Apply to MSS

First Name

Last Name





Check all that apply

Experience with a major consulting firm

Check all that apply


Check all that apply


Check all that apply

Functional Experience

Check all that apply

Attach Cover Letter

Attach Resume

Join Our Talent Community

First Name

Last Name





Check all that apply

Experience with a major consulting firm

Check all that apply


Check all that apply


Check all that apply

Functional Experience

Check all that apply

Attach Resume

facebook gplus linkedin sharethis
  • Blog

    blog banner
  • Category Archives: Digital Transformation

    The Case for Ambiguity – How to Set Your IT Project Up For Success

    ambiguity game

    I really enjoy playing guessing games – you know, the types that you would do in a case interview, in business school, or with your nerdy, analytical friends (and yes, my friends and I would fall into this category). It’s fun to try and give your guesstimate on how many golf balls could fit into a 747 or how many cigarettes are smoked a day in Montana. Even though I enjoy it quite a bit, I couldn’t imagine having my job hanging in the balance based on the accuracy of a hypothetical exercise. However, that is exactly what happens to an overwhelming number of leaders on a regular basis with their technology projects.

    A McKinsey-Oxford study found that large IT projects go over-budget 45% of the time, over-schedule 7% of the time, and under-deliver 56% of the time¹. This translates to an awful lot of Steering Committee meetings where a Project Sponsor is forced to have an uncomfortable conversation with company executives on why their project is not meeting the metrics that were promised. But why does this happen? Why do very capable individuals (who called in experienced implementation teams) consistently find themselves in the hot seat with their projects? In many cases, the projects were doomed from the beginning due to basing the foundation of the project off of hypothetical exercises and guesstimates. Let me show you what I mean…



    Projects tend to start by following a fairly predictable pattern:

    MSS was recently brought in by a client that was experiencing significant difficulties during a Back Office Transformation project. The implementation partner was well over a year into the project (and already several months late from the planned go-live date), with very few tangible deliverables to show for their efforts. After a brief assessment we were able to quickly determine the cause of the issues: there was not enough effort early in the process focused on the true needs of the organization and the development of a corresponding scope. Instead, the organization was focused on finding a cost-effective supplier based on limited information of the business needs. This lead to the organization selecting a solution that did not meet their future state vision with an implementation partner that did not have experience in delivering the necessary scope (focusing on developing what they did have experience in delivering, instead). Fortunately, we were able to work with the client in developing a relatively quick course correction, but not until after they had already accrued a significant amount of sunk cost before realizing the project was doomed from the beginning.

    In this case, the project failed its metrics the moment it is approved based on a rough, uninformed estimate. However, we have seen that this is not a unique case – it happens to a surprising number of companies regardless of company size, budget, industry, or even level of experience of the Project Sponsor. Bad things happen to good executives, but there is a way to avoid being put in this situation.

    How to Avoid Project Estimation Errors

    Chances are, you know all of this already – you have had a project (or maybe several projects) that quickly grew over-budget and/or under-delivered. But what can you do about it?

    The single biggest thing you can do to set yourself up for success is to live in cost/timeline ambiguity during an early assessment phase to get an accurate scope that focuses on the true success of the project.

    Once the initial problem is identified and documented internally, allowing an experienced team to evaluate your environment, account for potential complexities, and develop an agreed upon scope upfront can help provide a far more accurate understanding of the true efforts needed. It is critical to also use this initial assessment to identify what is needed to truly make this project successful. Answering questions like ‘Which resources will we need for this project?’, ‘What success metrics will we orient our decisions toward?’, and ‘How will we prepare our End Users for success on day 1?’ will go a long way in achieving the goals of the project.



    This re-imagined launch of the project is as follows, focusing on a more success-oriented process and list of activities:

    We live in a world where rapid technology changes and advancements are more than the norm – they are a requirement to survive in business. Before the whirlwind of a project begins, make sure to take the time to set your organization up for a successful project, rather than for a project doomed to disappoint. Being comfortable with living in temporary ambiguity will save you from a revolving door of unfortunate conversations with your Steering Committee.

    ¹ Bloch, M., Blumberg, S., Laartz, J. (2012) Delivering large-scale IT projects on time, on budget, and on value.

    Top 5 Cloud Trends

    Cloud technologies has been a buzz word for more than a decade ever since Amazon started selling their in-house, web-based service platform that was used to support their own internet sales site. They were able to package the technology, market it and turned it into a profitable solution that allowed companies to take advantage of large scale technologies without the upfront costs to build their own datacenters. Since then, cloud technologies have evolved quickly as a mainstay in our ever-evolving technological world.

    New, billion-dollar companies such as AirBnB and Uber have capitalized from this trend by utilizing cloud-based infrastructure to increase reliability while decreasing costs. In April of 2018, GoDaddy announced it was moving a vast majority of their current infrastructure to AWS.¹

    As companies are evolving to stay ahead in the new technology world, here are five trends that are happening with cloud computing.

    1. Growth in Cloud Services and Solutions – We are in the digital age where cloud services are now common place and businesses look to a cloud solution first before an on premises solution. 56% percent of CIOs in Gartner’s CIO survey indicate they are adopting cloud as either an option or as part of a “cloud first” approach, while 71% look to SaaS either first or as an option.

    Gartner predicts that by 2020, businesses without cloud capabilities will be as uncommon as businesses without Internet are today.

    Most businesses use some sort of cloud offering or online application such as Microsoft Office 365 or Salesforce. Few businesses are completely 100% cloud based nor are there businesses that are completely 100% cloud free.

