Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
• The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

• Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
• Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

• Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
• Our unique approach:
• Assess resources and determine zero trust readiness.
• Address barriers and identify enablers.
• Prioritize initiatives and build out roadmap.
• Identify most appropriate vendors via vendor selection framework.
• Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

• Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
• Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
• To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
• Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
• To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

• Vendors use zero trust as a marketing buzzword.
• Organizations try to comprehend zero trust in their own limited views.
• Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

Info-Tech’s methodology for Building a Zero Trust Roadmap

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

• A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
• Improved security posture across the digital attack surface while focusing on the protect surface.
• An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

• Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
• Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
• Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
• Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

• This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
• Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

• Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
• Provide support for mobile and external partners.
• Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
• Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Workshop Overview

Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Identify and define the business goals.
• Identify the critical DAAS elements and protect surface.
• Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

• Security Team
• Business Executives
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

• Security leaders need to understand the direction the business is headed in.
• Wise security investments depend on aligning your security initiatives to business objectives.
• Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
• For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

Info-Tech Insight

Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

1. As a group, brainstorm the business goals of the organization.
2. Review relevant business and IT strategies.
3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

• Business and IT strategies

Output

• Prioritized list of business objectives

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders
• Risk Management
• Compliance
• Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

Understand protect surface

Data, Application, Asset, and Services

A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

Components of a protect surface

• Data
• Application
• Asset
• Services

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

Sample Scenario

INDUSTRY: Healthcare

SOURCE: Info-Tech Research Group

Illustration

A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

• What is the data that can’t be risked exfiltrated?
• What application(s) is used to access this data?
• What assets are used to generate and store the data?
• What are the services we rely on to be able to access the data?

DAAS Element

• The data here is the patient information.
• The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
• The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
• The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

DAAS and Zero Trust Pillar

This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

Shift from attack surface to protect surface

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

1.2 Identify critical DAAS elements

Estimated time 1-3 hours

1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.

• Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
• Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
• Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
• Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.

Download the Zero Trust Protect Surface Mapping Tool

Input

• Critical resources to protect
• Understanding of how they interoperate or connect

Output

• Protect surfaces

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders

1.3 Map business goals to critical DAAS elements

Estimated time 1-2 hours

1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.

• Each protect surface can be tied back to a business objective.

• Type in your business objectives if the drop-down list does not apply.

Download the Zero Trust Protect Surface Mapping Tool

Phase 2

Assess Key Capabilities and Identify Zero Trust Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Assess the organization’s current capabilities.
• Define the zero trust target state.
• Identify tasks to close gaps
• Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

The Info-Tech Zero Trust Framework

Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

• ACT Zero Trust Cybersecurity Current Trends. 2019
• NIST SP 800-207: Zero Trust Architecture. 2020
• DOD Zero Trust Reference Architecture. 2021
• NSA Embracing a Zero Trust Security Model. 2021
• CISA Zero Trust Maturity Model. 2021
• Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
• OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
• NSTAC Zero Trust and Trusted Identity Management. 2022
• NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

Identity

• Authentication
• Authorization
• Privileged Access Management

Applications

• Software Defined Compute
• DevSecOps
• Software Supply Chain

Devices

• Authentication
• Authorization
• Compliance

Networks

• Software Defined Networking
• Macro Segmentations
• Micro Segmentation

Data

• Software Defined Storage
• Data Loss Prevention
• Data Rights Management

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

2.1 Review the Info-Tech framework

Estimated time 30-60 minutes

1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
2. Customize the tool as required using the instructions in tab “2. Setup”:

• Define costing criteria
• Define benefits criteria
• Configure full-time equivalent hours and start year
• Input business goals as mapped to protect surfaces (see next slide)

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives

Output

• Customized framework

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT

2.1.1 Input business goals as mapped to protect surfaces

Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

1. Enter Business Goals.
2. Enter Protect Surfaces.
3. Enter Data.
4. Enter Application.
5. Enter Assets.
6. Enter Services.

Info-Tech Insight

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

2.2 Assess current capabilities and define zero trust target state

Estimated time 6-12 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives
• Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Current-state and target-state assessment for gap analysis

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

Understanding security target states

Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

AD HOC 01

Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

DEVELOPING 02

Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

DEFINED 03

A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

MANAGED 04

Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

OPTIMIZED 05

An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

2.2.1 Conduct current-state assessment

1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.

• Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.

Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

2.2.2 Review the Gap Analysis Dashboard

1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
2. Use the color-coded legend to see the size of the gap between your current and target state.
3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”

2.3 Identify tasks to close gaps

Estimated time 5 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Zero trust controls gap information

Output

• Gap closure task list

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

2.3 Identify tasks to close gaps (cont.)

1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:

• Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
• The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps require their own task. You can enter one task that may address multiple gaps.
• Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.

Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

2.4 Define tasks and initiatives

Estimated time 2-4 hours

1. As a group, review the gap tasks identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your tab “5. Task List.”
3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• Gap analysis

Output

• Refined list of tasks
• List of zero trust initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.4.1 Finalize your task list

1. Define the gap closure task list in tab “5. Task List”:
1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
2. Paste the list into the table in tab “5. Task List,” Task column.

• Use Paste Values to retain the table formatting.

• They have costs associated with them.
• They require initial effort to implement and ongoing effort to maintain.
• They must be accomplished dependently of other tasks.

1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”

Example: Initiative consolidation

In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

Info-Tech Insight

As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

2.4.2 Finalize your initiative list

1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

2.5 Align initiatives to business goals and protect surfaces

Estimated time 30-60 minutes

1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• List of zero trust initiatives
• Protect surfaces mapped to business objectives

Output

• List of zero trust initiatives aligned to business goals and protect surfaces

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.5.1 Align initiatives to business goals

1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
1. Use the legend to determine the most appropriate business goal(s).
2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.

2.5.2 Align initiatives to protect surfaces

1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
1. Use the legend to determine the most appropriate protect surface(s).
2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.

Phase 3

Evaluate Candidate Solutions and Finalize Roadmap

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Define solution criteria.
• Identify candidate solutions.
• Evaluate candidate solutions.
• Perform cost/benefit analysis.
• Prioritize initiatives and build roadmap.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

3.1 Define solution criteria

Estimated time 30-60 minutes

1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
2. Customize the tool as required using the instructions on the following slides.

Info-Tech Insight

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Download the Zero Trust Candidate Solutions Selection Tool

Input

• Zero trust initiative list

Output

• Zero trust candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

3.1.1 Define compliance and solution evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the compliance score and the solution score, which are the overall evaluation:

• Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
• Solution score consists of features score, usability score, affordability score, and architecture score.

3.1.2 Define remaining evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the remaining evaluation criteria:

• Tenets: Considers how well each initiative aligns with zero trust principles.
• Pillars: Considers how well each initiative aligns with zero trust pillars.
• Threats: Considers what zero trust threats are relevant with the candidate solution.
• Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
• Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
• Deployment Architecture: Considers the solutions deployment architecture capabilities.

Review available candidate solutions

The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

Download the Rapid Application Selection Framework research

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Sample whiteboard activity

• Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
• A sample sticky note is provided below for privileged access management.

• The PAM solution should support MFA
• Live session monitoring, audit, and reporting
• Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

3.2 Identify candidate solutions

Estimated time 2 hours

1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:

• Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

Input

• Candidate solutions for zero trust tasks and initiatives

Output

• Suitability evaluation of candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Info-Tech Insight

Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

Download the Zero Trust Candidate Solutions Selection Tool

3.2.1 Review candidate solutions

1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

3.3 Evaluate candidate solutions

Estimated time 3 hours

On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

Input

• Candidate solutions

Output

• Candidate solutions scored

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Download the Zero Trust Candidate Solutions Selection Tool

3.3.3 Evaluate solution scores

After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

1. On Features
   1. Enter Coverage.
   2. Enter Quality.
2. Enter Usability.
3. On Affordability
   1. Enter Initial Cost.
   2. Enter Ongoing Cost (annual).
4. Enter Architecture.

3.4 Perform cost/benefit analysis

Estimated time 1-2 hours

1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
2. Define dependencies or business impacts if they will help with prioritization.

Input

• Ranked candidate solutions
• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.4.1 Complete the cost/benefit analysis

Use Zero Trust Program Gap Analysis Tool.

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• Use the result from candidate selection to define the estimated costs.
• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

3.4.2 Optionally enter detailed cost estimates

Use Zero Trust Program Gap Analysis Tool.

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:

• You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
• You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
• You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

3.5 Prioritize initiatives

Estimated time 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:

• Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
• Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.5.1 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

1. Establish the axes and colors for your effort map:
1. X-axis represents the Benefit value from column J
2. Y-axis represents the Cost/Effort value from column H
3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

Input

• Outputs from activities 3.4.1 and 3.4.2

Output

• High-level prioritization for each of the gap-closing initiatives
• Visual representation of quantitative values

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.2 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

Input

• Outputs from activity 3.5.1

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.3 Refine the effort map’s visual output

30 minutes

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
2. Leverage the following 0-4 Execution Wave scale:
0. Underway –Initiatives that are already underway
1. Must Do – Initiatives that must happen right away
2. Should Do – Initiatives that should happen but need more time/support
3. Could Do – Initiatives that are not a priority
4. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the a-z scale.

• Use the lettering to track dependencies between initiatives.
• If one must take place before another, ensure that its letter comes first alphabetically.
• If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

Input

• Outputs from activity 3.5.2

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Wave assignment example

In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

3.6 Build roadmap

Estimated time 2-3 hours

1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list

Output

• Zero trust roadmap

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.6.1 Schedule initiatives using the Gantt chart

1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.

• You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
• You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
• 

3.6.2 Review your roadmap

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:

• Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
• Does your organization have regular change freezes throughout the year that will impact the schedule?
• Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
• Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
• Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.6.3 Review your cost/effort estimates table

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:

• Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
• If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

This table provides you with the information to have important conversations with management and stakeholders.

Phase 4

Formulate Policies for Roadmap Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Formulate zero trust policies for critical DAAS elements.
• Formulate zero trust policies to secure a path to access critical DAAS elements.

This phase involves the following participants:

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Understand the zero trust policy

Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
The policies help to prevent lateral movement.

Info-Tech Insight

The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

4.1.1 Formulate policy

Estimated time 1-2 hours

1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
2. The policy created should be consistent for both cloud and on-prem environments.
3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

4.1.2 Apply policy

1-2 hours

1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
2. Name the microperimeter and place it on a firewall.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Sticky Notes
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Microperimeter A
Protect Surface:
DAAS Elements:

Microperimeter B
Protect Surface:
DAAS Elements:

Microperimeter C
Protect Surface:
DAAS Elements:

4.2 Secure a path to access critical DAAS elements

How should you allow access to the resource?

This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

Conceptualized flow

With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

Phase 5

Monitor Zero Trust Roadmap Deployment

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Establish metrics for roadmap tasks.
• Track metrics for roadmap tasks.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

5.1 Establish metrics for roadmap tasks

Estimated time 2 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

Input

• Zero trust roadmap task list

Output

• Metrics for measuring zero trust task implementation and efficacy

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.1.1 Identify metrics to measure implementation and efficacy of tasks

Estimated time 3-4 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.

• If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

Info-Tech Insight

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

5.1.2 Document metric metadata

Estimated time 1-2 hours

For each metric defined in step 4.1.1:

1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).

• Add more columns under the Audience category if needed.
• Use “X” to identify if an audience group will be informed of the measurement of the metric.

