Simply creating Privacy, Security, and Compliance strategies and policies is not enough to ensure that your company's or your customers' interests are protected. Governance and oversight are needed. Studies from Gartner, Forrester, IDC and others have found that the major cause of outages (between 75% and 85% of the time, depending on the study) is people. Security breaches, Privacy issues, and non-compliance with regulatory agencies fall into that same category. The causes range from carelessness, to someone circumventing proper processes, to perceived "nimble" behavior, but regardless of the cause, the end result at a minimum is costly downtime. In a worst-case scenario, the damage to the company's reputation and the harm to the company or its customers can have long-lasting and serious repercussions.

Effective Service Management practices have always included Security. Compliance and Governance have historically played a role in risk mitigation as well. Privacy is a newer concept but one that is extremely important when we think of Operational practices involving both Public and Private Cloud infrastructures.

In fact, it can be argued that although Privacy, Security, and Compliance are important in on-premises infrastructure deployments for a company, they become critical when that same company begins to move that infrastructure to the Cloud. If that company is also holding information for other companies or individuals, these concepts become paramount because a breach could mean lawsuits and potentially devastating losses for all parties.

So, how does effective Service Management enable Privacy, Security, and Compliance? Well, although Service Management encompasses process, lifecycle phases, functions and a myriad of other acronyms, it really boils down to this: Service Management provides the tools, processes, and structure to allow for the enforcement of policy.

The first step for an organization is to create policies around Security, Privacy, and Compliance. Of course, these policies and associated strategies must define appropriate targets and measures so that business objectives can be guaranteed through adherence to the targets.

The role of Effective Service Management then is to define appropriate control processes that ensure adherence to these policies. Once these control processes are established, effective controls and measures ensure that personnel and applications act within the definition of the policies.

The adage "what gets inspected gets respected" is part and parcel of good Service Management practices. Effective processes not only measure and report on breaches or potential breaches, but they also define and drive proactive steps to keep breaches from occurring in the first place.      

A great Service Management implementation places enough of a boundary around day-to-day activities that each employee is comfortable within these bounds, and each policy is enforced, yet not so rigid that it becomes cumbersome or easily skirted. The first question any company I have ever consulted for asked was "where do I start?" This is usually an easy answer. Since roughly 80% of the downtime, security issues, privacy problems, or non-compliance originate with people, it is safe to assume that the reason is that people change things.

It makes perfect sense then that simply getting a handle on Change Management would drive a good portion of that 80% down. In fact, in his book "The Visible Ops Handbook", author Gene Kim suggests 4 phases of moving from good to great. Phase 1 is getting a handle on Change Management.

Change Management is a clear starting place, but effective Configuration Management, Incident and Problem Management, as well as a clear definition of roles and responsibilities all play a key part in fulfillment of an organization's Privacy, Security, and Compliance strategies.

In the end, it is simply not enough to define strategies and policies. The real "meat and potatoes" of how a company makes these real is through effective Service Management practices.