    2. Serverless Computing – A relatively new cloud service that has come into the marketplace is serverless computing which allows developers to deploy their applications without the need to provision servers or backend infrastructure to support and run their applications. Developers can release their code and run it as a service without the need to build backend infrastructure such as servers, network, databases and backend applications to support the application. This creates simplicity and agility in the marketplace to turn out applications much more quickly than run at greater speed. This also allows companies to go global by replicating their applications to run around the world as if the local datacenter is right next door.

    3. Multi-cloud – The rise of pure play cloud platforms like Microsoft Office 365, Salesforce, ServiceNow, and Workday show that most businesses already utilize a multi-cloud cloud environment. Multicloud is the use of multiple public cloud computing and storage services in a single heterogeneous architecture not to be mistaken for hybrid cloud which is a mixture of public and private resources. Some cloud companies are changing their application architecture to force companies into a multi-cloud environment even if they are not willing to give up the hold on local resources.

    Microsoft will begin to remove Skype for Business and OneDrive for non-365 users by 2020 to force them into using Office 365

    4. Disaster Recovery – As businesses move toward a virtualized and constantly evolving IT ecosystem old DR approaches become much more expensive and complex to maintain. Software based DR at the hypervisor level allows a company to prioritize applications and provides automated testing to ensure and validate a company’s DR strategy. I can remember a year after the 9-11 disaster, the company I worked for at the time invested in a 3rd party disaster recovery site and solution. A few times a year would be spent on building out our servers and clients from backup tapes to perform drills to ensure our DR solution was adequate. This time-consuming ordeal would take 48 hours to build and test but would only ensure our most business-critical applications would be recovered. Now with the use of cloud technologies recovery can be completed and tested within minutes.

    5. Security – Last but certainly not least is security. The glaring question from anyone thinking of moving to the cloud “Is my information in the cloud secure?”. Contrary to the myth that you will lose security when you move to the public cloud because you cannot physically touch the device, in most cases you are increasing security by moving data to the cloud by utilizing the provider’s hardened datacenters with many more security resources. This all depends on your current state of security. The cloud provider is responsible for the security of the cloud (datacenters, access, security tools, etc.) while the consumer is responsible for the security in the cloud (data access policy, authentication, authorization, etc.). Security must be built into every step of product development or migration strategy rather than at the end.

    Businesses demand more as technology increases and legacy systems become less sustainable. The goal for business is to reduce risk by ensuring that crucial applications are always available. The cloud has become a tool to satisfy this business demand while reducing risk. What needs to change is the IT mindset of being a support model into being an enabler. That means rethinking IT infrastructure and services that support the business which is not always an easy task. It takes resources that understand what and how to move business applications and infrastructure to the cloud to ensure businesses do not become extinct.

    Cloud evolution is happening in the technology world, if you aren’t willing to adapt, you’ll die.


    Are You Ready for Analytics? 3 Aspects to Your Organization’s Analytics Maturity

    In the previous article, we talked about the importance of a business/outcome-driven mindset to derive value out of your data and introduced the “Question-to-Value” approach. So, are you ready now for analytics? It is a critical exercise to assess your readiness before launching the actual effort. In this article I will share the three components for evaluating the maturity of your analytics: technology, business competency and culture. Also, stay tuned for our upcoming BTI workshop that will arm you with a practical assessment and more strategic guidance to steer your organization’s analytics journey.

    With all the hype around data and analytics, it is nearly impossible to ignore it as a leader. If you are reading this article, you are most likely seeking the answer for: Am I (Is My Organization) Ready for Analytics?

    It is a very useful and almost essential exercise to assess the maturity of your organization for analytics before launching any analytics effort. When doing this, there is more to consider beyond the usual suspects, i.e., the technology side such as data infrastructure and technical talent. The assessment should take a more holistic view of your organization, for although critical, technology maturity is not the only ingredient required to succeed in deriving real business value from data and analytics.

    There are three components to consider when you assess your analytics maturity: technology, business competency and culture. They should be assessed and improved in a balanced way to ensure the success of any analytics project to be developed in your organization.


    The core of a successful analytics practice is, without doubt, the technology capability. There are three major aspects: data infrastructure, data quality, and technical talent.

    Data infrastructure lays the foundation for analytics by consolidating the organization’s available data sources into one single repository. This might be a lengthy process; therefore, it is important to invest in the agility of the infrastructure. When there is need for previously unavailable data, possibly from your analytics initiatives, an agile infrastructure can quickly enable capturing of new data field and sources, and make adjustments. In this way, you do not have to wait upon a perfectly comprehensive data infrastructure, which may take forever to build, to start conducting analytics and realize value from your data. (see previous article)

    Analytics starts on a solid foundation of good data. Bad data quality can severely impair an organization’s ability to gain any useful insights from their data. When building your data infrastructure, it is critical to design appropriate data collection and storage process, and build proper data QA/QC (quality assurance and quality control) process. The tolerance level for errors varies greatly depending on your business setting and should be carefully selected through discussions with the technical team, as well as business leads. Good data quality is vital for your organization to start leveraging data as an asset.

    The third component is talent. Don’t jump to the conclusion that you are locked in a battle for rare, expensive analytics talent and get intimidated. Most likely you are not competing against the employment propositions of digital-native brands or the salaries of investment banks. Find the talent you need for a competitive advantage against your actual competitors, not Facebook, Goldman Sachs, or Google. Start by looking for the analytics talent you already have and ask if you are putting this talent to its best use, before looking externally.

    Business Competency

    Again, technology maturity is not the only component when assessing your readiness for analytics. You need the “Brain” to give directions to your talent on how to use your data to arrive at business insights and action items, which are the ultimate goals of analytics.

    One of the first things needed is leadership that believes in leveraging data for making decisions. Data-driven leaders not only trust data to prove/disprove their own beliefs about business opportunities but are also open to learn from data, regardless of their beliefs. Once the organization has the majority of decision makers wired to leverage data, half of the battle is won.

    Once leadership is in place, next comes implementing the appropriate analytics approach, which often means that data needs to be inserted into the decision-making process. We have covered this point extensively in the previous article (The Biggest Myth Preventing You from Deriving Value out of Your Data), and the key to success is to always start by thinking “what is my biggest business question that I wish to answer, or business issue to solve, that could potentially be opportunity for analytics?”

    The final component is again, people. In addition to the technical skills to analyze data mentioned in the session above, the right analytical skills also include interpersonal/business skills to bridge the gap from data to business. Investment in analytics training for your key business analysts, and basic business knowledge training for your data analyst is a great idea. It will help build seamless communication between data and business and move the organization further towards analytics maturity.


    Once the organization knows how to use data effectively through technology capability and the right business process, it must somehow apply the findings. That usually means, among other things, a change in corporate culture. While it seems like something to consider “after the real work is done”, culture is real, and is something better addressed sooner than later. According to a McKinsey report, companies in the top quartile of culture health return to shareholders three times higher than the rest.

    Getting your culture right by making it suitable for your strategy is one of the biggest levers management can pull. And it is possible to achieve culture transformation in a way much more structured than you thought. The fundamentals are very similar to many other generic cultural transformation lessons and include: measurement, role modeling, change messaging, incentives, and skills. More specifically for analytics, four key steps are of high importance:

    • Define the outcome
    • Set measurable targets
    • Build relevant skills
    • Provide incentives

    and, they should all be directed toward not only the employees handling data and analytics, but also the frontline employees using the outputs (marketing staff, operations managers, sales team, customer-facing agents, etc.)

    A Thorough Assessment

    I hope you have learned the theory of the three-pronged assessment methodology for your analytics readiness, and are now eagerly thinking: How can I do this assessment in real life?

    At MSSBTI we provide more than just the theoretical knowledge. We have developed a practical exercies to provide quantified assessment for your analytics maturity. This exercise is conducted in the form of a questionnaire and visualize your results via a triangle spider diagram, as shown on the right. Armed with this assessment, you will be in a more informed position to decide how to improve your analytics readiness and how to best proceed with your analytics efforts. This assessment is only a small part of our Analytics Assessment and Strategy Workshop, which is designed to help steer your organization’s analytics journey, in a hands-on and collaborative way.

    More details about our upcoming Data Analytics: Becoming an Intelligent Organization workshop can be found here. If you are interested, please register, connect with us, and feel free to reach out for more information.

    Advanced Analytics: 5 Steps to Becoming an Intelligent Organization

    No other recent trend has created as much buzz as big data and analytics, especially within the C-suite. By analyzing its data in a structured and smart way, an organization becomes “intelligent” and “insight-driven”, giving it a competitive advantage. This workshop, 5 Steps to Becoming an Intelligent Organization, addresses the most common questions and concerns leaders have when considering launching big data and analytics efforts in their organizations, including:

    • Analytics can create new opportunities and disrupt entire industries; but where and how exactly it can create value?
    • What are the building blocks for launching analytics efforts? I need Analytics 101.
    • Is my organization mature enough for analytics? What are the factors to evaluate? Is there a practical way to assess my maturity for analytics?
    • What are the ways to organize an analytics operating model? Which one is the best suited for my organization?
    • What are some common pitfalls on the journey to analytics? How can I avoid detouring and head straight to business values?
    • Is cultivating a data-driven culture in my organization, as embedding analytics, as much about change management as it is about data science?

    The workshop will address all these questions, and more, through lecture, case study, discussion, hands-on assessment, structured brainstorming and other creative techniques. It engages the audiences in an immersive learning environment and inspires them to achieve customized action plans for their organizations.

    This is a highly interactive and motivating 1.5-day workshop packed with everything you need to know about analytics as a leader; and up to 5 hours of post-workshop follow-up are included. Moreover, it is also a great social opportunity to meet peer leaders in similar situations as you through the included meet-n-greet breakfast, lunch, coffee breaks, and happy hour.

    Lu Hao, PhD, is an enthusiastic data scientist and management consultant who specializes in applying data science under business context to generate real values. She has worked with clients in various domains on data and analytics initiatives. Her deep understanding of the misconceptions, struggles and needs of analytics from first-hand, client-facing experience has motivated her to develop this workshop to help guide leaders through the vast mist around analytics to shore as a truly intelligent organization driven by insights from data.

    To learn more about Becoming an Intelligent Organization, contact MSSBTI at 602-387-2100 or

    Program Audience

    • Enterprise leaders and their teams
    • Executives in strategy and organizational transformation
    • Executives/directors for analytics practice
    • Senior leaders for teams in transitions to a more data-driven culture
    • Executive-level consultancy professionals


    • 1.5-day workshop
    • 5 hours post-workshop follow-up

    Expected Outcomes

    • Achieve a thorough understanding of what analytics means for your organization
    • Complete a practical assessment of your organization’s analytics maturity
    • Create action plans and roadmap for your organization’s analytics efforts
    • Identify the best-suited business operating model for analytics
    • Diagnose your organization’s barrier and pain points on the analytics journey
    • Gain the momentum to jump-start your organization’s analytics journey


    • All workshops can be performed at MSSBTI facilities in Central Phoenix, AZ or onsite at the client location

    See all workshops offered through MSSBTI

    Adapt or Get Left Behind: Realities of Digital Transformation and IT Service Management

    “No man steps in the same river twice.”