5.2 Track and report metrics

Estimated time 2 hours

1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

Input

• Metrics for measuring zero trust task implementation and efficacy

Output

• Metric data and graphs for presenting zero trust implementation metrics to audience groups

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.2.1 Record baseline measurements for metrics

Estimated time 1-2 hours

On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
   (e.g. if any metric is being measured monthly, there should be one column per month)
4. Over time, conduct measurements of your metrics and store them in the table below.
5. Add notes, as necessary.

5.2.2 Report metric health to audience groups

Estimated time 1-2 hours

On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
3. Six different graphic representations of the tracked data for the selected metric will populate.

Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

5.3 Build a communication deck

Estimated time 2 hours

Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

In this communication deck template, you will find the following sections:

• Introduction
• Protect Surfaces
• Zero Trust Gap Analysis
• Zero Trust Initiatives & Tasks

Input

• Protect surfaces mapped to business goals
• Zero trust program gap analysis
• Zero trust roadmap initiatives and tasks
• Zero trust metrics

Output

• Communication deck for zero trust strategy

Materials

• Zero Trust Communication Deck

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Communication Deck

Summary of Accomplishment

Knowledge Gained

• Knowledge of protect surfaces and the business goals protecting them supports
• Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
• Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
• A defined set of security metrics assessing zero trust implementation progress and efficacy

Deliverables Completed

• Zero Trust Protect Surface Mapping Tool
• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool
• Zero Trust Progress Monitoring Tool
• Zero Trust Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Zero Trust Program Gap Analysis Tool

Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

Zero Trust Progress Monitoring Tool

Identify and track metrics for zero trust tasks and initiatives.

Research Contributors

• Aaron Benson, CME Group, Director of IAM Governance
• Brad Mateski, Zones, Solutions Architect for CyberSecurity
• Bob Smock, Info-Tech Research Group, Vice President of Consulting
• Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
• John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
• John Zhao, Fonterra, Enterprise Security Architect
• Rongxing Lu, University of New Brunswick, Associate Professor
• Sumanta Sarkar, University of Warwick, Assistant Professor
• Tim Malone, J.B. Hunt Transport, Senior Director Information Security
• Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

Related Info-Tech Research

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

Determine Your Zero Trust Readiness

IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

Mature Your Identity and Access Management Program

Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

• Assess identity and access requirements
• Identify initiatives using the identity lifecycle
• Prioritize initiatives and build a roadmap

Bibliography

• “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
• “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
• “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
• Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
• “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
• “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
• Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
• “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
• English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
• “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
• “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
• Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
• “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
• Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
• Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
• Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
• National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
• NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
• Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
• “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
• Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
• “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
• “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
• Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
• Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
• Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
• VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
• Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
• “Zero Trust Access.” Fortinet, n.d. Web.
• “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
• “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
• “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

Define a Release Management Process for Your Applications to Deliver Lasting Value

Use your releases to drive business value and enhance the benefits delivered by your move to Agile.

Analyst Perspective

Improving your release management strategy and practices is a key step to fully unlock the value of your portfolio.

As firms invest in modern delivery practices based around product ownership, Agile, and DevOps, organizations assume that’s all that is necessary to consistently deliver value. As organizations continue to release, they continue to see challenges delivering applications of sufficient and consistent quality.

Delivering value doesn’t only require good vision, requirements, and technology. It requires a consistent and reliable approach to releasing and delivering products and services to your customer. Reaching this goal requires the definition of standards and criteria to govern release readiness, testing, and deployment.

This will ensure that when you deploy a release it meets the high standards expected by your clients and delivers the value you have intended.

Dr. Suneel Ghei

Principal Research Director, Application Development

Info-Tech Research Group

Executive Summary

Your Challenge

• Your software platforms are a key enabler of your brand. When there are issues releasing, the brand suffers. Client confidence and satisfaction erode.
• Your organization has invested significant capital in creating a culture of product ownership, Agile, and DevOps. Yet the benefits from these investments are not yet fully realized.
• Customers have more choices than ever when it comes to products and services. They require features and capabilities delivered quickly, consistently, and of sufficient quality, otherwise they will look elsewhere.

Common Obstacles

• Development teams are moving faster but then face delays waiting for testing and deployment due to a lack of defined release cycle and process.
• Individual stages in your software development life cycle (SDLC), such as code collaboration, testing, and deployment, have become leaner, but the overall complexity has increased since many products and services are composed of many applications, platforms, and processes.
• The specifics of releasing products is (wrongly) classified as a technical concern and not a business concern, hindering the ability to prioritize improved release practices.

Info-Tech's Approach

• Develop a release management framework that efficiently and effectively orchestrates the different functions supporting a software’s release.
• Use the release management framework and turn release-related activities into non-events.
• Use principles of continuous delivery for converting your release processes from an overarching concern to a feature of a high-performing software practice.

Executive Summary

Info-Tech Insights

Turn release-related activities into non-events.

Eliminate the need for dedicating time for off-hour or weekend release activities. Use a release management framework for optimizing release-related tasks, making them predictable and of high quality.

Release management is NOT a part of the software delivery life cycle.

The release cycle runs parallel to the software delivery life cycle but is not tightly coupled with it. The act of releasing begins at the point requirements are confirmed and ends when user satisfaction is measurable. In contrast, the software delivery life cycle is focused on activities such as building, architecting, and testing.

All releases are NOT created equal.

Barring standard guiding principles, each release may have specific nuances that need to be considered as part of release planning.

Your release management journey

1. Optimize Applications Release Management - Set a baseline release management process and organization.
2. Modernize Your SDLC - Move your organization to Agile and increase throughput to feed releases.
3. Deliver on Your Digital Product Vision - Understand the practices that go into delivering products, including articulating your release plans.
4. Automate Testing to Get More Done - Create the ability to do more testing quickly and ensure test coverage.
5. Implement DevOps Practices That Work - Build in tools and techniques necessary for release deployment automation.
6. Define a Release Management Process to Deliver Lasting Value (We Are Here)

Define a Release Management Process for Your Applications to Deliver Lasting Value

Use your releases to drive business value and enhance the benefits delivered by your move to Agile.

Executive Brief

Your software delivery teams are expected to deliver value to stakeholders in a timely manner and with high quality

Software delivery teams must enable the organization to react to market needs and competitive changes to improve the business’ bottom line. Otherwise, the business will question the team’s competencies.

The business is constantly looking for innovative ways to do their jobs better and they need support from your technical teams.

The increased stress from the business is widening the inefficiencies that already exist in application release management, risking poor product quality and delayed releases.

Being detached from the release process, business stakeholders do not fully understand the complexities and challenges of completing a release, which complicates the team’s communication with them when issues occur.

IT Stakeholders Are Also Not Satisfied With Their Own Throughput

• Only 29% of IT employees find application development throughput highly effective.
• Only 9% of organizations were classified as having highly effective application development throughput.
• Application development throughput ranked 37th out of 45 core IT processes in terms of effectiveness.

(Info-Tech’s Management and Governance Diagnostic, N=3,930)

Your teams, however, struggle with core release issues, resulting in delayed delivery (and disappointed stakeholders)

Implementing tools on top of an inefficient pipeline can significantly magnify the existing release issues. This can lead to missed deadlines, poor product quality, and business distrust with software delivery teams.

COMMON RELEASE ISSUES

1. Local Thinking: Release decisions and changes are made and approved without consideration of the holistic system, process, and organization.
2. No Release Cadence: Lack of process governance and oversight generates unpredictable bottlenecks and load and ill-prepared downstream teams.
3. Mismanagement of Releases: Program management does not accommodate the various integrated releases completed by multiple delivery teams.
4. Poor Scope Management: Teams are struggling to effectively accommodate changes during the project.

The bottom line: The business’ ability to operate is dictated by the software delivery team’s ability to successfully complete releases. If the team performs poorly, then the business will do poorly as well. Application release management is critical to ensure business expectations are within the team’s constraints.

“As software becomes more embedded in the business, firms are discovering that the velocity of business change is now limited by how quickly they can deploy.” – Five Ways To Streamline Release Management, J.S. Hammond

Historically, managing releases has been difficult and complicated…

Typically, application release management has been hard to coordinate because…

• Software has multiple dependencies and coordinating their inclusion into a deployable whole was not planned.
• Teams many be spending too much time on features that are not needed any longer.
• Software development functions (such as application architecture, test-first or test-driven design, source code integration, and functional testing) are not optimized.
• There are no agreed upon service-level contracts (e.g. expected details in requirements, adequate testing, source control strategy) between development functions.
• The different development functions are not integrated in a holistic style.
• The different deployment environments have variability in their configuration, reducing the reliability of testing done in different environments.
• Minimum thresholds for acceptable quality of development functions are either too low (leading to adverse outcomes down stream) or too high (leading to unnecessary delays).

…but research shows being effective at application release management increases your throughput

Research conducted on Info-Tech's members shows overwhelming evidence that application throughput is strongly tied to an effective application release management approach.

(Info-Tech Management & Governance Diagnostic, since 2019; N=684 organizations)

An application release management framework is critical for effective and timely delivery of software

A well-developed application release management framework is transformative and changes...

Info-Tech Insight: Your application release management framework should turn a system release into a non-event. This is only possible through the development of a holistic, low-risk and standardized approach to releasing software, irrespective of their size or complexity.

Robust continuous “anything” requires proficiency in five core practices

A continuous anything evaluation should not be a “one-and-done” event. As part of ongoing improvements, keep evolving it to make it a fundamental component of a strong operational strategy.

Continuous Anything

• Automate where appropriate
  • Automation is not a silver bullet. All processes are not created equal; and therefore, some are not worthy of being automated.
• Control system variables
  • Deploying and testing in environments that are apple to apple in comparison reduces the risk of unintended outcomes from production release.
• Measure process outcomes
  • A process not open to being measured is a process bound to fail. If it can be measured, it should be, and insights found should be used for improving the system.
• Select smaller features batches
  • Smaller release packages reduce the chances of cognitive load associated with finding root causes for defects and issues that may result as post-production incidents.
• Reduction of cycle time
  • Identification of waste in each stage of the continuous anything process helps in lowering cost of operations and results in quicker generation of value for stakeholders.

Invest time in developing an application release management framework for your development team(s) with a continuous anything mindset

An application release management framework converts a set of features and make them ready for releasability in a low-risk, standardized, and high-quality process.

A continuous anything (integration, delivery, and deployment) mindset is based on a growth and improvement philosophy, where every event is considered a valid data point for investigation of process efficiency.

Diagram adapted from Continuous Delivery in the Wild, Pete Hodgson, Published by O'Reilly Media, Inc., 2020

Related Info-Tech Research

Streamline Application Maintenance

• Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
• Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance request to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
• Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

“Releasability” (or release criteria) of a system depends upon the inclusion of necessary building blocks and proof that they were worked on

There is no standard definition of a system’s releasability. However, there are common themes around completions or assessments that should be investigated as part of a release:

• The range of performance, technical, or compliance standards that need to be assessed.
• The full range of test types required for business approval: unit tests, acceptance tests, security test, data migration tests, etc.
• The volume-criticality mix of defects the organization is willing to accept as a risk.
• The best source and version control strategy for the development team. This is mostly a function of the team's skill with using release branches and coordinating their work artifacts.
• The addition of monitoring points and measures required for evaluations and impact analysis.
• The documentation required for audit and compliance.
• External and internal dependencies and integrations.
• Validations, approvals, and sign-offs required as part of the business’ operating procedure.
• Processes that are currently carried out outside and should be moved into the pipeline.
• Manual processes that may be automated.
• Any waste activities that do not directly contribute to releasability that can be eliminated from the development process.
• Knowledge the team has regarding challenges and successes with similar software releases in the past.

Releasability of a system is different than governing principles for application release management

Governing principles are fundamental ways of doing something, which in this case is application release management, while releasability will generally have governing principles in addition to specific needs for a successful release.

