Crap Factoid Alert: one third of sites have completed a CMDB

Here is a high Crap Factoid alert from Chokey the Chimp:
We recently demolished the EMA paper on CMDB adoption but nevertheless the paper in question is being misquoted by bITaPlanet as saying that "there’s been a dramatic jump in the number of companies that have completed their CMDB, from just 9 percent in 2006 to one-third in 2008". This is nonsense but it is nonsense that is now turning up elsewhere. Be on alert and keep the CFirehose ready.

To repeat what I said orginally about the paper:

Key study findings include:
-- Most CMDB deployments are less than two years underway, with 43 percent less than a year underway and 68 percent not yet in full production.

These numbers apply to those "actively involved in the planning or deployment of their organization's CMDB". So even if we take the more optimistic numbers of say 30% of sites working on a CMDB, then 68% of them haven't got one yet. That means, best case about 10% of sites have something working that they are willing to label a CMDB.

What proportion would meet the ITIL definition of a CMDB? Less than half I bet.

Furthermore, allow for the fact that the population analysts talk to tends to be skewed towards larger sites (read: MONEY), and those who are active with vendors, and those willing to talk to analysts (read: more successful at implementing).

Add all that up and I reckon you have to go a LOOOOONG way to find a working example of an "ITILly-correct" CMDB - I reckon 2%-5% of IT shops


ITIL Compliance???

This thread has a reference to the idea of ITIL conformance. This begs a lot of issues:
* ITIL can't be conformed to as it is not a conformance standard.
* ISO IEC 20000 is a conformance standard - but how valuable is it? It is more aligned with an ITIL V2 foundation view of service management than a current view based on V3 or other models. Since in todays world organizations are really interested in ITIL V3 and other models like COBIT, eTOM, Governance etc etc - isn't a new standard really needed?
* Why do we need ISO IEC 20000 - isn't ISO 9001 the management system standard that is supposed to be followed for quality management systems for both products and services? Why do we need an overlapping standard? ie Why do we need two management system standards? Is IT or service really different than the rest of the world when it comes to what a quality management system looks like?
* What actually is the value of a maturity model? The comment above was that here is a need to be able to say if a provider is a 2 or a 3 or a 4 etc. What is the value of that statement? Isn't the value of a maturity model more for usage as a diagnostic technique to help figure out how to improve, rather than to compare one provider with another? Then - when it comes to comparing one provider with another - isn't there already a model for that with an objective certification scheme - the Carnegie Mellon IT Service Qualification Center - eSCM - service capability model??? It was intended to show quantifiable differences in service capability. Does it not work???

Isn't there a very real industry problem we all face today? Unrealistic expectations of what a supplier’s maturity level claim means? Here are some statements that I would be interested to see some feedback on. If they are really off base - what is the arguement? I am very interested in whatever responses come in.

Maturity models deal with performance and describe how well process activities are required to carry out. They do not indicate why the activities should be performed or what the business outcome is that is to be achieved or what specifically it is that is being managed. Is the process managing systems, services or busness performance? I think maturity models could be used to show a process is mature, but yet does not contribute to busines value.

A maturity model is a tool for internal process improvement but is often improperly used as a benchmark or selection criteria.

A lack of emphasis on ratings is prudent in the light of findings that not all suppliers are exhibiting behavior consistent with their attained maturity level rating.

Appraisal integrity & misrepresentation of the benefits of a “level.” (Time, Program, Specific Project or Service)

Inconsistencies between appraised ratings claimed and observed program performance.

Organizational maturity should not be described as a single digit answer but as a profile of capability. (mono-numerosis)

Maturity Assessment is a useful diagnostic and remediation planning technique.

A maturity model is a set of best practices to be employed by the supplier. It is essential that the industry use this capability in the right manner, with appropriate measure, in order to realize its benefit.

the real world

"A maturity model is a tool for internal process improvement " - indeed. And every major services provider is perfectly capable of assessing that maturity. As John mentions, so did itSMF for V2. So I don't accept that "ITIL can't be conformed to as it is not a conformance standard". As someone said: "this may work in practice but I doubt it will work in theory". The purists say you can't assess ITIL conformance/compliance. the real world does it every day.

your feedback...

ITIL can't be conformed to as it is not a conformance standard.

Agreed. However the OGC did provide an assessment model in v2 that could be used to assess how well you perform vs. compared to ITIL...

