The Skinny on ITIL

The Information Technology Infrastructure Library (ITIL) is coming to America; early adopters say it's a friendly invasion with security benefits

Until a few months back, the acronym ITIL didn't figure much in the day-to-day working life of David Monahan, network and information security manager at data storage and management company Network Appliance. Why would it? ITIL (the Information Technology Infrastructure Library) is, after all, a collection of best practices first developed by the British government almost 20 years ago. But ITIL is rapidly gaining ground as an IT governance model in U.S. businesses. As Monahan explains, his own conversion came via a senior executive who joined Network Appliance in the summer of 2005 to head the company's global infrastructure function. Having had prior positive experience with ITIL, said executive formed the view that Network Appliance might also benefit from adopting ITIL, which promises operational improvements through more disciplined processes.

"The belief," says Monahan, "is that ITIL will add rigor to the way that we scale and add structure to our processes." In particular, he explains, Network Appliance is looking at problem management, change management and incident managementthree of ITIL's 11 core process areas (see "ITIL's Scope," below)and identifying gaps between what ITIL recommends and Network Appliance's current practice. Monahan says it's not an overnight job, but one that is already paying dividends: For a start, ITIL has been the focal point for several core process overhauls that have significantly improved areas of IT service delivery. "So far, we're very pleased," he sums up.

CIO (a sister publication to CSO) reports that ITIL is gaining steam in the United States and that ITIL "helps IT departments improve their quality of service, including increased system uptime, faster problem resolution and better security." Partly fueled by a tougher regulatory frameworkincluding Sarbanes-Oxley and the Federal Information Security Management Act of 2002IT vendors and service providers report they are now fielding more requests for information about their ITIL capability. "A year ago, we hadn't had a single ITIL requestnow we're getting one a month, and the pace is accelerating," says Gretchen Hellman, senior manager of product marketing at security vendor ArcSight. In fact, the U.S. and Canadian governments will soon require IT contractors to use ITIL, as will some big companies including General Motors. As IT in the commercial sector has grown to mirror the complexity and mission-critical nature of the public-sector IT applications that sparked ITIL in the first place, a growing number of CIOs and CISOs are seeing in it a ready-made governance framework that speaks their language.

Early private-sector ITIL adopters interviewed for this article indicate that the results are promising, though it behooves CISOs to have the right expectations up front.

Future Shock

Those healthy up-front expectations include a small culture shock and a standard implementation path.

On the culture front, don't expect to become certified as ITIL-compliant, at least not in the accepted sense. Having promulgated ITIL, the British government continues to support, develop and make it available to interested parties. However, it's largely up to individual businesses to choose how to actually apply ITIL. ITIL is not a standard, per se. Instead, it's a compilation of best practicesalbeit one that is codified, well thought-out, and integrated together into a single framework. (In this regard it is reminiscent of control objectives for information and related technology, or Cobit; see "Alphabet Soup: Cobit, ITIL and ISO," this page.) Security isn't a separate book within ITILit's woven into the very fabric of it. And for many companies, that will mean security becomes more tightly integrated into IT operations and the business itself, rather than being set off in a guard/watchdog function. So ultimately, this culture shock is probably for the good.

"The culture shock to IT security practitioners from adopting ITIL will be much greater than that experienced by the IT operations people," notes Gene Kim, CTO and cofounder of Tripwire, and coauthor of The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps, published by the Information Technology Process Institute. "What ITIL does so well is to show how security doesn't live by itself; it lives within the overall IT operational context."

To Kim, one of ITIL's greatest strengths is that it forces security practitioners to seriously address issues such as change management (part of security's job being to help ensure that all changes are properly authorized). "A significant proportion of security-related Sarbanes-Oxley audit deficiencies relate to change controlyet for years, security practitioners have fought shy of the issue. With ITIL, the day of reckoning is here," says Kim.