Example of Governing Principles

• Approval from Senior Director is necessary before releasing to production
• Production deployments can only be done in off-hours
• We will try to automate processes whenever it is possible for us to do so
• We will use a collaborative set of metrics to measure our processes

Examples of Releasability Criteria

• For the upcoming release, add performance testing for Finance and Budget Teams’ APIs
• Audit and compliance documentation is required for this release
• Automation of manual deployment
• Use trunk-based source code management instead of feature-based

Regulated industries are not more stable despite being less nimble

A pervasive myth in industry revolves around the misperception that continuous anything and nimble and non-event application release management is not possible in large bureaucratic and regulated organizations because they are risk-averse.

"We found that external approvals were negatively correlated with lead-time, deployment frequency and restore time, and had no correlation with change failure rate. In short, approval by an external body (such as a manager or Change Approval Board) simply doesn’t work to increase the stability of production systems…However, it certainly slows things down. It is in fact worse than having no change approval process at all." – Accelerate by Gene Kim, Jez Humble, and Nicole Forsgren

Many organizations reduce risk in their product release by adopting a paternalistic stance by:

• Requiring manual sign-offs from senior personnel who are external to the organization.
• Increasing the number and level of authorization gates.
• Staying away from change and preferring to stick with what has worked in the past.

Despite the prevalence of these types of responses to risk, the evidence is that they do not work and are in fact counter-productive because they:

• Create blocks to frequent releases.
• Introduce procedural complexity to each release and in effect make them “bigger.”
• Prefer process over people (and trusting them). Increase non-value-add scrutiny and reporting.

There is a persistent misunderstanding about continuous anything being only an IT engineering practice

01

At the enterprise level, continuous anything focuses on:

• Visibility of final value being provided in a high-quality and expedited manner
• Ensuring efficiency in the organization’s delivery framework
• Ensuring adherence to established governance and risk mitigation strategy

02

Focus of this blueprint

At the product level, continuous anything focuses on:

• Reliability of the product delivery system
• Use of scientific evidence for continuous improvement of the product’s delivery system
• Orchestration of different artifacts into a single whole

03

At the functional level, continuous anything focuses on*:

• Local functional optimization (functions = software engineering, testing, application design)
• Automation of local functions
• Use of patterns for standardizing inputs and functional areas

*Where necessary, practices at this level have been mentioned.

Related Info-Tech Research

Implement DevOps Practices That Work

• Be DevOps, rather than do DevOps. DevOps is a philosophy, not an industry framework. Your organization’s culture must shift toward system-wide thinking, cross-function collaboration, and empathy.
• Culture, learning, automation, integrated teams, and metrics and governance (CLAIM) are all critical components of effective DevOps.

Automate Testing to Get More Done

• Optimize and automate SDLC stages to recover team capacity. Recognize that automation without optimization is a recipe for long-term pain. Do it right the first time.
• Optimization and automation are not one-hit wonders. Technical debt is a part of software systems and never goes away. The only remedy is constant vigilance and enhancements to the processes.

The seeds of a good release are sown even before work on it begins

Pre-release practices such as requirements intake and product backlog management are important because:

• A standard process for documentation of features and requirements helps reduce “cognitive dissonance” between business and technology teams. Clearly articulated and well-understood business needs are fundamental ingredients of a high-quality product.
• Product backlog management done right ensures the prioritized delivery of value to stakeholders. Features can become stale or get a bump in importance, depending upon evolving circumstances. Prioritizing the backlog is, therefore, critical for ensuring time, effort, and budget are spent on things that matter.

Improve Service Desk Ticket Queue Management

Strong queue management is the foundation to good customer service

Analyst Perspective

Secure your foundation before you start renovating.

Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.

Natalie Sansone, PhD
Senior Research Analyst, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Your Challenge

• Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
• New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
• Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

Common Obstacles

• All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
• There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
• Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
• Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

Info-Tech’s Approach

• Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
• Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
• Establish clear ownership and accountability for queue management.
• Once processes have been defined, identify opportunities to build in automation to improve efficiency.

Info-Tech Insight

If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

Timeliness is essential to customer satisfaction

And timeliness can’t be achieved without good queue management practices.

As soon as that ticket comes in, the clock starts ticking…

A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

For every 12-hour delay in response time*, CSAT drops by 9.6%.

*to email and web support tickets
Source: Freshdesk, 2021

A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

A queue is simply a line of people (or tickets) waiting to be helped

When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

Ticket Queue

Email/web
Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

Phone
For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

Chat
Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

Queue Management

Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

• Review incoming tickets
• Categorize and prioritize tickets
• Route or assign appropriately
• View or update ticket status
• Monitor resource workload
• Ensure tickets are being actioned in time
• Proactively identify SLA breaches

Ineffective queue management can bury you in backlog

Ticket backlog with poor queue management

Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

Ticket backlog with good queue management

With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

A growing backlog will quickly lead to dissatisfied end users and staff

Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

Common challenges with queue management include:

• Tickets come in through multiple channels and aren’t consolidated into a single queue
• New tickets sit unassigned for too long, resulting in long response times
• Tickets move around between multiple queues with no clear ownership
• Assigned tickets sit too long in a queue without progress and breach SLA
• No accountability for queue ownership and monitoring
• Technicians cherry pick the easiest tickets from the queue
• Technicians have no easy way to organize their queue to know what to work on next

This leads to:

• Long response times
• Long resolution times
• Poor workload distribution and efficiency
• High backlog
• Disengaged, frustrated staff
• Dissatisfied end users

Info-Tech Insight

A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

Dig yourself out with strong queue management

Strong queue management is the foundation to good customer service.

Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

A mature queue management process will:

• Reduce response time to address tickets.
• Effectively prioritize tickets and ensure everyone knows what to work on next.
• Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
• Reduce overall resolution time to resolve tickets.
• Enable greater accountability for queue management and monitoring of tickets.
• Improve customer and employee satisfaction.

As queue management maturity increases:
Response time decreases
Resolution time decreases
Backlog decreases
End-user satisfaction increases

Ten Tips to Effectively Manage Your Queue

The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

1. Define your optimal queue structure
2. Design and assign resources to relevant queues
3. Define and document queue management processes
4. Clearly define queue management responsibilities for every team member
5. Establish clear ownership & accountability over all queues
6. Always keep ticket status and documentation up to date
7. Shift left to reduce queue volume
8. Build-in automation to improve efficiency
9. Configure your ITSM tool to support and optimize queue management processes
10. Don’t lose visibility of the backlog

#1: Define your optimal queue structure

There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

Sample queue structures

*Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

Triage and Assign

• All incoming tickets are assigned to an appropriate queue based on predefined criteria.
• Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
• Queue Manager, dedicated coordinator, or Tier 1 staff.
• Queues may be defined based on:
• Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
• Ticket category (e.g. Network, Office365, Hardware, etc.)
• Priority (e.g. P1, P2, P3, P4, P5)
• Resources may be assigned to multiple queues.

Define your optimal queue structure (cont.)

Tiered generalist model

• All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
• More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.

Unassigned queue

• Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
• Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.

#2: Design and assign resources to relevant queues

Once you’ve defined your overall structure, define the content of each queue.

Info-Tech Insight

Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

#3 Define and document queue management processes

A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

Process recommendations

As you define queue management processes, keep the following advice in mind:

Rotate triage role

The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

Limit and prioritize channels

You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

Prioritize first

Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

Define VIP treatment

In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

Consider time zone

If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

Info-Tech Insight

Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

For more detailed process guidance, see Standardize the Service Desk

Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

• Service desk structure, roles, and responsibilities
• Metrics and reporting
• Ticket handling and ticket quality
• Incident and critical incident management
• Ticket categorization
• Prioritization and escalation
• Service request fulfillment
• Self-service considerations
• Building a knowledgebase

#4 Clearly define queue management responsibilities for every team member

This may be one of the most critical yet overlooked keys to queue management success. Define the following:

Who will have overall accountability?

Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

Who will manage each queue?

Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

Who is responsible for assigning tickets?

Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

What are everyone’s responsibilities?

Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

#5 Establish clear ownership & accountability over all queues

If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

Info-Tech Insight

Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

Specific responsibilities may include:

• Monitors queues daily
• Ensures new tickets are assigned to appropriate resources for resolution
• Verifies tickets have been routed and assigned correctly and reroutes if necessary
• Reallocates tickets if assigned resource is suddenly unavailable or away
• Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
• Escalates tickets that are aging or about to breach
• Ensures service level objectives or agreements are met
• Facilitates resource allocation based on workload
• Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
• Associates child and parent tickets
• Prepares reports on ticket status and volume by queues
• Regularly reviews reports to identify and act on issues and make improvements or changes where needed
• Identifies opportunities for improvement

#6 Always keep ticket status and documentation up to date

Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

Ticket Documentation
Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

Ticket Status
The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

Common ticket statuses include:

• New/open
• Assigned
• In progress
• Declined
• Canceled
• Pending/on hold
• Resolved
• Closed
• Reopened

For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

• For ticket handling and documentation, see Step 1.4
• For ticket status fields, see Step 2.2.

#7 Shift left to reduce queue volume

Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

Shift to Level 1

• Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
• Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
• Embed knowledge management in resolution workflows.

Shift to End User

• Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
• Communicate and train users on how to use the portal regularly update and improve it.

Automate & Eliminate

• Identify processes or tasks that could be automated to eliminate work.
• Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

#8 Build in automation to improve efficiency

Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

For more guidance on implementing automation and AI within your service desk, see these blueprints:

For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

Sample automation rules

Criteria or triggers you can automate actions based on:

• Ticket type
• Specific field in a ticket web form
• Ticket form that was used (e.g. specific service request form from the portal)
• Ticket category
• Ticket priority
• Keyword in an email subject line
• Keywords or string in a chat
• Requester name or email
• Requester location
• Requester/ticket language
• Requester VIP status
• Channel ticket was received through
• SLAs or time-based automations
• Agent skill
• Agent status or capacity

Fields or actions those triggers can automate

• Priority
• Category
• Ticket routing
• Assigned agent
• Assigned queue
• SLA/due date
• Notifications/communication

Sample Automation Rules

• When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
• When ticket comes from VIP user, set urgency to high.
• When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
• When ticket status has been set to “on hold” for five days, send a reminder to assignee.
• When ticket is categorized as “Software-ERP,” send to ERP queue.
• When ticket is prioritized as P1/critical, send alert to emergency response team.
• When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
• When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
• When ticket has not been resolved within seven days, flag as aging ticket.

#9 Configure your ITSM tool to support and optimize queue management processes

Configure your tool to support your needs; don’t adjust your processes to match the tool.

• Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
• Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
• Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
• Configure which queues or views new tickets will be sent to.
• Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
• Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

Info-Tech Insight

It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

Configure queues to maximize productivity

Info-Tech Insight

The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

#10 Don’t lose visibility of the backlog

Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

• Ticket resolution time by priority, by workgroup
• Ticket volume by status (i.e. open, in progress, on hold, resolved)
• Ticket volume by age
• Ticket volume by queue and assignee

Regularly review reports on these metrics with the team.

Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

Take action on aging tickets to ensure progress is being made.

Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

Schedule times for your team to tackle aged tickets or tickets in the backlog.

Info-Tech Insight

It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

Activity 1.1: Define ticket queues

1 hour

Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

Note:

The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

Input

• Current queue structure and roles

Output

• Defined service desk ticket queues and assigned responsibilities

Materials

• Org chart
• ITSM tool for reference, if needed

Participants

• Service Desk Manager
• IT Director
• Queue Managers

Document in the Service Desk Queue Structure Template.

