Blog Posts From Articles Tagged With open_source

Interview: Jerry McElhatton - Former MasterCard CIO Talks About Achieving the Competitive Edge

tom@tomparish.com — Wed, 27 Aug 2008 22:53:54 GMT

No one can deny that Jerry McElhatton has mastered many successful IT moments. During his 10 years as CIO with MasterCard International, McElhatton spearheaded a five-year, $160 million upgrade of the company's global processing system into one unified, single messaging standard. Even more impressively, he delivered this enormous undertaking on time and within the budget. The systems support more than 15,000 customers worldwide, handle more than 40 million transactions daily worth more than $1 trillion annually, and are linked to 800,000 ATMs globally. Also during his tenure, McElhatton oversaw the building of a $135 million, 52-acre campus for MasterCard's primary IT team.

In March 2005, McElhatton retired from MasterCard, where he had anywhere from 1,600 to 3,200 IT professionals under his leadership. Enterpriseleadership.org recently spoke with McElhatton about what his experiences managing an IT organization that could make or break MasterCard's success.

EL: What are you doing now?

JM: After 10 years with MasterCard, I retired to start Virtual Resources, a company that does consulting for organizations in the payments area, and for some architectural engineering firms. I also sit on the boards of directors for several technology companies, where I set up advisory committees to provide feedback on the company's products and examine what competitors are doing. I spend my free time tinkering with a massive model training collection, which my four grandchildren love. I almost forgot: I write articles for business publications, such as CIO Decisions.

EL: Now that you've retired from MasterCard, would you advise other near-retirement CIO's to go off and keep their hands in IT?

JM: Why not? I'm enjoying helping companies understand the cost benefits of technology. I've successfully gotten people to look at their cost structures, to put some best practices in place, to help them evaluate some future cost-effective architectures, and to get them to be more responsive to business needs.

EL: Looking back at the technology overhaul you implemented at MasterCard, what things really made it happen?

JM: The credit goes to my great team. The company had some very mature systems that did a nice job, but it took too long to bring new products to market. New and better technology could simplify things and reduce our infrastructure costs. My assignment included restructuring, rewriting, and redeveloping the core systems. It took five years of changes to give those systems the scalability and flexibility they needed to meet best business practices. We completed that project within the assigned budget and ahead of schedule.

EL: What were some of the best practices that were put into place?

JM: We put reusable systems code and architectures in place. When it came to databases and data warehousing, we made sure we captured the data correctly and could easily segment it. Our key members had to analyze this data to help them build their marketshare.

At MasterCard, I had the unique position of being responsible for all technology, all IT operations, and both IT security and physical security. Fraud is a big problem in the credit card business. For example, I oversaw all of the risk systems that enabled our members to report fraud to us so we could stop it. We gave them information to make them aware of certain types of fraud that were taking place or had the potential to take place. We spent a lot of time reworking those systems. We put together things that would give us an advantage in identifying some characteristics and traits of fraud.

JM: Yes, the entire security team reported to me. I was also responsible for the access control side of physical security. The entire team that guarded our campus buildings reported to me. These folks did a lot of investigations internally to make sure employees did not access unauthorized areas.

EL: What was the business model for MasterCard when you were there?

JM: Simply, we worked very closely with the business units to help them define priorities, to help them move marketshare and generate income, and to help them reduce operational expenses. As a member of the operations and policy committee, I looked at how we could leverage technology to get the biggest payback.

EL: What was your IT model at MasterCard?

JM: MasterCard's technology generates a significant amount of revenue on what's called a "quick charge." We have charges for authorization, clearing, settlement, and also charges on our risk systems. On some of the systems, we had profit and loss residing with the operations and technology group. And on the others, we had direct chargeback to the marketing group for the cost and expense of generating that revenue.

EL: Did you folks use anything like Six Sigma?

JM: It's an interesting concept that has to do with the definition of root cause analysis and definition of quality standards. Eighty-five percent of the program we used consisted of Six Sigma and the benefits associated with it.

We measured everything, and we drove staffing and quality off those numbers. In our system, we posted implementation reviews, and whenever we had a problem, we did a root cause analysis to determine where to patch the problem. So, our systems got stronger over time. The performance of MasterCard as a company became outstanding because of the work we'd done to engineer the system.

EL: How successful were you in combating fraud?

JM: It was very good. We did a lot of proactive things to put people on notice. In the credit card business, fraud often happens at the merchant location and at some of the processors. If someone doesn't follow the rules, you might do routine audits, but an IT security audit is only good for the day you do it. Someone can make a change the next day, and thus, put a hole in the system. You might not catch it until you do another audit, or you might not catch it until you have a problem. We did a lot of proactive work to identify potential fraud. We not only used our systems, but we had cooperative efforts with others, and we used their systems, so we had a significant reduction in fraud.

EL: Do you have any comments on Oracle's recent buying spree?

JM: On the one hand, Oracle will have a strong product offering. On the other hand, as with all technology mergers/acquisitions, IT departments no longer have a lot of product choice; they'll lose their ability to negotiate on price, and service levels.

EL: Are you writing a book?

JM: I've thought about it. My working title is, 101 Easy Lessons Learned the Hard Way. IT folks today have similar sets of issues and problems as their counterparts five or 10 years ago. Yes, there might be more flexible ways to solve these problems, but every generation seems to have to touch the top of the stove to see if it's hot. I have a lot of advice to give about how to avoid some of the mistakes other IT people have made in the past.

EL: What's the biggest mistake people make in climbing the career ladder?

JM: IT people are smart people, but they don't often have a sense of how to budget for projects and how to meet the deliverables. IT people often make things harder than they really are.

At MasterCard, we learned how to eat a big marshmallow without getting sick. The answer is a bite at a time. We broke down projects into very significant deliverables that we measured and monitored.

IT people have to first learn to commit to a project, and then stick to the schedule, the budget, and the deliverables.

EL: Do you think the CIO role should be rotational?

JM: Some companies might be better off if they went in that direction. If someone has been a CIO for 10 or more years, then that person might be stuck in that role. Let me tell you what helped me at MasterCard. For example, at one time I was assigned to run the process change team. We took more than $100 million out of the systems by leveraging technology, and leveraging people's skillsets. This experience helped me to grow closer to the business units. I had some other great business opportunities.

If you want to cultivate stronger IT professionals, then assign them both business problems and technology problems. This process enables IT professionals to gain a more realistic view of how the business uses technology, and how they should use it to solve problems.

EL: Have you read Nicholas Carr's book, Does IT Matter, or his Harvard Business Review article, "IT Doesn't Matter?"

JM: I've read the book. I've been in businesses where technology has made a big difference. At MasterCard, we leveraged a lot of technology to get good business results. Carr perceives technology as a commodity -- spending a lot of money on IT doesn't necessarily translate to creating competitive differential. For example, if an IT department is late with deliverables, then the company can loose its competitive edge. At MasterCard, we won a lot of new business by being the first to deliver new, working systems, and to continue to enhance those systems. The other guys had a hard time catching up with us.

Additional Reading - Sponsor Link:
Managing the Business of IT: Maximizing the Power of Service Resource Planning, the Next Step in Business Service Management

Elizabeth M. Ferrarini is an IT consultant from Boston, Massachusetts. Reach her at elizabethferrarini@yahoo.com.

Smart Attacks Call for Smarter Measures - Part 2

tom@tomparish.com — Tue, 18 Dec 2007 21:48:54 GMT

by Deb Radcliff

Part 1 | Part 2 | Part 3

Tighten Control of the Handset

In the first part of this three-part article, author Deb Radcliff outlined the rise of smart-phones risk, and why that risk has been less serious in the U.S. (so far). In part 2, you'll see how U.S. businesses are beginning to respond to this new threat to the enterprise, and how much still depends upon the user.

"A lot of carriers have the general idea that they're secure, given the threats out there. That may be true today. But moving forward, as you see more applications and features on cellular phones, business and personal data will be increasingly at risk," says Sandra Palumbo, senior analyst with the Yankee Group. "So, encryption is definitely a big area we need to address on feature-rich phones, especially as more and more people put personal and business-competitive data on their devices."

Businesses are handling encryption, authentication, and other important information protections in a piecemeal fashion with limited products that don't interoperate, she says. That is why a trusted hardware platform is sorely needed, says Janne Uusilehto, Chief Security Officer at Nokia and chairman of the Trusted Computing Group's Mobile Phone Working Group. "We need a more reliable platform that is hard, or impossible, to crack by malicious software. But how do you realize security in a hardware device?"

As such, Uusilehto, together with industry heavyweights including Intel, Philips, Motorola, IBM, France Telecom, Vodaphone and others, are putting the finishing touches on a Mobile Platform Module based on the Trusted Computing Group's successful Trusted Computing Module for PCs, to be completed by mid-year.

The Mobile Platform Module sets standards that would enable network carriers to accurately identify and authenticate devices connecting into them, which is a big problem for carrier networks dealing with cloned phones today, he continues. It also enables applications like Public Key Encryption through secure key storage, digital signatures, and integrity checks of devices and applications.

"The trusted module provides a secure place to store secrets (keys) in a place they can't be compromised," says Lark Allen, VP of Wave Systems. "It also measures things, like a software module on your device, and compares that against a hash stored in its secure registers to see if it's been changed. It can also measure the configuration of the phone: Has it been altered? Is there malicious code? Are there unauthorized installs?"

With the mobile standards, he continues, carrier network operators and enterprise risk managers can exercise better controls over their valuable mobile devices. For example, they can package only approved applications with the phones, check the integrity of the telephone applications, and encrypt data that needs encrypting.

Wave Systems, which makes document encryption and secure storage products based on the Trusted Platform, demonstrated at RSA in February with Juniper and Nortel a proof-of-concept integrity check application on the Trusted Computing Platform that could do just that. With it, they measured patch level, status of anti-virus, and other security policy compliance points on a PC. Such an application can quickly convert to smart phone management once the mobile platform module is completed and security vendors start building against those standards, he adds.

