Prepare for the Upgrade to Windows 11

The upgrade is inevitable, but you have time, and you have options.

Analyst Perspective

Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

“You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

It is inevitable!

P.J. Ryan

Research Director, Infrastructure & Operations

Info-Tech Research Group

Executive Summary

Your Challenge

• Windows 10 is going EOL in 2025. That is closer than you think.
• Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
• You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

Common Obstacles

• The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
• The cost of upgrading devices just to be eligible for Windows 11 is high.
• Your end users don’t like change. This is not going to go over well!

Info-Tech's Approach

• Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
• Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
• Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

Info-Tech Insight

There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

Insight summary

Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

Many organizations will have to spend capital on endpoint upgrades.

Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

Windows 11 is a virtualization challenge for some providers.

The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

Windows 10 will be supported by Microsoft until October 2025.

That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

New look and feel, and a center screen taskbar.

Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

The education industry gets extra attention with the release of Windows 11.

Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

Why Windows 11?

Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

Maybe. It depends who you ask.

Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

Nope.

Windows 11 is a free upgrade or is included with any new computer purchase.

Market share challenges?

Doubtful.

It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

The market share is worth noting for Microsoft but it hardly warrants a new operating system.

New look and feel?

Unlikely

New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

Security?

Likely the main reason.

Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

The features are available on all Windows 11 physical devices, due to the common hardware requirements.

Windows 11 hardware-based security

These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

How do all the hardware-based security features work?

This scenario explains how a standard boot up and login should happen.

You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

Now imagine the same process with various compromised scenarios.

You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

“Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

“Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

Can any device upgrade to Windows 11?

In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

Software Requirement

You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

Complete hardware requirements for Windows 11

• 1 GHz (or faster) compatible 64-bit processor with two or more cores
  • Not all processors are compatible; compatible processors are listed in this link: “Windows Processor Requirements”
• 4 GB RAM
• 64 GB or more of storage space
• Compatible with DirectX 12 or later with WDDM 2.0 driver
  • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
  • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
  • Version 2.0 of WDDM is required for Windows 11.
• 720p display greater than 9" diagonally with 8 bits per color channel
• UEFI Secure Boot capable
• TPM 2.0 chip

(“Windows 11 Requirements”)

Windows 11 may challenge your virtual environment

When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

The Challenge

The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

Short-Term Solutions

VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

Additional Insight

According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

• It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
• 64 GB of storage or greater
• Secure Boot capable with the virtual TPM enabled
• 4 GB of memory or greater
• 2 or more virtual processors
• The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

What’s new or updated in Windows 11?

The following two slides highlight some of the new and updated features in Windows 11.

Security

The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

Taskbar

The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

Updated Apps

Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

User Interface

The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

Microsoft Teams

Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

What’s new or updated in Windows 11?

Snap Layouts

Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

Widgets

Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

Android Apps

Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

Docking

Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

This is not intended to be an inclusive list but does cover some of the more prominent features.

What’s missing from Windows 11?

The following features are no longer found in Windows 11:

• Backward compatibility
  • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
• Internet Explorer
  • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
• Tablet mode
  • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
• Semi-annual updates
  • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
• Specific apps
  • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
    • OneNote for Windows 10
    • 3D Viewer
    • Paint 3D
    • Skype
• Cortana (by default)
  • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

Windows 11 editions

• Windows 11 is offered in several editions:
  • Windows 11 Home
  • Windows 11 Pro
  • Windows 11 Pro for Workstations
  • Windows 11 Enterprise Windows 11 for Education
  • Windows 11 SE for Education
• Windows 11 hardware requirements and security features are common throughout all editions.
• The new look and feel along with all the features mentioned previously are common to all editions as well.
• Windows Home
  • Standard offering for home users
• Pro versus Pro for Workstations
  • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
  • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
  • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
  • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
• Enterprise Offerings
  • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
  • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
  • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

Windows 11 Education Editions

With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

“40 Million Chromebooks in Use in Education” (Thurrott)

“The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

“Chromebooks Gain Market Share as Education Goes Online” (Hruska)

“Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

“Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

• Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
• Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
• The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
• Windows 11 SE for Education:
  • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
  • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
  • Windows 11 SE requires Intune for Education and only IT admins can install applications.
• Microsoft and others have come out with Windows SE specific devices at a low price point.
  • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
  • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

Initial Reactions

Below you can find some actual initial reactions to Windows 11.

Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

“My 91-year-old Mum has found it easy!” Binns, Paul ITRG

“It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

“It makes me feel more like a Mac user.” Chang, Ben Info-Tech

“At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

“Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

“I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

“A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

“The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

“No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

“The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

How do I upgrade to Windows 11?

The process is very similar to applying updates in Windows 10.

• Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
  • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
• A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
• Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
• WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
• Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
• Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
• Other modern endpoint management solutions may also allow for a controlled deployment.

Info-Tech Insight

The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

When can I upgrade to Windows 11?

You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

• Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
  • Deploy the initial update to your test environment.
  • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
  • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
  • Increase the size of each ring as you progress.
• Always back up your data before any upgrade.

Deployment Ring Example

Pilot Ring - Individuals from all departments - 10 users

Ring #1 - Dev, Finance - 20 Users

Ring #2 - Research - 100 Users

Ring #3 - Sales, IT, Marketing - 500 Users

Upgrade your eligible devices and users to Windows 11

Build Windows 11 Deployment Rings

Instructions:

1. Identify who will be in the pilot group. Use individuals instead of user groups.
2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
3. Map groups to rings. Define which user groups will be in each ring.
4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.

What are my options if my devices cannot upgrade to Windows 11?

Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

• Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
• Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
• Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
• Determine the cost for replacement devices:
  • Compare vendor offerings using an RFP process.
• Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

Build a Windows 11 Device Replacement Budget

The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

HAM Budgeting Tool

Related Info-Tech Research

Modernize and Transform Your End-User Computing Strategy

This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

Implement Hardware Asset Management

This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

Bibliography

aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

Binns, Paul. Personal interview. 07 June 2022.

Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

Chang, Ben. Personal interview. 26 May 2022.

Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

“Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

“Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

Bibliography

Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

Roberts, Jeremy. Personal interview. 27 May 2022.

Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

“The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

“Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

“What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

“Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

“Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

Identify and Manage Security Risk Impacts on Your Organization

Know where the attacks are coming from so you know where to protect.

Analyst perspective

It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.

Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.

Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected as suppliers, manufacturers of base goods and materials, and rising transportation costs affect the global economy.

“Trust but verify” – while a good concept – should give way to the more effective zero-trust model in favor of knowing it’s not a matter of if an incident happens but when.

Executive Summary

Info-Tech Insight
Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Security risk impacts

Potential losses to the organization due to security incidents

• In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
• Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

Identify and manage security risk impacts on your organization

Due diligence will enable successful outcomes.

What is third-party risk?

Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).

Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).

It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.

Identify and manage security risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.

Vendor Breaches

The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.

Resource Shortages

A lack of resources is often overlooked, but it’s easily recognized as a reason for a security incident. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.

Create a Post-Implementation Plan for Microsoft 365

You’ve deployed M365. Now what? Look at your business goals and match your M365 KPIs to meet those objectives.

Analyst perspective

You’ve deployed M365. Now what?

There are three primary objectives when deploying Microsoft 365: from a business perspective, the expectations are based on productivity; from an IT perspective, the expectations are based on IT efficiencies, security, and compliance; and from an organizational perspective, they are based on a digital employee experience and collaborative functionality. Of course, all these expectations are based on one primary objective, and that is user adoption of Teams, OneDrive, and SharePoint Online. A mass adoption, along with a high usage rate and a change in the way users work, is required for your investment in M365 to be considered successful. So, adoption is your first step, and that can be tracked and analyzed through analytics in M365 or other tools. But what else needs to be considered once you have released M365 on your organization? What about backup? What about security? What about sharing data outside your business? What about self-service? What about ongoing training? M365 is a powerful suite of tools, and taking advantage of all that it entails should be IT’s primary goal. How to accomplish that, efficiently and securely, is up to you!

John Donovan Principal Research Director, I&O Info-Tech Research Group

Insight summary

Executive summary

Info-Tech Insight

There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and to manage information governance from backup, retention, and security aspects of data management.

Business priorities

What priorities is IT focusing on with M365 adoption?

What IT teams are saying

• In a 2019 SoftwareONE survey, the biggest reason IT decision makers gave for adopting M365 was to achieve a “more collaborative working style.”
• Organizations must plan and execute a strategy for mass adoption and training to ensure processes match business goals.
• Cost savings can only be achieved through rightsizing license subscriptions, retiring legacy apps, and building efficiencies within the IT organization.
• With increased mobility comes with increased cybersecurity risk. Make sure you take care of your security before prioritizing mobility. Multifactor authentication (MFA), conditional access (CA), and additional identity management will maintain a safe work-from-anywhere environment.

Top IT reasons for adopting M365

61% More collaborative working style

54% Cost savings

51% Improved cybersecurity

49% Greater mobility

Source: SoftwareONE, 2019; N=200 IT decision makers across multiple industries and organization sizes

Define & organize post-implementation projects

Key areas to success

• Using Microsoft’s M365 adoption guide, we can prioritize and focus on solutions that will bring about better use of the M365 suite.
• Most of your planning and prioritizing should be done before implementation. Many organizations, however, adopted M365 – and especially Teams, SharePoint Online, and OneDrive – in an ad hoc manner in response to the pandemic measures that forced users to work from home.
• Use a Power BI Pro license to set up dashboards for M365 usage analytics. Install GitHub from AppSource and use the templates that will give you good insight and the ability to create business reports to show adoption and usage rates on the platform.
• Reimagine your working behavior. Remember, you want to bring about a more collective and open framework for work. Take advantage of a champion SME to show the way. Every organization is different, so make sure your training is aligned to your business processes.

Process steps

Info-Tech’s approach

Use the out-of-the-box tools and take advantage of your subscription.

Info-Tech Insight

A clear understanding of the business purpose and processes, along with insight into the organizational culture, will help you align the right apps with the right tasks. This approach will bring about better adoption and collaboration and cancel out the shadow IT products we see in every business silo.

Leverage built-in usage analytics

Adoption of services in M365

To give organizations insight into the adoption of services in M365, Microsoft provides built-in usage analytics in Power BI, with templates for visualization and custom reports. There are third-party tools out there, but why pay more? However, the template app is not free; you do need a Power BI Pro license.

Usage Analytics pulls data from ActiveDirectory, including location, department, and organization, giving you deeper insight into how users are behaving. It can collect up to 12 months of data to analyze.

Reports that can be created include Adoption, Usage, Communication, Collaboration (how OneDrive and SharePoint are being used), Storage (cloud storage for mailboxes, OneDrive, and SharePoint), and Mobility (which clients and devices are used to connect to Teams, email, Yammer, etc.).

Source: Microsoft 365 usage analytics

Understand admin roles

Prevent intentional or unintentional internal breaches

Secure your M365 tenant

A checklist to ensure basic security coverage post M365

• Multifactor Authentication: MFA is part of your M365 tenant, so using it should be a practical identity security. If you want additional conditional access (CA), you will require an Azure AD (AAD) Premium P1+ license. This will ensure adequate identity security protecting the business.
• Password Protection: Use the AAD portal to set this up under Security > Authentication Methods. Microsoft provides a list of over 2,000 known bad passwords and variants to block.
• Legacy Authentication: Disable legacy protocols; check to see if your legacy apps/workflows/scripts use them in the AAD portal. Once identified, update them and turn the protocols off. Use CA policies.
• Self-Service Password Reset: Enable self-service to lower the helpdesk load for password resets. Users will have to initially register and set security questions. Hybrid AD businesses must write back to AD from AAD once changes are made.
• Security Defaults: For small businesses, turn on default settings. To enable additional security settings, such as break- glass accounts, go into Manage Security Defaults in your AAD properties.
• Conditional Access (CA) Policies: Use CA policies if strong identity security and zero trust are required. To create policies in AAD go to Security > Conditional Access > New Policies.

Identity Checklist

• Enable MFA for Admins
• Enable MFA for Users
• Disable App Passwords
• Configure Trusted IPs
• Disable Text/Phone MFA
• Remember MFA on Trusted Devices for 90 Days
• Train Staff in Using MFA Correctly
• Integrate Apps Into Azure AD

Training guidelines

Identify business scenarios and training adoption KPIs

• Customize your training to meet your organizational goals, align with your business culture, and define how users will work inside the world of M365.
• Create scenario templates that align to your current day-to-day operations in each department. These can be created by individual business unit champions.
• Make sure you have covered must-have capabilities and services within M365 that need to be rolled out post-pilot.
• Phase in large transitions rather than multiple small ones to ensure collaboration between departments meets business scenarios.
• Ensure your success metrics are being measured and continue to communicate and train after deployment using tools available in M365. See Microsoft’s adoption guidelines and template for training.

Determine your training needs and align with your business processes. Choose training modalities that will give users the best chance of success. Consider one or many training methods, such as:

• Online training
• In-person classroom
• Business scenario use cases
• Mentoring
• Department champion/Early adopter
• Weekly bulletin fun facts

Don’t forget backup!

Providing 99% uptime and availability is not enough

Why is M365 backup so important?

Accidental Data Deletion.

If a user is deleted, that deletion gets replicated across the network. Backup can save you here by restoring that user.

Internal and External Security Threats.

Malicious internal deletion of data and external threats including viruses, ransomware, and malware can severely damage a business and its reputation. A clean backup can easily restore the business’ uninfected data.

Legal and Compliance Requirements.

While e-discovery and legal hold are available to retain sensitive data, a third-party backup solution can easily search and restore all data to meet regulatory requirements – without depending on someone to ensure a policy was set.

Retention Policy Gaps.

Retention policies are not a substitute for backup. While they can be used to retain or delete content, they are difficult to keep track of and manage. Backups offer greater latitude in retention and better security for that data.

Retire your legacy apps to gain adoption

Identify like for like and retire your legacy apps

To meet the objectives of cost reduction and rationalization, look at synergies that M365 brings to the table. Determine what you are currently using to meet collaboration, storage, and security needs and plan to use the equivalent in your Microsoft entitlement.

Managing M365’s hidden costs

Licenses and storage limits TCO

• Email security. Ninety-one percent of all cyberattacks come from phishing on email. Microsoft Defender for M365 is a bolt-on, so it is an additional cost.
• Backup. This will bring additional cost to M365. Plan to spend more to ensure data is backed up and stored.
• Email archiving. Archiving is different than backup. See our research on the subject. Archiving is needed for compliance purposes. Email archiving solutions are available through third-party software, which is an added cost.
• Email end-to-end encryption. This is a requirement for all organizations that are serious about security. The enterprise products from Microsoft come at an additional cost.
• Cybersecurity training. IT needs to ramp up on training, another expense.
• Microsoft 365 Power Platform Licencing. From low-code and no-code developer tools (Power Apps), workflow tools (Power Automate), and business intelligence (Power BI) – while the E5 license gives you Power BI Pro, there are limitations and costs. Power BI Pro has limitations for data volume, data refresh, and query response time, so your premium license comes at a considerably marked up cost.

M365 is not standalone

• While Microsoft 365 is a platform that is ”just good enough,” it is actually not good enough in today’s cyberthreat environment. Microsoft provides add-ons with Defender for 365, Purview, and Sentinel, which pose additional costs, just like a third-party solution would. See the Threat Intelligence & Incident Response research in our Security practice.
• The lack of data archiving, backup, and encryption means additional costs that may not have been budgeted for at the outset. Microsoft provides 30-60-90-day recovery, but anything else is additional cost. For more information see Understand the Difference between Backups and Archiving.

Compliance and regulations

Security and compliance features out of the box

There are plenty of preconfigured security features contained in M365, but what’s available to you depends on your license. For example, Microsoft Defender, which has many preset policies, is built-in for E5 licenses, but if you have E3 licenses Defender is an add-on.

Three elements in security policies are profiles, policies, and policy settings.

• Preset Profiles come in the shape of:
  • Standard – baseline protection for most users
  • Strict – aggressive protection for profiles that may be high-value targets
  • Built-in Protection – turned on by default; it is not recommended to make exceptions based on users, groups, or domains
• Preset Security Policies
  • Exchange Online Protection Policies – anti-spam, -malware, and -phishing policies
  • Microsoft Defender Policies – safe links and safe attachments policies
• Policy Settings
  • User impersonation protection for internal and external domains
  • Select priorities from strict, standard, custom, and built-in

Info-Tech Insight

Check your license entitlement before you start purchasing add-ons or third-party solutions. Security and compliance are not optional in today’s cybersecurity risk world. With many organizations offering hybrid and remote work arrangements and bring-your-own-device (BYOD) policies, it is necessary to protect your data at the tenant level. Defender for Microsoft 365 is a tool that can protect both your exchange and collaboration environments.

More information: Microsoft 365 Defender

Use Intune and Autopilot

Meet the needs of your hybrid workforce

• Using the tools available in M365 can help you develop your hybrid or remote work strategy.
• This strategy will help you maintain security controls for mobile and BYOD.
• Migrating to Intune and Autopilot will give rise to the opportunity to migrate off SCCM and further reduce your on-premises infrastructure.

NOTE: You must have Azure AD Premium and Windows 10 V1703 or later as well as Intune or other MDM service to use Autopilot. There is a monthly usage fee based on volume of data transmitted. These fees can add up over time.

For more details visit the following Microsoft Learn pages:

• Overview of Windows Autopilot
• Windows Autopilot registration overview
• Microsoft Intune fundamentals
• Tutorial: Walkthrough Intune in Microsoft Endpoint Manager

Intune /Autopilot Overview

Info-Tech’s research on zero-touch provisioning goes into more detail on Intune and Autopilot:
Simplify Remote Deployment With Zero-Touch Provisioning

M365 long-term strategies

Manage your costs in an inflationary world

• Recent inflation globally, whether caused by supply chain woes or political uncertainty, will impact IT and cloud services along with everything else. Be prepared to pay more for your existing services and budget accordingly.
• Your long-term strategies must include ongoing cost management, data management, security risks, and license and storage costs.
• Continually investigate efficiencies, overlaps, and new tools in M365 that can get the job done for the business. Use as many of the applications as you can to ensure you are getting the best bang for your buck.
• Watch for upgrades in the M365 suite of tools. As Microsoft continues to improve and deliver on most business applications well after their first release, you may find that something that was previously inefficient could work in your environment today and replace a tool you currently use.

Ongoing Activities You Need to Maintain

• Be aware of increased license costs and higher storage costs.
• Keep an eye on Teams sprawl.
• Understand your total cost of ownership.
• Continue to look at legacy apps and get rid of your infrastructure debt.

Activity

Build your own M365 post-migration plan

1. Using slide 6 as your guideline, create your own project list using impact and difficulty as your weighting factors.
2. Do this exercise as a whiteboard sticky note exercise to agree on impact and difficulty as a team.
3. Identify easy wins that have high impact.
4. Place the projects into a project plan with time lines.
5. Agree on start and completion dates.
6. Ensure you have the right resources to execute.

Related Info-Tech Research

Govern Office 365

• Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Drive Ongoing Adoption With an M365 Center of Excellence

• Accelerate business processes change and get more value from your subscription by building and sharing, thanks to an effective center of excellence.

Simplify Remote Deployment With Zero-Touch Provisioning

• Adopt zero-touch provisioning to provide better services to your end users.
• Save time and resources during device deployment while providing a high-quality experience to remote end users.

Bibliography

“5 Reasons Why Microsoft Office 365 Backup Is Important.” Apps 4Rent, Dec 2021, Accessed Oct 2022 .
Chandrasekhar, Aishwarya. “Office 365 Migration Best Practices & Challenges 2022.” Saketa, 31 Mar 2022. Accessed Oct. 2022.
Chronlund, Daniel. “The Fundamental Checklist – Secure your Microsoft 365 Tenant”. Daniel Chronlund Cloud Tech Blog,1 Feb 2019. Accessed 1 Oct 2022.
Davies, Joe. “The Microsoft 365 Enterprise Deployment Guide.” Tech Community, Microsoft, 19 Sept 2018. Accessed 2 Oct 2022.
Dillaway, Kevin. “I Upgraded to Microsoft 365 E5, Now What?!.” SpyGlassMTG, 10 Jan 2022. Accessed 4 Oct. 2022.
Hartsel, Joe. “How to Make Your Office 365 Implementation Project a Success.” Centric, 20 Dec 2021. Accessed 2 Oct. 2022.
Jha, Mohit. “The Ultimate Microsoft Office 365 Migration Checklist for Pre & Post Migration.” Office365 Tips.Org, 24 June 2022. Accessed Sept. 2022.
Lang, John. “Why organizations don't realize the full value of Microsoft 365.“Business IT, 29 Nov 202I. Accessed 10 Oct 2022.
Mason, Quinn. “How to increase Office 365 / Microsoft 365 user adoption.” Sharegate, 19 Sept 2019. Accessed 3 Oct 2022.
McDermott, Matt. “6-Point Office 365 Post-Migration Checklist.” Spanning , 12 July 2019 . Accessed 4 Oct 2022.
“Microsoft 365 usage analytics.” Microsoft 365, Microsoft, 25 Oct 2022. Web.
Sharma, Megha. “Office 365 Pre & Post Migration Checklist.’” Kernel Data Recovery, 26 July 2022. Accessed 30 Sept. 2022.
Sivertsen, Per. “How to avoid a failed M365 implementation? Infotechtion, 19 Dec 2021. Accessed 2 Oct. 2022.
St. Hilaire, Dan. “Most Common Mistakes with Office 365 Deployment (and How to Avoid Them).“ KnowledgeWave, 4Mar 2019. Accessed Oct. 2022.
“Under the Hood of Microsoft 365 and Office 365 Adoption.” SoftwareONE, 2019. Web.

Make the Case for Legacy Application Modernization

Revamp your business potential to improve agility, security, and user experience while reducing costs.

Analyst Perspective

An old application may have served us reliably, but it can prevent us from pursuing future business needs.

Legacy systems remain well-embedded in the fabric of many organizations' application portfolios. They were often custom-built to meet the needs of the business. Typically, these are core tools that the business leverages to accomplish its goals.

A legacy application becomes something we need to address when it no longer supports our business goals, is no longer supportable, bears an unsustainable ownership cost, or poses a threat to the organization's cybersecurity or compliance.

When approaching your legacy application strategy, you must navigate a complex web of business, stakeholder, software, hardware, resourcing, and financial decisions. To complicate matters, the full scope of required effort is not immediately clear. Years of development are embedded in these legacy applications, which must be uncovered and dealt with appropriately.

IT leaders require a proactive approach for evaluating the current state, developing a legacy application strategy, and executing in an agile manner. When coupled with a business case and communications strategy, the organization will have a clear decision-making framework that will maximize business outcomes and deliver value where needed.

Ricardo de Oliveira
Research Director, Enterprise Applications
Info-Tech Research Group

Executive Summary

Info-Tech Insight
Legacy modernization is a process, not a single event. Your modernization approach requires you to understand your landscape and decide on a path that minimizes business continuity risks, keeps investments under control, and is prepared for surprises but always has your final state in mind.

An approach to making the case for legacy application modernization

Understand Assess the challenges, lay out the reasons, define your legacy, and prepare to remove the barriers to modernization.
Assess Determine the benefits by business capability. Leverage APM foundations to select the candidate applications and prioritize.
Define Use the prioritized application list to drive the next steps to modernization.

Legacy application modernization is perceived as necessary to remain competitive

The 2022 State CIO Survey by NASCIO shows that legacy application modernization jumped from fifth to second in state CIO priorities.

"Be patient and also impatient. Patient because all states have a lot of legacy tech they are inheriting and government is NOT easy. But also, impatient because there is a lot to do - make your priorities clear but also find out what the CIO needs to accomplish those priorities."

Source: NASCIO, 2022

US government agencies feel pressured to deal with legacy applications

In fiscal year 2021, the US government planned to spend over $100 billion on information technology. Most of that was to be used to operate and maintain existing systems, including legacy applications, which can be both more expensive to maintain and more vulnerable to hackers. The Government Accountability Office (GAO) identified:

• 10 critical federal IT legacy systems
• In operation between 8 and 51 years
• Collectively cost $337 million per year to operate and maintain

Source: U.S. Government Accountability Office, 2021

Example: In banking, modern platforms are essential

Case Study

Delta takes off with a modernized blend of mainframes and cloud

INDUSTRY: Transportation
SOURCE: CIO Magazine, 2023

Phase 1: Make the Case for Legacy Application Modernization

Phase 1
1.1 Understand your challenges
1.2 Define legacy applications
1.3 Assess your barriers
1.4 Find the impacted capabilities
1.5 Define candidate applications
1.6 Now, Next, Later

This phase will walk you through the following activities:

• Understand your challenges with modernization
• Define legacy applications in your context
• Assess your barriers to modernization
• Find the impacted capabilities and their benefits
• Define candidate applications and dispositions

This phase involves the following participants:

• Application group leaders
• Individual application owners

Next-Generation InfraOps

Embrace the spectrum of Ops methodologies to build a virtuous cycle.

Executive summary

Your Challenge

IT Operations continue to be challenged by increasing needs for scale and speed, often in the face of constrained resources and time. For most, Agile methodologies have become a foundational part of tackling this problem. Since then, we've seen Agile evolve into DevOps, which started a trend into different categories of "xOps" that are too many to count. How does one make sense of the xOps spectrum? What is InfraOps and where does it fit in?

Common Obstacles

Ultimately, all these methodologies and approaches are there to serve the same purpose: increase effectiveness through automation and improve governance through visibility. The key is to understand what tools and methodologies will deliver actual benefits to your IT operation and to the organization as a whole.

Info-Tech's Approach

By defining your end goals and framing solutions based on the type of visibility and features you need, you can enable speed and reliability without losing control of the work.

1. Understand the xOps spectrum and what approaches will benefit your organization.
2. Make sense of the architectural approaches and enablement tools available to you.
3. Evolve from just improving your current operations to a continuous virtuous cycle of development and deployment.

Info-Tech Insight

InfraOps, when applied well, should be the embodiment of the governance policies as expressed by standards in architecture and automation.

Project overview

The xOps spectrum

xOps categories

There is no definitive list of x's in the xOps spectrum. Different organizations and teams will divide and define these in different ways. In many cases, the definitions and domains of various xOps will overlap.

Some of the commonly adopted and defined xOps models are listed here.

Shift left? Shift right?

Cutting through the jargon

• Shifting left is about focusing on the code and development aspects of a delivery cycle.
• Shifting right is about remembering that infrastructure and tools still do matter.

Info-Tech Insight

Shifting left or right isn't an either/or choice. They're more like opposite sides of the same coin. Like the different xOps approaches, usually more than one shift approach will apply to your IT Operations.

IT Operations in the left-right spectrum

Shifting from executing and deploying to defining the guardrails and standards

Take a middle-out approach

InfraOps and DevOps aren't enemies; they're opposite sides of the same coin.

• InfraOps is about the automation and standardization of execution. It's an essential element in any fully automated CI/CD pipeline.
• Like DevOps, InfraOps is built on similar values (the pillars of DevOps).
• It builds on the principle of Lean to focus on removing friction, or turn-and-type activities, from the pipeline/process.
• In InfraOps, one of the key methods for removing friction is through automation of the interstitia between different phases of a DevOps or CI/CD cycle.

Optimize the Ops in DevOps

Focus on eliminating friction

With the shift from execution to governing and validating, the role of deployment falls downstream of IT Operations.

IT Operations needs to move to a mindset that focuses on creating the guardrails, enforced standards, and compliance rules that need to be used downstream, then apply those standards using automation and tooling to remove friction and error from the interstitia (the white spaces between chevrons) of the various phases.

InfraOps tools

Info-Tech Insight

Your tools can be broken into two categories:

• Infrastructure Architecture
  • HCI vs. CI
• Automation Tooling
  • IaC and A&O

Keep in mind that while your infrastructure architecture is usually an either/or choice, your automation approach should use any and all tooling that helps.

Infrastructure approach

• Hyperconverged

• Composable

Hyperconverged Infrastructure (HCI)

Hyperconvergence is the next phase of convergence, virtualizing servers, networks, and storage on a single server/storage appliance. Capacity scales as more appliances are added to a cluster or stack.
The disruptive departure:

• Even though servers, networks, and storage were each on their own convergence paths, the three remained separate management domains (or silos). Even single-SKU converged infrastructures like VCE Vblocks are still composed of distinct server, network, and storage devices.
• In hyperconvergence, the silos collapse into single-software managed devices. This has been disruptive for both the vendors of technology solutions (especially storage) and for infrastructure management.
• Large storage array vendors are challenged by hyperconvergence alternatives. IT departments need to adapt IT skills and roles away from individual management silos and to more holistic service management.

Info-Tech Insight

HCI follows convergence trends of the past ten years but is also a departure from how IT infrastructure has traditionally been provisioned and managed.

HCI is at the same time a logical progression of infrastructure convergence and a disruptive departure.

Hyperconverged (HCI) – SWOT

HCI can be the foundation block for a fully software defined data center, a prerequisite for private cloud.

Strengths

• Potentially lower TCO through further infrastructure consolidation, reducing CapEx and OpEx expenditures through facilities optimization and cost consolidation.
• Operations in particular can be streamlined, since storage, network connections, and processors/memory are all managed as abstractions via a single control pane.
• HCI comes with built-in automation and analytics that lead to quicker issue resolution.

Opportunities

• Increased business agility by paving the way for a fully software defined infrastructure stack and cloud automation.
• Shift IT human assets from hardware asset maintainers and controllers to service delivery managers.
• Better able to compete with external IT service alternatives.
• Move toward a hybrid cloud service offering where the service catalog contains both internal and external offerings.

Key attributes of a cloud are automation, resource elasticity, and self-service. This kind of agility is impossible if physical infrastructure needs intervention.

Info-Tech Insight

Virtualization alone does not a private cloud make, but complete stack virtualization (software defined) running on a hands-off preconfigured HCI appliance (or group of appliances) provides a solid foundation for building cloud services.

Hyperconverged (HCI) – SWOT

Silo-busting and private cloud sound great, but are your people and processes able to manage the change?

Weaknesses

• HCI typically scales out linearly (CPU & storage). This does not suit traditional scale-up applications such as high-performance databases and large-capacity data warehouses.
• Infrastructure stacks are perceived as more flexible for variable growth across segments. For example, if storage is growing but processing is not, storage can scale separately from processing.

Threats

• HCI will be disruptive to roles within IT. Internal pushback is a real threat if necessary changes in skills and roles are not addressed.
• HCI is not a simple component replacement but an adoption of a different kind of infrastructure. Different places in the lifecycles for each of storage, network, and processing devices could make HCI a solution where there is no immediate problem.

In traditional infrastructure, performance and capacity are managed as distinct though complementary jobs. An all-in-one approach may not work.

Composable Infrastructure (CI)

• Composable infrastructure in many ways represents the opposite of an HCI approach. Its focus is on further disaggregating resources and components used to build systems.
  • Unlike traditional cloud virtual systems, composable infrastructure provides virtual bare metal resources, allowing tightly coupled resources like CPU, RAM, and GPU – or any device/card/module – to be released back and forth into the resource pool as required by a given workload.
  • This is enabled by the use of high-speed, low-latency PCI Express (PCI-e) and Compute Express Link (CXL) fabrics that allow these resources to be decoupled.
  • It also supports the ability to present other fabric types critical for building out enterprise systems (e.g. Ethernet, InfiniBand).
• Accordingly, CI systems are also based on next-generation network architecture that supports moving critical functions to the network layer, which enables more efficient use of the application-layer resources.

Composable Infrastructure (CI)

• CI may also leverage network-resident data/infrastructure processing units (DPUs/IPUs), which offload many network, security, and storage functions.
  • As new devices and functions become available, they can be added into the catalog of resources/functions available in a CI pool.

Use Case Example: Composable AI flow

Data Ingestion > Data Cleaning/Tagging > Training > Conclusion

• At each phase of the process, resources, including specialized hardware like memory and GPU cores, can be dynamically allocated and reallocated to the workload on demand

Composable Infrastructure (CI)

Use cases and considerations

Where it's useful

• Enable even more efficient allocation/utilization of resources for workloads.
• Very large memory or shared memory requirements can benefit greatly.
• Decouple purchasing decisions for underlying resources.
• Leverage the fabric to make it easier to incrementally upgrade underlying resources as required.
• Build "the Impossible Server."

Considerations

• Requires significant footprint/scale to justify in many cases
• Not necessarily good value for environments that aren't very volatile and heterogeneous in terms of deployment requirements
• May not be best value for environments where resource-stranding is not a significant issue

Info-Tech Insight

Many organizations using a traditional approach report resource stranding as having an impact of 20% or more on efficiency. When focusing specifically on the stranding of memory in workloads, the number can often approach 40%.

The CI ecosystem

• The CI ecosystem has many players, large and small!
• Note that the CI ecosystem is dependent on a large ecosystem of underlying enablers and component builders to support the required technologies.

Understanding the differences

Automation approach

• Infrastructure as Code
• Automation & Orchestration
• Metaorchestration

Infrastructure as Code (IaC)

Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.

Before IaC, IT personnel would have to manually change configurations to manage their infrastructure. Maybe they would use throwaway scripts to automate some tasks, but that was the extent of it.

With IaC, your infrastructure's configuration takes the form of a code file, making it easy to edit, copy, and distribute.

Info-Tech Insight
IaC is a critical tool in enabling key benefits!

• Reduced costs
• Increased scalability, flexibility, and speed
• Better consistency and version control
• Reduced deployment errors

Infrastructure as Code (IaC)

1. IaC uses a high-level descriptive coding language to automate the provisioning of IT infrastructure. This eliminates the need to manually provision and manage servers, OS, database connections, storage, and other elements every time we want to develop, test, or deploy an application.
2. IaC allows us to define the computer systems on which code needs to run. Most commonly, we use a framework like Chef, Ansible, Puppet, etc., to define their infrastructure. These automation and orchestration tools focus on the provisioning and configuring of base compute infrastructure.
3. IaC is also an essential DevOps practice. It enables teams to rapidly create and version infrastructure in the same way they version source code and to track these versions so as to avoid inconsistency among IT environments that can lead to serious issues during deployment.

• Idempotence is a principle of IaC. This means a deployment command always sets the target environment into the same configuration, regardless of the environment's starting state.
  • Idempotency is achieved by either automatically configuring an existing target or discarding the existing target and recreating a fresh environment.

Automation/Orchestration

Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

This usage of orchestration is often discussed in the context of service-oriented architecture, virtualization, provisioning, converged infrastructure, and dynamic data center topics. Orchestration in this sense is about aligning the business request with the applications, data, and infrastructure.

It defines the policies and service levels through automated workflows,
provisioning, and change management. This creates an application-aligned infrastructure that can be scaled up or down based on the needs of each application.

As the requirement for more resources or a new application is triggered, automated tools now can perform tasks that previously could only be done by multiple administrators operating on their individual pieces of the physical stack.

Orchestration also provides centralized management of the resource pool, including billing, metering, and chargeback for consumption. For example, orchestration reduces the time and effort for deploying multiple instances of a single application.

Info-Tech Insight

Automation and orchestration tools can be key components of an effective governance toolkit too! Remember to understand what data can be pulled from your various tools and leveraged for other purposes such as cost management and portfolio roadmapping.

Automation/Orchestration

There are a wide variety of orchestration and automation tools and technologies.

Configuration Management

Configuration Management
CI/CD Orchestration
Container Orchestration
Cloud-Specific Orchestration
PaaS Orchestration

Info-Tech Insight

Automation and orchestration tools and software offerings are plentiful, and many of them have a different focus on where in the application delivery ecosystem they provide automation functionality.

Often there are different tools for different deployment and service models as well as for different functional phases for each service model.

Automation/Orchestration

Every tool focuses on different aspects or functions of the deployment of resources and applications.

• Resources
  • Compute
  • Storage
  • Network
• Extended Services
  • Platforms
  • Infrastructure Services
  • Web Services
• Application Assets
  • Images
  • Templates
  • Containers
  • Code

Info-Tech Insight

Let the large ecosystem of tools be your ally. Leverage the right tools where needed and then address the complexity of tools using a master orchestration scheme.

Metaorchestration

Additionally, most tools do not cover all aspects required for most automation implementations, especially in hybrid cloud scenarios.

As such, often multiple tools must be deployed, which can lead to fragmentation and loss of unified controls.

Many enterprises address this fragmentation using a cloud management platform approach.

One method of achieving this is to establish a higher layer of orchestration – an "orchestrator of orchestrators," or metaorchestration.

In complex scenarios, this can be a challenge that requires customization and development.

InfraOps tools ecosystem

Build a virtuous cycle

Remember, the goal is to increase speed AND reliability. That's why we focus on removing friction from our delivery pipelines.

• The first step is to identify the points of friction in your cycle and understand the intensity and frequency of these friction points.
• Depending on your delivery and project management methodology, you'll have a different posture of the different tools that make sense for your pipeline.
• For example, if you are focused on delivering raw resources for sysadmins and/or you're in a Waterfall methodology where the friction points are large but infrequent, hyperconverged is likely to delivery good value, whereas tools like IaC and orchestration may not be as necessary.

Info-Tech Insight

Remember that, especially in modern and rapid methodologies, your IT footprint can drift unexpectedly. This means you need a real feedback mechanism on where the friction moves to next.

This is particularly important in more Agile methodologies.

Activity: Map your IT operations delivery

Identify your high-friction interstitial points

• Using the table below, or a table modified to your delivery phases, map out the activities and tasks that are not standardized and automated.
• For the incoming and outgoing sections, think about what resources and activities need to be (or could be) created, destroyed, or repurposed to efficiently manage each cycle and the spaces between cycles.

Info-Tech Insight

Map your ops groups to the delivery cycles in your pipeline. How many delivery cycles do you have or need?

Good InfraOps is a reflection of governance policies, expressed by standards in architecture and automation.

Related Info-Tech Research

Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap

• This Info-Tech note covers evaluation of HCI platforms.

Design Your Cloud Operations

• This Info-Tech blueprint covers organization of operations teams for various deployment and Agile modes.

Bibliography

Banks, Ethan, host. "Choosing Your Next Infrastructure." Datanauts, episode 094, Packet Pushers, 26 July 2017. Podcast.
"Composable Infrastructure Solutions." Hewlett Packard Canada, n.d. Web.
"Composable Infrastructure Technology." Liqid Inc., n.d. Web.
"DataOps architecture design." Azure Architecture Center, Microsoft Learn, n.d. Web.
Tan, Pei Send. "Differences: DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps, DevSecOps." Medium, 5 July 2021. Web.

Secure Your Hybrid Workforce

SASE as a driver to zero trust.

Analyst Perspective

Consolidate your security and network.

Remote connections like VPNs were not designed to be security tools or to have the capacity to handle a large hybrid workforce; hence, organizations are burdened with implementing controls that are perceived to be "security solutions." The COVID-19 pandemic forced a wave of remote work for employees that were not taken into consideration for most VPN implementations, and as a result, the understanding of the traditional network perimeter as we always knew it has shifted to include devices, applications, edges, and the internet. Additionally, remote work is here to stay as recruiting talent in the current market means you must make yourself attractive to potential hires.

The shift in the network perimeter increases the risks associated with traditional VPN solutions as well as exposing the limitations of the solution. This is where zero trust as a principle introduces a more security-focused strategy that not only mitigates most (if not all) of the risks, but also eliminates limitations, which would enhance the business and improve customer/employee experience.

There are several ways of achieving zero trust maturity, and one of those is SASE, which consolidates security and networking to better secure your hybrid workforce as implied trust is thrown out of the window and verification of everything becomes the new normal to defend the business.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

CISOs are looking to zero trust to fill the gaps associated with their traditional remote setup as well as to build an adaptable security strategy. Some challenges faced include:

• Understanding the main principles of zero trust: never trust, always verify, assume breach, and verify explicitly.
• Understanding how to achieve a zero trust framework.
• Understanding the premise of SASE as it pertains to a hybrid workforce.

Common Obstacles

The zero trust journey may seem tedious because of a few obstacles like:

• Knowing what the principle is all about and the components that align with it.
• Knowing where to start. Due to the lack of a standardized path for the zero trust journey, going about the journey can be confusing.
• Not having a uniform definition of what makes up a SASE solution as it is heavily dependent on vendors.

Info-Tech's Approach

Info-Tech provides a three-service approach to helping organizations better secure their hybrid workforce.

• Understand your current, existing technological capabilities and challenges with your hybrid infrastructure, and prioritize those challenges.
• Gain insight into zero trust and SASE as a mitigation/control/tool to those challenges.
• Identify the SASE features that are relevant to your needs and a source guide for a SASE vendor.

Info-Tech Insight

Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you in determining which of the options is a good fit for your organization.

Turn your challenges into opportunities

Hybrid workforce is the new normal

The pandemic has shown there is no going back to full on-prem work, and as such, security should be looked at differently with various considerations in mind.

Understand that current hybrid solutions are susceptible to various forms of attack as the threat attack surface area has now expanded with users, devices, applications, locations, and data. The traditional perimeter as we know it has expanded beyond just the corporate network, and as such, it needs a more mature security strategy.

Onboarding and offboarding have been done remotely, and with some growth recorded, the size of companies has also increased, leading to a scaling issue.

Employees are now demanding remote work capabilities as part of contract negotiation before accepting a job.

Attacks have increased far more quickly during the pandemic, and all indications point to them increasing even more.

Scarce available security personnel in the job market for hire.

Reality Today

The number of breach incidents by identity theft.
Source: Security Magazine, 2022.

IT security teams want to adopt zero trust.
Source: Cybersecurity Insiders, 2019.

Reduce the risks of remote work by using zero trust

Source: IBM, 2021.

Network + Security = SASE

What exactly is a SASE product?

The convergence and consolidation of security and network brought about the formation of secure access service edge (SASE – pronounced like "sassy"). Digital transformation, hybrid workforce, high demand of availability, uninterrupted access for employees, and a host of other factors influenced the need for this convergence that is delivered as a cloud service.

The capabilities of a SASE solution being delivered are based on certain criteria, such as the identity of the entity (users, devices, applications, data, services, location), real-time context, continuous assessment and verification of risk and "trust" throughout the lifetime of a session, and the security and compliance policies of the organization.

SASE continuously identifies users and devices, applies security based on policy, and provides secure access to the appropriate and requested application or data regardless of location.

Current Approach

The traditional perimeter security using the castle and moat approach is depicted in the image here. The security shields valuable resources from external attack; however, it isn't foolproof for all kinds of external attacks. Furthermore, it does not protect those valuable resources from insider threat.

This security perimeter also allows for lateral movement when it has been breached. Access to these resources is now considered "trusted" solely because it is now behind the wall/perimeter.

This approach is no longer feasible in our world today where both external and internal threats pose continuous risk and need to be contained.

Determine the suitability of SASE and zero trust

The Challenge:

Complications facing traditional infrastructure

• Increased hybrid workforce
• Regulatory compliance
• Limited Infosec personnel
• Poor threat detection
• Increased attack surface

Common vulnerabilities in traditional infrastructure

• MITM attack
• XSS attack
• Session hijacking
• Trust-based model
• IP spoofing
• Brute force attack
• Distributed denial of service
• DNS hijacking
• Latency issues
• Lateral movement once connection is established

Candidate Solutions

Proposed benefits of SASE

• Access is only granted to the requested resource
• Consolidated network and security as a service
• Micro-segmentation on application and gateway
• Adopts a zero trust security posture for all access
• Managed detection and response
• Uniform enforcement of policy
• Distributed denial of service shield

Proposed benefits of zero trust

• Identify and protect critical and non-critical resources in accordance with business objectives.
• Produce initiatives that conform to the ideals of zero trust and are aligned with the corresponding pillars above.
• Formulate policies to protect resources and aid segmentation.

Info-Tech Insight

Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will help you determine which of the options is a good fit for your organization.

Measure the value of using Info-Tech's approach

IT and business value

PHASE 1

Short-term benefits

• Gain awareness of your zero trust readiness.
• Embed a zero trust mindset across your architecture.
• Control the narrative of what SASE brings to your organization.

Long-term benefits

• Identified controls to mitigate risks with current architecture while on a zero trust journey.
• Improved security posture that reduces risk by increasing visibility into threats and user connections.
• Reduced CapEx and OpEx due to the scalability, low staffing requirements, and improved time to respond to threats using a SASE or SSE solution.

Determine SASE cost factors

IT and business value

Info-Tech Insight

IT leaders need to examine different areas of their budget and determine how the adoption of a SASE solution could influence several areas of their budget breakdown.

Determining the SASE cost factors early could accelerate the justification the business needs to move forward in making an informed decision.

Info-Tech's methodology for securing your hybrid workforce

Consider several factors needed to protect your growing hybrid workforce and assess your current resource capabilities, solutions, and desire for a more mature security program. The outcome should either address a quick pain point or a long-term roadmap.

The internet is the new corporate network

The internet is the new corporate network, which opens the organization up to more risks not protected by the current security stack. Using Info-Tech's methodology of zero trust adoption is a sure way to reduce the attack surface, and SASE is one useful tool to take you on the zero trust journey.

Current-state risks and future mitigation

Securing your hybrid workforce via zero trust will inevitably include (but is not limited to) technological products/solutions.

SASE and SSE features sit as an overlay here as technological solutions that will help on the zero trust journey by aggregating all the disparate solutions required for you to meet zero trust requirements into a single interface. The knowledge and implementation of this helps put things into perspective of where and what our target state is.

The right solution for the right problem

It is critical to choose a solution that addresses the security problems you are actually trying to solve.

Don't allow the solution provider to tell you what you need – rather, start by understanding your capability gaps and then go to market to find the right partner.

Take advantage of the RFP template to source a SASE or SSE vendor. Additionally, build a zero trust roadmap to develop and strategize initiatives and tasks.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Zero Trust and SASE Suitability Tool
Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool
Perform a gap analysis between current and target states to build a zero trust roadmap.

Key deliverable:

Secure Your Hybrid Workforce With Zero Trust Communication deck
Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Phase 1

Current state and future mitigation

This phase will walk you through the following activities:

• Introduction to the tool, how to use the input tabs to identify current challenges, technologies being used, and to prioritize the challenges. The prioritized list will highlight existing gaps and eventually be mapped to recommended mitigations in the following phase.

This phase involves the following participants:

• CIO
• CISO
• CSO
• IT security team
• IT network team

Secure Your Hybrid Workforce

1.1 Limitations of legacy infrastructure

Traditional security & remote access solutions must be modernized

Info-Tech Insight
Traditional security is architected with a perimeter in mind and is poorly suited to the threats in hybrid or distributed environments.

Ensure you minimize or eliminate weak points on all layers.

• SECURITY
  • DDoS
  • DNS hijacking
  • Weak VPN protocols
• IDENTITY
  • One-time verification allowing lateral movement
• NETWORK
  • Risk perimeter stops at corporate network edge
  • Split tunneling
• AUTHENTICATION
  • Weak authentication
  • Weak passwords
• ACCESS
  • Man-in-the-middle attack
  • Cross-site scripting
  • Session hijacking

1.1.1 For example: traditional VPNs are poorly suited to a hybrid workforce

There are many limitations that make it difficult for traditional VPNs to adapt to an ever-growing hybrid workforce.

The listed limitations are tied to associated risks of legacy infrastructure as well as security components that are almost non-existent in a VPN implementation today.

Scaling

VPNs were designed for small-scale remote access to corporate network. An increase in the remote workforce will require expensive hardware investment.

Visibility

Users and attackers are not restricted to specific network resources, and with an absence of activity logs, they can go undetected.

Managed detection & response

Due to the reduction in or lack of visibility, threat detections are poorly managed, and responses are already too late.

Hardware

Limited number of locations for VPN hardware to be situated as it can be expensive.

Hybrid workforce

The increase in the hybrid workforce requires the risk perimeter to be expanded from the corporate network to devices and applications. VPNs are built for privacy, not security.

Info-Tech Insight

Hybrid workforces are here to stay, and adopting a strategy that is adaptable, flexible, simple, and cost-effective is a recommended road to take on the journey to bettering your security and network.

1.1 Identify risk from legacy infrastructure

Estimated Time: 1-2 hours

1. Ensure all vulnerabilities described on slide 17 are removed.
2. Note any forecasted challenge you think you might have down the line with your current hybrid setup.
3. Identify any trend that may be of interest to you with regards to your hybrid setup.

Download the Zero Trust - SASE Suitability Assessment Tool

Input

• List of key pain points and challenges
• List of forecasted challenges and trends of interest

Output

• Prioritized list of pain points and/or challenges

Materials

• Excel tool
• Whiteboard

Participants

• CISO
• InfoSec team
• IT manager
• CIO
• Infrastructure team

1.2 Zero trust principle as a control

A zero trust implementation comes with benefits/initiatives that mitigate the challenges identified in earlier activities.

Info-Tech Insight

Zero trust/"always verify" is applied to identity, workloads, devices, networks, and data to provide a greater control for risks associated with traditional network architecture.

Improve IAM maturity

Zero trust identity and access will lead to a mature IAM process in an organization with the removal of implicit trust.

Secure your remote access

With a zero trust network architecture (ZTNA), both the remote and on-prem network access are more secure than the traditional network deployment. The software-defined parameter ensures security on each network access.

Reduce threat surface area

With zero trust principle applied on identity, workload, devices, network, and data, the threat surface area which births some of the risks identified earlier will be significantly reduced.

Improve hybrid workforce

Scaling, visibility, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits to improve your hybrid workforce.

1.2 SASE as an overlay to zero trust

Security and network initiatives of a zero trust roadmap converged into a single pane of glass.

Info-Tech Insight

Security and network converged into a single pane of glass giving you some of the benefits and initiatives of a zero trust implemented architecture in one package.

Improve IAM maturity

The identity-centric nature of SASE solutions helps to improve your IAM maturity as it applies the principle of least privilege. The removal of implicit trust and continuous verification helps foster this more.

Secure your remote access

With ZTNA, both the remote and on-prem network access are more secure than the traditional network deployment. The software defined parameter ensures security on each network access.

Reduce threat surface area

Secure web gateway, cloud access security broker, domain name system, next-generation firewall, data loss prevention, and ZTNA protect against data leaks, prevent lateral movement, and prevent malicious actors from coming in.

Improve hybrid workforce

Reduced costs and complexity of IT, faster user experience, and reduced risk as a result of the scalability, visibility, ease of IT administration, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits will surely improve your hybrid workforce.

Align SASE features to zero trust core capabilities

Verify Identity

• Authentication & verification are enforced for each app request or session.
• Use of multifactor authentication.
• RBAC/ABAC and principle of least privilege are applied on the identity regardless of user, device, or location.

Verify Device

• Device health is checked to ensure device is not compromised or vulnerable.
• No admin permissions on user devices.
• Device-based risk assessment is enforced as part of UEBA.

Verify Access

• Micro-segmentation built around network, user, device, location and roles.
• Use of context and content-based policy enforced to the user, application, and device identity.
• Network access only granted to specified application request and not to the entire network.

Verify Services

• Applications and services are checked before access is granted.
• Connections to the application and services are inspected with the security controls built into the SASE solution.

Info-Tech Insight

These features of SASE and zero trust mitigate the risks associated with a traditional VPN and reduce the threat surface area. With security at the core, network optimization is not compromised.

Security components of SASE

Otherwise known as security service edge (SSE)

Security service edge is the convergence of all security services typically found in SASE. At its core, SSE consists of three services which include:

• Secure web gateway – secure access to the internet and web.
• Cloud access security broker – secure access to SaaS and cloud applications.
• Zero trust network access – secure remote access to private applications.

SSE components are also mitigations or initiatives that make up a zero trust roadmap as they comply with the zero trust principle, and as a result, they sit up there with SASE as an overlay/driver of a zero trust implementation. SSE's benefits are identical to SASE's in that it provides zero trust access, risk reduction, low costs and complexity, and a better user experience. The difference is SSE's sole focus on security services and not the network component.

1.3 Pros & cons of zero trust and SASE

Understand SASE and zero trust suitability for your needs

Estimated Time: 1 hour

Use the dashboard to understand the value assessment of adopting a SASE product or building a zero trust roadmap.

Info-Tech Insight

This tool will help steer you on a path to take as a form of mitigation/control to some or all the identified challenges.

Phase 2

Make a decision and next steps

This phase will walk you through the following activities:

• Introduction to the tool activity, how to use the input tabs and considerations to generate an output that could help understand the current state of your hybrid infrastructure and what direction is to be followed next to improve.

This phase involves the following participants:

• CIO
• CISO
• CSO
• IT security
• IT network team

Secure Your Hybrid Workforce

Step 2.1

Sourcing out a SASE/SSE vendor

Activities

2.1.1 Use the RFP template to request proposal from vendors

2.1.2 Use SoftwareReviews to compare vendors

This step involves the following participants:

• CIO, CISO, IT manager, Infosec team, executives.

Outcomes of this step

• Zero Trust Roadmap

2.1.1 Use the RFP template to request proposal from vendors

Estimated Time: 1-3 hours

1. As a group, use the RFP Template to include technical capabilities of your desired SASE product and to request proposals from vendors.
2. The features that are most important to your organization generated from phase one should be highlighted in the RFP.

Input

• List of SASE features
• Technical capabilities

Output

• RFP

Materials

• RFP Template

Participants

• Security team
• IT leadership

Download the RFP Template

2.1.2 Use SoftwareReviews to compare vendors

SoftwareReviews

• The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
• Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
• The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
• Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Step 2.2

Zero trust readiness and roadmap

Activities

2.2.1 Assess the maturity of your current zero trust implementation

2.2.2 Understand business needs and current security projects

2.2.3 Set target maturity state with timeframe

This step involves the following participants:

CIO, CISO, IT manager, Infosec team, executives.

Outcomes of this step

Zero Trust Roadmap

2.2.1 Assess the maturity of your current zero trust implementation

Estimated Time: 1-3 hours

• Realizing that zero trust is a journey helps create a better roadmap and implementation. Identify the current controls or solutions in your organization that align with the principle of zero trust.
• Break down these controls or solutions into different silos (e.g. identity, security, network, data, device, applications, etc.).
• Determine your zero trust readiness.

Input

• List of zero trust controls/solutions
• Siloed list of zero trust controls/solutions
• Current state of zero trust maturity

Output

• Zero trust readiness and current maturity state

Materials

• Zero Trust Security Benefit Assessment tool

Participants

• Security team
• IT leadership

Download the Zero Trust Security Benefit Assessment tool

2.2.2 Understand business needs and current security projects

Estimated Time: 1-3 hours

1. Identify the business and IT executives, application owners, and board members whose vision aligns with the zero trust journey.
2. Identify existing projects within security, IT, and the business and highlight interdependencies or how they fit with the zero trust journey.
3. Build a rough sketch of the roadmap that fits the business needs, current projects and the zero trust journey.

Input

• Meetings with stakeholders
• List of current and future projects

Output

• Sketch of zero trust roadmap

Materials

• Whiteboard activity

Participants

• Security team
• IT leadership
• IT ops team
• Business executives
• Board members

Download Zero Trust Protect Surface Mapping Tool

2.2.3 Set target maturity state with a given timeframe

Estimated Time: 1-3 hours

1. With the zero trust readiness, current business, IT and security projects, current maturity state, and sketch of the roadmap, setting a target maturity state within some timeframe is at the top of the list. The target maturity state will include a list of initiatives that could be siloed and confined to a timeframe.
2. A Gantt chart or graph could be used to complete this task.

Input

• Results from previous activity slides

Output

• Current state and target state assessment for gap analysis
• List of initiatives and timeframe

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security team
• IT leadership
• IT ops team
• Business executives
• Board members

Download the Zero Trust Program Gap Analysis Tool

Summary of Accomplishment

Insights Gained

• Difference between zero trust as a principle and SASE as a framework
• Difference between SASE and SSE platforms.
• Assessment of which path to take in securing your hybrid workforce

Deliverables Completed

• Zero Trust – SASE Suitability Assessment Tool
• Secure Your Hybrid Workforce Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Zero Trust - SASE Suitability Assessment Tool

Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

Research Contributors

• Aaron Shum, Vice President, Security & Privacy
• Cameron Smith, Research Lead, Security & Privacy
• Brad Mateski, Zones, Solutions Architect for CyberSecurity
• Bob Smock, Info-Tech Research Group, Vice President of Consulting
• Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
• John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
• John Zhao, Fonterra, Enterprise Security Architect
• Rongxing Lu, University of New Brunswick, Associate Professor
• Sumanta Sarkar, University of Warwick, Assistant Professor
• Tim Malone, J.B. Hunt Transport, Senior Director Information Security
• Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

Related Info-Tech Research

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current state assessment, prioritizing initiatives, and building out a security roadmap.

Determine Your Zero Trust Readiness

IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

Mature Your Identity and Access Management Program

Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's IAM practices by following our three-phase methodology:

• Assess identity and access requirements.
• Identify initiatives using the identity lifecycle.
• Prioritize initiatives and build a roadmap.

Bibliography

"2021 Data Breach Investigations Report." Verizon, 2021. Web.
"Fortinet Brings Networking and Security to the Cloud" Fortinet, 2 Mar. 2021. Web.
"A Zero Trust Strategy Has 3 Needs – Identify, Authenticate, and Monitor Users and Devices on and off the Network." Fortinet, 15 July 2021. Web.
"Applying Zero Trust Principles to Enterprise Mobility." CISA, Mar. 2022. Web.
"CISA Zero Trust Maturity Model." CISA, Cybersecurity Division, June 2021. Web.
"Continuous Diagnostics and Mitigation Program Overview." CISA, Jan. 2022. Web.
"Cost of a Data Breach Report 2021 | IBM." IBM, July 2021. Web.
English, Melanie. "5 Stats That Show The Cost Saving Effect of Zero Trust." Teramind, 29 Sept. 2021. Web.
Hunter, Steve. "The Five Business Benefits of a Zero Trust Approach to Security." Security Brief - Australia, 19 Aug. 2020. Web.
"Improve Application Access and Security With Fortinet Zero Trust Network Access." Fortinet, 2 Mar. 2021. Web.
"Incorporating zero trust Strategies for Secure Network and Application Access." Fortinet, 21 Jul. 2021. Web.
Jakkal, Vasu. "Zero Trust Adoption Report: How Does Your Organization Compare?" Microsoft, 28 July 2021. Web.
"Jericho Forum™ Commandments." The Open Group, Jericho Forum, May 2007. Web.
Schulze, Holger. "2019 Zero Trust Adoption Report." Cybersecurity Insiders, 2019. Web.
"67% of Organizations Had Identity-Related Data Breaches Last Year." Security Magazine, 22 Aug. 2022. Web.
United States, Executive Office of the President Joseph R. Biden, Jr. "Executive Order on Improving the Nation's Cybersecurity." The White House, 12 May 2021. Web.

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Change your focus from satisfying auditors to driving process optimization, consistent IT operations, and effective knowledge transfer.

Project Outline

ANALYST PERSPECTIVE

Do your SOPs drive process optimization?

"Most organizations struggle to document and maintain SOPs as required, leading to process inconsistencies and inefficiencies. These breakdowns directly impact the performance of IT operations. Effective SOPs streamline training and knowledge transfer, improve transparency and compliance, enable automation, and ultimately decrease costs as processes improve and expensive breakdowns are avoided. Documenting SOPs is not just good practice; it directly impacts IT efficiency and your bottom line."

Frank Trovato, Senior Manager, Infrastructure Research Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

• IT Process Owners
• IT Infrastructure Managers
• IT Service Managers
• System Administrators
• And more…

This Research Will Help You:

• Identify, prioritize, and document SOPs for critical business processes.
• Discover opportunities for overall process optimization by documenting SOPs.
• Develop documentation best practices that support ongoing maintenance and review.

This Research Will Also Assist:

• CTOs
• Business unit leaders

This Research Will Help Them:

• Understand the need for and value of documenting SOPs in a usable format.
• Help set expectations around documentation best practices.
• Extend IT best practices to other parts of the business.

Executive summary

Situation

• Most organizations know it is good practice to have SOPs as it improves consistency, facilitates process improvement, and contributes to efficient operations.
• Though the benefits are understood, many organizations don't have SOPs and those that do don't maintain them.

Complication

• Writing SOPs is the last thing most people want to do, so the work gets pushed down the priority list and the documents become dated.
• Promoting the use of SOPs can also face staff resistance as the documentation is seen as time consuming to develop and maintain, too convoluted to be useful, and generally out of date.

Resolution

• Overcome staff resistance while implementing a sustainable SOP documentation approach by doing the following:
• Create visual documents that can be scanned. Flowcharts, checklists, and diagrams are quicker to create, take less time to update, and are ultimately more usable than a dense manual.
• Use simple, but effective document management practices.
• Make SOPs part of your project deliverables rather than an afterthought. That includes checking documentation status as part of your change management process.
• Extend these principles to other areas of IT and business processes. The survey data and examples in this report include application development and business processes as well as IT operations.

Info-Tech Insight

1. Create visual documents, not dense SOP manuals.
2. Start with high-impact SOPs. Identify the most critical undocumented SOPs and document them first.
3. Integrate SOP creation into project requirements and create SOP approval steps to ensure documentation is reviewed and completed in a timely fashion.

Most organizations struggle to create and maintain SOP documents, especially in North America, despite the benefits

North American companies are traditionally more technology focused than process focused, and that is reflected in the approach to documenting SOPs.

• An ad hoc approach to SOPs almost certainly means documents will be out of date and ineffective. The same is also true when updating SOPs as part of periodic concerted efforts to prepare for an audit, annual review, or certification process, and this makes the task more imposing.
• Incorporating SOP updates as part of regular change management processes ensures documents are up to date and usable. This can also make reviews and audits much more manageable.

'It isn’t unusual for us to see infrastructure or operations documentation that is wildly out of date. We’re talking months, even years. Often it was produced as one big effort and then not reliably maintained.'

– Gary Patterson, Consultant, Quorum Resources

Organizations are most likely to update documents on an ad hoc basis or via periodic formal reviews. Less than 25% keep SOPs updated as needed.

Source: Info-Tech Research Group; N=104

Document SOPs to improve knowledge transfer, optimize processes, and ultimately save money

COBIT, ISO, and ITIL aren’t a complete solution

"Being ITIL and ISO compliant hasn’t solved our documentation problem. We’re still struggling."

– Vendor Relationship Manager, Financial Services Industry

• Adopting a framework such as ITIL, COBIT, or ISO doesn’t always mean that SOP documents are accurate, effective, or up to date.
• Although these frameworks emphasize the importance of documenting processes, they tend to focus more on process development and requirements than on actual documentation. In other words, they deal more with what needs to be done than with how to do it.
• This research will focus more on the documentation process itself – so how to go about creating, updating, optimizing, managing, and distributing SOP documents.

Inadequate SOPs lead to major data loss and over $99,000 in recovery costs

CASE STUDY 1

Company A mid-sized US organization with over 1,000 employees

Source Info-Tech Interview

Situation

• IT supports storage nodes replicated across two data centers. SOPs for backup procedures did not include an escalation procedure for failed backups or a step to communicate successful backups. Management was not aware of the issue and therefore could not address it before a failure occurred.

Incident

• Primary storage had a catastrophic failure, and that put pressure on the secondary storage, which then also failed. All active storage failed and the data corrupted. Daily backups were failing due to lack of disk space on the backup device. The organization had to resort to monthly tape backups.

Impact

• Lost 1 month of data (had to go back to the last tape backup).
• Recovery also took much longer because recovery procedures were also not documented.
• Key steps such as notifying impacted customers were overlooked. Customers were left unhappy not only with the outage and data loss but also the lack of communication.

Intangible costs

High “goodwill” impact for internal staff and customers.

"The data loss pointed out a glaring hole in our processes – the lack of an escalation procedure. If I knew backups weren’t being completed, I would have done something about that immediately."

– Senior Division Manager, Information Technology Division

IT services company optimizes its SOPs using “Lean” approach

CASE STUDY 2

Company Atrion

SourceInfo-Tech Interview

Lean and SOPs

• Standardized work is important to Lean’s philosophy of continuous improvement. SOPs allow for replication of the current best practices and become the baseline standard for member collaboration toward further improvements.
• For more on Lean’s approach to SOPs, see “Lean Six Sigma Quality Transformation Toolkit (LSSQTT) Tool #17.”

Atrion’s approach

• Atrion is focused on documenting high-level processes that improve the client and employee experience or which can be used for training.
• Cross-functional teams collaborate to document a process and find ways to optimize that SOP.
• Atrion leverages visual documentation as much as possible: flowcharts, illustrations, video screen captures, etc.

Outcomes

• Large increase in usable, up-to-date documentation.
• Process and efficiency improvements realized and made repeatable.
• Success has been so significant that Atrion is planning to offer SOP optimization training and support as a service for its clients in the future.

Atrion

• Atrion provides IT services, solutions, and leadership to clients in the 250+ user range.
• After adopting the Lean framework for its organization, it has deliberately focussed on optimizing its documentation.

When we initiated a formal process efficiency program a little over a year ago and began striving towards a culture of continuous improvement, documenting our SOPs became key. We capture how we do things today and how to make that process more efficient. We call it current state and future state mapping of any process.

– Michelle Pope, COO, Atrion Networking Corp.

Strategies to overcome common documentation challenges

Use Info-Tech’s methodology to streamline the SOP documentation process.

Use this blueprint as a building block to complete these other Info-Tech projects

Improve IT-Business Alignment Through an Internal SLA

Understand business requirements, clarify capabilities, and close gaps.

Standardize the Service Desk – Module 2 & 3

Improve reporting and management of incidents and build service request workflows.

Create a Right-Sized Disaster Recovery Plan

Define appropriate objectives for DR, build a roadmap to close gaps, and document your incident response plan.

Extend the Service Desk to the Enterprise

Position IT as an innovator.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Create Visual SOP Documents – project overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Measured value for Guided Implementations (GIs)

Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

Note: Documenting SOPs provides additional benefits that are more difficult to quantify: reducing the time spent by staff to find or execute processes, improving transparency and accountability, presenting opportunities for automation, etc.

Phase 1

Prioritize, Optimize, and Document Critical SOPs

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Prioritize, optimize, and document critical SOPs

Proposed Time to Completion (in weeks): 2 weeks

Step 1.1: Prioritize SOPs

Start with an analyst kick off call:

• Apply a client focus to critical IT services.
• Identify undocumented, critical SOPs.

Then complete these activities…

• Rank and prioritize your SOP documentation needs.

With this template:

Standard Operating Procedures Workbook

Step 1.2: Develop visual documentation

Review findings with analyst:

• Understand the benefits of a visual approach.
• Review possibilities for visual documentation.

Then complete these activities…

• Identify formats that can improve your SOP documentation.

With these templates:

• Example DRP Process Flows
• Example App Dev Process And more…

Step 1.3: Optimize and document critical processes

Finalize phase deliverable:

• Two visual SOP documents, mapped using a tabletop exercise.

Then complete these activities…

• Create the visual SOP.
• Review and optimize the process.

With this tool:

SOP Project Roadmap Tool

Phase 1 Results & Insights:

Identify opportunities to deploy visual documentation, and follow Info-Tech’s process to capture steps, gaps, and opportunities to improve IT processes.

Focus first on client-facing and high-impact SOPs

IT’s number one obligation to internal and external customers is to keep critical services running – that points to mission-critical operations, service management, and disaster recovery.

Understand what makes an application or service mission critical

When email or a shared drive goes down, it may impact productivity, but may not be a significant impact to the business. Ask these questions when assessing whether an application or service is mission critical.

"Email and other Windows-based applications are important for our day-to-day operations, but they aren’t critical. We can still manufacture and ship clothing without them. However, our manufacturing systems, those are absolutely critical"

– Bob James, Technical Architect, Carhartt, Inc.

Create a high-level risk and benefit scale

1.1a

15 minutes

Define criteria for high, medium, and low risks and benefits, as shown in the example below. These criteria will be used in the upcoming exercises to rank SOPs.

Note: The goal in this section is to provide high-level indicators of which SOPs should be documented first, so a high-level set of criteria is used. To conduct a detailed business impact analysis, see Info-Tech’s Create a Right-Sized Disaster Recovery Plan.

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented mission-critical operations

1.1b

15 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. List your top three–five mission critical applications or services.
3. Identify relevant SOPs that support those applications or services.
4. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
5. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting mission-critical operations

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented service management procedures

1.1c

15 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. Identify service management SOPs.
3. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
4. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting service management

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Identify and prioritize undocumented DR procedures

1.1d

20 minutes

1. To navigate to this exercise, open Info-Tech’s Standard Operating Procedures Workbook.
2. Identify DR SOPs.
3. Indicate SOP status: Green = up to date and complete, Yellow = out-of-date or incomplete, Red = undocumented.
4. Assign risk and benefit scores (3=high, 1=low) to Yellow and Red SOPs based on potential impact if those processes failed (risk) and opportunity for process improvement (benefit).

OUTPUT

• Analysis of SOPs supporting DR

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Select the SOPs to focus on for the first round of documentation

1.1e

20 minutes

1. Identify two significantly different priority 1 SOPs to document during this workshop. It’s important to get a sense of how the Info-Tech templates and methodology can be applied to different types of SOPs.
2. Rank the remaining SOPs that you still need to address post-workshop by priority level within each topic area.

INPUT

• SOP analysis from activities 1.1 and 1.2

OUTPUT

• A shortlist of critical, undocumented SOPs to review later in this phase

Materials

• Whiteboard

Participants

• Process Owners
• SMEs

Change the format of your documentation

Which document is more effective? Which is more likely to be used?

"The end result for most SOPs is a 100-page document that makes anyone but the author want to stab themselves rather than read it. Even worse is when you finally decide to waste an hour of your life reading it only to be told afterwards that it might not be quite right because Bob or Stan needed to make some changes last year but never got around to it."

– Peter Church, Solutions Architect

Create visual-based documentation to improve usability and effectiveness

"Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

– Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

SOPs, including those that support your disaster recovery plan (DRP), are often created to meet certification requirements. However, this often leads to lengthy overly detailed documentation that is geared to auditors and business leaders, not IT staff trying to execute a procedure in a high-pressure, time-sensitive scenario.

Staff don’t have time to flip through a 300-page manual, let alone read lengthy instructions, so organizations are transforming monster manuals into shorter, visual-based documentation. Benefits include:

• Quicker to create than lengthy manuals.
• Easier to be absorb, so they are more usable.
• More likely to stay up to date because they are easier to maintain.

Example: DRPs that include visual SOPs are easier to use — that leads to shorter recovery times and fewer mistakes.

Use flowcharts for process flows or a high-level view of more detailed procedures

• Flowcharts depict who does what and when; they provide an at-a-glance view that is easy to follow and makes task ownership clear.
• Use swim lanes, as in this example, to indicate process stages and task ownership.
• For experienced staff, a high-level reminder of process flows or key steps is sufficient.
• Where more detail is required, include links to supporting documentation (which could include checklists, vendor documentation, other flowcharts, etc.).

See Info-Tech’s Incident and Service Management Procedures – Service Desk Example.

"Flowcharts are more effective when you have to explain status and next steps to upper management."

– Assistant Director-IT Operations, Healthcare Industry

Example: SOP in flowchart format

Review your options for diagramming software

Many organizations look for an option that easily integrates with the MS Office suite. The default option is often Microsoft Visio.

Pros:

• Easy to learn and use.
• Has a wide range of features and capabilities.
• Comes equipped with a large collection of stencils and templates.
• Offers the convenience of fluid integration with the MS Office Suite.

Cons:

• Isn’t included in any version of the MS Office Suite and can be quite expensive to license.
• Not available for Mac or Linux environments.

Consider the options below if you’re looking for an alternative to Microsoft Visio:

Desktop Solutions

• Dia Diagram Editor
• Diagram Designer
• LibreOffice Draw
• Pencil Project
• yEd Graph Editor

• Draw.io
• Creately
• Gliffy
• LucidChart

Note: No preference or recommendation is implied from the ordering of the options above.

This list is not intended to be comprehensive.

Evaluate different solutions to identify one that works for you

Use the criteria below to identify a flowchart software that fits your needs.

Use checklists to streamline step-by-step procedures

• Checklists are ideal when staff just need a reminder of what to do, not how to do it.
• Remember your audience. You aren’t pulling in a novice to run a complex procedure, so all you really need here are a series of reminders.
• Where more detail is required, include links to supporting documentation.
• Note that a flowchart can often be used instead of a checklist, depending on preference.

For two different examples of a checklist template, see:

• Employee Termination Process Checklist – IT Security Example
• System Recovery Procedures Template

Use topology diagrams to capture network layout, integrations, and system information

• Organizations commonly have network topology diagrams for reference purposes, so this is just a re-use of existing resources.
• Physically label real world equipment to correspond to topology diagrams. While these labels will be redundant for most IT employees, they help give clarity and confidence when changes are being made.
• If your topology diagrams are housed in a tool such as a systems management product, then export the diagrams so they can be included in your SOP documentation suite.

"Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them."

Use screen captures and tutorials to facilitate training for applications and SOPs

• Screen capture tutorials or videos are effective for training staff on applications. For example, create a screen capture tutorial to train staff on the use of a help desk application and your company’s specific process for using that tool.
• Similarly, create tutorials to train end users on straightforward “technical” tasks (e.g. setting up their VPN connection) to reduce the demand on IT staff.
• Tutorials can be created quickly and easily with affordable software such as Snag-It, ScreenHunter Pro, HyperSnap, PicPick, FastStone, Ashampoo Snap 6, and many others.

"When contractors come onboard, they usually don't have a lot of time to learn about the organization, and we have a lot of unique requirements. Creating SOP documents with screenshots has made the process quicker and more accurate."

– Susan Bellamore, Business Analyst, Public Guardian and Trustee of British Columbia

Example: Disaster recovery notification and declaration procedure

1. Swim lanes indicate task ownership and process stages.
2. Links to supporting documentation (which could include checklists, vendor documentation, other flowcharts, etc.) are included where necessary.
3. Additional DR SOPs are captured within the same spreadsheet for convenient, centralized access.

Review Info-Tech’s Incident Response and Recovery Process Flows – DRP Example.

