When organizations in all industries are struggling to attract talent, IDC explores opportunities for dealing with this shortage.

Introduction

Organizations in all industries are struggling to attract talent. The shortage of potential employees is a problem that has plagued the IT sector for years but has possibly never been worse than it is now. In this blog IDC explores opportunities for dealing with this shortage.

Employee Benefits

The most obvious perspective to consider is that of salary. Benchmarking employee expenses will allow your organization to match your peers and stop losing employees over salary competition.

Another benefit of benchmarking salary cost is tackling the possible internal tug of war for budget increases. An independent benchmark report is often useful to convince senior management that additional budget is required, if the benchmark points this out.

However, employees are not motivated by salary alone. For many, satisfaction also comes from working on cutting-edge technology, something that only some IT organizations allow an employee to do. In contrast, maintaining legacy systems at less competitive organizations may not be interesting to IT professionals who love to experience technology. In a benchmark, the technologies maintained by the IT staff are closely examined and compared to peers. IDC identifies key areas to innovate your business’ digital transformation, keeping IT staff engaged at the same time.

Optimize Your Current Environment

Another perspective to take is optimizing the existing situation. If finding new IT talent is challenging, IT management must consider ways to maximize the use of existing employees. With talent being as scarce as it is, management must be fully aware of possible optimizations.

A benchmark will show how teams are performing in terms of productivity and where potential exists.

Because IDC’s data collection methods dive deep into your IT administration and governance, the gaps that no doubt exist are discovered and reported on. The results of a benchmark will uncover where your automation is lacking and whether your end users are trained to a level in line with the market. All of these insights will allow you to deliver more and better IT with the resources that you already have available.

Rationalizing and consolidating your IT environment has many benefits and generally offers an attractive business case. That said, possibly the most interesting result is simply reducing the amount of IT that needs to be managed by the talent that is so scarce. The size and complexity of the IT environment is a large factor in our benchmarks, be it the complexity of the networks, the size of the datacenter services, the setup of the end user workplace, or the amount of contract management and governance required. IDC reports on all of these components and shows the way to reducing unnecessary complexity and size.

Is Outsourcing the Way?

Finally, if the options of increasing budgets, optimizing teams, and reducing complexity are exhausted, outsourcing more of the IT services can be considered. Outsourcing can be a relatively quick answer to a suboptimal internal IT team, but it does not come without its share of challenges. The first step is deciding which IT domains are attractive candidates to place under a contract. In other words, an organization needs a sourcing strategy. This strategy will determine how each part of the IT organization should be sourced and what a fitting roadmap to get there should look like. Prioritization of rationalization projects is also considered, as well as the potential to supplement existing teams with external talent from an IT supplier.

Cost is, of course, an important factor in deciding which sourcing scenarios are feasible for the organization. IDC will provide so-called ‘landing zones’ in which the future cost of a sourcing scenario is modeled based on the current IT market. This is essentially a virtual benchmark of your IT organization as if parts of it were outsourced.

If IT is outsourced in some way, the existing organization should also change. External contract governance and service management capabilities need to evolve and a future organizational model needs to be constructed. When transforming the organization, one must also consider whether it is attractive to re-educate the existing teams into roles that are needed in the new organization.

The ongoing war for talent is challenging. This blog, however, has hopefully shown that the tools to navigate this challenge exist. IDC continues to help organizations daily and to us, the current market offers new and exciting ways to help CIOs globally.


Generative AI is the buzzword of the day. More specifically, ChatGPT, the OpenAI model that is trained to interact in a “conversational way”.

The dialogue format enables ChatGPT to answer follow-up questions, admit its mistakes and challenge incorrect premises. Of course, like many geeks in the ICT industry and beyond, I have tried it.

It’s quite impressive. Well, besides the fact that it took me a couple of attempts to find a time of day when traffic was not so high as to cripple access. I asked a couple of questions about my passion, mountaineering and climbing.

The answers were correct, although a bit conservative. For example, when I asked about which multipitch routes I could climb with my level of experience, in Western Canada, the model provided only two options that were exactly in line with my multipitch skills. Instead, I would have appreciated a wider variety of options, some easier and some harder than my skill level, so that I could make a choice.

The model also told me to consult local guides for more information, which indicates that careful ethical principles, like personal safety, are embedded in the design of the algorithm. I then asked about who I should vote for in the upcoming primary to elect the new secretary of the Italian Democratic Party. The answer was that the model can’t express a political opinion, but that it could provide me with the list of candidates.

That’s fair enough, and further proof that ethics are taken into account. So, I asked for the list of candidates and their programmes. The answer was that the model is trained on historical data available until 2021, so it’s not up-to-date on events between 2022 and early 2023. This is understandable, but I would expect it to be quasi real time in the future.