"With a standard building block like the Trusted Mobile Platform Module, you can now put it into lots of platforms with a common security infrastructure to support all kinds of smart, feature-rich devices," Allen says. "In a mobile environment, this is important because every network operator has phones from a variety of different vendors that it needs to support."

In addition, as more robust handset applications are developed on the trusted mobile platform, companies such as F-Secure, Kaspersky, McAfee, Symantec, and others building anti-malware for smart devices will have more options for integrating their technologies into remotely-managed security platforms, which they're already deploying on PCs.

"That's the trick with mobile security. You want it to be easy for the end user or they'll ignore it. Users don't want to enter passwords to make calls. They don't want to manage their own encryption. And they don't want to deal with keeping their anti-virus signatures up to date," says Palumbo of the Yankee Group. "So a lot of this will have to be done by a gatekeeper."

Educate Users

Even if security is made easy, there will always be the problem of human error. Already, users are demonstrating the same gullibility they have demonstrated over PC-based social engineering attempts at getting them to click or load something and to turn over information that they shouldn't. What's to say they mobile phone users will be any different, asks Longstaff.

"We're seeing cases all over the place using Bluetooth (Cabir, Lasco, others) and Multi-Media Messaging Service (Comwarrior) to spread," he says. "That involves some level of social engineering to get people to accept them."

So the best defense is to set some type of responsible use policy -- one that can be enforced manually until we see further automation -- to educate users about safe cell phone usage in a way that they can understand, say experts.

"Just as in the PC world, we need to teach users not to accept applications and downloads that they didn't ask for. Same with links. And they should not give out personal information," says Nick Ianelli, Internet security analyst on mobile malware for US.CERT (Computer Emergency Response Team), based at Carnegie Mellon. "We need to show our users that their phones and the data on them are valuable. Get them familiar with its features."

The theory goes that someone could let loose a Bluetooth virus in a crowded stadium and spread itself throughout the crowd, adds Marcus Sachs, who directs the Cyber R&D Lab for the Department of Homeland Security. The reality is, you still have to get them to accept the download, he adds. And, even with the best of education, users will always have questions about Caller ID, authenticity of phone calls, and integrity of data being moved around, he contends.

"If it comes from someone they know and trust, they'll allow it (a download). If they're swept up in an event at a crowded stadium and their phones keep ringing up asking them to accept something, they'll download it. In fact, this has already happened. Someone let loose a Bluetooth worm that spread through the crowd at the World Cup," Sachs adds, referring to the Cabir worm, which spread through the World Athletics Championships at the Olympic Stadium in Helsinki, Finland in August, 2005.

Not to mention that it's only a matter of time before mobile malware stops playing nice by asking for permission to load, contends Nokia's Uusilehto. Soon, he says, criminals will try and spread their wares without the user's knowledge by using hiding and changing technologies to avoid even automated detection. (Already, we've seen Skulls.K attempt to do this last May by trying to disable security on the devices.)

The reason for all this trouble coming at our cellular phone users is because phones are essentially becoming PCs, say Sachs and others. This makes policy, education, and muti-layered protections just as vital to data and device protection as it is on networked PCs.

"The problem's not new: How do you handle all the consumer gadgets inside the enterprise?" he says. "You see this convergence of phone, e-mail, and entertainment, and soon, Voice over IP that communications providers are jockeying to bundle over a variety of devices. The smart enterprise would get ahead of this technology, embrace it, and actually lead the charge to drive that technology securely into the enterprise."

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as researcher on a book about infamous hacker, Kevin Mitnick back in 1995.

Smart Attacks Call for Smarter Measures - Part 1

tom@tomparish.com — Tue, 18 Dec 2007 20:07:31 GMT

by Deb Radcliff

Part 1 | Part 2 | Part 3

Smart devices have become the latest attack vector for online criminals, putting intellectual property, regulated and personal financial information stored on them at risk. In this first of a three-part article, author Deb Radcliff explores these new attack vectors into the enterprise.

Dozens of viruses, worms, and Trojans have been written against smart phones and pocket PCs since 2004. And even though most of these are proof-of-concept and nuisance malware, experts are warning of more serious crimes to come.

More criminal elements are already stealing identities and other personal and private information of value in countries where Symbian-based mobile phones are being used as money, in business collaboration, and in other valuable e-commerce applications, says Danny de Temmerman, head of cybercrime and security for the European Commission's Directorate General for Justice, Freedom, and Security. While speaking on a cybercrime panel at the RSA Security Conference in February, he also said that crimes over cellular phones have now become a top law enforcement priority in Europe.

"We're seeing fraud, phishing, spam, spyware, and adware all over these smart phones in countries where phones hold information that could be monetized," adds Vincent Weafer, director of operations at Symantec's Security Response Center, which sifts millions of spam messages per day through its global content scanning systems. "And in India, they're real concerned about pedophiles getting to their kids through their smart devices."

Even in the U.S., today's smart phone malware poses more than just a nuisance. For example, there are real costs to enterprises that issue smart, and feature-rich devices being targeted by malware. For example, skyrocketing phone bills when Mosquitos malware enter company-issued smart devices through games and start messaging expensive toll numbers. Other malware, such as the RedBrowser Trojan, repetitively ring up $5 - $6 SMS calls. And Commwarrior blasts millions of MMS text-based spam messages, also wracking up huge telecommunications bills.

Indirect costs also abound. Consider the lost revenues when productive road warriors lose their customer data and contact lists because a worm turned their phones into useless "bricks". Such worms can already kill reboot (Fontal.A), crash the operating system (Locknut), and drop the operating system and other critical applications altogether (Skulls). There's also the cost of cleaning up the network when an infected smart phone synchs to a PC or connects to the network through the VPN.

Fortunately, there's also more security around U.S.-based smart phones, particularly in closed carrier networks where phones are issued and maintained by the network operators. But there's much room for improvement, particularly in developing standards around device authentication, application integrity, and data protection on the handset. And, as with PCs, users -- including the enterprise customers -- must do their part to avoid malware, spam, and fraudsters in the first place.

A Safer Gateway

Ask Verizon Wireless, and you'll get an earful about how the risks are blown out of proportion by vendors wanting to sell security on the handset. It's all in the network, says Jeffrey Nelson, Verizon Wireless Spokesman, echoing Verizon's marketing message.

His biggest beef with such dire portrayal of crimes to come to the U.S., he says, is that carrier networks have more control over their phones than they do in the U.S., where most phones are sold through closed-carrier networks, meaning carriers sell the phone and the service bundled together. This way, network operators can control the phones and the applications allowed on them.

"There's a huge difference in risk between the U.S. and Europe and Asia," Nelson adds. "In the United States, people buy wireless service from a company, while in Europe and Asia, you buy a phone you like, and then get service for it, then buy a carrier service. Then you slip in a SIM card, and walk into this dangerous, unprotected world."

With more control, carriers can lock down vulnerable applications like Bluetooth and manage downloads somewhat by, at the very least, working off a whitelist of approved vendors, and denying the rest.

In addition, any carrier network worth its salt is already filtering out malicious code and unwanted spam entering through their messaging and e-mail gateways, he continues. They should also be filtering content from loading directly off the Internet. For example, Nortel Networks is using Websense to block damaging and unwanted content from getting onto browsers from malicious Web sites.

There are other reasons we've not seen as much malicious activity in the U.S. as we have overseas, say experts. For starters, the U.S. has been slow to standardize on a single operating system; whereas Europe, Asia, and other heavy-use regions have standardized on Symbian. So, by defaut, Symbian has become the operating system to attack, says Thomas Longstaff, deputy director of technology, Network Systems Survivability for Carnegie Mellon's Software Engineering Institute.

Another reason is slower adoption of smart O/S-, and browser-enabled phones in the U.S., which currently make up12 percent of North America's cellular phone user base, according to the Yankee Group. But, by 2009, that number will rise to 46 percent. And, 87 percent of all U.S. cellular phones in circulation are already feature rich, according to Yankee. Where there are new features, there are also new vulnerabilities.

ITIL, COBIT, and Sarbanes-Oxley

tom@tomparish.com — Wed, 05 Dec 2007 21:49:29 GMT

The Information Technology Infrastructure Library (ITIL) is an industry-leading set of IT Service Management best practices. These best practices for the support and delivery of IT services can help a company document IT processes as required for Sarbanes-Oxley.

Troy DuMoulin, managing consultant at Pink Elephant – an organization providing ITIL based consulting, education, conferences and outsourcing services, notes a shift in how organizations approach best practices for IT services: "In the past, companies used best practices out of a desire for self improvement and to create a positive impact on the bottom line. Now, with Sarbanes-Oxley, they have to do it because it's a formal, legal requirement."

ITIL is part of the foundation of the COBIT model, which defines control objectives for IT in support of business processes. COBIT was explicitly chosen as the tool of choice for external auditors to use in IT audits for Sarbanes-Oxley. "Since auditors are using COBIT, it makes sense for organizations to learn about the model. The model identifies key performance indicators and critical success factors that organizations can take into consideration when documenting or re-engineering a process," DuMoulin says.

"Although there are many different control frameworks out there, many of them have ITIL at their core. With COBIT for example, 45-50% of the control objectives are covered within ITIL. In particular, ITIL's Service Support and Service Delivery processes address almost a dozen specific control objectives," DuMoulin says.

The ITIL process documentation and COBIT control objectives are a powerful combination that can accelerate Sarbox compliance.

The Word is

tom@tomparish.com — Wed, 05 Dec 2007 18:58:17 GMT

by Tom Field

While CIOs have faced flat, to slow growth in their annual budgets, the same cannot be said of business expectations when it comes to innovative use of IT.

As a result, CIOs face this challenge: How to reduce costs while simultaneously using IT to drive competitive advantage. As CIO magazine's fifth annual State of the CIO survey reveals, the best executives have realized that simple cost-cutting won't work. Technology innovation is a team sport, and it demands strong partnerships with business decision makers.

