To ITIL® V3 and Beyond: Travels with Rob Stroud

I'd like to make a quick point. There are times when I find the discussions surrounding ITIL® v3 popularity to be superfluous. That's because whether or not people are "for" ITIL v3, if they want to work for successful organizations, they have probably already put several aspects of ITIL v3 into practice -- whether they realize it or not.  

I recently visited several European ITIL practitioners who are in process of transforming their ITSM implementations to support their dynamic business environments -- the objective, to innovate as the market demands. As the head of the ITSM team at a large manufacturer commented, "any ITIL implementation that is service aligned is doing much of v3 already." I concur.

In his case, Knowledge Management, Self Help and Access Management have been part of his culture for the last 12 months and pre-date the launch of v3.  

So please. There is no "for" or "against." You are going to adopt some practices that are suspiciously reminiscent of ITIL v3. If you choose not to label them as such, so be it. Or, to paraphrase Chelsea Clinton, "that's absolutely none of my business."

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Those of you struggling with bringing IT and business alignment to life through your ITIL® initiative may be surprised to learn that your salvation may lie in a free download.

Even with the improved use of organizational charts and metrics in ITIL v3, some practitioners have commented that the linkage to a sound maturity process is still lacking. This is where COBIT, which is available for free from http://www.isaca.org/, can assist.

Many companies that I work with have been using COBIT's Key Performance Indicators, Maturity Models and RACI Charts (which track  Responsible, Accountable, Consulted and Informed persons for every process) to provide metrics and structure for their ITIL processes.

COBIT is the governance framework that aligns business strategies and objectives with IT deliverables by identifying and analyzing the IT processes and measurements needed to construct processes that deliver desired business results.

COBIT provides the missing governance capabilities for your ITIL processes, helping you measure and assure performance and roll up the metrics to business requirements to provide a holistic view of your performance.

While ITIL does offer performance measurements and organizational information, in my opinion these don't roll up to the business level to the extent COBIT does.

For example, take a look at COBIT process DS1, Define and Manage Service Levels, which is defined as control over the IT processes of defining and managing service levels with the objective of ensuring the alignment of key IT services with business strategy. COBIT identifies requirements, inputs, outputs, report requirements, organizational impact, metrics and the maturity model (every COBIT process has its own maturity model to show you where you are and where you are going ) -- all of which can assist you in your ITIL journey.

So go to isaca.org and download COBIT.  It's on me.

By the way, check back at isaca.org in the next few weeks for mappings of COBIT 4.1 to ITIL v3.  We'll have two versions to choose from depending on whether you have an existing leaning towards COBIT or ITIL.  

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

The IT Skeptic recently wrote a blog entitled “Perhaps one day Service Management will become a universal discipline: ITIL 4?” It starts, “Who left the IT in itSMF? What a shame we have kept our focus narrow.”

Some of you may be thinking that’s absurd, of course there should be an “IT” in “itSMF.” But I can tell you that as part of the COBIT v4.1 discussions, we seriously considered the relevance of “IT” and the possibility of removing those letters. Something that many people forget is that the “IT” in COBIT is actually “information and related technology”, not “Information Technology” as many assume.

As the COBIT “IT” represents that the information we manage, and how we manage it, are key, we decided to keep it, excuse the pun. COBIT V4.1 provides an appendix on mapping Business goals to IT goals and IT processes. I don’t believe we went that far in Service Strategy in V3, although good guidance on driving the IT strategy from the business strategy and constraints is well documented. So the “IT” in COBIT is fair, but what about ITIL….

IT and the business are becoming more integrated and dependent on each other. As the skills required by our IT professionals incorporate more business knowledge, the line between what is IT and what is not will become increasingly blurred.

In the Governance space, we have already seen the adoption of Project and Portfolio Management (PPM) processes, historically employed for IT, adopted by the business for new business initiatives. The same is true in the Service Desk area.  I recall a recent visit with at an organization that is using its Service Desk product to track and manage not only IT incidents but also calls from external customers about products purchased at the organization’s website—clearly a business function.

Of course, “IT” will always be a must in certain applications, for example, the t-shirt sold by the IT Skeptic that declares “If IT ain’t broke don’t fix it.” We’ll table that discussion for the time being, but the question as to when to label something “IT”--be it a process, a practice, or an organization--will be raised with increasing frequency.