Related Info-Tech Research

Standardize the Service Desk

This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

Optimize the Service Desk With a Shift-Left Strategy

This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

Improve Service Desk Ticket Intake

This project will help you streamline your ticket intake process and identify improvements to your intake channels.

Staff the Service Desk to Meet Demand

This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

Works Cited

“What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

Document and Maintain Your Disaster Recovery Plan

Put your DRP on a diet – keep it fit, trim, and ready for action.

ANALYST PERSPECTIVE

The traditional disaster recovery plan (DRP) “red binder” is dead. It takes too long to create, it’s too hard to maintain, and it’s not usable in a crisis.

“This blueprint outlines the following key tactics to streamline your documentation effort and produce a better result:

• Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.
• Use flowcharts, checklists, and diagrams over traditional manuals. This drives documentation that is more concise, easier to maintain, and effective in a crisis.
• Create your DRP in layers to get tangible results faster, starting with a recovery workflow that outlines your DR strategy, and then build out the specific documentation needed to support recovery.”

This project is about DRP documentation after you have clarified your DR strategy; create these necessary inputs first

These artifacts are the cornerstone for any disaster recovery plan.

• Business Impact Analysis
• DR Roles and Responsibilities
• Recovery Workflow

Missing a component? Start here. ➔ Create a Right-Sized Disaster Recovery Plan

This blueprint walks you through building these inputs.
Our approach saves clients on average US$16,825.22. (Clients self-reported an average saving of US$16,869.21 while completing the Create a Right-Sized Disaster Recovery Plan blueprint through advisory calls, guided implementations, or workshops (Info-Tech Research Group, 2017, N=129).)

How this blueprint will help you document your DRP

This Research is Designed For:

• IT managers in charge of disaster recovery planning (DRP) and execution.
• Organizations seeking to optimize their DRP using best-practice methodology.
• Business continuity professionals that are involved with disaster recovery.

This Research Will Help You:

• Divide the process of creating DR documentation into manageable chunks, providing a defined scope for you to work in.
• Identify an appropriate DRP document management and distribution strategy.
• Ensure that DR documentation is up to date and accessible.

This Research Will Also Assist:

• IT managers preparing for a DR audit.
• IT managers looking to incorporate components of DR into an IT operations document.

This Research Will Help Them:

• Follow a structured approach in building DR documentation using best practices.
• Integrate DR into day-to-day IT operations.

Executive summary

Situation

• DR documentation is often driven by audit or compliance requirements, rather than aimed at the team that would need to execute recovery.
• Traditional DRPs are text-heavy, 300+ page manuals that are simply not usable in a crisis.
• Compounding the problem, DR documentation is rarely updated, so it’s just shelf-ware.

Complication

• DRP is often given lower priority as day-to-day IT projects displace DR documentation efforts.
• Inefficient publishing strategies result in your DRP not being accessible during disasters or key staff not knowing where to find the latest version.
• Organizations that create traditional DRPs end up with massive manuals that are difficult to maintain, so they quickly become unreliable.

Resolution

• Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans – don’t mix the two into an all-in-one plan that is not effective for either audience.
• Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
• Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

Info-Tech Insight

1. DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
2. Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
3. Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

An effective DRP that mitigates a wide range of potential outages is critical to minimizing the impact of downtime

The criticality of having an effective DRP is underestimated.

Cost of Downtime for the Fortune 1000

• Cost of unplanned apps downtime per year: $1.25B to $2.5B
• Cost of critical apps failure per hour: $500,000 to $1M
• Cost of infrastructure failure per hour: $100,000
• 35% reported to have recovered within 12 hours.
• 17% of infrastructure failures took more than 24 hours to recover.
• 13% of application failures took more than 24 hours to recover.

Size of Impact Increasing Across Industries

• The cost of downtime is rising across the board and not just for organizations that traditionally depend on IT (e.g. e-commerce).
• Downtime cost increase since 2010:
  • Hospitality: 129% increase
  • Transportation: 108% increase
  • Media organizations: 104% increase

Potential Lost Revenue

The impact of downtime increases significantly over time, not just in terms of lost revenue (as illustrated here) but also goodwill/reputation and health/safety. An effective DR solution and overall resiliency that mitigate a wide range of potential outages are critical to minimizing the impact of downtime.

Without an effective DRP, your organization is gambling on being able to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks – and substantial impact.

Only 38% of those with a full or mostly complete DRP believe their DRPs would be effective in a real crisis

Organizations continue to struggle with creating DRPs, let alone making them actionable.

Why are so many living with either an incomplete or ineffective DRP? For the same reasons that IT documentation in general continues to be a pain point:

• It is an outdated model of what documentation should be – the traditional manual with detailed (lengthy) descriptions and procedures.
• Despite the importance of DR, low priority is placed on creating a DRP and the day-to-day SOPs required to support a recovery.
• There is a lack of effective processes for ensuring documentation stays up to date.

(Source: Info-Tech Research Group, N=165)

(Source: Info-Tech Research Group, N=69 (includes only those who indicated DRP is mostly completed or completed))

Improve usability and effectiveness with visual-based and more-concise documentation

Choose flowcharts over process guides, checklists over lengthy procedures, and diagrams over descriptions.

If you need a three-inch binder to hold your DRP, imagine having to flip through it to determine next steps during a crisis.

DR documentation needs to be concise, scannable, and quickly understood to be effective. Visual-based documentation meets these requirements, so it’s no surprise that it also leads to higher DR success.

DR success scores are based on:

• Meeting recovery time objectives (RTOs).
• Meeting recovery point objectives (RPOs).
• IT staff’s confidence in their ability to meet RTOs/RPOs.

“Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow.” (Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management)

Maintainability is another argument for visual-based, concise documentation

There are two end goals for your DR documentation: effectiveness and maintainability. Without either, you will not have success during a disaster.

Organizations using a visual-based approach were 30% more likely to find that DR documentation is easy to maintain.	➔	“Easy to maintain” leads to a 46% higher rate of DR success.

Not only are visual-based disaster recovery plans more effective, but they are also easier to maintain.

Overcome documentation inertia with a tiered model that allows you to eat the elephant one bite at a time

Start with a recovery workflow to at least ensure a coordinated response. Then use that workflow to determine required supporting documentation.

Recovery Workflow: Starting the project with overly detailed documentation can slow down the entire process. Overcome planning inertia by starting with high-level incident response plans in a flowchart format. For examples and additional information, see XMPL Medical’s Recovery Workflows.

Recovery Procedures (Systems Recovery Playbook): For each step in the high-level flowchart, create recovery procedures where necessary using additional flowcharts, checklists, and diagrams as appropriate. Leverage Info-Tech’s Systems Recovery Playbook example as a starting point.

Additional Reference Documentation: Reference existing IT documentation, such as network diagrams and configuration documents, as well as more detailed step-by-step procedures where necessary (e.g. vendor documentation), particularly where needed to support alternate recovery staff who may not be as well versed as the primary system owners.

Info-Tech Insight

Organizations that use flowcharts, checklist, and diagrams over traditional, dense DRP manuals are far more likely to meet their RTOs/RPOs because their documentation is more usable and easier to maintain.

Use a DRP summary document to satisfy executives, auditors, and clients

Stakeholders don’t have time to sift through a pile of paper. Summarize your overall continuity capabilities in one, easy-to-read place.

DRP Summary Document

• Summarize BIA results
• Summarize DR strategy (including DR sites)
• Summarize backup strategy
• Summarize testing and maintenance plans

Follow Info-Tech’s methodology to make DRP documentation efficient and effective

Follow XMPL Medical’s journey through DR documentation

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

Outline of the Disaster Recovery Plan

XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

Resulting Disaster Recovery Plan

XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

Disaster Recovery Plan

• Recovery Workflow
• Business Impact Analysis
• DRP Summary
• System Recovery Checklists
• Communication, Assessment, and Disaster Declaration Plan

Info-Tech Best Practice

XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

Model your disaster recovery documentation off of our example

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Recovery Workflow:

• Recovery Workflows (PDF, VSDX)

Recovery Procedures (Systems Recovery Playbook):

• DR Notification, Assessment, and Disaster Declaration Plan
• Systems Recovery Playbook
• Network Topology Diagrams

Additional Reference Documentation:

• DRP Workbook
• Business Impact Analysis
• DRP Summary Document

Use Info-Tech’s DRP Maturity Scorecard to evaluate your progress

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Document and Maintain Your Disaster Recovery Plan – Project Overview

	1. Streamline DRP Documentation	2. Select the Optimal DRP Publishing Strategy	3. Keep Your DRP Relevant
Best-Practice Toolkit	1.1 Start with a recovery workflow 1.2 Create supporting DRP documentation 1.3 Write the DRP summary	2.1 Create Committee Profiles	3.1 Build Governance Structure Map 3.2 Create Committee Profiles
Guided Implementations	Review Info-Tech’s approach to DRP documentation. Create a high-level recovery workflow. Create supporting DRP documentation. Write the DRP summary.	Identify criteria for selecting a DRP publishing strategy. Select a DRP publishing strategy. Optional: Select requirements for a BCM tool and issue an RFP. Optional: Review responses to RFP.	Learn best practices for integrating DRP maintenance into day-to-day IT processes. Learn best practices for DRP-focused reviews.
Onsite Workshop	Module 1: Streamline DRP documentation	Module 2: Select the optimal DRP publishing strategy	Module 3: Learn best practices for keeping your DRP relevant
	Phase 1 Outcome: A complete end-to-end DRP	Phase 2 Outcome: Selection of a publishing and management tool for your DRP documentation	Phase 3 Outcome: Strategy for maintaining your DRP documentation

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Goal: Learn how to document and maintain your DRP.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Phase 1: Streamline DRP Documentation

Step 1.1: Start with a recovery workflow

This step will walk you through the following activities:

• Review a model DRP.
• Review your recovery workflow.
• Identify documentation required to support the recovery workflow.

This step involves the following participants:

• DRP Owner
• System SMEs
• Alternate DR Personnel

Outcomes of this step

• Understanding the visual-based, concise approach to DR documentation.
• Creating a recovery workflow that provides a roadmap for coordinating incident response and identifying required supporting documentation.

Info-Tech Insights

A DRP is a collection of procedures and supporting documents that allow an organization to recover its IT services to minimize system downtime for the business.

1.1 — Start with a recovery workflow to ensure a coordinated response and identify required supporting documentation

The recovery workflow clarifies your DR strategy and ensures the DR team is on the same page.

“We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management.” (Assistant Director-IT Operations, Healthcare Industry)

Review business impact analysis (BIA) results to plan your recovery workflow

The BIA defines system criticality from the business’s perspective. Use it to guide system recovery order.

Specifically, review the following from your BIA:

• The list of tier 1, 2, and 3 applications. This will dictate the recovery order in your recovery workflow.
• Application dependencies. This will outline what needs to be included as part of an application recovery workflow.
• The recovery time objective (RTO) and recovery point objective (RPO) for each application. This will also guide the recovery, and enable you to identify gaps where the recovery workflow does not meet RTOs and RPOs.

CASE STUDY: The XMPL DRP documentation is based on this Business Impact Analysis Tool.

Haven’t conducted a BIA? Use Info-Tech’s streamlined approach.

Info-Tech’s publication Create a Right-Sized Disaster Recovery Plan takes a very practical approach to BIA work. Our process gives IT leaders a mechanism to quickly get agreement on system recovery order and DR investment priorities.

Conduct a tabletop planning exercise to determine your recovery workflow

1.1.1 Tabletop Planning Exercise

1. Define a scenario to drive the tabletop planning exercise:
   • Use a scenario that forces a full failover to your DR environment, so you can capture an end-to-end recovery workflow.
   • Avoid scenarios that impact health and safety such as tornados or a fire. You want to focus on IT recovery.
   • Example scenarios: Burst water pipe that causes data-center-wide damage or a gas leak that forces evacuation and power to be shut down for at least two days.

Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

Info-Tech Insight

Use scenarios to provide context for DR planning, and to test your plans, but don’t create a separate plan for every possibility.

The high-level recovery plan will be the same whether the incident is a fire, flood, or tornado. While there might be some variances and outliers, these scenarios can be addressed by adding decision points and/or separate, supplementary instructions.

Walk through the scenario and capture the recovery workflow

2. Capture the following information for tier 1, tier 2, and tier 3 systems:
   1. On white cue cards, record the steps and track start and end times for each step (where 00:00 is when the incident occurred).
   2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
   3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

Note:

• Ensure the language is sufficiently genericized (e.g. refer to events, not specifically a burst water pipe).
• Review isolated failures (e.g. hardware, software). Typically, the recovery procedure documented for individual systems covers the essence of the recovery workflow whether it’s just the one system that failed or it’s part of a site-wide recovery.

Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

Document your current-state recovery workflow based on the results of the tabletop planning

After you finish the tabletop planning exercise, the steps on the set of cue cards define your recovery workflow. Capture this in a flowchart format.

Use the sample DRP to guide your own flowchart. Some notes on the example are:

• XMPL’s Incident Management to DR flowchart shows the connection between its standard Service Desk processes and DR processes.
• XMPL’s high-level workflows outline its recovery of tier 1, 2, and 3 systems.
• Where more detail is required, include links to supporting documentation. In this example, XMPL Medical includes links to its Systems Recovery Playbook.

This sample flowchart is included in XMPL Recovery Workflows.

Step 1.2: Create Supporting DRP Documentation

This step will walk you through the following activities:

• Create checklists for your playbook.
• Document more complex procedures with flowcharts.
• Gather and/or write network topology diagrams.
• Compile a contact list.
• Ensure there is enough material for backup personnel.

This step involves the following participants:

• DRP Owner
• System SMEs
• Backup DR Personnel

Outcomes of this step

• Actionable supporting documentation for your disaster recovery plan.
• Contact list for IT personnel, business personnel, and vendor support.

1.2 — Create supporting documentation for your disaster recovery plan

Now that you have a high-level incident response plan, collect the information you need for executing that plan.

Info-Tech Insight

Write for your audience. The playbook is for IT; include only the information they need to execute the plan. DRP summaries are for executives and auditors; do not include information intended for IT. Similarly, your disaster recovery plan is not for business units; keep BCP content out of your DRP.

Use checklists to streamline step-by-step procedures

Checklists are ideal when staff just need a reminder of what to do, not how to do it.

XMPL Medical used its high-level flowcharts as a roadmap for creating its Systems Recovery Playbook.

• Since its Playbook is intended for experienced IT staff, the writing style in the checklists is concise. XMPL includes links to reference material to support recovery, especially for alternate staff who might need additional instruction.
• XMPL includes key parameters (e.g. IP addresses) rather than assume those details would be memorized, especially in a stressful DR scenario.
• Similarly, include links to other useful resources such as VM templates.

Included in the XMPL Systems Recovery Playbook are checklists for recovering XMPL’s virtual desktop infrastructure, mission-critical applications, and core infrastructure components.

Use flowcharts to document processes with concurrent tasks not easily captured in a checklist

Recovery procedures can consist of flowcharts, checklists, or both, as well as diagrams. The main goal is to be clear and concise.

• XMPL Medical created a flowchart to capture its phone services recovery procedure to capture concurrent tasks.
• Additional instructions, where required, could still be captured in a Playbook checklist or other supporting documentation.
• The flowchart could have also included key settings or other details as appropriate, particularly if the DR team chose to maintain this recovery procedure just in a flowchart format.

Included in the XMPL DR documentation is an example flowchart for recovering phone systems. This flowchart is in Recovery Workflows.

Reference this blueprint for more SOP flowchart examples: Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Use topology diagrams to capture network layout, integrations, and system information

Topology diagrams, key checklists, and configuration settings are often enough for experienced networking staff to carry out their DR tasks.

• XMPL Medical includes these diagrams with its DRP. Instead of recreating these diagrams, the XMPL Medical DR Manager asked their network team for these diagrams:
  • Primary data center diagram
  • DR site diagram
  • High-level network diagrams
• Often, organizations already have network topology diagrams for reference purposes.

“Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them.” (Assistant Director-IT Operations, Healthcare Industry)

You can download a PDF and a VSD version of these Data Center and Network Diagrams from Info-Tech’s website.

Create a list of organizational, IT, and vendor contacts that may be required to assist with recovery

If there is something strange happening to your IT infrastructure, who you gonna call?

Many DR managers have their team on speed dial. However, having the contact info of alternate staff, BCP leads, and vendors can be very helpful during a disaster. XMPL Medical lists the following information in its DRP Workbook:

• The DR Teams, SMEs critical to disaster recovery, their backups, and key contacts (e.g. BC Management team leads, vendor contacts) that would be involved in:
  • Declaring a disaster.
  • Coordinating a response at an organizational level.
  • Executing recovery.
• The people that have authority to declare a disaster.
• Each person’s spending authority.
• The rules for delegating authority.
• Primary and alternate staff for each role.

Confirm with your DR team that you have all of the documentation that you need to recover during a disaster

DISCUSS: Is there enough information in your DRP for both primary and backup DR personnel?

• Is it clear who is responsible for each DR task, including notification steps?
• Have alternate staff for each role been identified?
• Does the recovery workflow capture all of the high-level steps?
• Is there enough documentation for alternate staff (e.g. network specs)?

Step 1.3: Write the DRP Summary

This step will walk you through the following activities:

• Write a DRP summary document.

This step involves the following participants:

• DRP Owner

Outcomes of this step

• High-level outline of your DRP capabilities for stakeholders such as executives, auditors, and clients.

Summarize your DR capabilities using a DRP summary document

1.3.1 DRP Summary Document

The sample included on Info-Tech’s website is customized for the XMPL Medical Case Study – use the download as a starting point for your own summary document.

• Business Impact Analysis
• DRP Recovery Workflows
• Supporting Documentation
• Outputs from Reduce Costly Downtime Through DR Testing

DRP Summary Document

XMPL’s DRP Summary is organized into the following categories:

• DR requirements: This includes a summary of scope, business impact analysis (BIA), risk assessment, and high-level RTOs and achievable RTOs.
• DR strategy: This includes a summary of XMPL’s recovery procedures, DR site, and backup strategy.
• Testing and maintenance: This includes a summary of XMPL’s DRP testing and maintenance strategy.

Be transparent about existing business risks in your DRP summary

The DRP summary document is business facing. Include information of which business leaders (and other stakeholders) need to be aware.

• Discrepancies between desired and achievable RTOs? Organizational leadership needs to know this information. Only then can they assign the resources and budget that IT needs to achieve the desired DR capabilities.
• What is the DRP’s scope? XMPL Medical lists the IT components that will be recovered during a disaster, and components which will not. For instance, XMPL’s DRP does not recover medical equipment, and XMPL has separate plans for business continuity and emergency response coordination.

The above table to is a snippet from the XMPL DR Summary Document (section 2.1.3.2).

In the example, the DR team is unable to recover tier 1, 2, and 3 systems within the desired RTO. As such, they clearly communicate this information in the DRP summary, and include action items to address these gaps.

Phase 2: Select the Optimal DRP Publishing Strategy

Step 2.1: Select a DRP Publishing Strategy

This step will walk you through the following activities:

• Select criteria for assessing DRP tools.
• Evaluate categories for DRP tools.
• Optional: Write an RFP for a BCM tool.

This step involves the following participants:

• DRP Owner

Outcomes of this step

• Identified strategies for publishing your DRP (i.e. making it available to your DR team).

Info-Tech Insights

Diversify your publishing strategy to ensure you can access your DRP in a disaster. For example, if you are using a BCM tool or SharePoint Online as your primary documentation repository, also push the DRP to your DR team’s smartphones as a backup in case the disaster affects internet access.

2.1 — Select a DR publishing and document management strategy that fits your organization

Publishing and document management considerations:

Portability/External Access: Assume your primary site is down and inaccessible. Can you still access your documentation? As shown in this chart, traditional strategies of either keeping a copy at another location (e.g. at the failover site) or with staff (e.g. on a USB drive) still dominate, but these aren’t necessarily the best options.	➔	Note: Percentages total more than 100% due to respondents using more than one portability strategy. (Source: Info-Tech Research Group, N=118)
Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents as shown in the flowchart and checklist examples? Is there version control? Lack of version control can create a maintenance nightmare as well as issues in a crisis if staff are questioning whether they have the right version.
Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution (e.g. DRP tools or SharePoint), but the cost might be hard to justify for a smaller company.

Pros and cons of potential strategies

This section will review the following strategies, their pros and cons, and how they meet publishing and document management requirements:

• DRP tools (e.g. eBRP, Recovery Planner, LDRPS)
• In-house solutions combining SharePoint and MS Office (or equivalent)
• Wiki site
• “Manual” approaches such as storing documents on a USB drive

Avoid 42 hours of downtime due to a non-diversified publishing strategy

CASE STUDY

Industry Municipality
Source Interview

Situation

• A municipal government has recently completed an end-to-end disaster recovery plan.
• The team is feeling good about the fact that they were able to identify:
  • Relative criticality of applications.
  • Dependencies for each application.
  • Incident response plans for the current state and desired state.
  • System recovery procedures.

Challenge

• While the DR plan itself was comprehensive, the team only published the DR onto the government’s network drives.
• A power generation issue caused power to be shut down, which in turn cascaded into downtime for the network.
• Once the network was down, their DRP was inaccessible.

Insights

• Each piece of documentation that was created could have contributed to recovery efforts. However, because they were inaccessible, there was a delayed response to the incident. The result was 42 hours of downtime for end users.
• Having redundant publishing strategies is just like having redundant IT infrastructure. In the event of downtime, not only do you need to have DR documentation, but you also need to make sure that it is accessible.

Decide on a DR publishing strategy by looking at portability, maintainability, cost, and required effort

Use the information included in Step 2.1 to guide your analysis of DRP publishing solutions.

The tool enables you to compare two possible solutions based on these key considerations discussed in this section:

• Portability/external access
• Maintainability/usability
• Cost
• Effort

The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on.

For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to manage consistent DRP distribution.

The DRP Publishing and Management Solution Evaluation Tool helps you to evaluate the tools included in this section.

Don’t think of a business continuity management (BCM) tool as a silver bullet; know what you’re getting out of it

Portability/External Access:

• Pros: Typically a SaaS option provides built-in external access with appropriate security and user administration to vary access rights.
• Cons: Degree of external access is often dependent on the vendor.

Maintainability/Usability:

• Pros: Built-in templates encourage consistency and guide initial content development by indicating what details need to be captured.
• Pros: Built-in document management (e.g. version control, metadata support), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
• Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
• Cons: Requires end-user and administrator training.

Cost/Effort:

• Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
• Cons: Expect leading DRP tools to cost $20K or more per year.

About this approach:
BCM tools are solutions that provide templates, tools, and document management to create BC and DR documentation.

Info-Tech Insight

The business case for a BCM tool is built by answering the following questions:

• Will the BCM tool solve an unmet need?
• Will the tool be more effective and efficient than an in-house solution?
• Will the solution provide enhanced capabilities that an in-house solution cannot provide?

If you cannot get a satisfactory answer to each of these questions, then opt for an in-house solution.

