Is it time for a two-speed ITIL?

Do we need faster access to new ITIL concepts?

At the UK itSMF conference this month, somebody asked me “What do you think the ITSM community are looking forward to next from ITIL?” As I tried to answer this question I realized that we don’t really have an ITSM community with a shared set of objectives.

We have many different people with different goals and objectives, and we all want different things from ITIL. Over the last few years I have seen an increasing divergence between two distinct groups of ITIL users and I think it will become increasingly difficult for the ITIL we currently have to satisfy both groups.

We all want different things from ITIL

One group includes training organizations, exam institutes, tool vendors, and organizations that have made investments in developing ITIL related solutions. These organizations are looking for stability, so that they can realize some value from the large investments they have made in ITIL related products, services and solutions. There was a major release of ITIL in 2007 and a smaller release in 2011, and they really need time now to consolidate their work and extract value from it.

The second group includes organizations that are creating and adopting new ways of working to create increased value for themselves and their customers. Some of these are using DevOps and Agile to deliver very rapid rates of change for their customers, some are using complex multi-supplier relationships to create value, and some are adopting BYOD to increase productivity of their users. These people and organizations are looking for ITIL to release new material to support them, and tell me that although the underlying concepts in the core ITIL publications still apply to them, they need significant and frequent updates to provide guidance that is suitable for these rapidly changing environments.

We cannot support all needs with a single set of publications

I think that ITIL needs to support both of these groups, as well as all the other shades of opinion in between, but I don’t think we can support such disparate needs with a single set of best practice publications. The solution I propose is to create a new set of “ITIL Fast Track” publications. Let’s keep the core ITIL 2011 publications unchanged for a few years, so that organisations that need stability can extract value from their investments, but let’s also create new ITIL publications to support those on the leading edge. These ITIL Fast Track publications could be based on leading edge practices and what’s happening in the industry now, rather than on tried and tested best practices. They would not be intended for exams, but to provide guidance on how to apply great service management practice in a way that works with the latest practices from other sources.

We could produce ITIL Fast Track Service Strategy with ideas from COBIT5 and recent work on supplier integration and management, ITIL Fast Track Service Transition and Service Design with ideas from DevOps and Agile, ITIL Fast Track Service Operation with guidance on how to use Rob England’s Standard and Case

A chance to create new ‘best practice’

The really good thing about this solution is that in a few years’ time some of the material in the ITIL Fast Track publications would have been tried and tested by sufficient organizations that it would become best practice, and could be merged into the ITIL core in a future update.

So what do you think? Would you be interested in reading ITIL Fast Track publications, or do you just want to stick with the ITIL core?

(A Russian translation of this article is available on the itSMF Russia website here:


The BYOD battle… and the ITSM war


Pat Bolger is chief evangelist at Hornbill Service Management.

Bolger writes in this guest post for the ITSM Review to underline the big picture that exists across the BYOD landscape and how this use case model has affected and continues to impact the IT service manager’s current set of challenges.

BYOD is an increasingly inevitable feature of the business landscape and its reach is only set to grow. In this current scenario IT departments are under growing pressure to support devices which fall outside of their traditional remit; whilst this presents a challenge, the alternative is a serious impact on the productivity and bottom line of an organisation.

Better the BYOD you know

It shouldn’t be a shock that people prefer using the smartphones, tablets and mobile devices that they know and are familiar with at work. What is surprising is the number of businesses that are failing to deal with BYOD.

Corporate IT departments that do not support the movement risk becoming divorced from both the needs of the business and the expectations of users.

An unwillingness to get to grips with BYOD not only reduces the effectiveness of the IT department; it is also costing UK enterprise (as a whole) dearly. Hornbill recently sponsored an independent study of 1500 UK office workers.

Those surveyed estimated that being able to use their personal device in the workplace would save them two hours a month. When this figure is applied nationally it shows a staggering total of £2 billion in lost productivity across the UK; a stark example for those businesses who are not embracing BYOD.

Taking the Law Into Their Own Hands

“The consensus among the corporate workforce itself summarises the situation best:  53% of office workers said IT departments are failing to keep pace with business needs. Because of this failure, some 40% of employees are taking matters into their own hands and using their personal devices without the permission of the IT department, an issue that will only worsen without intervention.”

The results were even more pronounced amongst workers in the 16-34 years old category; with 49% of 16-24 year olds and 48% of 25-34 year olds saying they would use their devices regardless of IT’s knowledge. The longer businesses fight their employees by failing to offer support, the greater the likelihood they will lose out on potential productivity benefits and further expose themselves to other risks around data security and governance, especially as younger generations enter the workplace.

Who Runs What?

The research also had interesting implications for ITSM teams trying to decide when exactly a device becomes their responsibility. A total of 38% of respondents think the IT department should be supporting any personal device, regardless of how much it is used for work purposes. Whilst this is unfeasible for many ITSM teams, it emphasises that personal devices have become so intrinsically linked with both the work and personal lives of UK workers that many do not draw a line between work or pleasure use.

“Setting employees’ expectations by introducing concise and clear policies around the use of personal devices will help ensure the IT department is not over-stretching itself.”

Patrick Bolger, Hornbill Service Management

Despite this apparent insistence from employees that IT departments should be on hand for any device, one of the most thought-provoking findings concerns who workers turn to with a problem. A whopping 82% said they would ask a colleague for help with simple IT questions or problems, rather than going directly to the IT department. This willingness to use peer-to-peer (P2P) or community knowledge can work in the favour of the IT department; fostering this kind of activity, offering self-service tools and hosting discussion forums, means IT departments can save a significant amount of time in dealing with ‘utility’ or ‘fire-fighting’ issues.

Ultimately, reticence in getting behind BYOD is damaging both the reputation and effectiveness of IT departments; businesses need to start looking at BYOD as something which can actually be of benefit, rather than just an operational and technical headache. In short, BYOD must be a movement which supports the ITSM team, rather than holding it back. The consumerisation of IT may not yet be complete, but IT departments can still reap the benefits of a much needed upgrade.


Protecting the perimeter: social media asset safety

Social media truths

There are several risks associated with social media, but attempting to stop the use of external social media web sites is counterproductive and, in any case, impossible. The IT industry is realising that if it fails to embrace social media and define ways to use it productively, safely and securely then we may lose the opportunity to shape employee behaviour appropriately going forward.

In this article by Intel security VP Malcolm Harkins we analyse the state of the social media landscape and address the fact that social media does not create new risks, but can increase existing ones.

Recognising this truth as we indeed should, Intel says it has created policies and training tools to manage social media… and then, subsequently, the firm has deployed internal social media capabilities, such as wikis, forums, and blogs.

This article examines the effort to find the balance between protecting through restrictions and through cultivating a sense of personal commitment and security ownership among our employees.

Car crash methodology metaphors

To try to reduce driving accidents at a dangerous curve in Chicago, the city painted a series of white lines across the road. As drivers approached the sharpest point of the curve, the spacing between the lines progressively decreased, giving the drivers the illusion they were speeding up and nudging them to tap their brakes. The result was a 36 percent drop in crashes, as described by Richard Thaler and Cass Sunstein in the book Nudge.

This traffic-control method succeeded in making drivers more aware, improving safety, while keeping the traffic flowing with minimum disruption. I think this example provides a useful metaphor for information security.

Some security controls are like stop signs or barriers: we simply block access to technology or data. But if we can shape the behaviour of employees rather than blocking them altogether, we’ll allow employees, and therefore the company, to move faster.

Roundabouts are often safer than intersections

To use another traffic metaphor, a roundabout at an intersection typically results in more efficient traffic flow than an intersection with stop signs, because drivers don’t have to come to a complete halt. The roundabout increases drivers’ awareness, but they can proceed without stopping if the way is clear. Statistics have shown roundabouts are often safer than intersections.

“Of course, we need to block access in some situations such as with illegal web sites. But there are cases where it’s more efficient and productive to make users aware of the risks, yet leave them empowered to make the decisions themselves. For example, it might make sense to warn users visiting certain countries that they may be accessing material that is considered unacceptable.”

A hypothetical example…

A U.S. employee traveling on business might be working in a local office of a country with strict religious guidelines. The employee has a daughter who’s in a beauty pageant – so it would be natural to check the pageant web site from time to time. But the images could be offensive in the country, so it makes sense to warn the employee to exercise caution. At Intel, we’ve found that when we warn users in this way about potentially hazardous sites, the vast majority heed the warnings and don’t access the web sites.

In the case of information security, there’s an additional benefit of making controls as streamlined as possible. We all know if controls are too cumbersome or unreasonable, users may simply find ways around them.

We kept this concern in mind when developing a social media strategy at Intel IT.

We were well aware of the risks associated with social media, but attempting to stop the use of external social media web sites would have been counterproductive and, in any case, impossible. We realised that if we did not embrace social media and define ways to use it, we would lose the opportunity to shape employee behaviour.

As part of our initial investigation into this area, we conducted a social media risk assessment. We found social media does not create new risks, but can increase existing ones. For example, there’s always been a risk that information can be sent to inappropriate people outside the organisation. However, posting the same information on a blog or forum increases the risk by immediately exposing the information to a much wider audience. We also determined that we could reduce risk by implementing social media tools within the organisation.

The social media strategy toolbox

In light of our findings, we developed a social media strategy that included several key elements. We deployed internal social media capabilities, such as wikis, forums, and blogs. Initially, these were mostly standalone tools and employees used them mainly to connect socially rather than for core business functions.

Since then, our use has evolved to include more enterprise-focused tools, and we have integrated the tools into line-of-business applications to achieve project and business goals. We’ve also added social media tools tailored for specific business groups, such as a secure collaboration solution used by design teams to simplify real-time sharing of confidential project information across geographically dispersed teams.

As we designed our internal social media capabilities, we also worked with Intel’s human-resources groups to develop guidelines for employee participation in external social media sites.

Intel then developed an instructional video that was posted externally on a public video-sharing site. The video candidly explains Intel’s goals and concerns, as well as providing guidance for employees. It explains that Intel wants to use social media to open communications channels with customers, partners and influencers and to encourage people to adopt the technology as well as closing the feedback loop. The information also includes guidance about how to create successful content and general usage guidelines such as the need to be transparent, respect confidentiality, distinguish between opinion and fact, and to admit mistakes.

We also use technology to help ensure that employees follow the guidelines. We monitor the Internet for posts containing information that could expose us to risks, and we also monitor internal social media sites to detect exposure of sensitive information and violations of workplace ethics or privacy.

“In general, people are likely to take better care of their own possessions than someone else’s. They feel a stronger connection to their own car than to one provided by their employer. If people are using their own computing device, they may take better precautions against theft or loss. Also they may feel the same way if they are storing personal information on a corporate device. At Intel, we allow reasonable personal use of corporate laptops and therefore many employees store personal as well as corporate information on their laptops. Because of this, they have a personal stake in ensuring the devices don’t get lost or stolen.”

Many organisations, including Intel, use disk encryption on laptops to protect data in the event the laptop is lost or stolen. Adoption of disk encryption accelerated when states began passing privacy protection laws and the consequences of data theft increased as a result.

Penetration during hibernation

However, with some disk encryption software, the latest data isn’t encrypted until the user shuts down the PC or puts it into hibernate mode. If users simply put the PC into standby by closing the lid, the system may contain recently created data that is still unencrypted and vulnerable. If the PC is stolen at that point, the thief still has to penetrate the usual login access controls, but that’s much easier than figuring out how to decrypt the data.

When our security group analysed this data encryption issue, we decided that we needed to be careful about how we addressed it. We wanted to ensure data on laptops was protected, but we didn’t want to disrupt users’ experiences by forcing them to shut down their laptops more frequently, and then endure the subsequent lengthy reboots.

So we adjusted the system settings to initiate encryption whenever the laptop was left unused for a specific length of time. Now, if a laptop is lost or stolen, we can determine the likelihood that it contains unencrypted data, based on the time that elapsed since the employee last used it. While making this change to technical security controls, we also increased our efforts to educate employees about secure behaviour.

Insider threats

It’s an unfortunate reality that many intentional threats originate within the organisation. Among the 600 organisations participating in the 2011 Cybersecurity Watch Survey, about 20 percent of attacks were attributed to insiders.

The damage can be substantial. One employee working for a manufacturer stole blueprints containing trade secrets worth US $100 million and sold them to a Taiwanese competitor in hopes of obtaining a new job with them.

Insider attacks also cause additional harm that can be hard to quantify and recoup, such as damage to an organisation’s reputation. Insiders have a significant advantage because they can bypass physical and technical security measures, such as firewalls and intrusion detection systems, that were designed to prevent unauthorised access.

Yet surveys have also suggested that many insider attacks are opportunistic, rather than highly planned affairs. Many insiders take data after they’ve already accepted a job offer from a competitor or another company and steal data to which they already have authorised access. In some cases, misguided employees may simply feel they’re entitled to take information related to their job.

It may not be possible to thwart all insider exploits, but we can take action to deter the more opportunistic attacks. Perhaps the biggest step we can take is to try to instill a culture of commitment. But we can also use technology to help against insider attacks.

“As part of our security strategy at Intel, we’re implementing monitoring technology that tracks users’ logins and access attempts. At many companies, IT organisations treat such login data as information that should be closely held and not revealed to users. However, our strategy is to make login information available to users so that they can act as part of the perimeter, helping to spot anomalous access attempts.”

Let’s say an employee’s log indicates that he accessed the network from Asia yesterday, when in fact he was in Europe. The security organisation might be unaware that anything untoward has occurred. But it’s obvious to the employee that someone stole his smart phone or his access information, and he can alert us to the breach.

Providing this login information to users can also help deter insider attacks. If unscrupulous insiders know they’re being watched, they’re less likely to take advantage. It’s like the corner store that invested in a CCTV camera; when you walk up to the counter, you see yourself in the display. Now consider the store on the next corner that lacks a camera. Which one is more likely to be robbed?
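A user-facing login digest of the kind described above can carry an automated hint next to each entry. The following is an added example, not Intel’s code or part of the original article; the event fields, the sample records, the 900 km/h speed ceiling and the 100 km jitter floor are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore small geolocation jitter


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # timezone-aware UTC timestamp
    place: str       # label shown to the user
    lat: float
    lon: float


def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def login_digest(events, user):
    """Return [(login, reason_or_None)] for one user, in time order.

    A login is flagged when getting there from the previous login would
    need an implausible speed. The check cannot tell which end of the pair
    is the bad one, so both sides of an anomaly may be flagged; the user,
    who knows where they actually were, makes that call.
    """
    own = sorted((e for e in events if e.user == user), key=lambda e: e.when)
    digest, prev = [], None
    for cur in own:
        reason = None
        if prev is not None:
            km = haversine_km(prev, cur)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Simultaneous logins far apart count as infinitely fast.
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                reason = f"{km:.0f} km from previous login ({prev.place}) in {hours:.1f} h"
        digest.append((cur, reason))
        prev = cur
    return digest


def render_digest(digest):
    """Format the digest as the lines a user would see on their account page."""
    lines = []
    for login, reason in digest:
        mark = "CHECK" if reason else "ok   "
        line = f"[{mark}] {login.when:%Y-%m-%d %H:%M} UTC  {login.place}"
        if reason:
            line += f"  <- {reason}"
        lines.append(line)
    return lines


def _utc(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: alice works in Munich all day, yet a login from
# Singapore appears mid-afternoon. bob really does fly Singapore -> London.
SAMPLE_EVENTS = [
    Login("alice", _utc(4, 8), "Munich", 48.14, 11.58),
    Login("bob", _utc(4, 9), "Singapore", 1.35, 103.82),
    Login("alice", _utc(4, 12, 30), "Munich", 48.15, 11.60),
    Login("alice", _utc(4, 14), "Singapore", 1.35, 103.82),
    Login("alice", _utc(4, 16), "Munich", 48.14, 11.58),
    Login("bob", _utc(5, 9), "London", 51.51, -0.13),
]

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(f"Recent logins for {name}:")
        print("\n".join(render_digest(login_digest(SAMPLE_EVENTS, name))))
```

Both the Singapore login and the Munich login that follows it are marked for alice, because each is implausibly far from its predecessor; deciding which one was not hers is the part left to the employee.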

Striking the right balance

Whether we like it or not, people are already part of the perimeter. Technical controls alone are no longer able to keep pace with rapidly changing attacks, especially when those attacks are combined with sophisticated social engineering. It’s up to us, as security professionals, to recognise that people, policy, and technology are all fundamental components of any security system, and to create strategies that balance these components.

Above all, we need to create a sense of personal commitment and security ownership among our employees. If we succeed in this goal, we will empower employees to help protect the enterprise by making better security decisions both within and outside the workplace.


This article is based on material found in the book  “Managing Risk and Information Security” by Malcolm Harkins to be published by Apress, Inc.  To learn more about this book go to:

Also see the Intel Recommended Reading List for similar topics:

About the Author

Malcolm Harkins is vice president of the Information Technology Group, and Chief Information Security Officer (CISO) and general manager of Information Risk and Security. The group is responsible for managing the risk, controls, privacy, security, and other related compliance activities for all of Intel’s information assets.

Before becoming Intel’s first CISO, Harkins held roles in Finance, Procurement and Operations. He has managed IT benchmarking efforts and Sarbanes Oxley systems compliance efforts. Before moving into IT, Harkins acted as the profit and loss manager for the Flash Product Group at Intel; was the general manager of Enterprise Capabilities, responsible for the delivery and support of Intel’s Finance and HR systems; and worked in an Intel business venture focusing on e-commerce hosting.

Harkins previously taught at the CIO institute at the UCLA Anderson School of Business and was an adjunct faculty member at Susquehanna University in 2009.  In 2010, he received the excellence in the field of security award at the RSA conference.  He was also recently recognised by Computerworld magazine as one of the top 100 Information Technology Leaders for 2012.

Harkins received his bachelor’s degree in economics from the University of California at Irvine and an MBA in finance and accounting from the University of California at Davis.

Not Invented Here…

Fieldwork at the Ostrich School of Coping Skills

One of the biggest challenges I’ve been put up against this year is probably the view that, if something wasn’t invented here, it’s no good. And boy, have I struggled with trying to make things look like we actually invented them here.

I won’t try to figure out why the ‘not invented here syndrome’ is so rooted in our organization. There are probably lots of reasons, historical, organizational, cultural, previous experiences and what not. Some experts tell me I have to change the attitude among my co-workers and kill the opinions that abound and are aimed towards massacring external influences. That would probably be a good thing, if you had the support and means to do it. I, and my ITSM colleagues, went for another approach.

The post-it walls

We have a ‘war-room’ on the third floor of the building where most of operations and tech department are located. That’s where people gather whenever there are major incidents going on, or just for debriefing when the nightshift go off and the dayshift starts. The walls of this room were once covered with whiteboards and huge post-its. Every now and then some manager would move the post-its around and write stuff on them during the meetings that were held there.

When we looked into this room we discovered that they had built a sort of an incident and problem management ticketing system with post-its on whiteboards.

As we are interested in having people working in the ITSM-tools we have, and actually following the defined processes, we of course asked:

Why don’t you use the ITSM-suite and the incident and problem management processes?

We mostly got mumblings and a lot of staring at shoes in response. The ones who spoke back did so in a quite animated manner. Some claimed that the processes were over complicated and useless, others argued that the ITSM tool didn’t meet their requirements or that it was too hard to understand how to use it.

No problem, we thought, let’s work together to change what doesn’t work well enough in the tool and the processes. However, the people in the room were not so interested in that.

First of all, they didn’t recognize what they did as incident or problem management, it was the ‘8:45 war-room meeting and that’s where we actually work’. So even if we had some shiny processes to help them do their job more efficiently, we weren’t welcome. Just for that reason.

Furthermore, not only did we miss the opportunity to control, but also the ability to measure the processes and activities. Apart from that, you had to be physically present in the room to be able to get all the information needed to work on the cases. The various managers had different ideas on how to do things as well, so we never got a chance to actually work in a process oriented way or with commonly agreed routines.

Inventing it here

We started by accepting the methods used in the room with the post-its and slowly but patiently planting small but important changes to the methods and the vocabulary. We did some parallel registration of the data on the post-its in the problem management ticketing tool, and we began to show the advantages of a tool that wasn’t physically restricted to a single room.

By now we’ve lost the post-its and we register and follow all PM tickets in the ITSM tool. We’ve started to deliver some metrics on what we believe should be important to the company, and we show that our methods get the job done faster and with better results than before.

There’s still a long way to go to make this stick throughout the entire organization and to be able to convince all the people involved that it makes a difference.

But, just the same, we have actually invented problem management here at my company and we are proud of it!

(Please just don’t tell anyone…)


Repeat after me: “I am not IMPLEMENTING ITIL®”


Maybe I am being pedantic or overly precious about this, but if I go to one more presentation, or read one more blog about how to “implement” ITIL I think I will scream! And that would not be a pleasant experience for me or anyone else in the surrounding area.

Please don’t get me wrong, ITIL is a fantastic tool, and one that I use on each and every assignment I undertake in service management. But that is what it is – a tool – it is a repository of really good ideas that can help you introduce best practice into the IT Service provision hub of any business. It just isn’t something that you implement.

You are what you eat

I liken this to a book on healthy eating. You buy the book and read it, you use the good advice that it contains to improve your dietary best practice. You do not implement the advice letter for letter – chances are that you just don’t like some of the foods that they are recommending, or they are not available locally. Just because you did not follow ALL the ideas contained in the book religiously, does not mean that you didn’t gain value from your investment. You picked the advice that suited your circumstances and discarded the ideas that didn’t.

There are some parts of ITIL that are non-negotiable, just as there are some parts of healthy eating advice that you really can’t ignore. You have to get the business supporting your ITSM journey, and you need to define your services, those things are essential. You must monitor what you are doing to make sure it is working and then make adjustments. But if you only want or need incident and request fulfillment management, then nobody should be telling you that you have to do problem, change and request management – or create a CMDB.

If I am trying to lose weight (and I usually am) then I need to follow a healthy diet and exercise plan, but if a recipe calls for a good helping of broad beans, then I am just going to leave them out! But I am not going to add half a pound of butter instead, as that would defeat the purpose. What I am going to do is monitor the success of the things I am doing and adjust them accordingly, if the results are not what I want and expect.

No Priorities or Prescriptions

ITIL consists of recommendations, not prescriptions. It gathers together decades of fantastic common sense, which has been constantly updated and republished to suit current thinking, technology and practices. It is just not something you implement.

I have shuddered recently on reading claims from vendors stating that their product will “automate your ITIL implementation”. You might be able to automate some ITIL based processes using software tools, but there is no “one-size-fits-all” model for this, and there is a very high chance – almost an inevitability – that if you decide to implement processes this way, you will be disappointed with the results. Certainly not all vendors are trying to market their products with these methods, there are some excellent ones out there who understand that the tools they are supplying are just that, tools that will help provide a means for you to improve the way you provide and support IT services. My advice would be that if a vendor comes to you and tells you that their tool will do it all for you…run away, and fast.

So please, USE ITIL, and other best practice advice, to create a recipe for your business that will provide the results that you are looking for. Don’t set about implementing 27 (is that the current count?) processes and functions, just because they are contained in the books. I can guarantee that you really don’t need them all.

So now, I am going to review my healthy eating process since this morning’s monitoring tells me that something I am doing currently is not working – although I have a feeling that this may relate to a major incident that occurred over the weekend involving Whittakers Peanut Slabs!


Rackspace highlights billion hour ITSM drain

With its newly refined corporate label as the “open cloud” company, managed hosting specialist Rackspace is championing open truths both good and bad by highlighting what it describes as inadequate customer service that is allegedly costing UK businesses more than one billion wasted man (and presumably woman) hours every year.

On The ITSM Review’s radar this week then is Rackspace’s IT Industry Service Report — the “first” annual snapshot of IT service quality in the UK.

The report found that in 39 per cent of companies… IT staff are estimated to be losing around one working day or more per week on tackling IT problems and chasing suppliers. However the problem is not isolated to technology teams, with general employees also losing an average of almost five hours per week due to IT service issues.

This is a huge amount of wasted productivity, so why hasn’t it been flagged before? Is this survey just corporate showboating for the sake of brand reinforcement… or perhaps there is real substance and real concern here.

ITSM issues on the rise

This waste of resources has huge productivity implications, making it unsurprising that IT customer service is now a key issue for CIOs. Almost half (48 per cent) of respondents reported that customer service has become an increased priority over the last 12 months, while over a quarter (27 per cent) already regard customer service to be a top priority.

Taylor Rhodes, managing director, International at Rackspace said,

“A staggering amount of man hours are being wasted by UK businesses as they struggle to manage and control IT service issues. CIOs are taking note however and it is encouraging to see service being acknowledged as a crucial factor in procurement decisions along with parameters such as price, security and uptime guarantees.”

Man hours and woman hours both, this service-based wastage is now being highlighted and brought to the fore more prevalently than ever. Perhaps this is because of the cloud computing model, which is essentially (of course) a service-based proposition.

NOTE: Rackspace also found that UK businesses switch providers if customer service is not up to scratch.

Although the average score for IT service satisfaction amongst enterprise IT decision-makers interviewed was a relatively high 7.2 out of 10, a total of 69 per cent of respondents have dropped IT suppliers in the past 12 months because of customer service shortfalls.

“Our report shows that ‘satisfactory service’ is no longer good enough. Seven out of 10 of the respondent UK companies have voted with their feet in the past year and changed suppliers because of poor quality service,” continued Rhodes.

“In today’s highly competitive business environment, customer support is a crucial factor, which is precisely why Rackspace champions a culture of ‘Fanatical Support’. The results revealed today prove that many IT suppliers in the UK today are not rising to the challenge and are quite rightly losing out on business as a consequence.”

Inadequate level of interaction

The most common causes for complaints relate to IT suppliers having an “inadequate level of interaction” with their customers, rather than issues of a technical nature. A poor response time to faults (32 per cent) and a low quality of communication (32 per cent) were the most commonly reported customer support failings.

Moving forwards, it is clear that IT organisations need to take a customer-centric approach if they want to win and retain business. This view is supported by Stephen Mann, senior analyst, infrastructure & operations at Forrester.

In a recent blog post Stephen stated:

“Forrester’s research shows what a difference customer experience can make to a company’s success. Rackspace is such a company – it has differentiated itself through service. Rackspace exemplifies the benefits of employing the right kind of people (‘obsessive’ about what they do) and shows how this competitive differentiator has translated into business success. They rely on capable people, not limited and rigid processes operated by “scriptbots,” to support their customers.”

NOTE: The average number of hours lost by an employee due to an IT failure as used in this release is calculated by taking a fixed mid-point for each range indicated by the respondents in the survey (for example, the fixed midpoint for the range 2-6 hours is 4 hours), multiplied by the respective percentage of respondents who selected that range, with the resulting amounts for each range then added together (this was equal to 4.75 hours).

The sum was then multiplied by the 4.5 million employees who use IT at work in companies within our size range (> 250 employees) based on ONS figures (this was equal to 21.38 million hours). The resulting number was multiplied by 47 weeks, a typical number of weeks worked by UK employees in a year.

Rob England: Problem Management Defined

Railways (railroads) remind us of how the real world works.

In our last article, we left Cherry Valley, Illinois in its own little piece of hell.

For those who missed the article, in 2009 a Canadian National railroad train carrying eight million litres of ethanol derailed at a level crossing in the little town of Cherry Valley after torrential rain washed out the roadbed beneath the track. 19 tankers of ethanol derailed, 13 of them split or spilled, and the mess somehow caught fire in the downpour.

One person in the cars waiting at the crossing died and several more were seriously injured.

Incidents vs. Problems

In that previous article we looked at Incident Management. As I said then, an incident is an interruption to service and a problem is an underlying cause of incidents. Incident Management is concerned with the restoration of expected levels of service to the users. Problem Management is concerned with removing the underlying causes. I also mentioned that ITIL doesn’t see it that crisply delineated. Anyway, let us return to Cherry Valley…

One group of people worked inside office buildings making sure the trains kept rolling around the obstruction so that the railroad met its service obligations to its users. This was the Incident Management practice: restoring service to the users, focusing on perishable deliveries such as livestock and fruit.

Another group thrashed around in the chaos that was Cherry Valley, trying to fix a situation that was very very broken. Their initial goal was containment: save and treat people in vehicles, evacuate surrounding houses, stop the fire, stop the spills, move the other 100 tank-cars of ethanol away, get rid of all this damn flooding and mud.

The Shoo-fly

The intermediate goal was repair and restore: get trains running again. Often this is done with a “shoo-fly”: a temporary stretch of track laid around the break, which trains inch gingerly across whilst more permanent repairs are effected. This is not a Workaround as we use the term in ITSM. The Workaround was to get trains onto alternate routes or pass freight to other companies. A shoofly is temporary infrastructure: it is part of the problem fix just as a temporary VM server instance would be. While freight ran on other roads or on a shoofly, they would crane the derailed tankers back onto the track or cart them away, then start the big job of rebuilding the road-base that had washed away – hopefully with better drains this time – and relaying the track. Compared to civil engineering our IT repairs look quick, and certainly less strenuous.

Which brings us to the longer-term goal: permanent remediation of the problem. Not only does the permanent fix include new rail roadbed and proper drainage; the accident report makes it clear that CN’s procedures and communications were deficient as well. Cherry Valley locals were calling 911 an hour beforehand to report the wash-out.

Damage Limitation

We will talk more about the root causes and long term improvement later. Let’s stay in Cherry Valley for now. It is important to note that the lives and property the emergency responders were saving were unconnected to the services, users or customers of the railroad. All the people working on all these aspects of the problem had only a secondary interest in the timeliness of pigs and oranges and expensive petrol. They were not measured on freight delivery times: they were measured on speed, quality and permanence of the fix, and prevention of any further damage.

If you read the books and listen to the pundits you will get more complex models that seem to imply that everything done until trains once more rolled smoothly through Cherry Valley is Incident Management. I beg to differ. To me it is pretty clear: Incident and Problem practices are delineated by different activities, teams, skills, techniques, tools, goals and metrics. Incident: user service levels. Problem: causes.

While I am arguing with ITIL definitions, let’s look at another aspect of Incidents. ITIL says that something broken is an Incident if it could potentially cause a service interruption in future. Once again this ignores the purpose, roles, skills and tools of Incident Management and Problem Management. Such a fault is clearly a Problem, a (future) cause of an Incident.

(Incidentally, it is hard to imagine many faults in IT that aren’t potentially the cause of a future interruption or degradation of service. If we follow this reasoning to its absurd conclusion, every fault is an incident and nothing is a problem).

Perhaps one reason ITIL hangs these “potential incidents” where it does is because of another odd definition: ITIL says a Problem is the cause of “one or more incidents”. What’s odd about that? ITIL promotes pro-active (better called pre-emptive) problem management, and yet apparently we need to wait until something causes at least one incident before we can start treating it as a problem. I think the washout in Cherry Valley was a problem long before train U70691-18 barrelled into town. (Actually ITIL lost proactive problem management from ITIL V3 but it was hastily restored in ITIL 2011).

Human Eyeball

One of my favourite railroad illustrations is about watching trains. When a train rolls by, keep an eye on nearby staff: those on platforms, down by the track, on waiting trains. On most railroads, staff will stop what they are doing and watch the train – the whole train, watching until it has all gone by. In the old days they would wave to the guard (conductor) on the back of the train. Nowadays they may say something to the driver via radio.

Laziness? Sociability? Railfans? Possibly. But quite likely it is part of their job – it may well be company policy that everybody watches every passing train. The reason is visual inspection. Even in these days of radio telemetry from the FRED (Flashing Rear End Device, a little box on the back that replaces the caboose/guardsvan of old) and track-side detectors for cracked wheels and hotboxes (overheating bearings), there is still no substitute for the good old human eyeball for spotting anything from joyriders to dragging equipment. It is everyone’s responsibility to watch and report: not a bad policy in IT either.

What they are spotting are Problems. The train is still rolling so the service hasn’t been interrupted … yet.

Other Problems make themselves known by interrupting the service. A faulty signal stops a train. In the extreme case the roadbed washes away. We can come up with differing names for things that have and haven’t interrupted/degraded service yet, but I think that is arguing about angels dancing on pinheads. They are all Problems to me: the same crews of people with heavy machinery turn out to fix them while the trains roll by delivering they care not what to whom. Oh sure, they have a customer focus: they care that the trains are indeed rolling and on time, but the individual service levels and customer satisfaction are not their direct concern. There are people in cozy offices who deal with the details of service levels and incidents.
Next time we will return to the once-again sleepy Cherry Valley to discuss the root causes of this accident.

Measuring the value of ITSM

Bringing new levels of transparency to investment in ITSM

I am pleased to announce an exciting new project with Barclay Rae, to measure the value of ITSM.

The ITSM Review and Barclay Rae Consulting have come together to produce a definitive ITSM industry survey and regular performance benchmark. The results will make up a global Index, which will track how and where organisations gain value from implementing ITSM and ITIL.

Organisations worldwide investing in key ITSM areas will have the opportunity to see their resources collated and reviewed in terms of customer satisfaction, SLA performance and financial return.

The value achieved from using ITIL and ITSM to improve IT Services will be measured and demonstrated comprehensively for the first time.

We launched at the itSMF UK conference in London on Monday. The Index is free for organisations to register at

Registration will make it possible to actively participate in the survey and benefit from the resulting new research.

Commenting on the project, Barclay Rae, Managing Director of Barclay Rae Consulting, said:

“Our goal is to be a vendor-independent and trusted source of valuable new information for the wider ITSM industry. Being able to tangibly show the relationship and value achieved from investment in ITSM/ITIL projects will be a huge asset to organisations striving to demonstrate value in these fast changing times.”

Our goal is that end users and practitioners will be able to use the output to help drive their decision-making and investment in ITSM, shape their services and SLAs, provide benchmarking and show cost efficiencies. Industry practitioners, consultants and trainers will be able to gain valuable insights into true customer pain points and growth areas as well as focus and improve their products and services.

The Index is supported and sponsored by both itSMF UK and the Service Desk Institute, with other leading industry bodies poised to join the project in the near future.

Learn more and register here: