Q&A: Regulations and Security Drive Organizations to Adopt Frameworks
Why organizations are increasingly adopting the IT Infrastructure Library
Looking for a good framework?
Thanks to regulations, businesses are increasingly seeking frameworks for managing security, compliance, and related controls. For IT operations in particular, one dominant framework is the IT Infrastructure Library (ITIL), a set of service management best practices. Developed by the Office of Government and Commerce in the United Kingdom, ITIL helps organizations improve everything from incident management and problem resolution to change management and help desk effectiveness.
To discuss ITIL, we spoke with Rob Stroud, director of brand strategy for CA, who’s on the advisory board for the third version of ITIL—due out by the end of 2006—and a contributing author for another widely used framework, the Control Objectives for Information and related Technology (COBIT).
What is ITIL?
It’s a framework, typically aimed at the operations side of the business, but it also stretches into the business alignment bit that everyone’s trying to do now. … So it’s an IT operations framework, that’s where it fits into the world. It’s not a governance framework, like COBIT. …
Does ITIL compete with COBIT or ISO 17799?
There is a myth to debunk that they’re all totally competitive. Really, we’re designing these to work together. … In fact, I know of a couple of organizations in North America that will have all [implemented] next year. … It’s certainly moving that way for many organizations.
What’s ITIL used for?
Things such as automating incident management and problem management—automatically creating trouble tickets—or managing aspects of change management. Then more mature organizations are moving up to service-level management, where you’re understanding which parts of the business are impacted, and you’re managing service levels.
How is ITIL designed?
ITIL has three components. First, there’s IT alignment with the business, which everyone wants to do. Second is improving customer service, and that gets back to aligning with the business. So, understanding when you have an incident, [what will the impact be]. Say you have a server in the corner. What you really want to know is, which processes are affected when the server goes down … so theoretically you can automatically resolve the problem. Third, then, is reducing the cost of running your IT environment.
So ITIL helps organizations add business context to the hardware and software they rely on?
With a good ITIL implementation, you have that business layer—all your technical components are being represented back to the business in terms of business metrics, business impact, but as an IT professional you’re also getting the information you need to know how to resolve business problems.
IT is like the cobbler’s children: we’re very good at automating the services we deliver to clients but we’re not very good at automating our own, internal systems. So with ITIL you document your processes. … Then you automate them, and once you automate them, you have the opportunity to remove things that don’t add value. In addition, you can really fundamentally allocate resources to deliver value or give business benefits back to the organization. …
The fundamental improvement with ITIL is [that] you’re talking the same language as the business.
What’s an example of how an organization might use ITIL?
One of the things I’ve seen, for example, is incident management. Say you have something basic, like a password you forget. Now we’ve seen most organizations implement automated password reset systems … but in the past, those reset requests would go to a centralized help desk, and someone would resolve the problem manually. Now, however, password resets [are very often] automated.
If you have a service desk where people deal with issues as they come in, and you’re actually prioritizing those by business impact, then you can route ones that hit a major business system to the top of the IT queue … to resolve them first [and ultimately, to automate their resolution].
Another example would be just understanding a problem you have fairly regularly and you know about, such as that rebooting [a particular] server tends to fix it. … [With] ITIL, you have the people who would typically work those calls working on a fix instead, resulting in higher up-times, reliability, and so on.
Who leads an ITIL initiative?
For a long time, it was people in what was then called the help desk or the customer support desk, since this was a single point of contact in IT. Now, however, we’ve seen CIOs start to look at ITIL for their IT organization, to drive efficiencies. Also, we’re starting to see service management roles, such as change manager or problem manager, which are all related to ITIL. I’m even seeing organizations have service-level managers as well, where you’re really looking at the uptime.
Is ITIL adoption predicated on any technology in particular?
ITIL is fundamentally a combination of people, processes, and technology. In an ITIL implementation, you look at your organization’s structure, and you look at the maturity of processes, including service, support, disciplines such as the service desk as a function, supported by incident, problem, change, capacity, and configuration management. …
Most people look to see, where are the glaring errors in their organization at any given time? So people will sit down and just see where they need help, then implement a [specific] tool to help those processes.
Is use of ITIL increasing?
In the ITSMF [the not-for-profit, volunteer-based IT Service Management Forum], … we have doubled our membership each year. The North American chapter is either the largest, or about to be the largest, chapter in the world. With ITIL in North America, there were very few of us in 1999 that knew of it. … Now, however, it’s becoming a framework people truly know and understand, and accept to some degree or another. I’m also told China and Japan have rapidly growing ITIL markets right now, and Korea too.
So it is a fast-growing, global phenomenon, and here to say. Clients are asking now for our software to be ITIL-compliant, or we can’t respond to an RFP [request for proposal]. Five years ago, that was something we’d hardly ever see.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.