“We explored a DRP tool, and it was something we might have used, but it was tens of thousands of pounds per year, so it didn’t stack up financially for us at all.” (Rik Toms, Head of Strategy – IP and IT, Cable and Wireless Communications)

For in-house solutions, leverage tools such as SharePoint to provide document management capabilities

Portability/External Access:

• Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
• Cons: Must be installed at redundant sites or be cloud-based to be effective in a crisis that takes down your primary data center.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support) as well as centralized access/navigation to required documents.
• Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: Using existing tools, so this is a sunk cost in terms of capex.
• Cons: Additional effort required to create templates and manage the documentation library.

About this approach:
DRPs and SOPs most often start as MS Office documents, even if there is a DRP tool available. For organizations that elect to bypass a formal DRP tool, and most do, the biggest gap they have to overcome is document management.

Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for DR documentation and day-to-day SOPs.

For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instances at multiple in-house locations, or using a cloud-based SharePoint solution.

“Just about everything that a DR planning tool does, you can do yourself using homegrown solutions or tools that you're already familiar with such as Word, Excel, and SharePoint.” (Allen Zuk, President and CEO, Sierra Management Consulting)

A healthcare company uses SharePoint as its DRP and SOP documentation management solution

CASE STUDY Healthcare

• This organization is responsible for 50 medical facilities across three states.
• It explored DRP tools, but didn’t find the right fit, so it has developed an in-house solution based in SharePoint. While DRP tools have improved, the organization no longer needs that type of solution. Its in-house solution is meeting its needs.
• It has SharePoint instances at multiple locations to ensure availability if one site is down.

Documentation Strategy

• Created an IT operations library in SharePoint for DR and SOPs, from basic support to bare-metal restore procedures.
• SOPs are linked from SharePoint to the virtual help desk for greater accessibility.
• Where practical, diagrams and flowcharts are used, e.g. DR process flowcharts and network services SOPs dominated by diagrams and flowcharts.

Management Strategy

• Directors and the CIO have made finishing off SOPs their performance improvement objective for the year. The result is staff have made time to get this work done.
• Status updates are posted monthly, and documentation is a regular agenda item in leadership meetings.
• Regular tabletop testing validates documentation and ensures familiarity with procedures, including where to find required information.

Results

• Dependency on a few key individuals has been reduced. All relevant staff know what they need to do and where to access required documentation.
• SOPs are enabling DR training as well as day-to-day operations training for new staff.
• The organization has a high confidence in its ability to recovery from a disaster within established timelines.

Explore using a wiki site as an inexpensive alternative to SharePoint and other content management solutions

Portability/External Access:

• Pros: Wiki sites can support external access as with any web solution.
• Cons: Must be installed at redundant sites, hosted, or cloud-based to be effective in a crisis that takes down your primary data center.

Maintainability/Usability:

• Pros: Built-in document management (version control, metadata support, etc.) as well as centralized access/navigation to required information.
• Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
• Cons: Learning curve if wikis are new to your organization.

About this approach:
Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

• Modernize Communications and Collaboration infrastructure
• Vendor Landscape: Collaboration Platforms

Info-Tech Insight

If your organization is not already using wiki sites, this technology can introduce a culture shock. Start slow by using a wiki site within a specific department or for a particular project. Then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to our collaboration strategy research for additional guidance.

For small IT shops, distributing documentation to key staff (e.g. via a USB drive) can still be effective

Portability/External Access:

• Pros: Appropriate staff have the documentation with them; there is no need to log into a remote site or access a tool to get at the information.
• Cons: Relies on staff to be diligent about ensuring they have the latest documentation and keep it with them (not leave it in their desk drawer).

Maintainability/Usability:

• Pros: With this strategy, MS Office (or equivalent) is used to create and maintain the documentation, so there is no learning curve.
• Pros: Simple, straightforward methodology – keep the master on a network drive, and download a copy to your USB drive.
• Cons: No built-in automation (e.g. automated updates to contact information) or document management (e.g. version control).
• Cons: Consistency depends on creating templates and implementing rigid processes for document updates, review, and approval.

Cost/Effort:

• Pros: Little to no cost and no tool management required.
• Cons: “Manual” document management requires strict attention to process for version control, updates, approvals, and distribution.

About this approach:
With this strategy, your ERT and key IT staff keep a copy of your DRP and relevant documentation with them (e.g. on a USB drive). If the primary site experiences a major event, they have ready access to the documentation.

Fifty percent of respondents in our recent survey use this strategy. A common scenario is to use a shared network drive or a solution such as SharePoint as the master centralized repository, but distribute a copy to key staff.

Info-Tech Insight

This approach can have similar disadvantages as using hard copies. Ensuring the USB drives are up to date, and that all staff who might need access have a copy, can become a burdensome process. More often, USB drives are updated periodically, so there is the risk that the information will be out of date or incomplete.

Avoid extensive use of paper copies of DR documentation

DR documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

Portability/External Access:

• Pros: Does not rely on technology or power.
• Cons: Requires all staff who might be involved in a DR to have a copy, and to have it with them at all times, to truly have access at any time from anywhere.

Maintainability/Usability:

• Pros: In terms of usability, again there is no dependence on technology.
• Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest, most accurate documentation if a disaster occurred. You can’t schedule disasters, so information needs to be current all the time.
• Cons: Navigation to other information is manual – flipping through pages, etc. No searching or hyperlinks.

Cost/Effort:

• Pros: No technology system to maintain, aside from what you use for printing.
• Cons: Printing expenses are actually among the highest incurred by organizations, and this adds to it.
• Cons: Labor intensive due to need to print and physically distribute documentation updates.

About this approach:
Traditionally DRPs are printed and distributed to managers and/or kept in a central location at both the primary site and a secondary site. In addition, wallet cards are distributed that contain key information such as contact numbers.

A wallet card or even a few printed copies of your high-level DRP for general reference can be helpful, but paper is not a practical solution for your overall DR documentation library, particularly when you include SOPs for recovery procedures.

One argument in favor of paper is there is no dependency on power during a crisis. However, in a power outage, staff can use smartphones and potentially laptops (with battery power) to access electronically stored documentation to get through first response steps. In addition, your DR site should have backup power to be an appropriate recovery site.

Optional: Partial list of BCM tool vendors

The list is only a partial list of BCM tool vendors. The order in which vendors are presented, and inclusion in this list, does not represent an endorsement.

Optional: Use our list of requirements as a foundation for selecting and reviewing BCM tools

If a BCM tool is the best option for your environment, expedite the evaluation process with our BCM Tool – RFP Selection Criteria.

Through advisory services, workshops, and consulting engagements, we have created this BCM Tool Requirements List. The featured requirements includes the following categories:

1. Integrations
2. Planning and Monitoring
3. Administration
4. Architecture
5. Security
6. Support and Training

This BCM Tool – RFP Selection Criteria can be appended to an RFP. You can leverage Info-Tech’s RFP Template if your organization does not have one.

Info-Tech can write full RFPs

As part of a consulting engagement, Info-Tech can write RFPs for BCM tools and provide a customized scoring tool based on your environment’s unique requirements.

Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices

Step 3.1: Integrate DRP maintenance into core IT processes

This step will walk you through the following activities:

• Integrate DRP maintenance with Project Management.
• Integrate DRP considerations into Change Management.
• Integrate with Performance Management.

This step involves the following participants:

• DRP Owner
• Head of Project Management Office
• Head of Change Advisory Board
• CIO

Outcomes of this step

• Updated project intake form.
• Updated change management practice.
• Updated performance appraisals.

3.1 — Incorporate DRP maintenance into core IT processes

Focusing on these three processes will help ensure that your plan stays current, accurate, and usable.

Info-Tech Best Practice

Prioritize quick wins that will have large benefits. The advice presented in this section offers easy ways to help keep your DRP up to date. These simple solutions can save a lot of time and effort for your DRP team as opposed to more intricate changes to the processes above.

Assess how new projects impact service criticality and DR requirements upfront during project intake

Understand the RTO/RPO requirements and IT impacts for new or enhanced services to ensure appropriate provisioning and overall DRP updates.

• Have submitters include service continuity requirements. This information can be inserted into your business impact analysis. Use similar language that you use in your own BIA.
  • The submitter should know how critical the resulting project will be. Any items that the submitter doesn’t know, the Project Steering Committee should investigate.
• Have IT assess the impact on the DRP. The submitter will not know how the DRP will be impacted directly. Ask the project committee to consider how DRP documentation and the DR environment will need to be changed due to the project under consideration.

Note: The goal is not to make DR a roadblock, but rather to ensure project requirements will be met – including availability and DR requirements.

This Project Intake Form asks the submitter to fill out the availability and criticality requirements for the project.

Leverage your change management process to identify required DRP updates as they occur

Avoid the year-end rush to update your DRP. Keeping it up to date as changes occur saves time in the long run and ensures your plan is accurate when you need it.

• As part of your change management process, identify potential updates to:
  • System documentation (e.g. configuration settings).
  • Recovery procedures (e.g. if a system has been virtualized, that changes the recovery procedure).
  • Your DR environment (e.g. system configuration updates for standby systems).
• Keep track of how often a system has changed. Relevant DRP documentation might be due for a deeper review:
  • After a system has been changed ten times (even from routine changes), notify your DRP Manager to flag the relevant DRP documentation for review.
  • As part of formal DRP reviews, pay closer attention to DRP documentation for the flagged systems.

This template asks the submitter to fill out the availability and criticality requirements for the project.

For change management best practices beyond DRP considerations, please see Optimize Change Management.

Integrate documentation into performance measurement and performance management

Documentation is a necessary evil – few like to create it and more immediate tasks take priority. If it isn’t scheduled and prioritized, it won’t happen.

“Our directors and our CIO have tied SOP work to performance evaluations, and SOP status is reviewed during management meetings. People have now found time to get this work done.” (Assistant Director – IT Operations, Healthcare Industry)

Step 3.2: Conduct an Annual Focused Review

This step will walk you through the following activities:

1. Identify components of your DRP to refresh.
2. Identify organizational changes requiring further focus.
3. Test your DRP and identify problems.
4. Correct problems identified with DRP.

This step involves the following participants:

• DRP Owner
• System SMEs
• Backup DR Personnel

Outcomes of this step

• An actionable, up-to-date DRP.

Info-Tech Insight

Testing is a waste of time and resources if you do not fix what’s broken. Tabletop testing is effective at uncovering gaps in your DR processes, but if you don’t address those gaps, then your DRP will still be unusable in a disaster.

Set up a safety net to capture changes that slipped through the cracks with a focused review process

Evaluate documentation supporting high-priority systems, as well as documentation supporting IT systems that have been significantly changed.

• Ideally you’re maintaining documentation as you go along. But you need to have an annual review to catch items that may have slipped through.
• Don’t review everything. Instead, review:
  • IT systems that have had 10+ changes: small changes and updates can add up over time. Ensure:
    • The plans for these systems are updated for changes (e.g. configuration changes).
    • SMEs and backup personnel are familiar with the changes.
  • Tier 1 / Gold Systems: Ensure that you can still recover tier 1 systems with your existing DRP documentation.
• Track documentation issues that you discovered with your ticketing system or service desk tool to ensure necessary documentation changes are made.

1. Annual Focused Review
2. Tier 1 Systems
3. Significantly Changed Systems
4. Organizational Changes

Identify larger changes, both organizational and within IT, that necessitate DRP updates

During your focused review, consider how organizational changes have impacted your DRP.

The COBIT 5 Enablers provide a foundation for this analysis. Consider:

• Changes in regulatory requirements: Are there new requirements for IT that are not reflected in your DRP? Is the organization required to comply with any additional regulations?
• Changes to organizational structures, business processes, and how employees work: Can employees still be productive once tier 1 services are restored or have RTOs changed? Has organizational turnover impacted your DRP?
• SMEs leaving or changing roles: Can IT still execute your DRP? Are there still people for all the key roles?
• Changes to IT infrastructure and applications: Can the business still access the information they need during a disaster? Is your BIA still accurate? Do new services need to be considered tier 1?

Info-Tech Best Practice

COBIT 5 Enablers
What changes need to be reflected in your DRP?

Create a plan during your annual focused review to test your DRP throughout the year

Regardless of your documentation approach, training and familiarity with relevant procedures is critical.

• Start with tabletop exercises and progress to technology-based testing (simulation, parallel, and full-scale testing).
• Ask staff to reference documentation while testing, even if they do not need to. This practice helps to confirm documentation accuracy and accessibility.
• Incorporate cross-training in DR testing. This gives important experience to backup personnel and will further validate that documents are complete and accurate.
• Track any discovered documentation issues with your ticketing system or project tracking tools to ensure necessary documentation changes are made.

Example Test Schedule:

1. Q1: Tabletop testing shadowed by backup personnel
2. Q2: Tabletop testing led by backup personnel
3. Q3: Technology-based testing
4. Annual Focused Review: Review Results

Reference this blueprint for guidance on DRP testing plans: Reduce Costly Downtime Through DR Testing

Appendix A: XMPL Case Study

Follow XMPL Medical’s journey through DR documentation

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

Outline of the Disaster Recovery Plan

XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

Resulting Disaster Recovery Plan

XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

Disaster Recovery Plan

• Recovery Workflow
• Business Impact Analysis
• DRP Summary
• System Recovery Checklists
• Communication, Assessment, and Disaster Declaration Plan

Info-Tech Best Practice

XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

Model your disaster recovery documentation off of our example

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Recovery Workflow:

• Recovery Workflows (PDF, VSDX)

Recovery Procedures (Systems Recovery Playbook):

• DR Notification, Assessment, and Disaster Declaration Plan
• Systems Recovery Playbook
• Network Topology Diagrams

Additional Reference Documentation:

• DRP Workbook
• Business Impact Analysis
• DRP Summary Document

Use our structure to create your practical disaster recovery plan.

Appendix B: Summary, Next Steps, and Bibliography

Insight breakdown

Use visual-based documentation instead of a traditional DRP manual.

• Flowcharts, checklists, and diagrams are more concise, easier to maintain, and more effective in a crisis.
• Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.

Create your DRP in layers to keep the work manageable.

• Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

Prioritize quick wins to make DRP maintenance easier and more likely to happen.

• Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

Summary of accomplishment

Knowledge Gained

• How to create visual-based DRP documentation
• How to integrate DRP maintenance into core IT processes

Processes Optimized

• DRP documentation creation
• DRP publishing tool selection
• DRP documentation maintenance

Deliverables Completed

• DRP documentation
• Strategy for publishing your DRP
• Modified project-intake form
• Change management checklist for DR considerations

Project step summary

Client Project: Document and Maintain Your Disaster Recovery Plan

• Create a recovery workflow.
• Create supporting DRP documentation.
• Write a summary for your DRP.
• Decide on a publishing strategy.
• Incorporate DRP maintenance into core IT processes.
• Conduct an annual focused review.

Info-Tech Insight

This project has the ability to fit the following formats:

• Onsite workshop by Info-Tech Research Group consulting analysts.
• Do-it-yourself with your team.
• Remote delivery (Info-Tech Guided Implementation).

Related Info-Tech research

Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.

Reduce Costly Downtime Through DR Testing
Improve the accuracy of your DRP and your team’s ability to efficiently execute recovery procedures through regular DR testing.

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

Prepare for a DRP Audit
Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

Bibliography

A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000. The Association of Insurance and Risk Managers, Alarm: The Public Risk Management Association, and The Institute of Risk Management, 2010.

“APO012: Manage Risk.” COBIT 5: Enabling Processes. ISACA, 2012.

Bird, Lyndon, Ian Charters, Mel Gosling, Tim Janes, James McAlister, and Charlie Maclean-Bristol. Good Practice Guidelines: A Guide to Global Good Practice in Business Continuity. Global ed. Business Continuity Institute, 2013.

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.

“EDM03: Ensure Risk Optimisation.” COBIT 5: Enabling Processes. ISACA, 2012.

Risk Management. ISO 31000:2009.

Rothstein, Philip Jan. Disaster Recovery Testing: Exercising Your Contingency Plan. Rothstein Associates: 1 Oct. 2007.

Societal Security – Business continuity management systems – Guidance. ISO 22313:2012.

Societal Security – Business continuity management systems – Requirements. ISO 22301:2012.

Understanding and Articulating Risk Appetite. KPMG, 2008.

Design a Business-Aligned Security Program

Focus on business value first.

EXECUTIVE BRIEF

Analyst Perspective

Business alignment is no accident.

Security leaders often tout their choice of technical security framework as the first and most important program decision they make. While the right framework can help you take a snapshot of the maturity of your program and produce a quick strategy and roadmap, it won’t help you align, modernize, or transform your program to meet emerging business requirements. Common technical security frameworks focus on operational controls rather than business services and value creation. They are difficult to convey to business stakeholders and provide little program management or implementation guidance. Focus on business value first, and the security services that enable it. Your organization has its own distinct character and profile. Understand what makes your organization unique, then design and refine the design of your security program to ensure it supports the right capabilities. Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place to support the implementation of the security program.

Michel Hébert Research Director, Security & Privacy Info-Tech Research Group

Executive Summary

Info-Tech Insight

You are a business leader who supports business goals and mitigates risk. Focus first on business value and the security services that enable it, not security controls.

Your challenge

The need for a solid and responsive security program has never been greater.

• You need to build a security program that enables business services and secures the technology that makes them possible.
• Building an effective, business-aligned security program requires that you coordinate many components, including technologies, processes, organizational structures, information flows, and behaviors.
• The program must prioritize the right capabilities, and support its implementation with clear accountabilities, roles, and responsibilities.
• You must communicate effectively with stakeholders to describe the risks the organization faces, their likely impact on organizational goals, and how the security program will mitigate those risks and support the creation of business value.

• Ransomware is a persistent threat to organizations worldwide across all industries.

Cybercriminals deploying ransomware are evolving into a growing and sophisticated criminal ecosystem that will continue to adapt to maximize its profits.

• Critical infrastructure is increasingly at risk.

Malicious agents continue to target critical infrastructure to harm industrial processes and the customers they serve State-sponsored actors are expected to continue to target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and project state power.

• Disruptive technologies bring new threats.

Malicious actors increasingly deceive or exploit cryptocurrencies, machine learning, and artificial intelligence technologies to support their activities.

Sources: CCCS (2023), CISA (2023), ENISA (2023)

Your challenge

Most security programs are not aligned with the overall business strategy.

50% Only half of leaders are framing the impact of security threats as a business risk.

49% Less than half of leaders align security program cost and risk reduction targets with the business.

57% Most leaders still don’t regularly review security program performance of the business.

Source: Tenable, 2021

Common obstacles

Misalignment is hurting your security program and making you less influential.

Organizations with misaligned security programs have 48% more security incidents...

…and the cost of their data breaches are 40% higher than those with aligned programs.

37% of stakeholders still lack confidence in their security program.

54% of senior leaders still doubt security gets the goals of the organization.

Source: Frost & Sullivan, 2019

Source: Ponemon, 2023

Common obstacles

Common security frameworks won’t help you align your program.

• Common security frameworks focus on operational controls rather than business value creation, are difficult to convey to stakeholders, and provide little implementation guidance.
• A security strategy based on the right framework can provide a snapshot of your program, but it won’t help you modernize, transform, or align your program to meet emerging business requirements.
• The lack of guidance leads to a lack of structure in the way security services are designed and managed, which reduces service quality, increases security friction, and reduces business satisfaction.

There is no unique, one-size-fits-all security program.

• Each organization has a distinct character and profile and differs from others in several critical respects. The security program for a cloud-first, DevOps environment must emphasize different capabilities and accountabilities than one for an on-premise environment and a traditional implementation model.

Info-Tech’s approach

You are a business leader who supports business goals and mitigates risk.

• Understand what makes your organization unique, then design and refine a security program with capabilities that create business value.
• Next, collaborate with stakeholders to ensure the right accountabilities, roles, and responsibilities are in place, and build an implementation roadmap to ensure its components work together over time.

Security needs to evolve as a business strategy.

• Laying the right foundations for your security program will inform future security program decisions and give your leadership team the information they need to support your success. You can do it in two steps:
  • Evaluate the design factors that make your organization unique and prioritize the security capabilities to suit. Info-Tech’s approach is based on the design process embedded in the latest COBIT framework.
  • Review the key components of your security program, including security governance, security strategy, security architecture, service design, and service metrics.

If you build it, they will come

“There's so much focus on better risk management that every leadership team in every organization wants to be part of the solution.

If you can give them good data about what things they really need to do, they will work to understand it and help you solve the problem.”

Dan Bowden, CISO, Sentara Healthcare (Tenable)

Design a Business-Aligned Security Program

Choose your own adventure

This blueprint is ideal for new CISOs and for program modernization initiatives.

1. New CISO

“I need to understand the business, prioritize core security capabilities, and identify program accountabilities quickly.”

2. Program Renewal

“The business is changing, and the threat landscape is shifting. I am concerned the program is getting stale.”

Use this blueprint to understand what makes your organization unique:

1. Prioritize security capabilities.
2. Identify program accountabilities.
3. Plan program implementation.

If you need a deep dive into governance, move on to a security governance and management initiative.

3. Program Update

“I am happy with the fundamentals of my security program. I need to assess and improve our security posture.”

Move on to our guidance on how to Build an Information Security Strategy instead.

Info-Tech’s methodology for security program design

Insight Map

You are a business leader first and a security leader second

Technical security frameworks are static and focused on operational controls and standards. They belong in your program’s solar system but not at its center. Design your security program with business value and the security services that enable it in mind, not security controls.

There is no one-size-fits-all security program
Tailor your security program to your organization’s distinct profile to ensure the program generates value.

Lay the right foundations to increase engagement
Map out accountabilities, roles, and responsibilities to ensure the components of your security program work together over time to secure and enable business services.

If you build it, they will come
Your executive team wants to be part of the solution. If you give them reliable data for the things they really need to do, they will work to understand and help you solve the problem.

Blueprint deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Security Program Design Tool

Tailor the security program to what makes your organization unique to ensure alignment.

Security Program Implementation Tool

Assess the current state of different security program components and plan next steps.

SecurityProgram Design and Implementation Plan

Communicate capabilities, accountabilities, and implementation initiatives.

Key deliverable

Security Program Design and Implementation Plan

The design and implementation plan captures the key insights your work will generate, including:

• A prioritized set of security capabilities aligned to business requirements.
• Security program accountabilities.
• Security program implementation initiatives.

Blueprint benefits

Measure the value of using Info-Tech’s approach

Assess the effectiveness of your security program with a risk-based approach.

Measure the impact of your project

Use Info-Tech diagnostics before and after the engagement to measure your progress.

• Info-Tech diagnostics are standardized surveys that produce historical and industry trends against which to benchmark your organization.
• Run the Security Business Satisfaction and Alignment diagnostic now, and again in twelve months to assess business satisfaction with the security program and measure the impact of your program improvements.
• Reach out to your account manager or follow the link to deploy the diagnostic and measure your success. Diagnostics are included in your membership.

