IT Frameworks
Recent views from Chief Information Officers
What’s next.
Table of Contents
Introduction ... 3
1. IT Frameworks
COBIT ... 4
ISO20000 - ITIL ... 7
IT Governance ... 8
Service Delivery ... 16
6. Conclusion ... 23
Introduction
In an environment where new business demands, stringent industry-specific regulations, and risks emerge every day, maximizing the value of intellectual property, managing information risk and security, and assuring compliance through effective enterprise governance of IT, have all emerged as mission critical issues for all size and all industry enterprises worldwide. Several frameworks to support these enterprise challenges emerged some 20 years ago and while they have evolved they increasingly maintained they would create value for the enterprise. But do they?

CIONET is the biggest community of IT executives in Europe. Bringing together over 3500 CIOs, CTO’s and IT directors from wide ranging sectors, cultures, academic backgrounds and generations, CIONET’s membership represents an impressive body of expertise in IT management. CIONET’s mission is to feed and develop that expertise by providing top-level IT executives with the resources they need to realise their full potential.

The CIONET community maintains close ties with both corporate and academic worlds, helping to foster the kind of creative thinking that fuels innovation in IT. Every year, CIONET actively supports a number of research projects and, e.g., trends surveys on a range of topics developed in consultation with our advisory boards.

For the needs of this report, 56 enterprises of varying size and industry responded to the survey and provided detailed information on usage, actual and expected benefits, and actual and expected costs of IT frameworks used for
__ IT Governance
__ Information Security
__ Service Delivery

In addition to the traditional ‘Major lessons learned’, the survey explored the reason and degree of adoption of frameworks, their expected cost and benefits and the actual costs and benefits.
[Figures: Enterprise Size (Company Staff, IT Users) and Geography (Belgium, U.K., Italy, Spain, Netherlands, Other); values not recoverable from the page.]

Industry (number of responding enterprises):
Services 5
Consumer Goods & Retail 3
Technology & Telecom 2
Industrials & Manufacturing 12
Utilities & Energy 2
Financials 7
Healthcare 4
Government 8
Other 13
1. IT Frameworks
IT Governance and Management
[Figure: COBIT governance and management model. Governance processes (Direct, Monitor) and Management processes (Plan, Build, Run, Monitor), with example processes BAI5 Enable organisational change, BAI6 Manage changes, BAI7 Accept & transition changes, BAI8 Knowledge management and MEA2 Monitor system of internal control.]
ISO 27001 control domains (number of control objectives and number of controls per domain):
1 Security Policy: 1 objective, 2 controls
2 Organisation and Information Security: 2 objectives, 11 controls
3 Asset Management: 2 objectives, 5 controls
4 Human Resources Security: 3 objectives, 9 controls
5 Physical and Environmental Security: 2 objectives, 13 controls
6 Communications and Operations Management: 10 objectives, 32 controls
7 Access Control: 7 objectives, 25 controls
8 Security Requirements of Information Systems: 6 objectives, 16 controls
9 Information Security Incident Management: 2 objectives, 15 controls
10 Business Continuity Management: 1 objective, 5 controls
11 Compliance: 3 objectives, 10 controls
Associated standards have been developed for verifying compliance against 27001.
Service Delivery
ITIL (Information Technology Infrastructure Library) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It was developed by the CCTA which is now incorporated in the Office of Government Commerce (OGC).

A new version became available in 2007 (ITIL version 3). It does not focus on processes like version 2 but rather on services. A service lifecycle forms the heart of version 3:
__ Service Strategy
__ Service Design
__ Service Transition
__ Service Operation
__ Continual Service Improvement

ITIL describes activities and practices of the service lifecycle in detail, linked to customer/business requirements using business metrics and reinforcing continuous improvement. Based on a clear specification and a “Code of Practice”, it draws on many other standards and helps managers develop their own IT Service Management System. ITIL has become the “bible” of many IT operational managers.
[Figure: ISO/IEC 20000-1 Specification, “Aims to fulfil”.]
IT Governance
[Figures: IT Governance framework users (25) and leaders (22); leadership by role (Senior management, IT management, IT professionals, Risk managers, Security staff, Compliance officers, Auditors), bar values 11, 10, 7, 5, 4, 3 and 18, 6, 1, 2, 0, 1; expected and actual benefits grouped as EFFICIENCY (processes as ITIL, Extended staff capabilities), EFFECTIVENESS (Better service delivery, Faster solution delivery, Increased innovation) and RISK (Reduced risk).]

__ Improved processes and reduced risk come in as a close second as expected benefits.
__ The actual benefits however look very different, indicating overall benefits (see the scores in the Medium column) but disappointing as to the high expectations.
__ Interestingly, innovation was neither an expected nor an actual benefit, which indicates that the industry is maybe not ready yet for frameworks like ValIT.
[Figure: Estimated and Actual Cost of an IT Governance Framework in Small and Large Enterprises; values not recoverable from the page.]
The survey enterprises were also asked how benefits were demonstrated. The result is shown here as a heat chart. Two results jump to the front: benefit metrics appear to be very much used for service delivery, and increased innovation is purely a case of perception. The respondents also provided information as to the actual metrics used. Overall the most quoted was number of issues raised, fixed and outstanding, and second most quoted was resolution time. Framework adherence and maturity level achieved, only received low scores.

[Heat chart: Proof (Metrics, Cases, Perception) against benefits (Improved enterprise processes, Extended staff capabilities, Better service delivery, Faster solution delivery, Increased innovation, Reduced risk); cell values not recoverable from the page.]
Finally, the lessons learned were collected. Respondents confirmed a major argument used by framework developers, i.e., that they significantly provide for a common language between all stakeholders of IT. On the negative side, their implementation is perceived to be complex with a high learning curve for managers. And as for most initiatives that look for improvement, the high level of senior management support was identified as a major requirement for success.
[Figures: respondent roles (CTO, Head of IT, IT Manager, IT Services Director), bar values 12, 11, 7, 7, 7; leadership by role (Senior management, IT management, IT professionals, Risk managers, Security staff, Compliance officers, Auditors), bar values 0, 29, 9, 0, 0, 0, 0; expected and actual benefits grouped as Support IT operations, EFFICIENCY (processes), EFFECTIVENESS (Better service delivery, Increased innovation) and RISK (Reduced risk).]

[…] results in the ‘Medium’ column for actual benefits are encouraging.
[Heat chart: Proof (Metrics, Cases) against benefits; cell values not recoverable from the page.]

Cost of a service delivery framework (two figures per item; by analogy with the caption above, presumably estimated and actual, in man-days):
SMALL enterprises:
Roll-out: 190 / 200
Usage: 125 / 170
Implementation: 2900 / 3100
LARGE enterprises: values not recoverable from the page.

[…] day usage in small companies is underestimated. 72% of respondents use external help to implement a service delivery framework with on average 125 m/d for training and […]
[Figures: Users and Leaders; Information Security Framework Usage; Maturity of Information Security Framework (“Extensively used for practices but compliance not verified”: 13%); reasons for adoption rated High/Medium/Low: Support regulatory compliance, Guide IT Governance implementation, Guide IT improvements.]

The main drivers are - no surprise - regulatory compliance and audit. Nevertheless, enterprises feel that application of this framework will also improve IT and help with IT governance implementation.

The major positive experiences identified were the increase in awareness and the reduction of risk. Interesting remarks in the lessons learned were that the framework was to the point, extensive and complete and more useful than expected. The survey recorded the same comments as for other frameworks on negative experiences: complexity, learning curve, hard to do, management time, senior management support.
3. Comparison to other Surveys
The IT Governance Institute published the results of two international surveys on the adoption and use of the IT governance frameworks CobiT and ValIT in 2008 and 2010.

The first covered responses from 750 companies. Europe, Asia and the Americas were about equally represented while the manufacturing industry and public sector were the major responders. Leadership for these frameworks was in the first place with the CIO but with a much larger role for other executives. What was also striking was that the non-IT responders of this survey were much more positive about IT – in terms of general management attention and value creation - than the IT responders.

[Figures: Leadership (CIO, CEO, CFO); Usage - % of enterprises; values not recoverable from the page.]
The 2008 survey also noted, in the two years prior to the survey, a strong reduction in adoption of quality and ‘home-made’ frameworks and the growth of ITIL, CobiT and ISO27000.