How valuable is ISO 20K? isn't a new standard really needed? organizations are really interested in ITIL V3 and other models like COBIT, eTOM, Governance etc etc

ISO 20K can at least be measured for compliance, which may be of value...from what I can tell ISO 15504 could be used to assess any process if there was a PRM and PAM for the target framework. We'll see ISO 20K eventually, but from what I can tell it could also be used for ITIL v3, CobiT or others. Sounds ok to me....

Why do we need two management system standards?

I'm not sure we do. It was my understanding that ISO 9000 was kind of a 'generic' QMS, where ISO 20K was specific to ITSM. Both are compatible and in fact many of the ISO 9000 QMS elements could be used in an ISO 20K scenario...

What actually is the value of a maturity model?

seems to me if we had an accepted measurement framework we'd be better at getting 'apples-to-apples' comparisons...

a provider is a 2 or a 3 or a 4 etc. What is the value of that statement?

not much unless we've agreed on what that means, and how we get to that result is done in a consistent, repeatable way...

Isn't the value of a maturity model more for usage as a diagnostic technique to help figure out how to improve, rather than to compare one provider with another?


Carnegie Mellon IT Service Qualification Center - eSCM - service capability model...Does it not work???

I don't know. I was more focused on assessments within an organization than supplier selection. Not sure how it might help ITSM implementations...

Maturity not indicate why the activities should be performed or what the business outcome is that is to be achieved...

I'm gonna lean on van Loon:

["When an organization sets goals to achieve success, it must know how well it is performing and what it still needs to do to achieve success. .... Process assessment therefore fits within a value chain leading from organizational goals to success:

> The first step is to translate the organizational goals into the required processes."]

This section of the book seems consistent with ITIL's CSI model. (Establish the Vision). Again, I'm focused on ISO 15504 and from what I can tell this might allow you to take any good practice process framework (ITIL v3, ISO 20K, etc.) and with the appropriate PRM and PAM consistently assess processes against the framework.

Assuming you agree that the process outcomes as defined by the framework support your business goals, then I suppose all is goodness....

I think maturity models could be used to show a process is mature, but yet does not contribute to busines value.....A maturity model is a tool for internal process improvement but is often improperly used as a benchmark or selection criteria.
...Appraisal integrity & misrepresentation of the benefits of a “level.”..Inconsistencies between appraised ratings claimed and observed program performance..

Agree. Whether the process outcomes add business value is something you must determine. Perhaps ValIT can help here...but a standardized approach to process assessment and uniform criteria for assessors and evidence would help would help with some of these inconsistencies I think.

I'm outta feedback for now, but thanks for the exchange!
John M. Worthington
MyServiceMonitor, LLC

Basis for Compliance???


What proportion would meet the ITIL definition of a CMDB? Less than half I bet.

A few relevant questions:

  • Where does such a definition exist that is detailed enough to validate that it meets it??
  • What level of agreement exsits regarding such a definition??
  • Does being supported by a vendor implementation of CMDB qualify and/or demonstrate compliance??
  • ... and other similar questions

It's often said that "it's not what you know, it's what you know that just ain't so". As such, given the state of the art in this area, we should be treading this ground and considering any answers to these questions (original or mine) very carefully (and skeptically, if I might be so bold).


emerging standards for CMDB

"I know art when i see it"

I hear there are emerging standards for CMDB (and I'm not refering to the CMDBf interface). I hope one day we can have a formal model for what constitutes a CMDB at maturity 1 thru 5.

The downside would be I'd have to stop saying CMDB can't be done, because presumably just about any idiot could do maturity 1 CMDB

The opportunity to define CMDB standards is long gone

Many organisations came to the realisation some time ago that they required technology tools to better manage their IT infrastructure and it was at that point that the variations of functional elements in a CMDB started to emerge. It also had vary little to do with ITIL, it was a standard practice in the mainframe world. The vendor community soon followed with a range of product offerings encompassing various elements of the service management lifecycle and they have been refining them ever since in an attempt to align them with a moving target of implied standards, and many of them proclaiming ITIL compliance for their products. Most organisations are reluctant to take on new technologies to support their overall service management process, they just want to add to it, to gain the benefits of a structured configuration management practice, and many organisations have different goals. The site has recently been updated and refers to many of the top product offerings in the market but researching the market segment is like wading through a minefield of spin doctor literature. (IT Skeptic also gets a link from the site.) Some of the features that are gaining popularity in this space are non-automated service mapping (ensuring that the CMDB is not populated with obsolete legacy connection data), selective auto discovery of network assets and dynamic visualisation (Article and Demo on of services and infrastructure. The theoretical model and what needs to be put into practice differ in many areas. From information gathered so far it is clear there are 2 different types of CMDB’s, those that solve general configuration management issues and those that strive to impose the full lifecycle of ITIL compliance, and both are necessary contributors to this market segment.

