameworks
   Analyze business frameworks to articulate the current and projected future business context.
3. Brainstorm With Key Stakeholders
   Conduct stakeholder brainstorming efforts to gain insights from key business stakeholders.
4. Finalize the SoBC
   Document and sign the SoBC with identified stakeholders.

Info-Tech Best Practice

Use the Statement of Business Context customizable deliverable as a point of reference that will guide the direction of the governance redesign.

Use the Statement of Business Context to identify the critical information needed to guide governance

Components of the SoBC Mission Who are you as an organization? Who are your internal and external customers? What are your core business functions? Example (Higher Education) Nurture global leaders and provide avenues for intellectual exploration. Vision Is your vision statement future-facing? Is your vision statement concise? Is your vision statement achievable? Does your vision statement involve change? Example Be a catalyst for creating the future leaders of tomorrow through dynamic and immersive educational experiences. The university will be recognized for being a prestigious innovative research hub and educational institution.

Use the Statement of Business Context to identify the critical information needed to guide governance (cont.)

More Components of the SoBC Strategic Objectives What are the strategic initiatives of the organization? Do you have a roadmap to accomplish your mission? What are the primary goals of senior leaders for the organization? Example Meeting government regulation Revenue generation Top research quality High teaching quality
State of Business Consider what the current state and future state are. How does the operating model used define the state? How do industry trends shape the business? What internal changes impact the business model? Example Our organization aims to make quick decisions and navigate the fast-paced industry with agility, uniting the development and operational sides of the business.

Leverage core concepts to determine the direction of the organization’s state of the business

Review business documents to assess business context

INPUT: Strategic Documents, Financial Documents

OUTPUT: Mission, Vision, Strategic Objectives

Materials: Corporate Documents

Participants: IT Governance Redesign Owner

Start assessing the state of the business context by leveraging easily accessible information. Many organization have strategic plans, documents, and presentations that already include a large portion of the information for the SoBC – use these sources first.

Instructions

1. Strategic Documents
   Leverage your organization’s strategic documents to gain understanding of the business context.

Documents to Review:

• Corporate strategy document.
• Business unit strategy documents.
• Annual general reports.

• Look for large capital expenditures.
• Review operating costs.
• Business cases submitted.

Review strategic planning documents

Overview

Some organizations (and business units) create an authoritative strategy document. These documents contain the organization’s corporate aspirations and outline initiatives, reorganizations, and shifts in strategy. Additionally, some documents contain strategic analysis (Porter’s Five Forces, etc.).

Action

• Read through any of the following:
  • Corporate strategy document
  • Business unit strategy documents
  • Annual general reports
• Watch out for key future-looking words:
  • We will be…
  • We are planning to…

Overt Statements

• Corporate objectives and initiatives are often explicitly stated in these documents. Look for statements that begin with phrases such as “Our corporate objectives are…”
• Remember that different organizations use different terminology – if you cannot find the word “goal” or “objective” then look for “pillar,” “imperative,” “theme,” etc.
• Ask a business partner to assist if you need some help.

Covert, Outdated, and Non-Existent Statements

• Some corporate objectives and initiatives will be mentioned in passing and will require clarification, for example:
  “As we continue to penetrate new markets, we will be diversifying our manufacturing geography to simplify distribution.”
• Some corporate strategies may be outdated and therefore of limited use for understanding the state of business – validate the statement to ensure it is up to date.
• Some organizations lack a strategic plan altogether. Use stakeholder interviews to identify imperatives and validate conflicting statements before moving on.

Review financial documentation

Overview

Departmental budgets highlight the new projects that will launch in the next fiscal year. The overwhelming majority of these projects will have IT implications. Additionally, identifying where the department is spending money will allow you to identify business unit initiatives and operational change.

Action

• Scan budgets:
  • Look for large capital expenditures
  • Review operating costs
  • Review business cases submitted
• Look for abnormalities or changes:
  • What does an increase in spending mean?
  • Does IT need to change as a result?

Capital Budgets

• Capital expenditures are driven by projects, which map to corporate goals and initiatives.
• Look for large capital expenditures and cross-reference the outflows with any project plans that have been collected.
• If an expenditure cannot be explained by project plans, request additional information.

Operating Budgets

• Major changes to operating costs typically reflect changes to a business unit. Some of these changes affect IT capabilities and can be classified as corporate initiatives.
• Changes that should be classified as corporate initiatives are expansion or contraction of a labor force, outsourcing initiatives, and significant process changes.
• Changes that should not be classified as corporate initiatives are changes in third-party fees, consulting engagements, and changes caused by inflation or growth.

Analyze business frameworks to articulate context

1.6 2-4 hours

INPUT: Industry Research, Organizational Research, Analysis Templates

OUTPUT: PESTLE and SWOT Analysis

Materials: Computer or Whiteboards and Markers

Participants: IT Governance Redesign Owner

If corporate documents denoting the key components of the SoBC are not easily available, or do not provide all information required, refer to business analysis frameworks to discover internal and external trends that impact the mission, vision, strategic objectives, and state of the business.

1. Conduct a PESTLE Analysis
   The PESTLE analysis will support the organization in identifying external factors that impact the business. Keep watch for trends and changes in the industry.

Political

Economic

Social

Technological

Legal

Environmental

2. Conduct a SWOT Analysis
   The SWOT analysis will be more specific to the organization and the industry in which it operates. Identify the unique strengths, weaknesses, opportunities, and threats for your organization.

Strengths

Weaknesses

Opportunities

Threats

Conduct a PESTLE analysis

• Break participants into teams and divide the categories amongst them:
  • Political trends
  • Economic trends
  • Social trends
  • Technological trends
  • Legal trends
  • Environmental trends
• Have each group identify relevant trends under their respective categories. You must relate each trend back to the business by considering:
  • How does this affect my business?
  • Why do we care?
• Use the prompt questions on the next slide to help the brainstorming process.
• Have each team present its list and have remaining teams give feedback and additional suggestions.

Political. Examine political factors such as taxes, environmental regulations, and zoning restrictions.

Economic Examine economic factors such as interest rates, inflation rate, exchange rates, the financial and stock markets, and the job market.

Social. Examine social factors such as gender, race, age, income, disabilities, educational attainment, employment status, and religion.

Technological. Examine technological factors such as servers, computers, networks, software, database technologies, wireless capabilities, and availability of software as a service.

Legal. Examine legal factors such as trade laws, labor laws, environmental laws, and privacy laws.

Environmental. Examine environmental factors such as green initiatives, ethical issues, weather patterns, and pollution.

Download Info-Tech’s PESTLE Analysis Template to help get started.

Review these questions to help you conduct a PESTLE analysis

For each prompt below, always try to answer the question: how does this affect my business?

Political

• Will a change in government (at any level) affect your organization?
• Do inter-government or trade relations affect you?
• Are there shareholder needs or demands that must be considered?

Economical

• How are your costs changing (moving off-shore, fluctuations in markets, etc.)?
• Do currency fluctuations have an effect on your business?
• Can you attract and pay for top-quality talent (e.g. desirable location, reasonable cost of living, changes to insurance requirements)?

Social

• What are the demographics of your customers or employees?
• What are the attitudes of your customers or staff (do they require social media, collaboration, transparency of costs, etc.)?
• What is the general lifecycle of an employee (i.e. is there high turnover)?
• Is there a market of qualified staff?
• Is your business seasonal?

Technological

• Do you require constant technology upgrades (faster network, new hardware, etc.)?
• What is the appetite for innovation within your industry or business?
• Are there demands for increasing data storage, quality, BI, etc.?
• Are you looking at cloud technologies?
• What is the stance on “bring your own device”?
• Are you required to do a significant amount of development work in-house?

Legal

• Are there changes to trade laws?
• Are there changes to regulatory requirements, e.g. data storage policies or privacy policies?
• Are there union factors that must be considered?

Environmental

• Is there a push towards being environmentally friendly?
• Does the weather have any effect on your business (hurricanes, flooding, etc.)?

Conduct a SWOT analysis on the business

Break the group into two teams.

Assign team A internal strengths and weaknesses.

Assign team B external opportunities and threats.

• Have the teams brainstorm items that fit in their assigned grids. Use the prompt questions on the next slide to help you with your SWOT analysis.
• Pick someone from each group to fill in the grids on the whiteboard.
• Conduct a group discussion about the items on the list. Identify implications for IT and opportunities to innovate as you did for the other business and external drivers.

Download Info-Tech’s Business SWOT Analysis Template to help get started.

Review these questions to help you conduct your SWOT analysis on the business

Strengths (Internal)

• What competitive advantage does your organization have?
• What do you do better than anyone else?
• What makes you unique (human resources, product offering, experience, etc.)?
• Do you have location advantages?
• Do you have price, cost, or quality advantages?
• Does your organizational culture offer an advantage (hiring the best people, etc.)?

Weaknesses (Internal)

• What areas of your business require improvement?
• Are there gaps in capabilities?
• Do you have financial vulnerabilities?
• Are there leadership gaps (succession, poor management, etc.)?
• Are there reputational issues?
• Are there factors that are making you lose sales?

Opportunities (External)

• Are there market developments or new markets?
• Industry or lifestyle trends, e.g. move to mobile?
• Are there geographical changes in the market?
• Are there new partnerships or M&A opportunities?
• Are there seasonal factors that can be used to the advantage of the business?
• Are there demographic changes that can be used to the advantage of the business?

Threats (External)

• Are there obstacles that the organization must face?
• Are there issues with respect to sourcing of staff or technologies?
• Are there changes in market demand?
• Are your competitors making changes that you are not making?
• Are there economic issues that could affect your business?

Conduct brainstorming efforts to gain insights from key business stakeholders

INPUT: SoBC Template

OUTPUT: Completed SoBC

Materials: Computer, Phone, or Other Mechanism of Connection

Participants: CEO, CFO, COO, CMO, CHRO, and Business Unit Owners

There are two ways to gather primary knowledge on the key components of the SoBC:

1. Stakeholder Interviews
   Approach each individual to have a conversation about the key components of the SoBC. Go through the SoBC and fill it in together.
2. Stakeholder Survey
   In the case that you are in a very large organization, create a stakeholder survey. Input the key components of the SoBC into an online survey maker and send it off the key stakeholders.

Use the SoBC as the guide to both the interview and the survey. Be clear about the purpose of understanding the business context when connecting with key business stakeholders to participate in the brainstorming. This is a perfect opportunity to establish or develop a relationship with the stakeholders who will need to buy into the redesigned governance framework since it will involve and impact them significantly.

Go directly to the information source – the key stakeholders

Overview

Talking to key stakeholders will allow you to get a holistic view of the business strategy. You will be able to ask follow-up questions to get a better understanding of abstract or complex concepts. Interviews also allow you to have targeted discussions with specific stakeholders who have in-depth subject-matter knowledge.

Action

• Talk to key stakeholders:
  • Structure focused, i.e. CEO or CFO
  • Customer focused, i.e. CMO or Head of Sales
  • Operational focused, i.e. COO
  • Lower-level employees or managers
• Listen for key pains that IT could alleviate.

Overcome the Unstructured Nature of Interviews

• Interviewees will often explicitly state objectives and initiatives.
• However, interviews are less formal and less structured than objective-oriented strategy documents. Objectives are often stated using informal language.
  “We’re talking rev gen here. That’s the name of the game. If we can get a foothold in India, there’s huge upside potential.” (VP Marketing)
• Further analysis might translate this into a corporate imperative: increase revenue by growing our market share in India to 8% by January of next year.
• If an imperative is unclear, ask the stakeholder for more detail.
• Understand how key stakeholders evaluate, direct, and monitor their own areas of the business; this will give you insight as to their style.

Receive final sign-off to proceed with developing the IT governance redesign

Document any project assumptions or constraints. Before proceeding with the IT governance activities, validate the statement of business context with senior stakeholders. When consensus has been reached, have them sign the final page of the document.

How to ensure sign-off:

• Schedule a meeting with the senior stakeholders and conduct a review of the document. This meeting presents a great opportunity to deliver your interpretation of management expectations and make any modifications.
• Obtaining stakeholder approval in person ensures there is no miscommunication or misunderstandings around the tasks that need to be accomplished to develop a successful IT governance.
• This is an iterative process; if senior stakeholders have concerns over certain aspects of the document, revise and review again.
• Final sign-off should only take place when mutual understanding has been reached.

Download the SoBC Template and complete for final approval.

Info-Tech Tip

In most circumstances, you should have the SoBC validated with the following stakeholders:

• CIO
• CEO
• CFO
• Business Unit Leaders

Understand the business context to set the foundation for governance redesign

CASE STUDY

Industry: Healthcare
Source: Info-Tech

Challenge

The new business direction to become an integrator shifted focus to faster software iteration and on enabling integration and translation technologies, while moving away from creating complete, top-to-bottom IT solutions to be leveraged by clinicians and patients.

Internal to the IT organization, this created a different in perspective on what was important to prioritize: foundational elements, web services, development, or data compliance issues. There was no longer agreement on which initiatives should move forward.

Solution

A series of mandatory meetings were held with key decision makers and SMEs within the organization in order to re-orient everyone on the overall purpose, goals, and outcomes of the organization.

All attendees were asked to identify what they saw as the mission and vision of the organization.

Finally, clinicians and patient representatives were brought in to describe how they were going to use the services the organization was providing and how it would enable better patient outcomes.

Results

Identifying the purpose of the work the IT organization was doing and how the services were going to be used realigned the different perspectives in the context of the healthcare outcomes they enabled.

This activity provided a unifying view of the purpose and the state of the business. Understanding the business context prepared the organization to move forward with the governance redesign.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1		Identify Relevant Stakeholders Build a list of relevant stakeholders and identify their position on the stakeholder power map.
1.4		Communication Plan Build customized communication plans to engage the key stakeholders in IT governance redesign.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

1.7		Gather Business Information Review business documents, leverage business analysis tools, and brainstorm with key executives to document the Statement of Business Context.
1.8		Finalize the Statement of Business Context Get final approval and acceptance on the Statement of Business Context that will guide your redesign.

Improve IT Governance to Drive Business Results

PHASE 2

Assess the Current Governance Framework

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Assess the Current Governance Framework

Proposed Time to Completion: 2 weeks

Phase 2: Assess the Current Governance Framework

Activities:

• 2.1 Create Committee Profiles
• 2.2 Build a Governance Structure Map
• 2.3 Establish Governance Guidelines

Outcomes:

• Use the Current State Assessment of IT Governance to determine governance guidelines.

Info-Tech Insight

Don’t be passive; take action! Take an active approach to revising your governance framework. Understand why you are making decisions before actually making them.

Explore the current governance that exists within your organization

Your current governance framework will give you a strong understanding of the way the key stakeholders in your business currently view IT governance.

Leverage this understanding of IT governance to determine where governance is occurring and how it transpires.

Conduct a current state assessment

Use this tool to critically assess each governing body to determine the areas of improvement that are necessary in order to achieve optimal business results.

1. Identify All Governing Bodies
   Some bodies govern intentionally, and some govern through habit and practice. Outline all bodies that take on an element of governance.
2. Create a Governance Structure Map
   Configure the structural relationships for the governing bodies using the structure map.
3. Reveal Strengths and Weaknesses
   Identify the strengths and weaknesses of the governance structure, authority definitions, processes, and membership.
4. Establish Governance Guidelines
   Based on the SoBC, express clear and applicable guidelines to improve on the weaknesses while retaining the strengths of your governance framework.

Download the Current State Assessment of IT Governance to work toward these outcomes

Conduct a current state assessment to identify governance guidelines

How to use the Current State Assessment of IT Governance deliverable: Follow the steps below to create a cohesive understanding of the current state of IT governance and the challenges that the current system poses.

What makes up the “governance framework”?

There are four major elements of the governance framework:

1. Structure
   Structural relationships are shown by mapping the connections between committees.
2. Authority
   Each committee will have a purpose and area of decision making that it is accountable for.
3. Process
   The process includes the inputs, outputs, and activities required for the committee to function.
4. Membership The individuals or roles who sit on each committee. Take into account members’ knowledge, capability, and political influence.

Create governing board or committee profiles

Part A – Committee Profiles

1. Identify Governing Bodies

   Establish where governance happens and who is governing. For different organizations, the governance framework will contain a variety of governing bodies or people. Use a list format to identify governing bodies that exist in your organization.

2. Leverage Committee Templates

   Use the templates provided. Create a profile for each governing body that currently operates in your IT governance framework as listed in step 1.

3. Create Committee Profiles

   Identify what they are governing and how they are governing.
   Using the profiles created in step 2, identify each body’s membership roles, purpose, decision areas, inputs, and outputs. Refer to the example text in the template to guide you, but feel free to adjust the text to reflect the reality of your governing body.
   Consider the following domains of governance:
   (refer to Executive Brief)
   • Benefits realization
   • Risks
   • Resources
   Refer to our examples for some common governing bodies.

Consistently define the components of governance in the committee profiles

Membership

Membership Roles
Insert information here that reflects who the individuals are that sit on that governing body and what their role is. Include other important information about the individuals’ knowledge, skills, or capabilities that are relevant.

Authority

Purpose
Define why the committee was established in the first place.

Decision Areas
Explain the specific areas of decision making this group is responsible for overseeing.

Process

Inputs
Consider the information and materials that are needed to make decisions.

Outputs
Describe the outcomes of the committee. Think about decisions that were made through the governance process.

Map out relationships on the Governance Map

Part B – Structure Map

Structure

1. Assess Inputs and Outputs

   Governing Bodies	Inputs	Outputs
   Committee #1
   Committee #2
   Committee #3
   CFO
   IT Director
   CIO

   To understand relationships between governing bodies, list the inputs and outputs for each unique committee that rely on other committees in the table provided.
2. Create Structure Map
   Using the outline provided, create your own governance structure map to represent the way the governing bodies interact and feed into each other. This is crucial to ensure that the governing structure is streamlined. It will ensure that communication occurs efficiently and that there are no barriers to making decisions swiftly.

Outline the governance structure in the governance structure map

Identify strengths and weaknesses of the governance framework

Part C – Governance Guidelines

1. Choose Business State Template Choose the template that represents the identified future state of business in the Statement of Business Context.
2. Identify Strengths and Weaknesses Input the major strengths and weaknesses of your governance that were highlighted in the brainstorming activity.
3. Establish Governance Guidelines Draw your own implications from the strength and weaknesses that will drive the design of your governance in its future state. These guidelines should be concise and easy to implement. Note: Refer to the example guidelines in the Current State Assessment of IT Governance after you have considered your own specific guidelines. The examples are supplementary for your convenience.

Distinguish your business state from the others to ensure implications act as accurate guidelines

Business State Options

Identify strengths and weaknesses of the governance framework

2.3 2 hours

INSTRUCTIONS

1. Input Strengths of Governance
   Include useful components of the current framework; that may include elements that are operating well, fit the future state, or are required due to regulations or statutes.
2. Determine Weaknesses and Challenges
   Discuss the pain points of the current governance framework by looking through the lenses of structure, authority, process, or membership.

Consider:

• Where is governance not meeting expectations?
• Are we doing the right things?
• Are we getting the benefits?
• What are the outcomes?
• What do we want to achieve?
• How do we make intelligent decisions about what will help us achieve those outcomes?

Derive governance implications from strengths and weaknesses

2.3 2-4 hours

INSTRUCTIONS

1. Copy and paste your strengths and weaknesses from part B into the template that reflects your business state.
2. Draw your own implications from the strengths and weaknesses that will drive the design of your governance in its future state. These guidelines should be concise and practical.

Note: Use the examples of guidelines provided in the Current State Assessment of IT Governance to help formulate your own.

Conduct a current state assessment to identify guidelines for the future state of governance

CASE STUDY

Industry: Healthcare
Source: Anonymous

Challenge

Over time, the organization had to create a large amount of governing committees and subcommittees in order to comply with governance frameworks applied to them and to meet regulatory compliance requirements.

The current structure was no longer optimal to meet the newly identified mandate of the organization. However, the organization did not want to start from scratch and scrap the elements that worked, such as the dates and times that had been embedded into the organization.

Solution

A current state assessment was planned and executed in order to review what was currently being done and identify what could be retained and what should be added, changed, or removed to improve the governance outcomes.

The scope involved examining how current and near-term governance needs were, or were not, met through the existing structure, bodies, and their processes.

The organization investigated governance approaches of organizations with similar governance needs and with similar constraints to model their own.

Results

The outputs of this exercise included:

• A list of effective practices and committee guidelines that could be leveraged with little to no change in the future state.
• A list of opportunities to streamline the structure and processes.

These guidelines were used to drive recommendations for improvements to the governance structures and processes in the organization.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

2.1		Create Current State Structure and Profiles Take the time to clearly articulate the current governance framework of your organization. Outline the structure and build the committee profiles for the governing bodies in your organization.
2.3		Determine Strengths, Weaknesses, and Guidelines Evaluate the strengths of your governance framework, the weaknesses that it exhibits, and the guidelines that will help maintain the strengths and alleviate the pains.

Improve IT Governance to Drive Business Results

PHASE 3

Redesign the Governance Framework

Phase 3 Guided Implementation

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Redesign the Governance Framework

Proposed Time to Completion: 4 weeks

Phase 3: Redesign the Governance Framework

Activities:

• 3.1 Build a Governance Structure Map
• 3.2 Create Committee Profiles
• 3.3 Leverage Process-Specific Governance Blueprints

Outcomes:

• Use the Future State Design for IT Governance template to build the optimal governance framework for your organization.

Info-Tech Insight

Keep the current and future goals in sight to build an optimized governance framework that maintains the minimum bar of oversight required.

Anticipate the outcomes of the Future State Design for IT Governance tool

Use this tool to guide your organization toward transformative outcomes gleaned from an optimized governance framework.

1. Implement Structural Guidelines
   Determine what governing bodies to add, change, or remove from your governance structure.
2. Create a Governance Structure Map
   Configure the structural relationships for the redesigned governing bodies using the structure map.
3. Build Effective Committees
   Use the IT Governance Terms of Reference to build profiles for each newly created committee and to alter any existing committees.
4. Determine Follow-up Governance Support
   Access external material on governance from other Info-Tech blueprints that will help with specific governance areas.

Download the Future State Design for IT Governance template to work toward these outcomes.

Use the Future State Design for IT Governance tool to create a custom governance framework for your organization

How to use the Future State Design for IT Governance deliverable: Follow the steps below to redesign the future state of IT governance. Use the guidelines to respond to challenges identified in the current governance framework based on the current state assessment.

Connect key learnings to initiate governance redesign

The future state design will reflect the state of business that was identified in Phase 1 along with the guidelines defined in Phase 2 to build a governance framework that promotes business-IT fusion.

Use structure and authority guidelines to build a new governance structure map

3A.1 Redesign the governance frameworks

Part A – Structure Map

Structure	Authority
1a. Structural Guidelines	1b. Authority Guidelines
Input the guidelines from the current state assessment to guide the redesign.
2. Leverage Guiding Questions Use the guiding questions provided to assess the needed changes.
Guiding Questions Do governing bodies operate at a tier that matches the guidelines?	Do governing bodies focus on the decisions that align with the guidelines?
Build the “where/why” of governance. Consider at what tier each committee will reside and what area of governance will be part of its domain. Modify the current structure; do not start from scratch.
3. Add / Change (Tier/Authority) / Remove
Determine changes to structure or authority that will be occurring for each of the current governing bodies. Work within the current structure as much as possible.
4. Use the Structure Map to Show Redesign
Create your own governance structure map to represent the way the governing bodies interact and feed into each other.

Maintain as much of the existing framework as possible in the redesign

3.1 2-4 hours

Future State Design

• Structure
• Authority

Info-Tech Best Practice

Keep the number of added or removed committees as low as possible, while still optimizing. The less change to the structure, the easier it will be to implement.

Refer to the example to help guide your committee redesign.

Determine:
1. Do the guidelines impact committees you already have? Will you have to modify the tier or the authority of those committees?
2. Do the guidelines require you to build a new committee to meet needs?
3. Do the guidelines require you to remove a committee that isn’t necessary?

Outline the new governance structure in the governance structure map in the Future State Design for IT Governance tool

Use process and membership guidelines along with the IT Governance Terms of Reference to build committees

Part B – Committee Profiles

Process	Membership
1a. Process Guidelines	1b. Authority Guidelines
Input the guidelines from the current state assessment to guide the redesign.
2. Leverage Guiding Questions Use the guiding questions provided to assess the needed changes.
Guiding Questions Do the process inputs and outputs reflect the structure and authority guidelines?	Do governing bodies engage the right people who have the roles, capacity, and knowledge to govern?
Build the “what/how” of governance. Build out the process and procedures that each committee will use.
3. Adapt / Refine Governing Body Profiles Using your customized guidelines, create a profile for each committee.
We have provided templates for some common committees. To make these committee profiles reflective of your organization, use the information you have gathered in your Current State Assessment of IT Governance guidelines. For a more detailed approach to building out specific charters for each committee refer to the IT Governance Terms of Reference.

Use the IT Governance Terms of Reference to establish operational procedures for governing bodies

3.2 3-6 hours

Future State Design

• Process
• Membership

Info-Tech Best Practice

The people on the committee matter. Governance committee membership does not have to correspond with the organizational structure, but it should correspond with the purpose and decision areas of the governance structure.

Refer to the example to help guide your committee redesign.

Determine:
1. Do the guidelines alter the members needed to achieve the outcomes?
2. Do the guidelines change the purpose and decision areas of the committee?
3. How do the new structure’s guidelines impact the inputs and outputs of the governing body?

Add depth to the committee profiles using the IT Governance Terms of Reference

Refer to the sections outlined below to build a committee charter for your governance committees. Four examples are provided in the tool and can be edited for your convenience. They are: Executive Management Committee, IT Steering Committee, Portfolio Review Board, and Risk and Compliance Committee.

1. Purpose
2. Goals
3. Responsibilities
4. Committee Members
5. RACI
6. Procedures
7. Agenda

Be sure to embed the domains of governance in the charters so that committees focus on the appropriate elements of benefits realization, risk optimization, and resource optimization.

Download the IT Governance Terms of Reference for more in-depth committee charters.

Three pillars of planning effective governance meetings

The effectiveness of the governance is reliant on the ability to work within operational dependencies that will exist in the governance framework. Consider these questions to guide the duration, frequency, and sequencing of your governing body meetings.

Frequency What is the quantity of decisions that must be made? Is a rapid or urgent response typically required? Duration How long should your meeting run based on your meeting frequency and the volume of work to be accomplished? Sequencing Are there other decisions that rely on the outcomes of this meeting? Are there any decisions that must be made first for others to occur?

Leverage process-specific governance blueprints

If there are specific areas of IT governance that you require further support on, refer to Info-Tech’s library of DIY blueprints, Guided Implementations, and workshops for further support. We cover IT governance in the following areas:

Enterprise Architecture Governance	Service Portfolio Governance	Security Governance

Consider the challenges and solutions when identifying a multi-state reality for your business state

A multi-state business will face unique challenges in navigating the redesign process with the goal of combining all related business states in governance.

1. Divergent Governance Models
   Separate the governance groups that need to function differently, and bring them back together at the highest level.
2. Reflecting the Organizational Structure
   Unlike single-state governance, multi-state organizations should model the governance framework in reflection of the organizational structure.
3. Combining Implications
   Prioritize which implications are the most important and make sure they work first, then see what else fits (e.g. start with regulation, then insert lean guidelines).

The multi-state business will not fit into one “box” – consider implications from the overlapping business states.

As business needs change, ensure that you establish triggers to reassess the design of your governance framework.

Leverage the outcomes of the Current State Assessment and Statement of Business Context to build the future state

CASE STUDY

Industry: Healthcare
Source: Info-Tech

Challenge

Identifying the committees and processes that should be in place in the target state required a lot of different inputs.

A number of high-profile senior management team members were still resistant to the overall idea of applying governance to their initiatives since they were clinician driven.

The approach and target state, including the implementation plan, had to be approved and built out.

Solution

The information pulled together from the current state assessment, including best practices and jurisdictional scans, were tied together with the updated mandate and future state, and a list of recommended improvements were documented.

The improvements were presented to the optimization committee and the governance committee members to ensure agreement on the approach and confirm the timeline for agreed improvements.

Results

A future state mapping of the new committee structure was created, as well as the revised membership requirements, responsibilities, and terms of reference.

The approved recommendations were prioritized and turned into an implementation plan, with each improvement being assigned an owner who would be responsible for driving the effort to completion.

Integration points in other processes, like SDLC, where change would be required were highlighted and included in the implementation plan.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

3.1		Redesign the Governance Structure Identify committees that need to be added, ones that must be changed, and the no-longer-needed governing bodies in an optimized and streamlined structure. Draw it out in the governance structure map.
3.2		Redesign the Governing Bodies Use the IT Governance Terms of Reference and the Committee Template to build a committee profile for each governing body identified. Use these activities to build out and establish the processes of the modified governing groups.

Improve IT Governance to Drive Business Results

PHASE 4

Implement Governance Redesign

Phase 4 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 4: Implement Governance Redesign

Proposed Time to Completion: 2-3 weeks

Phase 4: Implement Governance Redesign

Activities:

• 4.1 Identify Next Steps for the Redesign
• 4.2 Establish a Communication Plan
• 4.3 Lead the Executive Presentation

Outcomes:

• Rationalize steps in the Implementation Plan tool.
• Construct an executive presentation to facilitate transparency for the governing framework.

Anticipate and overcome implementation obstacles for the redesign

Often high-level organizational changes create challenges. We will help you break down the barriers to optimal IT governance by addressing key obstacles.

Info-Tech Insight

Don’t overlook the politics and culture of your organization while redesigning your governance framework.

Create an implementation roadmap to organize a plan for the redesign

4A Create an implementation and communication plan

INSTRUCTIONS

1. Identify Tasks
   Decide on the order of tasks for your implementation plan. Consider the dependencies of actions and plan the sequence accordingly.
2. Determine Communication Method
   Identify the most appropriate and impactful method of communicating at each milestone identified in step 1.

Download the IT Governance Implementation Plan to organize your customized implementation and communication plan.

Outline next steps for governance redesign

4.1

INPUT: Tasks Identified in the Future State Design

OUTPUT: Identified Tasks for Implementation as Well as the Audience

Materials: N/A

Participants: IT Governance Redesign Owner

INSTRUCTIONS

Keep these questions in mind as you analyze and assess what steps to take first in the redesign implementation.

1. What needs to happen?
   Use the identified changes from the redesign as your guiding list of tasks that need to occur. If they are larger tasks, break them down into smaller parts to make the milestones more achievable.
2. What are the dependencies?
   Throughout the implementation of the redesign, certain tasks will need to occur to enable other tasks to be performed. Make sure to clearly identify what dependencies exist in the implementation process and clearly identify the order of the tasks.
3. Who do the changes impact?
   Consider the groups and individuals that will be impacted by changes to the governance framework. This includes key business stakeholders, IT leaders, members of governing boards, and anyone who provides an input or requires an output from one of the committees.

Use a big-bang approach to implement the IT governance redesign

While there are other methods to implementing change, the big-bang approach is the most effective for governance redesign and will maintain the momentum of the change as well as the support needed to make it successful.

Phased	Parallel	Big Bang
Implementation of redesign occurs in steps over a significant period of time.	Components of the redesign are brought into the governance framework, while maintaining some of the old components.	Implementation of redesign occurs all at once. This requires significant preparation.
Some committees will be operating under a new structure while others are not, which will undermine the changes being made. This method proliferates a lack of transparency and trust.	Releasing IT governance in parallel leads to members sitting on too many boards and spending too much time on governance. There will be a lack of clarity on a committee’s authority.	This approach will lead to consistency and transparency in the new process. The change will be clear and fully embedded in the organization with stronger boundaries and well-defined expectations.

Determine the most effective and impactful communication mediums for relevant stakeholders

4.2 1 hour

INSTRUCTIONS

1. Consider the Individual or Group
   Consider the group and individuals identified in step 4.1. Determine the most appropriate mechanism for communicating with that person or group. Keep in mind: If they are local, how much influence they have and if they are already engaged in the redesign process.
2. Consider the Message
   The type of message that you are communicating will vary in impact and importance depending on the task. Make sure that the communication medium reflects your message. Keep in mind: If the you are communicating an important or more personal issue, the medium should be more personal as well.

Communicate the changes that result from the redesign

Plan the message first, then deliver it to your stakeholders through the most appropriate medium to avoid message avoidance or confusion.

Communication Medium

Face-to-Face Communication

Face-to-face communication helps to ensure that the audience is receiving and understanding a clear message, and allows them to voice their concerns and clarify any confusion or questions.

• Use one-on-one meetings for key stakeholders and large organizational meetings to introduce large changes in the redesign.

Emails

Use email to communicate information to broad audiences. In addition, use email as the mass feedback mechanism.

• Use email to follow up on meetings, or to invite people to next ones, but not as the sole medium of communication.

Internal Website or Drive

Use an internal website or drive as an information repository.

• Store meeting minutes, policies, procedures, terms of reference, and feedback online to ensure transparency.

Message Delivery

1. Plan Your Message
   Emphasize what the audience really needs to know and how the change will impact them.
2. Test Your Message
   If possible, test your communications with a small audience (2-3 people) first to get feedback and adjust messages before delivering them more broadly.
3. Deliver and Repeat Your Message
   “Tell them what you’re going to tell them, then tell them, then tell them what you told them.”
4. Gather Feedback and Evaluate Communications
   Evaluate the effectiveness of the communications (through surveys, stakeholder interviews, or metrics) to ensure the message was delivered and received successfully and communication goals were met.

Construct an executive presentation to facilitate transparency for the governing framework

4B Present the redesign to the key business stakeholders

INSTRUCTIONS

1. Identify Stakeholders
   Determine which business stakeholders have been the most involved in the redesign process.
2. Customize Presentation
   Use the deliverables that you have built throughout this redesign to communicate the changes to the structure, authority, processes, and memberships in the governance framework.
3. Present to Executives
   Present the executive presentation to the key business stakeholders who have been involved in the redesign process.

Info-Tech best Practice

Use the Executive Presentation customizable deliverable to lead a boardroom-quality presentation outlining the process and outcomes of the IT governance redesign.

Present the executive presentation

4.3 1 hour

INSTRUCTIONS

1. Input SoBC Outcomes
   Input the outcomes of the SoBC. Specify the state of the business you have identified through the process of Phase 1.
2. Input Current State Framework and Guidelines
   Input the outcomes of the current state assessment. Explain the process you used to identify the current governance framework and how you determined the strengths, weaknesses, and guidelines.
3. Input Redesigned Governance Framework
   Input the governance redesign outcomes. Explain the process you used to modify and reconstruct the governance framework to drive optimal business results. Show the new structure and committee profiles.

Use the Redesign IT Governance to Drive Optimal Business Results Executive Presentation Template for more information.

Implement the governance redesign to optimize governance and, in turn, business results

CASE STUDY

Industry: Healthcare
Source: Info-Tech

Challenge

Members of the project management group and in the larger SDLC process identified a lack of clarity on how to best govern active projects and initiatives that were moving through the governance process during the changes to the governance framework.

These projects had already begun under the old frameworks and applying the redesigned governance framework would lead to work duplication and wasted time.

Solution

The organization decided that instead of applying the redesign to all initiatives across the organization, it would only be applied to new initiatives and ones that were still working within the first part of the “gating” process, where revised intake information could still be provided.

Active initiatives that fell into the grandfathered category were identified and could proceed based on the old process. Yet, those that did not receive this status were provided carry-over lead time to revise their documentation during the changes.

Results

The implementation plan and timeframes were approved and an official change-over date identified.

A communication plan was provided, including the grandfathered approach to be used with in-flight initiatives.

A review cycle was also established for three months after launch to ensure the process was working as expected and would be repeated annually.

The revised process improved the cycle time by 30% and improved the ability of the organization to govern high-speed requests and decisions.

Summary of accomplishment

Insights

• IT governance requires business leadership.
  Instead of IT managing and governing IT, engage business leaders to take responsibility for governing IT.
• With great governance comes great responsibility.
  Involve relevant business leaders, who will be impacted by IT outcomes, to share governing authority of IT.
• Establish IT-business fusion.
  In governance, alignment is not enough. Merge IT and the business through governance to ensure business success.

Knowledge Gained

• There must be an active understanding of the current and future state of the business for governance to address the changing needs of the business.
• Take a proactive approach to revising your governance framework. Understand why you are making decisions before actually making them.
• Keep the current and future goals in sight to build an optimized governance framework that maintains the minimum bar of oversight required.

Processes Optimized

• EDM01 – Establishing a Governance Framework
• Understanding the four elements of governance:
  • Structure
  • Authority
  • Process
  • Members
• Embedding the benefits realization criteria, risk optimization, and resource optimization in governance.

Deliverables Completed

• Statement of Business Context
• Current State Assessment of IT Governance
• Future State Design for IT Governance
• IT Governance Implementation Plan

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

Book a workshop with our Info-Tech analysts:

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop. Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

4.1		Build and Deploy the Implementation Plan Construct a list of tasks and consider the individuals or groups that those tasks will impact when implementing the governance redesign. Ensure consistent and transparent communication for successful outcomes.
4.3		Build the Executive Presentation Insert the state of business, current state, and future state design outcomes into a presentation to inform the key business stakeholders on the process and outcomes of the governance redesign.

Research contributors and experts

Deborah Eyzaguirre, IT Business Relationship Manager, UNT System

Herbert Kraft, MIS Manager, Prairie Knights Casino

Roslyn Kaman, CFO, Miles Nadal JCC

Nicole Haggerty, Associate Professor of Information Systems, Ivey Business School

Chris Austin, CTO, Ivey Business School

Adriana Callerio, IT Director Performance Management, Molina Healthcare Inc.

Joe Evers, Consulting Principal, JcEvers Consulting Corp

Huw Morgan, IT Research Executive

Joy Thiele, Special Projects Manager, Dunns Creek Baptist Church

Rick Daoust, CIO, Cambrian College

Related Info-Tech Research

• Establish an Effective IT Steering Committee
  Have the right people making the right decisions to drive IT success.

Bibliography

A.T. Kearney. “The 7 Habits of Highly Effective Governance.” A.T. Kearney, 2008. Web. Nov. 2016.

Bertolini, Phil. “The Transformational Effect of IT Governance.” Government Finance Review, Dec. 2012. Web. Nov. 2016.

CGI. “IT Governance and Managed Services – Creative a win-win relationship” CGI Group Inc., 2015. Web. Dec. 2016.

De Haes, Steven, and Wim Van Grembergen. “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research.” Communications of the Association for Information Systems: Vol. 22 , Article 24. 2008. Web. Nov. 2016.

Deloitte LLP. “The Role of Senior Leaders in IT Governance.” The Wall Street Journal, 22 Jun. 2015. Web. Oct. 2016.

Dragoon, Alice. “Four Governance Best Practices.” CIO From IDG, 15 Aug. 2003. Web. Dec. 2016.

du Preez, Gert. “Company Size Matters: Perspectives on IT Governance.” PricewaterhouseCoopers, Aug. 2011. Web. Nov. 2016.

Hagen, Christian, et. al. “Building a Capability-Driven IT Organization.” A.T. Kearney, Jun. 2011. Web. Nov. 2016.

Heller, Martha. “Five Best Practices for IT Governance.” CFO.com, 27 Aug. 2012. Web. Oct. 2016.

Hoch, Detlev, and Payan, Miguel. “Establishing Good IT Governance in the Public Sector.” McKinsey Dusseldorf, Mar. 2008. Web. Oct. 2016.

Horne, Andrew, and Brian Foster. “IT Governance Is Killing Innovation.” Harvard Business Review, 22 Aug. 2013. Web. Dec. 2016.

ISACA. “COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

IT Governance Institute. “An Executive View of IT Governance.” IT Governance Institute, in association with PricewaterhouseCoopers. 2009. Web. Nov. 2016.

Bibliography continued

IT Governance Institute. “IT Governance Roundtable: Defining IT Governance.” IT Governance Institute, 2009. Web. Nov. 2016.

Macgregor, Stuart. “The linchpin between Corporate Governance and IT Governance.” The Open Group’s EA Forum Johannesburg and Cape Town, Nov. 2013. Web. Nov. 2016.

Mallette, Debra. “Implementing IT Governance An Introduction.” ISACA San Francisco Chapter, 23 Sep. 2009. Web. Oct. 2016.

Massachusetts Institute of Technology. “IT Governance Introduction.” MIT Centre for Information System Research, 2016. Web. Nov. 2016.

Mueller, Lynn, et. al. “IBM IT Governance Approach – Business Performance through IT Execution.” IBM Redbooks, Feb. 2008. Web. Nov. 2016.

National Computing Centre. “IT Governance: Developing a successful governance strategy.” The National Computing Centre, Nov. 2005. Web. Oct. 2016.

Pittsburgh ISACA Chapter. “Practical Approach to COBIT 5.0.” Pittsburgh ISACA Chapter, 17 Sep. 2012. Web. Nov. 2016.

PricewaterhouseCoopers. “Great by governance: Improve IT performance and Value While Managing Risks.” PricewaterhouseCoopers, Nov. 2014. Web. Dec. 2016.

PricewaterhouseCoopers. “IT Governance in Practice: Insights from leading CIOs.” PricewaterhouseCoopers, 2006. Web. Nov. 2016.

Routh, Richard L. “IT Governance Part 1 of 2.” Online video clip. YouTube. The Institute of CIO Excellence, 01 Aug. 2012. Web. Nov. 2016.

Salleh, Noor Akma Mohd, et. al. “IT Governance in Airline Industry: A Multiple Case Study.” International Journal of Digital Society, Dec. 2010. Web. Nov. 2016.

Bibliography continued

Speckert, Thomas, et. al. “IT Governance in Organizations Facing Decentralization – Case Study in Higher Education.” Department of Computer and Systems Sciences. Stockholm University, 2014. Web. Nov. 2016.

Thorp, John. The Information Paradox—Realizing the Business Benefits of Information Technology. Revised Edition, McGraw Hill, 2003 (written jointly with Fujitsu).

Vandervost, Guido, et. al. “IT Governance for the CxO.” Deloitte, Nov. 2013. Web. Nov. 2016.

Weill, Peter, and Jeanne W. Ross. “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results.” Boston: Harvard Business School, 2004. Print. Oct. 2016.

Wong, Daron, et. al. “IT Governance in Oil and Gas: CIO Roundtable, Priorities for Surviving and Thriving in Lean Times.” Online video clip. YouTube. IT Media Group, Jun. 2016. Web. Nov. 2016.

Enterprise Storage Solution Considerations

Narrow your focus with the right product type and realize efficiencies.

Analyst Perspective

The vendor landscape is continually evolving, as are the solutions they offer. The options and features are increasing and appealing.

To say that the current enterprise storage landscape looks interesting would be an understatement. The solutions offered by vendors continue to grow and evolve. Flash and NVMe are increasing the speed of storage media and reducing latency. Software-defined storage is finding the most efficient use of media to store data where it is best served while managing a variety of vendor storage and older storage area networks and network-attached storage devices. Storage as a service is taking on a new meaning with creative solutions that let you keep the storage appliance on premises or in a colocated data center while administration, management, and support are performed by the vendor for a nominal monthly fee. We cannot discuss enterprise storage without mentioning the cloud. Bring a thermometer because you must understand the difference between hot, warm, and cold storage when discussing the cloud options. Very hot and very cold may also come into play. Storage hardware can assume a higher total cost of ownership with support options that replace the controllers on a regular basis. The options with this type of service are also varied, but the concept of not having to replace all disks and chassis nor go through a data migration is very appealing to many companies. The cloud is growing in popularity when it comes to enterprise storage, but on-premises solutions are still in demand, and whether you choose cloud or on premises, you can be guaranteed an array of features and options to add stability, security, and efficiency to your enterprise storage. P.J. Ryan Research Director, Infrastructure & Operations Info-Tech Research Group

Executive Summary

Info-Tech Insight

Enterprise storage has evolved, with more options than ever

Data is growing, data security will always be a concern, and vendors are providing more and more options for enterprise storage.

“By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!” (Visual Capitalist)

“Modern criminal groups target not only endpoints and servers, but also central storage systems and their backup infrastructure.” (Continuity Software)

Cloud or on premises? Maybe a hybrid approach with both cloud and on premises is best for you. Do you want to remove the headaches of storage administration, management, and support with a fully managed storage-as-a-service solution? Would you like to upgrade your controllers every three or four years without a major service interruption? The options are increasing and appealing.

High-Level Considerations

1. Understand Your Data

Understand how much data you have and where it is located. This will be crucial when evaluating enterprise storage solutions.

2. Plan for Growth

Your enterprise storage considerations should include your data needs now and in the future.

3. Understand the Mechanics

Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

Storage formats, disk drives, and technology

Common data storage formats, technology, and drive types are outlined below. Understanding how data is stored as well as the core building blocks for larger systems will help you decide which solution is best for your storage needs.

Narrow your focus with the right product type

On-premises enterprise storage solutions fit into a few distinct product types.

Cloud storage

• Cloud storage is online storage offered by a cloud provider. Cloud storage is available almost anywhere and is set up with high availability features such as data duplication, redundancy, backup, and power failure protection.
• Cloud storage is very scalable and typically is offered as object storage, block storage, or file storage. Cloud storage vendors may have their own naming scheme for object, block, or file storage.
• Cloud-hosted data is marketed according to the frequency of access and length of time in storage. There are typically three main levels of storage: hot, warm, or cold. Vendors may have their own naming convention for hot, warm, and cold storage. Some may also add more layers such as very hot or very cold.
  • Hot storage is for data that is frequently accessed and modified. It is available on demand and is the most costly of the storage levels.
  • Cold storage is for data that will sit for a long period of time and not need to be accessed. Cold storage is usually only available after several hours or days. Cold storage is very low cost and, in some cases, even free, but retrieval or restoration for the free services can be costly.
  • Warm storage sits in between hot and cold storage. It is for data that is infrequently needed. The cost of warm storage is also in between hot and cold storage costs, and access times are measured in terms of minutes or hours.
  • It is not uncommon for data to start in hot storage and, as it ages, move to warm and eventually cold storage.

“Enterprise cloud storage offers nearly unlimited scalability. Enterprises can add storage quickly and easily as it is needed, eliminating the risk and cost of over-provisioning.”

– Spectrum Enterprise

“Hot data will operate on fresh data. Cold data will operate on less frequent data and [is] used mainly for reporting and planning. Warm data is a balance between the two.”

– TechBlost

Enterprise storage features

The features listed below, while not intended to cover all features offered by all vendors, should be considered and could act as a baseline for discussions with storage providers when evaluating enterprise storage offerings.

What’s new in enterprise storage

• Data warehouses are not a new concept, but the data storage evolution and growth of data means that data lakes and data lakehouses are growing in popularity.
  • “A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You can store your data as-is, without having to first structure the data” (Amazon Web Services).
  • Analytics with a data lake is possible, but manipulation of the data is hindered due to the nature of the data. A data lakehouse adds data management and analytics to a data lake, similar to the data warehouse functionality added to databases.
• Options for on-premises hardware support is changing.
  • Pure Storage was the first to shake up the SAN support model with its Evergreen support option. Evergreen//Forever support allows for storage controller upgrades without having to migrate data or replace your disks or chassis (Pure Storage).
  • In response to the Pure Storage Evergreen offering, Dell, HPE, NetApp, and others have come out with similar programs that offer controller upgrades while maintaining the data, disks, and chassis.
• “As a service” is available as a hybrid solution.
  • Storage as a service (STaaS) originally referred to hosted, fully cloud-based offerings without the need for any on-premises hardware.
  • The latest STaaS offerings provide on-premises or colocated hardware with pay-as-you-go subscription pricing for data consumption. Administration, management, and support are included. The vendor will supply support and manage everything on your behalf.
  • Most of the major storage vendors offer a variation of storage as a service.

“Because data lakes mostly consist of raw unprocessed data, a data scientist with specialized expertise is typically needed to manipulate and translate the data.”

– DevIQ

“A Lakehouse is also a type of centralized data repository, integrated from heterogeneous sources. As can be expected from its name, It shares features with both datawarehouses and data lakes.”

– Cesare

“Storage as a service (STaaS) eliminates Capex, simplifies management and offers extensive flexibility.”

– TechTarget

Major vendors

The current vendor landscape for enterprise storage solutions represents a range of industry veterans and the brands they’ve aggregated along the way, as well as some relative newcomers who have come to the forefront within the past ten years.

Vendors like Dell EMC and HPE are longstanding veterans of storage appliances with established offerings and a back catalogue of acquisitions fueling their growth. Others such as Pure Storage offer creative solutions like all-flash arrays, which are becoming more and more appealing as flash storage becomes more commoditized.

Cloud-based vendors have become popular options in recent years. Cloud storage provides many options and has attracted many other vendors to provide a cloud option in addition to their on-premises solutions. Some software and hardware vendors also partner with cloud vendors to offer a complete solution that includes storage.

Info-Tech Insight

Explore your current vendor’s solutions as a starting point, then use that understanding as a reference point to dive into other players in the market

Key Players

• Amazon
• Cisco
• Dell EMC
• Google
• Hewlett Packard Enterprise
• Hitachi Vantara
• IBM
• Microsoft
• NetApp
• Nutanix
• Pure Storage

Enterprise Storage Use Cases

Block, object, or file storage? NAS, SAN, SDS, or HCI? Cloud or on prem? Hot, warm, or cold?
Which one do you choose?
The following use cases based on actual Info-Tech analyst calls may help you decide.

1. Offsite backup solution
2. Infrastructure consolidation
3. DR/BCP datacenter duplication
4. Expansion of existing storage
5. Complete backup solution
6. Existing storage solution going out of support soon
7. Video storage
8. Classify and offload storage

Offsite backup solution

“Offsite” may make you think of geographical separation or even cloud-based storage, but what is the best option and why?

Use Case: How a manufacturing company dealt with retired applications

• A leading manufacturing company had to preserve older applications no longer in use.
• The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies, and although the data they held had been migrated to a replacement solution, executives felt they should hold on to these applications for a period of time, just in case.
• A modern archiving solution was considered, but a research advisor from Info-Tech Research joined a call with the manufacturing company and helped the client realize that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment.
• The data could be exported from the legacy application into a nonsequential database, compressed, and stored in cloud-based cold storage for less than $5 per terabyte per month. The manufacturing company staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.
• Cold storage is inexpensive until you start retrieving that data frequently. The manufacturing company knew they did not have a requirement to retrieve the application and data for a very long time, so cloud-based cold storage was ideal.

“Data retrieval from cold storage is harder and slower than it is from hot storage. … Because of the longer retrieval time, online cold storage plans are often much cheaper. … The downside is that you’d incur additional costs when retrieving the data.”

– Ben Stockton, Cloudwards

Infrastructure consolidation

Hyperconverged infrastructure combines storage, virtual infrastructure, and associated management into one piece of equipment.

Use Case: How one company dealt with equipment and storage needs

• One Info-Tech client had recently started in the role of IT director and realized he had inherited aging infrastructure along with a serious data challenge. The storage appliances were old and out of support. The appliances were performing inadequately, and the client was in need of more data due to ongoing growth, but he also realized that the virtual environment was running on very old servers that were no longer supported. The IT director reached out to Info-Tech to find solutions to the virtualization challenge, but the storage problem also came up throughout the course of the conversation with an analyst.
• The analyst quickly realized that the IT director was an ideal candidate for a hyperconverged infrastructure (HCI) storage solution, which would also provide the necessary virtual environment.
• The analyst explained the benefits of having a single appliance that would provide virtualization needs as well as storage needs. The built-in management features would ease the burden of administration, and the software-defined nature of the HCI would allow for the migration of data as well as future expansion options.
• Hyperconverged infrastructure is offered by many vendors under a variety of names. Most are similar but some may have a better interface or other features. The expansion process is simple, and HCI is a good fit for many organizations looking to consolidate virtual infrastructure and storage.

“HCI environments use a hypervisor, usually running on a server that uses direct-attached storage (DAS), to create a data center pool of systems and resources.”

– Samuel Greengard, Datamation

Datacenter duplication

SAN providers offer a varied range of options for their products, and those options are constantly evolving.

Use Case: Independent school district provides better data access using SAN technology

• An independent school district was expanding by adding a second data center in a new school. This new data center would be approximately 20 miles away from the original data center used by the district. The intent was not to replace the original data center but to use both centers to store data and provide services concurrently. The district’s ideal scenario would be that users would not know or care which data center they were reaching, and there would be no difference in the service received from each data center. The school district reached out to Info-Tech when planning discussions reached the topic of data duplication and replication software.
• An Info-Tech analyst joined a call with the school district and guided the conversation toward the existing environment to understand what options might be available. The analyst quickly discovered that all the district’s servers were virtual, and all associated data was stored on a single SAN.
• The analyst informed the school district staff about SAN options, including SAN-to-SAN replication. If the school district had a sufficient link between the two data centers, SAN-to-SAN replication would work for them and provide the two identical copies of data at two locations.
• The analyst continued to offer explanations of other features that some vendors offer with their SANs, such as the ability to turn on or off deduplication and compression, as well as disk options such as flash or NVMe.
• The school district was moving to the request for proposal (RFP) stage but hoped to have SAN-to-SAN replication implemented before the next academic year started.

“SAN-to-SAN replication is a low-cost, highly efficient way to manage mounting quantities of stored data.”

– Secure Infrastructure & Services

Expansion of existing storage

That old storage area network may still have some useful life left in it.

Use Case: Municipality solves data storage aging and growth challenge

• A municipality in the United States reached out to Info-Tech for guidance on its storage challenge. The municipality had accumulated multiple SANs from different vendors over the years. These SANs were running out of storage, and more data storage was needed. The municipality’s data was growing at a rapid pace, thanks to municipal growth and expansion of services. The IT team was also concerned with modernizing their storage and not hindering their long-term growth by making the wrong purchase decision for their current storage needs.
• An analyst from Info-Tech discussed several options with the municipality but in the end advised that software-defined storage may be the best solution.
• Software-defined storage (SDS) would allow the municipality to gain better visibility into existing storage while making more efficient use of existing and new storage. SDS could take over the management of the existing storage from multiple vendors and add additional storage as required. SDS would also be able to integrate cloud-based storage if that was the direction taken by the municipality in the future.
• The municipality moved forward with an SDS solution and added some additional storage capacity. They used some of their existing SANs but retired the more troublesome ones. The SDS system managed all the storage instances and data management. The administration of the storage environment was easier for the storage admins, and long-term savings were achieved through better storage management.

“Often enterprises have added storage on an ad hoc basis as they needed it for various applications. That can result in a mishmash of heterogenous storage hardware from a wide variety of vendors. SDS offers the ability to unify management of these different storage devices, allowing IT to be more efficient.”

– Cynthia Harvey, Enterprise Storage Forum (“What Is Software Defined Storage?”, 2018)

Complete backup solution

Many backup software solutions can provide backups to multiple locations, making two-location backups simple.

Use Case: How an oil refinery modernized its backup solution

• A large oil refinery needed a better solution for the storage of backups. The refinery was replacing its backup software solution but also wanted to improve the backup storage situation and move away from tape-based storage. All other infrastructure was reasonably modern and not in need of replacement at this time.
• A research analyst from Info-Tech helped the client realize that the solution was a modified backup. The general guidance for backups is have a least one copy offsite, so the cloud was the obvious focal point. The analyst also explained that it would be beneficial to have a recent copy of the backup available on site for common restoration requests in addition to having the offsite copy for disaster recovery (DR) purposes.
• The refinery staff conducted a data analysis to determine how much data was being backed up on a daily basis. The solution proposed by the analyst included network-attached storage (NAS) with adequate storage to hold 30 days' worth of on-premises data. The backup software would also simultaneously copy each backup to a cloud-based storage repository. The backup software was smart enough to only back up and transfer data that had changed since the previous backup, so transfer time and capacity was not a factor.
• The NAS would allow for the restoration of any local, on-premises data while the cloud storage would provide a safe location offsite for backup data. It could also serve as the backup location for other cloud-based services that required a backup.

“Data protection demands that enterprises have multiple methods of keeping data safe and replicating it in case of disaster or loss.”

– Drew Robb, Enterprise Storage Forum, 2021

Storage going out of support

SAN solutions have come a long way with improvements in how data is stored and what is used to store the data.

Use Case: How one organization replaced its old storage with a similar solution

• A government organization was looking for a solution for its aging storage area network appliances. The SANs were old and would be no longer supported by the manufacturer within four months. The SANs had slower spinning disks and their individual capacity was at its limit through the addition of extra shelves and disks over the years.
• The organization reached out to Info-Tech for guidance. An analyst arranged a call with them, and they discussed the storage situation in detail, including desired benefits from a storage solution and growth requirements. They also discussed cloud storage, but the government organization was not in a position to move its data to the cloud for a variety of reasons.
• Although the individual SANs were at their storage capacity limit, the total amount of data was well within the limits of many modern on-premises storage solutions. SSD and flash or NVMe storage can store large amounts of data in small footprints and form factors.
• The analyst reviewed several vendors with the client and discussed some advantages and disadvantages of each. They explored the features offered as well as scalability options.
• SANs have been around for a long time but the features and capabilities that come with them has evolved. They are still a very viable solution for many organizations in a variety of scenarios.

“A rapidly growing portion of SAN deployments leverages all-flash storage to gain its high performance, consistent low latency, and lower total cost when compared to spinning disk.”

– NetApp

Video storage

Cloud storage would not be sufficient if you were using a dial up connection, just as on-premises storage solutions would not suffice if they were using floppy disks.

Use Case: Body cams and public cameras in municipalities are driving storage growth

• Municipal law enforcement agencies are wearing body cameras more frequently, for their own protection as well as for the protection of the public. Camera footage can be useful in legal situations as well. Municipalities are also installing more and more public cameras for the purposes of public safety. The recorded video footage from these cameras can result in large data files, which in turn drive data storage requirements.
• Info-Tech analysts are joining calls about video data storage with increasing frequency. The concerns are repetitive, and the guidance is similar on most of these calls.
• The “object” storage format is ideal for video and media data. Most cloud-based storage solutions use object storage, but it is also available with on-premises solutions such as NAS or SAN. The challenges clients are expressing are typically related to inadequate bandwidth for cloud-based storage or other storage formats instead of “object” storage. Cloud-based storage can also grow beyond the budgeted numbers, causing an increase in the monthly cloud cost. Older, slower on-premises hardware sometimes reveals itself as the latency culprit.
• Object storage is well suited for the unstructured data that is video footage. It uses metadata to tag the video file for future retrieval and is easily expandable, which also makes it cost effective.
• Video data stored in a cloud-based repository will work fine as long as the bandwidth is adequate. On-premises storage of video data is also quite adequate on the right storage format, with fast disks and a reasonably up-to-date network infrastructure.

“The captured video is stored for days, weeks, months and sometimes years and consumes a lot of space. Data storage plays a new and important role in these systems. Object storage is ideal to store the video data.”

– Object-Storage.Info

Classify and offload primary storage

Some software products have storage options available as a result of agreements with other storage vendors. Several backup and archive software products fall into this category.

Use Case: Enterprise storage can help reduce data sprawl

• A large engineering firm was trying to manage its data sprawl. The team sampled a small percentage of their data and quickly realized that when they applied their findings on the 1% of data to their entire data estate, the sheer volume of personal files, older files, and unclassified data was going to be a challenge.
• They found a solution in archiving software. The archiving software would tag data based on several factors. The software would move older files away from primary storage to an alternate storage platform but still leave a stub of the moved file in place and maintain limited access to those files. This would reduce primary storage requirements and allow the firm to eliminate multiple file servers
• The engineering firm reached out to Info-Tech and participated in an analyst call. During that call, they laid out their plans, and the analyst made them aware of cloud storage. The positive and negative aspects of cloud storage were discussed, and the firm fully understood that the colder the storage tier, the slower the recovery. The firm's stance was if the files had not been accessed in the past six months, waiting a day or two for retrieval would not be a concern, and the firm was content with cold storage in the cloud.
• The firm had not purchased the archiving software at the time of the analyst call, and the analyst also explained to them that the archiving software may have an existing agreement with a cloud provider for storage options, which could be more cost effective than purchasing cloud storage separately.
• Cold cloud-based storage was the preferred solution for this firm, but this use case also highlights the option that some software products carry regarding storage. Several backup and archive products have a cloud storage option that should be investigated, as they may be cost-effective options.

“Cold storage is perfect for archiving your data. Online backup providers offer low-cost, off-site data backups at the expense of fast speeds and easy access, even though data retrieval often comes at an added cost. If you need to keep your data long-term, but don’t need to access it often, this is the kind of storage you need.”

– Ben Stockton, Cloudwards

Understand your data requirements

Activity

The first step in solving your enterprise storage challenge is identifying your data sources or drivers, data volume size, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions.

• Info-Tech’s Modernize Enterprise Storage Workbook can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.
• An example of the Storage Capacity Calculator tab from that workbook is displayed on the right. Using the Storage Capacity Requirements Calculator requires minimal steps.

1. Enter the current date and planning timeline (horizon) in months
2. Identify the top sources of data within the business – the current data drivers. Areas of focus could include business applications, file shares, backup, and archives.
3. For each of these data drivers, include your best estimate of:

• Current data volume
• Growth rate

• Initial data volumes
• Projected growth rates
• Planned implementation date

Download the Modernize Enterprise Storage Workbook and take the first step toward understanding your data requirements.

Download the Modernize Enterprise Storage Workbook

Related Info-Tech Research

Modernize Enterprise Storage

Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

Modernize Enterprise Storage Workbook

This workbook will complement the discussions and activities found in the Modernize Enterprise Storage blueprint. Use this workbook in conjunction with the blueprint to develop a strategy for storage modernization.

