It’s time for IS Service Management

IT Service Management (ITSM) is nothing new to the Information Technology realm. I propose now is the time to apply Customer Service (Service Management) to Information Security programs.

According to a study by, ITSM improves the internal users experience, improves governance, and operations. Businesses that implement an ITSM program benefit in areas that are also prudent to an Information Security program.

Benefits of adopting my proposed ISSM include; one central location for reporting and requesting security services, tracking security incidents, requests, services, and the key factor to my proposal, moving the security department from a historically business inhibitor to a business enabler.


Just as the IT Service Desk captures data that quantifies business decisions, collection of Security data provides that same opportunity. Tracking trends, incidents, and requests builds the information required to provide actionable strategy decisions, staffing, priorities, and budget forecasting.

Providing a single point of contact to request, and report security requirements simplifies the process for end users. Simple, automatic, and easy increases the chance your staff utilizes the solution, and your security program. Most ITSM applications (ticketing system) are already suitable to build ISSM into them.

Security often appears to inhibit business, provide no revenue, and seen as the “NO” department. The key concept to my ISSM is to instill in the Security staff strong customer service skills, and the customer service mentality. The security staff learns to change their thought process to enable the business, and assist the business in meeting the business goals while guiding them in reducing risks, and reaching desired outcomes in the safest way possible.

Key Success Factors

The top factors of success of ISSM have little to do with Security or technology. Understanding the goals of your business, what success looks like for the business units, strong customer service skills, an enabling attitude, mentoring, coaching, training, and communication skills are at the core of the ISSM.

Finally a team that embraces the ISSM concepts, supports the ISSM program, and constantly looks for improvements serves as the deciding factor of success. Without a strong Army behind the General, one cannot win the war.

Think back to a time you received excellent customer service; you felt comfortable, you understood what was happening, why it happened, and how you are going to get to your desired outcome. With Information Security, this does not have to be any different.

Real World examples

If you have ever worked with me, or for me, you know I love to brag about my team at every opportunity. With this article I get to do this again. My real world examples come from my current IS team, and the ISSM approach to our program.

Our team has increased our Security Assessment efforts, and our Architects implemented processes that are new to the business. Through their efforts of applying our ISSM concepts these changes are embraced, welcomed, and gained greater collaboration than ever before.

The governance, compliance, and audit efforts of our program is also under the maturity process. Through our ISSM efforts, communicating our many initiatives, and process improvements to the audit/compliance and audit program has been met with success, and compliments.

Our ISSM concept also increased the collaboration between developers, techincal architects, and entities, that in the past, hardly talked; if at all. The overall feedback from everyone is happy, comfortable business partners that further result in an improved Security posture for the business.


I intended this article to serve as a high level overview of my ISSM program. If you would like to learn more please reach out. I encourage your feedback, and thoughts. If there is enough interest than the possibility that I will expand this to a full book is not out of the question.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.