Long touted for streamlining processes and reducing operating costs, the ITIL best-practices framework also helps mitigate enterprise risk, say its adopters.
At the IDC IT Service Management and ITIL Forum held in New York in December, analysts and enterprise ITIL adopters discussed how process improvements are now providing security benefits. A survey conducted by IDC in November of more than 300 companies revealed that security had surpassed improved availability and lowered costs as a main driver for adopting the best practices laid out in ITIL.
Specifically, 56% of survey respondents indicated security as a motivation for ITIL, while close to 50% said they wanted to lower costs and about 47% thought ITIL would help improve availability at their organisations. More than 45% said problem-solving was a driver for rolling out process improvements, and nearly 45% indicated that reducing errors was a top driver for ITIL adoption.
"Any type of process standard going forward will give you a chance to set policies and processes around security," said Fred Broussard, research manager of PC and device management software at IDC, during a presentation at the event. "For instance, you can ensure only authorised users gain access and better guarantee that unauthorised access doesn't happen."
The survey response might indicate a growing need among organisations to better secure corporate data and information, considering processes around security information management have been incorporated into ITIL Version 3, which was released earlier this year. Dave Howard, national business technology manager for Toyota Financial Services (TFS) in , explained to forum attendees how security policy creation and governance has been incorporated into the upgrade and how TFS has created a Security Centre of Excellence and an Office of Privacy that align with some of the recommendations in the best practices framework.
"It is important to do security management," Howard said. He also explained how TFS incorporated security into his service design package process, in which models of a service are built and multiple criteria are taken into account. For instance, throughout the process of creating a service, his team has to determine the service's ROI, as well as which security requirements are necessary to deliver it.
"For every new release we plan to push out into the environment, we also create a risk model," he said.
ITIL may not provide the external protections of a firewall, but it can go a long way towards securing internal resources and preventing data breaches.
"Security [can] be the motivation for doing some of these processes, such as patch and change management, for instance, because improving processes will make security work better in situations such as access controls," said Tim Grieser, programme vice president of enterprise system management for IDC.
In addition, according to companies using ITIL, security and risk management could be an easier argument to make when trying to get executive buy-in for adopting ITIL. The ROI for process improvements can be ambiguous and not realised for quite some time, so putting an executive's mind at ease with talk of reduced risk may be the better way to go.
Being able to say "this change will result in a reduction of risk" will get management's attention, according to Oryst Kunka, vice president of process design and architecture at The Bank of New York Mellon. "Sometimes it's hard to point out dollars with process improvements, but companies understand risk. At The Bank of New York, ITIL has become a business advantage," he said.