CIO

Pros and Cons of the 4 Most Common Types of Small Business IT Support

Most businesses launch their operations on a shoestring budget and manage the business on readily available technology.
If your business starts in your home, as many do, you probably already have a basic computer, internet connection, and phone service. All you need to do is register a domain name for your website and email, set up a basic website through a web hosting provider and platform, and select an email hosting provider.
Eventually, you start to grow and bring on your first few employees. With employees comes more computers and the need to share information and applications. Great employees expect to have the tools and resources to do their jobs well, and you need to spend your time growing the business not dealing with day-to-day technology challenges.
You may have a friend or colleague help you with your IT needs, but you’re starting to think you need a bit more support than one person can provide. This is usually around the time when a business starts to think about obtaining some sort of professional IT support.
There are a few ways you can go at this point.
Option 1: Hire an Internal IT Person
Pros:

You have direct control over how employees spend their time.
Employee time is 100% dedicated to your business.
You can hand select employees with specific skills and experience with the exact technology tools you utilize.
An entry- to mid-level IT support person is qualified to troubleshoot basic devices and applications, replace equipment, troubleshoot simple network issues, and add to your software stack.
The hourly cost of an entry- to mid-level IT support person is less expensive than the hourly rate of most outsourced IT vendors.

Cons:

Entry- to mid-level technicians are typically not experienced in business leadership and growth. So, they often lack the strategic business skills to offer guidance around scaling and right-sizing your IT solutions to your overall business plan.
A good Chief Information Officer (CIO) with the unique combination of technical skills and business acumen necessary to drive your technology strategy earns well into the six-figure range, which is not a feasible or necessary position in most small businesses.
Employees take sick days, vacation, and are generally not available at all hours when you need technology working.
Selecting and managing a technical employee is difficult without technical expertise. This is often an unfair situation for employees early in their careers who need access to coaching and mentoring.
IT support has a broad range of specialties. Even a great jack-of-all-trades support person requires backup on advanced or complex issues and projects. Plus, IT employees require constant training and professional development to remain current in new technologies that could benefit your business.

An Internal IT Person is a Great Option for:

Medium-sized businesses with more than 200 employees may have enough work to justify an internal IT support person. However, this model is most effective when paired with one of the outsourced options to fill in skill/knowledge gaps and offer backup support during peak times.
Large businesses with more than 500 employees may require a fully staffed IT department, including their own CIO, helpdesk, and network administrators. However, businesses of this size should conduct a thorough cost-benefit analysis to determine which components of the IT department need to be internal and which are more cost-effective to outsource.
Businesses with unique line-of-business applications and/or equipment often benefit from an internal resource who specializes in that unique equipment or program. For example, even a small manufacturing facility may benefit from an internal resource with specific expertise in maintaining and troubleshooting the applications that run its manufacturing equipment. This is typically the FIRST type of IT person a business needs, because application specialists bring a very different skill set from the systems-generalist roles that are much more effective to outsource. A few more notes on internal application specialists:

In addition to specialized knowledge of the application, they act as an internal technology champion by helping employees embrace and fully utilize specific business applications in their specific jobs.
Applications specialists have the intimacy and tacit knowledge of both the organizational processes and business applications to hone in on necessary application customization and applicable functions.

Option 2: Hire an On-Demand IT Vendor or Freelancer When You Need Them
Pros:

There are no costs if you don’t call and request support.
You are not locked into a contract commitment.
On-demand providers often charge a lower hourly rate than other types of providers, especially in the case of individual freelancers who have significantly less overhead than a mature business.
You can freely switch between different vendors and/or freelancers based on the skills and experience you require at any given time.

Cons:

You have no ongoing network monitoring or maintenance, which means you can’t proactively address any issues before they impact the business.
You most likely don’t have a complete inventory and assessment of the IT tools you’re using, so no one can advise you on upcoming changes in your technology or opportunities to implement more efficient solutions.
The hourly rate might be less than a different service model, but the time it takes to fix issues may be more since the provider isn’t as familiar with the ins and outs of your unique network set-up.
There is no guarantee your issue will be fixed if it proves to be too challenging and/or complicated, leaving you with a labor bill and no resolution to your problem.
Often these types of one-person businesses and freelance professionals lack the necessary insurance to cover errors and omissions.
You have no Service Level Agreement (SLA), which establishes things like minimum response time, resolution time, and availability. Plus, even if the business or individual carries adequate professional liability insurance, it is difficult to hold the vendor accountable for any undesirable outcome without a contractual agreement establishing expectations.
You are at the mercy of when the vendor can get to your problem. Even if they have always addressed your issues quickly in the past, you run the risk of coming in second, third, fourth, and so on, depending on how many issues other customers called in ahead of you.

An On-Demand Vendor or Freelancer is a Great Option for:

Start-ups with limited cash flow and some level of internal IT skills.
Businesses that can tolerate the possibility of extended downtime waiting on a vendor with no SLA.
Businesses that do not depend on technology to conduct business and drive revenue.

Option 3: Pre-Purchase Blocks of Support Hours
Pros:

Pre-purchased hours typically come with an SLA, guaranteeing you minimum hold time, response time, resolution time, etc.
You typically have the option to add services like monitoring, compliance, backup and disaster recovery, etc.
Hours are typically flexible, meaning they may be used toward networking projects or day-to-day IT support.
Most contracts allow unused hours to roll over month-to-month before they expire after a pre-determined period of time.
By using the same support vendor repeatedly, the company gets to know your infrastructure better over time, which should allow them to troubleshoot faster.

Cons:

You are billed for hour overages. So, you or someone else who can authorize the use of hours is involved in determining which issues warrant a call to your IT support provider. This means:

You or another high-level employee is involved in day-to-day IT support.
End users can’t get up and running as quickly as if they had direct access to support.
You won’t address seemingly smaller, nuisance issues unless you have hours to use before they expire, reducing productivity as you continue to tolerate the issue.

Your costs are not fixed, so you risk facing large overage bills in the event an issue takes more time than your allotted hours to remedy.
While pro-active services like network monitoring can be added, any corrective actions taken to address monitoring alerts are deducted from your block of hours. So, you may not realize how much support time you’re using to keep problems from occurring.
The annual cost of the hourly block, necessary overages, and add-on services needed to maintain your network, compliance, etc. is most likely greater than that of a flat-rate model.

Blocks of Hours are a Great Option for:

Large and medium-sized businesses with a fully staffed IT department. A block of hours can provide backup support to the internal IT department during peak times, offer after-hours emergency support, provide local “boots on the ground” support to specific locations, etc.

Option 4: Partner with a Managed Service Provider (MSP)
Pros:

Controlled costs. You are billed a flat monthly fee, typically based on the number of devices or number of users. This offers predictability in IT expenses not offered by other models where costs go up and down based on the number of hours required and skill set of the professional.
MSPs commit to an SLA, guaranteeing you a minimum response and resolution time.
Minimizes downtime, as it is in the MSP’s best interest to resolve issues quickly and efficiently (i.e. you don’t pay them for the hours they spend to resolve an issue).
Your contract guarantees a resolution to issues.
Typically includes add-ons like network monitoring, compliance, and basic risk mitigation.
Since any employee can use the MSP like your own internal IT department, you and other high-level employees are removed from day-to-day tech support issues.
Higher-level issues are escalated quickly to tier 3 technicians and engineers, because it is costlier to the MSP to let lower-level technicians keep working on an issue for longer periods of time.
Network monitoring alerts are addressed immediately. Since you are not billed by the hour, the MSP doesn’t need to wait for you to authorize the use of time.

Cons:

Equipment costs may seem higher when compared to other available options. MSPs typically install equipment designed to be easily managed and even power cycled remotely. This offers added efficiency and cost savings elsewhere, but it is something to keep in mind if you are the type to price shop every individual component.
When an MSP does its job correctly, you may see them less and less over time as they continue to improve your network. This could lead you to feel like you’re paying for service you’re not receiving, but a good MSP is working behind the scenes to keep your network running at maximum efficiency.
If you have an immediate need for a networking or new equipment project, an MSP will typically not quote the work until it has completely onboarded your network and understands the technology in your business. This can be a frustrating response if you are trying to complete a project immediately, but it’s in your best interest to give them the time they need to confidently stand behind the new installation. It also gives you the opportunity to get to know the quality of the company and its support before you are locked into their equipment recommendations.

Managed Service Providers are a Great Option for:

Small businesses with 10-200 employees that cannot support their own internal IT department but rely on technology for day-to-day operations.
Medium-sized businesses with 200-500 employees that have an internal IT resource who specializes in unique equipment and/or specific line-of-business applications.
Large businesses with an internal IT department that has identified cost savings in outsourcing specific IT department components like network monitoring and administration, data backups and disaster recovery, or helpdesk support.
Businesses that cannot tolerate downtime and rely on their IT systems to generate revenue.
Businesses in industries that have specific compliance requirements like healthcare, finance, legal, and other professional services.
Businesses that rely on sensitive or proprietary information.

Want to learn more about choosing an outsourced IT vendor? Find out what to look for in an outsourced IT vendor or managed service provider.
This post was originally published at Innovative, Inc.

Five Questions for a Sprint Goal!

What is a Sprint Goal?
“The Sprint Goal is an objective that will be met within the Sprint through the implementation of the Product Backlog” (quote from the Scrum Guide).
The Sprint Goal is a phrase that can be used in many different ways:

The Development Team uses it at every Daily Scrum to inspect the work done and adapt the work left. The result of this inspection and adaptation is transparently visible in the Sprint Backlog.
The Product Owner uses it to communicate with the Stakeholders and as a decision-making tool, when negotiating Sprint content with the Development Team or when he/she has to decide whether to continue or cancel a Sprint.
The Scrum Master uses it to ensure that a Sprint Goal has been defined at the end of the Sprint Planning, in a way that is transparent and clear to everyone, and that it is frequently used for inspection and adaptation during the Sprint.

Have you clearly defined a Sprint Goal at the end of your Sprint Planning? Is this Sprint Goal understandable and transparent to everyone? Is it defined in a way that provides guidance and flexibility to the Development Team?
The aim of this article is to raise awareness on the importance of having a Sprint Goal defined and to provide some suggestions on how to create one.
Do you know how many times the term “Sprint Goal” is mentioned in the Scrum Guide? 27 times!
Why do we need a Sprint Goal?
A Scrum Team needs a Sprint Goal because it provides:

Purpose to the Scrum Team, because it answers the question: “Why are we building this increment?”
Guidance to the Development Team, because they can inspect it frequently, during a Sprint, so that undesirable variances can be detected sooner.
A reference for decision making to the Product Owner, because he/she can decide to cancel a Sprint if the Sprint Goal becomes obsolete.

When is the Sprint Goal defined?
The Sprint Goal is defined by the Scrum Team during the Sprint Planning. It remains valid for the whole duration of the Sprint; otherwise, the Sprint is canceled by the Product Owner.

How is a Sprint Goal defined?
A Sprint Goal is crafted by the collaboration of the Product Owner and the Development Team.
In the first part of the Sprint Planning (the “what” part), “the Product Owner discusses the objective that the Sprint should achieve and the Product Backlog items that, if completed in the Sprint, would achieve the Sprint Goal” (quote from the Scrum Guide).
With the stage set, the Development Team collaborates and negotiates with the Product Owner the work to be done in the Sprint. Together, they define and agree on a Sprint Goal.
Crafting a Sprint Goal won’t come naturally in the first Sprints; some help and direction can be found in Roman Pichler’s Sprint Goal template.
What are some examples of Sprint Goals?
Good Sprint Goal Examples:

Implement the Search functionality
Understand if we can integrate the Open Source solution XY into our Product
Experiment with the use of new technology for the rebranding of feature XY

Sprint Goals to reconsider:

Fix bugs #1234 and #3488
Implement the Search functionality and, if you have time, fix bug #3335 and bug #777, plus answer the question asked by the CIO at the last Sprint Review
Rewrite Java class ShopProcess

Reading suggestions

The Professional Product Owner by Don McGreal and Ralph Jocham
Agile Product Management With Scrum by Roman Pichler

CIO’s Guide To Stopping Privileged Access Abuse – Part 2

Why CIOs Are Prioritizing Privileged Credential Abuse Now
Enterprise security approaches based on Zero Trust continue to gain more mindshare as organizations examine their strategic priorities. CIOs and senior management teams are most focused on securing infrastructure, DevOps, cloud, containers, and Big Data projects to stop the leading cause of breaches, which is privileged access abuse.
Based on insights gained from advisory sessions with CIOs and senior management teams, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates. In another survey completed by Centrify, 74% of IT decision makers surveyed whose organizations have been breached in the past say it involved privileged access abuse. Furthermore, 65% of organizations are still sharing root or privileged access to systems and data at least somewhat often. Centrify’s survey, Privileged Access Management in the Modern Threatscape, is downloadable here.
The following are the key reasons why CIOs are prioritizing privileged access management now:

Identities are the new security perimeter for any business, making privileged access abuse the greatest challenge CIOs face in keeping their businesses secure and growing. Gartner also sees privileged credential abuse as the greatest threat to organizations today, and has made Privileged Account Management one of the Gartner Top 10 Security Projects for 2018, and again in 2019. Forrester’s and Gartner’s findings and predictions reflect the growing complexity of the threatscapes every CIO must protect their business against while still enabling new business growth. Banking, financial services, and insurance (BFSI) CIOs often remark in my conversations with them that the attack surfaces in their organizations are proliferating at a pace that quickly scales beyond any legacy “trust but verify” approach to managing access. They need to provide applications, IoT-enabled devices, machines, cloud services, and human access to a broader base of business units than ever before.
CIOs are grappling with the paradox of protecting the rapidly expanding variety of attack surfaces from breaches while still providing immediate access to the applications, systems, and services that support their business’ growth. CIOs I’ve met with also told me access to secured resources needs to happen in milliseconds, especially to support the development of new banking, financial services, and insurance applications in beta testing today, scheduled to be launched this summer. Their organizations’ development teams expect more intuitive, secure, and easily accessible applications than ever before, which is driving CIOs to prioritize privileged access management now.
Adapting and risk-scoring every access attempt in real time is key to customer experiences on new services and applications, starting with response times. CIOs need a security strategy that can flex or adapt to risk contexts in real time, assessing every access attempt across every threat surface and generating a risk score in milliseconds. The CIOs I’ve met with regularly see a “never trust, always verify, enforce least privilege” approach to security as the future of how they’ll protect every threat surface from privileged access abuse. Each of their development teams is on a tight deadline to get new services launched to drive revenue in Q3. Designing in Zero Trust with a strong focus on Zero Trust Privilege is saving valuable development time now and is enabling faster authentication times for the apps and services in testing today.

Strategies For Stopping Privileged Credential Abuse – Part 2
Recently I wrote a CIO’s Guide To Stopping Privileged Access Abuse – Part 1 detailing five recommended strategies for CIOs on how to stop privileged credential abuse. The first five strategies focus on the following: discovering and inventorying all privileged accounts; vaulting all cloud platforms’ Root Accounts; auditing privileged sessions and analyzing patterns to find privileged credential sharing not found during audits; enforcing least privilege access now within your existing infrastructure as much as possible; and adopting multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources.
The following are the second set of strategies CIOs need to prioritize to further protect their organizations from privileged access abuse:

After completing an inventory of privileged accounts, create a taxonomy of them by assigning users to each class or category, personalizing privileged credential access to the role and entitlement level of each. CIOs tell me this is a major time saver in scaling their Privileged Access Management (PAM) strategies. The goal is to assign every human, machine, and sensor-based identity to a class, with the overarching objective of creating a Zero Trust-based enterprise security strategy. Recommended initial classes or categories include: IT administrators who are also responsible for endpoint security; developers who require occasional access to production instances; service desk teams and service operations; the Project Management Office (PMO) and project IT; and external contractors and consultants.
For each category in the taxonomy, automate the time, duration, scope, resources, and entitlements of privileged access, focusing on the estimated time to complete each typical task. Defining a governance structure that provides real-time access to resources based on successful authentication is a must-have for protecting privileged access credentials. By starting with the attributes of time, duration, scope, and properties, organizations have a head start on creating a separation of duties (SoD) model. Separation of duties is essential for ensuring that privileged user accounts don’t have the opportunity to carry out and conceal any illegal or unauthorized activities.
Using the taxonomy of user accounts created and hardened with the separation of duties model, automate privileged access and approval workflows for enterprise systems. Instead of having administrators approve, or only semi-automate the evaluation of, every human- and machine-based request for access, consider automating the process with a request and approval workflow. With the time, duration, scope, and properties of privileged access already defined, human- and machine-based requests for access to IT systems and services are streamlined, saving hundreds of hours a year and providing a real-time log for audit and data analysis later.
Break-glass, emergency, or firecall account passwords need to be vaulted, with no exceptions. When there’s a crisis of any kind, the seconds it takes to get a password could mean the difference between cloud instances and entire systems being inaccessible or not. That’s why administrators often only manually secure root passwords for all systems, cloud platforms and containers included. This is the equivalent of leaving the front door of the data center open with all systems unlocked. The recent Centrify survey found that just 48% of organizations interviewed have a password vault. The other 52% are leaving the keys to the kingdom available for hackers to walk through the front door of data centers and exfiltrate data whenever they want.
Continuous delivery and deployment platforms, including Ansible, Chef, Puppet, and others, need to be configured when first installed to eliminate the potential for privileged access abuse. The CIOs whose teams are creating new apps and services are using Chef and Puppet to design and create workloads, with real-time integration needed with customer, pricing, and services databases and the systems they run on. Given how highly regulated insurance is, CIOs say they need logs that show activity down to the API level in case of an audit. Based on CIOs’ feedback, the more regulated and audited a company is, the more it sees trusted and untrusted domains as the past and Zero Trust as the future.
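The taxonomy, the per-class time/duration/scope limits, the request-and-approval workflow with separation of duties, and the vaulted break-glass path described in the strategies above can be sketched as one small access broker. The following Python model is an added example, not code from the article, from Centrify, or from any PAM product; the class names, the policy values, the sample identities, and the assumed SoD rule that only an IT administrator other than the requester may approve a request are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Added example: a minimal just-in-time privileged access broker following the
# taxonomy -> per-class limits -> approval workflow -> vaulted break-glass order
# described in the article. All values below are assumptions, not real policy.


class AccountClass(Enum):
    IT_ADMIN = "it_admin"          # also responsible for endpoint security
    DEVELOPER = "developer"        # occasional access to production instances
    SERVICE_DESK = "service_desk"  # service desk and service operations
    PMO = "pmo"                    # Project Management Office and project IT
    CONTRACTOR = "contractor"      # external contractors and consultants


@dataclass(frozen=True)
class ClassPolicy:
    """Time, duration and scope automated per taxonomy class (assumed values)."""
    max_duration: timedelta         # longest grant this class may receive
    allowed_scopes: frozenset       # resource classes this class may touch
    requires_approval: bool         # whether a second person must approve


POLICIES = {
    AccountClass.IT_ADMIN: ClassPolicy(timedelta(hours=4), frozenset({"endpoint", "prod"}), True),
    AccountClass.DEVELOPER: ClassPolicy(timedelta(hours=1), frozenset({"prod"}), True),
    AccountClass.SERVICE_DESK: ClassPolicy(timedelta(hours=2), frozenset({"endpoint"}), False),
    AccountClass.PMO: ClassPolicy(timedelta(hours=1), frozenset({"project_it"}), False),
    AccountClass.CONTRACTOR: ClassPolicy(timedelta(minutes=30), frozenset({"project_it"}), True),
}
BREAK_GLASS_WINDOW = timedelta(minutes=15)   # assumed emergency access lifetime


@dataclass
class Grant:
    requester: str
    scope: str
    expires_at: datetime
    approver: Optional[str] = None
    break_glass: bool = False


class AccessBroker:
    """Request/approval workflow with SoD enforcement, expiring grants and an audit log."""

    def __init__(self, identities: dict):
        self.identities = identities   # identity -> taxonomy class
        self.grants: list = []
        self.audit: list = []          # real-time log kept for later audit/analysis

    def _log(self, event: str, **details) -> None:
        self.audit.append({"event": event, **details})

    def request(self, requester: str, scope: str, duration: timedelta,
                now: datetime, approver: Optional[str] = None) -> Optional[Grant]:
        cls = self.identities.get(requester)
        if cls is None:
            self._log("denied", requester=requester, reason="unknown identity")
            return None
        policy = POLICIES[cls]
        if scope not in policy.allowed_scopes:
            self._log("denied", requester=requester, scope=scope, reason="scope not in class")
            return None
        # Clamp to the class's pre-defined maximum; a request can never extend it.
        duration = min(duration, policy.max_duration)
        if policy.requires_approval and (
                approver is None or approver == requester
                or self.identities.get(approver) != AccountClass.IT_ADMIN):
            # Separation of duties (assumed rule): no self-approval, admin approver only.
            self._log("denied", requester=requester, scope=scope, reason="SoD violation")
            return None
        grant = Grant(requester, scope, now + duration, approver)
        self.grants.append(grant)
        self._log("granted", requester=requester, scope=scope, approver=approver,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def break_glass(self, requester: str, scope: str, reason: str, now: datetime) -> Grant:
        """Emergency path: bypasses approval but is short-lived, reason-bound and logged."""
        if requester not in self.identities or not reason.strip():
            raise ValueError("break-glass requires a known identity and a stated reason")
        grant = Grant(requester, scope, now + BREAK_GLASS_WINDOW, break_glass=True)
        self.grants.append(grant)
        self._log("break_glass", requester=requester, scope=scope, reason=reason,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, identity: str, scope: str, now: datetime) -> bool:
        """True only while an unexpired grant for this identity and scope exists."""
        return any(g.requester == identity and g.scope == scope and now < g.expires_at
                   for g in self.grants)


def demo() -> dict:
    """Run the workflow on constructed identities and return the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker({"alice": AccountClass.IT_ADMIN, "bob": AccountClass.DEVELOPER,
                           "carol": AccountClass.CONTRACTOR})
    self_approved = broker.request("bob", "prod", timedelta(hours=8), t0, approver="bob")
    approved = broker.request("bob", "prod", timedelta(hours=8), t0, approver="alice")
    out_of_scope = broker.request("carol", "prod", timedelta(minutes=10), t0, approver="alice")
    broker.break_glass("alice", "prod", "constructed reason: production database outage", t0)
    return {
        "self_approval_denied": self_approved is None,
        "clamped_to_one_hour": approved is not None and approved.expires_at == t0 + timedelta(hours=1),
        "active_now": broker.has_access("bob", "prod", t0 + timedelta(minutes=30)),
        "expired_later": not broker.has_access("bob", "prod", t0 + timedelta(hours=2)),
        "scope_denied": out_of_scope is None,
        "audit_events": [e["event"] for e in broker.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every decision, including denials and break-glass use, lands in the audit list, which is the "real-time log for audit and data analysis" the third strategy asks for; the break-glass path deliberately bypasses approval but not logging or expiry, which is the point of vaulting such accounts rather than leaving them unmanaged.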

Conclusion
The CIOs I regularly meet with from the banking, financial services, and insurance industries are under pressure to get new applications and services launched while protecting their business’ daily operations. With more application and services development happening in their IT teams, they’re focusing on how they can optimize the balance between security and speed. New apps, services, and the new customers they attract are creating a proliferation of new threat surfaces, making every new identity the new security perimeter.

IT Leaders: 5 Reasons to Encourage Citizen Development

IT leaders who “teach employees to fish” may be feeding the business for a lifetime.
Many IT leaders and even CIOs today are missing an opportunity. Their teams spend all day catering to business needs when, in fact, the business managers can and should be empowered to solve problems themselves.
There is an old saying that goes: “Give a man a fish and he will eat for a day, but teach a man to fish and he will eat for a lifetime.” IT leaders who facilitate low-code rapid application development knowledge in employees outside IT greatly improve IT’s efficiency and productivity. Unfortunately, they don’t do it nearly enough and spend a great deal of their time rushing around putting out fires with the few resources they have, leaving little time for more strategic initiatives.
According to Gartner’s IT Glossary, a citizen developer is a user who creates new business applications using development and runtime environments sanctioned by corporate IT.
Citizen development is possible because end-users now have the ability to build a variety of enterprise applications through model-driven platforms and cloud computing services. As long as users understand the principles behind application design and development, they do not have to learn the programming languages that were necessary in the past.
Here are five reasons IT leaders may want to reconsider sanctioning and even encouraging citizen development.
IT Demands Have Gotten Out of Hand
Most enterprise IT departments do not have enough resources to handle every request that comes in and must, therefore, prioritize by value to the overall business. This means that often, individual groups like accounting and marketing will have important requests put on the back burner while a short-staffed and overwhelmed IT group struggles to keep up. In fact, though, IT might not even be essential in developing solutions for these requests and is simply acting as a bottleneck.
IT Might Not “Get It” Anyway
Even if IT were to take on the request, who’s to say that the IT professional who accepts the project fully understands the requirements necessary to develop the most appropriate technology solution? A citizen developer who has deep subject matter expertise could use a low-code platform for rapid application development to more quickly arrive at a solution that meets the department’s needs.
Plug and Play Apps Are Less Expensive to Create and Sustain
I’ve seen this first hand. IT will enthusiastically build a custom platform for a line of business, but due to user adoption issues and other challenges, it won’t take off. Such projects involve a huge amount of money that essentially goes down the drain. On the other hand, most citizen developers do not build from scratch but instead employ a pre-configured SaaS application. If the implementation doesn’t work for some reason, it’s easier and more affordable to tweak.
Line of Business Employees and IT Employees Are Not Mutually Exclusive
CIOs might assume that everyone who isn’t in IT is clueless when it comes to technology deployment. But on the contrary, IT professionals are gradually being integrated into other departments. An example of this is the data scientist hired into human resources to help make sense of talent analytics. Many employees who don’t work for the CIO are savvier than the CIO might believe. Leveraging this talent can only alleviate the IT backlog.
CIOs Can Still Be in Charge
Some CIOs perceive citizen development as a threat to their domain or authority. Understandably, they may also worry that applications growing within individual departments won’t work within the context of the larger enterprise IT environment. This is actually why the CIO role is more important than ever. Citizen developers will be most effective if IT leaders set the stage, offering governance, implementation guidelines, and best practices. Citizen development doesn’t eliminate the need for IT; it elevates it to a more strategic level.
Don’t miss Dion Hinchcliffe, widely regarded as one of the most influential figures in digital strategy and enterprise IT, as he shares his advice on this topic in, “Untapped IT Strategy: Unleashing Citizen Development,” in a free webinar, September 29.