In a recent blog posting, I suggested that you take a look at the IT Governance Institute's recently released IT Governance Global Status Report. IT Business Edge interviewed me on the survey results contained in the report. You may be interested in the article entitled "IT Governance: Taking it from the Top." The author, Ann All, also discussed our interview in her blog, the Visible Enterprise, in a posting entitled "COBIT, Other Frameworks Can Help Impose Order on IT." 

The IT Governance Institute just released its IT Governance Global Status Report, which can be found on the ITGI home page. The report analyzes survey responses from almost 750 CIOs and CEOs on a variety of ITG issues. It contains a myriad of nuggets that will be great blog fodder for months to come.  But, assuming that as a reader of my blog, you are an IT professional, and not someone who found me while searching for the Birdman of Alcatraz, it behooves you to look at the report for yourself. 

The survey set out to determine:

1. The degree to which ITG is recognized by boardrooms and CIOs
2. Levels of ITG expertise and use of frameworks
3. Perception of ITGI's own CobiT framework

The report conveniently focuses on 13 key findings from the survey and is bound to be quoted in best practices and IT governance articles, presentations, yes, and blogs, for some time to come.

In the interest of full disclosure, I am listed in the report as a member of ITGI's board of trustees and its IT Governance Committee.  And, though we share the same name, I am not related to the Birdman of Alcatraz. That I know of.    

As I traveled to the Sultanate of Oman for the Asia-Pacific Computer Audit, Control and Security (CACS) Conference hosted by ISACA, an air travel incident presented a painful reminder of the importance of having a contingency plan.

The beautiful city of Oman has only a small number of incoming flights each day, so I allowed for a seemingly ample 36 hours to make sure I'd be on the podium giving my speech at the specified time. I even arrived at JFK Airport two hours before the already obscenely early suggested arrival time just in case I could catch an even earlier flight for the first leg of my journey.

During check-in I was told my flight was on time, but moments later, I received a message on my Blackberry that my flight had been cancelled. I knew I was in trouble when I saw that the line at the counter was already a mile long. While standing on it waiting for assistance, I hedged my bets and also called the airline service desk. Twenty minutes later, I was at the front of the line still listening to "your call is important to us" (when should you change from holiday hold music by the way?). The counter staff confirmed triumphantly that I had been automatically rebooked on the next flight to London. Got to love automated workflows. I only had to wait 20 hours for my connection. On the bright side, that did leave plenty of time for emailing and blogging.

Although my situation was dealt with expediently, I am sure that you can understand my disappointment and frustration when I discovered that my carrier could have swapped me to an alternate carrier and I would have made the original connection to Oman. While the airline may be under the impression that it dealt with my incident in an efficient manner, I can tell you the user satisfaction score on a survey of one (me) would be zero.   

There is a lesson in all of this, and I had plenty of time to think about it during the delay. As we as IT professionals develop our ITIL® incident and problem management solutions and get closer to the consumer with our technology solutions, we need to incorporate processes that account for the human element. Humans are emotional. They are going to react to long wait times, disruptions and unwieldy processes-even if those inconveniences fall within what the organization has deemed acceptable procedures and service levels, and even if those inconveniences are not the fault of the organization. 

Forget the human element and you're likely to be caught off guard presenting "everything is peachy" reports to executives who come back with scathing quotes from their griping employees or customers. 

By the way, I did make it to Oman, not as rested as I would have liked, but thankfully just in time for my speech.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

Of course I was delighted when CA CMDB r11.1 received a gold award in SearchDataCenter.com's Data Center Products of the Year 2007. I did think that the title of the award category, "CMDB and provisioning," was quite interesting, especially after just coming off of some itSMF USA planning meetings where we discussed, among other topics, the continued and growing interest in the CMDB and the need for automation to ensure the correct focus, timely updating, and ultimately value, of a CMDB initiative.

"Provisioning" refers to the solution's ability "to supply" or "to fit out" the CMDB-that is to automate to ensure that the appropriate data is loaded and managed.  The fact that the other award category titles (i.e. Data Center Automation and Performance Management Tools) did not include the "and provisioning" modifier, though they could have, makes me wonder why CMDB was singled out in this manner.  In a way, it was a nod towards an idea I blogged about that beyond the CMDB there is a Configuration Management System or CMS that provides the automated functionality that supports the provisioning of the CMDB.

Whether or not there was a real need to include "and provisioning," there is no doubt that CMDBs devoid of the tools needed to provision are apt to become outdated quickly. Automation of the CMDB is more than advantageous--it is essential to ensure the integrity and practicability of the CMDB.                

