The full findings are available in a report published by the SEI: Allen, Julia; Behr, Kevin; Kim, Gene et al. Best in Class Security and Operations Round Table Report (CMU/SEI-2004-SR-002). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, March 2004. Copies of the report are available upon request.
Tools To Find The Way To High-Performing IT: Visible Ops, an Executive Level Community Of Practice, and the VEESC Benchmarking Project
To help organizations make the process transformation needed to acquire the characteristics of high-performing IT, the ITPI has created three publicly available tools: the Visible Ops methodology, the ITPI Community of Practice Listserv, and the upcoming VEESC benchmarking study.
- Visible Ops describes four prescriptive and self-fueling steps that take an organization from any starting point to a controlled, continually improving process. The Visible Ops Handbook, to be published in early May, is designed to jumpstart the implementation of controls and process improvement in IT organizations that need to increase service levels, decrease costs, and improve security and auditability. BetterManagement presentations on Visible Ops and on building best-in-class change management processes are available at:
- The ITPI Community of Practice Listserv is a mailing list that brings together some of the best practitioners in IT operations, security, audit, and governance. Its purpose is to discuss the pains they experience and the promise they see, with the goal of building an executive-level community of practice for IT operations and security that shares a common sense of purpose and the desire to influence other relevant, connected communities of practice. Topics include governance, audit, risk management, IT operations, security, project management, and process management (including benchmarking).
- The VEESC (Value of Effective and Efficient Security Controls) benchmarking and survey-of-practice study attempts to quantify the business value of controls and to test which of five controls correlate most strongly with high-performing IT organizations. Many practitioners view controls as simply another layer of bureaucracy, whether labeled ITIL, COBIT, Six Sigma, or something else. The purpose of this benchmark is to determine empirically whether IT controls affect the value, effectiveness, efficiency, and security of IT operations. We hypothesize that implementing IT controls improves IT efficiency, IT effectiveness, and IT security, and indirectly improves business value.
Based on prior research and extensive pilot testing with high-performing organizations, we will develop a survey to test our hypotheses. We will then distribute the survey to a sample of Fortune 1000 companies. The results will be analyzed using structural-equation-modeling techniques to determine which controls are the most important in improving IT efficiency, effectiveness, and security. This will be the topic of an upcoming article.
Summary and Call To Action
In this article, we explored three critical questions in the context of solving the most common IT challenges: what do I need to change, what should I change to, and how do I cause the change?
Studying high-performing IT organizations shows that the areas most often in need of change in lower-performing organizations are cultural: a belief that control is not possible, that the absence of controls has tolerable costs, that the success of the individual can outweigh the success of the organization, and that IT security and operations are somehow independent of each other. By overcoming these mistaken beliefs, and by implementing repeatable processes in the ITIL process areas of release, controls, and resolution as outlined in the Visible Ops methodology, organizations can achieve not only a transformation in beliefs but a transformation in performance as well.
So, here is our call to action: Do you agree or disagree with our definitions of high- and low-performing IT organizations? Are there more characteristics that should be added to our list of best-in-class attributes? If so, please let us know by emailing Gene Kim and Julia Allen. Also, if you are interested in any of this work, please join the ICOPL mailing list.
Gene Kim is the CTO and co-founder of Tripwire, Inc. In 1992, he co-authored Tripwire with Dr. Gene Spafford while at Purdue University. He is currently working on a series of projects to capture how "best in class" organizations have Security, Operations, Audit, Management, and Governance working together toward common objectives.
Julia Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), Carnegie Mellon University (CMU). Allen is engaged in the development and transition of security improvement practices for network-based systems and executive programs in information security and survivability.