The survey asked nearly 100 senior CIOs for their thoughts on how to implement IT-led innovation throughout the company. Fifty-nine percent of them consider innovation a significant aspect of their job, but they also recognize that no executive is an island. More than one-third say that innovation initiatives are best led by a joint team made up of the CIO and other business leaders, and 28 percent say that innovative ideas best spring from collaboration and brainstorming with business-side peers. If the ideas and work are shared, so should be the responsibility as well: 42 percent of the respondents think that IT and the business units should share accountability for the results of their labors.

How much of your roll is concerned with innovation?

Where do innovative ideas come from?

Who leads innovation initiatives?

Who is accountable for innovation results?

Interview: Geoffrey Moore - Best-Selling Technology Author

tom@tomparish.com — Wed, 05 Dec 2007 18:50:17 GMT

by Elizabeth Ferrarini

Geoffrey Moore, a managing partner at TCG Advisors, has made the understanding and effective exploitation of disruptive technologies the core of his life's work. He divides his time between consulting on strategy and transformation for tech companies such as Cisco Systems, and developing mental models to support this practice. His best-selling books, Crossing the Chasm, Inside the Tornado, The Gorilla Game, and Living on the Fault Line, have become required reading at leading business schools. Moore's most ambitious work to date, Dealing With Darwin -- How Great Companies Innovate at Every Phase of Their Evolution -- offers the bold theory that innovation takes many forms, not just disruptive, and these forms change radically during a company's or product's lifecycle.

Geoffrey Moore recently provided Enterpriseleadership.org with some insight into his new book, Dealing with Darwin, as well as thoughts on outsourcing IT, putting IT into a shared service, and defining the core versus context role of the CIO. Here's what he had to say:

EL: In Dealing with Darwin, you use a series of metaphors to define categories in the lifecycle of a company and/or a product. Can you elaborate on what causes people to get swept into the tornado cycle and how well new technologies will fit into this category?

GM: As a technology or product begin to take off, they start to sustain and then fade, depending on where it is in its lifecycle. The very new stuff starts off the technology adoption lifecycle, called "early market." People who want to try to stay ahead of the herd usually comprise this early market. The tornado emerges immediately once everyone decides they need the product or technology. This has an explosive amount of growth and just sucks every one in its vortex. If you were a vendor in the 1980s and 1990s, you always looked for the next tornado. Things advanced so fast that IT departments wiped out the prior generation of systems and started over.

The new millennium signaled the maturity of technology as if it were a standard industrial sector. New technologies and new ways of adoption still abound, but they now emerge on a beach that has been hit by many waves. The notion that you would swap out a lot of infrastructure and start over is no longer even considered. The real question now is this: How do you evolve your systems rather than revolutionize them?

EL: Still referencing your book's categories, what tech sectors are in the "bowling alley" right now, or the tornado?

GM: The bowling alley is where technology is gaining acceptance in one or more markets. RFID is still crossing the chasm between general acceptance or not; in other words, it's between and betwixt. Digital photography and WiFi are in the tornado. Electronic books never crossed the chasm. WiMax hasn't crossed the chasm yet. The bowling alley is a transitional phase. Linux is still in the bowling area. Linux has established itself in either scientific clusters or in embedded computing. Linux could be in the bowling alley forever.

EL: Your article in the Harvard Business Review (July-August 2004) says that a lot of companies make the assumption that the success of the new systems will draw resources away from the legacy systems. Thus, companies leave the legacy systems unchanged. Is this a common mistake IT makes?

GM: It isn't always a mistake. IT needs to freeze the legacy systems, and then make them a module in a larger architecture. No further changes should be made inside of them. The goal of the new architecture is to turn them into a services-oriented module. To this end, you can ask the systems to do what they have always done, but don't ask them to do anything new. Trying to change a legacy system can cause more damage then good.

EL: I've read that you're a big proponent of outsourcing. Should IT be outsourced to an EDS or put into a shared services model, which has kind of slowed down a bit?

GM: The shared services model and the outsourcing model are part of the same march. You're a little way down the path with the shared service and at the end of the path with outsourcing. We came to this conclusion based on going through three pairs of levers. The first pair says to "centralize and to standardize," which is the shared services model. The second pair says to "modularize and to optimize," both of which provide a transition to outsourcing. Here you deconstruct your systems into smaller ones so you determine which ones to eliminate, which ones to keep unchanged, and which ones to consolidate. The third pair includes "instrument and outsource." If you had outsourced without going with the second pairs of levers, you would waste a lot of money. To "instrument" means to put service levels in place before outsourcing.

EL: Can you run a shared service as a third-party business?

GM: Some companies have tried it and failed. It's usually a bad idea. Keep in mind, the parent of the shared services usually isn't in the IT business, and probably won't be willing to invest in an IT service business. So, as an independent company, the shared services needs to transform itself into a commercial entity with a sales and marketing force.

EL: You are well aware of GM's major effort to establish common processes for its $15 billion IT outsourcing initiatives. What went wrong?

GM: GM made a horrible mistake the first time with EDS. Why? GM didn't use the three pairs of levels before it decided to outsource. Instead, GM through IT over the transom and prayed for the best.

Now let me tell you about the time GM did a brilliant job of outsourcing. In the 1990s, GM used the three pairs of levers to move the supply chain to tier-one and tier-two vendors.

EL: What is core and what is context for a CIO?

GM: Each company has a unique core. To this end, the company defines what is core for the CIO. The CIO has to first interact enough with the executive team to understand the company's claim to fame in its market space. Is it to be the most cost efficient or to provide the best customer experience? Any IT system that can help differentiate the company's performance in that area is core; any other system is context. The CIO's number one task is to figure out what is core for the business, and then figure out what it means for IT. The CIO's colleagues can provide some of the answers, which will be different for every business. So, the CIO needs to excel as a thoughtful leader. The CIO also needs to develop different strategies for dealing with technology as it moves through its lifecycle.

EL: An IT department came up with the idea of rollover minutes. In his book, Does IT Matter, Nicholas Carr asks the reader to consider whether or not IT can help a company innovate. What's your feeling about this argument?

GM: Carr assumes that IT serves no core, but simply all context. That's not true. He says this to be deliberately provocative. For years, too many IT professionals have pretended they were core to the business. Most companies have the same IT resources as their competitors. If you use these same systems in the same way, then IT isn't core. On the other hand, if you build your systems in-house, then you have something different from your competitors. That uniqueness becomes core.

EL: Oracle, which is more than 25 year old, bought a slew of startups and now is buying its competitors. Is this a feasible strategy for Oracle?

GM: The relational database rests at the heart of client-server computing, which has been around since the 1980s We nearing the end of the client-server lifecycle, but Larry Ellison has no intention of leaving and moving on to services-oriented architectures or Web servers. The network, not the relational database, forms the foundation of this new architecture.

To this end, Ellison is buying all of the old client-server properties the same way Computer Associates bought all of the mainframe properties. He's not innovating, but consolidating to create a legacy installed base to milk.

EL: Do you think it was a good idea for Sun to acquired StorageTek?

GM: Sun has some similar issues as Oracle, but Sun also has some very visionary ideas, but is caught in a tough place. Sun's idea of computing by the drain doesn't lend itself to an expensive research and development model, which Sun has.

By purchasing StorageTek, Sun gained a source of revenue during its transition. Sun views storage has tactical, but strategic. It will be interesting to see where Sun ends up.

EL: How do your views differ or compare from those of Harvard Business School's Professor Clayton Christensen?

GM: I love his book, but both of us have spent too much dealing with the disruptive nature of innovation in the 1990s. The title of my new book, Dealing with Darwin -- How Great Companies Innovate in Every Phase of Their Evolution, sums up where innovation is today. Christensen, on the other hand, still associates innovation with disruption.

My book says that innovation is whatever it takes to create competitive advantage. The book defines 15 different types of innovation -- only one is disruptive. The innovation types include application, product, process, and marketing.

Today, the big tech gorillas, such as Cisco and Microsoft, are creating enormous wealth. They're doing incrementally valuable things, such as unique integration methods, which help to differentiate them from their competitors. Their competitors have to try to match these gorillas on a point-to-point product basis.

EL: Should IT professionals or even marketing professionals be concerned about offshoring?

GM: At one time, IT professionals presumed they were insulated from offshore challenges. This is no longer true. Today, no one can tell, nor do they care, where bits come from across the Internet. Unless you're doing something unique in IT in a geographic area, such as San Francisco, you face the challenge of offshoring.

If you're a global corporation, you need to engage in offshoring or else give your competitors a price advantage. This is why I called my book, Dealing with Darwin. To survive in the tech ecosystem, you need to raise the bar on what competitive success requires through every cycle. Clinging to entitlement puts you at risk. Look at General Motors.

Elizabeth Ferrarini is a free-writer technology from Boston, Massachusetts. Reach her at elizabethferrarini@yahoo.com.

Social Networks: A Whole Different Reality Under the Radar

tom@tomparish.com — Wed, 05 Dec 2007 18:30:40 GMT

by Craig S. Mullins

Imagine facing the prospect of a large-scale downsizing. Not the most enjoyable thing to think about, but not unrealistic either in today's business climate where "doing more with less" and optimizing ROI are common practices. So, you grab the company org chart and the latest employee reviews, and try to come up with a plan that minimizes impact on the business. You review the data and earmark for dismissal the poor performers and those employees who do not seem to be key parts of the most profitable business lines.

But is this approach optimal? Perhaps not. What you see on the company's organizational chart does not accurately depict how things actually work in your company. There is an underlying social infrastructure that exists in most organizations. It is informal, but functionally powerful. And rarely is it evident just how critical this informal network is until a piece of it is removed.

Consider our downsizing scenario: What would be the impact of laying off a critical component of the informal network? Even if your corporate policy manuals outline standard operating procedures, can you be sure that they are being followed? In many corporations, it's not uncommon that, over time, the informal employee network takes over tasks, gets the work done appropriately and on time. But most executives do not understand how this informal network operates in their company. So, they do not typically understand how information is flowing, who picks up their requests, and who doesn't. Clearly, a social network, operating "under the radar" of the official organization chart, can impact business processes.