Concerning maturity of use, the findings were similar to the CIONET survey: for 50% it is one of the enterprise’s references, for 25% it is the main source of reference, a little more than 10% are only influenced by it, and at the other end of the spectrum, a little less than 10% apply it by the book.
The major constraints for adoption in 2008 were concerns for budget and expected benefits as well as a lack of knowledge and expertise on IT governance.

The IT Governance Institute Survey published in 2010 focused on process implementation and the benefits of IT Governance Frameworks like CobiT and ValIT, and received responses from over 500 companies worldwide. Governance over the processes of acquisition, change management, security and operations scored highest while nevertheless most processes only scored around the middle of the scale from 1 = not implemented to 5 = fully implemented. The better implementations were noted in Europe, the finance industry and with the larger companies.

On achievement of business and IT goals – from 1 not achieved to 5 achieved, results are generally just above the middle with the business financial goal scoring best and the future IT capabilities goal the least.
[Figure: Business goals (Financial Orientation, Customer Focus, Internal Processes, Learning and growth, Corporate contribution) and IT goals (Improved cost optimisation, Increased IT compliance, Better maintenance of …); values not recoverable from the page.]
At a more detailed level, the better contributions of an IT Governance framework referred to IT compliance, information security and IT infrastructure, while service levels and cost optimisation were also positively impacted.

The survey also collected information to analyse the benefits of IT Governance practices by correlating process results to IT goals to business goals. The major conclusions are that this value chain is hard to analyse and prove but also the distinct and strong correlation between properly functioning operational and support-oriented processes with IT compliance and security goals and compliance and risk business goals.
IT Governance
Ben Farhangui, Director IT Governance & Compliance, Atos Worldline

The nature of Atos Worldline’s business with a large range of IT products and services subject to a large number of local and global rules, calls for a well established framework for IT governance embraced by the senior executive team.

A framework like CobiT helps to understand the operational control requirements to drive the IT strategy and strengthen desirable behaviours irrespective of the fact that the different IT environments are centralised, decentralised or federated.

Cobit helped identify the most relevant processes to start with based on a selection of business goals. The relatively long list of processes was then filtered by first selecting those that were important and urgent, then those that provided opportunities and were highly feasible. Maturity and performance targets for the processes present in both lists were then set to start the improvement programme.

The programme consisted of assigning roles and responsibilities to ensure process governance, integrating tools in the different regions, ensuring process adherence through awareness programmes, while strongly building on existing processes and know-how.

The major lesson learned was that vision, skills, resources and action plan should all support gradual change, avoiding confusion, anxiety, frustration and false starts. Ben called it “stealth governance”!
[Figure: scatter plot of CobiT processes (ds12, ds13, ai3, ds4, po8, ds11, ai6, po2, po5, ds1, ds6, me3, me1); x-axis Opportunity & Feasibility (0 to 70), y-axis 0 to 60; point positions not recoverable from the page.]
Service Delivery
Stefan Mertens, Director of Operations & Customer Services @ M-team

M-team is today an IT service provider for 3 unions and 27 healthcare payers (neutral, liberal, free) on the Belgian market. M-team provides IT services towards 5000 end-users serving 2.7 million affiliates from 1700 branch offices.

A few years ago, M-team proposed a gradual IT-infrastructure centralisation. The decision was mainly driven by the economy of scale potential for its customers owning and managing their own distributed infrastructure and resources. In a world where cost and quality are more and more under pressure, the management quickly recognized the need to evolve from an informal technology driven organization to a service oriented organization.

M-team’s approach for this transformation toward industrialization has been very pragmatic from the beginning. Although it was recognized that frameworks like ITIL or CobIT can substantially help, proper governance and a strong focus on short term delivery with visible benefits were the most critical success factors.

The motto “adopt and adapt” was introduced ensuring that frameworks were used only when value was delivered to M-Team customers and never for the sake of using them.

Notwithstanding the pragmatic approach and value objective, a rigorous process was used: identification of essential processes, maturity assessment, gap definition and building momentum with quick-wins.

Stefan especially stressed that in such a transformation project, if the guidance and usage of appropriate frameworks are essential, success can only be guaranteed with a clear communication plan and a built-in progress monitoring mechanism while being careful of not embracing too much at the same time.