    – Heraclitus, Greek Philosopher (535 – 475 BC)

    Heraclitus reasoned that by the time we walk from one river bank to the other the flowing river and the person that crossed it will never be the same. This theory of constant change is called “Flux.”

    We’ve all heard the adage that the only certainties in life are “death and taxes”. Well, constant change is another certainty. Organizations that doubt the veracity of Heraclitus’s theory and don’t adapt to disruptive and emerging technologies will get left behind. In fact, organizations that attempt to adapt without a mature approach to IT Service Management will get left behind as well.

    There is widespread consensus that if organizations aren’t leveraging Digital Transformation, Predictive Analytics, and Artificial Intelligence, they reduce their ability to remain competitive.¹²³

    There is also widespread agreement among Chief Information Officers that mature IT Service Management (ITSM) Processes are necessary for organizations to seize the surplus of opportunities associated with disruptive and emerging technologies.

    To be sure, in 2017, Forbes Insights surveyed 250 worldwide IT executives, of which 88% said ‘lack of a Service Management approach’ is hurting competitiveness as a business. Likewise, these same IT executives also believe ITSM as important to related initiatives around cloud computing (86 percent), mobility (83 percent) and big data (83 percent).4

    They also noted despite increases to their IT budgets the majority of the spend was on activities running the business (i.e. keeping the lights on). This disproportionate allocation of the budget and resources prevents IT from engaging in activities that allow them to change the business.

    As Heraclitus proved, change is constant and how we deal with change is the difference between success and failure. The evolving expectations from customers means that IT must quickly develop solutions enabling the business to go to market faster, be more agile, responsive, and adaptive to meet those expectations.

    The purpose of this article is to provide a point of view that addresses a fundamental question: Do traditional IT Service Management Frameworks, such as ITIL have the capabilities to meet today’s ever changing organizational demands?

    Let’s find out.

    What is traditional ITSM?

    Traditional IT Service Management (ITSM) it is most aptly defined as “A Strategic Approach for Designing, Delivering, Managing, and Improving IT Services”. The premise is to follow a framework like the Information Technology Infrastructure Library (ITIL), which is a set of detailed practices for ITSM that focuses on aligning IT services with the needs of business. Over time, the IT department can increase the maturity levels of service management through efficient processes which result in fewer interruptions, less unplanned work, thus providing value to the organization.

    Unfortunately, ITIL has been met with a lot of negative perceptions such as it’s too rigid, too slow, too expensive, and takes too long to achieve desired maturity levels to realize value. While we can certainly refute these incorrect perceptions, during the infancy of our careers we realized perception is reality, so it’s better to accept it and move on.

    The Need for a New Approach to ITSM

    Today’s constant changes in technology and customer expectations require businesses to be more innovative, agile, and demonstrate a high sense of urgency, responsiveness, adaptability, and to move away from traditional thinking to remain competitive. If a customer experience doesn’t meet their expectations they’ll quickly move on until they find an organization that embodies the qualities they desire.

    Similarly, IT has never been asked to do more with less and at unprecedented speeds. And they won’t be successful without a mature ITSM organization. Sean Kirby Vice President, Support Center, at Buchanan Technologies puts it best when he says:

    “The absence of a mature IT Service Management Process is like having a brand-new, state-of-the-art sports car, but with no systems or gauges of any kind to tell you when something is going wrong. It can be great for a while, but eventually it’s going to result in a catastrophic failure.”

    What we need first is a more expansive set of tools that foster a faster, more agile, and more responsive ITSM organization by leveraging best practices from myriad philosophies. (e.g. ITIL, CoBIT, VeriSM, IBM BPM, Agile etc.)

    One such approach is “Agile Service Management” developed by Jayne Gordon Groll.5 Ms. Groll correctly surmises that if we leverage some best practices from DevOps, Agile/Scrum methodologies and merge them with Service Management best practices we can achieve the flexibility necessary to add value to the organization. By extension, value-added ITSM allows the organization to remain competitive and pivot from supporting the business to changing the business to meet ever changing demands.

    At the beginning we set out to answer whether traditional IT Service Management Frameworks, such as ITIL have the capabilities to meet today’s ever changing organizational demands? Absolutely! However, it may be time to change how they’re used. One idea is to adopt a “data driven” and “a-la-carte approach” to ITSM.

    Why take data driven approach?

    A data driven approach allows us to begin where we are. That is, when we analyze the data an organization has, we allow it to make decisions on what is “known” rather than what they “think”. We may very well conclude the data is useless because it lacks the specificity to make meaningful measurements. After all, how can one manage what can’t be measured? Alternatively, our analysis may prove the organization has perfected basic blocking and tackling and is ready to become more automated, proactive, and predictive in its service offerings.

    Either way, a data driven approach allows us to start where we are, to identify and prioritize what needs to be done quickly to ensure People, Processes, and Technologies produce the most value to the business and its customers as possible.

    Why take an “a-la-carte approach”?

    My first IT mentor was a transformational CIO with a successful track record of turning around underperforming IT organizations by aligning business and IT. I can still hear him saying, “Tony, Applications and Infrastructure doesn’t just break; rather it’s more likely somewhere there was a change to People, Process, or Technology”.

    So, when I perform ITSM assessments I often begin by first examining Change, Release and Deployment, or Service Desk processes. If an organization has no formal Change Management process, I know where to begin. Similarly, immature or non-existent Incident, Problem, or Release and Deploy processes provide an opportunity for quick wins and instant value.

