Case Study: Technology Modernization, Digital Transformation Readiness and IT Cost Savings

Author: Guy Pearce, CGEIT, CDPSE, and Richard Fullerton, AWS CSA, ITIL, MCAAA, VCP-DCV
Date Published: 27 August 2021
Related: COBIT

“Digital Distinction” is a major trend for growing, medium-sized organizations, with growth requiring a well-executed digital platform enabled by foresight, leadership and accountability that helps ensure that societal needs are addressed with limited input resources.1

This digital distinction story was performed with limited resources in a multiservice urban Aboriginal agency (the Agency) providing holistic, culture-based programs and services for Aboriginal children and families. The Agency strives to provide a life of quality, well-being, healing, and self-determination for children and families in the Toronto, Ontario, Canada, urban Aboriginal community by implementing a service model that is culture based and respects the values of Aboriginal people, the extended family and the right to self-determination.

The Agency faced considerable technology challenges at the start of the pandemic-induced lockdowns. The mandatory move to a remote service model stressed the existing IT infrastructure to such an extent that it exposed issues such as network bottlenecks, Wi-Fi interruptions and landline unreliability, all of which compromised the ability of social workers to perform their duties. It had become evident to management that the Agency needed significant digital transformation as part of the journey toward the increasing virtualization of social services and a much-needed modernization of its base IT infrastructure.

To be effective, however, digital transformation must build on an IT foundation that ensures reliable and sustainable outcomes. While IT modernization is a necessary condition for digital transformation readiness,2 it is not a sufficient condition. Readiness must identify and address all IT operating model gaps3 before innovation; unfortunately, many organizations undertaking transformation are not ready for innovation.4

An unprepared organization is likely to see its digital transformations flounder:

…barely one in eight are successful. Even worse, only 3 percent of … 1,733 business executives … report any success at sustaining the change required for successful digital transformation….5

Thus, the Agency needed improved digital capabilities to support its growth and to increase its agility in response to the pandemic, so it engaged an experienced digital transformation consultancy with one executive from the group serving in the role of interim chief information officer (CIO).

The CIO title of the 1980s6 has evolved to become one of vision as part of enterprise strategy, of managing risk as part of enterprise risk and of managing a governed high-performance team to sustain today’s ever more complex IT ecosystems. The modern CIO creates new operating models and helps the organization become data-driven.7 The CIO takes the organization forward “… in ways that extract the maximum value from the information on hand…to make better decisions, faster”8 as articulated in the new data strategy.

This case study articulates all the listed requirements of the modern CIO from vision to risk management to creating high performance teams as part of IT operating model modernization. Furthermore, down the road, there will be sufficient material for a future case study to document the path of the organization to achieving fit-for-purpose data for data-driven decision-making and improved reporting efficiency.

The Challenge: Assessing the Current State

One cannot create a strategy without knowing the current state. The Agency’s interim CIO’s first step was, therefore, to establish the organization’s current state to determine its state of readiness for the required digital transformation. While tools facilitating readiness include staff surveys,9 benchmarking and determining the business case for IT change, a survey was selected as the right tool to learn about the organization’s IT challenges (what the users experience), its IT priorities (what the users want fixed first) and its IT value chain performance (how IT creates value for the organization) through the lens of four different levels of stakeholders. The survey was distributed to staff at all levels; the output presented an end-user view of the organization’s current state.

The four key findings from the survey across these categories were:

  1. The organization’s executives had different perceptions of the frequency of the top IT challenges compared to the rest of the staff complement (figure 1). This may be because they were more aware of the negative impact of various IT failures on their mandate.
  2. The frontline staff were the most supportive of prioritizing all of the top items compared to management, who saw the priorities differently (figure 2). This highlights the importance of engaging with the people most actively using technology and not depending only on management feedback for insights in this respect.
  3. The supervisor level experienced the severity of most of the shortcomings along the IT value chain (figure 3).
  4. One of the major challenges experienced by end users was that it took too long for IT to fix IT issues, with users perceiving that it was getting worse. The same held for the network; network reliability was decreasing (figure 4).

Figure 1
Figure 2
Figure 3

The fact that the survey highlighted IT challenges such as poor service request and incident management (the service desk item in figure 1) is more important than it may seem at first glance. As part of the journey to making IT more approachable and customer-centric, it is important that the service desk works flawlessly, as it is a major driver of staff (customer) satisfaction, which, incidentally, should be a key IT metric for any CIO.