For those of you interested in taking the title of my blog literally ("Travels with Rob Stroud"), I invite you to meet me in Muscat, Sultanate of Oman, at the Shangri-La, Barr Al Jissah Resort and Spa on January 21 and 22. I'll be delivering the keynote at the Asia-Pacific Computer Audit, Control and Security (CACS) Conference hosted by ISACA. With more than 65,000 members in more than 140 countries, ISACA is a recognized worldwide leader in IT governance, control, security and assurance, and I'm proud to be a board member. The keynote will feature my thoughts on "Harmonizing COBIT, Val IT, ITIL® and ISO 20000: Best Practices for IT Governance."

I couldn't resist showing you this gorgeous venue. I'll bring you news from the conference in a future blog.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

The commingling of ITIL® and security has drawn increased attention at the conferences I've attended recently. No doubt security is a hot topic, fueled by highly publicized security exposures. 

Though ITIL v3 formally introduces the security concept of Access Management to ITIL for the first time, ITIL processes have dealt with security issues for several years. Five years ago, IT service desks everywhere faced a huge issue in the ever-mounting numbers of password resets needed--a problem caused by the large number of passwords, draconian password change rules and lack of self help capabilities. Password resets represented up to 60% of all service desk incidents in many organizations. Today we have a self help capability for resetting passwords and automated processes to request and automate access. These automated processes are similar to the ITIL v3 processes from the Service Operations volume for Access Management and Self Help and are great examples of business driven automation now promoted by ITIL v3.    

Within the security arena there are evolving standards in the ISO 27000 series (the series of standards have been specifically reserved by the International Organization for Standardization (ISO) for information security matters). ISO 27001 is an accepted standard currently in use and is intended to be used in conjunction with the coming ISO 27002, which will replace ISO 17799. ISO 17799 is a generic set of best practices for the security of information systems, considered by some to be the foremost security specification document in the world.

The IT Governance Institute, of which I am a board member, worked with the Office of Government Commerce (OGC) on a paper exploring the relationship between the best practice frameworks COBIT and ITIL with security management as described in IS0 17799. The joint publication on "Aligning COBIT, ITIL and ISO 17799 for Business Benefit" is available for download and is one of ITGI's most requested publications.

I am pleased to advise that a refresh of this document is currently underway and is scheduled for release in the first half of 2008. The new version will provide additional guidance on leveraging COBIT and ITIL to address security issues.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

I'd like to welcome Kirk Holmes of Holms and Associates, Inc., Sallie Kennedy of Kennedy & Kennedy, Inc., and Lisa Schlaf of Econ Global Services to the itSMF USA board. You can read the press release here.

I've been involved with the itSMF USA since 2001. Currently, as a director, I serve as the chair of the events committee, which runs the annual itSMF Fusion event, arguably the largest IT Service Management (ITSM) event in the world.

itSMF USA and its umbrella organization itSMF International, are instrumental in driving the awareness and acceptance of ITSM globally. If you are interested in learning more about, or contributing to the growth of, ITSM, I strongly encourage you to check out an itSMF USA Local Interest Group.   

Poor change. Bad enough that people resist change, but, in IT, change is unjustly accused of causing problems and may be unable to defend itself of the charge. I'll explain.

I spoke with an IT exec from a retail organization recently about the absolute importance it places on the holiday shopping season. During this period of high transaction volume, his IT department has a critical responsibility to ensure system availability. The company's financial future depends on it.      

To prevent any IT changes from affecting this crucial two month window, the organization routinely implements a change freeze on ALL their systems from the middle of November until the middle of January. The freeze is in place to eliminate the potential for any IT change to introduce problems that could negatively affect business systems.

While a bit like using a jack hammer to crack a walnut, this drastic measure is the only way the organization can guarantee that IT will not introduce change that can result in diminished infrastructure performance and reduced profits. Such procedures are routinely employed in companies that freeze all changes to ensure problem-free month-end or year-end processing. 

These extreme measures would not be necessary if ITIL® change and configuration management processes and a configuration management database (CMDB) or, as I blogged, a configuration management system (CMS), were in place. Strong processes could mitigate risk associated with change. With relationships between IT infrastructure configuration items (CIs) captured in the CMDB or CMS, decisions as to what changes should and shouldn't be made can be based on reality, not the fear of the unknown.

Without change and configuration management processes in place, organizations cannot confidently predict the impact of change, nor defend a change that is blamed for the latest system hiccup. Change is guilty until proven innocent, but without a CMDB or CMS, proving innocence is difficult. By the time a change has been cleared of all wrongdoing, its name has been tarnished, a rash of emails about it have flown around the company, the damage to IT's reputation is done, and its time to look for another job.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

I've decided to use the upcoming holiday season to launch an ITIL initiative in my home. With all the time I spend evangelizing on ITIL, it is only natural that it has crossed over from my business life to my personal life.  

My idea was prompted by a conversation I had with an energy sector executive. Our discussion covered the increasing reliance of business on technology. This was exemplified by the exec's energy company, which is in the middle of replacing their out-dated meter reading process. The current process necessitates bi-monthly visits to clients' backyards, and in-between estimates of power usage, which I can tell you from experience are never close. The new system is made up of smart meters that automatically send actual usage information back to the company. The system also allows customers to view their power consumption online. This got me thinking.   

With winter in the northeast of the US fast approaching, steps to leverage this new system to manage my power consumption would yield real value. I began to think like a business--a business that has adopted ITIL best practices of course.

I am going to set up a process to monitor and manage power consumption remotely. I'll use alerts to notify me when my threshold of acceptable power consumption is exceeded.  I'll send automatic and electronic change requests to the thermostats controlling my heating to lower the setting. I'll verify the change is correctly implemented by checking the power consumption (which should immediately decrease) online.

Managing all of this in my head will be complicated, so I'll document the event management and change management processes involved. 

What maturity level do I attempt? How do I know I am done? As currently planned, my total expenditure for this project is conveniently just under $1000 (I say conveniently because in my house, projects over $1,000 require a business case). I will need to consider the impact on resources: I will not be available for the annual backyard cleanup process (well documented in the annual work list) and I may have to miss a play or two of football.  Still, I think it will be a weekend well spent.  

Back to the energy company discussion for a moment. One of the points made by the exec was that the line between IT and business processes are increasingly blurred. The Technology Service Desk is handling more questions every day as more business is transacted via the web and customers have greater freedom to manage their own power consumption. The smart meter proactively sends data to the billing process which interfaces with clients' bill payment services. Electronic alerts notify customers that their bills have been automatically paid. The value to the energy company is a more constant cash flow, which leads to a reduction in the number of days that receipts are outstanding.  With less overhead, the price of energy declines.

If the focus was on departmental silos instead of on the overall business solution, we would have lost sight of the primary business driver, which is to provide energy with less overhead, allowing delivery to be at a lower cost and ultimately playing a role in the greening of IT and the business.

So what is the business driver for my household ITIL implementation? I travel so much that I need to control the human manual override within my house--my wife and children who continue to believe that holiday lights should be on all night and 80 degrees is the optimal temperature indoors--even during a New York winter.  

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

I recently spoke at a number of very well attended CMDB seminars. Without fail, I was asked the following question, either during my talk, or afterwards during the accompanying networking events: How can I implement a CMDB and show value quickly?

I subscribe to a notion that my blogging colleague Marv Waschke recently wrote about in his Iterating on IT Service blog posting entitled "ITIL v3: Simplifying Complexity."  That is that implying that something inherently complex is simple raises all kinds of suspicions and red flags. That being said, happily there is a proven way to implement a CMDB and show value quickly. I'll explain.        

A large manufacturing client I spoke with at a recent event completed their initial CMDB implementation in 60 days. In a future blog posting, I'll cover how they managed to implement so quickly. For now, I'd like to delve into how they managed to deliver value so quickly, using a technique they dubbed "scenario planning."

Scenario planning involves developing a number of business scenarios through which the CMDB would add value, leveraging "high value CIs." (A high value CI is a parent CI, usually a business service or critical asset in the organization.) These scenarios are used to support the business case for funding the CMDB. By limiting the scenario scope, work is focused on delivering benefits most important to the business. For this client, recent outages reinforced the premise that the efficient running of the production line should form the central focus of the CMDB implementation and the service levels that related to it. 

Their selected scenarios included the following:

1. Identifying major incidents affecting the production line (one of our high value CIs); identifying the IT systems and processes involved; finding the root cause; and fixing the CI with a change.
2. Resolving an error identified late in the release cycle of a change and using the relationships stored in the CMDB to determine the critical components to be tested prior to releasing the change to the production environment.
3. Identifying critical components and ensuring that they are identified appropriately so that the change process ensures that all changes to technology affecting the production line are scheduled during downtime.

