In Depth
The Skinny on ITIL
The Information Technology Infrastructure Library (ITIL) is coming to America; early adopters say it's a friendly invasion with security benefits
By Malcolm Wheatley
Early private-sector ITIL adopters interviewed for this article indicate that the results are promising, though it behooves CISOs to have the right expectations up front.
Future Shock
Those healthy up-front expectations include a small culture shock and a standard implementation path.
On the culture front, don't expect to become certified as ITIL-compliant, at least not in the accepted sense. Having promulgated ITIL, the British government continues to support, develop and make it available to interested parties. However, it's largely up to individual businesses to choose how to actually apply ITIL. ITIL is not a standard, per se. Instead, it's a compilation of best practices, albeit one that is codified, well thought-out and integrated into a single framework. (In this regard it is reminiscent of Control Objectives for Information and Related Technology, or Cobit; see "Alphabet Soup: Cobit, ITIL and ISO," this page.) Security isn't a separate book within ITIL; it's woven into the very fabric of it. And for many companies, that will mean security becomes more tightly integrated into IT operations and the business itself, rather than being set off in a guard/watchdog function. So ultimately, this culture shock is probably for the good.
"The culture shock to IT security practitioners from adopting ITIL will be much greater than that experienced by the IT operations people," notes Gene Kim, CTO and cofounder of Tripwire, and coauthor of The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps, published by the Information Technology Process Institute. "What ITIL does so well is to show how security doesn't live by itself; it lives within the overall IT operational context."
To Kim, one of ITIL's greatest strengths is that it forces security practitioners to seriously address issues such as change management (part of security's job being to help ensure that all changes are properly authorized). "A significant proportion of security-related Sarbanes-Oxley audit deficiencies relate to change control, yet for years, security practitioners have fought shy of the issue. With ITIL, the day of reckoning is here," says Kim.
Richard Starnes gives service delivery as another example. Starnes is the London-based president of the U.K. chapter of the Information Systems Security Association, and an American infosecurity professional formerly employed as director of incident response at a major British telecommunications company. "ITIL tells you how to run a service desk properly, which is useful for [preventing or dealing with] social engineering attacks," he says.
As for the implementation path, according to Robert Bowey, service delivery specialist at British IT consultancy Astech Consultants, ITIL implementations tend to proceed along a fairly standard adoption curve, which CISOs are well served to follow. "Most organizations look for where they can get the quick wins from ITIL first," he says. "That tends to be in areas like release management, incident management, problem management and change management. Configuration management, on the other hand, is a much more resource-intensive and time-consuming business." Knowing this up front can help save decision-making time and focus early efforts on those areas with the fastest payoff.