<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Advancements at the Monastery &#187; ITIL</title>
	<atom:link href="http://blog.securitymonks.com/category/itil/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securitymonks.com</link>
	<description>Information about developments at the Monastery</description>
	<lastBuildDate>Fri, 03 Sep 2010 05:41:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>ITIL V2 &#8211; V3 Foundation Bridging Certification</title>
		<link>http://blog.securitymonks.com/2009/01/15/itil-v2-v3-foundation-bridging-course/</link>
		<comments>http://blog.securitymonks.com/2009/01/15/itil-v2-v3-foundation-bridging-course/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 00:44:51 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[COBIT]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[ITIL]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=885</guid>
		<description><![CDATA[I just received word that I passed the ITIL V2 &#8211; V3 Foundation Bridging Course in IT Service Management, which means I am now certified in ITIL V3 Foundations.  For those not familiar with the Information Technology Infrastructure Library (ITIL), it is a set of concepts and policies for managing information technology (IT) infrastructure, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.itil.org/en/"><img src="http://www.itil.org/osMedia/pic/22gr-the-core-framework_2142_w2.jpg" alt="" align="left" width=110 /></a>I just received word that I passed the ITIL V2 &#8211; V3 Foundation Bridging Course in IT Service Management, which means I am now certified in ITIL V3 Foundations.  For those not familiar with the <a href="http://www.itil-officialsite.com/home/home.asp">Information Technology Infrastructure Library (ITIL)</a>, it is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations.  The exam was not very difficult: only twenty questions, and it took under half an hour.  That is much easier than the 4.5-hour security certification I am preparing for in February.  Still, it is important for security people to know the foundations of IT management frameworks like ITIL.</p>
<p>
Applying this to security in 2009: <a href="http://www.linkedin.com/in/vivianyeo">Vivian Yeo</a>, from ZDNet Asia, wrote &#8220;<a href="http://www.zdnetasia.com/insight/specialreports/tech-outlook/2009/0,3800017920,62050037,00.htm">2009: Bad times means worse security?</a>&#8221;   Vivian points out that worsening economic conditions, leading to cost-cutting, will create security challenges.  The article discusses various IT technologies that will move operations out of the traditional layered network, where security practice is better established.   To address those concerns, <a href="http://www.idc.com/getdoc.jsp?containerId=PRF003214">Judy Wu</a>, IDC&#8217;s research manager for infrastructure software in the Asia-Pacific region, believes that companies will adopt a &#8220;more disciplined&#8221; approach, drawing on frameworks such as Control Objectives for Information and related Technology (COBIT), ISO 27001 and ITIL.
</p>
<p>
Previously, I posted &#8220;<a href="http://blog.securitymonks.com/2008/07/04/intense-simplicities/">Intense Simplicities</a>,&#8221; where I discuss the risk-based protection model.  For a more entertaining contrast, check out Rob England&#8217;s posts &#8220;<a href="http://www.itskeptic.org/node/423">ITIL is the hitchhiker&#8217;s guide, COBIT is the encyclopaedia</a>&#8221; and &#8220;<a href="http://www.itskeptic.org/node/692">COBIT rivals ITIL</a>.&#8221;
</p>
<p>
Military strategist <a href="http://en.wikipedia.org/wiki/Carl_von_Clausewitz">Carl von Clausewitz</a> once wrote that war is an extension of politics by other means.  IT is an extension of business, and security helps the business deal with risk.  While I avoid predictions, I do know CEOs will be reading articles and listening to research managers like the ones quoted above.  Folks in security need to understand frameworks like ITIL, COBIT, and ISO 27001 in order to ensure security concerns are addressed at the very beginning of these business discussions.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2009/01/15/itil-v2-v3-foundation-bridging-course/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Intense Simplicities</title>
		<link>http://blog.securitymonks.com/2008/07/04/intense-simplicities/</link>
		<comments>http://blog.securitymonks.com/2008/07/04/intense-simplicities/#comments</comments>
		<pubDate>Fri, 04 Jul 2008 23:39:06 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[COBIT]]></category>
		<category><![CDATA[CrossTalk]]></category>
		<category><![CDATA[DODI 8500]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO 17799]]></category>
		<category><![CDATA[ITIL]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[NIST]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=164</guid>
		<description><![CDATA[Revolution
On this 4th of July, I find myself wondering if a revolution is about to occur in the information security arena.  Is the policy-based compliance model going to be overthrown by the risk-based protection model?  What are the ramifications?  Are most CIOs aware of or even ready for such a change?

Technological Upheaval
Ground [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://my.richnet.net/~wilrenn/illsncrts/nowhere.jpg"><img src="http://my.richnet.net/~wilrenn/illsncrts/nowhere.jpg" alt="Nowhere Image" align="left" width=300/></a><b>Revolution</b><br />
On this <a href="http://www.usa.gov/Topics/Independence_Day.shtml">4th of July</a>, I find myself wondering if a revolution is about to occur in the information security arena.  Is the policy-based compliance model going to be overthrown by the risk-based protection model?  What are the ramifications?  Are most CIOs aware of or even ready for such a change? </p>
<p>
<b>Technological Upheaval</b><br />
Groundbreaking innovations often cause some form of upheaval.  Most folks are familiar with the story of <a href="http://www.boldoutlaw.com/robbeg/robbeg1.html">Robin Hood</a> and his band of <a href="http://www.boldoutlaw.com/robbeg/robbeg2.html">merry men</a>.  Another group living in the <a href="http://www.boldoutlaw.com/robbeg/robbeg3.html">Sherwood Forest</a> area, though later, around <a href="http://en.wikipedia.org/wiki/1811">1811</a>, were the <a href="http://en.wikipedia.org/wiki/Luddite">Luddites</a>.  These men from the past have a great deal to teach us concerning the ramifications of revolutionary technological change.  The Luddites were highly skilled and quite well paid <a href="http://www.yourdictionary.com/cropper">croppers</a> (men who finished cloth).  Their job was to shear the raised nap off the cloth, using shears that weighed 40 lb and were 4 feet long.  Their world was turned upside down by the introduction of the water-powered shearing frame.  This new technology was simple enough to be operated by an unskilled worker, in under a quarter of the time.
</p>
<p>
Luddites fought back by breaking into factories at night and destroying the new machines.  In a three-week period, for example, over two hundred stocking frames were destroyed.  While this may not be as exciting as Robin Hood, just as in that story, the heavy hand of the government came down on the Luddites.  The <a href="http://everything2.com/e2node/Frame%2520Breaking%2520Act">Frame Breaking Act</a> made machine-breaking a capital offense.  In Yorkshire in 1812, over 12,000 soldiers were brought in to keep order.   Hundreds of men were rounded up.  Some were deported to <a href="http://www.cultureandrecreation.gov.au/articles/convicts/">penal colonies</a> and others were executed; at one point seventeen men were executed together.  In the end, the Luddites could not stop technology from advancing.  By the 1820s the Luddite movement had ceased to be active, and few croppers could find work in the woolen industry.
</p>
<p>
<b>It&#8217;s All About Risk</b><br />
The moral of the story is that technology does not exist in a vacuum, not if it is useful technology.  It ends up being integrated into the environment in which it operates.  This integration can be peaceful, or not.  Either way, it will occur.  Policy-based compliance models tend to have policies dictating discrete, predefined information security requirements along with associated safeguards and countermeasures.  There is minimal flexibility in implementation and little emphasis on explicit acceptance of mission risk.  Compare that to risk-based protection, where the enterprise missions and business functions drive the security requirements, associated safeguards, and countermeasures.  It is highly flexible in implementation and focuses on acknowledgment and acceptance of mission risk.
</p>
<p>
Today, organizations are taking a serious look at their information technology (IT) groups and questioning the governance models necessary to minimize risks and maximize returns.  Taking the definition from the <a href="http://www.isaca.org/cobit.htm">Control Objectives for Information and related Technology</a> (<strong>COBIT</strong>) executive summary, <a href="http://www.cio.com/article/111700/ABC_An_Introduction_to_IT_Governance/1">IT governance</a> is &#8220;<em>a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise&#8217;s goals by adding value while balancing risk versus return over IT and its processes</em>.&#8221;
</p>
<p>
<b>Command and Control</b><br />
Business managers and stakeholders, in order to trust and rely on IT, must have some sense of reliability and control.  Add to this business mix the constant pressure to decrease cost, increase reliability, and comply with local and federal regulations.  Communication between different groups within an organization is essential, whether they are technical folks, auditors, finance, managers, etc.  Innovation cannot exist only in the IT arena.  It must translate into overall business process improvements.  To help do this, companies are showing greater interest in best practices and in frameworks such as the Information Technology Infrastructure Library (<strong><a href="http://www.ogc.gov.uk/index.asp?id=2261">ITIL</a></strong>), International Organization for Standardization (<strong>ISO/IEC </strong>) <strong><a href="http://itmanagement.earthweb.com/netsys/article.php/1478621">17799</a></strong>, and COBIT.  Government organizations must follow the <a href="http://iase.disa.mil/ditscap/">DoDI 8500.2</a> &#8220;Information Assurance (IA) Implementation&#8221; instruction or the National Institute of Standards and Technology (<strong>NIST</strong>) control catalog, <strong>SP 800-53</strong> &#8220;Recommended Security Controls for Federal Information Systems,&#8221; together with its companion assessment guide, <strong><a href="http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf">SP 800-53A</a></strong>.
</p>
<p>
As organizations attempt to implement these frameworks, recommendations and requirements, questions arise about how to bring the standards together, along with the difficulty of getting a company from where it currently is to where it needs to be.  Government does not get a free pass.  Government agencies are faced with the daunting task of having to work together to combat security risks.  That includes federal information systems supporting defense, civil, and intelligence agencies, along with private sector information systems supporting U.S. industry and businesses, and the information systems supporting critical infrastructure within the U.S.  It would be helpful if we could start talking the same language, or at least develop a dictionary so we can understand each other.  Winston Churchill once said, &#8220;<em>Out of intense complexities intense simplicities emerge</em>.&#8221;  By bringing together the seemingly diverse security best practices and controls from COBIT, ITIL, DoDI 8500.2, and NIST SP 800-53A, we hope intense simplicities emerge.
</p>
<p>
<b>Battle Plans</b><br />
First, a little background.  The Department of Defense Information Assurance Certification &#038; Accreditation Process (<strong>DIACAP</strong>) and NIST both address the requirements of the <a href="http://csrc.nist.gov/groups/SMA/fisma/index.html">Federal Information Security Management Act</a> (<strong>FISMA</strong>) of 2002.  FISMA is a United States federal law that recognizes the importance of information security to the economic and national security interests of the United States.  FISMA tasked NIST with the responsibility of “<em>providing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems</em>.”  DIACAP, in turn, establishes “<em>the standard DoD process for identifying, implementing and validating information assurance (IA) Controls for authorizing the operation of DoD information systems and for managing the IA posture across DoD information consistent with Title III of the E-Government Act, FISMA, DoDD 8500.1 and DoDI 8500.2</em>.”   A major part of the DIACAP process is testing to verify that compliance has been achieved, and that testing is based on the security controls set out in DoDI 8500.2.  NIST SP 800-53A likewise &#8220;<em>provides guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government</em>.&#8221;  As you can see, NIST SP 800-53A and DoDI 8500.2 are fairly similar in definitions and methodologies.
</p>
<p>
COBIT&#8217;s original purpose was to link IT processes and controls to business requirements.  Management guidelines were later added, providing management tools such as metrics and maturity models.  ITIL is focused on effective IT service management.  It consists of 10 processes, which break down into service support (operational) and service delivery (tactical) processes.  ISO/IEC 17799 focuses on security and attempts to aid an organization in the creation of an effective IT security plan.
</p>
<p>
<b>Strengths and Weaknesses</b><br />
The <a href="http://www.isaca.org">Information Systems Audit and Control Association</a> (<strong>ISACA</strong>) has put a great deal of effort into mapping COBIT to other standards.  In part, this is because COBIT&#8217;s focus is on business requirements.  COBIT can be used as the framework and governance model under which other best practices integrate.  Take a look at these mapping guides:</p>
<ul>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=37817">COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=33100">COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=30780">COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=31416">COBIT Mapping: Mapping of ITIL With COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=29054">COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=28886">COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=31448">COBIT Mapping: Mapping PMBOK to COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=27170">COBIT Mapping: Mapping SEI&#8217;s CMM for Software to COBIT 4.0</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=26409">COBIT Mapping to ISO/IEC 17799:2000 With COBIT, 2nd Edition</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=24812">COBIT Mapping Overview of International IT Guidance, 2nd Edition</a></li>
<li><a href="http://www.isaca.org/Template.cfm?Section=Whats_New1&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=22493">Aligning COBIT, ITIL and ISO/IEC 17799 for Business Benefit</a></li>
</ul>
<p>
<b>Coming Together</b><br />
To keep things simpler, let us focus only on the mappings that exist for ITIL with COBIT and for NIST SP 800-53 with COBIT.  Through this approach, we will develop a path from DoDI 8500.2 to ITIL.  The mapping should help not only with understanding but also with organization.  Keep in mind that DoDI 8500.2 is a catalog of controls and can be matched against NIST SP 800-53, the control catalog that SP 800-53A assesses; Appendix G of NIST SP 800-53 maps its controls to both ISO/IEC 17799 and DoDI 8500.2.
</p>
<p>
When we combine these mappings, we begin to see the strengths of particular standards, and we gain depth of coverage.  Take a look at the following mapping for configuring and implementing acquired application software to meet business objectives.</p>
<table border=1 width=90%>
<tr>
<th width=20% align=left>COBIT Control</th>
<th width=20% align=left>ITIL</th>
<th width=60%>
<table border=1>
<tr>
<th width=10% align=center>800-53A</th>
<th width=10% align=center>8500.2</th>
<th width=10% align=center>17799</th>
</tr>
</table>
</th>
</tr>
<tr>
<td width=20%><b>AI2.5</b>: Configuring and implementation of acquired application software to meet business objectives.</td>
<td width=20%>
<table>
<tr>
<td><b>SS-RelMgmt</b>: Release Management (9.8.3)</td>
</tr>
</table>
</td>
<td width=60%>
<table border=1>
<tr>
<td width=20%>A: <a HREF="http://www.ljk.com/ljk/NIST_800-53/NIST_800-53_SA-1.html">SA-1</a>: System and Services Acquisition Policy and Procedure</td>
<td width=20%>
<table>
<tr>
<td width=20%><b>DCAR-1</b>: Procedural Review</td>
</tr>
</table>
</td>
<td width=20%>
<table>
<tr>
<td width=20%><b>12.1</b>: Security requirements of information systems</td>
</tr>
<tr>
<td width=20%><b>15.1.1</b>: Identification of applicable legislation</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>The complete mapping can be found from <a href="http://blog.securitymonks.com/security-mappings/">this link</a>.  This is a work in progress and is meant only as a first attempt to produce something that might clarify and help.
</p>
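<p>The following is an added example written for this edit; it is not the blog&#8217;s mapping spreadsheet, nor code from ISACA, NIST or any vendor.  It shows the mechanics of the path proposed above: compose the direct crosswalks (COBIT to ITIL, COBIT to NIST SP 800-53, NIST to DoDI 8500.2, NIST to ISO/IEC 17799) into a derived DoDI 8500.2 to ITIL mapping, trace each derived link hop by hop so it can be justified or challenged, and list the controls the composition silently drops.  Only the AI2.5 row (SS-RelMgmt, SA-1, DCAR-1, 12.1, 15.1.1) is taken from the table above; the DS5.3, AC-2, IA-2, CM-6, IAAC-1, ECSC-1 and SD-SecMgmt rows are constructed placeholders for the demonstration, not asserted mappings.</p>

```python
"""Compose control crosswalks through a hub framework (COBIT).

Added example for this post, not the blog's own mapping or any vendor tool.
The AI2.5 row is taken from the table in the post; every other row below is a
constructed placeholder used only to show the mechanics.
"""
from collections import defaultdict

# Direct crosswalks: source control -> set of target controls.
COBIT_TO_ITIL = {
    "AI2.5": {"SS-RelMgmt"},
    "DS5.3": {"SD-SecMgmt"},       # constructed row
}
COBIT_TO_NIST = {
    "AI2.5": {"SA-1"},
    "DS5.3": {"AC-2", "IA-2"},     # constructed row
}
NIST_TO_DODI = {
    "SA-1": {"DCAR-1"},
    "AC-2": {"IAAC-1"},            # constructed row
    "CM-6": {"ECSC-1"},            # constructed row; CM-6 has no COBIT link here
}
NIST_TO_ISO = {
    "SA-1": {"12.1", "15.1.1"},
}


def invert(crosswalk):
    """Turn a source->targets crosswalk into target->sources."""
    inv = defaultdict(set)
    for src, targets in crosswalk.items():
        for tgt in targets:
            inv[tgt].add(src)
    return dict(inv)


def compose(first, second):
    """Compose a->b and b->c into a->c.

    A source whose every hop dead-ends is dropped from the result; that is
    exactly where a derived mapping loses coverage, so callers should check
    for dropped controls with unmapped() rather than trust the result blindly.
    """
    out = {}
    for a, bs in first.items():
        targets = set()
        for b in bs:
            targets |= set(second.get(b, ()))
        if targets:
            out[a] = targets
    return out


def chain(*crosswalks):
    """Compose any number of crosswalks left to right."""
    derived = crosswalks[0]
    for nxt in crosswalks[1:]:
        derived = compose(derived, nxt)
    return derived


def trace(control, *crosswalks):
    """Every hop-by-hop path from `control` through the crosswalks."""
    paths = [[control]]
    for cw in crosswalks:
        paths = [p + [t] for p in paths for t in sorted(cw.get(p[-1], ()))]
    return paths


def unmapped(source_controls, derived):
    """Controls that the derived crosswalk silently dropped."""
    return sorted(c for c in source_controls if c not in derived)


def crosswalk_row(cobit_id):
    """One row of the post's table: COBIT control -> ITIL, 800-53, 8500.2, 17799."""
    nist = COBIT_TO_NIST.get(cobit_id, set())
    return {
        "ITIL": COBIT_TO_ITIL.get(cobit_id, set()),
        "800-53": nist,
        "8500.2": compose({cobit_id: nist}, NIST_TO_DODI).get(cobit_id, set()),
        "17799": compose({cobit_id: nist}, NIST_TO_ISO).get(cobit_id, set()),
    }


# The path the post proposes: DoDI 8500.2 -> NIST 800-53 -> COBIT -> ITIL.
DODI_TO_ITIL_HOPS = (invert(NIST_TO_DODI), invert(COBIT_TO_NIST), COBIT_TO_ITIL)
DODI_TO_ITIL = chain(*DODI_TO_ITIL_HOPS)
ALL_DODI = sorted({c for targets in NIST_TO_DODI.values() for c in targets})

if __name__ == "__main__":
    for dodi, itil in sorted(DODI_TO_ITIL.items()):
        print(dodi, "->", sorted(itil), trace(dodi, *DODI_TO_ITIL_HOPS))
    print("no ITIL counterpart via this path:", unmapped(ALL_DODI, DODI_TO_ITIL))
    print("AI2.5 row:", crosswalk_row("AI2.5"))
```

<p>Two caveats the composition makes visible.  A derived link is only as precise as its coarsest hop: a many-to-many hop (DS5.3 covering both AC-2 and IA-2 in the constructed data) inflates every downstream mapping, and a dead-end hop (CM-6 with no COBIT counterpart) drops the DoDI control entirely, which is why the gap list matters as much as the mapping itself.</p>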
<p>
<b>Building Trust</b><br />
<a href="http://csrc.nist.gov/staff/rolodex/ross_ron.html ">Dr. Ron Ross</a>, project leader for the FISMA Implementation Project, has been giving talks on transforming the certification and accreditation process through a <a href="http://www.dni.gov/canda/blogs/briefing_slides/unified-framework-v8-Ross.ppt ">unified risk management framework</a>.  He also wants us to be able to trust each other.  One of his recent presentations, given on November 14, 2007 to the <a href="http://www.iaconline.org/">ACT/IAC Information Security and Privacy Shared Interest Group</a> and titled &#8220;<a href="http://www.actgov.org/actiac/documents/pptfiles/iac-11-14-2007.ppt">Building Trust Relationships Among Organizations</a>,&#8221; makes some very important points.  In the presentation Ross states that a paradigm shift is occurring in information security, from a policy-based compliance model to a risk-based protection model.  This is of key importance because securely sharing information will depend on trust relationships established among partners, in government and industry alike.  Trust can occur only when an organization understands the security state of its partners.  Government and industry must be able to trust and understand each other&#8217;s security state.
</p>
<p>
<a href="http://www.linkedin.com/in/rybolov">Michael Smith</a>, manager in the <a href="http://www.deloitte.com/dtt/section_node/0,1042,sid%253D3489,00.html">Audit and Enterprise Risk Services</a> organization of <a href="http://www.deloitte.com">Deloitte &#038; Touche LLP</a>, makes the following important point about a unified catalog of controls in his post, &#8220;<a href="http://www.guerilla-ciso.com/archives/254">One Catalog to Rule Them All</a>&#8221;:</p>
<blockquote><p>What a unified catalog of controls means is that we now have something that is standardized across the board so that I can take an IA practitioner from the DoD side, put them into a civilian agency, and have a reasonable expectation that they will succeed there.  In other words, I’ve decreased the switch costs for personnel transfers.  I’ve also made it easier for agencies to share data with each other (conspiracy buffs here can think things about Census data feeding the Total Information Awareness program and corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs desperately.</p></blockquote>
<p>Eustace D. King has an article in the July issue of <a href="http://www.stsc.hill.af.mil/crosstalk/">CrossTalk</a> titled &#8220;<a href="http://www.stsc.hill.af.mil/crosstalk/2008/07/0807King.html">Transforming IA Certification and Accreditation Across the National Security Community</a>.&#8221;  In the article King discusses the DoD and DNI CIOs&#8217; seven goals for transforming C&#038;A processes across the DoD and the IC.  These goals can be found on the Director of National Intelligence CIO&#8217;s &#8220;<a href="http://www.dni.gov/dniwww/c&#038;a.html">Re-Vitalizing Certification &#038; Accreditation Initiative</a>&#8221; page and include (quoting from King&#8217;s article):</p>
<ol>
<li>Define a common set of impact levels and adopt and apply them across the DoD and IC.</li>
<li>Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.</li>
<li>Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.</li>
<li>Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing both the DoD and IC a common language and common understanding.</li>
<li>Institute a senior risk executive function, which bases decisions on an enterprise view of risk considering all factors, including mission, IT, budget, and security.</li>
<li>Incorporate IA into enterprise architectures and deliver IA as common enterprise services across the DoD and IC.</li>
<li>Enable a common adaptable process that incorporates security within the lifecycle processes and eliminates security-specific processes.</li>
</ol>
<p>I do like the idea of &#8220;<em>define, document, and adopt common security controls, using NIST SP 800-53 as a baseline</em>.&#8221;
</p>
<p>
At last month&#8217;s <a href="http://www.infosecuritycanada.com/ ">Infosecurity Canada Conference &#038; Exhibition</a>, Al Purdy, now principal of <a href="http://www.draenterprisesinc.com">DRA Enterprises Inc.</a>, addressed the importance of establishing a <a href="http://www.isaca.org/Template_ITGI.cfm?Section=ITGI&#038;CONTENTID=40934&#038;TEMPLATE=/ContentManagement/ContentDisplay.cfm">risk management framework</a>.  &#8220;<em>The most likely way to address some of the risks is a public-private sector collaboration based on an established risk management framework</em>,&#8221; Purdy said.  Purdy points out that the <a href="http://www.isaca.org/Template_ITGI.cfm">IT Governance Institute</a> (<strong>ITGI</strong>), developer of COBIT, is reported to be working on a risk management framework for release later this year.  <a href="http://www.itgi.org/TemplateRedirect.cfm?template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=35394">Urs Fischer</a>, who is leading the steering committee developing the framework, admits, &#8220;<em>While COBIT does contain some discussion of risk management, ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II</em>.&#8221;  Fischer goes on to say, &#8220;<em>It&#8217;s more of an add-on (to COBIT) than a new one</em>.&#8221;  Fischer explains, &#8220;<em>It&#8217;s not a checklist. It&#8217;s more about the way you should do risk management</em>.&#8221;
</p>
<p>
<b>Parting Words</b><br />
I started this post wondering if a shift is beginning towards the risk-based protection model.  We see elements in play.  There is a definite need to establish a common language across all our standards, best practices, and requirements.  Recent research published in the <a href="http://www.isaca.org/Template.cfm?Section=Home&#038;Template=/ContentManagement/ContentDisplay.cfm&#038;ContentID=39744">IT Governance Global Status Report 2008</a> found a six percent increase since 2005 in the importance of IT to business strategy.  IT is playing an increasingly vital role in business and government.  Help is needed that will allow different groups within an organization to understand IT, and this need to communicate goes beyond the boundary of an organization.  Governments and industry need to be able to properly evaluate the risk of working with their partners, and they can only do this if they can evaluate their partners&#8217; security readiness.  Partnerships do not end within one&#8217;s own country.  It is not surprising to see the push for a common risk management framework.
</p>
<p>
<a href="http://en.wikipedia.org/wiki/Jacob_Riis">Jacob August Riis</a>, a Danish-born American journalist and slum reformer who set new standards of civic responsibility toward the poor and homeless through his reporting of New York City slum conditions, once wrote, “<em>When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before</em>.”  Sometimes the hands of change seem to move at glacial speed, but change will come.  When all the elements are in place, change can come like a flash flood.  The best we can do is be patient and then make sure we are not caught, like the Luddites, on the wrong side of technological advancement.
</p>
<p>
<b>Special Thanks</b><br />
I wanted to add a note of special thanks to Michael Smith over at <a href="http://www.guerilla-ciso.com/">the Guerilla CISO</a>.  Michael is quoted above.  I have been a long-time reader of Michael&#8217;s blog, and when I came across questions concerning DIACAP, I dropped him an email.  He was most helpful and informative in his responses, shared some PDFs with me, and pointed me to some great sites.  If you want to know more about Michael, Martin McKeay did an <a href="http://www.mckeay.net/tag/guerilla-ciso/">interview with him</a> a few months back.  Of course, any mistakes in this post are my own, and the correct information is due to the help that Michael provided.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2008/07/04/intense-simplicities/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Making Claims</title>
		<link>http://blog.securitymonks.com/2007/02/11/making-claims/</link>
		<comments>http://blog.securitymonks.com/2007/02/11/making-claims/#comments</comments>
		<pubDate>Sun, 11 Feb 2007 16:29:59 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[ITIL]]></category>
		<category><![CDATA[SOA]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=27</guid>
		<description><![CDATA[&#8220;First they ignore you, then they laugh at you, then they fight you, then you win.&#8221;
&#8211;Mahatma Gandhi

Do you remember the flying car?  I know the people from my generation grew up with dreams of one day having such a fantastic automobile.  Over on Technorama, one of their regular contributors, Bruce Barr, points out [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://thinkexist.com/quotation/first_they_ignore_you-then_they_laugh_at_you-then/214891.html"><em>First they ignore you, then they laugh at you, then they fight you, then you win.</em></a>&#8221;<br />
<strong>&#8211;Mahatma Gandhi</strong></p>
<p>
<a href="http://www.art.eonworks.com/gallery/sci-fi/sci-fi_city-199805.html"><img width="125" align="left" alt="Flying Cars" title="Flying Cars" src="/images/flyingcars.jpg"   /></a>Do you remember the flying car?  I know the people from my generation grew up with dreams of one day having such a fantastic automobile.  Over on <a href="http://www.chuckchat.com/technorama/">Technorama</a>, one of their regular contributors, Bruce Barr, points out an article by Julia Layton, &#8220;<a href="http://www.howstuffworks.com/x-hawk.htm/printable">Are We on the Brink of the Flying Car?</a>&#8221;  According to the article, an Israeli company named Urban Aeronautics is claiming it will have a flying car on the market by 2012.  The craft is designed to fly for up to two hours on one tank of gas, at up to 155 miles per hour (250 kph) and 12,000 feet (3,700 meters).  It will cost $1.5 million.  Here is the interesting thing: currently it can only hover about 3 feet (1 meter) above the ground.
</p>
<p>
Mike Rothman, author of the <a href="http://www.pragmaticcso.com/">Pragmatic CSO</a> and blogger at the <a href="http://securityincite.com/blog/mike-rothman">Daily Incite</a>, had an interesting point in his <a href="http://securityincite.com/blog/mike-rothman/pragmatic-cso-weekly-6">Pragmatic CSO Weekly</a> posting.  He, like many security professionals, has spent this week attending the <a href="http://www.rsaconference.com/">RSA Conference</a>.  Mike writes:</p>
<blockquote><p>Which goes to the topic of this week&#8217;s pep talk &#8211; don&#8217;t believe everything you hear. For those of you familiar with my research at Security Incite &#8211; you know I&#8217;m pretty cynical about pretty much everything. I&#8217;ll admit I was born cynical and sarcastic, but being in the security and networking business for the past 15 years hasn&#8217;t really helped soften my edge.</p>
<p>That was very apparent on the show floor, where vendors were resorting to all sorts of tricks (including of all horrors, booth babes) to gain the attention of potential buyers. And once they have your attention, their objective is to keep it. And sometimes they make claims on the show floor that don&#8217;t necessarily hold up in the lab. Empty claims don&#8217;t help you to do your job any better.
</p></blockquote>
<p>I would also add to Mike&#8217;s statement: do not include facts that you cannot back up in a presentation.  This came up this week.  A gentleman was preparing a presentation and wanted some facts on the cost savings of ITIL.  Wouldn&#8217;t you know, he got a response from the ITIL expert within his company quoting itSMF: &#8220;Up to 70% reduction in downtime, 1000% return on investment, and time savings of 50%.&#8221;
</p>
<p>
If I were in the audience during this presentation, upon hearing such a quote, I would stop believing the presenter.  The use of the words &#8220;up to&#8221; makes any claim possibly true while making the statement meaningless.  You could have &#8220;up to&#8221; 99% reduction in downtime and a trillion percent return on investment.  Chances are very good that you won&#8217;t.  When I go into a presentation, the last thing I want is to be caught off guard.  There is always someone who has read other numbers/statements and they will want your response.  If you cannot respond to that person, you will lose the rest of the audience.  The 70% reduction in downtime and 1000% return on investment are such amazing numbers that they ring of hype.  If the audience thinks your presentation is full of hype, the credibility of the presentation suffers.
</p>
<p>
I have mentioned this site before, but I have to point to it again.  The <a href="http://www.itskeptic.org">IT Skeptic site</a> goes after the hype around ITIL.  Concerning the claims around ITIL, the IT Skeptic wrote an interesting posting, &#8220;<a href="http://www.itskeptic.org/node/21">The Emperor has no clothes. Where is the evidence for ITIL?</a>&#8221;  There is even a <a href="http://www.itskeptic.org/node/75">podcast</a>.
</p>
<p>
I am not saying one should believe without question what the IT Skeptic posts.  Don&#8217;t believe the IT Skeptic, the itSMF, the folks at RSA, or someone telling you the flying car is just around the corner.  Just dig a little before quoting numbers.   When I pointed to the IT Skeptic I got the comment back about him being a &#8220;<a href="http://en.wikipedia.org/wiki/Ghostwriter">ghostwriter</a>.&#8221;  Focus on the message, not the messenger.
</p>
<p>
Imagine if we could invent a tablet that one could take to the RSA conference.  It is capable of speech recognition, and everything someone says is translated immediately into written words.  Then the tablet can add links to the subject areas all the way back to the sources.  As the salespeople talk, you could check your tablet to see where all these numbers and ideas originated.  That is better than a lie detector.  I would trade in my flying car for such a device.  One of the great things about blogs is that they can include links which one can easily follow to the source.  A lot of salespeople would be out of work if we could do the same thing to the spoken word.  Some fast talking executives would be demoted back to the mail room.  In the meantime, do your homework and check those numbers.  If it sounds too good to be true, it is.
</p>
<p>
There are a lot of areas in security where I can argue both sides of an issue.  I am using ITIL only as an example.  Any area of business where you are changing the fundamental way you do business might prove difficult to quantify ROI.  A discussion of metrics involving SOA can be found on Dana Gardner&#8217;s BriefingsDirect titled, &#8220;<a href="http://blogs.zdnet.com/Gardner/?p=2405">Panel of IT analysts look to the movie business to explain SOA’s relevance and ROI</a>.&#8221;  One of the great things about Dana Gardner podcasts is that he makes <a href="http://briefingsdirect.blogspot.com/2007/01/transcript-of-briefingsdirect-soa.html">full transcripts</a> of the shows available.  The panel starts off with a discussion of a statement Verizon had made that, with a stable of 500 services, they were expecting to yield $20 million in savings over two years.
</p>
<p>
It is a valid argument to point out that when you are changing the fundamental way of doing business, it complicates how you might determine ROI.  In relation to SOA, <a href="http://www.zoominfo.com/Search/PersonDetail.aspx?PersonID=266393">Steve Gorone</a> raises the question, &#8220;How do you actually quantify what your ROI is, given the advantages of using an SOA approach? I’ve listed the main reasons why people would want to do SOA, in terms of the advantages, and they basically break down to four major areas.&#8221;  The four reasons are:</p>
<ol>
<li>The reuse of IT assets</li>
<li>Reduce the expense associated with doing the application integration test they normally would have to do</li>
<li>Meeting compliance requirements</li>
<li>The issue of how agile do you make your business</li>
</ol>
<p>Of course, my main interest in SOA comes from the last two claims of compliance and agility.  Another key point that interests me is the idea that <a href="http://www.zoominfo.com/Search/PersonDetail.aspx?PersonID=11906582">Tony Baer</a> points out:</p>
<blockquote><p>If there is one benefit that SOA delivers, it’s that the value becomes the service rather than the plumbing. If you think about the way we&#8217;ve traditionally developed functionality or integrated systems, we’ve had to spend inordinate amounts of time in the plumbing and maintaining it. SOA theoretically, if it’s done right, standardizes the plumbing, makes everything declarative, so you take out the guess work. The result is that if you look at outsourcing, SOA separates the plumbing from the service. Therefore, what is probably ideal for outsourcing would be the plumbing, because that’s where the value is and that’s not where IT organizations should be spinning their wheels.</p></blockquote>
<p>That quote is very interesting from a security point of view.  A lot of our efforts have been on the plumbing.  While there is a great need to secure the plumbing, what is being done to secure the services?
</p>
<p>
The point is, IT is not the same as manufacturing.  Metrics generally are not as simple as the replacement of one machine with another that can produce more <a href="http://en.wikipedia.org/wiki/Widgets">widgets</a> at less power consumption.  For example, how does one measure the value of agility?  If you fail to be able to adapt and provide one of the latest <a href="http://blogs.zdnet.com/BTL/?p=3934">web 3.0</a> services, how many customers will you lose?  How do you measure customer satisfaction because it was easy for the customer to get to you?  Present information and selling points, but also be aware of the arguments both ways.  This is the only way to ensure that you won&#8217;t be taken off guard. Plus, it shows that you are not just a salesperson.  You truly do know the subject matter.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/02/11/making-claims/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Alphabet Soup</title>
		<link>http://blog.securitymonks.com/2007/02/04/alphabet-soup/</link>
		<comments>http://blog.securitymonks.com/2007/02/04/alphabet-soup/#comments</comments>
		<pubDate>Sun, 04 Feb 2007 21:36:03 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[COBIT]]></category>
		<category><![CDATA[ITIL]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=26</guid>
		<description><![CDATA[&#8220;A shoe that fits one person pinches another; there is no recipe for living that suits all cases.&#8221; &#8211; Carl Jung

Many people assume because I talk about the Control OBjective for Information and related Technology (COBIT), that I have something against the Information Technology Infrastructure Library (ITIL).  Not at all.  Anything that promotes [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://www.quotedb.com/quotes/3875"><em>A shoe that fits one person pinches another; there is no recipe for living that suits all cases.</em></a>&#8221; <b>&#8211; Carl Jung</b></p>
<p>
<a href="http://www.irishmusiccentral.com/bellx1/images/bx_alphabet_soup_imc.gif"><img src="/images/bx_alphabet_soup_imc.gif" align=left width=150 alt="Alphabet Soup" /></a>Many people assume because I talk about the Control OBjective for Information and related Technology (COBIT), that I have something against the Information Technology Infrastructure Library (ITIL).  Not at all.  Anything that promotes a framework of best practices for high quality computing services, I believe, should be considered.
</p>
<p>
There are a few things that make me question if ITIL is enough or appropriate for all organizations.  I am also not that crazy about the content of the books being copyrighted by the United Kingdom.  The complete library consists of:</p>
<ul>
<li>Service Support</li>
<li>Service Delivery</li>
<li>ICT Infrastructure Management</li>
<li>Software Asset Management</li>
<li>Application Management</li>
<li>Security Management</li>
<li>Planning to Implement ITSM</li>
<li>The Business Perspective Vol. 1</li>
</ul>
<p>On Amazon, the ITIL Complete Library in <a href="http://www.amazon.com/Complete-Library-CD-ROM-Format-Practice/dp/B000CDVYMI/sr=8-2/qid=1170613133/ref=sr_1_2/104-5476852-7387130?ie=UTF8&#038;s=books">CD</a> form costs $2,097.80, and in <a href="http://www.amazon.com/ITIL-Complete-Library-Format-Practice/dp/B000CDSQ06/sr=1-1/qid=1170613078/ref=sr_1_1/104-5476852-7387130?ie=UTF8&#038;s=books">book </a>format $1,013.05.  Sure, corporations can afford to pay that cost.  Still, I have witnessed companies buying one set of these books and then having their employees check out the books one at a time.  Or managers are given books which interpret what the Office of Government Commerce stated in the original books.  That is no way to promote learning.  Best practices should be promoted throughout an organization.  The actual standard should be available, not an interpretation.  When there is a fairly high price tag on the books, people will not learn the standard completely.
</p>
<p>
Someone who is not optimistic about ITIL&#8217;s future is Noel Bruton.  <a href="http://www.bruton.win-uk.net/">Noel Bruton</a> is a long-established, UK-based, specialized consultant in the IT Helpdesk and User Support community.  He has written, &#8220;<a href="http://www.bruton.win-uk.net/articles/current/thatwas.htm">That Was ITIL, That Was</a>.&#8221;  Noel states that senior UK IT services managers have been feeling that the ITIL framework has too many implementations that only deal with the front end of IT.  In other words, the low hanging fruit.  The way ITIL is being implemented generally only affects the areas of user support, helpdesk, second line, and change management.  In trying to be &#8220;non-prescriptive,&#8221; and thus allow for adaptation, ITIL ends up only ever advising on what to do.  It does not provide much help on how to do it.  Therefore, it never offers any real means of benchmarking itself.  In this way, it can never prove that it is successful in operation.  While consultants will produce various diagrams of gap analysis, those maturity models are not part of ITIL itself.  To quote Noel,</p>
<blockquote><p>Perhaps part of what is killing ITIL is the very fact that it doesn&#8217;t prescribe enough, and just too much independent thought is required. Then again, perhaps those who can think independently don&#8217;t need ITIL anyway, as was the case for, coincidentally, all the finalists in a recent industry award for user support excellence.</p></blockquote>
<p>The <a href="http://www.itskeptic.org/node/94">IT Skeptic</a> is less convinced that ITIL is completely dead.  He feels that ITIL is in the process of settling down to a calmer state without the hysteria.  The Skeptic feels that because of the hype, there is a great deal of disillusionment with ITIL.  This might lead to its demise.  If so, he has made some predictions in his post, <a href="http://www.itskeptic.org/node/94">ITIL&#8217;s possible displacement</a>.  He brings up COBIT and ISO/IEC 20000.  To quote him:</p>
<blockquote><p>The horse has bolted with ISO/IEC 20000: the world sees it as “the ITIL standard” but OGC and itSMF have zero control of it. All we need is for someone credible (and probably American: they have the resources to do it quickly) to publish and certify ISO/IEC 20000-based guidance, and ITIL is stone dead.</p></blockquote>
<p>Is this what the <a href="http://www.isaca.org/">ISACA</a> group is trying to establish?  See my posting on <a href="http://blog.securitymonks.com/?p=19">COBIT in 2007</a>.  ISACA is definitely establishing a mapping of COBIT to various standards.
</p>
<p>
The IT Skeptic has many insightful statements on ITIL.  When I initially did this posting, I had not noticed that he was also doing a <a href="http://www.itskeptic.org/podcasts">podcast</a>.  Thankfully, he left a comment pointing to the location.  His podcasts are from his postings, and they are both insightful and incredibly funny.  Do check out his postings, whether you believe ITIL is revolutionizing the IT world or you are a bit more skeptical.  To quote the site, &#8220;Now that ITIL is the de facto standard for IT operations, the time is ripe for a more objective evaluation of ITIL’s merits and caveats.  Let&#8217;s do that on <a href="http://www.itskeptic.org/">this website</a>. In the ITIL world it is still spring or summer. This blog seeks to balance that with an icy blast of winter through the techniques of the skeptic – consider the observable facts and question the underlying assumptions – as well as applying that other great Litmus test: common sense.&#8221;
</p>
<p>
Dan Sullivan, over on <a href="http://www.realtime-websecurity.com/">Realtime Community</a>, has a posting, &#8220;<a href="http://www.realtime-websecurity.com/articles_and_analysis/2007/01/itil_is_dead_long_live_itil.html">ITIL is Dead! Long Live ITIL!</a>.&#8221;  Dan makes some very good points, stating that whatever standard one uses, it has to cover similar territory (managing changes, tracking patches, etc.).  In the end, IT managers will need to think for themselves.  There is no magic automated process.  It comes down to having useful frameworks from which to selectively draw.
</p>
<p>
<a href="http://www.forrester.com">Forrester</a> addresses this issue in a report titled, &#8220;<a href="http://www2.cio.com/analyst/report3888.html">The Management Process Alphabet Soup</a>.&#8221;  The article states, &#8220;Looking at these frameworks, we find that they are mainly complementary, but they lack directly actionable recommendations, which makes them excellent guides and checklists rather than implementation blueprints.&#8221;  Forrester&#8217;s conclusion:</p>
<blockquote><p>ITIL is relatively weak in security controls and weaker yet in metrics and outsourcing, two areas where ISO and COBIT shine. We believe that:</p>
<ul>
<li>Process improvement is not a choice. The evolution of IT is such that both complexity and cost containment will exert continuous pressure on IT operations and make best practices the only answer available to organizations.</li>
<li>ITIL, COBIT, and ISO are good sources of inspiration. When it comes to process improvements, the tried and true is difficult to beat. But a single source of information may not be enough. Combining elements of at least these three major frameworks will broaden the scope of the resulting process and improve its quality.</li>
<li>People and organizations will resist change. This leaves two choices: 1) be very dogmatic about the ITIL, COBIT, and ISO recommendations or 2) use them as a reference to define the best possible solution that fits the current organization. CASE, CMM, and ISO 9000 used a very sectarian implementation approach 15 years ago that mostly failed. A consensus and educated approach must be favored over the creation of “process police.”</li>
<li>Certification may be useful but not necessary. Certification brings expertise to an organization that you can use to design or overhaul processes. However, if your company tends to reject the creation of elitist groups, skip certification — it’s not mandatory. Building a widely accessible reference library and educating the organization through process champions and advocates may provide better results.</li>
</ul>
</blockquote>
<p>Remember, ITIL is about to undergo a major revision.  TalkBMC has put out a very good podcast with Ken Turbitt titled, &#8220;<a href="http://talk.bmc.com/podcasts/podcast-turbitt5">The Inside Scoop on the ITIL Refresh.</a>&#8221;  Ken talks about Version 3 of ITIL being an entire rewrite of ITIL.  He points out that while ITIL v2 focused on IT to business alignment, ITIL v3 is a lifecycle approach to services that IT delivers to business.  What I was pleased to hear is that security, along with other traditional functions, is &#8220;baked into&#8221; appropriate parts of the lifecycle.  Often I found people looking at the ITIL functions, like change management, as silos which they could choose to implement or ignore.  That never made sense to me since these IT functions are dependent on each other.  I look forward to learning more about ITIL v3.  Now, if only I could afford to buy the documentation.
</p>
<p>
Another great podcast from TalkBMC included Ken Turbitt and Peter Hill discussing &#8220;<a href="http://talk.bmc.com/podcasts/podcast-turbitt3/">ITIL Versus COBIT.</a>&#8221;  In the podcast, Ken and Peter examine how COBIT complements ITIL and where they differ.  The issues they address are based on a paper they did together, &#8220;<a href="http://www.bmc.com/USA/Communities/attachments/BMC_BPWP_ITIL_COBIT_06.pdf">Combine ITIL and COBIT to Meet Business Challenges.</a>&#8221;  To quote the paper:</p>
<blockquote><p>ITIL provides a framework for best practice processes in ITSM that help IT manage resources from a business perspective. COBIT provides the framework for setting business goals and objectives, and measuring the progress of “ITIL-izing” the organization to meet those goals and objectives. </p></blockquote>
<p>What scares me are those people that have become religious about one standard.  One should question both sides.  itSMF quotes as the benefits of ITIL, &#8220;up to 70% reduction in downtime, 1000% return on investment, and time savings of 50%.&#8221;  Those are such amazing numbers that I wonder how anyone can see them as anything but hype.  The IT Skeptic wrote a <a href="http://www.itskeptic.org/node/21">post</a> that addresses these and other statistics.  I am not saying you should read the IT Skeptic and take everything he says as Gospel.  Become agnostic.  Whatever position you take, it is good to be aware of the arguments and back yourself up with real facts.  In some cases, there just are no real facts.  IT is complicated and ever changing.  Not to quote is much more acceptable than to quote hype.
</p>
<p>
In the IT world, we have pressure to decrease cost, increase reliability, secure the data, and comply with various regulations.  New ways to deal with the information flow come out daily.  Agility may be king in 2007.  Or maybe that is just hype from vendors trying to sell us new things.  I just don&#8217;t see things slowing down.  Thinking that one standard fits all is a little naive.  As Noel points out, if you make the standard &#8220;non-prescriptive&#8221; so it is adaptable, it does not help actually implement anything.  Frameworks and best practices have to fit together with implementation guides.  One has to examine the business model and determine the needs of the business.  There is no place for those that limit the solution by only learning one way to address the problems of today&#8217;s IT.  </p>
<p>
I do not see any easy answers.  Contrary to what a salesperson might say, I have not run into too many complicated problems that were solved without a great deal of effort.  To quote Jacob August Riis, &#8220;<a href="http://www.quotedb.com/quotes/2783">When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.</a>&#8221;  Anyone telling you that they have a simple solution is just selling you <a href="http://en.wikipedia.org/wiki/Snake_oil">snake oil</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/02/04/alphabet-soup/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