Figure 4

A task of the CIO is not only to manage spend, but also to understand the context of the spend relative to a peer group or proxy as a means to compare levels of investment in the industry. In this case, the IT spend-to-revenue ratio was 2-3 percent (the measure of actual IT spend as a percentage of actual organization revenue for the organization’s previous financial reporting period), compared with a generally recommended ratio of 4-6 percent,10 and compared with the 25th to 75th percentile spend range for healthcare (a proxy for social services) of 3.0-5.9 percent.11

A comparison of the actual ratio with the benchmark ratios above confirmed a historical underinvestment in IT. Reducing underinvestment in IT and addressing the associated risk areas while building future IT capabilities should be high, not only on the CIO’s agenda via IT governance, but on the board’s agenda, given the implications for enterprise governance.

The Solution: Addressing the Priority Current State Shortcomings

As a result of the current state findings, the CIO reconsidered improvements and developments that may impact the entire IT operating model. A restitution strategy was developed to address as many of the identified priority shortcomings as possible in the shortest possible time.

Restitution is about partnerships, though, another modern CIO imperative. Non-IT senior leaders are just as accountable for decisions and the delivery of ongoing IT services.12 In other words, restitution is an organizational challenge rather than only an IT challenge, a fact that impacted the nature of the stakeholders identified to oversee the initiative. The more a CIO engages in stakeholder relationships with the goal of forging partnerships, the more effective the broad diversity of IT initiatives within the CIO’s portfolio must almost automatically become.

In this case, restitution was performed in 1) a technology stream and 2) an IT governance stream. (A data governance stream was also recently introduced but will not be explored further here.) The relationship between the CIO and IT governance took a major leap forward a decade ago when it was explicitly considered in South Africa’s King III code for corporate governance.13 However, more than five years later, the focus still tended to be on the use of IT in regulation and compliance,14 rather than being about the organizational performance and value creation mechanism it is meant to be.

Aligned with digital transformation principles, specifically around the operating model readiness,15 restitution was not only about technology, but also about other important components of the organization’s operating model, such as people, process and governance.

Technology Stream

From the current state analysis, the Agency’s legacy technology landscape suffered extended maintenance, support, integration, security, and agility risk and constraints. Technology modernization projects (figure 5) were identified for the Agency to address these issues while also addressing most of the user-defined IT priorities identified in the survey.

Figure 5

One of the CIO’s primary objectives was to measure the benefits of each IT intervention, whether they be through enhanced activity, cost savings, risk mitigation or potentially even revenue generation. Cost and activity benefits, where the interventions are complete, are highlighted for the various interventions the Agency undertook.

Network Remediation
The annual operating cost of the Agency’s new network is 48 percent of the cost of the old network—savings driven largely by deploying a modern network technology with standardized network devices using a modern network protocol.

The old network had nonstandard devices that were unmaintained, outdated with no active support, not configured according to industry best practices and had no redundancy. Furthermore, it suffered bottlenecks, single points of failure and cybersecurity vulnerabilities, with costly management implications.

Addressing the network shortcomings required significant planning and activity, given that the network would need to be modernized while the Agency was still performing its mandate. It involved an initial network discovery process that, for example, identified Internet Protocol (IP) addresses, the devices linked to the IP addresses, the functions and roles of various servers, the portfolio of critical applications, and network-based processes that needed to be mapped out and well understood. Backout plans and vendor escalation processes were created. Replacing more than 50 switches and several firewalls within a 36-hour window was challenging, especially for a new network topology in an overall process that took up to a year when including the planning and vendor identification/selection processes.

Network remediation addressed technical cybersecurity vulnerabilities, fault tolerance and failover readiness with redundancy. It also provided greater bandwidth, scalability and manageability, with Software-Defined Wide Area Network (SD-WAN) technology proving to be more secure and providing higher performance compared to the Multiprotocol Label Switching (MPLS) technology it replaced. While bandwidth demand tripled during the pandemic, it was all reliably and seamlessly accommodated within the new network architecture.

Strategically, the organization seeks to share its IT environment with smaller social services agencies that might be insufficiently funded to develop appropriately functional IT platforms. The Platform as a Service (PaaS) aspiration required a network architecture designed to handle traffic at scale and the recognition that an additional network engineer would be needed to bring this aspiration to life.

