The IT Governance Cheat Sheet
January 10, 2013
In my previous column, "Must 'Cloud' Translate To 'Ungovernable'?", I argued that when IT services come from a mix of inside and outside assets, we need more control, not less. The bad news: IT service management (ITSM) as a discipline includes an ocean of standards. To help guide IT leaders who are new to ITSM, I put together a sample of important frameworks, and where they fit in the business.
Why go to the effort of wading through it? As IT gradually gets drawn into a broad XaaS (everything as a service) transformation, service management becomes a mutual need for enterprises and their suppliers. A culture of reciprocal accountability must prevail, as it does in other industries. To put it another way, look at what happened when a few seats on American Airlines flights came loose in midair. A series of policies and inspections, with FAA involvement, was kicked off automatically. Meanwhile, hospitals are quickly learning that processes and checklists minimize errors.
Why doesn't an IT failure launch a predefined remediation process? Imagine how we would react if the healthcare or airline industries were not in compliance with their respective governance standards. Now, you can argue that a bit of regulation goes a long way, and no one is likely to die if a SaaS provider is offline for a few hours. True, but we must aspire to the same level of standards to which we hold the businesses we support, especially if we buy the premise that cloud adoption is now in the fast lane.
ITSM is only a means to an end, and, to that extent, business objectives and governance must come first. While the academic list of related artifacts can be daunting (what's below is just a sample), there are plenty of resources to help in preparing a highly customized and targeted subset that can serve as the materially significant list of critical ITSM tracks for a given business agenda. Check out ITSM Watch, for example, and various certification tracks.
I've seen plenty of theories on how many of the 26 ITIL processes and related artifacts are must-haves. Obviously, there is no universal answer. I recommend beginning with a manageable list of 10 to 15 carefully chosen subsets of these processes for large companies with cloud and in-house services. Smaller companies, or those with a simple IT infrastructure, could use fewer. Alignment with business objectives and governance, and demonstrating value back to the business, will definitely help in that filtering exercise.
Keep in mind that ITSM is a mix of optional best practices and enforceable policies. Wherever possible, policy-driven ITSM must be elevated to policy-governed ITSM, so breaches and outages can be averted, rather than merely reported on after the fact. Adhering to standards can also help avoid vendor lock-in. You get the gist.
To start an ITSM program:
- Form an executive sponsorship/steering committee with business and IT stakeholders. If applicable, include key external members, such as major suppliers and partners.
- Review broad business objectives, including compliance needs.
- Review your current IT enterprise architecture and cloud strategy, and include providers in the discussions.
- Define the desired scope and objectives of IT governance. Differentiate between elements that will be best practice vs. elements that are enforced by policy.
- Include continuous improvement and communications in the plan.
- Implement ITSM tracks iteratively; keep the steering committee and stakeholders informed about where value is being added to the business to sustain the momentum of adoption.
Sreedhar Kajeepeta is the founder of Adunik Inc, a consulting firm specializing in cloud computing, big data, social networking, and mobility. He can be reached at firstname.lastname@example.org.