Improving IT Service Management – Changing the Tire While the Car Is Moving

by WGroup

As IT professionals, our job is to align technology with business objectives, helping the business drive increased revenue and performance. That can be challenging, as for many shops, the operational burden of IT has not gone away.

Finding the balance between maintaining a quality lights-on operation, managing costs, and driving operational improvements to a higher IT maturity level is a significant challenge. The day-to-day complexity of managing an IT organization requires full attention and the lion’s share of available resources.

There’s limited bandwidth to focus on process improvements. IT has to keep pace and provide value at a time when disruptive technologies are changing the way services need to be delivered. The business expects IT to provide technology services in support of the business strategy and to demonstrate technical leadership that could influence market differentiation. These expectations require IT to provide consistent quality of service and develop capabilities that lead to technical innovation. To support this, IT must have a level of IT service management maturity to be able to manage demand and the quality delivery of that demand.

So how do you know where you are and where you need to go? First things first: conduct an IT service management (ITSM) assessment to baseline your current level of maturity, identify gaps, and develop an improvement plan. With an assessment, the end-to-end process framework and organizational capabilities are baselined to provide a platform to build upon. Developing a service-improvement plan emphasizing process improvements, capabilities, and agility will improve IT’s ability to adapt to change and sustain the quality delivery of services.

Specifically, being able to outline the key service delivery constraints by identifying root cause is a way to link the symptoms to problems and fixes that improve service and benefit the IT team and customers alike.

The illustration below is an example of a high-level assessment that outlines common IT constraints and potential impacts to the ITIL processes.

Common IT Service Delivery Constraints

Constraints (columns): Service Instability | Delivery Lead Times | Quality of Service | Ability to Scale | Cost of Service | Lack of Innovation | Overall IT Ineffectiveness

Addressable ITIL Process (rows):

Services Strategy
  • Strategy Management
  • Business Relationship Management
  • Demand Management
  • Service Portfolio Management
  • Financial Management of IT Services

Service Design
  • Design Coordination
  • Service Catalog Management
  • Service Level Management
  • Availability Management
  • Capacity Management
  • IT Service Continuity Management
  • IT Security Management System
  • Supplier Management

Service Transition
  • Transition Planning & Support
  • Change Management
  • Service Asset & Configuration Management
  • Release & Deployment Management
  • Service Validation & Testing
  • Change Evaluation
  • Knowledge Management

Service Operations
  • Event Management
  • Incident Management
  • Request Fulfillment
  • Problem Management
  • Identity Management

Continuous Process Improvement

This high-level assessment provides a starting point for potential areas of process improvements. Another level of detailed analysis would be required to assess each underlying process and the details needing to be addressed (resource, process, technology). Each process in itself is an integral part of the overall ITSM delivery model.

Periodic assessments and service-improvement plans should be routine. IT is expected to constantly improve service delivery while providing value, and not necessarily by way of long-term projects. In essence, you have to change the tire while the car is moving. An assessment will provide insight into a path forward, but time is of the essence. Using a time-to-value approach will provide guidance in setting priorities on the list of improvement activities. Implementing improvements that yield some immediate benefit (time-value) demonstrates progress while the longer-term improvement plan is implemented.

These improvements to service and capabilities are visible and will boost IT’s value to the company. Easier said than done? Sure, but worth it.

This blog was contributed by WGroup’s Principal Consultants, Tony Ioele and Rick Letourneau.



CIOReview Special IoT Edition

by Bill Genovese

This article is featured in CIOReview Magazine: Special Edition on IoT published on November 4, 2015. Click here to download the full online version and see page 68 for the below article contributed by WGroup Principal, Bill Genovese.

Organizations That Have A Mature Enterprise Architecture Function Are Better Positioned To Take Advantage Of Emerging And Converging Technologies

When you build a house, do you build it haphazardly without requirements or specifications? Of course not. You want to ensure that the house has a solid foundation, running water, electricity, access to public services, physical security services and zones in the house – all while adhering to specific zoning regulations in your town and state.

You may select a plot of land and have an idea in your mind of what the house will look like. You’ll draw up some diagrams, or even hire an architect to provide a set of well-designed and detailed blueprints that will identify, down to the level of detail, both your “private” services and the “public” services you need to access from the town, state and even government.

The same holds true for corporations that are now venturing more into emerging technologies, such as Cloud Computing, IoT and Big Data, which are converging in many areas of the enterprise. The use of a well-defined strategy with specified services (i.e., private, public leveraged and “hybrid”), and a mature Enterprise Architecture driven framework that provides building blocks that can act as investment enablers for decisions, is critical for cost avoidance, so that maximum accelerated ROI is achieved. In addition, a mature Enterprise Architecture provides the guardrails to mitigate risk as technologies converge to meet the goals of the organization, so that common “services” provide a stable foundation for the “house” while these can also be leveraged to make the lives of the inhabitants better, to get more value out of their planning and building investments for the house.

Enterprise Architecture (EA) establishes the roadmap to achieve an aligned business-technology mission, based on the organization’s tactical and strategic drivers through optimal performance of its core business processes within an efficient information technology (IT) environment. Simply stated, enterprise architectures are blueprints that systematically and completely define an organization’s current (baseline) or desired (target) environment. Enterprise architectures are essential for evolving information systems and developing new systems that optimize their mission value. If maintained and implemented effectively, these institutional blueprints assist in optimizing the interdependencies and interrelationships among an organization’s business operations and the underlying IT that support operations. In the path to maturity, these interdependencies and interrelationships can be developed into services provided by IT that both support and protect a business.

The Enterprise Technology Framework, developed by a mature Enterprise Architecture organization, is aligned with the business applications and the lifeblood of the organization, data, if the business objectives and benefits are to be realized while at the same time mitigating and helping to eliminate risk.

An Enterprise Technology Framework defines the technology services and functions (IT capabilities) required to support the business applications and data, including Common (or shared) Application Services, Common Data Services, Common System Services, Network Services, Security Services, Platform Services, as well as the management tools used to support the delivery of IT service. It also helps to define the specifics for a line of business that may be required as well, or in the case of a “Software Defined” and enabled hybrid cloud model, what system or application must stay in the datacenter at the corporation (for example, a “system of record”) vs. what may be hosted in a SaaS or Public Model and also potentially accessed via a “system of engagement” via a mobile device, where data and analysis output can be received. This reference framework can help to define what are private or bounded service definitions, policies, and patterns as well, and help to define the policies in relation to the enterprise for a hybrid cloud delivery model, and how best to access (and secure) structured and unstructured data outside the organization, which is now being captured and delivered via technology sensors and devices across entities, geographies, and even people (i.e., via wearable devices): IoT, or the Internet of Things.

Our society is rapidly developing and transforming with the explosion of data and how best to harness it for its full advantage for us as consumers of the data. Enterprise Architecture provides a roadmap for an organization on where to best leverage existing assets for development of services to take advantage of “Big Data” and the IoT, for consumption in the digital emerging society. As such, a well-established Enterprise Technology Framework aligns with an Enterprise Security Architecture Framework to define the guardrails and protection based on regulatory and corporate policy to also help define and further develop the services.

The Enterprise Technology Framework can be used to provide a repository of agreed technology principles, standards, products and components that can be selected at system design time and implemented, and to provide pre-defined combinations of implementable components, standards and interfaces. Other benefits are:

• Provides a repository of information about the technology (IT enablers and capabilities) required to support both the various parts of the business, and the achievement of the overall business goals and objectives, which guides IT investment decisions.

• Provides a repository of agreed technology principles, standards, products and components that can be selected at system design time and implemented.

• Reduces the amount of time spent by individual development projects in the evaluation and selection of products and components.

• Provides pre-defined combinations of implementable components, standards and interfaces.

• Ensures individual systems can be integrated effectively, including the sharing of common services, functions, ‘middleware’ and data.

• Provides a known technology base for service delivery planning (capacity, performance, and availability) and measurement, to meet future business requirements.

• Provides the basis for the specification of the required (to be) IT systems.

• Helps identify, define, and further develop critical and secondary services starting at the end-user access layer.

In conclusion, mature EA helps identify what is required before embarking on large scale journeys into the technical unknown. In the absence of a defined framework of IT enablers, capabilities and requirements, many assumptions and design decisions may be made in a vacuum (especially at the project level). This can greatly increase the risk that the overall business objectives, requirements and expectations may not be met, putting the enterprise at risk, or the enterprise as a whole may miss out on greater opportunities that are only achieved at a project level. The organizations that have a well-defined and mature EA leveraging a defined framework are best positioned to embark on the journey to cloud, which will also enable accelerated and secure access to “Big Data” delivered via the Internet of Things.

CIOReview Magazine: Special Edition on IoT (November 4, 2015)


The Inside Job – Preventing Cyber Security Threats from Inside the Enterprise

by Jeff Vail

“Is our data secure? Where are we vulnerable? What are you doing to keep us OUT of the headlines?”

Every CIO is being asked these questions by their Board of Directors on a consistent basis, even more so in the last twenty-four months. More often than not, the intent behind this question is simply, “Are we protected from hackers?” While a comforting answer might be to describe how high and wide the perimeter wall is around your enterprise castle, such a wall does not protect you from the dangers that lie within. Shockingly, internal dangers account for greater risk than outside hackers breaching the network.

Many of the headline-making breaches in recent history are the result of an “inside job.” Take Ashley Madison, for instance. Andrew McAfee recently reported evidence that their infamous breach was the direct result of a “lone female” inside the parent company[1], Avid Life Media. And they are not alone. Within the last year, both DuPont[2] and P&G[3] have filed suits against former employees for theft of trade secrets. Collectively, these trade secrets are essential to sustain more than $25 Billion in annual sales within the related segments for the respective companies.

In a report released by the Identity Theft Resource Center (ITRC) on breach statistics[4] in 2014, the research notes that of the 760 reported breaches in the year, 37% were the result of insider threats (defined as “Insider Theft,” “Employee Negligence,” and “Subcontractors”). A smaller share, 30% of breaches, was the result of outside hacking.

Insider threats can be broken down into 3 main areas:

  • Malice.
    Like the cases of P&G and DuPont, this is when an insider knowingly misappropriates sensitive corporate information.
  • Negligence.
    This is when a breach is the result of a mistake by an employee. For example, an employee accidentally sends sensitive information to an unauthorized party, an assistant maintains a scratch pad of executive passwords, or an employee clicks on nefarious links on the internet.
  • Ruse.
    Better known as social engineering or phishing, this is when employees are victims of intentional deception. Social engineering is a hacking technique that preys upon users’ sensibilities in order to gain credentials that give the attacker access to a network. For example, an employee receives an e-mail from what looks like corporate IT asking to verify network credentials.

Preventing threats from within requires initiative across the spectrum of people, process and technology. Many firms rely heavily on policy as a primary measure of defense for insider threats. Policies are necessary, but they do not constitute adequate threat protection. Baseline measures to protect the enterprise include robust and persistent employee awareness programs, documented policies, virus and malware detection, and spam filters. However, these actions are merely proper hygiene. It is unfortunate to note that 34% of enterprises report that they have experienced an insider breach[5] despite having good hygiene in place.

Insider threats are difficult to detect because doing so requires the ability to differentiate user behaviors. This challenge of detecting good and evil in this realm is quickly becoming the bastion of artificial intelligence (AI). AI is emerging as the technology with sufficient dynamics to counteract this equally dynamic threat.

Several new entrants with AI footing have entered the security space in the categories of data loss prevention and end-point protection. These firms are using patterns, analytics, and AI to identify and react to potential insider threats. A few interesting firms emerging in this space include:

  • Cylance (www.cylance.com)
    Cylance applies artificial intelligence, algorithmic science, and machine learning to cybersecurity. Using a predictive analysis process, Cylance identifies what is safe and what is a threat, not just what is in a blacklist or whitelist.
  • harvest.ai (www.harvest.ai)
    harvest.ai searches for changes in user behavior, key business systems, and applications caused by cyber-attacks. harvest.ai has applied AI-based algorithms to learn the business value of critical documents across an organization and can detect and stop data breaches from targeted attacks and insider threats before data is stolen.
  • Bitglass (www.bitglass.com)
    Bitglass Breach Discovery analyzes outbound flows through firewalls to identify high-risk activities indicating breach or exfiltration, allowing you to remediate issues quickly before any real damage occurs.
  • Exabeam (www.exabeam.com)
    Exabeam is a user behavior analytics solution that leverages existing log data to quickly detect advanced attacks and accelerate incident response. Exabeam automates the work of security analysts by resolving individual security events and behavior anomalies into a complete attack chain.

Insider threats can be detrimental to the success of your enterprise. Take action now. Protect your perimeter from the outside-in AND the inside-out. Below are three steps that should be essential to your cyber security protection roadmap.

  • Exercise proper hygiene. Deploy up-to-date end-point management, user access management, OS patches, virus and malware detection, spam filtering, and critical data governance.
  • Create security esprit de corps. This is a marketing challenge. Every employee should know the do’s and don’ts, and feel a sense of pride in protecting company information.
  • Deploy behavior-based detection. Technologies utilizing AI and pattern matching to detect changes in user behaviors will help uncover and prevent threats from within.

The ‘inside job’ can come in many forms. What’s important is that your enterprise security program encompass good hygiene, good marketing, and new technologies to keep your critical data locked safe inside your high and wide perimeter. Keep the hackers OUT and contain the threats from within.

[4] Identity Theft Resource Center (ITRC), 2014. The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed.


The EZ Way to Make Sure BYOD Is A-OK

by WGroup

Are you allowing employee-owned devices on your network? BYOD (Bring Your Own Device) programs are a rising trend as smartphones, tablets and laptops become ever-more powerful. Your employees enjoy the convenience of using their own devices to access their work. For some employees, it makes sense to give them a stipend to use their own device rather than providing them with a device just for work.

Of course you have to be concerned about the security of your BYOD program. You really don’t have any way of knowing how secure your employees’ devices are. Could they be putting your company’s proprietary information at risk?

One way you can make sure your company’s BYOD program is secure is to put someone in charge of monitoring the program. This person enforces the security rules, which should be distributed to all employees as part of an updated IT policy.

Your security officer or team will monitor the use of your employees’ devices. Common security protocols include issuing each employee a separate password to access the company’s servers, installing GPS on the devices that the company can monitor in case a device is stolen, and an automatic shutoff protocol that will deactivate a device if it’s lost or stolen.

Anti-virus and firewall software are mandatory for devices that are used to access company information. Your company can decide which security tools are suitable and purchase them for employees. Giving the security manager or team passwords to employees’ devices also should be mandatory, so the devices can be controlled remotely, if necessary.


Decide what types of devices the company will be able to support with its BYOD program, and don’t allow unauthorized devices to access company servers. If you have employees who use non-supported devices, you’ll have to buy them supported devices at a discount. If employees choose to use these work devices as their personal devices as well, come up with a cost-sharing program for them. Otherwise, their personal and work devices must be used separately.

BYOD is already a de facto standard in all types of businesses. The question for IT leaders is no longer “if”, nor even “when?” If you’re not already asking “how?” you’re behind the curve and your organization may begin to suffer.


Aligning IT With the Business

by Terry Coull

What does it mean to align IT with the business?

For most organizations, IT management issues are a strategic and organizational challenge. In addition, CIOs continue to strive for performance gains such as IT becoming more efficient, nimble, and innovative. More agility, better cost control, and better alignment with business objectives further support every organization’s objective to achieve strategic benefits. Aligning IT with the business has become a critical priority for IT leaders.

According to the Society for Information Management (SIM) and its 2016 IT Trends Survey, aligning IT with the business has become a top-ten issue.  Almost half of the respondents identified alignment as a top five IT management concern for 2016.

So we ask ourselves, what does “alignment” mean for the IT professional?

  • Is it the traditional definition, of the fit between the objectives of the business and IT, and how well IT knows and supports the objectives, and its ability to satisfy the business requirements?

or

  • Is it less about the alignment but rather more about how cohesively IT and the business team or partner together to accomplish enterprise objectives?

Our point of view on aligning IT with the business

At WGroup, we see alignment as a collective effort on the part of both business and IT. Alignment confusion arises when the IT organization has difficulty responding to business and technological changes. Furthermore, we do not see it as technology’s responsibility to become aligned and stay aligned; rather, business and IT should partner to form cohesive teams and share responsibilities at the strategic level as well as at the tactical technology execution level.

