IT Security & Service Management: The Intersection of Safe and Supported
First off, I have to say I hate this title. When did security of IT assets and systems become something different from service management?
Is it because ITSM has just fallen into the “that’s a help desk thing” bucket? That would be unfortunate.
Maybe it’s because cyber security has become its own department with a seat at the table for business continuity and risk. It is the team of jocks who have their own team uniforms and sit together at the lunch table, talking about how Snort caught a denial-of-service attack, or Splunk alerted on a brute-force attempt.
In any event, I find the whole idea of cyber security teams and service management teams silly. This isn’t peanut butter and jelly. It’s fruit and sugar, and it's all jelly.
Let’s go with the assumption I suggested, that ITSM is relegated to just a “support thing” (which is stupid, but let's go with it). Even then, separating the two makes no sense. Take a second and think about the top five requests that come into your service desk.
According to my research (which consisted of talking to four service desk managers at my last HDI meeting), these three requests always appear in the top five:
1) Password reset
2) New account setup
3) New account access (email, SharePoint, file share, third-party app, etc.)
Can you imagine an organization that resets passwords, sets up new accounts for people, or grants permission to critical business information services and systems without following a process that complies with a corporate policy?
(If you answered YES, please fill up your bathtub with water and throw all your devices in it.)
Of course it’s not. Remember my definition of IT Service Management:
1) The defined and monitored method for how work comes into IT
2) The transparent representation of how work gets done in IT
3) The measured balance of planned work vs. unplanned work based on business priority
4) The demonstrated increase in the value of IT resources
Would we not also clearly define how passwords are reset, by whom, and how those resets are monitored and controlled?
Is any IT security work done that is not transparent and documented, so that its methods are repeatable and auditable?
Would IT security be able to reduce any levels of risk if it were not spending time on risk prevention as well as streamlining risk response?
Lastly, how would IT security possibly fund itself before breach and impact if it could not represent its value?
This last statement is one of the reasons most security projects are funded only after a breach or an audit failure. Yes, this is stupid and unprofessional. I suggest we not list these incidents on our LinkedIn skills page.
Unifying IT is not about getting two departments to work more collaboratively together. It’s about getting outcomes to leverage practices and tools that maximize value, reduce workload, and increase visibility. ITxM is all about systematically improving capabilities within IT asset, service and security management.