Regardless, fascinating.

Embracing the Augmentative AI Vision

I’ve not done enough research (yet) to say how good the model is and for what use cases. Many of my IDC colleagues are developing thought-leadership research and collecting in-depth data into how generative AI will affect enterprise and consumers.

What I’m thinking about is the societal implications of generative AI. This was triggered yesterday during our first meeting with the 2023 IDC Government Xchange Advisory Board. Gwendolyn Carpenter, a member of the Advisory Board, who has kids in school, said she’d heard about students using it to cheat on their homework.

My colleague Matt Ledger has already written a quick take on this matter too. As Matt noted in his piece, there are a range of opinions on this, from schools that believe ChatGPT can be very valuable as a learning tool, to those that are uncertain about the impact and have temporarily banned usage, to educators that believe that generative AI could make redundant our ability to write, learn and eventually think. This, paradoxically, could hamper our ability to invent brilliant new tools such as ChatGPT itself.

I am no Luddite. I don’t think we should stop progress. But I think generative AI is a great case in point for the ongoing debate about whether we should design AI that can replace human abilities versus AI that can augment human abilities.

For example, I don’t want generative AI to replace my writing, just because it’s much faster and more elegant than I am at synthesising available knowledge. I’m having a lot of fun expressing my opinions in this blog because, in a way, I’m creating it while I write it!

But I would definitely like to have a tool that can critique my writing. A tool that could, for instance, highlight where my piece is biased or where I could consider additional sources of data and literature to enrich my perspective. Sort of a much smarter version of the spell checker that tells me if there’s a typo or if I didn’t use punctuation correctly or if I used too many passive forms. This augmentative AI tool would push my brain to think more, not less. And I’d still be able to make my own choices on whether to apply the advice or not.

Policymakers need to think about how they can shape the new norms to maximise the benefits and tackle the risks of AI. For instance, by recommending (or mandating) a machine-readable label that helps recognise if a piece of content is generated by AI, for example in the case of government-regulated certifications. But regulation is not enough.

If that does not happen, AI will fail to meet the high expectations that it can be a positive force in the future. In fact, according to our Future Enterprise Resilience and Spending Survey (Wave 11, December 2022), only 25% of government executives worldwide think the promise of AI has completely lived up to their organisation’s expectations.

The future of generative AI (and the AI market in general) will depend on whether users and suppliers embrace the human augmentation narrative, in both the B2B and B2C worlds. We need to ask ourselves what kind of AI solutions we want — solutions that replace humans or augment humans. And then design and engineer them in a way that reflects that purpose.

I look forward to discussing more about the power of innovation, and how we can use it at scale to make a positive and ethical impact on society, at our Government Xchange.

Massimiliano Claps - Research Director - IDC

Massimiliano (Max) Claps is the research director for the Worldwide National Government Platforms and Technologies research in IDC's Government Insights practice. In this role, Max provides research and advisory services to technology suppliers and national civilian government senior leaders in the US and globally. Specific areas of research include improving government digital experiences, data and data sharing, AI and automation, cloud-enabled system modernization, the future of government work, and data protection and digital sovereignty to drive social, economic, and environmental outcomes for agencies and the public.

Customers’ raised expectations, government policies, a spike in fuel prices and technology innovation are converging to enable convenient, affordable, safe and environmentally sustainable mobility as a service (MaaS). MaaS solutions help connect the different phases of the door-to-door mobility experience, from planning to booking, payment, navigation and information queries, with seamless integrations across modes of transportation.

MaaS is not new, but it has been plagued by technical interoperability challenges and difficulty in finding the right business models that can push mobility ecosystem stakeholders — transit authorities, car OEMs, payment providers, transport network companies — to collaborate and share data.

Good Practices for MaaS Ecosystem Innovation

IDC research shows that MaaS is reaching an inflection point. Best practices are emerging among public transportation authorities and transportation operators to deliver on the promise of enabling customers to travel in a convenient way, when it suits them and at a reasonable cost.

At the same time, MaaS is enabling transport operators and planners to optimise the use of capital-intensive asset capacity, launch new revenue-generating services and encourage a modal shift to public modes of transport among citizens.

It all starts with the customer. User-centric MaaS apps enable travellers to build their unique mobility profile based on personal preferences, financial profile, physical characteristics and past behaviour. Service providers must recognise, serve and safeguard the individual preferences of each user to deliver truly personalised MaaS offerings.

Cities such as Genoa have deployed mobile-first user apps that provide a single point of access to information and services while on the move.