Human Productivity Tools
The annual operating cost of the Agency’s new human productivity tools (HPTs) is 39 percent of the cost of the old HPTs.

The old portfolio of HPTs was a disparate set of vendor solutions that were difficult to support, offered relatively little functionality, challenged the implementation of integrated security, and were costly to manage.

A key consideration was to ensure that all data stayed within Canada. A hybrid approach was followed leveraging Active Directory Federation Services (AD FS) with Azure that allowed for failover from on-premises to the cloud, while moving all users’ mailboxes and enabling the additional functionality into production. This parallel process took six months from planning and vendor identification to deployment.

The Agency’s new Software as a Service (SaaS) HPT offered vast improvements in functionality across multiple end-user devices, such as facilitating engagement and teamwork; application interoperability; and facilitating a single approach to cybersecurity by means of integrated identity and access management. This deployment is a critical lever for successful digital transformation given benefits such as performance, scalability, security, and reliable and integrated support from the vendor.16

Case Management
A single case management system to integrate the Agency’s two case management systems was identified (figure 5). Two systems were deployed as a means to address the data collection shortcomings in each. To address this, a thorough business requirements document (BRD) will be created to facilitate a request for proposal (RFP) process to identify whether an integrated case management tool is available. (This will not be discussed further as it is a separate, significantly larger project that has only recently been instantiated.)

Document Management
A document and content management system—coupled with appropriate workflows and governance—was needed to manage the intranet; perform as a repository for digitized, historical paper-based case files; perform document management; and provide a basis for operational metadata management and the organization’s data dictionary. A feasible tool and functionality was included in the software package provided for the HPT stream, coming in as a cost saving relative to the next best alternative. A decision was taken to use this tool given this cost benefit. A configuration and deployment plan was not yet in place at the time of writing.

Incident Management
An incident management tool had been deployed at the Agency but without supporting processes or governance. There was no ticket escalation process, no ticket auto-allocation process and no feedback loop to the requester that a ticket had been received. The following were established as part of the Agency’s IT department’s emerging ITIL-alignment aspirations to improve incident management performance:

  • Defined incident management processes
  • Defined incident management responsibilities
  • Feedback loops with workflows
  • Service-level agreement (SLA)-driven ticket auto-escalation

The operational impact of these changes is evident in figure 6. Within seven months after implementation and as the subject of continuous improvement during that time and beyond, the average ticket closing time had decreased from 34 days to three days according to the system logs, and the average ticket assignment time had decreased from 140 minutes to nine minutes according to the same logs. There are further initiatives to use more of the functionality of the selected tool in the future.

Figure 6

Additional service desk functionality deployed at the Agency includes IT asset management and a configuration management database.

Monitoring and Patching System
The annual operating cost of the Agency’s new monitoring and patching system is 30 percent of the cost of the old vendor solution.

Driven by continuity risk factors such as poor outage monitoring and alerting, poor device monitoring, and poor vendor responsiveness, as well as cybersecurity risk factors such as poor patching, the Agency sought and deployed a tool to fulfill these requirements with remote management capability.

The technology was selected based on a review of this specific technology landscape according to various IT research organizations. Then, deploying the monitoring tool required making changes to the firewall to allow agents to communicate. Furthermore, a cache server was set up to reduce the bandwidth implications of all the computers in the Agency requiring similar updates, thereby reducing the possibility of network congestion. Planning, vendor identification and deployment took less than three months.

Cloud
The annual operating cost of the Agency’s new cloud data center is 45 percent of the cost of the on-premises data center, driven by the higher support and equipment costs of maintaining an on-premises environment.

The Agency had historically entered into a five-year contract for its data center, with further expenditure required for power to eight servers, hosting facilities and equipment, an uninterruptible power supply, and management time for maintenance and management. The risk of the data center being an operational bottleneck was considerable. The real push for a work-in-progress cloud migration was driven by the pandemic.

The selection of the cloud vendor was based on a review of the findings by various IT research organizations and the need to ensure interoperability between the various tools that were about to be deployed in the cloud. For the software tools, a primary driver was the effectiveness of the solution to serve well in a Software as a Service (SaaS) paradigm, which will be the foundation for the type of incremental transformational functionality envisaged as a strategic driver of future IT at the Agency.