Bibliography

Bakkianathan, Raghunathan. “What is the difference between Hot Warm and Cold data storage?” TechBlost, n.d.. Accessed 14 July 2022.
Cesare. “Data warehouse vs Data lake vs Lakehouse… and DeltaLake?“ Medium, 14 June 2021. Accessed 26 July 2022.
Davison, Shawn and Ryan Sappenfield. “Data Lake Vs Lakehouse Vs Data Mesh: The Evolution of Data Transformation.” DevIQ, May 2022. Accessed 23 July 2022.
Desjardins, Jeff. “Infographic: How Much Data is Generated Each Day?” Visual Capitalist, 15 April 2019. Accessed 26 July 2022.
Greengard, Samuel. “Top 10 Hyperconverged Infrastructure (HCI) Solutions.” Datamation, 22 December 2020. Accessed 23 July 2022.
Harvey, Cynthia. “Flash vs. SSD Storage: Is there a Difference?” Enterprise Storage Forum, 10 July 2018. Accessed 23 July 2022.
Harvey, Cynthia. “What Is Software Defined Storage? Features & Benefits.” Enterprise Storage Forum, 22 February 2018. Accessed 23 July 2022.
Hecht, Gil. “4 Predictions for storage and backup security in 2022.” Continuity Software, 09 January 2022. Accessed 22 July 2022.
Jacobi, Jonl. “NVMe SSDs: Everything you need to know about this insanely fast storage.” PCWorld, 10 March 2019. Accessed 22 July 2022
Pritchard, Stephen. “Briefing: Cloud storage performance metrics.” Computer Weekly, 16 July 2021. Accessed 23 July 2022
Robb, Drew. “Best Enterprise Backup Software & Solutions 2022.” Enterprise Storage Forum, 09 April 2021. Accessed 23 July 2022.
Sheldon, Robert. “On-premises STaaS shifts storage buying to Opex model.” TechTarget, 10 August 2020. Accessed 22 July 2022.
“Simplify Your Storage Ownership, Forever.” PureStorage. Accessed 20 July 2022.
Stockton, Ben. “Hot Storage vs Cold Storage in 2022: Instant Access vs Long-Term Archives.” Cloudwards, 29 September 2021. Accessed 22 July 2022.
“The Cost Savings of SAN-to-SAN Replication.” Secure Infrastructure and Services, 31 March 2016. Accessed 16 July 2022.
“Video Surveillance.” Object-Storage.Info, 18 December 2019. Accessed 25 July 2022.
“What is a Data Lake?” Amazon Web Services, n.d. Accessed 17 July 2022.
“What is enterprise cloud storage?” Spectrum Enterprise, n.d. Accessed 28 July 2022.
“What is SAN (Storage Area Network).” NetApp, n.d. Accessed 25 July 2022.
“What is software-defined storage?” RedHat, 08 March 2018. Accessed 16 July 2022.

Enterprise Network Design Considerations

It is not just about connectivity.

Executive Summary

Info-Tech Insight

Connectivity and security are tightly coupled

Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

Many services are no longer within the network

The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

Users are demanding an anywhere, any device access model

Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

Enterprise networks are changing

The new network reality

The enterprise network of 2020 and beyond is changing:

• Services are becoming more distributed.
• The number of services provided “off network” is growing.
• Users are more often remote.
• Security threats are rapidly escalating.

The above statements are all accurate for enterprise networks, though each potentially to differing levels depending on the business being supported by the network. Depending on how affected the network in question currently is and will be in the near future, there are different common network archetypes that are best able to address these concerns while delivering business value at an appropriate price point.

High-Level Design Considerations

1. Understand Business Needs

Understand what the business needs are and where users and resources are located.

2. Define Your Trust Model

Trust is a spectrum and tied tightly to security.

3. Align With an Archetype

How will the network be deployed?

4. Understand Available Tooling

What tools are in the market to help achieve design principles?

Understand business needs

Mission

Never ignore the basics. Start with revisiting the mission and vision of the business to address relevant needs.

Users

Identify where users will be accessing services from. Remote vs. “on net” is a design consideration now more than ever.

Resources

Identify required resources and their locations, on net vs. cloud.

Controls

Identify required controls in order to define control points and solutions.

Define a trust model

Trust is a spectrum

• There is a spectrum of trust, from fully trusted to not trusted at all. Each organization must decide for their network (or each area thereof) the appropriate level of trust to assign.
• The ease of network design and deployment is directly proportional to the trust spectrum.
• When resources and users are outside of direct IT control, the level of appropriate trust should be examined closely.

Implicit

Trust everything within the network. Security is perimeter based and designed to stop external actors from entering the large trusted zone.

Controlled

Multiple zones of trust within the network. Segmentation is a standard practice to separate areas of higher and lower trust.

Zero

Verify trust. The network is set up to recognize and support the principle of least privilege where only required access is supported.

Align with an archetype

Archetypes are a good guide

• Using a defined archetype as a guiding principle in network design can help clarify appropriate tools or network structures.
• Different aspects of a network can have different archetypes where appropriate (e.g. IT vs. OT [operational technology] networks).

Traditional

Services are provided from within the traditional network boundaries and security is provided at the network edge.

Hybrid

Services are provided both externally and from within the traditional network boundaries, and security is primarily at the network edge.

Inverted

Services are provided primarily externally, and security is cloud centric.

Traditional networks

Resources within network boundaries

Moat and castle security perimeter

Abstract

A traditional network is one in which there are clear boundaries defined by a security perimeter. Trust can be applied within the network boundaries as appropriate, and traffic is generally routed through internally deployed control points that may be centralized. Traditional networks commonly include large firewalls and other “big iron” security and control devices.

Network Design Tenets

• The full network path from resource to user is designed, deployed, and controlled by IT.
• Users external to the network must first connect to the network to gain access to resources.
• Security, risk, and trust controls will be implemented by internal enterprise hardware/software devices.

Control

In the traditional network, it is assumed that all required control points can be adequately deployed across hardware/software that is “on prem” and under the control of central IT.

Info-Tech Insight

With increased cloud services provided to end users, this network is now more commonly used in data centers or OT networks.

Traditional networks

Defining Characteristics

• Traffic flows in a defined path under the control of IT to and from central IT resources.
• Due to visibility into, and the control of, the traffic between the end user and resources, IT can relatively simply implement the required security controls on owned hardware.

Common Components

• Traditional offices
• Remote users/road warriors
• Private data center/colocation space

Hybrid networks

Resources internal and external to network

Network security perimeter combined with cloud protection

Abstract

A hybrid network is one that combines elements of a traditional network with cloud resources. As some of these resources are not fully under the control of IT and may be completely “offnet” or loosely coupled to the on-premises network, the security boundaries and control points are less likely to be centralized. Hybrid networks allow the flexibility and speed of cloud deployment without leaving behind traditional network constructs. This generally makes them expensive to secure and maintain.

Network Design Tenets

• The network path from resource to user may not be in IT’s locus of control.
• Users external to the network must first connect to the network to gain access to internal resources but may directly access publicly hosted ones.
• Security, risk, and trust controls may potentially be implemented by a mixture of internal enterprise hardware/software devices and external control points.

Control

The hallmark of a hybrid network is the blending of public and private resources. This blending tends to necessitate both public and private points of control that may not be homogenous.

Info-Tech Insight

With multiple control points to address, take care in simplifying designs while addressing all concerns to ease operational load.

Hybrid networks

Defining Characteristics

• Traffic flows to central resources across a defined path under the control of IT.
• Traffic to cloud assets may be partially under the control of IT.
• For central resources, the traffic to and from the end user can have the required security controls relatively simply implemented on owned hardware.
• For public cloud assets, IT may or may not have some control over part of the path.

Common Components

• Traditional offices
• Remote users/road warriors
• Private data center/colocation space
• Public cloud assets (IaaS/PaaS/SaaS)

Inverted perimeter

Resources primarily external to the network

Security control points are cloud centric

Abstract

An inverted perimeter network is one in which security and control points cover the entire workflow, on or off net, from the consumer of services through to the services themselves with zero trust. Since the control plane is designed to encompass the workflow in a secure manner, much of the underlying connectivity can be abstracted. In an extreme version of this deployment, IT would abstract end-user access, and any cloud-based or on-premises resources would be securely published through the control plane with context-aware precision access.

Network Design Tenets

• The network path from resource to user is abstracted and controlled by IT through services like secure access service edge (SASE).
• Users only need internet access and appropriate credentials to gain access to resources.
• Security, risk, and trust controls will be implemented through external cloud based services.

Control

An inverted network abstracts the lower-layer connectivity away and focuses on implementing a cloud-based zero trust control plane.

Info-Tech Insight

This model is extremely attractive for organizations that consume primarily cloud services and have a large remote work force.

Inverted networks

Defining Characteristics

• The end user does not have to be in a defined location.
• All central resources that are to be accessed are hosted on cloud resources.
• IT has little to no control of the path between the end user and central resources.

Common Components

• Traditional offices
• Regent offices/shared workspaces
• Remote users/road warriors
• Public cloud assets (IaaS/PaaS/SaaS)

Understand available tooling

Don’t buy a hammer and go looking for nails

• A network archetype must be defined in order to understand what tools (hardware or software) are appropriate for consideration in a network build or refresh.
• Tools are purpose built and generally designed to solve specific problems if implemented and operated correctly. Choose the tools to align with the challenges that you are solving as opposed to choosing tools and then trying to use those purchases to overcome challenges.
• The purchase of a tool does not allow for abdication of proper design. Tools must be chosen appropriately and integrated properly to orchestrate the best solutions. Purchasing a tool and expecting the tool to solve all your issues rarely succeeds.

“It is essential to have good tools, but it is also essential that the tools should be used in the right way.” — Wallace D. Wattles

Software-defined WAN (SD-WAN)

Simplified branch office connectivity

Archetype Value: Traditional Networks

What It Is Not

SD-WAN is generally not a way to slash spending by lowering WAN circuit costs. Though it is traditionally deployed across lower cost access, to minimize risk and realize the most benefits from the platform many organizations install multiple circuits with greater bandwidths at each endpoint when replacing the more costly traditional circuits. Though this maximizes the value of the technology investment, it will result in the end cost being similar to the traditional cost plus or minus a small percentage.

What It Is

SD-WAN is a subset of software-defined networking (SDN) designed specifically to deploy a secure, centrally managed, connectivity agnostic, overlay network connecting multiple office locations. This technology can be used to replace, work in concert with, or augment more traditional costly connectivity such as MPLS or private point to point (PtP) circuits. In addition to the secure overlay, SD-WAN usually also enables policy-based, intelligent controls, based on traffic and circuit intelligence.

Why Use It

You have multiple endpoint locations connected by expensive lower bandwidth traditional circuits. Your target is to increase visibility and control while controlling costs if and where possible. Ease of centralized management and the ability to more rapidly turn up new locations are attractive.

Cloud access security broker (CASB)

Inline policy enforcement placed between users and cloud services

Archetype Value: Hybrid Networks

What It Is Not

CASBs do not provide network protection; they are designed to provide compliance and enforcement of rules. Though CASBs are designed to give visibility and control into cloud traffic, they have limits to the data that they generally ingest and utilize. A CASB does not gather or report on cloud usage details, licencing information, financial costing, or whether the cloud resource usage is aligned with the deployment purpose.

What It Is

A CASB is designed to establish security controls beyond a company’s environment. It is commonly deployed to augment traditional solutions to extend visibility and control into the cloud. To protect assets in the cloud, CASBs are designed to provide central policy control and apply services primarily in the areas of visibility, data security, threat protection, and compliance.

Why Use It

You a mixture of on-premises and cloud assets. In moving assets out to the cloud, you have lost the traditional controls that were implemented in the data center. You now need to have visibility and apply controls to the usage of these cloud assets.

Secure access service edge (SASE)

Convergence of security and service access in the cloud

Archetype Value: Inverted Networks

What It Is Not

Though the service will consist of many service offerings, SASE is not multiple services strung together. To present the value proposed by this platform, all functionality proposed must be provided by a single platform under a “single pane of glass.” SASE is not a mature and well-established service. The market is still solidifying, and the full-service definition remains somewhat fluid.

What It Is

SASE exists at the intersection of network-as-a-service and network-security-as-a-service. It is a superset of many network and security cloud offerings such as CASB, secure web gateway, SD-WAN, and WAN optimization. Any services offered by a SASE provider will be cloud hosted, presented in a single stack, and controlled through a single pane of glass.

Why Use It

Your network is inverting, and services are provided primarily as cloud assets. In a full realization of this deployment’s value, you would abstract how and where users gain initial network access yet remain in control of the communications and data flow.

Activity

Understand your enterprise network options

Activity: Network assessment in an hour

• Learn about the Enterprise Network Roadmap Technology Assessment Tool
• Complete the Enterprise Network Roadmap Technology Assessment Tool

This activity involves the following participants:

• IT strategic direction decision makers.
• IT managers responsible for network.
• Organizations evaluating platforms for mission critical applications.

Outcomes of this step:

• Completed Enterprise Network Roadmap Technology Assessment Tool

Info-Tech Insight

Review your design options with security and compliance in mind. Infrastructure is no longer a standalone entity and now tightly integrates with software-defined networks and security solutions.

Build an assessment in an hour

Learn about the Enterprise Network Roadmap Technology Assessment Tool.

This workbook provides a high-level analysis of a technology’s readiness for adoption based on your organization’s needs.

• The workbook then places the technology on a graph that measures both the readiness and fit for your organization. In addition, it provides warnings for specific issues and lets you know if you have considerable uncertainty in your answers.
• At a glance you can now communicate what you are doing to help the company:
  • Grow
  • Save money
  • Reduce risk
• Regardless of your specific audience, these are important stories to be able to tell.

Build an assessment in an hour

Complete the Enterprise Network Roadmap Technology Assessment Tool.

Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

1. Weightings: Adjust the Weighting tab to meet organizational needs. The provided weightings for the overall solution areas are based on a generic firm; individual firms will have different needs.
2. Data Entry: For each category, answer the questions for the technology you are considering. When you have completed the questionnaire, go to the next tab for the results.
3. Results: The Enterprise Network Roadmap Technology Assessment Tool provides a value versus readiness assessment of your chosen technology customized to your organization.

Related Info-Tech Research

Effectively Acquire Infrastructure Services

Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

There are very few IT infrastructure components you should be housing internally – outsource everything else.

Build Your Infrastructure Roadmap

Move beyond alignment: Put yourself in the driver’s seat for true business value.

Drive Successful Sourcing Outcomes With a Robust RFP Process

Leverage your vendor sourcing process to get better results.

Research Authors

Scott Young, Principal Research Advisor, Info-Tech Research Group

Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

Troy Cheeseman, Practice Lead, Info-Tech Research Group

Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

Bibliography

Ahlgren, Bengt. “Design considerations for a network of information.” ACM Digital Library, 21 Dec. 2008.

Cox Business. “Digital transformation is here. Is your business ready to upgrade your mobile work equation?” BizJournals, 1 April 2022. Accessed April 2022.

Elmore, Ed. “Benefits of integrating security and networking with SASE.” Tech Radar, 1 April 2022. Web.

Greenfield, Dave. “From SD-WAN to SASE: How the WAN Evolution is Progressing.” Cato Networks, 19 May 2020. Web

Korolov, Maria. “What is SASE? A cloud service that marries SD-WAN with security.” Network World, 7 Sept. 2020. Web.

Korzeniowski, Paul, “CASB tools evolve to meet broader set of cloud security needs.” TechTarget, 26 July 2019. Accessed March 2022.

Prevent Data Loss Across Cloud and Hybrid Environments

Leverage existing tools and focus on the data that matters most to your organization.

Analyst Perspective

Data loss prevention is an additional layer of protection

Driven by reduced operational costs and improved agility, the migration to cloud services continues to grow at a steady rate. A recent report by Palo Alto Networks indicates workload in the cloud increased by 13% last year, and companies are expecting to move an additional 11% of their workload to the cloud in the next 24 months1.

However, moving to the cloud poses unique challenges for cyber security practitioners. Cloud services do not offer the same level of management and control over resources as traditional IT approaches. The result can be reduced visibility of data in cloud services and reduced ability to apply controls to that data, particularly data loss prevention (DLP) controls.

It’s not unusual for organizations to approach DLP as a point solution. Many DLP solutions are marketed as such. The truth is, DLP is a complex program that uses many different parts of an organization’s security program and architecture. To successfully implement DLP for data in the cloud, an organization should leverage existing security controls and integrate DLP tools, whether newly acquired or available in cloud services, with its existing security program.

Bob Wilson
CISSP
Research Director, Security and Privacy
Info-Tech Research Group

Executive Summary

Info-Tech Insight

Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.

Your challenge

Protecting data is a critical responsibility for organizations, no matter where it is located.

45% of breaches occurred in the cloud (“Cost of a Data Breach 2022,” IBM Security, 2022).

It can take upwards of 12 weeks to identify and contain a breach (“Cost of a Data Breach 2022,” IBM Security, 2022).