Inform this step with Info-Tech diagnostic results

• Info-Tech diagnostics are standardized surveys that accelerate the process of gathering and analyzing pain point data.
• Diagnostics also produce historical and industry trends against which to benchmark your organization.
• Reach out to your account manager or follow the links to deploy some or all these diagnostics to validate your assumptions. Diagnostics are included in your membership.

Governance & Management Maturity Scorecard
Understand the maturity of your security program across eight domains.
Audience: Security Manager

Security Business Satisfaction and Alignment Report
Assess the organization’s satisfaction with the security program.
Audience: Business Leaders

CIO Business Vision
Assess the organization’s satisfaction with IT services and identify relevant challenges.
Audience: Business Leaders

Executive Brief Case Study

INDUSTRY: Higher Education

SOURCE: Interview

Building a business-aligned security program

Portland Community College (PCC) is the largest post-secondary institution in Oregon and serves more than 50,000 students each year. The college has a well-established information technology program, which supports its education mission in four main campuses and several smaller centers.

PCC launched a security program modernization effort to deal with the evolving threat landscape in higher education. The CISO studied the enterprise strategy and goals and reviewed the college’s risk profile and compliance requirements. The exercise helped the organization prioritize security capabilities for the renewal effort and informed the careful assessment of technical controls in the current security program.

Results

Laying the right foundations for the security program helped the security function understand how to provide the organization with a clear report of its security posture. The CISO now reports directly to the board of directors and works with stakeholders to align cost, performance, and risk reduction objectives with the needs of the college.

The security program modernization effort prioritized several critical design factors

• Enterprise Strategy
• Enterprise Goals
• IT Risk Profile
• IT-Related Issues
• IT Threat Landscape
• Compliance Requirements

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Customize your journey

The security design blueprint pairs well with security governance and security strategy.

• The prioritized set of security capabilities you develop during the program design project will inform efforts to develop other parts of your security program, like the security governance and management program and the security strategy.
• Work with your member services director, executive advisor, or technical counselor to scope the journey you need. They will work with you to align the subject matter experts to support your roadmap and workshops.

Endpoint Management Selection Guide

Streamline your organizational approach to selecting a right-sized endpoint management platform.

Endpoint Management Selection Guide

Streamline your organizational approach toward the selection of a right-sized endpoint management platform.

EXECUTIVE BRIEF

Analyst Perspective

Revolutionize your endpoint management with a proper tool selection approach

The endpoint management market has an ever-expanding and highly competitive landscape. The market has undergone tremendous evolution in past years, from device management to application deployments and security management. The COVID-19 pandemic forced organizations to service employees and end users remotely while making sure corporate data is safe and user satisfaction doesn't get negatively affected. In the meantime, vendors were forced to leverage technology enhancements to satisfy such requirements.

That being said, endpoint management solutions have become more complex, with many options to manage operating systems and run applications for relevant user groups. With the work-from-anywhere model, customer support is even more important than before, as a remote workforce may face more issues than before, or enterprises may want to ensure more compliance with policies.

Moreover, the market has become more complex, with lots of added capabilities. Some features may not be beneficial to corporations, and with a poor market validation, businesses may end up paying for some capabilities that are not useful.

In this blueprint, we help you quickly define your requirements for endpoint management and narrow down a list to find the solutions that fulfill your use cases.

Mahmoud Ramin, PhD
Senior Research Analyst, Infrastructure and Operations
Info-Tech Research Group

Executive Summary

Your Challenge

Endpoint management solutions are becoming increasingly essential – deploying the right devices and applications to the right users and zero-touch provisioning are indispensable parts of a holistic strategy for improving customers' experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

Common Obstacles

Despite the importance of selecting the right endpoint management platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner. There are many options available, which can cause business and IT leaders to feel lost.

The endpoint management market is evolving quickly, making the selection process tedious. On top of that, IT has a hard time defining their needs and aligning solution features with their requirements.

Info-Tech's Approach

Determine what you require from an endpoint management solution.

Review the market space and product offerings, and compare the capabilities of key players.

Create a use case – use top-level requirements to determine use cases and short-list vendors.

Conduct a formal process for interviewing vendors, using Info-Tech's templates to select the best platform for your requirements.

Info-Tech Insight

Investigate vendors' roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements without any unnecessary investment in features that are not currently useful for you. Make sure you don't purchase capabilities that you will never use.

What are endpoint management platforms?

Our definition: Endpoint management solutions are platforms that enable IT with appropriate provisioning, security, monitoring, and updating endpoints to ensure that they are in good health. Typical examples of endpoints are laptops, computers, wearable devices, tablets, smart phones, servers, and the Internet of Things (IoT).

First, understand differences between mobile management solutions

• Endpoint management solutions monitor and control the status of endpoints. They help IT manage and control their environment and provide top-notch customer service.
• These solutions ensure a seamless and efficient problem management, software updates and remediations in a secure environment.
• Endpoint management solutions have evolved very quickly to satisfy IT and user needs:
• Mobile Device Management (MDM) helps with controlling features of a device.
• Enterprise Mobile Management (EMM) controls everything in a device.
• Unified Endpoint Management (UEM) manages all endpoints.

Endpoint management includes:

• Device management
• Device configuration
• Device monitoring
• Device security

Info-Tech Insight

As endpoint management encompasses a broad range of solution categories including MDM, EMM, and UEM, look for your real requirements. Don't pay for something that you won't end up using.

As UEM covers all of MDM and EMM capabilities, we overview market trends of UEM in this blueprint to give you an overall view of market in this space.

Your challenge: Endpoint management has evolved significantly over the past few years, which makes software selection overwhelming

Additional challenges occur in securing endpoints

A rise in the number of attacks on cloud services creates a need to leverage endpoint management solutions

MarketsandMarkets predicted that global cloud infrastructure services would increase from US$73 billion in 2019 to US$166.6 billion in 2024 (2019).

A study by the Ponemon Institute showed that 68% of respondents believe that security attacks increased over the past 12 months (2020).

The study reveals that over half of IT security professionals who participated in the survey believe that organizations are not very efficient in securing their endpoints, mainly because they're not efficient in detecting attacks.

IT professionals would like to link endpoint management and security platforms to unify visibility and control, to determine potential risks to endpoints, and to manage them in a single solution.

Businesses will continue to be compromised by the vulnerabilities of cloud services, which pose a challenge to organizations trying to maintain control of their data.

Trends in endpoint management have been undergoing a tremendous change

In 2020, about 5.2 million users subscribed to mobile services, and smartphones accounted for 65% of connections. This will increase to 80% by 2025.
Source: Fortune Business Insights, 2021

Info-Tech's methodology for selecting a right-sized endpoint management platform

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

The endpoint management purchase process should be broken into segments:

1. Endpoint management vendor shortlisting with this buyer's guide
2. Structured approach to selection
3. Contract review

Info-Tech's approach

Complementary research:

Create a quick business case and requirements document to align stakeholders to your vision with Info-Tech's Rapid Application Selection Framework.
See what your peers are saying about these vendors at SoftwareReviews.com.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Understand core features and build your business case

This phase will walk you through the following activity:

Define use cases and core features for meeting business and technical goals

This phase involves the following participants:

• CIO
• IT manager
• Infrastructure & Applications directors

MDM solutions function at the level of corporate devices. Something else was needed to enable personal device management.

Major components of EMM solutions

Mobile Application Management (MAM)

Allows organizations to control individual applications and their associated data. It restricts malicious apps and enables in-depth application management, configuration, and removal.

Containerization

Enables separation of work-related data from private data. It provides encrypted containers on personal devices to separate the data, providing security on personal devices while maintaining users' personal data.

Mobile Content Management (MCM)

Helps remote distribution, control, management, and access to corporate data.

Mobile Security Management (MSM)

Provides application and data security on devices. It enables application analysis and auditing. IT can use MSM to provide strong passwords to applications, restrict unwanted applications, and protect devices from unsecure websites by blacklisting them.

Mobile Expense Management (MEM)

Enables mobile data communication expenses auditing. It can also set data limits and restrict network connections on devices.

Identity Management

Sets role-based access to corporate data. It also controls how different roles can use data, improving application and data security. Multifactor authentication can be enforced through the identity management featured of an EMM solution.

Unified endpoint management: Control all endpoints in a single pane of glass

IT admins used to provide customer service such as installation, upgrades, patches, and account administration via desktop support. IT support is not on physical assistance over end users' desktops anymore.

The rise of BYOD enhanced the need to be able to control sensitive data outside corporate network connection on all endpoints, which was beyond the capability of MDM and EMM solutions.

• It's now almost impossible for IT to be everywhere to support customers.
• This created a need to conduct tasks simultaneously from one single place.
• UEM enables IT to run, manage, and control endpoints from one place, while ensuring that device health and security remain uncompromised.
• UEM combines features of MDM and EMM while extending EMM's capabilities to all endpoints, including computers, laptops, tablets, phones, printers, wearables, and IoT.

Info-Tech Insight

Organizations once needed to worry about company connectivity assets such as computers and laptops. To manage them, traditional client management tools like Microsoft Configuration Manager would be enough.

With the increase in the work-from-anywhere model, it is very hard to control, manage, and monitor devices that are not connected to a VPN. UEM solutions enable IT to tackle this challenge and have full visibility into and management of any device.

UEM platforms help with saving costs and increasing efficiency

UEM helps corporates save on their investments as it consolidates use-case management in a single console. Businesses don't need to invest in different device and application management solutions.

From the employee perspective, UEM enables them to work on their own devices while enforcing security on their personal data.

• Security and privacy are very important criteria for organizations. With the rapid growth of the work-from-anywhere model, corporate security is a huge concern for companies.
• Working from home has forced companies to invest a lot in data security, which has led to high UEM demand. UEM solutions streamline security management by consolidating device management in a single platform.
• With the fourth-generation industrial revolution, we're experiencing a significant rise in the use of IoT devices. UEM solutions are very critical for managing, configuring, and securing these devices.
• There will be a huge increase in cyber threats due to automation, IoT, and cloud services. The pandemic has sped up the adoption of such services, forcing businesses to rethink their enterprise mobility strategies. They are now more cautious about security risks and remediations. Businesses need UEM to simplify device management on multiple endpoints.
• With UEM, IT environment management gets more granular, while giving IT better visibility on devices and applications.

UEM streamlines mundane admin tasks and simplifies user issues.

Even with a COPE or COBO provisioning model, without any IT intervention, users can decide on when to install relevant updates. It also may lead to shadow IT.

Endpoint management, and UEM more specifically, enables IT to enforce administration over user devices, whether they are corporate or personally owned. This is enabled without interfering with private/personal data.

Where it's going: The future state of UEM

Despite the fast evolution of the UEM market, many organizations do not move as fast as technological capabilities. Although over half of all organizations have at least one UEM solution, they may not have a good strategy or policies to maximize the value of technology (Tech Orchard, 2022). As opposed to such organizations, there are others that use UEM to transform their endpoint management strategy and move service management to the next level. That integration between endpoint management and service management is a developing trend (Ivanti, 2021).

• SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021).
• Over 2022, 78% of people worked remotely for at least some amount of time during the week (Tech Orchard, 2022).
• 84% of organizations believe that cybersecurity threat alarms are becoming very overwhelming, and almost half of companies believe that the best way to tackle this is through consolidating platforms so that everything will be visible and manageable through a single pane of glass (Cybersecurity Insiders, 2022).
• The UEM market was worth $3.39 billion in 2020. It is expected to reach $53.65 billion by 2030, with an annual growth rate of 31.7% (Datamation, 2022). This demonstrates how dependent IT is becoming on endpoint management solutions.