IT Strategic Plan Model Every CIO Can Use

The overarching intent of an IT strategic plan model is to produce a plan that can function as a blueprint or roadmap (you pick the term you like most) for the way forward. To achieve that goal, the plan must address the 3 dimensions of people, process and technology if it is to succeed at being a usable, living plan that you work with on a regular basis.

Figure: IT Strategic Plan Model, showing the components of the plan

If you follow the IT strategic planning process described earlier the component parts of the IT strategic plan emerge from the  (shown in blue) should include a Security Plan, an Application Plan and an underlying Infrastructure Plan which could be thought of as a Technology Plan. I choose to not use Technology Plan here because many times the IT Strategic Plan is referred to as a technology plan which may contribute to those plans only focusing on the technology dimension while omitting the people and process dimensions.

The concept at work here is one of alignment. The applications are customer facing and security is institutionally oriented. Together they are the most common points of customer-provider interaction and the vehicles through which IT enables and supports the business.

Security Plan

Separate from the creation of the institutional strategic plan is the creation of the organization’s risk management plan. Although the risk management plan will show alignment to the mission and perhaps vision, risk management plans must demonstrate sufficient independence of the planning process since evaluating planning risk should be one of the purposes covered by the risk management plan. As such, many risk management plans originate from the board or audit committee with no linkage to the institutional plan.

It is worth noting that I realize very few institutions will have a formal risk management plan. That doesn’t mean that you shouldn’t. Several regulatory compliance programs expect a plan to be in place, with some having explicit requirements for one. But that is a topic for another day.

The Security Plan should focus on the institution’s IT-related risk universe and the compliance landscape, both as fluid concepts, and might be inclusive of both security and privacy depending on the role of IT in privacy. I feel like that last point should be punctuated – privacy and security are two different issues, each of which must be addressed.

The security plan should reflect results from IT risk (security and privacy) assessments, recent audit results, and remediation plans, and address improving management’s ability to assess the effectiveness of IT controls. The plan must address the requirements for the use of cloud computing services, especially any specific compliance requirements.

Application Plan

The Application Plan at its core should be a plan for the portfolio of applications used to achieve the mission of the institution, inclusive of desktop (local) and server-based (on-premise) applications as well as any web-based (off-premise) applications used throughout the organization. The plan must speak to the use of SaaS applications and cloud computing services and other big themes that will guide future decision making, such as open source or locally developed applications. Attention to both administrative applications and academic applications is a must.

Infrastructure Plan

The Infrastructure Plan is then driven by the needs of the Security Plan and the Application Plan. Forcing this orientation further reduces the risk of IT driving technology initiatives without a business driver, which can be thought of as technology for technology’s sake. This thinking does not prevent normal lifecycle refresh of the infrastructure, but that is just maintenance. When a refresh might introduce a shift in technology, it should emerge as a business strategy and compete against all others for approval and resources. Given advancements in virtual desktop technology, end-user computing can be folded into the Infrastructure Plan unless it makes sense to pull it out separately. Just be sure to keep it subordinate to the Security Plan and the Application Plan.

IT Resource Plan

Out of the three main plans comes the IT Resource Plan. Here the forward-looking requirements for human and financial capital are developed. The intent is to account for how a change in the application portfolio to support a business initiative might drive an infrastructure change and security considerations, resulting in changes in staff skills or additions/reductions in capacity. The resource plan should articulate the plan to keep skills current in anticipation of known changes. It may include strategies to buy new skills rather than growing them, or even outsourcing. The Resource Plan also pulls in all other plan elements to produce a financial forecast and initial budget estimates for the entire scope accounted for.

Quick Tips

If you are still not sure how to organize each portion of your IT strategic plan, you might want to pick any one of the simple themes to structure your documents. This keeps them in the same format and makes developing the plan simpler. Consider framing each document around any one of these ideas:

If you are still looking for ideas, you can always scan the Strategic Planning category here for ideas on improving support services, end-user computing strategies, and on developing a portfolio plan for your applications, including moving ERP to the cloud.