• Compliance obligations will require organizations to protect certain data.
• All data states can exist in the cloud, and each state provides a unique opportunity for data loss.
• Insider threats, whether intentional or not, are especially challenging for organizations. It’s necessary to prevent illicit data use while still allowing work to happen.

Info-Tech Insight

Data loss prevention doesn’t depend on a single tool. Many of the leading cloud service providers offer DLP controls with their services and these controls should be considered.

Common obstacles

As organizations increasingly move data into the cloud, their environments become more complex and vulnerable to insider threats

• It’s not uncommon for an organization not to know what data they use, where that data exists, or how they are supposed to protect it.
• Cloud systems, especially software as a service (SaaS) applications, may not provide much visibility into how that data is stored or protected.
• Insider threats are a primary concern, but employees must be able to access data to perform their duties. It isn’t always easy to strike a balance between adequate access and being too restrictive with controls.

Insider threats are a significant concern

Info-Tech Insight

An insider threat management (ITM) program focuses on the user. DLP programs focus on the data.

Insight summary

DLP is not just a single tool. It’s an additional layer of security that depends on different components of your security program, and it requires time and effort to mature.

Organizations should leverage existing security architecture with the DLP controls available in the cloud services they use.

Data loss prevention is not a point solution

Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

Prioritize data

Start with the data that matters most to your organization.

Define an objective

Having a clearly defined objective will make implementing a DLP program much easier.

DLP is a layer

Data loss prevention is not foundational, and it depends on many other parts of a mature information security program.

The low hanging fruit is sweet

Start your DLP implementation with a quick win in mind and build on small successes.

DLP is a work multiplier

Your organization must be prepared to investigate alerts and respond to incidents.

Prevent data loss across cloud or hybrid environments

Data loss prevention is not a point solution.
It’s the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

Info-Tech Insight

Leverage existing security tools where possible.

Data loss prevention (DLP) overview

DLP is an additional layer of security.

DLP is a set of technologies and processes that provides additional data protection by identifying, monitoring, and preventing data from being illicitly used or transmitted.

DLP depends on many components of a mature security program, including but not limited to:

• Acceptable use policy
• Data classification policy and data handling guidelines
• Identity and access management

DLP is achieved through some or all of the following tactics:

• Identify: Data is detected using policies, rules, and patterns.
• Monitor: Data is flagged and data activity is logged.
• Prevent: Action is taken on data once it has been detected.

Info-Tech Insight

DLP is not foundational. Your information security program needs to be moderately mature to support a DLP strategy.

DLP approaches and methods

DLP uses a handful of techniques to achieve its tactics:

• Policy and access rights: Limits access to data based on user permissions or other contextual attributes.
• Isolation or virtualization: Data is isolated in an environment with channels for data leakage made unavailable.
• Cryptographic approach: Data is encrypted.
• Quantifying and limiting: Use or transfer of data is restricted by quantity.
• Social and behavioral analysis: The DLP system detects anomalous activity, such as users accessing data outside of business hours.
• Pattern matching: Data content is analyzed for specific patterns.
• Data mining and text clustering: Large sets are analyzed, typically with machine learning (ML), to identify patterns.
• Data fingerprinting: Data files are matched against a pre-calculated hash or based on file contents.
• Statistical Analysis: Data content is analyzed for sensitive data. Usually involves machine learning.

DLP has two primary approaches for applying techniques:

• Content-based: Data is identified through inspecting its content. Fingerprinting and pattern matching are examples of content-based methods.
• Context-based: Data is identified based on its situational or contextual attributes. Some factors that may be used are source, destination, and format.

Some DLP tools use both approaches.

Info-Tech Insight

Different DLP products will support different methods. It is important to keep these in mind when choosing a DLP solution.

Start by defining your data

Define data by answering the 5 “W”s

Who? Who owns the data? Who needs access? Who would be impacted if it was lost?
What? What data do you have? What type of data is it? In what format does it exist?
When? When is the data generated? When is it used? When is it destroyed?
Where? Where is the data stored? Where is it generated? Where is it used?
Why? Why is the data needed?

Use what you discover about your data to create a data inventory!

Compliance requirements

Compliance requirements often dictate what must be done to manage and protect data and vary from industry to industry.

Some examples of compliance requirements to consider:

• Healthcare - Health Insurance Portability and Accountability Act (HIPAA)
• Financial Services - Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standards (PCI DSS)

Info-Tech Insight

Why is especially important. If you don’t need a specific piece of data, dispose of it to reduce risk and administrative overhead related to maintaining or protecting data.

Classify your data

Data classification facilitates making decisions about how data is treated.

Data classification is a process by which data is categorized.

• The classifications are often based on the sensitivity of the data or the impact a loss or breach of that data would have on the organization.
• Data classification facilitates decisions about data handling and how information security controls are implemented. Instead of considering many different types of data individually, decisions are based on a handful of classification levels.
• A mature data classification should include a formalized policy, handling standards, and a steering committee.

Refer to our Discover and Classify Your Data blueprint for guidance on data classification.

Sample data classification schema

Info-Tech Insight

Data classification should be implemented as a continuous program, not a one-time project.

Understand data risk

Knowing where and how your data is at risk will inform your DLP strategy.

Data exists in three states, and each state presents different opportunities for risk. Different DLP methodologies will be appropriate for different states.

Data states

In use

• End-user devices
• Mobile devices
• Servers

In motion

• Cloud services
• Email
• Web/web apps
• Instant messaging
• File transfers

At rest

• Cloud services
• Databases
• End-user devices
• Email archives
• Backups
• Servers
• Physical storage devices

Causes of Risk

The most common causes of data loss can be categorized by people, processes, and technology.

Check out our Combine Security Risk Management Components Into One Program blueprint for guidance on risk management, including how to do a full risk assessment.

Prioritize your data

Know what data matters most to your organization.

Prioritizing the data that most needs protection will help define your DLP goals.

The prioritization of your data should be a business decision based on your comprehension of the data. Drivers for prioritizing data can include:

• Compliance-driven: Noncompliance is a risk in itself and your organization may choose to prioritize data based on meeting compliance requirements.
• Audit-driven: Data can be prioritized to prepare for a specific audit objective or in response to an audit finding.
• Business-driven: Data could be prioritized based on how important it is to the organization’s business processes.

Info-Tech Insight

It’s not feasible for most organizations to apply DLP to all their data. Start with the most important data.

Activity: Prioritize your data

Input: Lists of data, data types, and data environments
Output: A list of data types with an estimated priority
Materials: Data Loss Prevention Strategy Planner worksheet
Participants: Security leader, Data owners

1-2 hours

For this activity, you will use the Data Loss Prevention Strategy Planner workbook to prioritize your data.

1. Start with tab “2. Setup” and fill in the columns. Each column features a short explanation of itself, and the following slides will provide more detail about the columns.
2. On tab “3. Data Prioritization,” work through the rows by selecting a data type and moving left to right. This sheet features a set of instructions at the top explaining each column, and the following slides also provide some guidance. On this tab, you may use data types and data environments multiple times.

Click to download the Data Loss Prevention Strategy Planner

Activity: Prioritize your data

In the Data Loss Prevention Strategy Planner tool, start with tab “2. Setup.”

Next, move to tab “3. Data Prioritization.”

Click to download the Data Loss Prevention Strategy Planner

Determine DLP objectives

Your DLP strategy should be able to function as a business case.

DLP objectives should achieve one or more of the following:

• Prevent disclosure or unauthorized use of data, regardless of its state.
• Preserve usability while providing adequate security.
• Improve security, privacy, and compliance capabilities.
• Reduce overall risk for the enterprise.

Example objectives:

• Prevent users from emailing ePHI to addresses outside of the organization.
• Detect when a user is uploading an unusually large amount of data to a cloud drive.

Most common DLP use cases:

• Protection of data, primarily from internal threats.
• Meet compliance requirements to protect data.
• Automate the discovery and classification of data.
• Provide better data management and visibility across the enterprise.
• Manage and protect data on mobile devices.

Info-Tech Insight

Having a clear idea of your objectives will make implementing a DLP program easier.

Align DLP with your existing security program/architecture

DLP depends on many different aspects of your security program.
To the right are some components of your existing security program that will support DLP.

1. Data handling standards or guidelines: These specify how your organization will handle data, usually based on its classification. Your data handling standards will inform the development of DLP rules, and your employees will have a clear idea of data handling expectations.

2. Identity and access management (IAM): IAM will control the access users have to various resources and data and is integral to DLP processes.

3. Incident response policy or plan: Be sure to consider your existing incident handling processes when implementing DLP. Modifying your incident response processes to accommodate alerts from DLP tools will help you efficiently process and respond to incidents.

4. Existing security tools: Firewalls, email gateways, security information and event management (SIEM), and other controls should be considered or leveraged when implementing a DLP solution.

5. Acceptable use policy: An organization must set expectations for acceptable/unacceptable use of data and IT resources.

6. User education and awareness: Aside from baseline security awareness training, organizations should educate users about policies and communicate the risks of data leakage to reduce risk caused by user error.

Info-Tech Insight

Consider DLP as a secondary layer of protection; a safety net. Your existing security program should do most of the work to prevent data misuse.

Cloud service models

A fundamental challenge with implementing DLP with cloud services is the reduced flexibility that comes with managing less of the technology stack. Each cloud model offers varying levels of abstraction and control to the user.

Infrastructure as a service (IaaS): This service model provides customers with virtualized technology resources, such as servers and networking infrastructure. IaaS allows users to have complete control over their virtualized infrastructure without needing to purchase and maintain hardware resources or server space. Popular examples include Amazon Web Servers, Google Cloud Engine, and Microsoft Azure.

Platform as a service (PaaS): This service model provides users with an environment to develop and manage their own applications without needing to manage an underlying infrastructure. Popular examples include Google Cloud Engine, OpenShift, and SAP Cloud.

Software as a service (SaaS): This service model provides customers with access to software that is hosted and maintained by the cloud provider. SaaS offers the least flexibility and control over the environment. Popular examples include Salesforce, Microsoft Office, and Google Workspace.

Info-Tech Insight

Cloud service providers may include DLP controls and functionality for their environments with the subscription. These tools are usually well suited for DLP functions on that platform.

Different DLP tools

DLP products often fall into general categories defined by where those tools provide protection. Some tools fit into more than one category.

Cloud DLP refers to DLP products that are designed to protect data in cloud environments.

• Cloud access security broker (CASB): This system, either in-cloud or on-premises, sits between cloud service users and cloud service providers and acts as a point of control to enforce policies on cloud-based resources. CASBs act on data in motion, for the most part, but can detect and act on data at rest through APIs.
• Existing tools integrated within a service: Many cloud services provide DLP tools to manage data loss in their service.

Endpoint DLP: This DLP solution runs on an endpoint computing device and is suited to detecting and controlling data at rest on a computer as well as data being uploaded or downloaded. Endpoint DLP would be feasible for IaaS.

Network DLP: Network DLP, deployed on-premises or as a cloud service, enforces policies on network flows between local infrastructure and the internet.

• “Email DLP”: Detects and enforces security policies specifically on data in motion as emails.

Choosing a DLP solution

You will also find that some DLP solutions are better suited for some cloud service models than others.

DLP solution types that are better suited for SaaS: CASB and Integrated Tools

DLP solution types that are better suited for PaaS: CASB, Integrated Tools, Network DLP

DLP solution types that are better suited for IaaS: CASB, Integrated Tools, Network DLP, and Endpoint DLP

Your approach for DLP will vary depending on the data state you’ll be acting on and whether you are trying to detect or prevent.

Click to download the Data Loss Prevention Strategy Planner
Check the tab labeled “6. DLP Features Reference” for a list of common DLP features.

Activity: Plan DLP methods

Input: Knowledge of data states for data types
Output: A set of technical DLP policy rules for each data type by environment
Materials: The same Data Loss Prevention Strategy Planner worksheet from the earlier activity
Participants: Security leader, Data owners

1-2 hours

Continue with the same workbook used in the previous activity.

1. On tab “4. DLP Methods,” indicate the expected data state the DLP control will act on. Then, select the type of DLP control your organization intends to use for that data type in that data environment.
2. DLP actions are suggested based on the classification of the data type, but these may be overridden by manually selecting your preferred action.
3. You will find more detail on this activity on the following slide, and you will find some additional guidance in the instructional text at the top of the worksheet.
4. Once you have populated the columns on this worksheet, a summary of suggested DLP rules can be found on tab “5. Results.”

Click to download the Data Loss Prevention Strategy Planner

Activity: Plan DLP methods

Use tab “4. DLP Methods” to plan DLP rules and technical policies.

See tab “5. Results” for a summary of your DLP policies.

Click to download the Data Loss Prevention Strategy Planner

Implement your DLP program

Take the steps to properly implement your DLP program

1. It’s important to shift the culture. You will need leadership’s support to implement controls and you’ll need stakeholders’ participation to ensure DLP controls don’t negatively affect business processes.
2. Integrate DLP tools with your security program. Most cloud service providers, like Amazon, Microsoft, and Google provide DLP controls in their native environment. Many of your other security controls, such as firewalls and mail gateways, can be used to achieve DLP objectives.
3. DLP is best implemented with a crawl, walk, then run approach. Following change management processes can reduce friction.
4. Communicating controls to users will also reduce friction.

Info-Tech Insight

After a DLP program is implemented, alerts will need to be investigated and incidents will need a response. Be prepared for DLP to be a work multiplier!

Measure and improve

Metrics of effectiveness

DLP attempts to tackle the challenge of promptly detecting and responding to an incident.
To measure the effectiveness of your DLP program, compare the number of events, number of incidents, and mean time to respond to incidents from before and after DLP implementation.

Metrics that indicate friction

A high number of false positives and rule exceptions may indicate that the rules are not working well and may be interfering with legitimate use.
It’s important to address these issues as the frustration felt by employees can undermine the DLP program.

Tune DLP rules

Establish a process for routinely using metrics to tune rules.
This will improve performance and reduce friction.

Info-Tech Insight

Aside from performance-based tuning, it’s important to evaluate your DLP program periodically and after major system or business changes to maintain an awareness of your data environment.

Related Info-Tech Research

Research Contributors

Andrew Amaro
CSO and Founder
Klavan Physical and Cyber Security Services

Arshad Momin
Cyber Security Architect
Unicom Engineering, Inc.

James Bishop
Information Security Officer
StructureFlow

Michael Mitchell
Information Security and Privacy Compliance Manager
Unicom Engineering, Inc.