Example: DRP flowchart with links to supporting documents

Establish flowcharting standards

If you don’t have existing flowchart standards, then keep it simple and stick to basic flowcharting conventions as described below.

Start, End, and Connector. Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified Modeling Language (UML) also uses the circle for start and end points.

Start, End. Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes.

Process Step. Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the sub-process symbol and flowchart the sub-process separately.

Sub-Process. A series of steps. For example, a critical incident SOP might reference a recovery process as one of the possible actions. Marking it as a sub-process, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process).

Decision. Represents decision points, typically with Yes/No branches, but you could have other branches depending on the question (e.g. a “Priority?” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues).

Document/Report Output. For example, the output from a backup process might include an error log.

Conduct a tabletop planning exercise to build an SOP

1.3a

20 minutes

Tabletop planning is a paper-based exercise where your team walks through a particular process and maps out what happens at each stage.

1. For this exercise, choose one particular process to document.
2. Document each step of the process using cue cards, which can be arranged on the table in sequence.
3. Be sure to include task ownership in your steps.
4. Map out the process as it currently happens – we’ll think about how to improve it later.
5. Keep focused. Stay on task and on time.

OUTPUT

• Steps in the current process for one SOP

Materials

• Tabletop, pen, and cue cards

Participants

• Process Owners
• SMEs

Info-Tech Insight

Don’t get weighed down by tools. Relying on software or other technological tools can detract from the exercise. Use simple tools such as cue cards to record steps so that you can easily rearrange steps or insert steps based on input from the group.

Collaborate to optimize the SOP

1.3b

20 minutes

Review the tabletop exercise. What gaps exist in current processes?

How can the process be made better? What are the outputs and checkpoints?

OUTPUT

• Identify steps to optimize the SOP

Materials

• Tabletop, pen, and cue cards

Participants

• Process Owners
• SMEs

A note on colors: Use white cards to record steps. Record gaps on yellow cards (e.g. a process step not documented) and risks on red cards (e.g. only one person knows how to execute a step) to highlight your gaps/to-dos and risks to be mitigated or accepted.

If it’s necessary to clarify complex process flows during the exercise, also use green cards for decision diamonds, purple for document/report outputs, and blue for sub-processes.

Capture opportunities to improve processes in the Standard Operating Procedures Project Roadmap Tool

1.3

Rank and track projects to close gaps you discover in your processes.

1. As a group, identify potential solutions to close the gaps in your processes that you’ve uncovered through the tabletop mapping exercise.
2. Add these project names to the Standard Operating Procedures Project Roadmap Tool on the “Project Scoring” tab.
3. Review and adjust the criteria for evaluating the benefits and costs of different projects on the “Scoring Criteria” tab.
4. Return to the “Project Scoring” tab, and assign weights at the top of each scoring column. Use the drop-down menus to adjust the scores for each project category. The tool will automatically rank the projects based on your input, but you can adjust the ranks as needed.
5. Assign dates and descriptions to the projects on the “Implementation Schedule” tab, below.

Identify gaps to improve process performance and make SOP documentation a priority

CASE STUDY

Challenge

• Tabletop planning revealed a 77-hour gap between current and desired RTO for critical systems.
• Similarly, the current achievable RPO gap was up to one week, but the desired RPO was one hour.
• A DR site was available but not yet set up with the necessary equipment.
• Lack of documented standard operating procedures (SOPs) was identified as a risk since that increased the dependence on two or three key SMEs.

Solution

• Potential projects to close RTO/RPO gaps were identified, including:
• Deploy servers that were decommissioned (as a result of a server refresh) to the DR site as warm standby servers.
• Implement site-to-site data replication.
• Document SOPs to enable tasks to be delegated and minimize resourcing risks.

Results

• A DR project implementation schedule was defined.
• Many of the projects required no further investment, but rather deployment of existing equipment that could function as standby equipment at the DR site.
• The DR risk from a lack of SOPs enabled SOPs to be made a priority. An expected side benefit is the ability to review and optimize processes and improve consistency in IT operations.

Document the SOPs from the tabletop exercise

1.3c

20 minutes

Document the results from the tabletop exercise in the appropriate format.

1. Identify an appropriate visual format for the high-level SOP as well as for any sub-processes or supporting documentation.
2. Break into groups of two or three.
3. Each group will be responsible for creating part of the SOP. Include both the high-level SOP itself and any supporting documentation such as checklists, sign-off forms, sub-processes, etc.
4. Once your document is complete, exchange it with that of another group. Review each other’s documents to check for clarity and completeness.

OUTPUT

• Output from activities 1.4 and 1.5

Materials

• Flowcharting software, laptops

Participants

• Process Owners
• SMEs

Repeat the tabletop exercise for the second process

Come back together as a large group. Choose a process that is significantly different from the one you’ve just documented, and repeat the tabletop exercise.

As a reminder, the steps are:

1. Use the tabletop exercise to map out a current SOP.
2. Collaborate to optimize the SOP.
3. Decide on appropriate formats for the SOP and its supporting documents.
4. Divide into small groups to create the SOP and its supporting documents.
5. Repeat the steps above as needed for your initial review of critical processes.

Info-Tech Insight

If you plan to document more than two or three SOPs at once, consider making it an SOP “party” to add momentum and levity to an otherwise dry process. Review section 2.3 to find out how.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1a-e

Get started by prioritizing SOPs

Ensure the SOP project remains business focused, and kick off the project by analyzing critical business services. Identify key IT services that support the relevant business services. Conduct a benefit/risk analysis to prioritize which SOPs should become the focus of the workshop.

1.3a-c

Document the SOPs from the tabletop exercise

Leverage a tabletop planning exercise to walk the team through the SOP. During the exercise, focus on identifying timelines, current gaps, and potential risks. Document the steps via que cards first and transpose the hard copies to an electronic version.

Phase 2

Establish a Sustainable Documentation Process

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Establish a sustainable SOP documentation process

Proposed Time to Completion (in weeks): 4 weeks

Step 2.1: Establish guidelines for identifying and organizing SOPs

Start with an analyst call:

• Establish documentation information guidelines.
• Review version control best practices.

Then complete these activities…

• Implement best practices to identify and organize your SOPs.

With these tools & templates:

• SOP Workbook

Step 2.2: Define a process to document and maintain SOPs

Review findings with analyst:

• Identify opportunities to create a culture that fosters SOP creation.

Then complete these activities…

• Create a plan to address SOP documentation gaps.

With these tools & templates:

• Document Management Checklist

Step 2.3: Plan time with experts to put a dent in your documentation backlog

Finalize phase deliverable:

• Address outstanding undocumented SOPs by working through process issues together.

Then complete these activities…

• Organize and run a working session to document and optimize processes.

With these tools & templates:

• SOP Workbook
• SOP Project Roadmap Tool

Phase 2 Results & Insights:

Improve the process for documenting and maintaining your SOPs, while putting a dent in your documentation backlog and gaining buy-in with staff.

Identify current content management practices and opportunities for improvement

DISCUSS

What is the current state of your content management practices?

Are you using a content management system? If not, where are documents kept?

Are your organizational or departmental SOPs easy to find?

Is version control a problem? What about file naming standards?

Get everyone on the same page on the current state of your SOP document management system, using the questions above as the starting point.

Keep document management simple for better adoption and consistency

If there is too much complexity and staff can’t easily find what they need, you won’t get buy-in and you won’t get consistency.

Whether you store SOPs in a sophisticated content management system (CMS) or on a shared network drive, keep it simple and focus on these primary goals:

• Enable staff to find the right document.
• Know if a document is the latest, approved version.
• Minimize document management effort to encourage buy-in and consistency.

If users can’t easily find what they need, it leads to bad practices. For example:

• Users maintain their own local copies of commonly used documents to avoid searching for them. The risk is that local copies will not be automatically updated when the SOP changes.
• Separate teams will implement their own document management system and repository. Now you have duplication of effort and company resources, multiple copies of documents (where each group needs their own version), and no centralized control over potentially sensitive documents.
• Users will ignore documented SOPs or ask a colleague who might also be following the above bad practices.

Insert a document information block on the first page of every document to identify key attributes

Include a document information block on the first page of every document to identify key attributes. This strategy is as much about minimizing resistance as it is ensuring key attributes are captured.

• A consistent document information block saves time (e.g. vs. customized approaches per document). If some fields don’t apply, enter “n/a.”
• It provides key information about the document without having to check soft copy metadata, especially if you work with hard copies.
• It’s a built-in reminder of what to capture and easier than updating document properties or header/footer information or entering metadata into a CMS.

Note: The Info-Tech templates in this blueprint include a copy of the document information block shown in this example. Add more fields if necessary for your organization’s needs.

For an example of a completed document information block, see Network Backup for Atlanta Data Center – Backups Example

Info-Tech Insight

For organizations with more advanced document management requirements, consider more sophisticated strategies (e.g. using metadata) as described in Info-Tech’s Use SharePoint for Enterprise Content Management and Reintroduce the Information Lifecycle to the Content Management Strategy. However, the basic concepts above still apply: establish standard attributes you need to capture and do so in a consistent manner.

Modify the Info-Tech document information block to meet your requirements

2.1a

15 minutes

1. Review “Guidelines and Template for the Document Information Block” in the Standard Operating Procedures Workbook. Determine if any changes are required, such as additional fields.
2. Identify which fields you want to standardize and then establish standard terms. Balance the needs for simplicity and consistency – don’t force consistency where it isn’t a good fit.
3. Pre-fill the document information block with standard terms and examples and add it to an SOP template that’s stored in your content management system.

Educate staff by pre-filling the document

• Providing examples built into the templates provides in-context, just-in-time training which is far more effective and easier than formal education efforts.
• Focus your training on communicating when the template or standard terms change so that staff know to obtain the new version. Otherwise, the tendency for many staff will be to use one of their existing documents as their template.

OUTPUT

• Completed document information block

Materials

• Laptop
• Projector

Participants

• Process Owners
• SMEs

Leverage the document information block to create consistent filenames that facilitate searching

Use the following filename format to create consistent, searchable, and descriptive filenames:

Topic – Document Title – Document Type – Version Date

For example:

• ERP – System Administration Monthly Maintenance Tasks – Checklist – 2016-01-15.docx
• ERP – System Administration Monthly Maintenance Tasks – SOP – 2017-01-10.docx
• Backups – Network Backup Procedure for Atlanta Data Center – SOP – 2017-03-06.docx
• PROJ437 – CRM Business Requirements – BRD – 2017-02-01.xlsx
• DRP – Notification Procedures – SOP – 2016-09-14.docx
• DRP – Emergency Response Team Roles and Responsibilities – Reference – 2018-03-10.xlsx

Apply filename and document information block guidelines to existing SOPs

2.1b

15 minutes

1. Review the SOPs created during the earlier exercises.
2. Update the filenames and document information block based on guidelines in this section.
3. Apply these guidelines to other select existing SOPs to see if additional modifications are required (e.g. additional standard terms).

INPUT

• Document Information Block

OUTPUT

• Updated filenames and document information blocks

Materials

• Laptop and projector

Participants

• Process Owners
• SMEs

Implement version control policies for local files as well as those in your content management system (CMS)

1. Version Control in Your CMS

Always keep one master version of a document:

• When uploading a new copy of an existing SOP (or any other document), ensure the filenames are identical so that you are just adding a new version rather than a separate new file.
• Do not include version information in the filename (which would create a new separate file in your CMS). Allow your CMS to handle version numbering.

Ideally, staff would never keep local copies of files. However, there are times when it is practical or preferable to work from a local copy: for example, when creating or updating an SOP, or when working remotely if the CMS is not easily accessible.

Implement the following policies to govern these circumstances:

• Add the version date to the end of the filename while the document is local, as shown in the slide on filenames.
• Remove the date when uploading it to a CMS that tracks date and version. If you leave the date in the filename, you will end up with multiple copies in your CMS.
• When distributing copies for review, upload a copy to the CMS and send the link. Do not attach a physical file.

Reduce the need for version updates by isolating volatile information in a separate, linked document. For example:

• Use Policy documents to establish high-level expectations and goals, and use SOPs to capture workflow, but put volatile details in a separate reference document. For example, for Backup procedures, put offsite storage vendor details such as contact information, pick up times, and approved couriers in a separate document.
• Similarly, for DRP Notification procedures, reference a separate contacts list.

Modify the Info-Tech Document Management Checklist to meet your requirements

2.1c

15 minutes

1. Review the Info-Tech Document Management Checklist.
2. Add or remove checklist items.
3. Update the document information block.

OUTPUT

• Completed document management checklist

Materials

• Laptop, projector

Participants

• Process Owners
• SMEs

See Info-Tech’s Document Management Checklist.

If you aren’t going to keep your SOPs current, then you’re potentially doing more harm than good

An outdated SOP can be just as dangerous as having no SOP at all. When a process is documented, it’s trusted to be accurate.

• Disaster recovery depends as much on supporting SOPs – such as backup and restore procedures – as it does on a master incident response plan.
• For disaster scenarios, the ability to meet recovery point objectives (i.e. minimize data loss) and recovery time objectives (i.e. minimize downtime) depends on smoothly executed recovery procedures and on having well-defined and up-to-date DR documentation and supporting SOPs. For example:
• Recovery point (data loss) objectives are directly impacted by your backup procedures.
• Recovery time is minimized by a well-defined restore procedure that reduces the risk of human error during recovery which could lead to data loss or a delay in the recovery.
• Similarly, a clearly documented configuration procedure will reduce the time to bring a standby system online.

Follow Info-Tech best practices to keep SOPs current and drive consistent, efficient IT operations

The following best practices were measured in this chart, and will be discussed further in this section:

1. Identify documentation requirements as part of project planning.
2. Require a manager or supervisor to review and approve SOPs.
3. Check documentation status as part of change management.
4. Hold staff accountable.

Higher adoption of Info-Tech best practices leads to more effective SOPs and greater benefits in areas such as training and process improvement.

Info-Tech Insight

Audits for compliance requirements have little impact on getting SOPs done in a timely manner or the actual usefulness of those SOPs, because the focus is on passing the audit instead of creating SOPs that improve operations. The frantic annual push to complete SOPs in time for an audit is also typically a much greater effort than maintaining documents as part of ongoing change management.

Identify documentation requirements as part of project planning

DISCUSS

When are documentation requirements captured, including required changes to SOPs?

Make documentation requirements a clearly defined deliverable. As with any other task, this should include:

• Owner: The person ultimately responsible for the documentation.
• Assigned resource: The person who will actually put pen to paper. This could be the same person as the owner, or the owner could be a reviewer.
• Deadlines: Include documentation deliverables in project milestones.
• Verification process: Validate completion and accuracy. This could be a peer review or management review.

Example: Implement a new service desk application.

• Service desk SOP documentation requirements: SOP for monitoring and managing tickets will require changes to leverage new automation features.
• Owner: Service Desk Lead.
• Assigned resource: John Smith (service desk technician).
• Deadline: Align with “ready for QA testing.”
• Verification process: Service Desk Lead document review and signoff.