    In a world of constant change, ITSM needs to be prepared to shift from slow, outdated processes into agile and responsive approaches to market demands. Approaching an ITSM transformation is a difficult decision, and all IT departments need to consider how well they are serving their business and their customers with their ITSM systems.

    One thing is certain, when you come out of this river, you’ll never be the same.

    Stay tuned for my next ITSM article where we’ll dive deeper into ITSM transformation, including a discussion on the cultural and behavioral adjustments necessary to transform ITSM.


    The Biggest Myth Preventing You from Deriving Value out of Your Data

    In the previous article in the analytics series, we introduced the next disruptive innovation in data and analytics and the importance of getting ready for it. But how? In this article, I will share what I believe to be the biggest misunderstanding about launching your data and analytics effort. I will also introduce the “Question-to-Value” approach to help set you on the right track for deriving value from your data faster.

    No trend in the past 10 to 15 years has created as much buzz as big data and analytics; these initiatives have climbed to the top of the C-suite agenda for many organizations. According to the Harvard Business Review (, companies that inject big data and analytics into their operations show productivity rates and profitability that are 5% to 6% higher than those of their peers. And Forbes found that analytics have been successfully used to improve pricing, and promotions to optimize 6% or more increase in revenue. (

    However, skepticism and hesitation abound. Leaders often convince themselves that their organizations simply aren’t ready for the change. The most common remarks I hear from senior leaders include: “We are not there yet”, or “A better timing for analytics will be after we accomplished our data warehouse project”, or “We need to build our BI team before getting into advanced analytics.”

    All these comments are founded on one single myth: the idea that a data and analytics-enabled business value must be accompanied or even preceded by a fully upgraded and implemented data infrastructure (data warehouse, data lake, database…, you name it).

    This is the biggest misunderstanding surrounding the big data question. And whoever realizes it and adjusts his or her mindset accordingly, will win big.

    True, data infrastructure is important for the long-term health of your analytics program, but infrastructure is not an indispensable ingredient for you to generate business value out of your data. If you are waiting for a perfect data warehouse to start on analytics, you’ve probably already deployed a process that is driven by data availability, which often means using whatever data that’s available to cook a data soup and see what problems bubble up. This is a lengthy approach, and it often leads to random correlations rather than meaningful insights. Therefore, a very likely scenario is after spending piles of money on data-warehousing programs, you then invest on powerful analytics programs analyzing all your data but are still unable to yield any insights that can be put to use.

    This is why data should serve the purpose, not drive the process. In other words, data analytics is not a crystal ball into which you dump all the data and ask, “what does my data tell me to do?” (see previous article Predictive Analytics Ain’t No Crystal Ball). Instead, the right question to start with should be “what business issues I need to solve that could potentially be solved using data and analytics?”. With this change of mindset, you are shifting from a data availability-driven process to a business-driven process, where you start by thinking about the desired business results. This mindset better fits the agile company needs to create value from data and to create it fast. You should tie analytics tightly to your biggest value drivers and largest pain points, and focus on how to use data to make better decisions.

    To help implement this business-driven process, the “Question-to-Value” approach (below) provides a pragmatic solution. This approach involves six key stages to help set you on the right track to start using your data and gaining business value in no time:

    1. Question: Too often we find that companies launch analytics or big data efforts without a clear view of what exactly they want to accomplish, which results in a solution that is not tied to a business problem. Asking the right question is half of the answer. Therefore, the best way to start the process is to first identify the business question, or issue that you wish to answer/solve through data and analytics. The question often does not emerge naturally. It takes deliberate effort of identifying, understanding, and focusing on the main business drivers. It is also a collaborative process where analytics project leaders need to communicate with key business leads and stakeholders to gain a holistic view before deciding on the right question.
    2. Data: With the right question in mind, you should then identify the necessary data to solve the puzzle. This process includes examining the data collected in your organization and select only the relevant segments of data: a specific time range, a handful of factors that have a direct impact on bottom line and a set of business levers you could manage to pull. In addition to the internal data source, it is also worthwhile to explore external data sources available that might contain key influencers, such as customer demographics data.
    3. Analytics: The next step is to choose the right analytics models that could best deliver practical insights. The model designer should have mixed background in IT and business. This hybrid role needs to understand the basics behind predictive modeling, as well as the types of business judgments made in the day-to-day operations. Conversations with frontline managers will ensure that analytics and tools complement existing decision-making processes, so that the ultimate goals can be met.
    4. Insights: Analytics modeling in step 3 reveals hidden patterns in data, which may or may not be useful to the business. The next step is to interpret these patterns into business insights. Findings should be shared with business lead(s) who understand the day-to-day operations to be framed into a business context. And based on their feedback, the analytics models might need to be fine-tuned and re-ran to derive the most impactful business insights from the data.
    5. Action Items: The business insights discovered in step 4 need to be developed into customized action items. The business lead(s) should identify the feasible action items to address the insights, and these insight-driven action items should be aimed at the goal/expectation identified in step 1. Analysts are also responsible for developing hypothetical scenarios to quantify the expected improvement from different action items to help with the final decision making.
    6. Value: The final step is the execution of the action plan. This means getting the insights into the hands of your frontline employees who will ultimately realize the value from data through day-to-day operations. For this, the business needs an adoption strategy, both for short-term implementation and long-term organizational culture transformation.

    Analytics will take root faster only when it is tied directly to business outcomes. Therefore, taking the “Question-to-Value” approach is critical because it puts the focus where it should be: on tying analytics directly to outcomes, taking action and delivering value, in an agile way. It provides a value realization mechanism that helps move organizations from a data-based mindset to an outcomes-based mindset and minimize needless or unproductive analytics efforts. It also helps break down the organizational barriers that impede information sharing by setting clear goals and expectations up front.