For travellers to book and pay for their journeys directly in the MaaS app, without the need to switch to a transport operator app, stakeholders must share data and define contractual models that benefit the whole ecosystem. In Spain, train operator Renfe has launched a door-to-door booking MaaS solution (the dōcō app) underpinned by a platform that enables actors across the mobility ecosystem to collaborate openly, from micromobility service providers, to ride-sharing apps, to technology manufacturers and payment system providers.

To enable rapid innovation and scale these MaaS data platforms to process, store, integrate and analyse vast swathes of data, transportation ecosystem companies such as Entur in Norway are moving away from monolithic, legacy systems to cloud-native solutions that enable data sharing at scale and agile innovation. 

Once data is aggregated and information is made accessible through platforms, transportation authorities can use it to build a mobility digital twin of the city that can help with traffic forecasting and simulation, traffic/city planning, infrastructure maintenance and asset management, and logistics resource planning. Data sharing can also support the development of new services and businesses. 


Further reading:

IDC PeerScape: Practices to Successfully Implement Mobility as a Service

Massimiliano Claps - Research Director - IDC

This is the second blog in IDC’s series focusing on the implications of the EU’s updated Security of Network and Information Systems directive, NIS2. The directive comes into force in January 2023, after which Member States have 21 months to transpose it into their national law – by October 2024.

The broad aim of NIS2 is to engender a high common level of cybersecurity in the EU, across all Member States, in the long term.

The first blog looked at the regional and national entities that are tasked with transposing and implementing the new directive, as well as some of the mechanisms that are being put into place to effect improved cybersecurity across the bloc.

This second instalment looks at which organizations NIS2 will apply to and what will be required of them.

Expanding the Reach

The first NIS directive introduced a clear focus on improving cybersecurity and risk management at critical infrastructure in Europe: energy (electricity, oil, and gas), transportation, drinking water supply and distribution, healthcare, banking and finance, and digital infrastructure (Internet Exchange Points, DNS service providers, and Top-Level Domain (TLD) name registries). These were defined as operators of essential services (OESs).

The volume and frequency of cyberattacks since the first directive came into force has driven home the message that cybersecurity safeguards and improvements need to be more far-reaching. Industry sectors that may not be viewed as critical may supply components or services to critical infrastructure, from electrical equipment to medical devices. Disruption of food production and distribution or waste management can have a major impact on the function of society. Digital providers such as search engines and online marketplaces are recognized for their universal value.

Consequently, the NIS2 directive extends coverage into all these segments and more. A full list of sectors defined as high criticality or critical is below:

High Criticality Sectors

  • Energy.
  • Transport.
  • Banking.
  • Financial market infrastructures.
  • Health.
  • Drinking water.
  • Waste water.
  • Digital infrastructure.
  • ICT service management (B2B).
  • Public administration.
  • Space.

Other Critical Sectors

  • Postal and courier services.
  • Waste management.
  • Manufacture, production and distribution of chemicals.
  • Food production, processing and distribution.
  • Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, motor vehicles, transport equipment).
  • Digital providers (online marketplaces, search engines and social networks).
  • Research organisations.

Furthermore, it is recognized that it is not only large enterprises that represent a target for cybercriminals or are fundamental to critical services. Consequently, the NIS2 directive also extends the scope to medium-sized organizations in the listed sectors: those with 50 or more employees, or an annual turnover or balance sheet total above €10 million (the size thresholds of Commission Recommendation 2003/361/EC). A few types of entity, such as DNS service providers, TLD name registries, trust service providers and providers of public electronic communications networks or services, fall within scope regardless of their size.

The To-Do List

So, if your organization falls within the sectors covered by NIS2, what requirements are coming your way in the next two years? There are two major aspects to this, detailed in Chapter 4 of the directive, Cybersecurity risk management measures and reporting obligations.

Article 21 of the directive covers the cybersecurity risk management measures and, in Article 21(2), lists the following 10 areas that those measures must cover at a minimum:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity and crisis management
  • Supply chain security
  • Security in network and information systems acquisition, development and maintenance
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • HR security, access control policies and asset management
  • MFA, continuous authentication, and secure communications where appropriate

It is likely that most entities within critical infrastructure sectors will already have many of these technologies and measures in place, to some degree. The question will be in the level of detail or prescriptiveness that member states go to when transposing this article into their national legislation.

The directive emphasizes that the implementation of these measures should take into account the state-of-the-art, relevant European and international standards, the cost of implementation, the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact. These considerations should be used to determine appropriate or proportional measures.

Article 23 of the directive covers reporting obligations and requires that in the case of any incident that has a significant impact on the provision of their services, essential and important entities notify their CSIRT or competent authority. An early warning should be submitted within 24 hours of the organization becoming aware of a significant incident, and a more comprehensive incident notification should be submitted within 72 hours. A final report is then due no later than one month after the incident notification, and the CSIRT or competent authority may request intermediate status updates in the meantime.