What to do

In our experience, we have supported organizations with both organizational change and “running IT with the business”. In both instances, we promoted and encouraged clients to take a top-down strategic approach. This approach includes establishing and institutionalizing five basic portfolio management techniques:

  • Break down the silos. Be aware of organizational functions and staff titles, but take down the organizational barriers between IT and the business and instead encourage the establishment of cross-functional teams, with accountability for collective objective and project goal accomplishment
  • Convene a strategic group of stakeholders.  Establish a forum (or forums) with representatives that include internal (business, technology) or external partners to drive ownership, accountability and oversight of technological change
  • Establish the rules of the road. Be prepared to improve on enterprise collaboration, the collective ways and guiding principles in which teams come together to accomplish firm-wide and initiative objectives
  • Establish role-based teams. Drive execution activities for project consistency. This includes establishing portfolios of projects, resources and combined teams with clearly demarcated accountable roles and responsibilities
  • Focus on deliverable milestones. To ensure consistency of what to accomplish, and by when, clear milestones have to be created, measured and actioned

What to expect

Taking this approach typically yields the following benefits:

  • Significant increase in managing business expectations
  • Improved engagement and cooperation from all stakeholders
  • Faster time to market for technological change
  • Cost effective service delivery
  • Shorter decision timeframes

Learn more about aligning IT with the business and how to help drive more value from technology in our white paper, Rethink IT – Five Actionable Strategies to Drive Business Value from IT.


Smashing the Watermelon Effect – Measuring SLAs based on business value

by Steve Coper

A lot has been written about the watermelon effect in outsourcing, the phenomenon that occurs when SLAs look good (green) on the outside, but on the inside they’re actually problematic (red). How can CIOs and other IT executives avoid this problem? What are the strategies that help companies understand and evaluate SLAs so they can reach more agreeable terms with suppliers? In this blog post we’ll explore the root causes of the watermelon effect and discuss strategies to help avoid problems.

Understanding the root cause of watermelon effect

The watermelon effect generally occurs for one reason: poorly-defined metrics. Companies often have contract relationships with SLAs that are tracked monthly with certain goals and penalties if those goals are missed. In many cases, suppliers meet the defined SLA targets but still aren’t able to meet business objectives. Reports might look good, but senior management is still getting negative feedback from customers and users. This can be career-threatening for CIOs. Companies are continuing to rely on using industry standard metrics to evaluate contracts, but it just isn’t working.

Measuring based on business value

In order to solve the watermelon effect, companies need to change the paradigm for SLA metrics. Rather than only considering traditional specifications like responsiveness to incidents, component availability, and service restoration, consider each element in terms of how it affects the business. This will allow companies to measure based on factors that have a real effect on business goals, allowing them to come to more effective agreements.

• Don’t just use industry standard metrics – Industry standard metrics are important, but they aren’t enough. It is important to develop metrics to suit each individual company’s unique business needs. But be sure newly-defined service levels are realistic and measurable. Identifying more relevant key performance indicators to spot trends is critical to successful supplier agreements and to the company.

• Stay proactive – All companies should regularly evaluate their SLAs to ensure they help identify trends and problem areas and accurately reflect business realities. When it’s time for new contract negotiations, this information can then be used to develop stronger SLAs.

• Implement governance structure – A strong governance structure for managing SLAs is important. By building dedicated frameworks for analyzing SLA performance, creating new metrics, and negotiating contracts, companies can help ensure that performance remains strong. This can normally be accomplished using existing contract management or service management staff.

• Examine contracts holistically – By including IT, business leaders, and other departments during contract development and negotiations, company collaboration can help ensure that agreements meet the needs of the whole company.

• Be more aggressive – Many companies are simply too passive when it comes to drafting contracts. All organizations should strive to fully understand what is being agreed upon and to ask for the provisions they need to meet business objectives. Clearly define each metric, the measurement data sources, tools, calculation, frequency and business priority weighting.

Negotiations with suppliers are a primary part of the IT organization’s role in a company and should be treated as such. It’s time to develop better ways to work with the business and address problems with SLAs. Smash the watermelon effect by defining and measuring SLAs based on their ability to meet business objectives – that is a true value of IT!

Learn more about outsourcing and SLAs in the white paper, 5 Ways to Develop a Successful Outsourcing Contract.