"Technically, a social network is the set of social relations that connect people and or groups, such as friendship or advice giving," says Dr. Kathleen Carley, of the Institute for Software Research Department in the School of Computer Science at Carnegie Mellon University in Pittsburgh, PA. Dr. Carley is the Director of CASOS, the Center for Computational Analysis of Social and Organizational Systems.

CASOS is a university-wide interdisciplinary center that brings together network analysis, computer science, and organization science. By combining computational and social network techniques, CASOS works to develop a better understanding of the fundamental principles of organizing, coordinating, managing and destabilizing systems of intelligent adaptive agents engaged in real tasks at the team, organizational, or social level. In other words, CASOS works to better understand the way things actually work and how work gets done in the real world.

Social Networks and Social Network Analysis

Basically, a social network is a system composed of multiple elements related in some way. Each element in the network may or may not have a relationship with the other elements.

The word "social" is used to define "social networks" because the most common type of element in the network is a person. However, social networks need not be composed entirely of relationships between people, but can be made up of anything that can have a relationship with something else. For example, social networks have been defined for trade patterns in cities and proteins in the human body.

The term "social network analysis" is used to refer to the set of graph-theory based algorithms applied to any network, preferably networks that include humans or groups as at least some of the nodes. Traditionally, managers look at the attributes of the people (individual elements of the network) they manage. Social network analysis looks at the relations between the elements. This is a significant change.

Consider, for example, conducting a survey of your organization in which everyone is asked: "Who are the people you are most likely to discuss technical problems with?" and "Who are the people you are most likely to go out with for lunch or after work for a drink?." The results of these two questions will not likely be the same. But both help create useful social network maps.

Social network analysis is the process of collecting data, organizing it in useful ways, and examining the network structure to understand its influence on real-world events. It is possible to compare the structure of a healthy organization to an unhealthy one, or of a successful startup to an unsuccessful one.

A manager with access to the social network mappings within the organization becomes empowered to view the operations of the company with a clearer perspective and understanding of how things are actually happening. Social network analysis can enable management to identify emergent groups, potential areas of information blockage, and other key actors within the organization who can effect change.

Consider, for example, the employees who are well-respected as technical gurus, or founts of knowledge on a particular aspect of the company's business. Every company has a few such employees that everyone else relies upon. It would be to management's benefit, first of all, to know who these gurus are, and secondly, to be able to leverage them and their network to successfully launch new initiatives and practices. A new initiative can have a much better chance of succeeding when it is being championed by the leaders -- that is, the gurus -- who already have the trust of the organization.

Dr. Carley notes that CASOS has developed a tool, named ORA, to help provide management with information on social networks. When fed the appropriate data, the tool can deliver a management report with the pertinent social network information to the business executive.

An interesting application of social network analysis being conducted by CASOS is the investigative research of e-mail from Enron Corporation. The e-mail being reviewed is voluminous in that it covers a 3-and-a-half-year period. The data contains a large amount of information on interaction, communication, knowledge, cognition, resources, tasks, and relationships on an individual and group level in Enron. According to Dr. Carley, the analysis shows dramatic shifts in the social networks in response to corporate events such as change in CEO, president, and so on. Enron's social network was used to pass information, reduce concerns, and promote the adoption of ideas.

Crossing Organizational Boundaries

It is also possible for companies to look at the inter-organizational networks among companies or the social network of an individual, such as a CEO, that extends across multiple organizations. In such cases, the CEO can use his social network to vet ideas and do information gathering to reduce risk before making major decisions.

A better understanding of inter-organizational networks can be critical for up-and-coming companies as it helps them better position themselves relative to their competitors. Dr. Carley notes that many companies actively build the network of relations with those companies whom their competitors are also linked to. Highly influential companies are often key nodes in the inter-organizational network. For example, Microsoft would have a higher level of connections to other companies than its smaller competitors. By growing these links, large influential companies can become, effectively, network monopolists and serve to control the flow of information in these inter-organizational networks.

Inter-organizational networking is useful at the personal level, too. The concept of social networks has moved online, such as in the example provided by LinkedIn. LinkedIn is a popular online service that facilitates business-oriented connections. Basically, LinkedIn makes it possible to track your own, personal social network. By keeping your contact information up-to-date, and inviting your trusted associates to join and keep their information current, LinkedIn enables you to easily manage your social network - and to take advantage of others'. Imagine the power of being able to quickly and easily interact with all of your historical business contacts and to ask them to put you in contact with the influential contacts in their social networks.

Taking it Further with Meta-networks

In today's complex business environment, to address practical problems, we need to move beyond social networks to consider the meta-network context. That is, we need to consider the relations of people to people, knowledge, tasks, and so on.

A business executive that can move beyond just information on the connections among personnel to consider knowledge and tasks as well opens up avenues for additional understanding. This additional information can help the executive identify hidden competencies and emergent leaders, as well as helping to put together new teams. Moreover, this information provides new guidance and help for the human resources department to do better personnel management and identify points where training could be beneficial. Essentially, it enables more adaptive behaviors to be implemented.

What About Personal Privacy?

Of course, the practice of social network analysis can open up issues of personal privacy and companies will have to balance the gain of such study against its potential pitfalls.

One such pitfall is perception. The informal nature of a social network can seem to become more formal if it is used by management to further its goals. If staff becomes aware that management is analyzing their "social" network to further business goals it may be perceived as an invasion of privacy.

And what about the gurus who, once identified, may become inundated with additional work? Care must be taken to balance the opportunities for leveraging a social network against a potential backlash of disgruntled employees believing they may have been taken advantage of.

A service such as LinkedIn is voluntary. Subscribers choose to use the service and each time an invitation is sent the receiver can choose to accept or decline the invitation. As such, this opt-in approach can help to alleviate concerns of intrusions on personal privacy.

Of course, sometimes privacy is less of an issue. When the data is publicly available privacy is not usually a big concern, although some may still have issues with the mining of large volumes of data. When privacy is an issue, names and attributes can be anonymized. As Dr. Carley points out, "sometimes, it is beneficial to look at relationships in terms of roles - doctor to nurse to pharmacist, rather then in terms of people's names. This role based approach also helps to alleviate potential privacy concerns."

At times, the results of social network analysis can be useful in terms of summary or aggregated statistics. For example, it may be helpful to know how strongly a group is connected or how complex of a task environment they face rather than the details on specific individuals. In general, such summary data is useful for comparing different divisions or branches in the same company.

For the field as a whole, as for many other scientific fields, data-privacy is a double-edged sword. On the one hand, discovering new ways of de-identifying data, yet preserving the statistical properties, is leading to important scientific advances. On the other hand, concerns about privacy can get so carried away that important data is not gathered and analyzed and policy makers are making important decisions in the dark or with the wrong data. "Overall, there are many key questions that need to be answered in this way," points out Dr. Carley, "and we need to develop new tools for de-identifying and re-identifying nodes and relations in networks so as to ensure appropriate and meaningful privacy levels that do not overly compromise the use of network science to inform policy and provide goods and services to the public."

The Bottom Line

It can be just as, if not more important to understand the informal social fabric of your company than the official organization. The study of social and organizational systems can open up important insight for businesses in terms of how things really get done -- and the implications this has on running the business. This field can offer busy executives additional insight into their business and how it functions.

Craig Mullins is an independent consultant and president of Mullins Consulting, Inc. Craig has extensive experience in the field of database management having worked as an application developer, a DBA, and an instructor with multiple database management systems including DB2, Sybase, and SQL Server. Craig is also the author of the DB2 Developer's Guide, the industry-leading book on DB2 for z/OS, and Database Administration: Practices and Procedures, the industry's only book on heterogeneous DBA procedures. You can contact Craig via his web site at http://www.craigsmullins.com.

Interview: Clayton Christensen - The IT Innovator's Dilemma, the Solution, and What's Next

tom@tomparish.com — Wed, 05 Dec 2007 18:20:52 GMT

by Elizabeth M. Ferrarini

How can one know whether a particular technology will change the way we live or work? What signs do you look for to tell if an emerging company is going to survive? These are just some of the questions that Enterpriseleadership.org put to Clayton M. Christensen, a technology management professor at the Harvard Business School.

In his groundbreaking bestseller, The Innovator's Dilemma, Christensen exposed the crushing paradox behind the failures of many key industry leaders -- (mis)judgments like pleasing the most profitable customers and ignoring disruptive technologies, such as Linux and network-attached storage devices. His book, The Innovator's Solution, makes the case that innovation and profitability are more predictable than managers have come to believe. Seeing What's Next, his latest book, provides a model for those of us without any proprietary information on how to forecast how innovations will affect companies and industries, and how to make the right decisions (while there's still time).

EL: How can a CEO monitor the pulse of his company's marketplace to determine whether the company will succeed or fail?

CC: By looking at data in the present through a lens of good theories, a CEO can forecast whether the company is on track to become more prosperous or to fail. Data about the distant past always exists. If the CEO is using data to understand whether the company will be more successful or not, then the CEO will always be driving into the future, while glancing in the rear view mirror.

For example, if the innovations will help the company sell better products to existing customers, then these sustaining innovations will not necessarily result in future growth, even if it appears that you are innovating and that your profits are improving. If you look at it through the lens of my research, it would cause you to be worried. On the other hand, if your innovations are disruptive -- ones that create new growth markets -- even through they improve current financial results, you could say you are laying the foundation for an exciting future.

EL: What are the indicators that a business or an industry is ready for disruption? You talked about companies that produce products that no one buys and/or product improvements that no one will pay for. What are some of the other signs to look for?

CC: There are two types of disruptions: low-end and new market. A low-end disruption might occur only if two conditions are met:

customers at the low-end of a market don't value, and won't pay for, further product improvements.
someone has figured out a lower-cost business model that can be attractively profitable at the discount prices required to win the business of those customers at the low end.

The first condition identifies an entirely new market sector. If there is a specific population that doesn't have the skills to satisfactorily accomplish specific tasks, nor the money to buy the needed products, then they'll have to rely on the expensive and inconvenient help of experts. If that population exists, the second scenario occurs when someone else develops a technology that provides that specific population with an affordable and easy alternative for accomplishing their tasks.

EL: Given what you just said, where are the innovative opportunities for a major company, such as General Motors? How are they going to stay ahead of their competitors?

CC: If GM is trying to be innovative by making either better or larger sport utility vehicles, then I would really be worried. Seeing GM make innovations to its OnStar systems translates to a really exciting new growth business -- one that's disruptive. If GM tries to sell Buicks in Japan or China, then I would remark that it might yield profits -- but not create a lot of exciting new growth. On the other hand, if GM were to sell cars in China at a $4,000 price point, I would say the opposite.

By looking at innovations through the lens of good theory, you can tell whether today's innovations will produce tomorrow's results.

EL: How can a CIO encourage the company's use of innovative or disruptive technologies?

CC: It's not the realm of a CIO to do this. The most exciting markets are the ones whose size can't be quantified. If the CIO finds himself or herself generating reports that innovating managers rely upon to assess the potential of the innovation, the CIO will be misleading people almost every time. To decide whether an innovation has potential, executives need to watch what people are doing, and then decide if the product they're proposing will help people do a better job of what they're already trying to do.

EL: In what industries is a lot of disruptive innovation going on?

CC: Salesforce.com is a disruptive innovator to a sustaining technology company like Oracle. Linux has an operating system in Web-based computing that has become the OS of choice for handheld devices. It's really an exciting, disruptive innovation. Regional airlines are an exciting disruptive innovation that are just killing the major airlines, and SANdisk, which makes flash memory, is a disruptive innovation that is killing the disk drive industry. Wireless 802.11 and WiMax are pretty exciting innovations in telecom.

EL: Right now, another disruptive technology, the Blackberry wireless network, is embroiled in a patent lawsuit. Can a force like this hinder a disruption?

CC: It happens on occasion to sustaining innovations. Intellectual property protection impacts innovation in both positive and negative ways. A lot of times, patent issue thickets arise that make it difficult for anyone on the sustaining tier to create a meaningful innovation. For disruptive ones, the intellectual property issues almost never matter.

EL: About six years, StorageNetworks built an IT infrastructure from commercially available hardware, raised more than $200 million, and offered organizations a third-party source for immediate storage, likened to that of a public service utility. EMC validated the concept. But StorageNetworks couldn't make a go of that business and offered backup stores and eventually started licensing its software. Then, StorageNetworks went Chapter 11 and couldn't even find a buyer. What went wrong here?

CC: I haven't really studied this company in depth. With the caveat that I haven't crawled inside, I'll tell you some of the things I worry about as I watch emerging companies. First, when you start a business, you may think you know, but you don't really know if you have the right strategy. Likewise, you don't really know who are the right customers, and what job they are trying to get done. You start out with a deliberate strategy, and you think, this is the right thing, when in fact, you almost have to know for sure that, initially, you're going to be wrong. Therefore, you have to get in the market quick with a little of that conviction, then figure out what will work later.

One of my books cities a colleague's study of 400 Harvard Business School graduates who started new companies. Half have been successful; half haven't been. The graduates who founded about 90 percent of the companies that succeeded said they didn't entirely trust the strategy they used when they raised money. They ended up selecting another strategy that enabled them to succeed. The difference between the successes and the failures wasn't that the successful ones got it right the first time. They just had money left over after they got it wrong.

They learned from their mistakes in time to shift gears.

EL: What do you mean by "good investment money" and "bad investment money"?

CC: Bad money flows into something with the willingness to accept big losses. You've got the expectation that the more you spend, the more you'll earn later. You spend the money expecting your strategy is right.

There probably was a good business opportunity somewhere for StorageNetworks. However, it's accurate to say that StorageNetworks didn't have the right initial strategy, and spent a lot of time pursuing it. Or you can say that StorageNetworks employed a deliberate strategy aggressively from the beginning, and spent to get big fast.

Elizabeth M. Ferrarini is an IT consultant from Boston, Massachusetts.

What is Best Practice?

tom@tomparish.com — Wed, 05 Dec 2007 18:10:21 GMT

What do Tiger Wood's swing and ITIL have in common? The question is no joke! Both Tiger Wood's swing and ITIL are best practices.

Here's the analogy:

When a beginner golfer picks up the clubs for the first time, the instructor doesn't say "keep hitting the ball till you figure out your swing?" Instead, they recommend one of two common grips, basic stance, and straight left arm. These are best practices. In other words, they provide a way to do something based on what is commonly viewed as the best way to do it. A best practice is simply a way of doing something, based on how others have successfully done it before, that helps you quickly achieve a level of competence.

Is the best practice the end goal? No. Best practice provides a baseline, or starting point. It's a way to quickly achieve results, that you can then build on and adapt to your unique needs. In golf, many players copy Tiger Wood's swing to improve their game. But there is only one Tiger Woods! If you are shorter, less flexible, weaker, or less practiced than Tiger (as most of us are), then you need to adapt Tiger's swing to your unique requirements.

The same goes with ITIL. ITIL is a set of best-practice guidelines that are based on how others have successfully managed IT. These guidelines help you quickly achieve an expected level of performance. Is ITIL the end goal? No. Based on your unique and changing requirements, you should identify key areas of requiring exceptional - performance, and adapt ITIL to meet your needs.

So you're not a beginner golfer? Your organization already has IT service and support process in place? Best practices can still help. Use best practices to g

o back and improve areas that are currently effective, but t still need to be enhanced. Look at how others have done it, and modify as needed to help achieve the goals of your unique circumstance.

Your take away - adapt ITIL best practices to improve IT service efficiency. Look for solutions that implement ITIL out-of-box, but are easily adapted to your unique requirements. Leverage the best, but don't get stuck with a golf swing or an IT process that doesn't quite fit your needs!

ITIL and Six Sigma

tom@tomparish.com — Wed, 05 Dec 2007 17:51:50 GMT

by Kurt Milne

In this first column, I am going to try my hand as a matchmaker. No, I am not going into the romance business. What I am going to do is propose bringing together two seemingly independent approaches to improve the quality of IT service delivery — the IT Infrastructure Library (ITIL® and Six Sigma. These two approaches, each of which has attractive features, can certainly function without the other. So why bring them together? Let me explain.

ITIL defines a framework for IT Service Management. It consists of a set of guidelines, based on industry best practices, that specify what an IT organization should do. ITIL does not, however, define how to do it. For example, ITIL specifies that IT should allocate a priority for each incident that comes into the service desk. But, it does not specify how to allocate those priorities.

With ITIL, it's up to the IT staff to flesh out the details of process flow, and create detailed work instructions, all in a way that makes sense for their organization.

Six Sigma, on the other hand, defines a specific process, based on statistical measurement, that drives quality improvement and reduces operational costs. It helps in developing detailed work instructions, and it defines a methodology for continually mapping, measuring, and improving the quality process. Six Sigma tells you how, but doesn't tell you what. This approach does not specify any best practices specifically for IT Service Management.

In summary then, ITIL defines the "what" of service management, and Six Sigma defines the "how" of quality improvement. Together, they are a perfect fit for improving the quality of IT service delivery and support.

As in any match, however, there is a challenge. That challenge comes in reconciling the egos and expectations of the parties involved. In the case of ITIL and Six Sigma, this involves reconciling two separate camps of purists, each of which is convinced that their approach is best. To make things harder, both camps have impressive credentials to support their claims. ITIL has master's level certification. Six Sigma has its "black belts." So, your challenge is to bring these two approaches (and their advocates) together to implement the optimum combination for your organization.

The good news is that as a Remedy customer, you already have a great solution that helps bring them together. Remedy IT Service Management applications for the Enterprise help implement ITIL best practices straight out of the box. Remedy supports the ITIL best practices described in incident and problem management, change management, configuration management, service level management, and availability management. At the same time, the applications provide a great source of data for Six Sigma quality improvements. Outside the manufacturing area where Six Sigma was invented, there is no better place than the service desk to find operational data that drives customer relevant quality improvement.

By using Remedy applications to help implement the processes that bring ITIL and Six Sigma together, you have a great opportunity to use them both to improve the quality of IT services that are critical to your business.

Kurt Milne is Senior Manager of Strategic Marketing at Remedy, a BMC Software company.

This article was originally published in the inaugural edition of Remedy Online Newsletter, a quarterly publication for Remedy customers worldwide. The article, which ran in Fall 2003, is the first of a recurring series on "Emerging Trends" in Service Management.

CobiT and IT Governance

tom@tomparish.com — Wed, 05 Dec 2007 17:40:55 GMT

by Rod Amis

The issue of IT governance has become a concern for many CIOs/CTOs these days as emphasis has switched from the technologies themselves to how they bring greater value to the overall business. As one professional commented, you don't show value by talking about how many transactions you processed per hour; you talk about how much money you made the business last night. Business leaders in IT are less concerned about showing what's "under the hood" than they are about demonstrating the benefit of getting to the destination. One tool that is being explored to bring value is CobiT.

CobiT (Control Objectives for Information and related Technology), the international open standard of good practice for IT governance, security, and control, is now available for download at the Information Systems Audit and Control Association (ISACA) Web site. This interactive and customizable release of CobiT is made available by the IT Governance Institute (ITGI). In this article, we'll explore the questions:

What is CobiT?
Is CobiT better than other governance frameworks?
What benefits does CobiT bring to the enterprise?

What IS CobiT?

Let's begin with a bit of history. "ISACA got its start in 1967, when a small group of individuals with similar jobs -- auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations - sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field," we learn at the ISACA Web site.

In pursuit of this mission and parallel to the IT Infrastructure Library (ITIL) project begun by the British Government, the auditors at ISACA -- as the organization expanded internationally -- were looking for control mechanisms that could bring to the business the value of controls that provided verifiable compliance and governance data.

In essence, CobiT incorporates the control objectives observed by enterprises in compliance with Sarbanes-Oxley and other international standards, and allows for coordination between control requirements, technical issues, and business risks. CobiT's tool sets allow for practices that the ITGI believes incorporate or deepen the international IT Guidance supplied by ITIL, ISO/IEC 17799, ISO/IEC 13335, ISO/IEC 15408, TickIT, NIST and COSO.

