Conclusion: Cyber incidents and the protection of information have now taken on enterprise and national significance.
Organisations will need to learn to operate securely in a zero trust world. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to a strategic enterprise risk. The risk of a compromise for most organisations is increasing with the acceleration of digital transformation, adoption of technologies such as Cloud services, analytics and IoT. The threat landscape is further compounded by increased regulatory and compliance requirements.
A cyber compromise is almost inevitable and organisations are now focusing on improving the resilience of their organisation to a cyber incident. Many organisations now have cyber resilience programs in place which not only protect and defend their key information assets but are also well placed to respond should a cyber incident occur. Our cyber strategy, roadmap and implementation advisory are designed to assist on your cyber resilience journey.
Conclusion: As-a-Service solutions offer organisations agility, flexibility and scalability but the graveyard of unused software piling up should ring alarm bells. Neglected software utilisation and compliance will be factors that should drive a new Software Asset Management (SAM) investment. The impact of an unmanaged Cloud SaaS or IaaS solution will be quickly revealed during audits. At a time when management is a focus, this should be an easy win.
Organisations will need to quickly identify if they are running single or multi-tenanted instances and whether production and non-production environments are being managed efficiently for the purposes of SAM product selection.
Selecting a SAM tool should be proportionate to the cost of non-compliance. Unmitigated software licence costs can be eye-watering. Consider these factors when selecting your SAM product for Information Technology Asset Management (ITAM):
Conclusion: Governance committees face a number of challenges that can undermine their effectiveness. These challenges include groupthink, a focus on individual responsibilities rather than organisation-wide benefits, trust issues and a lack of knowledge of emerging issues and opportunities. Appropriately qualified and experienced independent external advisors can play an important role in overcoming these challenges.
Conclusion: People are and will be using passwords for the foreseeable future despite the numerous efforts underway to dispense with them. Managing them and particularly resetting them are ongoing costs for organisations.
Passwords are also a significant contributor to breaches. They are either captured during credential-grabbing efforts, leaked in a data breach or just too easy to guess.
Yet there are excellent guidelines in existence to assist people to minimise the possibility of passwords being cracked or guessed. Some involve implementing good policies, and most involve making it easier for users to create, remember and use passwords.
Conclusion: In the modern world, no organisation has ICT entirely in-sourced. As a result, procurement, contract and vendor management have become strategic processes that allow organisations to align their ICT capability with the business strategy to achieve the desired outcomes, both now and into the future.
It is often the case that effective planning for the procurement of technology capability is compressed or constrained such that procurement is not able to effect ‘big step’ change. Or the commercial approach means the agreement is based on a fixed term, which results in the procurement not being a strategic exercise. More often than not, the procurement delivers constraints that limit the business’s ability to achieve the desired outcomes. These constraints limit the business’s ability to be agile in terms of elasticity, or how well it can respond to disruption in the market.
The technology options to meet business demand are not the same today as they were yesterday, and they will undoubtedly differ tomorrow. The challenge is to ensure ICT procurement is responsive to the business strategy, and that vendors share in the advantage a strategic alliance brings to the business. Procurement needs to be effectively planned and clearly aligned to the business strategy to ensure the strategy is delivered effectively.
This paper is the first in a four-part series on how to ensure procurement meets the business need. It explains strategic versus tactical procurement and defines the steps necessary to avoid the pitfalls that cause procurements to under-deliver.
Conclusion: Many organisations are engaged in implementing digital transformation programs to provide enhanced customer services, e.g. with new products, or to reduce operating costs, or both. Unfortunately, many programs fail, sometimes repeatedly, until they achieve their set objectives. What is important, though, is that when failure occurs, the lessons learned are used to try again.
Delivering a transformed organisation is hard as it is inevitably accompanied by:
Conclusion: Growing use of SaaS-based, low-code application development platforms will accelerate digital process innovation. However, embracing citizen developers (non-IT people who create simple but significant forms-based applications and workflows) creates issues around governance: including security, process standardisation, data quality, financial controls, integration and potentially single points of failure. There is also a need for new app integrations and service features for its stakeholders that need to be addressed before the potential for citizen developers can be fully realised.
If governed properly, low-code platforms and citizen developers can accelerate digital transformation (or at least, digitisation of processes) and in turn alleviate the load on traditional in-house development teams.
Conclusion: This month, there has been an increased focus on the impact of external environments and customer demands on managed services providers and their offerings. An increased demand for hybrid working solutions, remote operations and connectivity solutions has driven a greater demand for associated services such as security, Cloud and platforms. Customers have been searching for targeted and combined solutions to help address business needs and increase operational efficiencies. For those vendors that put an emphasis on meaningful customer relationships and interactions, maintaining open and clear communications and the capacity to adapt to client needs is critical. A customer with a heavy reliance on legacy systems for key business processes may find this raises challenges or is simply no longer feasible in the current climate. Service providers must be ready to work with clients that need to adapt or completely overhaul in order to provide the necessary support in difficult times.
Conclusion: As a result of the COVID-19 outbreak in Australia, many businesses’ income has been reduced, approximately 800,000 people have been made redundant and the IT budget has been significantly cut. IT organisations are left with no alternative but to improve their internal efficiency to continue meeting their committed service levels while facing a constant drop in headcount. To survive under these budget limitations during the next two years, IT must focus on efficiency quick wins that aim to reduce costs, automate highly manual activities and mitigate critical risk that may lead to service breakdowns, which in turn require significant human effort to rectify. The quick wins should be implemented within 18 months to realise the desired effect. An efficiency improvement task force should be established to make it all happen.
Conclusion: The coming global recession will see ICT budgets cut, or at least constrained, in the 2021 financial year through to 2023. CIOs are now inundated with advice that boils down to this singular direction for efficiency and mostly, for survival. Although sound, this advice does not take into consideration that many CIOs have long been practising cost-efficiency. Many IT shops are already cut to the bone.
IT projects will be on the chopping block. Hence, it is crucial to prioritise now – before the cuts are mandated – which IT projects can be shelved for a few years without unacceptable risks to the organisation. It is important to note here that postponing or cancelling projects is being framed as a business risk decision. The CIO’s role is to put forward the risks of delaying or killing off a project, not to be the sole arbitrator.
Conclusion: In August 2020, IBRS ran a roundtable on the issue of Microsoft Support service, and specifically options for obtaining services in the most effective manner.
The replacement of Microsoft's traditional Premier Support programs for its Unified Support program is well underway. For many organisations, the new program is a strong fit, offering a wide range of services and unlimited reactive support inquiries for a fee that is directly proportional to their Microsoft software and platform investment.
However, for others, the program is not an ideal or cost-effective fit. During the roundtable, 16 peers shared their stories of how they have approached Microsoft support in the new era and a set of practical recommendations was developed.
Conclusion: Estimating the workdays for an agile- or waterfall-based IT project is not a simple task. However, with effort and a disciplined people-focused approach, it can be turned from an art into, as close as possible, a science.
When the effort is made, management will become more comfortable with the resources needed to complete projects and avoid the unpleasant task of asking for more resources than expected due to flawed estimating.
Conclusion: The massive shift to working from home since the start of the COVID-19 pandemic has led to upsides for employees: more flexibility, no commute and greater productivity. Many executives have been publicly extolling the virtues of remote working. However, a number of management, cultural and work design issues are now starting to emerge. Organisations need to review their current workplace design and practices and prepare for a hybrid home-office workplace post-pandemic.
Conclusion: The COVID-19 pandemic has resulted in prolonged lockdowns and quarantines, limiting economic activity and resulting in closure of businesses and many people losing their jobs. Various institutions around the world are unanimous in predicting that a recession is on its way, if not already here. Unless a vaccine is developed in the immediate future, the uncertainty will continue to rise in the days and months to come. However, businesses can turn this situation into an opportunity to examine their current operations.
A review of the events of the recent global recession – the global financial crisis of 2007–2008 – reveals that six recession-seeded trends, when acted upon promptly, provided business advantage. Although the trends for the anticipated COVID-19-led recession are still to be established, CIOs can benefit from re-examining the lessons of the past recessions and exploring a recession’s potential to deliver organisational efficiencies and savings. The outcome may be selective adoption of technology or deferral of projects, but the potency of these trends cannot be ignored.
Conclusion: To respond to the digital world challenges, many organisations are transforming their operations to multi-Cloud to reduce cost, improve service efficiency and contain business risks. As a result, the multi-Cloud availability has become a critical success factor. In some cases, multi-Cloud complex architecture weaknesses have resulted in service outages and allowed ransomware attacks to severely impact business operations. The new generation ITSM tools provide effective backup and recovery facilities that are worth investigation to mitigate multi-Cloud exposures to failure.
Conclusion: For the last two decades, the market for ruggedised computing has been led by emergency, policing and military needs. The advent of lower-cost wireless networking, 4G and now 5G has prompted a sharp rise in field workers using devices and mobile-ready solutions to streamline operations. Unfortunately, legacy thinking about the type of devices to be used has prevailed: either staff get consumer devices (iOS or Android) or military-spec ruggedised devices.
There is an opportunity to rethink this polarised view of devices. Rather than seeing devices as either consumer or rugged, it is better to view devices on a spectrum of needs, including ruggedness, based on the work contexts in which they will be used.
Conclusion: Identity and access management is a crucial component of an organisation’s security posture. At its most basic, it is how an organisation determines whether an individual can access resources or not. In today’s world, it is also becoming the basis of how applications first identify then communicate with each other.
Assurance of identity is the cornerstone of managing access to information. An organisation must be confident in that assurance. One method of bolstering the strength of that assurance could be the deployment of multi-factor authentication – at a minimum to privileged users, but ideally to all users of the services and applications whether those users are staff or not.
As organisations move from office-bound networks to distributed workforces combined with Cloud-based Software-as-a-Service (SaaS) applications, identity will evolve to be almost the sole element used to assess and grant access. Identity is certainly a central element of zero trust environments.
Conclusion: The need to see value from an enterprise architecture (EA) framework is essential, if for no other reason than to justify the cost. However, the business benefit of EA is not just the cost. It will also provide reduced risk and improved agility for the business in its use of ICT.
Many organisations struggle with how success or failure of EA should be measured. This paper provides the reader with guidance and advice on what to measure EA against and how that measurement could be presented as a key performance indicator (KPI).
In establishing KPIs for the EA framework your organisation has adopted, both business and ICT will jointly have a better understanding of the value EA brings to the enterprise, and be able to provide governance on the continuous improvement of your EA framework to achieve even better value.
IBRSiQ is a database of client inquiries and is designed to get you talking to our advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.
Conclusion: This month has seen a rise in mid-high level IT management appointments and departures. These types of shifts are especially prominent in times of change and uncertainty when companies search for staff to provide new skills and experience to support critical IT and business operations. With an impetus to expedite digital transformation and other projects, companies must focus on increased standards for selecting, deploying and managing infrastructure and highly skilled professionals to implement plans. Vendors must be prepared to support customers when leaders with different priorities or focused on streamlining and enhancing business operations are brought in.
Conclusion: The Digital Ready Workforce Maturity Model serves as a tool to help organisations measure the digital readiness of their workforce. It provides the baseline for organisations. This insight then informs strategic planning, policies and capability development priorities for organisations to guide and subsequently monitor maturity and capability.
Background: The federal government has finally unveiled its cyber security strategy. Australia’s Cyber Security Strategy 2020, released on 6th August, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia's cyber security over the next decade. IBRS provides its key takeaways from the strategy.
Most of the funding for the Strategy 2020 is from July’s announced $1.35 billion cyber enhanced situational awareness and response (CESAR) package. Much of the Strategy's detail will be contained in legislation to be put before parliament.
Conclusion: This month, the first anchor tenant signed up to the new Sydney Innovation and Technology Precinct. The NSW Government first announced plans for the Tech Central precinct, located in Sydney’s CBD, in 2018. The precinct is expected to provide 50,000 square metres of space for startup and scale-up businesses and promote industry expansion, innovation and collaboration. These types of initiatives are critical to stimulating the ICT service industry, and ensuring the ongoing development of offerings and delivery models that shift quickly and are sensitive to external influences, such as new technologies or the pandemic. The Tech Central precinct is expected to facilitate the evolution of the industry in Australia and allow for high quality and advanced products and services that customers demand, and vendors require to remain relevant in a highly competitive environment.
Conclusion: The traditional IT service management (ITSM) tools have allowed IT organisations to automate key IT processes (e.g. incident management), promote service management disciplines and meet service levels in the majority of cases. However, they were not designed for multi-Cloud management. The new generation ITSM tools address the essential multi-Cloud requirements by offering:
IT organisations should assess the cost-effectiveness and relevance of the new ITSM offerings to business operations improvement.
Conclusion: Due to the pandemic and economic decline, politically astute IT managers will need all their selling skills to get one-off IT infrastructure proposals approved. Not only is this due to a decline in earned revenue or grants, but also because procurement involves paying cash to vendors.
IT managers may need to ‘walk the talk’ to convince decision makers to support IT infrastructure investment proposals. In an environment where demand exceeds supply, and competition for scarce resources is high, the need to sell the proposal is probably an organisational political necessity.
Conclusion: Ransomware attacks are becoming increasingly common and Australian organisations have experienced several high-profile incidents in 2020. While the preferred option is to recover from backups, organisations may find that this is not feasible either because of the scale of the compromise or that backups themselves are compromised. While the decision to pay a ransom is complex and poses significant risks, it should be explored in parallel with the recovery from backup.
Conclusion: Working remotely has become the default option for most companies in the new normal setup. Although this has led to rising demand in technological tools and IT systems, it is unlikely the tech industry will be spared widespread job cuts – already such cuts are being seen in some industry sectors. With the world bracing for recession, companies are cutting down on costs and tightening budgets wherever they can.
Understandably, the current state of job insecurity is creating anxiety in employees who have retained their jobs. IT staff are justifiably feeling insecure and this is likely to affect some employees’ work performance. Such anxiety is a major issue that needs to be recognised and addressed quickly and effectively in order to enable the company to maximise its existing resources both during the economic downturn and as it starts to grow again.
Conclusion: IBRS has identified five areas of governance overlooked in the rush to deploy Teams. Organisations now need to ‘back-fill’ these areas to ensure the organisation meets its compliance obligations and reaps the full benefits of the digital collaboration environment.
Conclusion: Many organisations have integrated enterprise architecture (EA) into the business processes, whilst many have not. To some, it is a religious argument as to why the ICT group even needs to have people with ‘architect’ in their name; for others, the EA group is the watchdog of the system, ensuring both new capabilities and changes to existing capabilities will be fit for purpose.
Like most things in business, the cost versus benefit analysis to justify why any activity is a priority is essential before committing effort and resources to it. EA should be no different. Organisations should complete a business case assessment to justify why EA is necessary for their business model, and what form it should take.
In doing so, both business and ICT will jointly have a better understanding of the value EA brings to the enterprise, be able to manage expectations on what EA can deliver and judge its effectiveness.
Philip Nesci, IBRS adviser and former CIO, has warned that agencies will need to get their information management sorted out to capitalise on the new rules.
“Agencies need to identify their high-value data sets and where they are located.”
IBRS advisor Dr. Joseph Sweeney discusses why it falls to individuals to look at improving their work in a post-COVID world. Dr. Sweeney comments on the need to build a culture of innovation that empowers employees to understand where improvement is needed in their job.