One Anonymous Contributor

Bibliography

Alhindi, Hanan, Issa Traore, and Isaac Woungang. "Preventing Data Loss by Harnessing Semantic Similarity and Relevance." jisis.org Journal of Internet Services and Information Security, 31 May 2021. Accessed 2 March 2023. https://jisis.org/wp-content/uploads/2022/11/jisis-2021-vol11-no2-05.pdf

Cash, Lauryn. "Why Modern DLP is More Important Than Ever." Armorblox, 10 June 2022. Accessed 10 February 2023. https://www.armorblox.com/blog/modern-dlp-use-cases/

Chavali, Sai. "The Top 4 Use Cases for a Modern Approach to DLP." Proofpoint, 17 June 2021. Accessed 7 February 2023. https://www.proofpoint.com/us/blog/information-protection/top-4-use-cases-modern-approach-dlp

Crowdstrike. "What is Data Loss Prevention?" Crowdstrike, 27 Sept. 2022. Accessed 6 Feb. 2023. https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/

De Groot, Juliana. "What is Data Loss Prevention (DLP)? Definition, Types, and Tips." Digital Guardian, 8 February 2023. Accessed 9 Feb. 2023. https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention

Denise. "Learn More About DLP Key Use Cases." CISO Platform, 28 Nov. 2019. Accessed 10 February 2023. https://www.cisoplatform.com/profiles/blogs/learn-more-about-dlp-key-use-cases

Google. "Cloud Data Loss Prevention." Google Cloud Google, n.d. Accessed 7 Feb. 2023. https://cloud.google.com/dlp#section-6

Gurucul. "2023 Insider Threat Report." Cybersecurity Insiders, 13 Jan. 2023. Accessed 23 Feb. 2023. https://gurucul.com/2023-insider-threat-report

IBM Security. "Cost of a Data Breach 2022." IBM Security, 1 Aug. 2022. Accessed 13 Feb. 2023. https://www.ibm.com/downloads/cas/3R8N1DZJ

Mell, Peter & Grance, Tim. "The NIST Definition of Cloud Computing." NIST CSRC NIST, Sept. 2011. Accessed 7 Feb. 2023. https://csrc.nist.gov/publications/detail/sp/800-145/final

Microsoft. "Plan for Data Loss Prevention (DLP)." Microsoft 365 Solutions and Architecture Microsoft, 6 Feb. 2023. Accessed 14 Feb. 2023. https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp

Nanchengwa, Christopher. "The Four Questions for Successful DLP Implementation." ISACA Journal ISACA, 1 Jan. 2019. Accessed 6 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-four-questions-for-successful-dlp-implementation

Palo Alto Networks. "The State of Cloud Native Security 2023." Palo Alto Networks, 2 March 2023. Accessed 23 March 2023. https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/state-of-cloud-native-security-2023.pdf

Pritha. "Top Six Metrics for your Data Loss Prevention Program." CISO Platform, 27 Nov. 2019. Accessed 10 Feb. 2023. https://www.cisoplatform.com/profiles/blogs/top-6-metrics-for-your-data-loss-prevention-program

Raghavarapu, Mounika. "Understand DLP Key Use Cases." Cymune, 12 June 2021. Accessed 7 Feb. 2023. https://www.cymune.com/blog-details/DLP-key-use-cases

Sheela, G. P., & Kumar, N. "Data Leakage Prevention System: A Systematic Report." International Journal of Recent Technology and Engineering BEIESP, 30 Nov. 2019. Accessed 2 March 2023. https://www.ijrte.org/wp-content/uploads/papers/v8i4/D6904118419.pdf

Sujir, Shiv. "What is Data Loss Prevention? Complete Guide [2022]." Pathlock, 15 Sep. 2022. Accessed 7 February 2023. https://pathlock.com/learn/what-is-data-loss-prevention-complete-guide-2022/

Wlosinski, Larry G. "Data Loss Prevention - Next Steps." ISACA Journal, 16 Feb. 2018. Accessed 21 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/data-loss-preventionnext-steps

Develop an IT Asset Management Strategy

Define your business-aligned approach to ITAM.

Table of Contents

4 Analyst Perspective

5 Executive Summary

17 Phase 1: Establish Business-Aligned ITAM Goals and Priorities

59 Phase 2: Support ITAM Goals and Priorities

116 Bibliography

Develop an IT Asset Management Strategy

Define your business-aligned approach to ITAM.

EXECUTIVE BRIEF

Analyst Perspective

Track hardware and software. Seems easy, right? It’s often taken for granted that IT can easily and accurately provide definitive answers to questions like “how many laptops do we have at Site 1?” or “do we have the right number of SQL licenses?” or “how much do we need to budget for device replacements next year?” After all, don’t we know what we have? IT can’t easily provide these answers because to do so you must track hardware and software throughout its lifecycle – which is not easy. And unfortunately, you often need to respond to these questions on very short notice because of an audit or to support a budgeting exercise. IT Asset Management (ITAM) is the solution. It’s not a new solution – the discipline has been around for decades. But the key to success is to deploy the practice in a way that is sustainable, right-sized, and maximizes value. Use our practical methodology to develop and document your approach to ITAM that is aligned with the goals of your organization. Andrew Sharp Research Director Infrastructure & Operations Practice Info-Tech Research Group

Realize the value of asset management Cost optimization, application rationalization and reduction of technical debt are all considered valuable to right-size spending and improve service outcomes. Without access to accurate data, these activities require significant investments of time and effort, starting with creation of point-in-time inventories, which lengthens the timeline to reaching project value and may still not be accurate. Cost optimization and reduction of technical debt should be part of your culture and technical roadmap rather than one-off projects. Why? Access to accurate information enables the organization to quickly make decisions and pivot plans as needed. Through asset management, ongoing harvest and redeployment of assets improves utilization-to-spend ratios. We would never see any organization saying, “We’ve closed our year end books, let’s fire the accountants,” but often see this valuable service relegated to the back burner. Similar to the philosophy that “the best time to plant a tree is 20 years ago and the next best time is now,” the sooner you can start to collect, validate, and analyze data, the sooner you will find value in it. Sandi Conrad Principal Research Director Infrastructure & Operations Practice Info-Tech Research Group

Executive Summary

Info-Tech Insight

ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

Common obstacles

Info-Tech's IT Asset Management Framework (ITAM)

Adopt, manage, and mature activities to enable business value thorugh actionable, accessible, and accurate ITAM data

	Enable Business Value
Business-Aligned Spend Optimization and Transparency	Facilitate IT Services and Products Actionable, Accessible, and Accurate Data	Context-Aware Risk Management and Security Controls
Plan & Govern Business Goals, Risks, and Structure ITAM Goals & Priorities Roles, Accountability, Responsibilities Scope Ongoing Management Commitment Resourcing & Funding Policies & Enforcement Continuous Improvement Culture ITAM Education, Awareness & Training Organizational Change Management		Build & Manage Tools & Data ITAM Tool Selection & Deployment Configuration Management Synchronization IT Service Management Integration Process Process Management Data & Process Audits Document Management People, Policies, and Providers Stakeholder Management Technology Standardization Vendor & Contract Management

Info-Tech Insight

ITAM is a foundational IT service that provides actionable, accessible, and accurate data on IT assets. But there's no value in data for data's sake. Use this methodology to enable collaboration between ITAM, the business, and IT to develop an approach to ITAM that maximizes the value the ITAM team can deliver as service providers.

Key deliverable

IT asset management requires ongoing practice – you can’t just implement it and walk away. Our methodology will help you build a business-aligned strategy and approach for your ITAM practice with the following outputs: Business-aligned ITAM priorities, opportunities, and goals. Current and target state ITAM maturity. Metrics and KPIs. Roles, responsibilities, and accountability. Insourcing, outsourcing, and (de)centralization. Tools and technology. A documentation framework. Initiatives, a roadmap, and a communication plan.

Each step of this blueprint is designed to help you create your IT asset management strategy:

Info-Tech’s methodology to develop an IT asset management strategy

Insight Summary

There’s no value in data for data’s sake

ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an approach to ITAM that maximizes the value they can deliver as service providers.

Service provider to a service provider

ITAM is often viewed (when it’s viewed at all) as a low-value administrative task that doesn’t directly drive business value. This can make it challenging to build a case for funding and resources.

Your ITAM strategy is a critical component to help you define how ITAM can best deliver value to your organization, and to stop creating data for the sake of data or just to fight the next fire.

Collaboration over order-taking

To align ITAM practices to deliver organizational value, you need a very clear understanding of the organization’s goals – both in the moment and as they change over time.

Ensure your ITAM team has clear line of sight to business strategy, objectives, and decision-makers, so you can continue to deliver value as priorities change

Embrace dotted lines

ITAM teams rely heavily on staff, systems, and data beyond their direct area of control. Identify how you will influence key stakeholders, including technicians, administrators, and business partners.

Help them understand how ITAM success relies on their support, and highlight how their contributions have created organizational value to encourage ongoing support.

Project benefits

Benefits for IT Set a foundation and direction for an ITAM practice that will allow IT to manage risk, optimize spend, and enhance services in line with business requirements. Establish accountability and responsibility for essential ITAM activities. Decide where to centralize or decentralize accountability and authority. Identify where outsourcing could add value. Create a roadmap with concrete, practical next steps to develop an effective, right-sized ITAM practice.

Benefits for the business Plan and control technology spend with confidence based on trustworthy ITAM data. Enhance IT’s ability to rapidly and effectively support new priorities and launch new projects. Effective ITAM can support more streamlined procurement, deployment, and management of assets. Implement security controls that reflect your total technology footprint. Reduce the risk that a forgotten device or unmanaged software turns your organization into the next Colonial Pipeline.

Info-Tech offers various levels of support to best suit your needs

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI around 12 calls over the course of 6 months.

What does a typical GI on this topic look like?

Phase Outcomes:

Defined, business-aligned goals, priorities, and KPIs for ITAM. A concise vision and mission statement. The direction you need to establish a practical, right-sized, effective approach to ITAM for your organization.

Before you get started

0.1 Identify participants

Output: List of key roles for the strategy exercises outlined in this methodology

Participants: Project sponsor, Lead facilitator, ITAM manager and SMEs

This methodology relies on having the right stakeholders in the room to identify ITAM goals, challenges, roles, structure, and more. On each activity slide in this deck, you’ll see an outline of the recommended participants. Use the table below to translate the recommended roles into specific people in your organization. Note that some people may fill multiple roles.

0.2 Estimate asset numbers

Output: Estimates of quantity and spend related to IT assets, Confidence/margin of error on estimates

Participants: IT asset manager, ITAM team

What do you know about your current IT environment, and how confident are you in that knowledge?

0.3 Create a working folder

Output: A repository for templates and work in progress

Participants: Lead facilitator

Download a copy of the ITAM Strategy Template. This will be the repository for all the work you do in the activities listed in this blueprint; take a moment to read it through and familiarize yourself with the contents. House the template in a shared repository that can house other related work in progress. Share this folder with participants so they can check in on your progress. You’ll see this callout box: Add your results to your copy of the ITAM Strategy Template as you work through activities in this blueprint. Copy the output to the appropriate slide in the ITAM Strategy Template.

Collect action items as you go

Don’t wait until the end to write down your good ideas. The last exercise in this methodology is to gather everything you’ve learned and build a roadmap to improve the ITAM practice. The output of the exercises will inform the roadmap, as they will highlight areas with opportunities for improvement. Write them down as you work through the exercises, or you risk forgetting valuable ideas. Keep an “idea space” – a whiteboard with sticky notes or a shared document – to which any of your participants can post an idea for improvement and that you can review and consolidate later. Encourage participants to add their ideas at any time during the exercises.

Step 1.1: Brainstorm ITAM opportunities and challenges

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Rally the working group around a collection of ideas that, when taken together, create a vision for the future ITAM practice.
• Identify your organization’s current ITAM challenges.

“ITAM is a cultural shift more than a technology shift.” (Rory Canavan, SAM Charter)

What is an IT Asset?

Any piece of technology can be considered an asset, but it doesn’t mean you need to track everything.
	According to the ISO 19770 standard on ITAM, an IT Asset is “[an] item, thing, or entity that can be used to acquire, process, store and distribute digital information and has potential or actual value to an organization.” These are all things that IT is expected to support and manage, or that have the potential to directly impact services that IT supports and manages.
	IT assets are distinct from capital assets. Some IT assets will also be capital assets, but not all will be. And not all capital assets are IT assets, either.
	IT assets are typically tracked by IT, not by finance or accounting. IT needs more from their IT asset tracking system than the typical finance department can deliver. This can include end-user devices, software, IT infrastructure, cloud-based resources, third-party managed IT services, Internet-of-Things devices, embedded electronics, SCADA equipment, “smart” devices, and more.
	It’s important to track IT assets in a way that enables IT to deliver value to the business – and an important part of this is understanding what not to track. This list should be aligned to the needs of your organization.

Enable business value with IT asset management

If you’ve never experienced a mature ITAM program before, it is almost certainly more rewarding than you’d expect once it’s functioning as intended.

Each of the below activities can benefit from accessible, actionable, and accurate ITAM data.

• Which of the activities, practices, and initiatives below have value to your organization?
• Which could benefit most from ITAM data?

1.1 Brainstorm ideas to create a vision for the ITAM practice

Input: Stakeholders with a vision of what ITAM could provide, if resourced and funded adequately

Output: A collection of ideas that, when taken together, create a vision for the future ITAM practice

Materials: ITAM strategy template, Whiteboard or virtual whiteboard

Participants: ITAM team, IT leaders and managers, ITAM business partners

It can be easy to lose sight of long-term goals when you’re stuck in firefighting mode. Let’s get the working group into a forward-looking mindset with this exercise.

Think about what ITAM could deliver with unlimited time, money, and technology.

1. Provide three sticky notes to each participant.
2. Add the headings to a whiteboard, or use a blank slide as a digital whiteboard
3. On each sticky note, ask participants to outline a single idea as follows:
   1. We could: [idea]
   2. Which would help: [stakeholder]
   3. Because: [outcome]
4. Ask participants to present their sticky notes and post them to the whiteboard. Ask later participants to group similar ideas together.

As you hear your peers describe what they hope and expect to achieve with ITAM, a shared vision of what ITAM could be will start to emerge.

1.1 Identify structural ITAM challenges

30 minutes

Input: The list of common challenges on the next slide, Your estimated visibility into IT assets from the previous exercise, The experience and knowledge of your participants

Output: Identify current ITAM challenges

Materials: Your working copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

1.1 Identify structural ITAM challenges

Review and update the list of common challenges below to reflect your own organization.

Copy results to your copy of the ITAM Strategy Template

Step 1.2: Review organizational priorities, strategy, initiatives

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• Business executives or their delegates

Outcomes

• Review organizational priorities and strategy.
• Identify key initiatives.

Executive Alignment Session Overview

ITAM Strategy Working Sessions

• Discover & Brainstorm
• Executive Alignment Working Session
  • 1.2 Review organizational strategy, priorities, and key initiatives
  • 1.3 Align executive priorities with ITAM opportunities, set ITAM priorities
• ITAM Practice Maturity, Vision & Mission, Metrics & KPIs
• Scope, Outsourcing, (De)Centralization, RACI
• Service Management Integration
• ITAM Tools
• Audits, Budgets, Documents
• Roadmap & Comms Plan

A note to the lead facilitator and project sponsor:
Consider working through these exercises by yourself ahead of time. As you do so, you’ll develop your own ideas about where these discussions may go, which will help you guide the discussion and provide examples to participants.

1.2 Review organizational strategy and priorities

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leadership, Business executives or delegates

Welcome your group to the working session and outline the next few exercises using the previous slide.

Ask the most senior leader present to provide a summary of the following:

1. What is the vision for the organization?
2. What are our priorities and what must we absolutely get right?
3. What do we expect the organization to look like in three years?

The facilitator or a dedicated note-taker should record key points on a whiteboard or flipchart paper.

1.2 Identify transformational initiatives

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leadership, Business executives or delegates

Ask the most senior leader present to provide a summary of the following: What transformative business and IT initiatives are planned? When will they begin and end?

Using one box per initiative, draw the initiatives in a timeline like the one below.

Add your results to your copy of the ITAM Strategy Template

Step 1.3: Set business-aligned ITAM priorities

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• Business executives

Outcomes

• Connect executive priorities to ITAM opportunities.
• Set business-aligned priorities for the ITAM practice.

1.3 Align executive priorities with ITAM opportunities

45 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leaders and managers, Business executives or delegates

In this exercise, we’ll use the table on the next slide to identify the top priorities of key business and IT stakeholders and connect them to opportunities for the ITAM practice.

1. Ask your leadership or executive delegates – what are their goals? What are they trying to accomplish? List roles and related goals in the table.
2. Brainstorm opportunities for IT asset management to support listed goals:
   1. Can ITAM provide an enhanced level of service, access, or insight?
   2. Can ITAM address an existing issue or mitigate an existing risk?

Add your results to your copy of the ITAM Strategy Template

1.3 Align executive priorities with ITAM opportunities (example)

1.3 Categorize ITAM opportunities

10-15 minutes

Input: The outputs from the previous exercise

Output: Executive priorities, sorted into the three categories at the right

Materials: The table in this slide, The outputs from the previous exercise

Participants: Lead facilitator

Give your participants a quick break. Quickly sort the identified ITAM opportunities into the three main categories below as best you can.

