The question is whether the two IT trends will merge.
With information increasingly becoming a company's greatest asset, information security is at the forefront of IT's focus and spending. A report released just this week listed the post of Information Security Manager as the hottest job of the year. And with IT budgets being tightened across the country, one of the few things still getting funding is security.
And on the other side of the aisle, evangelism about ITSM has been clearly picking up speed. ITSM is a different way of thinking, and a different way of managing. IT managers are being told that they need to get their heads out of their backend servers and start looking at the bigger picture. IT should no longer just be about keeping the servers up and running or the email flowing. Oh, that's still part of it, of course. But the IT manager should be focused on what the business needs, whether it's better customer service or getting products made and shipped out faster.
Can ITSM be implemented to improve security and reduce its cost? Or is ITSM more geared to customer service and production processes, and just not right for a security manager to grab hold of?
David Ratcliffe, president and CEO of Toronto-based Pink Elephant, Inc., an IT management research and consulting company, says security is perfectly suited to an ITSM way of thinking and management. Here, Ratcliffe, who has spent the last 16 years espousing the benefits of a service management philosophy, talks with Datamation about dealing with patches, viruses and spam... and how ITSM does, or doesn't, fit in.
Q: The big question is if ITSM would work when it comes to security.
It definitely helps. The topic of security is a blend of tools and the technology, the nuts and bolts... But it's also a blend of the processes, disciplines and the culture of people's behavior. ITSM provides guidance on processes and culture to help us manage security. With ITSM, we're saying it has more to do with the process and how the infrastructure is managed... Poor security directly affects the availability of services. It's a very real operational need to maintain availability and service.
Q: Can you give me an example of how this would work?
We might have tools that help us with passwords. And we might think as long as we password protect some data or a Web site, we have a way of gatekeeping our assets. If the policy or the process we have for administering the passwords doesn't make a lot of sense or isn't user friendly, you get people who can't remember their passwords because they're not real words but random strings of numbers and letters. There's the process getting in the way. And you don't want it too much the other direction either, where there's no rules and people end up using the same password for everything. You need a tool but you need a process or rules of how to use it. It's an interesting blend of managing people's behavior as well as the technology.
Q: With so much focus on security today, and so much fear of terrorism, is this the right time to implement a new way of thinking about security, or would it be better to wait?
It's easy to let security take a back seat. In times of stress, we tend to relax security. It's all hands to the pumps, and we have no time for security. But those are the times, maybe, when they're more vulnerable. When some crisis occurs, bad weather or terrorism, we have to continually remind them that they can't ignore security. You must address it in normal day-to-day operations, and during a crisis, as well. The idea of wedging doors open when the lock is broken... that becomes something you have to remind people about.
Q: When you have to remind IT not to forget about security, how does ITSM fit in?
ITSM gives you that reminder. This is something you must do. ITSM lays out a set of guidance rules, reminding you of what you need to address. They are rules making sure we've dotted our i's and crossed our t's.
Q: IT managers are struggling to keep up with the constant rush of software vulnerabilities and the patches they need to download to correct them. How can ITSM help?
Change Management is the process people spend the most time talking about -- making sure we plan for changes or upgrades and patches. Think about the impact of doing the patch, of making the change. When we say we're going to apply a change, if you've planned, you understand the impact of the change, as well as the impact of not doing it. You think about who and what needs to be involved, and that improves communication. And then Release Management addresses how we efficiently manage all the different patches. They're not addressed in an ad hoc way. You have an order and a method of deciding how patches are applied. Are they applied in groups? Is every patch applied? Instead of applying patches as they come out, maybe it's more efficient to bundle them together and apply them all on a Saturday.
Q: Companies were hit very hard a few weeks ago by the Sobig-F and Blaster worms. Could ITSM process have helped alleviate that?
You have to be ready to respond to something that is urgent. ITSM gives guidance as to how to do that efficiently. You have to be flexible and reactive. You have to be prepared. You might not know when and where and why it will happen, but you're ready to react. You don't want to wait for a weekly or monthly update, you need to do it right now. And then your processes tell you what other work must be postponed or who is going to have to work late. It's all part of being reactive and being able to respond quickly.
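The Release Management decision Ratcliffe describes (bundle routine patches into a planned Saturday window, but push urgent fixes through an emergency change right away) can be written down as a small triage model. This is an added example, not part of the interview or any Pink Elephant material; the patch names, severities and the rule "critical or actively exploited means emergency" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example (not from the interview): a minimal Release Management triage.
# Routine patches are bundled into the next scheduled Saturday window; patches for
# critical or actively exploited flaws go out now as an emergency change.


@dataclass(frozen=True)
class Patch:
    name: str
    severity: str            # assumed scale: "critical", "high", "medium", "low"
    actively_exploited: bool  # assumed input from threat intelligence


# Constructed sample backlog; names and ratings are invented for illustration.
SAMPLE_PATCHES = [
    Patch("KB-A", "critical", False),
    Patch("KB-B", "medium", True),
    Patch("KB-C", "high", False),
    Patch("KB-D", "low", False),
]


def next_saturday(today: date) -> date:
    """Next Saturday strictly after 'today': the planned release window."""
    days_ahead = (5 - today.weekday()) % 7  # Monday=0 ... Saturday=5
    if days_ahead == 0:                     # already Saturday: use next week's window
        days_ahead = 7
    return today + timedelta(days=days_ahead)


def is_emergency(patch: Patch) -> bool:
    """Assumed policy: critical or actively exploited flaws cannot wait for the window."""
    return patch.actively_exploited or patch.severity == "critical"


def plan_release(patches, today_iso: str) -> dict:
    """Split a patch backlog into an emergency change (apply today) and one
    bundled scheduled release (apply on the next Saturday)."""
    today = date.fromisoformat(today_iso)
    emergency = sorted(p.name for p in patches if is_emergency(p))
    scheduled = sorted(p.name for p in patches if not is_emergency(p))
    return {
        "emergency": {"apply_on": today.isoformat(), "patches": emergency},
        "scheduled": {"apply_on": next_saturday(today).isoformat(), "patches": scheduled},
    }


if __name__ == "__main__":
    print(plan_release(SAMPLE_PATCHES, "2024-01-10"))
```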
Q: Can ITSM processes help fight spam?
I don't know exactly what the solution is. ITSM offers good guidance to apply. Be more protective of your email address. It can provide guidance for people on how to process their email, how to go about their work, how to protect their email. But I can't claim that ITSM has a lot of guidance here. We don't have all the solutions yet. This is an interesting thing to think about -- how can processes help solve spam? But I think this is an area where we might rely more on technology than on processes.