Security Advancements at the Monastery

“A shoe that fits one person pinches another; there is no recipe for living that suits all cases.” – Carl Jung

Many people assume because I talk about the Control OBjective for Information and related Technology (COBIT), that I have something against the Information Technology Infrastructure Library (ITIL). Not at all. Anything that promotes a framework of best practices for high quality computing services, I believe should be should be considered.

There are a few things that make me question if ITIL is enough or appropriate for all organization. I am also not that crazy about the content of the books being copyrighted by the United Kingdom. The complete library consist of:

• Service Support
• Service Delivery
• ICT Infrastructure Management
• Software Asset Management
• Application Management
• Security Management
• Planning to Implement ITSM
• The Business Perspective Vol. 1

On Amazon, the ITIL Complete Library in CD form costs $2,097.80, and in book format $1,013.05. Sure, corporations can afford to pay that cost. Still, I have witnessed companies buying one set of these books and then having their employees checkout the books one at a time. Or managers are given books which interpret what the Office of Government Commerce stated in the original books. That is no way to promote learning. Best practices should be promoted throughout an organization. The actual standard should be available, not an interpretation. When there is a fairly high price tag on the books, people will not learn the standard completely.

Someone who is not optimistic on ITIL’s future is Noel Bruton. Noel Bruton is a long-established, UK-based, specialized consultant in the area of IT Helpdesk and User Support community. He has written, “That Was ITIL, That Was.” Noel states that senior UK IT services managers have been feeling that the ITIL framework has too many implementations that only deal with the front end of IT. In other words, the low hanging fruit. The way ITIL is being implemented, generally only affects the areas of user support, helpdesk, second line, and change management. In trying to be “non-prescriptive,” and thus allow for adaptation, ITIL ends up only ever advising on what to do. It does not provide much help on how to do it. Therefor, it never offers any real means of benchmarking itself. In this way, it can never prove that it is successful in operation. While consultants will produce various diagrams of gap analysis, those maturity models are not part of ITIL itself. To quote Noel,

Perhaps part of what is killing ITIL is the very fact that it doesn’t prescribe enough, and just too much independent thought is required. Then again, perhaps those who can think independently don’t need ITIL anyway, as was the case for, coincidentally, all the finalists in a recent industry award for user support excellence.

The IT Skeptic, is less skeptical on ITIL being completely dead. He feels that ITIL is in the process of settling down to a calmer state without the hysteria. The Skeptic feels that because of the hype, there is a great deal of disillusionment with ITIL. This might lead to its demise. If so, he has made some predictions in his post, ITIL’s possible displacement. He brings up COBIT and ISO/IEC 20000. To quote him:

The horse has bolted with ISO/IEC 20000: the world sees it as “the ITIL standard” but OGC and itSMF have zero control of it. All we need is for someone credible (and probably American: they have the resources to do it quickly) to publish and certify ISO/IEC 20000-based guidance, and ITIL is stone dead.

Is this what the ISACA group is trying to establish? See my posting on COBIT in 2007. ISACA is definitely establishing a mapping of COBIT to various standards.

The IT Skeptic has many insightful statements on ITIL. When I initially did this posting, I had not noticed that he was also doing a podcast. Thankfully, he left a comment pointing to the location. His podcasts are from his postings, and they are both insightful and incredibly funny. Do check out his postings, whether you believe ITIL is revolutionizing the IT world or you are a bit more skeptical. To quote the site, “Now that ITIL is the de facto standard for IT operations, the time is ripe for a more objective evaluation of ITIL’s merits and caveats. Let’s do that on this website. In the ITIL world it is still spring or summer. This blog seeks to balance that with an icy blast of winter through the techniques of the skeptic – consider the observable facts and question the underlying assumptions – as well as applying that other great Litmus test: common sense.”

Dan Sullivan, over on Realtime Community has a posting, “ITIL is Dead! Long Live ITIL!.” Dan makes some very good points stating whatever standard one uses it has to cover similar territory (managing changes, tracking patches, etc.). In the end, IT managers will need to think for themselves. There is no magic automated process. It comes down to having useful frameworks from which to selectively draw from.

Forrester addresses this issue in a report title, “The Management Process Alphabet Soup.” The article states, “Looking at these frameworks, we find that they are mainly complementary, but they lack directly actionable recommendations, which makes them excellent guides and checklists rather than implementation blueprints.” Forrester’s conclusion:

ITIL is relatively weak in security controls and weaker yet in metrics and outsourcing, two areas where ISO and COBIT shine. We believe that:

• Process improvement is not a choice. The evolution of IT is such that both complexity and cost containment will exert continuous pressure on IT operations and make best practices the only answer available to organizations.
• ITIL, COBIT, and ISO are good sources of inspiration. When it comes to process improvements, the tried and true is difficult to beat. But a single source of information may not be enough. Combining elements of at least these three major frameworks will broaden the scope of the resulting process and improve its quality.
• People and organizations will resist change. This leaves two choices: 1) be very dogmatic about the ITIL, COBIT, and ISO recommendations or 2) use them as a reference to define the best possible solution that fits the current organization. CASE, CMM, and ISO 9000 used a very sectarian implementation approach 15 years ago that mostly failed. A consensus and educated approach must be favored over the creation of “process police.”
• Certification may be useful but not necessary. Certification brings expertise to an organization that you can use to design or overhaul processes. However, if your company tends to reject the creation of elitist groups, skip certification — it’s not mandatory. Building a widely accessible reference library and educating the organization through process champions and advocates may provide better results.

Remember, ITIL is about to undergo a major revision. TalkBMC has put out a very good podcast with Ken Turbitt title, “The Inside Scoop on the ITIL Refresh.” Ken talks about Version 3 of ITIL being an entire rewrite of ITIL. He points out that while ITIL v2 focused on IT to business alignment, ITIL v3 is a lifecycle approach to services that IT delivers to business. What I was pleased to hear is that security, along with other traditional function, are “baked into” appropriate parts of the lifecycle. Often I found people looking at the ITIL functions, like change management, as silos which they could choose to implement or ignore. That never made sense to me since these IT functions are dependent on each other. I look forward to learning more about ITIL v3. Now, if only I could afford to buy the documentation.

Another great podcast from TalkBMC included Ken Turbitt and Peter Hill discussing “ITIL Verses COBIT.” In the podcast, Ken and Peter examine how COBIT complements ITIL and where they differ. The issues they address are based on a paper they did together, “Combine ITIL and COBIT to Meet Business Challenges.” To quote the paper:

ITIL provides a framework for best practice processes in ITSM that help IT manage resources from a business perspective. COBIT provides the framework for setting business goals and objectives, and measuring the progress of “ITIL-izing” the organization to meet those goals and objectives.

What scares me are those people that have become religious on one standard. One should question both sides. itSMF quotes as the benefits of ITIL, “up to 70% reduction in downtime, 1000% return on investment, and time savings of 50%.” Those are such amazing numbers, that I wonder how anyone can see them as anything but hype. The IT Skeptic wrote a post that addresses these and other statistics. I am not saying you should read the IT Skeptic and take everything he says as Gospel. Become agnostic. Whatever position you take, it is good to be aware of the arguments and back yourself up with real facts. In some cases, there are just no real. IT is complicated and every changing. Not to quote is much more acceptable then to quote hype.

In the IT world, we have pressure to decrease cost, increase reliability, secure the data, and comply with various regulations. New ways to deal with the information flow come out daily. Agility maybe is king in 2007. Or maybe that is just hype of vendors trying to sell us new things. I just don’t see things slowing down. Thinking that one standard fits all is a little naive. As Noel points out, if you make the standard “non-prescriptive” so it is adaptable, it does not help actually implement anything. Frameworks and best practices have to fit together with implementation guides. One has to examine the business model and determine the needs of the business. There is no place for those that limit the solution by only learning one way to address the problems of today’s IT.

I do not see any easy answers. Verses what a salesperson might say, I have not run into too many complicated problems that were solved without a great deal of effort. To quote Jacob August Riis, “When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.” Anyone telling you that they have a simple solution is just selling you snake oil.