Published: March 29 2010, 04:39 PM | 1 Comment(s)
by Robert Stroud

I have been involved in ISACA for some time in various roles from member to committee member and am now a member of the ISACA board of Directors. Fundamental to each of these roles has been my involvement in ISACA frameworks and their development. For some time ISACA staff and volunteers have been developing the strategy for the future of the ISACA COBIT 5 framework. This week is a significant one with the first external deliverable available, the "COBIT^® 5 Design Paper Exposure Draft" for review and comment by the community.

COBIT 5 is the next evolution of the ongoing development of the ISACA frameworks and standards including COBIT, VALIT, RISKIT, ITAF and BMIS and will look to both consolidate and integrate these, but more importantly the resultant framework will be easier to use and extensible. COBIT 5 will take into account recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT, will be easier to use and will deliver guidance on how to implement including migration from previous versions. Of special interest to me personally will be the focused guidance on functional responsibility and organization views to allow practitioners to focus on specific domain and how COBIT can assist them in their role. 

I personally plan to provide feedback on the use of practical components including aspects such as KPI's (Key Performance Indicators), maturity models, integration with other frameworks such as ITIL, PMI and standards such as ISO\IEC 38500:2008 and the applicability and application against compliance requirements.

I encourage you to download the exposure draft and to complete the online questionnaire, providing input and validating ISACA assumptions. This is a rare opportunity to be involved at the ground level so I encourage your involvement and make a contribution.

Share this post:  Email

Share

Published: March 25 2010, 04:47 PM | no comments
by Jeff Foucher

Share this post:  Email

Share

Published: March 22 2010, 08:40 AM | no comments
by Robert Stroud

It was with much pleasure that I read the weekly @ISACA communication last week in which the slate for the 2010-2011 Board of Directors was announced including myself for a 4^th term. Serving on the ISACA board has been one of the highlights of my professional career and comes with a great sense of responsibility and my personal acknowledgement that I am accountable to the more than 86,000 members globally.  I will be formally appointed at the Annual Meeting which is held in conjunction with the International Conference in Cancun Mexico June 6 to June 9 which all ISACA members globally are invited to attend.

For more information on ISACA or COBIT visit the ISACA website at http://www.isaca.org/.

Share this post:  Email

Share

Published: March 15 2010, 11:55 AM | no comments
by Robert Stroud

While in Mumbai last month I was fortunate enough to spend a day with the Indian itSMF leadership and present at their event in Mumbai (for those interested in cricket it was the day Sachin Tendulkar scored 200 runs in a one day international, the only player to ever do so). The session followed the ISACA Asia Pacific CACS conference and meetings with several CIO's in which we discussed a range of topics including: the growth of ISO\IEC 20000 in India (refer to past blogs by Jeff and myself), the implementation of governance and the rapid rollouts of virtualization, a strong interest in cloud computing and a focus on automation.  If you think about it, with a market of 1.2 billion, repeatability and automation are keys to success.  

In India, many IT Service Management implementations are moving from the process by process approach where you mature a single process before commencing another, to a cross process approach where you do components of multiple processes at a time.  The cross process approach acknowledges the static inputs and outputs and dependencies of each process and is typically based on achieving a maturity level across each of the processes and may be followed by a similar controlled implementation until you reach the targeted maturity level.  For instance, many of us walk and run to some level but a professional athlete would develop their skills to a higher level to support their maturity level.  Over my time all too familiar with Service Management implementations, I have seen starting and ending with a brilliant incident management implementation with minimal focus on other process.  Don't get me wrong, resolving outages are important, but if you agree with many, better change management in the form of user acceptance, system testing, and regression testing should be considered.  For instance, by recent blog on Service Levels, the Toll collection system cannot afford downtime, so isn't it better to spend additional time in testing of change rather than racing to implement to meet a date and then being spectacular at resolving outages. 

Back to India, the itSMF Indian event discussed the theme that is emerging in India where Service Management implementations are now typically on clusters of processes with a maturity level identified and confirmed with the business in advance of the implementation.  For instance, the implementation of change management with configuration, release management, capacity and service level management.  These processes are all linked and must be implemented in some degree for success.  In reality, once the business determines what the business service looks like and is approved, typical attributes include service level metrics, which in turn assist in the determination of capacity requirements and also allows determination of the criticality of the service, thus determining the level of testing (systems, user, integration etc).  All this together ensures that when the service is transitioned to production, the support organization will be cognizant of the requirements and can accordingly prioritize support. 

Challenges with ITIL and ITSM implementations I frequently see is too much focus on implementing incident management.  Getting better at fixing issues over time often has the effect of eroding confidence in IT.  Think about your own practical experience, I for instance always ask for my burger without onions and eight out of ten times it arrives with onions.  Then I ask for another and it arrives without onions (a workaround in ITIL terms).  Now the burger store can be brilliant at dealing with incidents but over time confidence is eroded and think about the impact on the burger store including the waste of time, raw materials and so on.  Logic tells me that it is better to work on the ordered (request process) and get that correct.  Even better results are experienced when implementing change management, service level management and so on, and implementing a combination of processes is a better method of obtaining a balanced business focused implementation. 

