Downsides of ITIL?

Ok I'm probably going to be looking at getting the foundation cert sometime over the next couple of months, but that's not what I wanted to ask.
I had an interview recently in which I was asked about ITIL and what I understood of it, to which I gave a reasonable answer given my limited knowledge.
One of the follow up questions threw me a little and showed my lack of knowledge and while this doesn't bother me in terms of the interview it puzzles me all the same.

I was asked what, if any, were the downsides of ITIL?

Now I'm not expecting a "correct" answer as I'm well aware that wasn't the purpose of the question and again while I gave my answer I am intrigued as to how some of the more experienced ITIL folk would have answered that.
if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)

Comments

  • eMeS Posts: 1,875 Member
    Excellent topic...here's a start:

    -The expense associated with adopting ITIL (the core books alone cost around ~$900).

    -Time and expense associated with training is often prohibitive.

    -The evangelical approach taken by many ITIL consultants (ITIL is the end-all be all to everything).

    -Consistency problems and errors throughout the core volumes.

    -"Secret-handshake" nature of much of the behind the scenes ITIL best practices documentation and accreditation.

    -Weak framework for security that very much seems like "so what".

    -Repetition of some information, said in multiple places in different ways throughout the core books.

    -Often in ITIL implementations organizations "throw out the baby with the bath water." That is, they ignore they have already been doing much of what ITIL says and think that ITIL means starting over.

    -The fact that ITIL says that boundaries are good, but in fact has many areas throughout the core books with unclear and ambiguous boundaries.

    -Often very focused on terminology and definitions.

    MS
  • eMeS Posts: 1,875 Member
    I forgot about all of the countless "chicken and egg" scenarios that come up in ITIL, around what to adopt first, etc...

    MS
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    eMeS wrote: »
    -Weak framework for security that very much seems like "so what".

    As in ITIL discourages it?
    Currently working on: Linux and Python
  • eMeS Posts: 1,875 Member
    As in ITIL discourages it?

    No, that would be the equivalent of best practice suicide these days....

    It's actually more of an afterthought.

    Initially v2 wrapped security into Availability Management, then they added a "bolt-on" security process.

    Now in v3 they've added a process called "Information Security Management", but I would say that it's very immature compared to more rigorous security best practices that are out there.

    MS
  • eMeS Posts: 1,875 Member
    A thought on this thread to everyone...

    Regardless of what you do for a living it behooves you to be able to understand the negative aspects/downsides of it better than the detractors....

    It prepares you for the time when someone tries to knock you off the tracks with a question such as, "what do they mean by the commoditization of IT in the context of IT being a strategic enabler?"

    MS
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    eMeS wrote: »
    No, that would be the equivalent of best practice suicide these days....

    It's actually more of an afterthought.

    Initially v2 wrapped security into Availability Management, then they added a "bolt-on" security process.

    Now in v3 they've added a process called "Information Security Management", but I would say that it's very immature compared to more rigorous security best practices that are out there.

    MS

    I think I am going to have to learn some more about ITIL next year. It will probably open my mind to how IT departments work at a higher level.

    Me thinks?

    [Edit] Just found this link: http://www.best-management-practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf
    Currently working on: Linux and Python
  • eMeS Posts: 1,875 Member

    I think this underscores my point...this is fluff compared to some of the real security stuff out there....

    One of the other downsides often comes into play when you have consultants that think ITIL is the end-all-be-all answer to everything, and don't recognize or accept this key shortcoming...

    MS
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    eMeS wrote: »
    I think this underscores my point...this is fluff compared to some of the real security stuff out there....

    One of the other downsides often comes into play when you have consultants that think ITIL is the end-all-be-all answer to everything, and don't recognize or accept this key shortcoming...

    MS

    I didn't read the PDF yet, but isn't ITIL just a way to provide some sort of basic map for how things should flow? If so then shouldn't it help with the security world as well?
    Currently working on: Linux and Python
  • eMeS Posts: 1,875 Member
    I didn't read the PDF yet, but isn't ITIL just a way to provide some sort of basic map for how things should flow? If so then shouldn't it help with the security world as well?

    Not exactly on the first point. ITIL is a collection of best practices for how to manage IT in the form of services. While it does offer some good suggestions in terms of security, if I were really interested in applying the best best practices to secure my IT, I wouldn't look to ITIL for those suggestions.

    There are definitely many good things about ITIL, but it definitely doesn't have all of the answers for everything under the Sun.