In structure, CobiT features 34 high-level control objectives and 318 detailed control objectives that keep IT's operations in line with the business goals of maximizing security and profitability and minimizing risks.

In a February, 2005 interview with IT Business Edge, Malcolm Fry, an ITIL expert, provides this overview: "I'm going to ask you to draw yourself a graphic to explain how they all link together as a cohesive unit. If you draw two boxes next to each other and in the left hand one you write the ITIL, for the IT Infrastructure Library, and in the other, write TQM --Total Quality Management -- in other words, that's the business. The ITIL is basically running the day-to-day operations of IT. Draw a slighter bigger box around those two boxes and across the top of it write CobiT. What CobiT does is it brings in check points, security points, so in other words, in a certain point in the procedure you can't go past here unless you've got authority or proof or you meet some kind of criteria. So when you're implementing ITIL to support the corporate TQM, then CobiT you will implement at the same time to put the control points in. So ITIL is about processes, CobiT is about control points …"

Is CobiT Better than Other IT Governance Frameworks?

First a word of caution: No single framework of IT governance will fit the needs or the business objectives of every organization. Each business must look at its own challenges, goals, and objectives, and then evaluate the available governance frameworks to see which features of each best helps to meet those goals. Each of the three most recommended frameworks brings its own strengths to the business circumstances.

As Mr. Fry suggests in his response, oftentimes an array of frameworks, tailored to the particular needs of your enterprise is the best approach. While CobiT's strength is most pronounced in the area of controls and metrics, ITIL is strong on best practices and processes, and ISO is strong on security.

It is important to remember that each of these frameworks is the result of the work of literally hundreds of businesses and IT professional organizations internationally, over a period of decades. Each complies with international standards, so an array of the features of all three may be best for your enterprise.

"For the last five years, I have worked with IT organizations across the U.S. as a principal consultant, helping them identify key opportunities for best practice improvements in their change, and migration, processes. In those areas, CobiT provides some clear control guidelines that can be applied appropriately to meet a given organization's needs, based on their business model," says Mary McMichael, Principal Consultant for Diversified Software Systems.

"When sitting down with IT leaders from various disciplines in an organization, CobiT provides an objective set of guidelines with which to guide a discussion about the specific risks and opportunities in that enterprise, while avoiding some of the potential political potholes that can befall us in this type of discussion," she continues. "It can become a true business needs definition discussion rather than a criticism of any one organizational group, and provide a roadmap to prioritize improvement options."

What Benefits does CobiT Bring to the Enterprise?

The most apparent benefits that the CobiT framework can bring to the table are time and money. Because the documentation -- the accumulated experience of hundreds of IT professionals, auditors and business managers -- is made immediately available to your enterprise at no cost at the ISACA.org Web site, you immediately avoided having to invest in developing these practices independently. And, instead of addressing your control and auditing concerns on an ad hoc basis, you can bring this knowledge and complete framework to the fingertips of your management team immediately. With all this information and milestones set out for you and your staff, the possibilities of confusion or miscommunication about goals you're trying to achieve with CobiT are minimized, which also brings greater efficiency.

The third important benefit offered by CobiT is that it already complies with international standards and Sarbanes-Oxley. That means that it is not only a valuable tool for your internal management team, but can also be used by auditors and others outside your enterprise to evaluate your success in implementing control structures.

Finally, the CobiT framework allows you to share the knowledge you gain with other organizations, in users' groups, in professional journals or books, and via the Web. Sharing solutions and challenges with others can be a powerful engine, driving even more new ideas and solutions from your team.

Emphasis on Compliance

As an internationally developed and accepted framework of IT governance, CobiT shines in the areas of controls and auditing. It was developed by the IT Governance Institute and is freely available in an interactive, Web-based format from ISACA.org. It comprises years of experience in controls and security issues devised by hundreds of IT professionals, all to ensure that your organization is compliant with internationally accepted standards.

Since the shadow of the Enron scandal (which lead directly to Sarbanes-Oxley) fell over the vast arena of business reporting, and what IT can bring to risk management, control, and the audit trail, professionals have taken a closer look at tools that allow for verifiable, reliable reporting as well as controls for the enterprise. CobiT is increasingly coming on many CIOs' radar as a powerful compliance, and best practices tool, and another means by which IT brings value to the business (and can show it).

For more information about CobiT, check out the following resources:

Rod Amis is a freelance technology writer based in North Carolina. He has written for various publications on- and offline, including IT Manager's Journal, NewsForge, Silicon.com and Access Internet Magazine. He is also the author of two books and was a newspaper journalist before going completely digital.

Innovative Technology: Virtualization

tom@tomparish.com — Wed, 05 Dec 2007 17:30:27 GMT

by Debby Young

Changing the game plan from cutting costs to increasing service.

With server virtualization, IT can dynamically provision resources for the corporate computing environment based on anticipated workload cycles, such as normal end-of-the-month spikes caused by payroll processing or increased demand on online ordering resources triggered by a planned promotion. Because virtualization can emulate multiple computer environments on any given server, IT can pool server resources across the enterprise, thus driving down the cost of operation. This just-in-time resource allocation is part of a predictive resource scheduling strategy that optimizes utilization and assures service levels despite fluctuating workloads.

"Ultimately, you want to be able to allocate resources based on business priorities," says David Cohen, vice president, research and development for Merrill Lynch. He likens it to the way the electric company distinguishes between hospitals and residences -- during a power outage, hospitals get priority service over the general public. "In a virtualized environment, IT can configure resources to enable mission-critical applications to take precedence over less vital applications when extra processing power is needed," he says.

Virtualizing such tasks as data storage and network support can reap similar efficiencies. Depending on its failover configuration, for instance, pooling standby servers alone could save a company upwards of 40 percent on idle infrastructure expenses, floor space, power consumption, and support personnel.

THE BOTTOM LINE ON VIRTUALIZATION

For CIOs charged with streamlining underutilized IT environments, virtualization holds the key to significantly driving down infrastructure costs without sacrificing high availability. But more than just a cost-saver, virtualization helps effect business change by enabling IT organizations to:

Pool server resources
Increase server utilization
Provision capacity on demand
Shorten disaster recovery time

In the multitiered application environments endemic to large enterprises, IT tends to overprovision application clusters because need is calculated on the peak requirements of every application. By virtualizing servers, resources within the server cluster can be continually repurposed to meet changing capacity needs. When demand subsides from one application, the resources can be redirected to another application experiencing peak load. Therefore, the cluster can be provisioned closer to average requirements rather than to peak loads, optimizing resource usage and lowering the cost of ownership without compromising service-level agreements. In baseball terms, it's like having a utility player available instead of a specialized backup player for every position.

Because virtualization separates applications from the platforms they run on, disaster recovery -- one of today's key business priorities -- is quicker than in traditional IT environments. For instance, with a physical server, if hardware is modified after software is installed, the data restoration might fail because the licensing key no longer recognizes the configuration. "In a virtualized environment, from the operating system's perspective, it's all the same hardware," explains David Boyes, president and chief technologist for the Ashburn, Va.-based R&D company Sine Nomine Associates. "This can take literally hours and days off your disaster recovery time."

The Latest Advances

Advances in virtualization technology are occurring on a number of fronts. Foremost is dynamic, orchestrated provisioning -- that is, quickly reallocating servers from one pool of applications to another. This sophisticated process involves reconfiguring server parameters, allocating storage and other resources on the fly to meet the increased work-load demands of another application. VMotion technology from VMware, for example, allows IT architects and administrators to view the server farm as one aggregate computing pool and carve off logical servers to meet peak loads or to test new applications with no perceptible delay in service.

VMware is also innovating how memory is managed in virtualized, consolidated environments. With advanced memory management (AMM), IT no longer needs to calculate memory requirements based on the total amount of memory in each of the systems being consolidated. "Because AMM optimizes how the overall system is used, IT can often reduce actual memory requirements by 50 percent or more," explains Brian Byun, VP of software alliances for VMware.

In addition, progress is being made in balancing workloads across clusters in the enterprise to meet the service-level agreements for business applications. The goal is to prevent the reallocation of resources without first determining the underlying relevance to the business. For instance, is the spike in transactions in the Web store caused by an increase in purchases, or is it a denial-of-service attack? If it is the former, IT would need to reallocate resources to keep up response times in order to avoid losing sales. If it is the latter, IT would have to throttle back resources and address the attack.

Virtualization technology is rapidly gaining adoption. Innovators such as Merrill Lynch are using it to ease the transition to new computing platforms and manage application updates. For instance, when Merrill Lynch rolled out Windows XP across its user base, VMware allowed the company's financial advisors to toggle between Windows NT and Windows 2000 on the same desktop so that there was no disruption in service.

Industry experts observe that virtualization will enhance IT's ability to seamlessly integrate with partners that can provide additional resource capacity to handle workload spikes. There may be a slight premium on those resources, but it will cost a company far less than it would to retool the enterprise infrastructure to support peak requirements.

Additional Reading - Sponsor Link:
Seven Requirements for Balancing Control and Agility in the Virtual Environment

Iron Mountain's CIO on Data Protection Resolutions for 2006

tom@tomparish.com — Wed, 05 Dec 2007 17:12:51 GMT

by Kevin B. Roden

According to a number of recent surveys, data protection is a top priority in 2006. As the CIO of a company that's trusted for protecting and storing the world's data, I suggest 10 data protection resolutions for 2006. Many CIOs have taken several, if not all, of the first five resolutions. I encourage you to review all of these, and if any of them is missing from your checklist, to make it a top priority.