Configuring a cloud infrastructure requires configuration activities such as subscribing to the services, creating virtual machine(s), the virtual private network (VPN) and the VPN gateway. Additional services that were migrated to the cloud or deployed to the cloud include the HPTs, the monitoring and patching services, and the mail system. The planning, vendor identification and deployment were performed within four months.

The operational, scale and cost advantages of the cloud at a stated availability of 99.999 percent were implemented as a desirable alternative to on-premises services, given that the modern CIO’s role is to create an environment that facilitates on-demand technology and related services.17 The potential of this migration for future Platform as a Service (PaaS) services, virtual computing, storage and on-demand functionality positions the organization well for an enhanced digital future.

Telephony
Telephony depends on a stable network, and the organization is now ready to address its telephony shortcomings. An architecture and plan to migrate between the current state and the proposed state for telephony is being developed, with the major goals being scalability as part of the PaaS vision for the organization and redundancy, given the always-on requirement of child welfare services.

Financial Summary
IT underinvestment introduces significant risk and inefficiencies into an organization. The technology modernization stream not only addressed technology risk at the Agency, it also eliminated architectural inefficiencies and high-cost structures, as demonstrated by the annual cost savings achieved (figure 7).

Figure 7

While cost savings of up to 13 percent are expected in technology modernization,18 savings of 18 percent were realized.

IT Governance Stream

IT governance ensures that IT produces the value expected of it. While IT governance was introduced as a mechanism for CIO oversight of the technology deployments, less tangible activities were also established by means of the IT governance stream to help establish a vision for IT, to reduce IT risk and to extend the people capabilities of the IT department.

The following sections detail the measures taken to help ensure reduced-risk value delivery from IT.

Policies and Processes
Procedural and cybersecurity-related updates were made to the Agency’s IT policy. Processes were also co-created with human resources (HR) (e.g., onboarding, offboarding) and with operations (e.g., IT-facilitated process design for the handling of all possibilities of incoming telephone calls) to ensure that handovers to IT and back to HR and operations were clear, and that people had been identified in the process to accept handovers.

If an operational process needs engagement with IT, operations must co-design the process with IT to manage expectations and to reduce operational risk. Failing to do this will result in failed processes, given no awareness or clarity of IT’s role in the process.

Risk Management
Risk management is a key pillar of effective IT governance. Together with policies and procedures as a critical part of effective risk management,19 IT implemented a risk management process—Identify, Assess, Respond, Control, Monitor—with a living risk register as a monitoring and communication tool as a means to help minimize potentially negative differences between expected IT outcomes and the actual IT outcomes. The process emphasized assigning responsibility for a risk control at the point where risk is realized. Periodic IT governance meetings were established as a means to monitor changes in IT environment risk and to monitor the effectiveness of the risk controls.

Key administrator passwords being held in people’s heads was a major operational and sustainability risk. As a risk control, a password vault was created for all application and system passwords, supported by a process that could be accessed by the executive team in an emergency.

Structure and People
People are the most critical part of IT because they determine whether something is done well. To effect and to sustain digital transformation, IT staff must have digital mindsets;20 be inclined to testing and learning, innovation, and agility;21 and have diverse technology knowledge, deep data skills, rich process skills, and end-to-end mindsets that include teamwork, courage, and change management.22

Sustainable digital transformation, thus, requires “t-shaped” people—staff with deep knowledge of their areas of expertise and broad knowledge that they can apply to solve the types of new problems that emerge under transformation.23 T-shaped people are especially important in small IT teams, where broad knowledge overlap mitigates the continuity risk of a small staff complement.

Digital transformation demands agility—people fluidly structuring around problems or challenges in cross-functional teams24, 25 rather than constrained within traditional organizational structures. Compromising on IT competence has been described as a subtle and even a dangerous issue in digital transformation.26

“Build the organization,” “run the organization” and “transform the organization”27 was adopted as the IT structure paradigm. Bespoke definitions for “run the organization” and “build the organization” were developed to define their purpose and scope for the organization (figure 8).

Figure 8

While the Agency’s IT organization managed day-to-day operations (run) and performed technology modernization projects (build) like those in figure 8, it had unsustainable transformation. Given the organization’s growth and expansion aspirations, “transform the organization” was established as a full-time role, and an experienced leader was recruited to focus on strategy and architecture to help define the organization’s broader digital capabilities.

