Optimise Your Organisations CMDB Strategy

As Voltaire once said, "Perfect is the enemy of good". If you think you can achieve a perfect CMDB on day dot, you've already failed. This isn't possible no matter what your software vendor may tell you or how 'shiny' a tool is; it is easy to buy into the utopian world you may see in presales demonstrations. There is however a journey to get to perfection. The best action is starting with baby steps - as the US Navy Seals say, "slow is smooth and smooth is fast". This saying, used by arguably the most elite force in the world, reminds us that the best way to move fast in a professional setting is to take your time. Slow down, and do the job right, and try not to look through rose-tinted glasses. Saying perfection doesn't exist isn't necessarily buying into mediocrity; organisations should strive for whatever their 'perfect' may look like through continuously improving and maintaining their CMDB. Perfection is a process rather than a steady state.

‍

In certain instances, not having a CMDB has proven to be catastrophic. In 2017, the publicly funded healthcare system in England – known as the National Health Service(NHS) – suffered a ransomware attack titled WannaCry. This attack brought the organisation to its knees overnight. The NHS cancelled some 20,000 medical appointments, locked down hundreds of computers, and closed five emergency centres. Losses from WannaCry were estimated to be around $174 million.

The NHS identified that the proverbial back door was left open by an asset owner who had failed to update their Windows OS. Because of this simple vulnerability,the hackers had found a way into NHS's environment. Unfortunately, by the time there was knowledge of the attack, the IT security managers within the NHS had no idea which department the machines were located in, what software they were running, nor where they were physically located. Despite identifying the problem relatively early on, they could not fix it.

There are many examples of similar catastrophic hacks, outages and consequent lengthy down times are all over the Internet and social media – and the numbers of stories are increasing. Network downtime is good for neither the business nor for the user experience – and any prolonged outage can cause a failure in operations, sometimes proving fatal for an organisation.

‍

What is a CMDB?

‍

ITIL 4 defines a Configuration Management Database (CMDB) as a database used to store configuration records throughout their lifecycle. The CMDB also maintains the relationships between these configuration records. A configuration record is a record containing the details, as well as the lifecycle of a configuration item (CI). Configuration records are stored in a configuration management database as a CI. A  CI is any component that needs to be managed to deliver an IT service.

‍

The Service Quality Strategy

‍

Firstly, the CMDB is a big beast, so organisations must recognise what they plan for. Not having a plan means you plan to fail. Start by defining what their CMDB should look like relative to your organisation—acknowledging that not all organisations have the same:

‍

1.       Budget;

2.      Skillset; or

3.      Resources.

For instance, a Fortune100 company will likely have an abundance of all three compared to an organisation with 2,000 employees and only 100 people in IT. Each will operate on different economies of scale.

When defining your stance in relation to the above, it is important to link it to outcomes that will deliver value to the organisation. Unfortunately, too many organisations blindly build out their CMDB without understanding what problems they are trying to solve and the inherent value that follows. Do not just focus on the technological aspects of the CMDB; remember to consider people, processes, and services (user journeys) when developing your plan.

The first step after defining your plan is establishing the people layer. This involves creating a configuration control board (CCB) and, importantly, gaining executive buy-in. The CCB will provide leadership, managerial oversight, and a decision-making process to ensure that the CMDB continues to drive value according to the organisation's investment and desired outcomes. Again, this is relative - in some cases, this may only be one person, in others, it could be multiple. It all comes down to your organisation.

With established governance and an approved CMDB design plan, the following steps include populating the CMDB and implementing the processes and technology required to keep it updated and accurate. 

We advise that customers focus only on approved customer journeys. Start small, and progressively work your way up instead of going with a big bang approach. We usually start with a single CI type and only import attributes deemed critical in support of the user journeys and ignore collecting attributes that are not. This initial CI will become the template for other CI types (process-wise, not the data captured).

From a high level, we have broken the approach into the following steps:

1. Governance and Design - Start by creating a governance layer or CCB that will oversee your CMDB, including the overall design.
2. Start Small (MVP) - Start with a single CI type, generally the most used CI or the one with the most information aligned to customer journeys. Focusing on these prioritised customer journeys is the quickest way to realise value. Remember, slow is smooth and smooth is fast.
3. Identify the data required, not the data available - Discovery tools have a plethora of information available; however, not all information is needed. Only focus on what is necessary to meet business needs. Identify the fields you need to facilitate your CMDB instead of simply importing everything at once. 
4. Static feeds of data – Import a one-off export of the data from the external system. Understand the look and feel of the data within the CMDB.
5. Automate data feeds - By utilising APIs, webhooks, direct database connections, CSV imports, and more, organisations can automate the process of populating and updating CI attributes with little to no human intervention. Often there is little need to invest in additional tooling with this step. We've found that on average, organisations will have 5-8 tools they may already provide this data in their ecosystem.
6. Cleanliness - Once the data has been collected, special attention should be paid to ensuring consistency, completeness, and correctness. Remember, if you collect it, it needs to be maintained; otherwise, the data will become obsolete. Obsolete data is often a key factor contributing to distrust in and lack of use of the CMDB.
7. Build CMDB into other process workflows - Integrating your CMDB into your Incident, Problem, and Change Management processes provides better control and insight over your assets – as well as complimenting other ITIL flows.
8. Rinse and Repeat - Repeat steps 3 to 7 for other CI types in order of priority, ensuring they align with approved customer journeys and provide business value. 

Review your feedback loops for valued comments as your organisation embraces the CMDB. Consider soliciting feedback from heavy users through interviews or focus groups. Leverage this feedback to make necessary adjustments; if positive, promote the comments with your stakeholders, build excitement, and solidify their support with the "wins." 

If less than favorable, step back and assess to determine the underlying contributing factors and make the necessary adjustments through redefining User Journeys. 

‍

How can my Organisation Benefit?

‍

Successfully using a CMDB brings over several valuable benefits to your organisation. A robust CMDB can achieve the following:

1. A bird's-eye view of your all IT infrastructure.
2. Information is power; a CMDB gives executives and relevant stakeholders access to information they need to     make informed decisions about your organisations IT infrastructure.
3. More proactive around specific ITIL processes, including Incident, Problem, and Change Management.
4. Effectively manage risks by tracking any change or CI upgrade effect on the overall IT environment.
5. Better governance across who is touching what in your IT environment.
6. Create better insights for your customers, leading to an increase in service satisfaction.
7. Manage vendors, their contracts, and associated SLAs all through a single pane of glass.
8. Helps fight cybercrime and shadow IT.

According to Gartner, it takes about three attempts for organisations to implement a successful CMDB. Many try to boil the ocean, fail to maintain accurate CIs, invest too much in tooling, and overlook the people and process layers.

This often cultivates the perception that the CMDB is an unattainable entity; this is simply not true. A CMDB is an easy project to undertake with the right approach and the correct implementation. Learn more about how Service Quality is helping leading Australian businesses change the way they think, implement, and continuously improve Service Management.

About Service Quality:

Founded in 2007, Service Quality survives on a simple but powerful idea: empower you to do more with your Service Management and Security solutions. With cutting-edge support and award-winning security and service management practices, you can be sure that Service Quality will help maximise your Service Management investment. Today, hundreds of thousands of users rely daily on Service Management and Security solutions designed and implemented by Service Quality to make their work flow.

‍

Written By: Angus Kenny - Director of Enterprise Solutions

‍

References:

1. https://www.axelos.com/getmedia/5896d51f-ab6c-4843-992b-4f045eab0875/ITIL-4-Foundation-glossary_v0_22.aspx
2. https://www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/

‍