To get some real facts around the general interest in implementing a CMDB strategy, is hosting a comprehensive survey form which is hoped to gather some real life, independent facts behind the take up rate of CMDB technologies. Results will be published on the site and updated on an ongoing regular basis so the trend can be monitored over an extended period of time. Any input of additional questions to be posted in the survey would be most welcome.

Personally I don’t think it will ever get to the point where a defined maturity model can be widely accepted for the CMDB by the industry as a whole. As for the percentage of ITIL Compliant CMDB implementations, it could be as low as 10% to 20%. It may get to some concept of defined maturity in a future ITIL release but I believe that the concept of the CMDB has evolved too far, for it to be reigned back in to an ITIL standard.


We're having the WRONG DEBATE

I do not believe that ITIL ever intended --- or claimed --- to establish either conformance or compliance criteria for a CMDB. The CMDB vision in ITIL was (and is) a key support for the Configuration Management process. In ITIL Version 2, a self-assessment questionnaire was provided that offered OGC's view of 'conformance' to an ITIL Version 2 based Configuration Management process and remains the only 'official' criteria for measuring the capability and maturity of an ITIL based Configuration Management process.

I believe ITIL Version 3's introduction of a Configuration Management System (CMS), which can incorporate multiple CMDB tools, is not only closer to reality but does a fair job of clearing up some of the confusion. However, the fact remains; the process supports required to achieve different levels of Configuration Management maturity will vary based on many factors including the target capability/maturity needed, process scope, existing tools in use and the available time & money.

Your reference to an "ITIL compliant CMDB" I feel is a bit off base. I'm not even sure it would be a good thing to define this standard; couldn't it actually stifle innovation? There is more than one way to reach a goal, and there certainly will remain many different aspects of automation needed by different customers and industry segments. One size definitely does not fit all!

I think what would be very helpful is to establish both an accepted capability maturity model for ITIL-based processes (ISO 20000?) and a repeatable (standardized?) approach to measurement and assessment. That way, there will be much less wiggle room for vendors but still room for innovation at different levels of need. I'm looking at ISO 15504 to fill that bill, but who knows?

In the meantime, I'm not sure looking for an ITIL compliant CMDB was ever the right question in the first place. I believe a more effective approach would be to define varying levels of Configuration Management process capability/maturity, and then establish varying tools and techniques to achieve these objectives. The more things change the more they stay the same...

The search for 'CMDB standards' is the wrong debate; at least right now. How to clarify the capability/maturity of ITSM processes --- consistently and repeatably across multiple customers and industry segements - would be more productive. In addition, it would lay a better foundation to determine --- if, what, by whom and at what maturity level --- technology standards are needed.

John M. Worthington
MyServiceMonitor, LLC

One Person's Art...

Heh. Yeah, I know what you mean. Still, your comment really does play right into my (partially rhetorical) questions.

The guidance that IITL provides in the area is insufficient and leaves the matter open to interpretation such that just about any answer can qualify as correct. I've had some people make the case to me that this provides choice and flexibility, but to me it's anarchy pure and simple.

How much guidance (as in the act of guiding) do you really get when you end up making it all up anyway?

Please post more on such "standards" when you hear more...


When will we have a Maturity Model

When will we have a Maturity Model for ITIL????

When will we be able to say that a service provider is ITIL level 2? or 3? or 5?

In my point of view, it is so more important than a new version of ITIL...


For Maturity levels check out COBIT and Carnegie Melon

There is a maturity model out there.

The CMMI Service Constellation has built an ITSM Maturity Model. The US Department of Defence wanted some assurance that their service providers had some consistent delivery capability. It is pretty comprehensive for ITIL v2; and Van Haren Publishing put out a book about it as well. (IT Service CMM)

Next thought, take a look at COBIT. Each control objective in COBIT has a maturity model (aligned to CMM levels) already built; review the auditors guide or the general 4.1 to see what the relevant level of maturity should look like.
Check the mapping of ITIL v3 to Cobit 4.1, then look up the related objective to see how to determine the process maturity.