One CIO of a large and growing Indian IT organization claimed that by leveraging service management, he has reduced his total numbers of incidents dealt with by staff by 50% with the implementation of self service (described well in the ITIL v3 Service Operations guide).  Automation includes password resets, on boarding and off boarding employee's and the automated virtualization of their Intel server environment, which allows for the automated provisioning based on an automated change process.  The savings were also in terms of staffing as well with the redeployment of former level 1 support staff headcount to the newly created roles of business analysts, who are now ensuring IT is working towards business expectations.  The deployment of this implementation took less than 12 months and the investment will recover costs in 12 months.

India reinforced for me what the better service management implementations tell me - implement a number of processes in parallel in small manageable sprints that show value to the organization with the additional benefit of ensuring the transitioning culture can accommodate the change.

For my Indian friends, I look forward to spending more time with you later this year.

Share this post:  Email

Share

Published: March 12 2010, 04:45 PM | 1 Comment(s)
by Jeff Foucher

 The CA Championship is underway, with 9 of the Top 10 golfers in the world taking their best shots at the vaunted Blue Monster at Doral.   As a lifelong golf aficionado, and one of those rare birds who finds equal satisfaction in watching, playing and analyzing golf statistics  - I read with keen interest Friday's Wall Street Journal article titled "A Stat is Born:  Golf's New Putting Measure", which formally introduces the PGA Tour's newest Metric of Success:   "putts gained per round".

While this new metric could probably use a punchier name, the rationale for its creation lies in an age old question, previously unanswered despite golf being almost as old as the dirt on which its played, and despite the massive dataset which the PGA Tour has compiled over the past 30 years.  

The question:   Who is the Best Putter?

This is not an insignificant question, in a game which readily comes down to the old mantra:   Drive for Show, Putt for Dough.   Whether you are a scratch golfer or a Sunday hack, you are likely familiar with the knee-buckling, palm-sweating and heart palpitating symptoms of golfing's "last mile"   Yet traditional measures have proved inadequate - despite their longstanding acceptance.

Putting Average - the current standard, computes only putts taken on greens reached in regulation.  This approach excludes the 30% of putts which are made on greens not reached in regulation.   Other accepted metrics have similar biases and variability which again makes them only marginally able to quantify a true measure of putting success.

"Statistics can just become a big splash of numbers and not mean anything.   But this, we think, will mean something," said Steve Evans, the PGA Tour's senior vice president for information systems.   "It's complex to calculate, but simple to understand".

Pretty well sums it up....simplicity and innovation in the face of complexity.  Of course, since this quote came from an IT guy, it got me thinking about how IT executives are (or aren't) aggressively pursuing innovative new Metrics to keep pace with the massive datasets they've accumulated over the years, and to support the innovative technologies and delivery systems which they have created.   

A recent CIO briefing I attended touched on this -with the CIO himself challenging the long-standing financial baselines used by IT executives to measure earned value contribution.   I found this refreshing and yet as the conversation evolved, the real challenge was in establishing some consistent, standard and consensus measures of earned value.  

Put simpler - a normalized and standardized way of looking at IT Service Cost Models.   This becomes an essential metric:  "How much does X service cost" and "How much does that X service cost compared with Y competitor or Z industry or W service provider or cloud host"?.

Until an apples-to-apples service cost benchmark can be established, individual organizations will be at the mercy of service providers and cloud hosts who purport to be able to do it "better, faster and (most importantly) cheaper".    While these delivery models certainly have the implicit advantage of economies-of-scale, they are able to do this by standardizing the services they provide (the "good enough" concept).   They have stripped out the variability and pet projects and customization inherent in so many organizations, and their cost-of-service baselines.   

But how then to determine which Service Provider to select?   Are they all using a similar standard set of Cost variables?   Are they all delivering the same quality of services?   Are they all delivering the same security or portability?

Similarly, while much of the discussion on Cloud Computing seems to cite the primary barrier of "security" and "quality" - in my opinion having a Cloud Cost Benchmark for a set of standard services will soon become the real barrier to comparing, selecting and switching service providers.   

And finally, as IT executives continue to innovate their own services, having a new set of metrics will be needed to fully communicate the value they are bringing.    Without these, they risk marginalizing their gains because of antiquated measures.

For what it's worth, using the PGA Tour's new putting metric, Luke Donald would be considered golf's Best Putter.   I've got my money on another Brit to tame the Blue Monster this weekend:   Paul Casey.

What are some innovative metrics your organization is using?   

Share this post:  Email

Share