Info-Tech Insight

Realistically, documentation will typically be a far less urgent task than the actual application or system changes. However, if you want the necessary documentation to be ultimately completed, even if it’s done after more urgent tasks, it must be tracked.

Implement document approval steps at the individual and project level

DISCUSS

How do you currently review and validate SOP documents?

Require a manager or supervisor to review and approve SOPs.

• Avoid a bureaucratic review process involving multiple parties. The goal is to ensure accuracy and not just provide administrative protection.
• A review by the immediate supervisor or manager is often sufficient. Their feedback and the implied accountability improve the quality and usefulness of the SOPs.

Check documentation status as part of change management.

• Including a documentation status check holds the project leaders and management accountable.
• If SOPs are not critical to the project deliverable, then realistically the deliverable is not held back. However, keep the project open until relevant documents are updated so those tasks can’t be swept under the rug until the next audit.

SOP reviews, change management, and identifying requirements led to benefits such as training and process improvement.

"Our directors and our CIO have tied SOP work to performance evaluations and SOP status is reviewed during management meetings. People have now found time to get this work done."

– Assistant Director-IT Operations, Healthcare Industry

Review SOPs regularly and assign a process owner to avoid reinforcing silos

CASE STUDY

Industry

Public service organization

Source

Info-Tech client engagement

Situation

• The organization’s IT department consists of five heavily siloed units.
• Without communication or workflow accountability across units, each had developed incompatible workflows, making estimates of “time to resolution” for service requests difficult.
• The IT service manager purchases a new service desk tool, attempting to standardize requests across IT to improve efficiency, accountability, and transparency.

Complication

• The IT service manager implements the tool and creates standardized workflows without consulting stakeholders in the different service units.
• The separate units immediately rebel against the service manager and try to undermine the implementation of the new tool.

Results

• Info-Tech analysts helped to facilitate a solution between experts in the different units.
• In order to develop a common workflow and ticket categorization scheme, Info-Tech recommended that each service process should have a single approver.

The bottom line: ensure that there’s one approver per process to drive process efficiency and accountability and avoid problems down the road.

Hold staff accountable to encourage SOP work to be completed in a timely manner

DISCUSS

Are SOP updates treated as optional or “when I have time” work?

Hold staff directly accountable for SOP work.

Holding staff accountable is really about emphasizing the importance of ensuring SOPs stay current. If management doesn’t treat SOPs as a priority, then neither will your staff. Strategies include:

• Include SOP work in performance appraisals.
• Keep relevant tickets open until documentation is completed.
• Ensure documents are reviewed, as discussed earlier.
• Identify and assign documentation tasks as part of project planning efforts, as discussed earlier.

Holding staff accountable minimizes procrastination and therefore maintenance effort.

Info-Tech Insight

Holding staff accountable does not by itself make a significant impact on SOP quality (and therefore the typical benefits of SOPs), but it minimizes procrastination, so the work is ultimately done in a more timely manner. This ensures SOPs are current and usable, so they can drive benefits such as consistent operations, improved training, and so on.

Assign action items to address SOP documentation process challenges

2.2

1. Discuss the challenges mentioned at the start of this section, and other challenges highlighted by the strategies discussed in this section. For example:

• Are documentation requirements included in project planning?
• Are SOPs and other documentation deliverables reviewed?
• Are staff held accountable for documentation?

An “SOP party” fosters a collaborative approach and can add some levity to an otherwise dry exercise

What is an SOP party?

• An SOP party is a working session, bringing together process owners and key staff to define current SOPs and collaborate to identify optimization opportunities.
• The party aspect is really just about how you market the event. Order in food or build in a cooking contest (e.g. a chilli cook-off or dessert bake-off) to add some fun to what can be a dry activity.

Why does this work?

• Process owners become so familiar with their tasks that many of the steps essentially live in their heads. Questions from colleagues draw out those unwritten steps and get them down on paper so another sufficiently qualified employee could carry out the same steps.
• Once the processes are defined (e.g. via a tabletop exercise), input from colleagues can help identify risks and optimization opportunities, and process questions can be quickly answered because the key people are all present.
• The group approach also promotes consistency and enables you to set expectations (e.g. visual-based approach, standards, level of detail, etc.).

When is collaboration necessary (e.g. via tabletop planning)?

• Tabletop planning is ideal for complex processes as well as processes that span multiple tasks, people, and/or systems.
• For processes with a narrow focus (e.g. recovery steps for a specific server), assign these to the SME to document. Then ensure the SOP is reviewed to draw out the unwritten steps as described above.
• For example, if you use tabletop planning to document a high-level DR plan, sub-processes might include recovery procedures for individual systems; those SOPs can then be assigned to individual SMEs.

Schedule SOP working sessions until critical processes are documented

Ultimately, it’s more efficient to create and update SOPs as needed but dedicated working sessions will help address immediate critical needs.

Organize the working session:

1. Book a full-day meeting in an out of the way meeting room, invite key staff (system and process owners who ultimately need to be SOP owners), and order in lunch so no one has to leave.
2. Prioritize SOPs (see Phase 1) and set goals (e.g. complete the top 6 SOPs during this session).
3. Alternate between collaborative efforts and documenting the SOPs. For example:
1. Tabletop or flowchart the current SOP. Take a picture of the current state for reference purposes.
2. Look for process improvements. If you have the authority in the room to enable process changes, then modify the tabletop/flowchart accordingly and capture this desired future state (e.g. take a picture). Otherwise, identify action items to follow up on proposed changes.
3. Identify all related documentation deliverables (e.g. sub-processes, checklists, approval forms, etc.).
4. Create the identified documentation deliverables (divide the work among the team). Then repeat the above.
4. Repeat these working sessions on a monthly or quarterly basis, depending on your requirements, until critical SOPs are completed.
5. When the SOP backlog is cleared, conduct quarterly or semi-annual refreshers for ongoing review and optimization of key processes.

Assign action items to capture next steps after SOP working sessions

2.3

1. Review the SOPs documented during this workshop. Identify action items to complete and validate those SOPs and related documents. For example, do the SOPs require further approval or testing?
2. Similarly, review the document management checklist and identify action items to complete, expand, and/or validate proposed standards.
3. For SOP working sessions, decide on a date, time, and who should be there based on the guidelines in this section. If the SOP party approach does not meet your requirements, then at the very least assign owners for the identified critical SOPs and set deadlines for completing those SOPs. Document these extra action items in your copy of the Standard Operating Procedures Workbook.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with out Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

2.1

Identify current content management practices

As a group, identify current pain points and opportunities for improvement in your current content management practices.

2.2

Assign action items to address documentation process challenges

Develop a list of action items to address gaps in the SOP documentation and maintenance process.

Phase 3

Identify a Content Management Solution

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Phase 3 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Decide on a content management solution for your SOPs

Proposed Time to Completion (in weeks): 1 week

Step 3.1: Understand the options for CM solutions

Start with an analyst kick off call:

• Review your current approach to content management and discuss possible alternatives.

Then complete these activities…

• Evaluate the pros and cons of different approaches to content management.
• Discuss approaches for fit with your team.

Step 3.2: Identify the right solution for you

Review findings with analyst:

• Identify 2–3 possible options for a content management strategy.

Then complete these activities…

• Identify the best solution based on portability, maintainability, cost, and implementation effort.

With these tools & templates:

• Publishing and Document Management Solution Evaluation Tool
• SOP Project Roadmap
• SOP Workbook

Phase 3 Results & Insights:

Choose an approach to content management that will best support your organization’s SOP documentation and maintenance process.

Decide on an appropriate publishing and document management strategy for your organization

Publishing and document management considerations:

• Portability/External Access: At the best of times, portability is nice because it enables flexibility, but at the worst of times (such as in a disaster recovery situation) it is absolutely essential. If your primary site is down, can you still access your documentation? As shown in this chart, traditional storage strategies still dominate DRP documentation, but these aren’t necessarily the best options.
• Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents? Is there version control? The easier the system is to use, the easier it is to get employees to use it.
• Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution like SharePoint or a Content Management System. For smaller organizations, the cost of these tools might be harder to justify.

Consider these approaches:

This section reviews the following approaches, their pros and cons, and how they meet publishing and document management requirements:

• SOP tools.
• Cloud-based content management software.
• In-house solutions combining SharePoint and MS Office (or equivalent).
• Wiki site.
• “Manual” approaches such as storing documents on a USB drive.

Source: Info-Tech Research Group; N=118

Note: Percentages total more than 100% due to respondents using more than one portability strategy.

Develop a content management strategy and process to reduce organizational risk

CASE STUDY

Segment

Mid-market company

Source

Info-Tech Interview

Situation

• A mid-sized company hired a technical consultancy to manage its network.
• As part of this move, the company’s network administrator was fired.
• Over time, this administrator had become a “go-to” person for several other IT functions.

Complication

• The consulting team realizes that the network administrator kept critical documentation on his local hard drive.
• This includes configs, IP addresses, passwords, logins to vendor accounts, and more.
• It becomes clear the administrator was able to delete some of this information before leaving, which the consultants are required to retrieve and re-document.

Result

• Failing to implement effective SOPs for document management and terminating key IT staff exposed the organization to unnecessary risk and additional costs.
• Allowing a local content management system to develop created a serious security risk.
• The bottom line: create a secure, centralized, and backed-up location and establish SOPs around using it to help keep the company’s data safe.

Info-Tech offers a web-based policy management solution with process management capabilities

About this Approach:

myPolicies is a web-based solution to create, distribute, and manage corporate policies, procedures, and forms, built around best practices identified by our research.

Contact your Account Manager today to find out if myPolicies is right for you.

SOP software and DR planning tools can help, but they aren’t a silver bullet

Portability/External Access:

• Pros: Typically have a SaaS option, providing built-in external access with appropriate security and user administration to vary access rights.
• Cons: Dependent on the vendor to ensure external access, but this is typically not an issue.

Maintainability/Usability:

• Pros: Built-in templates encourage consistency as well as guide initial content development by indicating what details need to be captured.
• Pros: Built-in document management (e.g. version control, metadata support, etc.), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
• Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
• Cons: Requires end-user and administrator training.
• Cons: Often modules of larger software suites. If you use the entire suite, it may make sense to use the SOP tool, but otherwise probably not.

Cost/Effort:

• Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
• Cons: SOP tools can be costly. Expect to pay at least $3,000-7,000 for software licensing, plus additional per user and hosting fees.

About this Approach:

SOP tools such as Princeton Center’s SOP ExpressTM and SOP Tracks or MasterControl’s SOP Management and eSOP allow organizations to create, manage, and access SOPs. These programs typically offer a range of SOP templates and formats, electronic signatures, version control, and review options and training features such as quizzes and monitoring.

Similarly, DR planning solutions (e.g. eBRP, Recovery Planner, LDRPS, etc.) provide templates, tools, and document management to create DR documentation including SOPs.

Consider leveraging SharePoint to provide document management capabilities

Portability/External Access:

• Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
• Cons: Must be installed at redundant sites or be cloud-based to be effective in the event of a worst-case scenario disaster recovery situation in which the primary data center is down.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support, etc.) as well as centralized access to required documents.
• Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
• Cons: No built-in automated updates (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: Using existing tools, so this is a sunk cost in terms of capex.
• Cons: Additional effort required to create templates and manage the documentation library.

For more information on SharePoint as a content management solution, see Info-Tech’s Use SharePoint for Enterprise Content Management.

About this Approach:

Most SOP documents start as MS Office documents, even if there is an SOP tool available (some SOP tools actually run within MS Office on the desktop). For organizations that decide to bypass a formal SOP tool, the biggest gap they have to overcome is document management.

Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for SOP documentation.

For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instance at multiple in-house locations or using a cloud-based SharePoint solution.

As an alternative to SharePoint, SaaS tools such as Power DMS, NetDocuments, Xythos on Demand, Knowledge Tree, Spring CM, and Zoho Docs offer cloud-based document management, authoring, and distribution services that can work well for SOPs. Some of these, such as Power DMS and Spring CM, are geared specifically toward workflows.

A wiki may be all you need

Portability/External Access:

• Pros: Wiki sites can support external access as with any web solution.
• Cons: May lack more sophisticated content management features.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support, etc.) as well as centralized access to required information.
• Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
• Cons: Learning curve if wikis are new to your organization.

About this Approach:

Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

• Implement a Collaboration Platform
• Vendor Landscape: Collaboration Platforms

An approach that I’ve seen work well is to consult the wiki for any task, activity, job, etc. Is it documented? If not, then document it there and then. Sure, this led to 6-8 weeks of huge effort, but the documentation grew in terms of volume and quality at an alarming but pleasantly surprising rate. Providing an environment to create the documentation is important and a wiki is ideal. Fast, lightweight, in-browser editing leads to little resistance in creating documents.

- Lee Blackwell, Global IT Operation Services Manager, Avid Technology

Managing SOPs on a shared network drive involves major challenges and limitations

Portability/External Access:

• Cons: Must be hosted at redundant sites in order to be effective in a worst-case scenario that takes down your data center.

Maintainability/Usability:

• Pros: Easy to implement and no learning curve.
• Pros: Access can be easily managed.
• Cons: Version control, standardization, and document management can be significant challenges.

Cost/Effort:

• Pros: Little to no cost and no tool management required.
• Cons: Managing documents on a shared network drive requires strict attention to process for version control, updates, approvals, and distribution.

About this Approach:

With this strategy, SOP documents are stored and managed locally on a shared network drive. Only process owners and administrators have read-write permissions on documents on the shared drive.

The administrator grants access and manages security permissions.

Info-Tech Insight

For small organizations, the shared network drive approach can work, but this is ultimately a short-term solution. Move to an online library by creating a wiki site. Start slow by beginning with a particular department or project, then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to the Info-Tech collaboration strategy research cited on the previous slide for additional guidance.

Avoid extensive use of paper copies of SOP documentation

SOP documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

Portability/External Access:

• Pros: Does not rely on technology or power.
• Cons: Not adequate for disaster recovery situations; would require all staff to have a copy and to have it with them at all times.

Maintainability/Usability:

• Pros: In terms of usability, again there is no dependence on technology.
• Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest most accurate documentation.
• Cons: Navigation to other information is manual – flipping through pages etc. No searching or hyperlinks.

Cost/Effort:

• Pros: No technology system to maintain, aside from what you use for printing.
• Cons: Printing expenses are actually among the highest incurred by organizations and this adds to it.
• Cons: Labor-intensive due to need to print and physically distribute documentation updates.

About this Approach

Traditionally, SOPs were printed and kept somewhere in a large binder (or several large binders). This isn’t adequate to the needs of most organizations and typically results in documents that aren’t up to date or effective.

Use Info-Tech’s solution evaluation tool to decide on a publishing and document management strategy

All organizations have existing document management methodologies, even if it’s simply storing documents on a network drive.

Use Info-Tech’s solution evaluation tool to decide whether your existing solution meets the portability/external access, maintainability/usability, and cost/effort criteria, or whether you need to explore a different option.

Note: This tool was originally built to evaluate DRP publishing options, so the tool name and terminology refers to DR. However, the same tool can be used to evaluate general SOP publishing and document management solutions.

Consider using Info-Tech’s DRP Publishing and Document Management Solution Evaluation Tool.

Info-Tech Insight

There is no absolute ranking for possible solutions. The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on. For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to ensure consistent application of corporate guidelines.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

3.1

Decide on a publishing and document management strategy

Review the pros and cons of different strategies for publishing and document management. Identify needs, priorities, and limitations of your environment. Create a shortlist of options that can meet your organization’s needs and priorities.

3.2

Complete the solution evaluation tool

Evaluate solutions on the shortlist to identify the strongest option for your organization, based on the criteria of maintainability, affordability, effort to implement, and accessibility/portability.

Insight breakdown

Create visual documents, not dense SOP manuals.

• Visual documents that can be scanned are more usable and easier to update.
• Flowcharts, checklists, and diagrams all have their place in visual documentation.

Start with high-impact SOPs.

• It can be difficult to decide where to start when faced with a major documentation backlog.
• Focus first on client facing and high-impact SOPs, i.e. mission-critical operations, service management, and disaster recovery procedures.

Integrate SOP creation into project requirements and hold staff accountable.

• Holding staff accountable does not provide all the benefits of a well documented and maintained SOP, but it minimizes procrastination, so the work is ultimately done in a more timely manner.

Summary of accomplishment

Knowledge Gained

SOPs may not be exciting, but they’re very important to organizational consistency, efficiency, and improvement.

This blueprint outlined how to:

• Prioritize and execute SOP documentation work.
• Establish a sustainable process for creating and maintaining SOP documentation.
• Choose a content management solution for best fit.

Processes Optimized

• Multiple processes supporting mission-critical operations, service management, and disaster recovery were documented. Gaps in those processes were uncovered and addressed.
• In addition, your process for maintaining process documents was improved, including adding documentation requirements and steps requiring documentation approval.

Deliverables Completed

As part of completing this project, the following deliverables were completed:

• Standard Operating Procedures Workbook
• Standard Operating Procedures Project Roadmap Tool
• Document Management Checklist
• Publishing and Document Management Solution Evaluation Tool

Project step summary

Client Project: Create and maintain visual SOP documentation.

1. Prioritize undocumented SOPs.
2. Develop visual SOP documentation.
3. Optimize and document critical processes.
4. Establish guidelines for identifying and organizing SOPs.
5. Define a process for documenting and maintaining SOPs.
6. Plan time with experts to put a dent in your documentation backlog.
7. Understand the options for content management solutions.
8. Identify the right content management solution for your organization.

Info-Tech Insight

This project has the ability to fit the following formats:

• Onsite workshop by Info-Tech Research Group consulting analysts.
• Do-it-yourself with your team.
• Remote delivery (Info-Tech Guided Implementation).

Bibliography

Anderson, Chris. “What is a Standard Operating Procedure (SOP)?” Bizmanualz, Inc. No date. Web. 25 Jan. 2016. https://www.bizmanualz.com/save-time-writing-procedures/what-are-policies-and-procedures-sop.html

Grusenmeyer, David. “Developing Effective Standard Operating Procedures.” Dairy Business Management. 1 Feb. 2003. Web. 25 Jan. 2016. https://ecommons.cornell.edu/handle/1813/36910

Mosaic. “The Value of Standard Operating Procedures.” 22 Oct. 2012. Web. 25 Jan. 2016. ttp://www.mosaicprojects.com.au/WhitePapers/WP1086_Standard_Operating_Procedures.pdf

Sinn, John W. “Lean, Six Sigma, Quality Transformation Toolkit (LSSQTT) Tool #17 Courseware Content – Standard Operating Procedures (SOP) For Lean and Six Sigma: Infrastructure for Understanding Process.” Summer 2006. Web. 25 Jan. 2016. https://www.bgsu.edu/content/dam/BGSU/college-of-technology/documents/LSSQTT/LSSQTT%20Toolkit/toolkit3/LSSQTT-Tool-17.pdf

United States Environmental Protection Agency. “Guidance for Preparing Standard Operating Procedures (SOPs).” April 2007. Web. 25 Jan. 2016. http://www.epa.gov/sites/production/files/2015-06/documents/g6-final.pdf

Foster Data-Driven Culture With Data Literacy

Data literacy is an essential part of a data-driven culture, bridging the data knowledge gaps across all levels of the organization.

Analyst Perspective

Data literacy is the missing link to becoming a data-driven organization.

“Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.

Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.

Annabel Lui

Principal Advisory Director, Data & Analytics Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.

Your Challenge

Data literacy is the missing link to drive business outcomes from data.

• Having a data-driven culture as an organization’s mission statement without implementing a data literacy program is like making an empty promise and leaving the value unrealized and unattainable.
• A study conducted by the Data Literacy Project clearly indicates that organizations with aggressive data literacy programs will outperform those who do not have such programs. By 2030, data literacy will be one of the most sought-after skill sets. All employees require data literacy skills.
• Everyone has a role in data. From employees who are actively involved in data collection to operational teams who create reports with analytics tools and finally to executives who use data to make business decisions – they all require continuous data literacy training in a data-driven organization. Because of differences in maturity, data literacy strategies cannot be one-size-fits-all.

“Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.

75% of organizational employees have access to data tools – only 21% demonstrated confidence in their data skills.

Source: Accenture, 2020.

89% of C-level executives expect team members to explain how data has informed their decisions, but only 11% employees are fully confident in their ability to read, analyze, work with, and communicate with data

Source: Qlik, 2022.

Data debt or data asset?

Manage your data as strategic assets.

“[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”

Signs of data debt when considering investing in data literacy:

• Lack of definition and understanding of data terms, therefore they don’t speak the same language. Without data literacy, an organization will not succeed in becoming a data-driven organization.
• Putting data literacy as a low priority. Organization sees this as “another” training to put on the list and keeps it on the back burner.
• Data literacy is not seen as the number one skill set needed in the organization. However, anyone who works with data requires data skills.
• End users are not trained on self-serve features and tools.
• Focusing on a minority group of people rather than everyone in the organization or seeing it as a one-off exercise.
• Delays or failure to deliver digital transformation projects due to lack of data skills and data access issues.

66%

of organizations say a backlog of data debt is impacting new data management initiatives.

40%

of organizations say individuals within the business do not trust data insights.

30%

of organizations are unable to become data-driven.

Source: Experian, 2020

Info-Tech’s Approach

Data literacy is critical to success with digital transformation and AI analytics.

The Info-Tech difference:

1. More than just technical training. Data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data.
2. More than a one-off exercise. To keep literacy skills alive, the program must be routine and sustainable, tailored to different needs across all levels of the organization.
3. More than one delivery format. Different delivery methods need to be considered to suit various learning styles.

Data needs to be processed

Data – facts – are organized, processed, and given meaning to become insights.

Image source: Welocalize, 2020.

Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.

Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.

When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.

Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).

Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.

Investment in data literacy is a game changer.

Data literacy is the ability to collect, manage, evaluate, and apply data in a critical manner.

A data-driven culture is “an operating environment that seeks to leverage data whenever and wherever possible to enhance business efficiency and effectiveness” (Forbes).

Info-Tech Insight

Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.

Info-Tech’s methodology for building a data literacy program

Insight Summary

“In a world of more data, the companies with more data-literate people are the ones that are going to win.”

– Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021

Overarching insight

By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.

Module 1 insight

We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.

Module 2 insight

Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.

Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.

Module 3 insight

A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.

Tactical insight

A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.

Tactical insight

Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.

Key performance indicators (KPIs) for your data literacy program

How do you know if your data literacy program is successful? Here are some useful KPIs:

Program Adoption Metrics

• Percentage of employees attending data literacy training
• Percentage of participants who report gains in data management knowledge after training sessions
• Maturity assessment result
• Survey and diagnostic feedback before and after training
• Trend analysis of overall data literacy program

Operational Metrics

• Number of requests for analytics/reporting services
• Number of reports created by users
• Speed and quality of business decisions
• User satisfaction with reports and analytics services
• Improved business performance (customer satisfaction)
• Improved valuation of organization data

A data-driven culture builds tools and skills, builds users’ trust in the quality of data across sources, and raises the skills and understanding among the frontlines by encouraging everyone to leverage data for critical thinking and innovation.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."

Diagnostics and consistent frameworks are used throughout all four options.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Define Data Literacy Objectives

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Understand the organization’s needs.
• Create vision and objective for data literacy program.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

1.1 Gauge your organization’s current data culture

Conduct data culture survey or diagnostic.

1. Identify members of the data user base, data consumers, and other key stakeholders for surveying.
2. Conduct an information session to introduce Info-Tech’s Data Culture Diagnostic survey. Explain the objective and importance of the survey and its role in helping to understand the organization’s current data culture and inform the improvement of that culture.
3. Roll out the Info-Tech Data Culture Diagnostic survey to the identified users and stakeholders.
4. Debrief and document the results and scorecard in the Data Strategy Stakeholder Interview Guide and Findings document.

Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.

1.2 Define data literacy objectives

1. Understand the organization’s needs by identifying opportunities and challenges relating to data. Document the described real-life examples.
2. Categorize the list and identify areas where data literacy can address the business problem.
3. Create a vision statement for the data literacy program, ensuring that it covers all levels of the organization.
4. Articulate the intended targets and goals in planning for a data literacy program.

Quick wins for improving data literacy

Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:

87%

think more can be done to define and document commonly used terms with methods such as a business data glossary.

68%

think they can have a better understanding of the meaning of all data elements that are being captured or managed.

86%

feel that they can have more training in terms of tools as well as on what data is available at the organization.

Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652

Quick Wins

• Create a business data glossary to document and define common terms.
• Provide easy access to the business data glossary and procedures on how data is captured and managed.
• Launch an organization-wide data literacy program.

Delivering value is a means and the goal

Start with real business problems in a hands-on format to demonstrate the value of data.

Identify business problem:

• Business decisions without facts are just guesses.
• Management spends a lot of time finding and fixing data.
• Unknown challenges on data assets and risk.
• Incomplete view of customer/client and industry.
• Not ready for modern data opportunities (e.g. artificial intelligence).

Create an objective

Treat data as a strategic asset to gain insight into our customers for all levels of organization.

The solution: Data-driven culture powered by people who speak data.

• Data dictionary
• Data literacy
• Trusted single source
• Access to analytics tools
• Decision making

"According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."

– Alation, 2020

Fundamental data literacy

Data literacy is more than just a technical training or a one-off exercise.

Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.

Info-Tech Research Group’s Data Literacy Program

Use discovery and diagnostics to understand users’ comfort level and maturity with data.

Data lunch 'n' learn

• The power and value of data
• Everyone is a data steward
• Becoming data literate
• Data 101
• The future is data

1 hour

Speak data

• What is data
• Meet the data team
• Day in the life of a steward
• How data impacts you
• Tools of the trade

1/2 day

Your data story

• Ask the right questions
• Find the top five data elements
• Understand your data
• Present your data story
• Lessons from COVID-19

1/2 day

Phase 2

Assess Learning Style and Align to Program Design

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Identify your audience.
• Assess learning styles and align them to the data program design.
• Determine the right delivery method.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians

Avoid common pitfalls

75%

feel that training was too long to remember or to apply in their day-to-day work.

21%

find training had insufficient follow-up to help them apply on the job.

Source: Grovo, 2018.

1. Information Overload

   Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.

2. Limited Implementation

   Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.

3. Lack of Organizational Alignment

   Implementing training without a clear link to organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving effectiveness.

2.1 Understand learning style

1. Create persona and identify the audiences and their roles in data across all levels of the organization.
2. Identify the data program initiatives and assign the best delivery method to each initiative.
3. Assign participants to each program initiative based on their skill gap and learning style.

You and data

Is data an integral part of your work?

Do you feel comfortable finding and using data in your organization?

• Many people feel intimidated by data and therefore miss out on what data can do for them.
• Often the obstacle is language. If you don’t understand the semantics around data, you will not feel confident to contribute to discussions around data.
• You use data every day but need additional vocabulary to understand how to handle it properly.
• Data literacy is the ability to “speak data” and to understand what data means (i.e. how to read charts and graphs, draw valid conclusions, and recognize when data is misinterpreted or used inappropriately to be misleading).
• The business often doesn’t understand its role in data governance and how it informs and assists IT in responsible data management.

Info-Tech Insight

IT and data professionals need to understand the business as much as business needs to talk about data. Bidirectional learning and feedback improves the synergy between business and IT.

Create personas

Persona creation is a way to brainstorm ideas for the data literacy program.

Choose a data role (e.g. data steward, data owner, data scientist).

Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.

Identify data skill and level of skills required.

Consider these other ways to brainstorm:

• Review current in-flight projects.
• Analyze types of data requests.
• Understand needs by department.
• Share learnings in a community of practice.

Program design

Categorize into six data skill areas

Not everyone needs the same level of skill sets

Map the personas to the program

Bridging the data knowledge gap.

• Each component will promote the value of data to all levels of employees when demonstrating the right way for data to be understood, managed, and consumed in the organization.
• Categorizing the data literacy program into six areas and levels of skill sets will provide clarity into which areas to focus on.
• The program is intended to be implemented in stages, allowing the audience to learn and adopt the new skills. Leveraging in-flight projects for rolling out training will have a higher success because the need is already built into the project.

Align program design to learning styles

Info-Tech Insight

Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.

When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.

Discussion method

Delivery Method

• Interactive format between instructor and learner
• Instructor empowers and motivates learner through dialogues and exercises

The imaginative learner

The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.

For this group of learners, their question is: why should I learn this?

Learning characteristics

• Seek meaning
• Need to be personally involved
• Learn by listening and sharing ideas
• Function through social interaction

Information method

Delivery Method

• Instructor does most of the talking in the training
• Instructor is teaching the content, delivering the training content, and demonstrating

Analytical learner

The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.

For this group of learners, their question is: what should I learn?

Learning characteristics

• Seek and examine the facts
• Need to know what experts think
• Interested in ideas and concepts
• Critique information and collect data
• Function by adapting to experts

Coaching method

Delivery Method

• Learning has on-the-job training or learning through role-play exercises
• Instructor is coaching and facilitating learner

Common sense learner

The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.

For this group of learners, their question is: how should I learn?

Learning characteristics

• Seek usability
• Need to know how things work
• Learn by testing theories using practical methods
• Use factual data to build concepts
• Enjoy hands-on experience

Self-discovery method

Delivery Method

• Interactive format between instructor and learner
• Instructor provides evaluation and remedial instruction

Common sense learner

The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.

For this group of learners, their question is: what if I learn this?

Learning characteristics

• Seek hidden possibilities
• Need to know what can be done with things
• Learn by trial and error
• Enjoy variety and excel in being flexible

Delivery method considerations

There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.

Phase 3

Map Out Data Literacy Roadmap and Milestones

Foster Data-Driven Culture With Data Literacy

This phase will walk you through the following activities:

• Complete a roadmap exercise.
• Set key performance metrics and milestones.

This phase involves the following participants:

• Data governance sponsor
• Data owners
• Data stewards
• Data custodians