[Figure: identification of essential processes → maturity assessment → gap identification → build momentum with Quick-Wins.]
Information Security
Peter Billiau, (former) CIO Dexia Group

Dexia’s approach towards frameworks is holistic and pragmatic but while ISO2700x is a “mandatory” inspiration, the Web Application Security standard, the Set of Secure Development Guidelines from MicroSoft and a very strict application of Rational SD for web based applications are even more important.

ISO2700x in his view provides guidelines and very good Best Practices more than directly applicable solutions, but they do not plan on certification. Reasons for this are that frameworks are not pragmatic enough, are costly and require strong process integration. Hence, Dexia’s preference for frameworks directly applicable in the field.

Peter pointed out there is no magic framework for clients. It is therefore required to educate their clients to make them aware of Security and Data Privacy issues. He expressed the need to focus on real threats and their mutations and also warned that frameworks do not provide per se effective responses to current attack patterns. As a result, IT Security Incident Management, inspired by ITIL and ISO2700x is a priority.
5. Major findings from the Break-out Sessions
Some 30 attendants discussed intensively in 6 working groups about the justification of framework investments, how to plan for success; what risks to avoid and what would a typical (successful) implementation look like. Below is a summary of their findings.

The benefits of implementing an IT governance framework are perceived to be less than hoped for and create a high learning curve for managers even though it usually costs 20% less than expected. Notwithstanding, they do provide a better organisation, more useful management information and a higher maturity.

ITIL as the example ‘par excellence’ of IT service frameworks is the most widely used and despite the detail, complexity and management learning curve, does provide a better IT organisation.

Even though it kicks in an open door, all framework implementations also require senior management support. So if you do not have it to begin with, don’t get started! Or as some of the break-out attendees suggested, do it in a ‘stealthy’ manner, bottom up.

But if you do have senior management support you should nevertheless take on board this very insightful comment from one of the participants:

“Adoption of frameworks is neither a simple nor a self-contained project with measured costs. It is a gradual shift and interrelates with many other initiatives.”
Author
Erik Guldentops, CISA, CISM
2010 Executive Professor
2011 Visiting Lecturer
University of Antwerp Management School
Schapulierstraat 14/3/1
B-1800 Vilvoorde, Belgium
tel +32-2-251-9551
gsm +32-475-432-748
net erik.guldentops@pandora.be

When not enjoying his retirement, Erik lectures on the subjects of IT security and control, IT governance, and risk management at the Management School of the University of Antwerp, Belgium. He worked for many years at SWIFT (Society for Worldwide Interbank Financial Telecommunication), where he held the positions of Inspector-general and Director of Information Security and worked with its board and executive management on the subjects of governance, risk, security and control. He held several positions in ISACA and the IT Governance Institute between 1989 and 2007. Often referred to as “The Father of CobiT”, he led the development of COBIT and Val IT. He currently chairs a panel of professors that reviews the master of IT audit programmes in four universities in The Netherlands.
Contributors
The IT Governance Working Group consisting of:
__ Georges Ataya, Solvay Business School
__ Hendrik Deckers, CIONET
__ Erik Guldentops, Universiteit Antwerpen Management School
__ Luc Hendrikx, Accenture
__ Daniel Van den Hove, ICT Control
__ Johan Van Grieken, Deloitte
CIONET would like to thank the many responders to the survey as well as the presenters and attendants of the breakouts at the event on The Value of IT Frameworks held in September 2011.
About CIONET
We are CIONET, the biggest community of IT executives in Europe. Bringing together over 3500 CIOs, CTO’s and IT directors from wide ranging sectors, cultures, academic backgrounds and generations, CIONET’s membership represents an impressive body of expertise in IT management. CIONET’s mission is to feed and develop that expertise by providing top-level IT executives with the resources they need to realise their full potential.

CIONET develops, manages and moderates an integrated array of tools and services from the online CIONET platform – the world’s first social network for CIOs – to a range of offline networking events, conferences, workshops and executive education programmes all tailored to top-level management. CIONET also provides exclusive access to the latest research through regular online and offline publications and a number of value adding partnerships with key players from the academic and corporate worlds.

Faced with the rapidly changing role of today’s IT executive, CIONET not only helps its members keep up with the pace of change but empowers them to take an active role in shaping the future of their field, always challenging them with “What’s next.”