One of the things I do from time to time is interview with various enterprises, sometimes for jobs and sometimes just out of curiosity. Recently, I went through a couple of such meetings with a local financial institution, and for the first time saw firsthand some interest at the enterprise level in acquiring talent schooled in ITIL.
Now this was not really all that surprising, as the importance of IT in the enterprise has grown over the years, and the need to catalog best practices has also increased just to keep the quite chaotic and ever evolving morass running. Another not surprising reason is that the parent company was a member of the British Commonwealth, which is where ITIL originated a while back.
While I had read about ITIL in the past, I really hadn't studied it, so when the interviewer inquired about my knowledge of ITIL I told him I had none... and proceeded to spend a good portion of the next hour receiving a lecture on the importance, role and value of ITIL in the enterprise. Quite educational. He was, if not an eloquent speaker, at least quite passionate. He was quite adamant about one thing in particular - that ITIL was all about Risk Management (and (IT) operations management in general isn't? - ???). Anyway, he piqued my interest enough that I decided to make this my next course of study, just out of curiosity.
According to Wikipedia.org: "The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations". I prefer to think of it as a guidance for technology in the enterprise.
I am now about midway through the foundations sequence and I see a lot of good thinking - if your interest is the philosophy of service provisioning. Not really of much use in terms of concrete operational doctrine though (no easy outs here) - hence my preference for calling it a guidance (at least at the foundations level), and which is why it probably hasn't yet caught on with many small to medium businesses. In passing, I would note that most companies really can't afford to even think about it as an enterprise process until they hit the billion dollar revenue mark (defining and tabulating all those metrics and having all those planning/review meetings tends to be labor intensive, and storing all that accumulated data for regulatory compliance can be costly).
As to the content, nothing really new - to me at least. Things I have spent the last 3 decades learning through the old apprenticeship process, they have spindled, collated, acronymed and formalized into a nice, (barely) digestible tome of wisdom. Perfect for the MBA set, who usually start out at the (project) manager/consultant/analyst level, so they rarely learn the ins and outs of the reality of IT (which means dealing with the details of day-to-day operations in the trenches). (I am not intending to demean the MBA, quite the contrary; however, I do view a new MBA like the army views 2nd Lieutenants - stuffed with lots of info, but very short on practical experience. (As I once heard stated, the job description of a 2LT was to relay instructions to the troops, observe, report and listen attentively to his sergeant for every pearl of wisdom he deigned to drop.) Though this is changing for the better at many institutions. I had the pleasure of working with some MBA students on a team project last year. They did a bang-up job on an analysis of Business Continuity solutions for one of my clients (though I still wouldn't want them running a datacenter for me).)
I do see ITIL (at least the foundation level) as becoming a requirement for the CIO/CTO role in the next decade. I also believe that it should be required for any C-level executive, so that they have at least a basic concept of what IT is trying to do (I also note that there is a lot of very good general thinking here for all aspects of enterprise operation). In particular the CFO, to whom IT reports in many organizations (to the detriment of those companies in many, but not all, cases).
Monday, April 18, 2011
Wednesday, April 13, 2011
The current state of Deduplication
I recently attended one of the many enterprise IT-related conferences that occur every spring in the city and had the good fortune to hit a special channel session where one of the speakers, a specialist in storage technology, gave us an interesting heads-up as to the state of deduplication in the enterprise.
To make a long story short:
- Situation: In a conference call with a client to a vendor of storage equipment with dedupe built-in
- Topic: Cost of 2 additional disk drives ($53,000, available from Newegg for $500.00)
- Reason for Discussion: Explain the cost
- Justification: Licensing for support, warranty, extended services (including dedupe) for the additional drives.
He told us one additional anecdote:
A large communications provider (phone, etc.) decided several years ago to acquire a dedupe solution from one of the major storage providers (part of their suite of applications/devices) at a significant sum (pick a suitable integer and add at least 7 zeros before the decimal point). Their goal was to reduce the growth rate of their total document storage via deduplication. After several rounds with operations and legal, they discovered that, instead of being able to dedupe across their entire document base, they were limited to using dedupe for only a single-digit percentage of their documents. A video (published on one of the major video sites) was made of a presentation at one of these enterprise events by one of their IT execs where he pointed this out to his audience, which, because of contractual obligations between the customer and their vendor, was quickly pulled first from the show's video list and eventually from the video site itself.
His recommendation to us was not to sell/recommend storage-device-integrated deduplication, but to use an add-on device that you could configure as required for a lower TCO.
This is all second-hand information, so I can't attest to its veracity. However, I do recommend that you do a thorough check with all departments (including legal and compliance) to verify how effectively you can make use of a dedupe solution before you spend a lot of money on something you may not be able to use efficiently.
Monday, April 4, 2011
On the state of IT security and data storage
There have recently been several notable events in the IT world that should cause you, if you aren't already, to question the wisdom of the claims of both Security and Managed Services providers. Case in point: several weeks ago I sent out a link to a story about a major IT security provider that got hacked (see: http://www.msnbc.msn.com/id/42152645/ns/technology_and_science-security), and last week there was another noteworthy event where an irate ex-employee of a data storage service provider wiped out a year's production for a TV production company that employed its services (see: http://news.yahoo.com/s/nm/20110331/tv_nm/us_zodiac ).
There is some commonality between the events. Both provide external services (although it's not clear which products were compromised in the first case). Both were used to ensure data security and integrity. Both were used so that companies would not have to address the expense of managing their own secure services. And because their marketing was taken at face value, their customers suffered.
There are a couple of key points:
- There is no such thing as perfect security.
- Your security is only as good as the people you hire (not the companies you employ).
- Hype sells, but doesn't pay the damages from lawsuits.
- Outsourcing is cheaper in the short term, but won't help your case when your customers and/or shareholders sue (notice a train of thought here).
- Whether you outsource or not, you are still responsible for the final results (just ask BP about that).
- If you have a government entity as a client, be aware that they have deeper pockets for lawsuits (think just about infinite) than you do.
So how do you avoid, or at least reduce the risk of, these kinds of events happening to you? Several things come to mind:
- Don't depend on a single data storage source... Keep local backups... That are checked... By your people... on a regular basis.
- Use multiple layers and types of security... From different providers... That are monitored... By your people... On a continuing basis.
That is not to say that there aren't services that are trustworthy and reliable - or even that these were not. Just don't put all your eggs in one basket (and keep a few hidden in the back of the fridge), lest you find yourself with egg on your face and a large mess to clean up.