ITSM Evangelist Talks Security

There are two key waves rolling through the IT industry these days. Two separate trends are gaining mindshare and even a substantial chunk of dwindling IT budgets. The push for increased information security and the separate push for IT service management are both gaining momentum industry wide.

The question is whether the two IT trends will merge.

With information increasingly becoming a company’s greatest asset, information security is on the forefront of IT’s focus and spending. A report released just this week listed the post of Information Security Manager as the hottest job of the year. And with IT budgets being tightened across the country, one of the few things still getting funding was security.

And on the other side of the aisle, evangelism about ITSM has been clearly picking up speed. ITSM is a different way of thinking, and a different way of managing. IT managers are being told that they need to get their heads out of their backend servers and start looking at the bigger picture. IT should no longer just be about keeping the servers up and running or the email flowing. Oh, that’s still part of it, of course. But the IT manager should be focused on what the business needs, whether it’s better customer service or getting products made and shipped out faster.

And many people today would say what the business needs is better security. So do these two trends really mesh?

Can ITSM be implemented to improve security and reduce its cost? Or is ITSM more geared to customer service and production processes, and just not right for a security manager to grab hold of?

David Ratcliffe, president and CEO of Toronto-based Pink Elephant, Inc., an IT management research and consulting company, says security is perfectly suited to an ITSM way of thinking and management. Here, Ratcliffe, who has spent the last 16 years espousing the benefits of a service management philosophy, talks with Datamation about dealing with patches, viruses and spam… and how ITSM does, or doesn’t, fit in.

Q: The big question is whether ITSM would work when it comes to security.
It definitely helps. The topic of security is a blend of tools and the technology, the nuts and bolts… But it’s also a blend of the processes, disciplines and the culture of people’s behavior. ITSM provides guidance on processes and culture to help us manage security. With ITSM, we’re saying it has more to do with the process and how the infrastructure is managed… Poor security directly affects the availability of services. It’s a very real operational need to maintain availability and service.

Q: Can you give me an example of how this would work?
We might have tools that help us with passwords. And we might think as long as we password protect some data or a Web site, we have a way of gatekeeping our assets. If the policy or the process we have for administering the passwords doesn’t make a lot of sense or isn’t user friendly, you get people who can’t remember their passwords because they’re not real words but random strings of numbers and letters. There’s the process getting in the way. And you don’t want it too much the other direction either, where there are no rules and people end up using the same password for everything. You need a tool but you need a process or rules of how to use it. It’s an interesting blend of managing people’s behavior as well as the technology.

Q: With so much focus on security today, and so much fear of terrorism, is this the right time to implement a new way of thinking about security, or would it be better to wait?

It’s easy to let security take a back seat. In times of stress, we tend to relax security. It’s all hands to the pumps, and we have no time for security. But those are the times, maybe, when they’re more vulnerable. When some crisis occurs, bad weather or terrorism, we have to continually remind them that they can’t ignore security. You must address it in normal day-to-day operations, and during a crisis, as well. The idea of wedging doors open when the lock is broken… that becomes something you have to remind people about.

Q: When you have to remind IT not to forget about security, how does ITSM fit in there?
ITSM gives you that reminder. This is something you must do. ITSM lays out a set of guidance rules, reminding you of what you need to address. They are rules making sure we’ve dotted our i’s and crossed our t’s.

Q: IT managers are struggling to keep up with the constant rush of software vulnerabilities and the patches they need to download to correct them. How can ITSM help with this?
Change Management is the process people spend the most time talking about — making sure we plan for changes or upgrades and patches. Think about the impact of doing the patch, of making the change. When we say we’re going to apply a change, if you’ve planned, you understand the impact of the change, as well as the impact of not doing it. You think about who and what needs to be involved, and that improves communication. And then Release Management addresses how we efficiently manage all the different patches. They’re not addressed in an ad hoc way. You have an order and a method of deciding how patches are applied. Are they applied in groups? Is every patch applied? Instead of applying patches as they come out, maybe it’s more efficient to bundle them together and apply them all on a Saturday.

Q: Companies were hit very hard a few weeks ago by the Sobig-F and Blaster worms. Could ITSM processes have helped alleviate that?
You have to be ready to respond to something that is urgent. ITSM gives guidance as to how to do that efficiently. You have to be flexible and reactive. You have to be prepared. You might not know when and where and why it will happen, but you’re ready to react.
You don’t want to wait for a weekly or monthly update, you need to do it right now. And then your processes tell you what other work must be postponed or who is going to have to work late. It’s all part of being reactive and being able to respond quickly.

Q: Can ITSM processes help fight spam?
I don’t know exactly what the solution is. ITSM offers good guidance to apply. Be more protective of your email address. It can provide guidance for people on how to process their email, how to go about their work, how to protect their email. But I can’t claim that ITSM has a lot of guidance here. We don’t have all the solutions yet. This is an interesting thing to think about — how can processes help solve spam? But I think this is an area where we might rely more on technology than on processes.

Sharon Gaudin
Sharon Gaudin is an eSecurity Planet contributor.