CIOs Largely Overlook Compliance Best-Practices Guide

Sarbanes-Oxley compliance has fueled interest in the IT Infrastructure Library best practices, but a lack of understanding of ITIL and lack of baseline performance measurements could keep IT shops implementing it from achieving its promised efficiency gains.

Those are a couple of the conclusions of a survey of IT managers and executives on ITIL initiatives that was released on Monday by IT process consulting firm Evergreen Systems Inc.

The Sterling, Va., company surveyed attendees at the Inter-national IT Service Manage-ment Conference earlier this year to gauge the level of commitment to and understanding of ITIL among a group considered to be early innovators of ITIL, according to Don Casson, CEO at Evergreen.

“Incident management is the place where most ITIL activities begin,” said Casson. “Many see ITIL as a way to improve the help desk, not re-engineer service delivery at the enterprise level,” he said.

Casson believes that view represents a lack of understanding on the part of upper IT management of what ITIL is intended to accomplish, which is a re-engineering across the entire IT organization of the provisioning of services.

For more on the impact of SarbOx, read: Will Sarbanes-Oxley Compliance Leave a Hole in Your Budget?

The survey of 100 attendees at the conference, about two-thirds of whom work for Fortune 1000 companies, also revealed that some 70 percent of those implementing ITIL initiatives don’t have a baseline to measure performance improvements. “IT could miss a great opportunity to prove a terrific gain,” Casson said.

Many IT shops looking at ITIL don’t understand its companion standard, Control Objectives for Information and Technologies (COBIT).

COBIT is a set of 36 standards that detail how to control or audit the effectiveness of IT process control. “COBIT is the audit tool you use to see if you followed those best practices,” Casson said.

For example, while 87 percent of respondents said their organizations have CIO-level commitment to an enterprise ITIL architecture, only 37 percent said their organization is investigating a process compliance framework like COBIT.

For more on the impact of SarbOx, read: Calculator: The Cost of Sarbanes-Oxley Compliance.

The survey also hinted at the possible over-hyping of the configuration management database, which large enterprise management suppliers such as BMC Software Inc. and IBM’s Tivoli brand are promoting.

Although 79 percent of respondents said their organizations were going to create a CMDB and a third said they are already using an active CMDB, those answers don’t jibe with Evergreen Systems’ experience.

“Creating a CMDB is a whopping challenge,” Casson said. “To do it correctly you have to use a change process to update every configuration item. We’re not sure the market really understands that. For most IT shops, asset management is still done in the silos. It’s not unusual to find a dozen different asset databases out there. To get to a federated configuration repository is a huge challenge, and you have to update it and create a systems awareness of it.”