Define the Recovery Time Objective (RTO) for all of your applications. The RTO for an application is simply the objective for how quickly you need to have that application's information restored and available after downtime has occurred. For example, for your e-mail system, is the RTO four hours, eight hours, or the next business day?
Define the Recovery Point Objective (RPO) for each application. The RPO for an application is the objective for how much data you can afford to lose since the last backup. Is it two minutes worth of data, 20 minutes, or hours hours? You then need to estimate the costs to achieve your RTO and RPO for each application.
Classify your data based on its mission criticality. Your business's data should be categorized into groupings of critical, vital, sensitive, and non-critical. The critical grouping would include data that is used in key business processes or must be retained for compliance or legal reasons. Vital data includes information that would cripple the company if lost. Sensitive data is simply data that can be rebuilt easily and is not a unique source of information. Non-critical is just that - data with low security requirements. Determine criticality by meeting with company executives and decide clearly what the priorities are for the business. Then pick the appropriate backup strategy to meet that criticality. Also, be sure to assess where all the data is - both centralized and distributed data residing on remote servers, laptops, and PCs. Ensure the strategy addresses all the information.
Develop a detailed plan on how to restore your applications depending on the crisis that drives the need for recovery. Think about how to best respond to different kinds of scenarios, from simple scenarios, to the most complex. Of course, you have to test your backup and recovery plans to make sure they actually work; refine your plans based on your tests. Expect to do multiple tests before you get it right, and remember, this is a continuous process. Strive to constantly learn what works best -- and then amend your plans accordingly.
**Make sure you have adequate resources assigned to data protection at all levels of your organization. If you don't have the right resources and processes in place, than data at the edge of your network is probably at risk. If you are an Iron Mountain customer, you probably have already done the steps above. So where do you go from here? What should you focus on in 2006? Here are 5 resolutions we recommend.
Take an inventory of all your backup data - both onsite and offsite. Do you have everything you expected to have? Do you have more backed up data than you should? Is all of the data in the right location? Do you have tapes that should be onsite that are offsite, or vice versa? Taking a full inventory can be invaluable; you wouldn't want to discover inventory mishaps during a disruption.
Differentiate between backup data and archived data retention rules, and make sure they don't conflict with each other. For example, if your email retention policy is to delete all unclassified email after 90 days, but your hold policy for e-mail backup tapes is six months, then you could have a major e-discovery problem. Backup solutions cannot provide easy retrieval or an audit trail. The use of backed-up electronic records as official legal documents for compliance and litigation will lead to considerable time and money spent to restore backup tapes and search for legally relevant material. True digital archiving solutions today offer secure, compliant, and cost-effective, long-term archiving of electronic records. These records are stored in an indexed, searchable format so the organization can access those records whenever they need.
Put the processes in place to encrypt all data that you determine needs an extra degree of protection. For example, given the risks of theft or loss of confidential data stored on transportable data sources such as backup tapes, it is highly recommended that you encrypt transportable data such as backup tapes or optical platters.
Investigate new technologies to determine whether they may better address your data protection needs in certain areas. For example, electronic vaulting may be a better solution for your critical applications that demand short RTOs. And advances in tape virtualization technologies are now making the concept of online remote data replication much more affordable than it was the past.
Expand your disaster recovery planning to encompass business continuity. IT executives tend to focus on just disaster recovery. But disaster recovery planning that relies on another department for how the business processes recover may put your operations at risk. For example, if you had to execute your disaster recovery plan for your call center, you could have all the systems up in running in an alternative location and then discover that the alternative location is not outfitted for employees to go back to work. It makes sense for IT executives to take the lead. Always ensure enough desks and chairs.
You may already have all of these resolutions covered, but if you don't, I recommend that you address them this year to reduce your company's data protection risks.

Kevin B. Roden joined Iron Mountain as executive vice president and chief information officer in 1999. Previously, Roden was CIO with Fleet Boston Financial, for the banking subsidiary. He has held numerous technology and management positions in a 20-year career at BankBoston, including executive director of U.S. technology

Guidelines for Creating a Service Desk Based on ITIL Initiatives

tom@tomparish.com — Mon, 03 Dec 2007 20:17:08 GMT

by Elizabeth Ferrarini

Most organizations have some sort of an IT help desk staffed by individuals who field calls from users, and then go into firefighting mode to solve users' problems. However, some IT organizations have transformed their inefficient help desk into a proactive, service desk that offers high productivity and efficiency, but at a lower cost than before. Major companies, such as Procter & Gamble and Caterpillar, have accomplished this goal by adopting ITIL initiatives, a standard set of best practices for lowering and improving the quality of IT service delivery.

The Role of Service Desk Based on ITIL

A service desk designed according to ITIL initiatives functions as the day-to-day operational interface between the IT organization and its users for achieving the organization's goals. The service desk also becomes the focal point for integrating the five disciplines in ITIL's service support management processes -- incident, problem, configuration, change, and release management. To this end, service desk staff must be able to communicate effectively with users, via a number of different channels, as well as use technology, in order to close the loop on tasks in each of the five ITIL disciplines.

How to Get Started

The first step in developing a service desk calls for identifying where you are starting from. Assessment should include a formal review of processes and procedures based on the guidelines in the ITIL Best Practice for Service Support volume. These guidelines will include measuring service performance against targets, identifying strengths and weaknesses, and aligning services with customers' requirements. You need to compare similar operations and benchmarks to gauge improvements.

ITIL guidelines call for you to define the key service desk processes, not just what they are, but how they operate, and what affect and significance each process has to your organization. These definitions will encompass the following:

Staffing -- quality and number of people
Daily operational procedures
Incident processes
Request handling and workflows
Incident monitoring and tracking
Escalation and closure
Management information
Call volumes, workload, performance, and trends

The outcome of all this should provide you with a better understanding of user requirements, service level agreements, and the operational level agreements that underpin them.

Select the Right Staff

ITIL guidelines place a lot of emphasis on getting the right people from the start or training the staff you already have. A proactive service desk must have a motivated and positive staff. A good staff becomes a service desk most precious asset. So invest in your staff. This effort might mean recruiting new staff and supporting them with training, tools, and resources to be effective. Soft skills, such as good verbal and written communications, hold as much weight as technical or business knowledge. Don't forget to involve the staff with decisions about the service desk.

Think Service Always

ITIL guidelines call for thinking service desk. To this end, make sure your organization includes the service desk when it considers new business or new direction. Prepare the service desk to handle a new product, or service, or new users. The service desk needs to be involved from the start and have plenty of time to plan for any changes in priorities and workloads. Staff should help define service processes and priorities. The staff should get involved with transition teams to help ensure smooth running of a new business or a merged organization.

User perception of the service ranks alone side of how the was improvement. In some cases, the service desk staff might find it appropriate to work with users to integrate some of their processes with those of the service desk. Such an effort could provide a seamless support environment. For example, an organization might want to incorporate second line support, problem management, and change management facilities into its own service desk operations.

Insist on the Appropriate Technology

The ITIL guidelines stress using technology appropriate to meet the organization's required service levels. The service desk needs to maintain or have access to a wide range of information and facilities that can be provided to users. Some of this might include reference material, such as the corporate file storage structure, contract documentation, process definitions and scripts, and frequently asked questions. Some material might have been interactive, such as links to message boards, intranet services, and external Web sites. Some material might be designed to coordinate service and change management capabilities. For example, this material might enable the service desk staff to manage problem resolution or enabling to assess, coordinate, and deliver service more effectively to users.

Recent advances in service desk tools have included remote (virtual) desktop, and network and application support. (See Tips for Evaluating Service Desk Tools) Service desk tools now incorporate facilities to identify and to resolve incidents before they affect users. In many cases, the tools can resolve problems without intervention from the service desk staff. When a user needs to contact the service desk, he or she has a range of self-help facilities, such as Web and intranet access, incident logging, incident status reports, and other information can help the individual to resolve the problem. These tools can reduce the need for users to contract the service desk for mundane reasons, and thus free the service desk staff to focus on more pressing tasks.

Links between system management and service management tools can provide invaluable insight into the performance of the complete technical infrastructure and can even highlight where attention is required to fix emerging problems. With early warning of failure, missed thresholds, and poor performance, a department manager can decide on the most appropriate actions to eliminate the causes.

The most advanced service desks, as described in the ITIL guidelines, also support functions such as inventory management and software distribution. Integration with each vendor's Web site can provide an additional layer of service that be provided seamlessly to users. For example, one such service might include allowing users to order and download upgrades and new software. Vendors might even be prepared to fund part of the project in return for the benefits they receive.

Seek Support from Other ITIL Adopters

Never feel that you are alone in carrying out a proactive service desk based on ITIL guidelines. You're not. Seek out IT professionals at other organizations who might have faced similar challenges to you and might be happy to share them with you. Visit these individuals and see how they work. Look at the processes you can adopt and check out businesses in other sectors. Most of all, joint the not-for-profit IT Service Management Forum or itSMF (www.itsmf.com) promotes ITIL through its 8,000 members worldwide. Be prepared to share ideas by attending itSMF seminars and itSMF regional groups.

Transforming your help desk into a proactive service might sound like a daunting task. You can lessen the task with careful planning and sensible implementation using ITIL initiatives.

Guidelines for Evaluating Service Desk Tools

When it comes to selecting service desk tools, you might want to narrow your search to those process integrated tools that completely support the five disciplines in the ITIL Best Practice for Service Support volume. For example, a service desk tool integrated with change management can reduce disruptions in the IT infrastructure. This type of tool can locate critical components with performance problems, which can help service desk staff solve user problems more quickly.

If the service desk tool can expand the concept of service management to include other increasingly important processes, such as capacity planning, then IT department can reuse and integrate the knowledge that is captured in this tool. For example, ITIL guidelines provide a problem-management process where an IT professional spend time investigating the root cause of a problem to prevent the problem from reoccurring. A service desk tool should have the capability to relate incidents to problems so that a service desk staff member can make use of the knowledge that is captured with the problem record for faster resolution. Integration between the service desk tool and the systems management environment can enable planned-outage planning support based on specific service levels.

When evaluating service desk tools, consider if the service desk tool dictates how to organize the service goal, or if the service desk can tailor the tool to suit its own way of working. Look for a tool that is based on ITIL's recommendations for the basic organizational structure of the service desk. At the same time, you should be able to tailor the tool so that it can integrate seamlessly with the existing organization infrastructure. Each organization will have unique escalation procedures, notification rules, and approval processes to which the service desk should conform.

So, when evaluating service tools, ask yourself these five questions.