The scenarios were carefully selected to meet the clear objectives of ensuring compliance with service levels, and ensuring that unscheduled changes do not affect the production process. With well-defined scenarios purposefully designed to address important organizational issues, the initial CMDB implementation was able to proceed with a laser-like focus on processes that the organization already acknowledged it needed. The value of the CMDB was quickly evident.

To ensure that value is quickly realized, the initial CMDB implementation must not be sidetracked into superfluous CMDB muscle flexing. Rather, the success of the scenario planning technique is dependent on IT's ability to concentrate solely on the CMDB benefits that can address specific business priorities. I suggest those of you facing a CMDB implementation give this technique serious consideration.

For more CMDB implementation advice, I recommend reading the eBook entitled Delivering Better Service with a CMDB, written by Shirley Lacy, industry expert and ITIL® V2 and V3 author. Chapter 1 introduces you to Configuration Management and covers the critical success factors in implementing a CMDB. You can read it for free by registering here.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

IT tools with sticking power sometimes outgrow their original names and graduate to become "Management Systems." Anti-virus tools became Security Management Systems.  Network monitors became Performance Management Systems. Consider the CMDB. Is it time for the CMDB to become a Configuration Management System (CMS)? Let me put a stake in the ground and say, "it depends."

In ITIL® v2, the CMDB evolved into a repository of Configuration Items (CIs), which are the components that make up the IT infrastructure. The CMDB held relationship and dependency information needed to perform analysis to solve system problems quickly, prevent outages, and provide visibility into the impact of changes.

ITIL v3 elevates the CMDB to the more business-aligned CMS by focusing on business value rather than infrastructure components.

A large global financial institution I met with is using a CMDB to assist change management processes by understanding CIs and gauging the impact of CI changes on production. A change was being made to a piece of code running on an application server. The change looked simple enough, but the server was shared and bringing down the server would have brought down a critical business application. A business decision was made to mitigate that risk. The institution's Change Advisory Board (CAB) determined that a business application so vital to the survival of the organization should reside on another server and necessitate a contingency plan to ensure acceptable service levels are maintained.

The CMS moniker conveys that the CMDB, when used as a part of an overall system, goes beyond storing CIs to supporting business strategy. The business value is not in a database of CIs on its own, but rather in a system where the database of CIs is considered with processes that leverage that data in support of the business.  

The CMS is more than the CMDB and reflects the infusion of good IT Service Management (ITSM) practices. Many people that say that they have implemented a CMDB have actually implemented all or part of a CMS.

I think that the use of CMS versus CMDB depends on the extent to which sophisticated analysis that is helpful to the business is performed. Of course, CMDBs that come complete with analysis and reporting tools are more likely to bring value to the business.  But a vanilla homegrown database of CIs can also perform as a CMS, though more manual effort will be needed to yield tangible results.   

Configuration Management Systems are described in detail in the ITIL v3 Service Transition volume. Take a look.  

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

In my travels and in this blog I have noted the widespread interest I've encountered in the CMDB. Though there is not a lot of quantifiable data available on CMDB use, my own observations are validated in a survey conducted by Freeform Dynamics.

My webcast on the survey, co-hosted by Martin Atherton of Freeform Dynamics, is available as a replay and is one of the most highly attended webcasts I have ever conducted on a CMDB-related topic. I take that to mean that IT professionals are thirsty for data to back the claims of widespread CMDB adoption.

The survey found that 20% of respondents have a CMDB project in progress and an additional 25% plan to implement a CMDB in the next six to 18 months. The survey also found that 75% of large enterprises and 60% of organizations overall will have some form of CMDB implementation underway in 18 months time. 

Clearly, the numbers back what I've personally witnessed--that organizations are adopting CMDBs to enhance the stability of their IT infrastructures and insure against costly system down-time. Still, the high adoption numbers reported in the survey shocked even me. 

Though popularized in ITIL® v2, some CMDB demand is not ITIL-driven at all. While to some CMDB=ITIL, many IT organizations I've spoken with who are not pursuing ITIL initiatives are adopting CMDBs to simply help them manage change, the ever-present threat to IT infrastructure stability.

Key to the success of full CMDB market acceptance is the ability to yield short-term deliverables that increase stakeholder buy-in. In planning meetings, I often recommend that implementations have some focus on delivering quick wins, which go a long way toward building project support and enthusiasm. In fact, it may be that the CMDB's ability to deliver some quick and useful results is what's driving IT professionals to kick the tires.  

Your personal experience may or may not agree with the survey findings, but the resulting white paper is quite interesting. You'll need to register for the link, but I hope that won't stop you from taking a look.   

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.