That's easy to say and very hard to do

Well... yes... kinda. That's easy to say and very hard to do

Both of these models prove that a maturity model for ITIL is possible, despiet the crap we get from some of the ITIL "theorists".

But neither of these models maps well to ITIL: there are 22 COBIT processes that ITIL covers partially or not at all. So they don't measure ITIL maturity, they measure their own view of maturity. Mapping them until they come close to ITIL would be more work than the actual assessment, and is work we shouldn't be doing in the field.

Yes...But the core is easily mapped

Hey Skep,

I've been doing these for more than a few years now. The new CMM for services is really good for V2.

And Cobit for V2 is not difficult. The core processes, IM, PM, Change, Release and SLM map easily.
If you just stick with the Generic Process controls you get a simple test for determinng if all your process components are in place.
Best thing about COBIt is that it provides process owners/ managers with the language and outcomes that audit is looking for. As a control framework it helps you determine what you should be producing from your processes.

last thought
Maybe you can check out a rumour I heard. Apparently the University of Sydney is looking into an ITIL process maturity model.

Waiting on the World to Change

First on the CMDB madness...

The ITIL (v3) Glossary defined Configuration Management Database as:

[A database used to store Configuration Records throughout their Lifecycle. The Configuration Management System maintains one or more CMDBs, and each CMDB stores Attributes of CIs, and Relationships with other CIs.]

Based on this definition, I know of many customers that have a CMDB. In v2 I called this a CDB (see CMDB Kool-Aid can result in a Bad Trip...), largely because the CI attributes were largely utilization/performance related. However, it DOES store CIs, Attributes and Relationships between CIs. In fact, it takes measurements at every layer of every component of a service infrastructure --- network system and application --- learns the norms of all measurements and automatically isolates which layer of which component is the source of an anomaly. Pretty handy when you're trying to build bridges across silos.

This focus on Service Impacts, rather than workflow and Changes, has done more for these customers than any ITIL training or consulting I could ever do. Ironically, in many instances the thought of getting to the bottom of what's really going on is pretty scary.

Second, on the Maturity Model....

the absence of an assessment and capability maturity model for v3 dwarfs any nit-picking about terms and concepts. This is a huge miss as far as I'm concerned. Here's where ISO 15504 stands per Alec Dorling (for better or worse) the meantime, you can use CobiT guidance to help, but a standards-based assessment would really get people focused.

There are two relevant standards under development related to IT Service Management process assessment model

ISO/IEC 20000-4 Information technology — Service management — Part 4: Process Reference Model
This standard is being developed by Working Group 25 in ISO/IEC JTC1/SC7
The convener of the working group is Dr. Jenny Dugmore (from the UK)

The standard is currently out for international ballot as a PDTR

This standard provides a process reference model suitable to enable implemented processes of ISO/IEC 20000-1 and ISO/IEC 20000-2 to be assessed according to the requirements of ISO/IEC 15504-2, Information Technology - Process Assessment - Part 2: Performing an assessment. The source for this process reference model is the processes in the body of the international standards ISO/IEC 20000-1 and ISO/IEC 20000-2.

ISO/IEC 15504-8 Process Assessment - IT Servive Management Process Assessment Model

This standard is being developed in Working Group 10 in ISO/IEC JTC1/SC7
The convener of the Working Group is Alec DOrling (UK)

This standard will take the processes defined in the ISO/IEC 2000-4 and elaborate into a Process Assessment Model

This work is currently in a WD (Working Draft) status, pending the result of the PDTR ballow on ISO/IEC 20000-4

Work will be progressed at an ISO meeting in China at the beginning of November 2008 after which it will be forwarded for PDTR ballot. By nature, the Process Assessment Model has to follow the definition of processes in the Process Reference Model.

To gain access to the standards under development, you will need to contact your US national body, or you can participate as a Premium member of the SPICE User Group.

v3 would have done us all a favor by providing some 'interim' assessment model, even simply expanding the v2 self assessment, while we're waiting on the world to change....

John M. Worthington
MyServiceMonitor, LLC

Syndicate content