    MS
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    eMeS wrote: »
    Not exactly on the first point. ITIL is a collection of best practices for how to manage IT in the form of services. While it does offer some good suggestions in terms of security, if I were really interested in applying the best best practices to secure my IT, I wouldn't look to ITIL for those suggestions.

    There are definitely many good things about ITIL, but it definitely doesn't have all of the answers for everything under the Sun.

    MS

    Ok, thanks for the insight.
    Currently working on: Linux and Python
  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,888 Member
    I think with ITIL or thinking in that mindframe, you might over analyze a situation when a quick fix is all you need. Mmmmm maybe it is not needed or the best approach for every situation.

    Those are the only two reasonable answers I can come up with, towards that question.
    2019 Goals:
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
    2020 Goals:
    Certs: AZ-500, MS-500, Pentester Academy - PACES, Varonis Certified Admin (in-progress)
  • laidbackfreak Posts: 991 Member
    cheers guys some interesting food for thought there :)

    Interesting point about security being an afterthought, but I would say that has been the norm in IT until fairly recently.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • eMeS Posts: 1,875 Member
    cheers guys some interesting food for thought there :)

    Interesting point about security being an afterthought, but I would say that has been the norm in IT until fairly recently.

    What answer did you give in the interview?

    MS
  • laidbackfreak Posts: 991 Member
    eMeS wrote: »
    What answer did you give in the interview?

    MS

    To be honest I didn't, I said something along the lines of due to my lack of knowledge of the area I wasn't really in a position to explain the negative sides. Somewhat better phrased at the time. They accepted that as they were well aware I have no experience.

    I didn't get the job, but that was due to lack of current experience in MS than anything else, but the feedback was good and I obviously impressed them as they have another role coming up after xmas that they felt (as do I) that is more suitable to my current skillsets (Cisco) and wanted to know if I would be interested in that.
    To be honest despite not getting the role (and I would've been in a dilemma about taking it, had I got it) it was one of the best interviews I've attended.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Posts: 5,735 Member
    To be honest I didn't, I said something along the lines of due to my lack of knowledge of the area I wasn't really in a position to explain the negative sides. Somewhat better phrased at the time. They accepted that as they were well aware I have no experience.

    I didn't get the job, but that was due to lack of current experience in MS than anything else, but the feedback was good and I obviously impressed them as they have another role coming up after xmas that they felt (as do I) that is more suitable to my current skillsets (Cisco) and wanted to know if I would be interested in that.
    To be honest despite not getting the role (and I would've been in a dilemma about taking it, had I got it) it was one of the best interviews I've attended.

    Sounds Good!
    Currently working on: Linux and Python
  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,888 Member
    That's excellent, always take in the positive. Although you didn't get the job it was still a positive learning experience. Hopefully you land the next job they offer to you. Good luck!
    2019 Goals:
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
    2020 Goals:
    Certs: AZ-500, MS-500, Pentester Academy - PACES, Varonis Certified Admin (in-progress)
  • NinjaBoy Posts: 968 Member
    Sorry, going back to the original topic...

    ITIL is a complex beast to implement, I did my ITIL foundation and started to look into the higher levels and the first thing that popped into my head was, "wow, how the heck am I supposed to implement this and where am I going to get the resources".

    Then I was introduced to FITS, it's a stripped down version of ITIL (based on version 2 & 3) so it's easier for SMB and the education markets to implement.

    -Ken
  • eMeS Posts: 1,875 Member
    NinjaBoy wrote: »
    Sorry, going back to the original topic...

    ITIL is a complex beast to implement, I did my ITIL foundation and started to look into the higher levels and the first thing that popped into my head was, "wow, how the heck am I supposed to implement this and where am I going to get the resources".

    Then I was introduced to FITS, it's a stripped down version of ITIL (based on version 2 & 3) so it's easier for SMB and the education markets to implement.

    -Ken

    I understand the point you're making, and to some extent I agree. However, what many people and organizations fail to understand about the ITIL is that it is a collection of best practices. There is no requirement to adopt everything; organizations could pick 1 thing from ITIL that they think will help their business and do that.

    MS
  • qwerby Posts: 5 Member
    ITIL is good but it is implemented by people. Some/many people use it as an excuse and spout complete and utter tosh.

    We had a number of issues and the service desk manager often said that his approach "was in line with ITIL best practice". After studying ITIL I now realise he was playing on my ignorance.

    ITIL if followed gives you some smart ideas, and it also allows you to move from organisation to organisation with a bit more ease.
