About Gene Kim

I'm the multiple award-winning CTO, Tripwire founder, Visible Ops co-author, IT Ops/Security Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Visible Ops

What fewer people know about me is that one of my areas of passion has been studying high-performing IT organizations. This journey started in 2000, when I started keeping a list of people that was called “Gene’s list of people with great kung fu.” These were the people who led IT organizations that talked, acted and worked differently than everyone else. But most importantly, those IT organizations all had phenomenally better performance than the typical IT organization.

After years of study, we called these organizations the “high performing IT organizations that were simultaneously achieving the highest IT service levels (e.g., MTTR, MTBF, change success rates, etc.), the earliest integration of information security into the software/service development lifecycle, the best posture of compliance (e.g., fewest number of repeat audit findings), and amazingly, the best IT efficiencies (e.g., server/sysadmin ratios).”

We had studied 11 high performing IT organizations, which included a bank, a stock exchange, a wireless billing service, a domain name service provider, and two IT service providers.

I started working with Kevin Behr to understand how these organizations made their “good to great” IT transformations, and codified this transformation in the Visible Ops and Visible Ops Security books, which have sold over 150K copies. And in the process, we co-founded the IT Process Institute, to develop and disseminate the practices.

We had several goals in mind when we wrote Visible Ops:

Prescriptive

  • Process frameworks, such as ITIL, are basically an exhaustive list of IT processes, given without order or priority. The problem is, organizations don’t do process frameworks: they do projects.
  • Our goal was to describe the four projects required to implement and operationalize the controls observed in high performing IT organizations.

Ordered

  • The four Visible Ops phases are ordered and sequential. In other words, organizations complete them in the specified order, because each successive project depends on the controls activated in the previous phase.

Catalytic

  • Each of the four Visible Ops phases is designed to activate only controls that are “catalytic.” In other words, they generate more calories on an ongoing basis than were required to create them (e.g., if a control required 100 calories to create, then it should deliver more than 100 calories back to the organization on a weekly basis).
  • Those controls that don’t have a catalytic property are the ones that get a reputation of “sucking the will to live out of everybody they touch,” such as poorly run change management processes.

Top Things You May Not Know About Visible Ops:

1. When we first studied the high performing IT organizations, we noticed something unusual. The people leading them typically came from one of three backgrounds. They were either a non-commissioned officer in the military (usually E-5s or E-6s), they were chemical engineers, or they were auditors.

We then started asking, “what values do these three professions have in common?” And the answer became obvious. They valued rigor and discipline.

Non-commissioned officers give live ammunition to 18-year-olds. This became even more remarkable when I learned that in restaurant operations, management often doesn’t even like giving knives to 18-year-olds, because the accident rate is so high.

Chemical engineers have long, elaborate and ordered recipes, where an endothermic reaction can become catastrophically exothermic if steps are mis-ordered.

And auditors? Well, they love almost any control.

2. Here’s a graph that we generated in 2000 that made us fall out of our chairs, because it indicated that there really was measurable business value in being a high performing IT organization.

  • First, let me describe what this graph shows. On the Y axis is the scale of the IT systems under management, as measured by number of servers. On the X axis is the server to system administrator ratio (i.e., the number of system administrators that are managing those systems).
  • What we found was that the high performers had a server/sysadmin ratio 4x higher than the non-high performers. Specifically, they had server/sysadmin ratios of over 100:1, where average organizations had server/sysadmin ratios of 15-25:1.
  • The provocative conclusion was that controls were not only required for great service levels, but also yielded efficiency advantages, as well! In other words, controls gave you effectiveness and efficiency.