Strategy and Architecture
The current state of the Agency was such that it had no clear IT strategy and no clear IT architecture. Many different applications had been acquired from a wide variety of vendors over time to serve specific point purposes but with no consideration for aspects such as architectural fit, integrated cybersecurity management and interoperability. The historical approach to IT tended to be tactical, with no consideration of how the tactical deployments would impact the Agency’s overall IT risk profile.

While this worked reasonably well in a low-stress IT environment, the diverse flaws in the approach quickly became apparent at the start of the pandemic—especially to end users who suffered service interruptions—when network volumes escalated significantly under work-from-home orders.

All interventions documented in the Technology Stream section were part of a significantly more architected approach—specifically around cybersecurity and interoperability—that included business cases as part of the supporting documentation and a comparison with next-best technology alternatives.

It is useful to note that unarchitected IT is a primary driver of technology debt;28 an unwelcome gift to current IT management from former IT management as experienced in the Agency’s current IT state. While appropriate IT vendor diversity should be supported in the interest of good IT risk management, this should occur within a strategically architected framework. IT strategy and IT architecture can sustainably reduce IT risk and improve business continuity.

Data Governance Stream
Digital transformation consumes data and produces more data that not only serves general reporting and decision-making, but also potentially serves government policy direction. While data were not initially identified as a problem at the Agency, a data strategy has been developed in response to some data issues identified (figure 9), and in line with a vision for data for the organization. (The data strategy will not be covered further in this case study beyond the limited discussion that follows.)

Figure 9

CIOs strive for data consistency, data availability, information resource control and information flow visibility.29 Not addressing data challenges results in delayed and/or incorrect data-driven decision-making and productivity compromises, and incurs unnecessary IT effort to resolve issues arising from bad data.

As a first step toward addressing data challenges, the Agency articulated its unique perspective of the drivers of a data culture as an output of a facilitated workshop series. Some of the behavioral considerations include:

  • Mistrust about what data could communicate; could they show performance levels that are lower than perceived?
  • That data have not been seen as something that can add value
  • That data are removed from the people whose lives they represent
  • That data capture is only seen as a necessary part of getting the job done, rather than as a vital part of the data value chain
  • That data are not seen as distinct from IT, with operational and strategic best practices distinct from those applicable to data

It is important that ways to address these behavioral considerations are included in the organization’s data strategy. The implementation of the cultural aspect is an overarching workstream for the data work that needs to be performed over the upcoming years to create an environment rich in fit-for-purpose data. Overall, IT culture is the single greatest risk—and, therefore, critical success factor (CSF)—not only for IT governance,30 but possibly for data governance, too.

Key Results and Benefits

As outlined, successful digital transformation requires the barriers to an effective digital strategy—processes, technology, people and governance, in that order31—to be addressed. Without a sound IT operating model foundation, digital transformation will exacerbate IT operating model shortcomings with predictable consequences. Figure 10 summarizes the major IT outcomes achieved. Note that the column “Technology and/or Governance Intervention” in the figure refers to the relevant item in the Technology Stream section or the Governance Stream section.

Figure 10

Figure 10 item 10 refers to technical cybersecurity vulnerabilities. However, the Desjardins breach in Canada32, 33 is a shocking reminder of the scale of breach possible in the presence of even the best technological responses. People vulnerabilities are, thus, addressed through the newly established SOC at the Agency, mandated to address people matters such as cybersecurity training and to perform vendor due diligence. This closes the loop on the cybersecurity vulnerabilities identified as part of the network remediation workstream.

Other noteworthy outcomes include digital forms with workflows for efficient forms processing compared to paper forms, and improved secure video conferencing.

What Is Next?

With many of the primary activities in figure 10 having been achieved in six months across nearly 20 regional sites, there is still more work to do, with some of the major considerations being:

  • Telephony, as discussed
  • Case management, as discussed
  • Laptop standardization, all staff
  • Addressing stable and reliable power
  • Modernizing the data infrastructure as the foundation required for the implementation of an organizationwide data strategy

Of these, the data infrastructure will likely be the highest cost future intervention. This will require not only technology, but a full data operating model to support the growing day-to-day requirements for data and reporting in the organization. From a CIO perspective, formally aligned organizational strategy and IT strategy interventions ultimately help minimize digital strategy execution gaps,34 the difference between what an organization aspires to achieve strategically, and what it actually achieves.

Conclusion

Organizations trust the CIO to ensure that the technology ecosystem is a functional and reliable enabler of the organization’s operations.35 This means that the role has significant fiduciary responsibilities requiring high performing, t-shaped people. Digital transformation needs executive support and visibility, and credit is due to the head of the organization, the head of finance and administration, and the head of human resources (HR) for their encouragement during some of the darkest hours of this process. Thanks are due also to the extraordinary performance of a small, but mighty and highly motivated IT team willing to go so significantly beyond the extra mile for months on end.

This case study details the types of CIO leadership needed for digital transformation readiness and technology modernization, aligned with an approach published in ISACA® Journal.36 “Digital distinction” and cost savings were achieved with limited resources in a limited timeframe, an unusual achievement irrespective of organization size or resources. The organization is now positioned to increasingly redirect IT spend from operations to digital innovation37 as reward for its courageous efforts.

Endnotes

1 El Tarabishy, A.; “The Top 10 Micro, Small, and Medium Enterprises Trends for 2021,” International Council for Small Business, 6 July 2020, http://icsb.org/toptrends2021
2 Avanade, “IT Modernization: Critical to Digital Transformation,” March 2017, http://www.avanade.com/-/media/asset/white-paper/avanade-it-modernization-whitepaper.pdf
3 Pearce, G.; “Digital Transformation Governance: What Boards Must Know,” Governance Institute of Australia, vol. 72, no. 5, 2020, http://www.governanceinstitute.com.au/resources/governance-directions/volume-72-number-5/digital-transformation-governance-what-boards-must-know/
4 Bendor-Samuel, P.; “Four Guidelines for Success in Innovation in Digital Transformation,” Forbes, 23 July 2019, http://www.forbes.com/sites/peterbendorsamuel/2019/07/23/four-guidelines-for-success-in-innovation-in-digital-transformation/#61401a511aa9
5 Pearce, G.; “Attaining Digital Transformation Readiness,” ISACA® Journal, vol. 1, 2020, http://h04.v6pu.com/archives
6 Rivier University Nashua, New Hampshire, USA, “The Growing Importance of a CIO in Today’s Evolving Business World,” Boston Business Journal, 16 March 2020, http://www.bizjournals.com/boston/news/2020/03/16/the-growing-importance-of-a-cio-in-today-s.html
7 Op cit McLaughlin
8 Op cit Rivier University
9 Ibid.
10 Morley, L.; “How Much Should a Company Spend on IT?,” Techvera, http://blog.techvera.com/company-it-spend
11 Avasant Research, “IT Spending as a Percentage of Revenue by Industry, Company Size, and Region,” Computer Economics, http://www.computereconomics.com/article.cfm?id=2626
12 CIO Journal, “The Role of Senior Leaders in IT Governance,” The Wall Street Journal, 22 June 2015, http://deloitte.wsj.com/articles/the-role-of-senior-leaders-in-it-governance-1434945783?tesla=y
13 IT Governance Network, “The CIO and IT Governance,” http://www.itgovernance.co.za/3/index.php/general-articles/176-the-cio-and-it-governance
14 De Haes, S.; A. Joshi; T. Huygh; S. Jansen; Board Level IT Governance Research Project, Antwerp Management School, Belgium, September 2016, http://assets.kpmg/content/dam/kpmg/be/pdf/2018/05/Corporate_Governance_Codes_and_Digital_leadership.pdf
15 Op cit Pearce, “Attaining Digital Transformation Readiness”
16 Sharma, A.; “Application Modernization: One of the Critical Levers of Digital Transformation,” CIO, 30 July 2020, http://cio.economictimes.indiatimes.com/news/strategy-and-management/application-modernization-one-of-the-critical-levers-of-digital-transformation/77253867
17 Dogan, C.; From the Basement to the Cloud: The Role of the CIO Over Four Decades, Deloitte Consulting, USA, 2018, http://www2.deloitte.com/content/dam/Deloitte/ar/Documents/technology/THE-ROLE-OF-THE-CIO-OVERF-OUR-DECADES.pdf
18 Op cit Avanade
19 Amadei, L.; “Why Policies and Procedures Matter,” Risk Management, 1 November 2016, http://www.rmmagazine.com/2016/11/01/why-policies-and-procedures-matter/
20 Op cit Dogan
21 Annacone, A.; “The Four Types of Digital Transformation,” TechNexus on Linkedin, 19 June 2019, http://www.linkedin.com/pulse/4-types-digital-transformation-andrew-annacone/
22 Davenport, T. H.; T. C. Redman; “Digital Transformation Comes Down to Talent in Four Key Areas,” Harvard Business Review, 21 May 2020, http://hbr.org/2020/05/digital-transformation-comes-down-to-talent-in-4-key-areas
23 Rowles, D.; T. Brown; Building Digital Culture, Kogan Page, United Kingdom, 2017
24 Ghosh, A.; “Digital Transformation of the Workplace,” India Inc., 19 November 2020, http://indiaincgroup.com/digital-transformation-of-the-workplace/
25 Penfold, P.; “HR Strategies That Help Digital Transformation Succeed,” People Matters, 22 November 2019, http://www.peoplemattersglobal.com/article/hr-technology/hr-strategies-that-help-digital-transformation-succeed-23829
26 Op cit Rowles and Brown
27 Apptio, IT Financial Metrics Primer, USA, http://dsimg.ubm-us.net/envelope/151893/296392/1390318118_WP_-_Apptio_IT_Financial_Metrics_Primer.pdf
28 Dalal, V.; R. Patenge; K. Krishnakanthan; “Tech Debt: Reclaiming Tech Equity,” McKinsey Digital, 6 October 2020, http://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-debt-reclaiming-tech-equity#
29 Op cit Dogan
30 Pearce, G.; “The Sheer Gravity of Underestimating Culture as an IT Governance Risk,” ISACA Journal, vol. 3, 2019, http://h04.v6pu.com/archives
31 Op cit Pearce, “Attaining Digital Transformation Readiness”
32 The Canadian Press, “Desjardins Says Employee Who Stole Personal Data Also Accessed Credit Card Info,” BNN Bloomberg, 10 December 2019, http://www.bnnbloomberg.ca/desjardins-says-employee-who-stole-personal-data-also-accessed-credit-card-info-1.1360652
33 The Canadian Press, “Series of Gaps Allowed Massive Desjardins Data Breach, Privacy Watchdog Says,” CTV News, 14 December 2020, http://www.ctvnews.ca/business/series-of-gaps-allowed-massive-desjardins-data-breach-privacy-watchdog-says-1.5230179
34 Pearce, G.; “Digital Governance: Closing the Digital Strategy Execution Gap,” ISACA Journal, vol. 2, 2020, http://h04.v6pu.com/archives
35 Edelman, D. J.; “CIO in Focus: A Global Study,” USA, 2020, http://www.edelman.com/expertise/technology/cio-in-focus
36 Op cit Pearce, “Attaining Digital Transformation Readiness”
37 Halfteck, D.; “Six Steps to Ensure IT Readiness to Drive Digital Transformation,” Access IT Automation, 16 May 2019

Guy Pearce, CGEIT, CDPSE

Has served on governance boards in banking, financial services and a not-for-profit, and as chief executive officer (CEO) of a financial services organization. He has taken an active role in digital transformation since 1999, experiences that led him to create a digital transformation course for the University of Toronto School of Continuing Studies (Ontario, Canada) in 2019. Consulting in digital transformation and governance, Pearce shares more than a decade of experience in data governance and IT governance as an author and as a speaker. He was awarded the ISACA® 2019 Michael Cangemi Best Author award for contributions to IT governance, and he is chief digital officer and chief data officer at Convergence.Tech.

Richard Fullerton, AWS CSA, ITIL, MCAAA, VCP-DCV

Is the IT manager at Native Child and Family Services of Toronto, Ontario, Canada. He is a solutions-oriented IT professional with more than 20 years of experience in the organization and delivery of end-to-end IT projects involving data migrations, server upgrades and configurations, and enterprise-scale software and hardware installations. His areas of expertise include cloud (AWS, Azure, Office 365), virtualization (VMware, Hyper-V, Citrix), and identity and access management. Fullerton is an experienced technical team leader in matrix organizations. He is the recipient of multiple Distinguished Service and Project Leadership awards, and the recipient of a Service Excellence award.