Conclusion: This month there have been increased discussions regarding the security services sector, marketplace expansion and triggers for growth. New market conditions, operating frameworks and the rapid adoption and integration of new services and technologies have resulted in a demand for security offerings that cater to the new environment. However, it has also given rise to new threats posed by new offerings and technologies, such as ageing devices which can cause vulnerabilities with changed operations, configuration changes and under-skilled staff. Security service vendors need to target offerings to individual company needs and strategic objectives as well as specific industry needs.
Conclusion: The disaster recovery plan (DRP) should be seen as significantly more than a technical document for IT resources to be accessed only in times of crisis restoration. Use regular IT DRP updates and testing as a valuable marketing tool and keep the DRP ready for when disaster strikes.
A recently released survey revealed nearly one-quarter of all respondents cited lack of budget as a major challenge for BCP/DRP funding. This challenge will be even more daunting after the anticipated post-coronavirus budget cuts, so it is critical to remember that the DRP is not just required to be technically savvy; it also contains useful information for a non-technical audience when the DRP is attached in support of funding to keep it current.
Conclusion: Many organisations have implemented collaboration and in particular video-conferencing facilities to support critical business operations in response to managing the COVID-19 pandemic. While remote workers have embraced these platforms with enthusiasm, organisations have had little opportunity to govern the use of these platforms due to the need to roll them out quickly. As end-users push forward with sharing confidential data and video across many teams, issues of data access rights, data confidentiality and employee confusion will emerge. Unless organisations put in place appropriate governance on their collaboration platform, the full benefits of the platform will not be realised.
Conclusion: The COVID-19 pandemic has taken the whole world by storm, shutting down establishments and pushing businesses and public sector agencies towards high levels of uncertainty. It seems it will be a while before this storm lets up.
Regardless of how bleak the effects of the pandemic and ensuing lockdowns are to the economy and the business sector, it can be a platform where leaders and innovators come forth.
Most companies are struggling to determine the next steps and are barely surviving through their business continuity plans. This paper aims to help you pivot towards a different perspective.
Conclusion: Australian financial organisations have been bombarding their suppliers and partners with requests to complete security assessments. If servicing or dealing with financial organisations is part of the operational model for the organisation, this has probably already happened or is about to happen.
Those financial bodies are being driven by an Australian Prudential Regulation Authority (APRA) issued prudential standard CPS 234 (Cross-industry Prudential Standard). This document lays out how a financial body should manage its cyber security with particular emphasis on extending that management to parties that support or supply the financial body.
These assessments can be tedious and raise concerns about cyber security maturity within the organisation. On the other hand, they bring a clear high-level focus on areas that all organisations should either be covering or working towards covering. This makes CPS 234 a valuable reference for senior executives building a cyber security program.
Conclusion: A simple Google search can provide access to thousands of change management frameworks, methodologies and theories. Many relate specifically to digital transformation; however, methods such as the Knoster model cover organisational change more broadly across culture, vision, resources and action planning.
The frequency of unsuccessful organisational change or transformation is on the rise. While there are many organisational change theories, this paper demonstrates the connection between a particular theoretical framework (Knoster model) and how an organisation can translate these theories into successful organisational activities and practice.
This advisory paper will step through the six dimensions of change within the Knoster model for managing complex change and how you can use this to easily investigate and diagnose the overall health of your organisation’s change or transformation agenda, and to identify practical steps to stay on track.
Conclusion: When it comes to embracing collaboration, organisations should recognise that it is difficult to manage diverse personalities, perceptions and beliefs. In addition, every individual is going to have their preference on what makes a ‘good collaboration system’.
As a result, it is vital that project leads carefully consider the role staff play in a successful Microsoft Teams deployment and prepare staff for the changes ahead.
Conclusion: To prepare for the inevitable questioning by senior management of whether an expense line item can be reduced, management must review its breakdown and be prepared to justify it to senior management when asked. Responses must highlight the business risks that will ensue should a selected expense line item in the ICT opex (operating) and capex (capital) expense budgets be reduced. Failing to frame the response in business (risks) terms could delay the review and reflect poorly on ICT management.