Further reporting obligations are detailed within the directive and it will be necessary for all organizations covered by NIS2 to familiarize themselves with these obligations once they have been transposed into their national law.

Conclusion

It is early days still for NIS2 and much will depend on the work done over the next 21 months. Nevertheless, the cyberthreats driving this directive will not wait and the benefits from improved cybersecurity measures will outweigh the risks.

Regardless of the final wording of the local versions of the directive, organizations can benefit from getting up to speed with NIS2 and engaging with the existing cybersecurity authorities within their countries to develop their strategies.

Mark Child - Associate Research Director, European Security - IDC

Associate Research Director Mark Child of IDC’s European Security Group leads the group's Endpoint Security and Identity & Digital Trust (IDT) research for both Western Europe and Central & Eastern Europe. He monitors developments in security technologies and strategies as organizations address the challenges of evolving business models, IT infrastructure, and cyberthreats. Mark's coverage includes in-depth security market studies, end-user research, white papers, and custom consulting.

November 2022 was a busy month for the European Commission, with two major pieces of legislation passed that aim to bolster the cybersecurity and cyber resilience of Member States and of organisations across the bloc.

The first was the Digital Operational Resilience Act (DORA), which covers the finance sector and companies that provide ICT services and infrastructure to financial sector entities. The second was the long-awaited update of the Security of Network and Information Systems (NIS) directive, known as NIS 2.

The broad aim of NIS 2 is to engender a high common level of cybersecurity in the EU, across all Member States, in the long term.

This is the first in a two-part IDC blog series that will focus on the implications of NIS 2.

The Clock is Ticking

The full text of the NIS 2 directive was published in the Official Journal of the European Union on December 27, 2022, and enters into force 20 days after that (January 16, 2023). Thereafter, Member States will have 21 months to transpose the directive into their national law (by October 17, 2024). What happens between now and then?

Building the Frame(work)

The next 21 months will be critical for the success of NIS 2 as regional and national bodies get to work on transposing the articles of the directive into their national legislation. Who will be responsible for this part of the process?

The prime mover in this respect will be the NIS Cooperation Group, which was established in 2017 to support the first NIS directive. The Cooperation Group comprises representatives of all the EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA).

The group will provide guidance to the national authorities of the Member States on transposing and implementing the directive. It will also provide guidance, advice and cooperation on numerous related areas including cybersecurity policy initiatives, capacity building, training and awareness, exchange of information and best practices, and vulnerability disclosure. It will also be responsible for defining standards and technical specifications, as well as maintaining a central register of essential and important entities in each country.

A second key group will be a network of computer security incident response teams (CSIRTs) across all the Member States. At least one CSIRT in each country will be designated as a competent authority for various roles including international cooperation and coordination, threat monitoring and analysis, and the provision of incident response and assistance to essential entities.

The third key entity is the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). Its task is to support coordinated management of large-scale cybersecurity incidents and crises at an operational level. It will also ensure regular exchange of information among Member States and relevant entities within the union. EU-CyCLONe’s role will really crank up once the directive is in place.

Key responsibilities will include:

  • Developing shared situational awareness for large-scale cybersecurity incidents
  • Assessing the impact of large-scale cybersecurity incidents and proposing potential mitigation measures
  • Coordinating the management of large-scale cybersecurity incidents and supporting decision making at the political level

Between them, these organisations, along with the Member States themselves, will be tasked with ensuring that when NIS 2 comes into force at the national level, it is appropriately transposed into national law and the countries are able to put in place the necessary structures and resources.

Kicking the Tyres

One criticism of the first NIS directive was that it lacked teeth. The EC is striving to establish NIS 2 more firmly throughout the bloc, and one measure through which it seeks to do this is a voluntary peer-review mechanism, in which Member States assess one another’s conformity, progress and readiness in implementing the directive. For example, peer reviews will assess:

  • The level of implementation of cybersecurity risk management measures and reporting obligations
  • The level of capabilities, including available financial, technical and human resources
  • The operational capabilities of the country’s CSIRTs
  • The level of implementation of cybersecurity information-sharing arrangements

Peer reviews are to be carried out by designated cybersecurity experts from at least two Member States other than the one being reviewed, at a maximum of once every two years. The experts conducting the reviews are expected to provide reports including recommended improvements on any of the reviewed aspects. Those reports will be submitted to the Cooperation Group and the CSIRTs network where relevant.

Conclusion

These entities and processes should ensure that at a regional and national level the EU and its Member States can develop a higher level of cybersecurity and resilience by adhering to the NIS 2 directive.

The second instalment of this blog series will look at which organisations NIS 2 will apply to and what will be required of them.

Mark Child - Associate Research Director, European Security - IDC