Is the tool completely based on ITIL?
Does it have the capability to define and to map IT service and their components?
Out of the box, does it integrate with the following:
- A confirmation or asset management module?
- A change management module
- A workflow management module
- A service level management module
Does the tool allow you to forward of events being generated by a network or systems monitoring tool and communicating back any status change of the incident recorded in the service desk application.
Can you easily learn to use the tool, navigate with it, and tailor it to your needs?

Additional Reading - Sponsor Links:
Why You Should Take a Holistic Approach to ITIL and Service Support
Streamlining Service Request Processes: A Key to Business Success
Taking the Service Desk to the Next Level

Elizabeth Ferrarini is an IT consultant and freelance writer from Boston, Massachusetts. Elizabeth can be reached at elizabethferrarini@yahoo.com.

Introduction to ITIL: Early US Adopters Show Business Value

tom@tomparish.com — Mon, 03 Dec 2007 20:05:30 GMT

What's ITIL? A Question Every IT Professional Should Ask

When asked if he knew about ITIL, a former CIO from a major brokerage firm paused for moment and then said, "I can't say I've ever heard of it." After all, it's not a standard term in a lot of American IT professionals' vocabularies. On the other hand, IT executives at Procter & Gamble and Caterpillar have turned their IT departments into efficient powerhouses by becoming early adopters of an IT process-driven framework for service management. Despite its highbrow name, the Information Technology Infrastructure Library, or ITIL, holds great promise, according to industry analysts.

Established in 1989 by the United Kingdom's former Central Computer and Telecommunications Agency (CCTA) to improve its IT organization, ITIL consists of an interrelated set of best practices for lowering the cost, while improving the quality of IT services delivered to users. To achieve these goals, the IT department must work collaboratively with users to create new business opportunities for the organization.

ITIL, which is widely adopted throughout Europe and is closely tied to ISO 17799, nudged its way into North America in the 1990s and now appears to be gaining momentum with CIOs looking to overhaul their IT departments. After all, during the past five years, IT departments here have gone from warding off the hazards of Y2K, to overbuilding capacity for e-business, and now learning to do more with less in a tight economy.

Gartner Group describes ITIL as a roadmap for carrying out repeatable steps for managing technology. It sets out major procedures, goals, and directions for each of 10 different disciplines -- everything from incident management to service-level management -- that can turn IT into a service delivery system rather than an infrastructure made up of discrete processes. ITIL addresses those activities that an organization should do in order to keep processes in control. It can also help determine if a process is cost effective or not, and whether job descriptions should be changed.

ROI: The Payback from ITIL

Carrying out ITIL principles has bought more than good news to a handful of major North American corporations and government agencies. Some early adopters have tallied up their cost savings and productivity gains directly attributed to ITIL principles. Consider the following vignettes about early ITIL adopters:

Procter & Gamble

Procter & Gamble, the Cincinnati, Ohio-based consumer products giant, embarked on ITIL in 1999 with a worldwide effort to streamline the number of applications help desks have to support. In just the past four years, Procter & Gamble has reportedly saved about $500 million. A study of savings within Procter & Gamble's finance and accounting IT departments showed a six percent to eight percent cut in operating costs and a 15 percent to 20 percent reduction in technology personnel. Procter & Gamble's most recent ITIL endeavor involved root-cause analysis of trends in help-desk requests. This initiative resulted in a 10 percent reduction in help desk calls.

Caterpillar
In 2000, Caterpillar, the Fortune 100 construction equipment and engine manufacturer based in Peoria, Illinois, used ITIL methods to address incident management for Web-related services. The ITIL team found that internal service providers couldn't meet the target response time of 30 minutes between 60 percent and 70 percent of the time. Now service providers surpass the 90 percent mark.

Ontario Justice Enterprise
Ontario Justice Enterprise, an agency that handles the Canadian government's court system, adopted ITIL in 1999 to help manage growth and to improve service to its internal customers. With 1,000 locations across Ontario serving 25,000 individuals, the agency was under intense pressure to provide more efficient services. The ITIL initiative spawned a virtual service desk that helped slash support costs by 40 percent. The service desk improved service-level monitoring and service request processing, ensuring that everyone worked together as a service-delivery chain. As a result of this agency's experience, other Ontario federal government agencies have adopted ITIL principles.

The ITIL Publications

ITIL got its start as a 40-volume set of principles developed by the CCTA, which has been incorporated into the UK's Office of Government Commerce (OGC). Today, ITIL principles come in several volumes of "best practices" published and maintained by the OGC. The ITIL publications cover Business/IT perspective, application management, service delivery, service support, and infrastructure management. The two most popular volumes address the five disciplines of service support, and the five disciplines of service delivery, respectively. All of these disciplines work together to deliver service management to an organization and the users of IT systems. Users can include the employees of the organization or partners and customers which use the organization's IT services.

Service Support

This volume consists of the day-to-day processes that support delivery of IT services. These processes consist of the following:

Incident Management includes the timely coordination, diagnosis, correction, and restoration of interrupted IT services.
Problem Management helps to identify and permanently remove the root causes of actual and potential problems.
Change Management helps to maximize the business benefits of infrastructure change while reducing risk of making changes.
Configuration Management helps to establish control of critical IT configuration items.
Release Management helps to improve software releases, distribution, and maintenance processes of configuration items.

Unlike these five disciplines, the service desk functions as more than a traditional help desk for fielding users' calls citing problems. It functions as the essential, operational interface between the IT organization and its users for achieving the organization's goals. The service desk's main responsibilities include the following:

Receive and record all calls.
Provide initial assessment and attempt first-time resolution.
Monitor and escalate all incidents.
Provide timely feedback to users.
Produce management reports.

Service Delivery

This volume focuses on the long-term planning of improvements in IT service delivery. These processes consist of the following:

Availability Management helps to optimize and ensure the availability of IT services to support business objectives.
Capacity Management helps to optimize the capacity of IT resources and services in alignment with business requirements.
IT Service Continuity Management helps to ensure the availability and rapid restoration of IT services in the event of a disaster.
Financial Management provides a way to measure, control, and cover costs to IT service.
Service-Level Management helps to establish, to report on, and to maintain the delivery of agreed upon IT service levels to users.

Support for ITIL principles began as a cottage industry, with vendors offering workshops for ITIL certification; these days, major system vendors offer a platform of tools to support all the processes in each ITIL discipline.

Based in the United Kingdom, the not-for-profit IT Service Management Forum or itSMF promotes ITIL through its 8,000 members worldwide. In the U.S., itSMF has about 600 members representing about 200 major corporations, such as IBM and Hewlett-Packard.

Challenges of Carrying Out ITIL Initiatives

Getting a company-wide ITIL initiative underway can have its challenges. Governance, which aims to address and correct bad habits, makes up the core of practically all IT standards. IT governance outlines policies, highlights procedures, requires meticulous documentation, and establishes a precise plan for constant improvements. Carrying out these tasks often involves introducing formal changes that cause friction in the organization. In fact, the two ITIL volumes offer considerations for dealing with potential roadblocks in each of the 10 different disciplines.

Senior executives need to lead the charge by rallying the troops and explaining the need for changes, and how and why ITIL principles will shape the organization. Linking other organizational initiatives to ITIL can help increase its acceptance. For example, Procter & Gamble marketed ITIL as a way to help meet a companywide direction from the CEO to cut costs by $2 billion over a five-year period. CIOs might want to start with an ITIL initiative in one discipline, get some measurable results and buy-in from the IT department, before going forward with other initiatives.

ITIL stands for the "IT Infrastructure Library" -- a series of guidelines developed by the OGC for the British government. The de-facto standard in the area of service management, ITIL contains comprehensive, publicly accessible specialist documentation on the planning, provision, and support of IT services. ITIL provides the basis for improvement in the use and effect of an operationally deployed IT infrastructure. IT service organizations, employees from computing centers, suppliers, specialist consultants, and trainers helped develop ITIL, which describes the architecture for establishing and operating IT service management. Apart from guidelines for service management in book form, ITIL provides its users with a range of other products; for example, in the areas of:

Training and coaching
Vocational and professional examinations
Consultancy

ITIL books are best-practice guidelines for service management; the guidelines describe what rather than how. Service management is tailored to the size, the internal culture and, above all, the requirements of the company. The impartial view of the external consultant may help to break away from the rigid structures.

The books provided by ITIL make up the only comprehensive, non-proprietary and publicly accessible, process-related library in this field -- a unique and valuable product for all IT professionals.

Overview of Service Management According to ITIL

Service Support

Service Desk

Configuration Management
Incident Management
Problem Management
Release Management
Change Management

Service Delivery

Service Level Management
Financial Management
Capacity Management
Availability Management
IT Continuity Management
Security Management

Benefits of ITIL

ITIL describes a systematic, professional approach to managing IT services. The library emphasizes the central importance of meeting company requirements economically. Adhering to the best-practice approach described in ITIL has the following benefits for an organization:

Support for the business processes and the tasks of IT decision makers.
Definition of functions, roles, and responsibilities in the services sector.
Reduced expenditure in developing processes, procedures, and job instructions.
IT services that meet the requirements of the particular business.
Improved customer satisfaction through better and measurable availability and performance of the IT service quality.
Improved productivity and efficiency through the purposeful use of knowledge and experience.
Basis for a systematic approach to quality management in IT service management.
Improved employee satisfaction and reduced fluctuations in personnel levels.
Improved communication and information between IT personnel and their customers.
Training and certification of IT professionals
International exchange of experience (www.itsmf.com)

An unconditional willingness to become more customer and service-oriented is a prerequisite. In many enterprises, this will necessitate a change of the predominant service culture.

In addition, with the help of ITIL, a clear body of terminology is to be created in the service management sector.

Contents of ITIL

ITIL comprises the following five basic elements:

Business perspective
Application management
Service delivery (provision of IT services)
Service support
Infrastructure management

"ITIL is a registered trade mark of OGC - The Office of Government Commerce"

Elizabeth Ferrarini is an IT consultant and freelance writer from Boston, Massachusetts. Elizabeth can be reached at elizabethferrarini@yahoo.com.