Richard Starnes gives service delivery as another example. Starnes is the London-based president of the U.K. chapter of the Information Systems Security Association, and an American infosecurity professional formerly employed as director of incident response at a major British telecommunications company. "ITIL tells you how to run a service desk properly, which is useful for [preventing or dealing with] social engineering attacks," he says.

As for the implementation path, according to Robert Bowey, service delivery specialist at British IT consultancy Astech Consultants, ITIL implementations tend to proceed along a fairly standard adoption curve, which CISOs are well served to follow. "Most organizations look for where they can get the quick wins from ITIL first," he says. "That tends to be in areas like release management, incident management, problem management and change management. Configuration management, on the other hand, is a much more resource-intensive and time-consuming business." Knowing this up front can help save decision-making time and focus early efforts on those areas with the fastest payoff.

Small Disciplines

In this respect, suggests Bowey, the ITIL implementation at Thresher Group, an 1,800-outlet liquor store chain headquartered north of London, is fairly typical. Change management was an early and obvious area of focus, says Debbie Homer, service delivery manager within Thresher's business systems group. "Businesswide changes such as implementing XP Service Pack 2 could have far-reaching implications if not carried out correctly," she notes. "We're a retail company with a lot of dial-in users, as well as customer-facing EPOS tills [a British phrase for cash registers], and it's vital to guard against something knocking out our firewalls, or leaving our systems open to viruses or abuse."

Accordingly, says Homer, every change to Thresher's IT systems goes through the company's ITIL-compliant change management procedure, which calls for proposed changeseven security patchesto be documented, approved, tested and piloted. What's more, the IT vendors to which key aspects of Thresher's IT have been outsourced must also follow the procedure. Those outsourcers include EDS, which hosts the company's retail systems at an offsite data center, and Dutch company Getronics, which handles Thresher's desktop management and help desk operations. (Getronics, Europe's largest IT service provider, is in fact the organization that first introduced Thresher Group to ITIL, says Homer.)

The integral security of the overall system is enhanced by a practice of prohibiting changes at critical sales periods. Weekends are the busiest time of the week, says Homer, explaining that changes are not allowed from Friday to Monday, inclusive. The Christmas holiday season is another "no change" period: from a certain point in December (the timing of which varies, but is essentially the point at which the shops are fully stocked and the Christmas "deals" are coded into the EPOS system), until early January, no changes take place.

"It's not quite true that no changes take place; we have a provision for what ITIL calls urgent changes,'" adds Homer. "They have to be critical, though, and we have a higher security procedure for them. Essentially, more people have to approve them."

Enter the Matrix

Another benefit of ITIL, according to Tim Mathias, vice president of IT security and CISO at Thomson Financial (part of The Thomson Corp.), is the extent to which it forces businesses to focus on their organizational structures. When Thomson first implemented ITIL in fall 2003having been introduced to it by the business's large presence in Londonthe organizational structure was very different from what it is now.

Post-ITIL, he relates, security is very much a matrix function, relying on people recruited and trained into specific security-oriented positions within ITIL-centered units. Formerly separate functions, such as enterprise network administration and desktop support, now have been folded into the user support services function, with specific people tasked with carrying out the relevant security functions.

"Having these people actually embedded within the organization gives my team much greater visibility into what's actually going onmore so than we could achieve otherwise," says Mathias. "We've seen a significant shift of attitude within the various units: Security is now seen as a business enabler rather than as a bunch of people who just say no."

What's more, the move to an ITIL-centric structure has generated a significant productivity improvement. Immediately following the reorganization, relates Mathias, each unit created a "service catalog" to clarify each organization's roles and responsibilities, and to drive ITIL adoption down one more layer in the company. "There was a lot of overlap and duplication," he says. "In short, we found we could reduce our cost and complexity by putting these people together."

To Mathias, at least, the benefits of ITIL are crystal clear: better governance, better securityand greater efficiency. And as CISOs across America contemplate following Thomson's lead, it's a useful example to be setting.

Copyright © 2006 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations