The document discusses research conducted by the IT Process Institute on the relationship between IT controls and organizational performance. The research found that:
1) Higher performing organizations consistently implement a small number of "foundational" IT controls related to change management, access controls, and configuration management.
2) For larger organizations, nine additional controls around release management, problem management, and service level management help explain performance differences.
3) How organizations manage exceptions to IT processes, through detection and enforcement of consequences, is a key factor in performance. Those that do not enforce consequences see less benefit from controls.
1. Metricon 4.0: The importance of context. Security measures as a dependent variable. Data reveals foundational practices that optimize security and operations. Kurt Milne, Managing Director, IT Process Institute, [email_address]. Gene Kim, CTO and Co-Founder, Tripwire, Inc., [email_address], @RealGeneKim.
5. Mission: advancing the science of IT management. Pillars: Research, Prescriptive Guidance, Benchmarking, IT Management Leadership. Goals: foster sustainable change, enable industry comparison, link practice to results.
6. Data driven management: spectrum of influence, from Intuitive to Analytical. Forms of evidence shown on the spectrum: Academic Study, Population Sample, Benchmark, ROI Story, Best Practice, Peer Recommendation, Anecdote, Prior Experience. Sources of influence: ITPI Focus, Vendors, Consultants, Industry Analyst, Tradeshows, Industry Press, Blogosphere.
13. Study #1 (2006): Design Survey: Pick IT Controls. (1) We selected the six leading BS 15000 areas within ITIL that are conjectured to be "where to start": Access, Change, Resolution, Configuration, Release, and Service Levels. (2) We then selected 63 COBIT control objectives within these areas. Sources: COBIT, IT Governance Institute/ISACA; IT Infrastructure Library (ITIL) / BS 15000.
14. Study #1 (2006): The 63 IT Controls. The resulting controls that we selected were in the following control categories:
• Access Controls: 17 controls
• Change Controls: 13 controls
• Configuration Controls: 7 controls
• Release Controls: 6 controls
• Service Level Controls: 8 controls
• Resolution Controls: 12 controls
17. 2006: Three Clusters of Respondents (Low Performer, Medium Performer, High Performer). Source: IT Process Institute, May 2006. (1) The ITPI identified 23 "foundational controls" and used cluster analysis techniques to identify the relationship between the use of foundational controls and the performance indicators of the companies studied. Three clusters emerged. (2) Each wedge in the pie represents one of the foundational controls. Each bar represents the percentage of the cluster members that responded 'yes' to that control. (3) Almost all of the members of the high performing cluster had all of the foundational controls. (4) Almost all of the members of the low performing cluster had no controls, except for access and resolution.
When we look beyond the metrics into what they actually do day-to-day, the high performers set themselves apart in three major areas. First, they placed a significant emphasis on their change management process. In fact, high performers see change management as a key capability that allows them to become high performers. The next area of difference is that high performers operate within a culture of causality. In other words, they placed a high value on understanding why a change happened, not just that it was resolved. These attributes led to a third aspect that was evident within the high performers: they were very rigorous about enforcing policies and insisted on compliance from their team members. They also used the data they collected to reduce the variance of configurations and increase the consistency of practice within their operating environments. This was achieved through an emphasis on sending the right cultural message within the company, implementing the correct controls to hold people accountable for adhering to policies, and following through with consequences for not doing things the right way.
How each side actively impedes the achievement of the other's goals.
Key findings indicate that a set of 21 control activities, which the ITPI calls Foundational Controls, have the broadest impact on key performance measures. Top performers scored higher on key operational metrics: 12 to 37 percent less unplanned work than medium and low performers, a 12 to 26 percent higher change success rate, and a 2.5 to 5.4 times higher server-to-system-administrator ratio. In addition, the presence of specific Change and Configuration controls, among others, appears to be the primary differentiator of top performing organizations.
(1) Of the universe of potential controls, the researchers identified 23 "Foundational Controls" spanning 6 areas of ITIL (Access, Change, Config, Release, Service Level Mgt, and Resolution). Foundational controls were those controls which had the highest correlation with positive performance indicators (there were ~50 performance indicators spanning Operations, Compliance, and Security). By segmenting the respondents based on the performance indicators, 3 clusters of performers were apparent: high, medium, and low.
(2) (See block 2 above.)
(3) (See block 3 above.)
(4) (See block 4 above.)
You'll also notice that the high performers use a very balanced approach to implementing controls, while the other groups have unbalanced approaches. We believe that the appropriate balance of controls is essential for success. However, some controls have a much greater impact than others. Let's discuss which ones those are…
Based on analysis of the top performers in this study, our overall conclusion is that focusing ongoing audit, compliance, and best practice related resources on Foundational Control activities will generate a significant return on investment realized through increased performance on a wide range of key performance measures.