The Skinny on ITIL

The Information Technology Infrastructure Library (ITIL) is coming to America; early adopters say it's a friendly invasion with security benefits

February 01, 2006 — CSO — Until a few months back, the acronym ITIL didn't figure much in the day-to-day working life of David Monahan, network and information security manager at data storage and management company Network Appliance. Why would it? ITIL (the Information Technology Infrastructure Library) is, after all, a collection of best practices first developed by the British government almost 20 years ago. But ITIL is rapidly gaining ground as an IT governance model in U.S. businesses. As Monahan explains, his own conversion came via a senior executive who joined Network Appliance in the summer of 2005 to head the company's global infrastructure function. Having had prior positive experience with ITIL, said executive formed the view that Network Appliance might also benefit from adopting ITIL, which promises operational improvements through more disciplined processes.

"The belief," says Monahan, "is that ITIL will add rigor to the way that we scale and add structure to our processes." In particular, he explains, Network Appliance is looking at problem management, change management and incident managementâ¬three of ITIL's 11 core process areas (see "ITIL's Scope," below)â¬and identifying gaps between what ITIL recommends and Network Appliance's current practice. Monahan says it's not an overnight job, but one that is already paying dividends: For a start, ITIL has been the focal point for several core process overhauls that have significantly improved areas of IT service delivery. "So far, we're very pleased," he sums up.

CIO (a sister publication to CSO) reports that ITIL is gaining steam in the United States and that ITIL "helps IT departments improve their quality of service, including increased system uptime, faster problem resolution and better security." Partly fueled by a tougher regulatory frameworkâ¬including Sarbanes-Oxley and the Federal Information Security Management Act of 2002â¬IT vendors and service providers report they are now fielding more requests for information about their ITIL capability. "A year ago, we hadn't had a single ITIL requestâ¬now we're getting one a month, and the pace is accelerating," says Gretchen Hellman, senior manager of product marketing at security vendor ArcSight. In fact, the U.S. and Canadian governments will soon require IT contractors to use ITIL, as will some big companies including General Motors. As IT in the commercial sector has grown to mirror the complexity and mission-critical nature of the public-sector IT applications that sparked ITIL in the first place, a growing number of CIOs and CISOs are seeing in it a ready-made governance framework that speaks their language.