ITIL Certified Products are No Magic Bullet

July 21, 2009 by ADMIN

By Michael Lohr, Sales Engineering Team Manager for Tripwire

I get a weekly email from George Spafford, who is a co-author of Visible Ops and a Principal consultant for Pepperweed Consulting.

His email has great articles and if you want to subscribe to it, email SGC_Daily_News-subscribe@yahoogroups.com.

Ok, now I’ve given George his unsolicited plug.

I read an article from his email that said the U.K.’s Office of Government Commerce (OGC) has officially created a framework to allow vendor products to achieve an “ITIL Certification”.

The certification is decided by the following criteria.

The official OGC auditing program looks at two areas of compliance: functionality and product documentation. When auditing these products, it also looks for accurately represented processes and functions. The IT tools standard certifications are awarded in three tiers:

  • If the functionality and documentation pass required criteria, the tool receives a bronze.
  • If, on top of that, upon initial inspection at least three companies have implemented that particular version, a silver level of compliancy is awarded.
  • Finally, gold-level compliancy is given when three or more companies have implemented the tool and those customers have provided evidence in support of it.

Essentially, if a vendor can prove their product supports the ITIL framework and can find a whopping three customers to testify to this, they can get their verification/certification from OGC’s official accrediting agency, APM Group.

One item that is left out is the cost of this certification, but similar verifications from third-party companies are $12,000.

Now that the details of getting ITIL certified are out, I must ask the obvious question: How does buying a certified ITIL product help with the implementation of ITIL?

I’ll give the simple answer–IT DOESN’T!

ITIL is a best practices process framework and certifying that a product supports a framework in no way means that an organization will actually implement the framework correctly.

So many products on the market CAN support the ITIL framework, and can hopefully scrounge up three customers, that this certification becomes pointless.

Essentially, pay your money and you’re in!

I would equate this to the following scenario:

I have just moved from Atlanta to Boston and winter is quickly approaching. I know how to drive a car well and I have been doing so for many years. However, I have no experience driving in snow.

I decided the solution to this problem is simply to buy a new tool for the car, namely snow tires. Now that I have snow tires on my car I can safely drive in the snow.

Unfortunately during the first big snow, I skid off the side of the road and hit a sign.

As I am talking with the tow truck driver, I explain that I have never driven on snow but I did buy snow tires so I cannot understand what went wrong. He laughs and says the tires are just part of the solution but I need to LEARN to drive on snow in addition to having the proper equipment.

My fear is that companies will buy these so-called certified products thinking they have bought the magic bullet to solve their ITIL project, but instead they’ll skip the hard part, which is designing the processes for their organization.

So instead of a magic bullet they’ll just shoot themselves in the foot with a real bullet.

ITIL isn’t about specific products but instead about putting in processes that bring efficiency to the organization.

I fear that ITIL will be moved to an irrelevant framework in the US if organizations do not get serious about implementing it correctly.

I have been to many companies that say they are implementing ITIL but when I dig further I find out a few people have taken the initial certification class and that is about it.

Now, these same people can go to their boss and say they are recommending a product for the ITIL initiative and better yet–it’s CERTIFIED!

Nine months later their boss is going to ask some serious questions about what went wrong with the ITIL project considering he signed several purchase orders for ITIL certified products.

I welcome any thoughts or feedback on this.

Michael Lohr has spent the past ten years in the high tech industry assisting his customers with large-scale deployments and enterprise application integration projects. Michael manages the Sales Engineering team for Tripwire on the East Coast, and he spends frequent time with Tripwire’s largest customers helping them with compliance and change management concerns. Michael joined Tripwire in 2004 with an extensive background in integrating large back-end systems together to provide an enhanced workflow for his clients’ customers as well as their employees. In the time that he has been part of Tripwire, he has built upon his integration background by adding best-practice process knowledge, like ITIL, to his skill set. He currently holds a CISA certification and is an ITIL Practitioner in Release and Control.


Tripwire helps over 6,500 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency across virtual and physical environments. With its industry leading configuration assessment and change auditing software solutions, IT organizations achieve and maintain configuration control. Tripwire is headquartered in Portland, Ore. with offices worldwide.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Comments

One Comment on ITIL Certified Products are No Magic Bullet

  1. Rhett Glauser on Wed, 22nd Jul 2009 2:56 pm

    Since Service-now.com achieved PinkVERIFY in 11 ITIL processes last week, you’d think I’m here to disagree with your post. To the contrary, I couldn’t agree more.

    The ITSM tool purchasing and implementation process is broken. I blog about this topic and what SaaS has to do with all of it here: http://bit.ly/wZtJF

    Good post. Best regards,

    Rhett Glauser
    Service-now.com
