Updated: Feb 28, 2022
Tales from the garage that may change the way you think about Enterprise IT
According to The Smithsonian, humans started creating the first hand-axes and hammers about 2.6 million years ago. Later in the Stone Age, our ancestors were using ivory and bone to fashion harpoons and needles. By the 1920s, Henry Ford's Ford Motor Company had popularized mass production and the use of machine tools. Fast forward another 100 years or so, and today we have more tools than ever before, from kitchen gadgets to the hardware and software that power the modern enterprise.
In 1967, we saw Star Trek's Mr. Spock thrown back in time where he complained to Captain Kirk that he had to "construct a mnemonic memory circuit using stone knives and bearskins." Clearly, having the right tools at the right time has been important throughout human history, and it will continue to be. But how do we know that we have the tools we need? How do we know if we have too many tools?
When I went to the garage a few months back to do some work around the house, the mess that I found in the tool chest – and the cleanup that ensued – provided some valuable lessons about moving toward a more effective and efficient set of tools, whether those tools are in a home garage or an enterprise data center. In this article, we'll look at the Why, What, and How of Tools Rationalization.
Why Conduct Tools Rationalization? – A Case Study
In one recent engagement, our client was divested from a larger company and engaged Hybrid Pathways to perform an Information Security Tools Rationalization with a roadmap for their Cloud-only strategy. This client was spending over $1.5MM on security tools and managing 45 vendors. After a two-month rationalization project, Hybrid Pathways delivered a strategy that saved the company approximately $1 million and reduced the vendor count from 45 to 20, a 63% cost savings and a 45% reduction in the number of vendors.
To consider the engagement a success, our client established clear goals that the tools rationalization project needed to achieve, including:
Utilize a third-party-hosted Infrastructure-, Platform-, and Software-as-a-Service (IaaS, PaaS, and SaaS) for its IT Security Infrastructure
Consolidate IT Tools with Elasticity and Scalability
Agility for speed to market
Complete coverage of industry-standard and compliance-related information security controls
Alignment to client's growth and business model
The benefits of this Tools Rationalization project extend far beyond the financial and process gains and met the client's other success criteria, including competitive advantages, improved security, and an infrastructure that allows faster time to market.
Full controls coverage, aligned to industry standards
NIST Cybersecurity Framework
Reduction in the number of vendors – 45%
Reduction in tool costs – 63%
Speed to Market
Increased automation and integration (e.g., dashboarding) to enable operational support efficiency
Increased agility and scalability (elasticity) with Cloud-based automation
Scalability enables the acquisition of multiple books of business while maintaining a relatively flat Information Security operating model
Subscription-based access to third-party SMEs enables predictable costs for acquisition and growth
What is Effective Tools Rationalization? – Maximizing Efficiency
Enterprises may accumulate a mass of various tools, each added at some point in response to a need or a technology change. Even when companies try to standardize on a strategic toolset, they may continue to bear the burden of outdated, broken, or duplicate tools.
The process of Tools Rationalization is the systematic analysis of the products, services, and applications being used by the enterprise. The result is a determination of which tools should be kept, replaced, or retired. Tools Rationalization is often performed across a specific domain such as Information Security, Cloud, or Identity & Access Management, though it may also be applied more broadly.
A Tools Rationalization may take two to four months, depending on the scope, complexity, and the amount of stakeholder involvement. Some benefits may be realized immediately, and others over time.
How Do You Conduct Tools Rationalization? – Steps to Success
To get started on our journey towards an improved toolset, let's take a trip across the "Seven Cs" of Tools Rationalization: Capability, Cost, Compliance, Cleanup, Cloud, Customers, and Change.
#1 Catalog Current Capabilities
Before I tackle any task around the house, I need to know what I am capable of. At my personal skill level, I'm pretty handy and can generally "fix stuff" -- but I am by no means a craftsman; woodworking and building beautiful things from scratch is something that I aspire to, but it is beyond my current skill set. My toolbox should support the tasks that I am capable of performing, but collecting tools that I don't yet know how to use would be wasteful.
Many readers will be familiar with the Capability Maturity Model (CMM) developed by Carnegie Mellon University, which charts the growth of a process through five tiers from "Initial" to "Optimizing". For purposes of IT Tools Rationalization, we will think about moving through three phases: Foundational, Mature, and Advanced Data-Driven capabilities.
Foundational: These are the minimum capabilities that an organization needs to carry out its mission and will generally be the starting point for any new process. Foundational capabilities are characterized by a set of core competencies based on common practices, manual processes, and qualitative measurements.
Mature: Once a process reaches this phase, we will see repeatable compliance-driven processes supported by Key Performance Indicators (KPIs) that help drive continuous improvement.
Advanced Data-Driven: At the highest level of maturity, processes become more business-aligned, automated, and quantitatively managed. Innovative leading-edge technology is likely to be seen at this maturity level.
A simple summary of capabilities can help to show how mature the various processes are. Further differentiating by context (e.g., “Internal, DMZ, & External”; or “Workforce, Partner, & Customer”) can show where there may be differences in how existing tools are implemented:
Just as a person who is learning new woodworking skills must learn the basics before progressing, organizations must gain proficiency with foundational concepts before tackling the advanced ones. A capability mapping exercise will help to clarify the current maturity within a given domain, such as Information Security or Identity & Access Management (IAM). Be realistic about what maturity level is required. Not every tool or process needs to be implemented at an advanced level.
#2 Control Costs
For one home project, I purchased a template with a built-in level so that I could cut the correct size holes in sheetrock to install electrical outlets. This tool cost me all of $13.95 on-line and enabled me to do a professional-looking job in a short amount of time. And now that I have this tool in my toolbox, I've used it a few more times. Tools don't necessarily have to be expensive to deliver ongoing value.
As we saw in the Case Study above, cost control easily justifies taking the time to perform Tools Rationalization. If the scope and maturity of your capabilities can be improved while cutting costs, the business gains value. The goal of Tools Rationalization is to maximize business value while reducing cost over time. To better understand the organization’s priorities, consider these cost and value attributes:
When you look at the list above, what are your pain points? What costs would you like to reduce or even eliminate? What value attributes would be the most meaningful if they were realized within the next 12 - 18 months? Once you have a clear vision for where you want to build value, you can determine the gaps between your current state and your target state. The gaps will drive requirements for the acquisition of new tools or the expanded use of existing tools.
#3 Cover Compliance and Cybersecurity
As soon as I was able to use a screwdriver, I was taking things apart; I got in trouble for this more than once. One of my favorite disassembly targets was the extension telephone in my parents' bedroom. I found that I could remove the microphone from the receiver and listen to conversations without anyone hearing me. On one occasion, I removed the housing to try and figure out what all the parts inside did. Then the phone rang: A 90-volt jolt of alternating current hit the ringer -- and my fingers! Almost fifty years later, I retain a very healthy respect for electricity because of that zap. Compliance is like electricity: if you don't respect it, you are going to get zapped.
Pharmaceutical and financial verticals are historically thought of as regulated. Today industry standards and cybersecurity requirements affect virtually every business, across verticals and geographies, from small mom-and-pop shops to large enterprises. When choosing new tools, ensure that you understand your organization’s governance and compliance requirements. Bring in appropriate stakeholders early in the Tools Rationalization project. Depending on your organizational structure, this may include representation from your Legal, Compliance, Privacy, HR, and Audit teams.
Compliance, governance, and security requirements might include:
Alignment with a cybersecurity framework such as:
The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
Compliance with applicable jurisdictional requirements, for example:
GDPR (The European Union's General Data Protection Regulation)
CCPA (The California Consumer Privacy Act)
Ability to log to a Security Information and Event Management (SIEM) tool:
Fast correlation and detection of anomalous activity
Auditable history of system activity
Support for internal and external auditors:
Read-only on-demand auditor views
Ability to integrate with your existing toolset:
Strategic partnerships or officially supported integrations between manufacturers
Robustness of APIs
#4 Cleanup and Consolidation
When I found that unorganized mess in my garage toolbox, there were some things that I should have thrown away a long time before, like a screwdriver with a broken handle, and some dull, rusty hacksaw blades. I found two sets of socket wrenches, but they were coincidentally both missing their 7/8-inch sockets. So, I did some screwdriver sorting: Phillips-heads go here, and flat-heads go there. I also added a couple of replacement sockets to my shopping list.
Many modern tools perform more than one function or are available as suites of tools with strong integration between components. Is it possible for you to choose a new tool that can replace several existing ones? If so, you may reap benefits like lower total cost, better automation, better reporting, and greater ease of use. Consolidation often can satisfy many of the goals of Tools Rationalization.
When working with IT tools, there is a lot of value in performing cleanup tasks before consolidation or migration. Just as it made sense to throw away rusted hacksaw blades before organizing the tool chest, think about the aspects of your current toolset that you would not want to reproduce in a new system. Are there old user IDs that should be deleted or credentials that have never been used? What about empty groups? Are there artifacts like open ports or deprecated protocols that were used to support long-gone applications? How about manual processes that could be automated? And of course, if a new tool or suite is licensed on a per-user basis, migrating fewer users will be less expensive.
It may take some time and analysis to find all of the "rusty blades" hidden in your data center, but performing cleanup first will result in a more efficient and secure enterprise, while also controlling costs.
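The "rusty blade" hunt described above can be started from an inventory export rather than by hand. The script below is an added example written for this article, not Hybrid Pathways' code or any product's tooling. It assumes a simple JSON export (users with a last login, API credentials with a last-used time, group memberships, and listening services); the field names, the 90-day staleness window, and the list of deprecated protocols are all assumptions for the example, and the sample export is constructed. It flags the same four kinds of cleanup candidates the paragraph lists and reports how many users would actually need to be migrated, which is the number that matters for per-user licensing.

```python
"""Find pre-migration cleanup candidates in an identity/network inventory export.

Added example for this article (not the author's or any vendor's code). The
export format, field names and policy thresholds below are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export; field names are assumptions for this example.
SAMPLE_EXPORT = json.dumps({
    "users": [
        {"id": "alice", "last_login": "2022-02-20T09:12:00Z", "enabled": True},
        {"id": "bob", "last_login": "2021-03-01T14:00:00Z", "enabled": True},
        {"id": "svc-legacy-erp", "last_login": None, "enabled": True},
        {"id": "carol", "last_login": "2021-01-10T10:00:00Z", "enabled": False},
    ],
    "credentials": [
        {"id": "key-1", "owner": "alice", "created": "2021-11-01T00:00:00Z",
         "last_used": "2022-02-25T08:00:00Z"},
        {"id": "key-2", "owner": "bob", "created": "2020-06-15T00:00:00Z",
         "last_used": None},
        {"id": "key-3", "owner": "alice", "created": "2022-02-27T00:00:00Z",
         "last_used": None},  # brand new, not yet used: not a cleanup candidate
    ],
    "groups": [
        {"name": "finance-readonly", "members": ["alice"]},
        {"name": "old-erp-admins", "members": []},
    ],
    "listeners": [
        {"host": "app01", "port": 443, "protocol": "https"},
        {"host": "fs02", "port": 23, "protocol": "telnet"},
        {"host": "fs02", "port": 21, "protocol": "ftp"},
    ],
})

# Assumed reference date for the example (the article's update date).
REFERENCE_NOW = "2022-02-28T00:00:00Z"

# Assumed policy: cleartext or legacy protocols not to carry into a new system.
DEPRECATED_PROTOCOLS = {"telnet", "ftp", "smbv1", "sslv3", "tlsv1.0", "tlsv1.1"}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z') or return None for null."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_cleanup_candidates(export_json, now=REFERENCE_NOW, stale_days=90):
    """Return cleanup candidates plus the number of users that would migrate."""
    data = json.loads(export_json)
    cutoff = _parse(now) - timedelta(days=stale_days)
    findings = {
        "stale_users": [],          # enabled accounts with no login inside the window
        "unused_credentials": [],   # keys old enough to matter that were never used
        "empty_groups": [],         # groups with no members left
        "deprecated_listeners": [], # services still speaking legacy protocols
    }

    for user in data["users"]:
        last = _parse(user["last_login"])
        if user.get("enabled", True) and (last is None or last < cutoff):
            findings["stale_users"].append(user["id"])

    for cred in data["credentials"]:
        # Only flag credentials that have existed longer than the window and
        # were never used; a key created last week has simply not been used yet.
        if cred["last_used"] is None and _parse(cred["created"]) < cutoff:
            findings["unused_credentials"].append(cred["id"])

    for group in data["groups"]:
        if not group["members"]:
            findings["empty_groups"].append(group["name"])

    for svc in data["listeners"]:
        if svc["protocol"].lower() in DEPRECATED_PROTOCOLS:
            findings["deprecated_listeners"].append(
                f'{svc["host"]}:{svc["port"]}/{svc["protocol"]}')

    # Users worth migrating: enabled and not stale (disabled accounts are dropped).
    stale = set(findings["stale_users"])
    findings["users_to_migrate"] = sum(
        1 for u in data["users"] if u.get("enabled", True) and u["id"] not in stale)
    return findings


if __name__ == "__main__":
    print(json.dumps(find_cleanup_candidates(SAMPLE_EXPORT), indent=2))
```

On the constructed export the script flags two stale accounts (one of them a service account that has never logged in), one never-used API key, one empty group, and two legacy listeners, and reports that only one of the four users actually needs to be migrated. The staleness window and the protocol list are policy knobs; a real run should take them from the organization's governance and compliance requirements rather than from this example.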
#5 Consider the Cloud
During the spring and fall, I'll do some outside cleaning. There's usually some green algae on the siding in the back, and a bit of grime on the front walk – but I have yet to find any dirt around the home that's a match for a 4000-PSI pressure washer! What would take days with a garden hose and a scrub brush only takes a couple of hours with a powerful tool. And – I'll admit it – I think power washers are cool! I don't actually own a power washer though. I don't need to: I rent one for a few hours twice a year and then I give it back. I don't need to buy it or maintain it, and it doesn't take up any space in the garage.
Sometimes it may be advantageous to outsource a capability to a third-party provider, rather than keep the design, build, and run functions in-house. Consider SaaS, IaaS, PaaS, and IDaaS: Software-, Infrastructure-, Platform-, and Identity-as-a-Service, respectively. Analyze the expected use cases and volume for the capability that each tool fulfills. Is it better to build or buy? The total cost of ownership may be lower when leveraging a cloud provider, and if the provider is responsible for patching and maintenance, compliance requirements may be easier to satisfy.
When you move functionality to the cloud, perform a risk-based assessment in cooperation with your Third-Party Cyber Risk Management (TPCRM) team or equivalent group. If this function does not yet exist in your company, work with your purchasing department to perform at least a basic assessment when the new cloud provider is onboarded. Consider the Shared Assessments Standardized Information Gathering (SIG) Questionnaire or a similar methodology in order to ensure you understand the strengths (and any potential weaknesses) that a new Cloud or SaaS partner brings to the table.
#6 Cater to Your Customers
At my current woodworking skill level, I could probably build a pretty good bird house. But, to put it in business-speak, my personal target state capability is to be able to build some beautiful cabinets and furniture, or perhaps a desk – things that I could use, gift, or sell. Wait, did I just say "sell?" Oh dear. Now all of a sudden I have customers -- that's a whole 'nother level. In order to delight my customers, I’m going to have to learn some new things and make some tool investments...
When you looked at the costs associated with a poor customer experience, what resonated with you? Are your customers happy with the ways they interact today across the mobile, web, and voice channels? Are there internal costs that could be reduced to allow you to compete more effectively?
What tools or practices could be improved to deliver the biggest gains for your customers? Tools that help to bring together customer experiences across channels may make interactions easier for the customers, and potentially reduce fraud attempts and helpdesk costs. Know your target audience. Are you working with baby-boomers who prefer to interact by talking to you, or millennials who use a smartphone app for almost every interaction? Consider a staged approach to re-tooling. It may make sense to implement tools that support foundational capabilities right away and wait to implement mature or advanced ones.
#7 Control Change
Here at the home workshop, my tool investments are relatively minor, and usually consist of a trip to the hardware store downtown, or maybe to a big box store. The primary stakeholder besides myself is my wonderful wife, and I see her as an approver of any major changes or investments. When I want to spend money to build or fix something, her response is usually something along the lines of: "Be happy. Buy what you think you need. Be careful with the power tools." What I hear is: "Ensure a successful outcome. Control Costs. Manage risk."
Buy-in can be a bit more challenging in Enterprise IT. It's likely that some changes will be smaller ("Quick Wins") while others will be transformational (pronounced "ex-PEN-sive"). Communication and stakeholder buy-in are the keys for moving forward. Depending on the scope of your transformation, developing a roadmap may also help to show how you intend to control the sequence and the timing of changes. Grouping the tool changes into the following four categories will drive the IT and organizational changes required to plan, build, and support your new tools paradigm.
Contain & Sunset: Tools that have been identified as ineffective (either inherently or as currently implemented), or for which superior alternatives are available that better support your target state.
Retain & Maintain: Tools that are either adequate in their current state (and integrate into the target state) or have low impact on the target state.
Retain & Expand: Incumbent tools that support the target state and whose use will be increased; strategic tools that are at least partially implemented.
New Investment: New tools and services that support the target state capabilities. In some cases, a vendor selection exercise may be needed to ensure the most appropriate tools are chosen.
There are many benefits to Tools Rationalization that various stakeholders may prioritize differently; showing the potential cost savings is often the best way to gain consensus to make the investments you need to achieve your target state. "What would you say if I told you that we can cut our helpdesk costs by 50% within 12 months?"
Are you ready to start reaping the rewards of a more mature and streamlined tool set? A Tools Rationalization exercise should be one of your first steps: It will help you to understand where you are and where you can be, and it facilitates communicating the benefits to your stakeholders. Showing cost savings over time is one of the best ways to justify Tools Rationalization and subsequent changes. But remember that there can be many other benefits such as better customer experience and improved compliance that help you to gain even wider support. Now let's open that garage door and see what's in there...