    When you leave this page, start writing down the single, most pressing question that you have with your organization. Then, go through the “Question-to-Value” chain. Sooner than you expect, you will see opportunities to derive true value from your data rather than see a misguided use of R&D funds on the latest business fad.

    Already thinking about what’s next: acquiring talent, deploying tools, or building your analytics team? In the following articles we will touch upon all these aspects and help you better prepare your analytics strategy. Stay tuned.

    Cyber Security: Bridging the Gap between the Cyber threat landscape and Business Culture

    It is difficult to quantify cyber risks in terms of business impact to executive leaders; and CISOs are having a tough time in communicating the value cybersecurity programs have to leadership. Using the ‘The Six Principles of Resilience for Digital Business Risk and Security’ this 2-day workshop aims to collaborate with security and c-level leaders to educate, communicate, and build a strategy to define business impact in relation to cyber threats. Using recent attacks and breaches as examples, participants will use tools and techniques to explain cybersecurity value and impact to the business from both a quantitative and qualitative perspective.

    Dr. Roméo Farinacci is a senior security consultant with Terra Verde Services, specializing in security program development, risk management, security architectures, and risk assessments. He brings over 20 years dedicated IT/Security experience and 5 years consultation of complex enterprise infrastructures in public, private, and government sectors.  Roméo’s passion in cyber security enables him to effectively develop and communicate change strategies for improving the security posture of organizations. His education portfolio includes a Doctorate in Management with an emphasis in Information Systems Technology, an MBA in International Business and an MS in Information Technology.

    To learn more about the Cyber Security workshop, contact MSSBTI at 602-387-2100 or


    • C-Level Suite (e.g., CISO, CSO, CFO, COO, etc.) and Security Leaders


    • Facilitated program, with exercises and handouts to include Cyber-Risk to Business Translation tools


    Research identifies a gap in appreciation and appropriate leveraging of the security leadership role in bridging cybersecurity with business. The six principles that include, “Move from checkbox compliance to risk-based thinking” and “Move from protecting the infrastructure to supporting organizational outcomes” (Peter Firstbrook, of Gartner) highlight the type of transformation needed as organizations assimilate cybersecurity into their business. A cybersecurity program that is truly integrated into business strategy is lacking in many organizations, treating cybersecurity as insurance or simply suggestions. Recent attacks have proven cybersecurity must be leveraged to ensure the competitive advantage and longevity of the business; this workshop will help explain how. Security leaders and business executives will benefit from this program by gaining the ability to quantify and communicate cybersecurity business value.


    • Leadership development on communicating how to establish and/or enhance enterprise cyber presence and resiliency
    • Making cybersecurity a part of an organization’s strategic action plan

    Expected Outcomes

    • Cybersecurity transformation to business culture
    • Persuading board and executive leaders to leverage security leaders in a proactive and prescriptive manner, rather than a reactive one
    • Efficiencies in security leadership collaboration with C-level suite and board members
    • Cybersecurity integration into company strategic action plan
    • Enrichment of cybersecurity program to advance enterprise cyber resiliency and business strategy


    Case Study: Welcome to the Digital Age

    Improving Efficiency through Digital Transformation at an Arizona State Agency

    Ours is a world of efficient convenience and in this world it is not acceptable for a customer-facing process to take up to two years to complete, nor is it acceptable to offer only paper-centric interactions with agencies/companies. This is true of commercial organizations and it also applies to government agencies. To serve clients, an organization must be faster and more customer-centric.

    Recently, I was part of a transformation team engaged to lead a large State agency through their digital transformation, automating the application process to lease parcels of land from the State. Prior to the transformation, the only way to submit applications was to manually complete them and mail or email them for processing. The turnaround time to process an application ranged from a few months up to two years, and the process did not allow applicants to check the status of their application. Determining interim status was also very manually intensive.

    This digital transformation was an exciting opportunity to help this agency completely revamp their processes, both internally and externally. Our team developed the strategy, created the solution, and managed the transformation process of the agency from a manual, paper-based system to a paperless digital operating model.

    The effort to drive the transformation encompassed key processes at the agency, including electronic workflow, paperless application processing, real-time information availability for internal agency personnel, and a user-friendly customer interface. Key items to include for success during an effort of this magnitude include the following:

    • Plan for and execute the digitization of the current documents
    • Utilize a user adoption model, including training planning, managing resistance, and deployment
    • Plan for migration of data from the existing legacy systems to the new digital platform
    • Utilize project management and governance to ensure the program remains on track
    • Document current and future State functional and technical requirements to be implemented
    • Implement a digital solution platform

    The agency’s legacy system acted as a database and an enterprise resource planning system, interfacing with multiple functional areas. In the first phase of the transformation, our team was responsible for leading the replacement of the transactional activity portion of the legacy system, leaving the underlying database in place. We wanted to provide open communication with the entire agency so all of the impacted stakeholders felt like they were a part of this major change in processes.

    Throughout the project, we used periodic surveys for this communication to inform the employees of the upcoming changes, and to take the ‘pulse’ of the agency. We also communicated to the public by updating the agency website to post announcements and build excitement about the upcoming changes to go paperless.

    One of the major challenges we faced was determining how to contact one segment of the customer base: ranchers and farmers. Would they be able to be part of this new transformation? Do they have access to the technology needed to access the online applications and transact business with the agency? As part of our change management methodology, we decided to send postcard surveys to the customers in this demographic to determine if they would be able to take the leap with the agency. Interestingly enough, nearly three-quarters of these customers had some access to the internet, computers, and scanners, even if they had to utilize public access, family, or friends to do so. Tackling this challenge helped the team feel much better about the final solution meeting the needs of that portion of their customer base.

    Additionally, prior to go-live, we posted frequently asked questions (FAQs), and solutions, for the most common inquiries on the customer-facing website. We also provided a support structure to accommodate questions and concerns as they were submitted. Posting the FAQs, resulted in very few support calls and emails from customers.

    As part of the transformation, we assisted the agency in digitizing their in-process application files. There were over 1,000 of these file types, presenting a significant digitization effort. We did come across some resistance when we asked the administrators to ‘give up’ their paper application files to be scanned and indexed. One of the biggest challenges was helping them to realize they needed to do this to be part of the digital transformation to a paperless system. We had to be creative in determining plans to meet the goal of scanning all open applications. We also assisted them in realizing the vision of accessing this same information they needed to perform their jobs, only in a different manner – online through their document management system.

    As we neared the testing, training, and go-live activities, the Subject Matter Expert (SME) team became concerned about the time commitment needed to support the project. To mitigate this discomfort, we developed a resource requirements matrix, detailing their weekly time commitments required over the final two months of the project. By breaking up the responsibilities into manageable chunks, and providing realistic expectations for involvement, they were able to plan for and manage their time more appropriately. Separately, we created an execution roadmap, which was communicated to the steering committee, so leadership was aware of the tasks to be done and the weeks where a significant workload was required from their teams. This helped management provide the support needed to the SME team, so they were able to be successful.

    Based on the trends and expectations of the public, if the agency did not become digital and update the application process (and associated internal processes) they may have experienced customer dissatisfaction and internal disorganization. Remaining with the status quo would simply not support Governor Doug Ducey’s goal for state government to operate at the speed of business.

    By utilizing a structured approach to project and change management, we successfully completed the transformation project on time and within budget. The digital transformation should take the original lease application process time of up to 2 years, down to days or weeks, with enhanced communication and customer updates.

    Based on this experience, it is realistic for an organization of this type to be more customer-centric and bring it into the digital age. To manage a transformation such as this, there are three strategies to consider:

    1. Make both internal and external communication and support a priority
    2. Don’t be afraid to ask questions to determine if resistance exists, so that it can be addressed before it becomes a barrier to success
    3. Utilize a proven project management and governance strategy to monitor and control a transformation of this magnitude

    Podcast – Cyber Security: Not a Technology Issue – A Transformational Business Strategy

    cyber security podcast

    Airing on December 5, 2017, this podcast provides C-level perspective on building a transformational cyber security strategy that creates value for the organization while protecting its most valuable – nonhuman – asset; its data. Our expert panelists address the ubiquitous nature of the cyber security issue, how to set and achieve expectations from your cyber security strategy, what to expect from a Chief Information Security Officer, and how cyber security adds value in business terms.

    Dr. Roméo Farinacci is a senior security consultant with Terra Verde Services, specializing in security program development, risk management, security architectures, and risk assessments. He brings over 20 years dedicated IT/Security experience and 5 years consultation of complex enterprise infrastructures in public, private, and government sectors. Roméo’s passion in cyber security enables him to effectively develop and communicate change strategies for improving the security posture of organizations. His education portfolio includes a Doctorate in Management with an emphasis in Information Systems Technology, an MBA in International Business and an MS in Information Technology. He also has the following professional certifications: CISSP, CISM, PMP, GSLC, and Six Sigma Green Belt / Lean.

    Kim L. Jones is a 31-year intelligence, security, and risk management professional with expertise in information security strategy; governance & compliance; security operations; and risk management. Professor Jones is a former Chief Security Officer who has built, operated, and/or managed information security programs within the financial services, defense, healthcare, manufacturing, and business outsourcing industries. Jones holds a Bachelors Degree in Computer Science from the United States Military Academy at West Point, and a Masters Degree in Information Assurance from Norwich University.  He also holds the CISM and CISSP certifications.

    Download the podcast


    Not IF but WHEN You are Hacked: Intel-Driven Incident Response Strategies


    “Luck is what happens when preparation meets opportunity” -Seneca.

    The count-down for when you will be hacked is always running!

    Breaches and Hacks are two different concepts in cybersecurity with the latter being more difficult to manage than the former. Breaches can be mitigated through security policies enforced by security awareness training, asset inventory, hardware and software configuration best practices, and various security tools/technologies. A breach, mostly associated with accidental spill of sensitive data, is best exploited by lack of internal processes, procedures, and training. Thus, breaches result in more executive terminations than hacks do because many of them are preventable.

    A lack of appropriate controls can give malicious actors or adversaries easy access to sensitive data. Department of Veteran Affairs in 2006, the U.S. National Institutes of Health (NIH) in 2008, Accretive Health in 2012, SterlingBackCheck in 2015, Western Health Screening (WHA), and Washington State University in 2017, are all examples of lost or stolen unencrypted devices that contained sensitive information. In many cases, these incidents could have been prevented, but a lapse in control resulted in data loss, steep fees, lawsuits, and resignations. Although the concept is simple, the implementation and management can be challenging.

    Hacks Can Lead to Breaches

    Consider the recent Equifax data breach. Hackers exploited a flaw, not in Equifax’s software, but in their implementation of best practices. Failure to patch a known web application vulnerability enabled hackers to penetrate and access up to 143 million American consumers. Because of this failure, we may witness another executive resignation this year. For a hacker to locate a vulnerability, they must be looking for a vulnerability. You can have an alarm system, locks on all doors and windows, and a roaming security guard, but if someone wants in, they’ll get in. Hackers are persistent, determined, dedicated, and in many cases, highly skilled and financially supported. Stopping them is very difficult; even with the right tools, finances, and strategies, having a strong security infrastructure may only slow them down.

    Yahoo’s 2013 data breach, now recorded as the largest data breach in history, is an example of a state-sponsored entity breaching a large firm. In Yahoo’s case, the data taken contained encrypted passwords. Whether some or all passwords were encrypted or hashed is unknown, but we didn’t see resignations result from this incident (although the CISO and CEO eventually left the organization).

    The graph from CNBC shows a trend over the past 10 years as breaches caused by hacks begin to rise over breaches caused by unintended disclosures, physical loss, and portable devices combined.

    Let’s acknowledge that companies need to start investing in cybersecurity, as implementing best practices and adhering to compliance are only first steps – first steps that many companies are still struggling to achieve. Leverage the CISO and CSO roles by integrating them into the business and hearing their voice, not as guidelines but as warnings. Senior Security Officers need to continue asking “what if…” for any and all business endeavors. Their role is not to say ‘no’ but to make everyone think about the security implications associated with a suggested activity.

    New York’s Department of Financial Services’ (DFS) new cybersecurity requirements defined within the New York Code Rules and Regulations (NYCRR) Title 23 Part 500 leads the way in pushing organizations to leverage a CISO and establishing cybersecurity programs. John P. Melville, Commissioner, New York State Division of Homeland Security and Emergency Services stated, “Cyber-attacks on individuals, businesses, and government agencies have increased exponentially in recent years, so it is vitally important that New Yorkers safeguard their personal information and remain alert to potential scammers.”

    cyber security workshop adNew York is recognizing that cyber-attacks are continuing to escalate and finds it necessary to implement regulatory standards to drive organizations to assess their risk profile, and implement or enhance a cybersecurity program aligned with their risk to best protect customer information. In a recent press release, Financial Services Superintendent Maria T. Vullo stated, “The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions.” While New York is first in the nation, hopefully it is not the last, as it is setting the stage for other states and organizations to begin defining robust standards on securing sensitive data.

    We have come a long way, but still have far to go. Companies are moving away from asking how much cybersecurity costs, and moving towards asking how much it costs not to. However, we need to remove the question all together and integrate cybersecurity into the business culture, and start asking how can we sustain security as the cyber-landscape changes.

    Change is coming and is constant. Markets change, competitors change, consumers change, technologies change, and cyber threats change. It is now time for organization’s culture to change. Cyberattacks are becoming more sophisticated and costly. From WannaCry to Petya, organizations need to practice vigilance and incorporate patches, updates, and communication strategies quickly to reduce the impact of these attacks. In some cases, we can begin further reducing impact by implementing intelligence driven incident response techniques, understanding the principles of cyber resiliency, and proactively addressing trends and predictions within the cyber community.

    Strategic Methods

    It is said computers do what you tell them to do. If a CISO’s job was to manage computers, they would soon be out of work. Luckily, and unfortunately, this is not the case. A CISO’s job is to manage the people who interact with these machines. Integrating cybersecurity into the business culture is about integrating cybersecurity into the people of the business. Companies tend to write policies, spend thousands of dollars on tools and technologies to enforce the policies, and then discipline employees for breaking policies. This may work best in military structures, but it is not an effective approach for private organizations, especially those seeking to balance their employee retention rates.

    One strategic and productive approach is to first dive into your people, processes, and technologies (PPT) already in place, gaining a deep understanding of why they do what they do. Follow this by mapping outcomes to customer or service expectations, ensuring that the PPTs are enabling quality and trust while sustaining competitive advantage within the industry. Then seek process efficiencies that leverage people and technology capabilities. It is here that policies can be applied to ensure identified processes and technology perform as defined. This promotes employee buy-in for policies and ultimately security across the organization. This also enables cultural transformation, because employees are viewing the concepts of policies and cybersecurity as something they already do rather than new regulations they must adhere to overnight (warm pot meet hot pot).

    Gartner’s Six Principles of Resilience for Digital Business Risk and Security

    Remember, focus on defining people, processes, and technology, while leveraging the people to gain their buy-in towards cybersecurity implementation. These are concepts being highlighted within Gartner’s Six Principles.

    Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
    Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
    Principle No. 3: Stop Being a Defender, and Become a Facilitator
    Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
    Principle No. 5: Accept the Limits of Technology and Become People-Centric
    Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response

    Principle No. 1 “Stop focusing on check box compliance, and shift to Risk-based decision making,” implies an understanding of business risk associated with the people, processes, and technologies that enable the business to function, and not exclusively IT risk. Simply put, examine ‘what do we do and why’, identify business risk profile, then apply appropriate protections that enable the organization to meet customer expectations (product quality, company trust, service confidence, etc.).

    The fourth principle, “Stop Trying to Control Information; Instead, Determine How It Flows,” asks leaders to understand how their data moves in and out of their organization (again, processes). Many organizations currently fail to know where their data is going and how it gets there, and instead focus on implementing controls to meet regulatory compliance that manages data flow “on paper.” For many, data is the business, data is commodity worth billions of dollars, and should seek to obtain cyber resilience by examining the people, processes, and technology that interact with data and undergo a digital transformation, “by identifying the strategic objectives, identifying the right technology solutions, identifying operational improvements, and driving adoption” (MSSBTI).

    MSSBTI is working to guide organizations through digital transformation objectives, and will be conducting several workshops in the first quarter of 2018. One of the workshops provides an evaluation of Gartner’s ‘The Six Principles of Resilience for Digital Business Risk and Security’ resulting in the development of strategies and roadmaps for establishing cyber resiliency within your organization. Learn more about the Cyber Security Workshop here.