We’ll use this table as context for the next exercise.

Add your results to your copy of the ITAM Strategy Template

1.3 Set ITAM priorities

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: Whiteboard, The template on the next slide, Your copy of the ITAM Strategy Template

Participants: Asset manager, IT leaders and managers, Business executives or delegates

The objective of this exercise is to prioritize the outcomes your organization wants to achieve from its ITAM practice, given the context from the previous exercises.

Review the image below. The three points of the triangle are the three core goals of ITAM: Enhance IT Service, Manage Risk, and Optimize Spend. This exercise was first developed by Kylie Fowler of ITAM Intelligence. It is an essential exercise to understand ITAM priorities and the tradeoffs associated with those priorities. These priorities aren’t set in stone and should be revisited periodically as technology and business priorities change.

Draw the diagram on the next slide on a whiteboard. Have the most senior leader in the room place the dot on the triangle – the closer it is to any one of the goals, the more important that goal is to the organization. Note: The center of the triangle is off limits! It’s very rarely possible to deliver on all three at once. Track notes on what’s being prioritized – and why – in the template on the next slide.

Add your results to your copy of the ITAM Strategy Template

1.3 Set ITAM Priorities

The priorities of the ITAM practice are to: Optimize Spend Manage Risk Why? We believe there is significant opportunity right now to rationalize spend by consolidating key software contracts. Major acquisitions are anticipated in the near future. Effective ITAM processes are expected to mitigate acquisition risk by supporting due diligence and streamlined integration of acquired organizations. Ransomware and supply chain security threats have increased demands for a comprehensive accounting of IT assets to support security controls development and security incident response. (Update this section with notes from your discussion.)

Step 1.4: Identify ITAM goals, target maturity

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Connect executive priorities to ITAM opportunities.
• Set business-aligned priorities for the ITAM practice.

“ITAM is really no different from the other ITIL practices: to succeed, you’ll need some ratio of time, treasure, and talent… and you can make up for less of one with more of the other two.” (Jeremy Boerger, Consultant and Author)

1.4 Identify near- and medium-term goals

15-30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Narrow down the list of opportunities to identify specific goals for the ITAM practice.

1. Use one color to highlight opportunities you will seize in the next year.
2. Use a second color to highlight opportunities you plan to address in the next three years.
3. Leave blank anything you don’t intend to address in this timeframe.

The highlighted opportunities are your near- and medium-term objectives.

1.4 Connect ITAM goals to tactics

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Let’s dig down a little deeper. Connect the list of opportunities from earlier to specific ITAM tactics that allow the team to seize those opportunities.

Add another row to the earlier table for ITAM tactics. Brainstorm tactics with your participants (e.g. sticky notes on a whiteboard) and align them with the priorities they’ll support.

Add your results to your copy of the ITAM Strategy Template

1.4 Identify current and target state

20 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

We’ll use this exercise to identify the current and one-year target state of ITAM using Info-Tech’s ITAM maturity framework.

1. Review the maturity framework on the next slide as a group.
2. In one color, highlight statements that reflect your organization today. Summarize your current state. Are you in firefighter mode? Between “firefighter” and “trusted operator”?
3. In a second color, highlight statements that reflect where you want to be one year from today, taking into consideration the goals and tactics identified in the last exercise.
4. During a break, copy the highlighted statements to the table on the slide after next, then add this final slide to your working copy of the ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

Establish current and target ITAM maturity

Innovator – Optimized Asset Management All items from Business & Technology Partner, plus: Business and IT stakeholders collaborate regularly with the ITAM team to identify new opportunities to leverage or deploy ITAM practices and data to mitigate risks, optimize spend, and improve service. The ITAM program scales with the business. Business & Technology Partner – Proactive Asset Management All items from Trusted Operator, plus: The ITAM data is integral to decisions related to budget, project planning, IT architecture, contract renewal, and vendor management. Software and cloud assets are reviewed as frequently as required to manage costs. ITAM data consumers have self-serve access to ITAM data. Continuous improvement practices strengthen ITAM efficiency and effectiveness. ITAM processes, standards, and related policies are regularly reviewed and updated. ITAM teams work closely with SMEs for key tools/systems integrated with ITAM (e.g. AD, ITSM, monitoring tools) to maximize the value and reliability of integrations. Trusted Operator – Controls Assets ITAM data for deployed hardware and software is regularly audited for accuracy. Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Policies and procedures are documented and enforced. Key licenses and contracts are available to the ITAM team. Discovery, tracking, and analysis tools support most important use cases. Firefighter – Reactive Asset Tracking Data is often untrustworthy, may be fragmented across multiple repositories, and typically requires significant effort to translate or validate before use. Insufficient staff, fragmented or incomplete policies or documentation. Data tracking processes are extremely highly manual. Effective cooperation for ITAM data collection is challenging. ITAM tools are in place, but additional configuration or tooling is needed. Unreliable - Struggles to Support No data, or data is typically unusable. No allocated staff, no cooperation between parties responsible for ITAM data collection. No related policies or documentation. Tools are non-existent or not fit-for-purpose.

Current and target ITAM maturity

Today: Firefighter Data is often untrustworthy, is fragmented across multiple repositories, and typically requires significant effort to translate or validate before use. Insufficient staff, fragmented or incomplete policies or documentation. Tools are non-existent. In One Year: Trusted Operator ITAM data for deployed hardware and software is regularly audited for accuracy. Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Discovery, tracking, and analysis tools support most important use cases.

Innovator – Optimized Asset Management Business & Technology Partner – Proactive Asset Management Trusted Operator – Controls Assets Firefighter – Reactive Asset Tracking Unreliable - Struggles to Support

Step 1.5: Write mission and vision statements

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Write a mission statement that encapsulates the purpose and intentions of the ITAM practice today.
• Write a vision statement that describes what the ITAM practice aspires to become and achieve.

Write vision and mission statements

Create two statements to summarize the role of the ITAM practice today – and where you want it to be in the future.

1.5 Write an ITAM vision statement

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: A whiteboard, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT Leaders and managers

Your vision statement describes the ITAM practice as it will be in the far future. It is a target to aspire to, beyond your ability to achieve in the near or medium term.

Examples of ITAM vision statements:

Develop the single accurate view of IT assets, available to anyone who needs it.

Indispensable data brokers that support strategic decisions on the IT environment.

Provide sticky notes to participants. Write out the three questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

1. What’s the desired future state of the ITAM practice?
2. What needs to be done to achieved this desired state?
3. How do we want ITAM to be perceived in this desired state?

Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

Document your vision statement in your ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

1.5 Write an ITAM mission statement

30 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Your ITAM mission statement is an expression of what your IT asset management function brings to your organization today. It should be presented in straightforward language that is compelling, easy to understand, and sharply focused.

Examples of ITAM mission statements:

Maintain accurate, actionable, accessible on data on all IT assets.

Support IT and the business with centralized and integrated asset data.

Provide sticky notes to participants. Write out the questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

1. What is our role as the asset management team?
2. How do we support the IT and business strategies?
3. What does our asset management function offer that no one else can?

Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

Document your vision statement in your ITAM Strategy Template.

Add your results to your copy of the ITAM Strategy Template

Step 1.6: Define ITAM metrics and KPIs

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers

Outcomes

• Identify metrics, data, or reports that may be of interest to different consumers of ITAM data.
• Identify the key performance indicators (KPIs) for the ITAM practice, based on the goals and priorities established earlier.

Develop different metrics for different teams

A few examples:

• CIOs — CIOs need asset data to govern technology use, align to business needs, and demonstrate IT value. What do we need to budget for hardware and software in the next year? Where can we find money to support urgent new initiatives? How many devices and software titles do we manage compared to last year? How has IT helped the business achieve key goals?
• Asset Managers — Asset managers require data to help them oversee ITAM processes, technology, and staff, and to manage the fleet of IT assets they’re expected to track. What’s the accuracy rate of ITAM data? What’s the state of integrations between ITAM and other systems and processes? How many renewals are coming up in the next 90 days? How many laptops are in stock?
• IT Leaders — IT managers need data that can support their teams and help them manage the technology within their mandate. What technology needs to be reviewed or retired? What do we actually manage?
• Technicians — Service desk technicians need real-time access to data on IT assets to support service requests and incident management – for example, easy access to the list of equipment assigned to a particular user or installed in a particular location.
• Business Managers and Executives — Business managers and executives need concise, readable dashboards to support business decisions about business use of IT assets. What’s our overall asset spend? What’s our forecasted spend? Where could we reallocate spend?

1.6 Identify useful ITAM metrics and reports

60 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Use this exercise to identify as many potentially useful ITAM metrics and reports as possible, and narrow them down to a few high-priority metrics. Leverage the list of example metrics on the next slide for your own exercise. If you have more than six participants, consider splitting into two or more groups, and divide the table between groups to minimize overlap.

1. List potential consumers of ITAM data in the column on the left.
2. What type of information do we think this role needs? What questions about IT assets do we get on a regular basis from this role or team?
3. Review and consolidate the list as a group. Discuss and highlight any metrics the group thinks are a particularly high priority for tracking.

Add your results to your copy of the ITAM Strategy Template

Examples of ITAM metrics

Differentiate between metrics and KPIs

Key performance indicators (KPIs) are metrics with targets aligned to goals. Targets could include one or more of: Target state (e.g. completed) Target magnitude (e.g. number, percent, rate, dollar amount) Target direction (e.g. trending up or down) You may track many metrics, but you should have only a few KPIs (typically 2-3 per objective). A breached KPI should be a trigger to investigate and remediate the root cause of the problem, to ensure progress towards goals and priorities can continue. Which KPIs you track will change over the life of the practice, as ITAM goals and priorities shift. For example, KPIs may initially track progress towards maturing ITAM practices. Once you’ve reached target maturity, KPIs may shift to track whether the key service targets are being met.

1.6 Identify ITAM KPIs

20 minutes

Input: Organizational strategy documents

Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers

Good KPIs are a more objective measure of whether you’re succeeding in meeting the identified priorities for the ITAM practice.

Identify metrics that can measure progress or success against the priorities and goals set earlier. Aim for around three metrics per goal. Identify targets for the metric you think are SMART (specific, measurable, achievable, relevant, and timebound). Track your work using the example table below.

Add your results to your copy of the ITAM Strategy Template

Develop an IT Asset Management Strategy

Phase Outcomes:

Establish an approach to achieving ITAM goals and priorities, including scope, structure, tools, service management integrations, documentation, and more.

Create a roadmap that enables you to realize your approach.

Step 2.1: Define ITAM Scope

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Establish what types of equipment and software you’ll track through the ITAM practice.
• Establish which areas of the business will be in scope of the ITAM practice.

Determine ITAM Scope

Focus on what’s most important and then document it so everyone understands where they can provide the most value.

2.1 Establish scope for ITAM

45 minutes

Input: Organizational strategy documents

Output: ITAM scope, in terms of types of assets tracked and not tracked

Materials: The table in this slide, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

Establish the hardware and software that are within the scope of the ITAM program by updating the tables below to reflect your own environment. The “out of scope” category will include asset types that may be of value to track in the future but for which the capability or need don’t exist today.

The following locations will be included in the ITAM program: All North and South America offices and retail locations.

Add your results to your copy of the ITAM Strategy Template

Step 2.2: Acquire ITAM Services

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Define the type of work that may be more effectively or efficiently delivered by an outsourcer or contractor.

“We would like our clients to come to us with an idea of where they want to get to. Why are you doing this? Is it for savings? Because you want to manage your security attack surface? Are there digital initiatives you want to move forward? What is the end goal?” (Mike Austin, MetrixData 360)

Effectively acquire ITAM services

Allow your team to focus on strategic, value-add activities by acquiring services that free them from commodity tasks. When determining which asset capabilities and activities are best kept in-house and which ones are better handled by a supplier, it is imperative to keep the value to the business in mind. Activities/capabilities that are challenging to standardize and are critical to enabling business goals are better kept in-house. Activities/capabilities that are (or should be) standardized and automated are ideal candidates for outsourcing. Outsourcing can be effective and successful with a narrow scope of engagement and an alignment to business outcomes. Organizations that heavily weigh cost reduction as a significant driver for outsourcing are far less likely to realize the value they expected to receive.

Business Enablement Supports business-aligned ITAM opportunities & priorities Highly specialized Offers competitive advantages

Vendor’s Performance Advantage Talent or access to skills Economies of scale Access to technology Does not require deep knowledge of your business

Decide what to outsource

It’s rarely all or nothing.

2.2 Identify outsourcing opportunities

1-2 hours

Input: Understanding of current ITAM processes and challenges

Output: Understanding of potential outsourcing opportunities

Materials: The table in this slide, and insight in previous slides, Your copy of the ITAM Strategy Template

Participants: ITAM team, IT leaders and managers, ITAM business partners

At a high level, discuss which functions of ITAM are good candidates for outsourcing.

Start with the previous slide for examples of outsourcing activities or capabilities directly related to or adjacent to the ITAM practice. Categorize these activities as follows:

Go through the list of activities to potentially or definitely outsource and confirm:

1. Will outsourcing solve a resourcing need for an existing process, or can you deliver this adequately in-house?
2. Will outsourcing improve the effectiveness and efficiency of current processes? Will it deliver more effective service channels or improved levels of reliability and performance consistency?
3. Will outsourcing provide or enable enhanced service capabilities that your IT customers could use, and which you cannot deliver in-house due to lack of scale or capacity?

Answering “no” to more than one of these questions suggests a need to further review options to ensure the goals are aligned with the potential value of the service offerings available.

Add your results to your copy of the ITAM Strategy Template

Step 2.3: Centralize or decentralize ITAM capabilities

Participants

• Project sponsor and lead facilitator
• ITAM team
• IT leaders and managers
• ITAM business partners

Outcomes

• Outline where the team(s) responsible for ITAM sit across the organization, who they report to, and who they need to work with across IT and the business.

Align ITAM with IT’s structure

ITAM’s structure will typically align with the larger business and IT structure. The wrong structure will undermine your ability to meet ITAM goals and lead to frustration, missed work, inefficiency, and loss of value.

Which of the four archetypes below reflects the structure you need?

1. Centralized — ITAM is entirely centralized in a single function, which reports into a central IT department.
2. Decentralized — Local IT groups are responsible and accountable for ITAM. They may coordinate informally but do not report to any central team.
3. Hybrid-Shared Services — Local IT can opt in to shared services but must follow centrally set ITAM practices to do so, usually with support from a shared ITAM function.
4. Hybrid-Federated — Local IT departments are free to develop their own approach to ITAM outside of core, centrally set requirements.

Centralized ITAM

Total coordination, control, and oversight

ITAM accountability, policies, tools, standards, and expertise – in this model, they’re all concentrated in a single, specialized IT asset management practice. Accountability, authority, and oversight are concentrated in the central function as well. A central ITAM team will benefit from knowledge sharing and task specialization opportunities. They are a visible single point of contact for ITAM-related questions The central ITAM team will coordinate ITAM activities across the organization to optimize spend, manage risk, and enhance service. Any local IT teams are supported by and directly answerable to the central ITAM team for ITAM activities. There is a single, centrally managed ITAM database. Wherever possible, this database should be integrated with other tools to support cross-solution automation (e.g. integrate AD to automatically reflect user identity changes in the ITAM database). This model drives cross-organization coordination and oversight, but it may not be responsive to specific and nuanced local requirements.

Example: Centralized Direct reporting relationship Dotted line working or reporting relationship

Decentralized ITAM

Maximize choice

Hybrid: Federation

Centralization with a light touch

Hybrid: Shared Services

Optional centralization

Structure data collection & analysis

Consider the implications of structure on data.

Structure budget and contract management

Contract consolidation creates economies of scale for vendor management and license pooling that strengthen your negotiating position with vendors and optimize spend.