COBIT 5 is Dead, Long Live COBIT 2019
Hopefully I’m not alone in thinking that COBIT – “a framework for the governance and management of enterprise information and technology (I&T), aimed at the whole organization” – is not as popular in IT service management (ITSM) as it could, and should, be. Well, things might be about to change because ISACA has released a new version of COBIT– with COBIT 2019 replacing 2012’s COBIT 5 (although ISACA will continue to support organizations in their use of COBIT 5).
This blog looks at what’s changed in COBIT 2019 but not before a quick journey through what COBIT is, how it helps organizations, and the current level of adoption in ITSM scenarios.
COBIT 101
My real “COBIT 101” is a blog that can be found here. But, if you’re short on time – and who isn’t these days – here’s my elevator pitch (we’re in a skyscraper here though):
“COBIT (formerly also known as “Control Objectives for Information and Related Technologies,” a name that was dropped with version 5) is a good-practice framework for IT management and governance created by the international professional association ISACA.”
And to steal from my previous COBIT 101 blog: COBIT complements ITIL and other ITSM best practice methodologies by providing a practical framework on which to base governance as well as a maturity model to facilitate continual service improvement (CSI). And organizations can use COBIT to support a variety of needs, including:
- Keeping IT running
- Value optimization – increasing business value and reducing business risk
- Cost management
- Mastering complexity
- Better aligning IT with the business
- Meeting regulatory compliance
- Increasing the maturity of other standards and best practices
- The need for benchmarking
As to how this is achieved, or will be achieved with the newer version, the early messaging about COBIT 2019 states that it:
“…defines the components to build and sustain a governance system: processes, policies and procedures, organizational structures, information flows, skills, infrastructure, and culture and behaviors. These were referred to as “enablers” in COBIT 5.”
COBIT Adoption Levels for ITSM
COBIT has so much potential for ITSM. However, I remember writing a blog earlier this year which reported that COBIT is only the twelfth most popular approach used by IT service desks according to the 2017 HDI Technical Support Practices & Salary report.
The more recent, 2018, version of the HDI report (it can be found at the same link) now shows COBIT in eleventh place albeit with a drop in usage to just 14% of IT service desks versus 71% for ITIL.
I appreciate that this is only the IT service desk view of COBIT adoption in ITSM but for me it’s indicative of the gulf that has been created in ITSM between ITIL and other approaches (not just COBIT). Importantly, however, it’s not an either-or situation – COBIT is marketed as guidance that’s complementary to ITIL best practice.
Renowned industry luminaries Rob England (the IT Skeptic) and James Finister have long been advocates of the practical, “how to” focus of COBIT over ITIL. But, despite such endorsements, for whatever reason, COBIT has continued to struggle to significantly win the hearts and minds of ITSM pros as part of its stated audience of enterprise executives and consultants in:
- “Audit and Assurance
- Compliance
- IT Operations
- Governance
- Security and Risk Management”
Hopefully though, a refreshed investment in marketing – around COBIT 2019 – will now generate more interest in, and understanding of, how COBIT will help ITSM pros.
What’s Changed in COBIT 2019
I’m writing this before reading the new-version publications (they weren’t available at the time of writing but I’ll definitely write something about them). I’m therefore a little – okay, significantly – light on the detail right now, basing this blog on what has already been publicly communicated by ISACA.
The pre-launch messaging states that the COBIT 2019 update improves COBIT across the following eight areas:
- It better addresses the importance of I&T governance for the enterprise. With COBIT’s governance-based guidance helping organizations to achieve benefits realization, risk optimization, resource optimization, and business and IT alignment for the enterprise.
- It addresses new trends in technology. For example, DevOps and Agile development, cloud, service integration and management (SIAM), and the Internet of Things (IoT).
- It’s more up to date, with latest standards and working methods. With referencing and alignment to concepts originating in other sources. In this context, alignment means: COBIT 2019 does not contradict any guidance in the related standards, does not copy the contents of these related standards, and provides equivalent statements or references to the related guidance.
- It provides greater flexibility. The COBIT Design Guide helps COBIT content to be tailored for each organization’s and each user’s particular needs and context.
- It introduces focus area concepts. These are certain governance topics, domains, or issues that can be addressed by a collection of governance and management objectives and their components. For example: small and medium enterprises, cybersecurity, digital transformation, and cloud computing. Thanks to the various permutations, this makes COBIT 2019 “open-ended.”
- It’s perceived as more prescriptive. Frameworks such as COBIT can be descriptive and/or prescriptive. The tailored COBIT governance components can be perceived as a prescription of how to set up a customized governance system for I&T.
- It’s a better instrument to manage performance of I&T. Because the COBIT performance management model is integrated into the conceptual model.
- It adds a new online collaboration feature. Via this “open source” approach, future updates will be recommended by COBIT users, vetted by a COBIT Steering Committee, to help ensure timelier updates.
Interestingly, as well as describing what COBIT 2019 is, the early ISACA messaging also states what COBIT 2019 isn’t. In my experience, it’s an approach that can be beneficial in aiding understanding and managing expectations. This is aimed at clearing up some misconceptions about COBIT, such as COBIT 2019:
- “Is not a full description of the whole I&T environment of an organization
- Is not a framework to organize business processes
- Is not an (IT) technical framework to manage all technology
- Does not make or prescribe any IT-related decisions. For example, it does not answer questions such as: What is the best IT strategy? What is the best architecture? How much should IT cost? Instead, it defines all the components that describe which decisions should be taken, and how and by whom they should be taken.”
As to the detail of COBIT 2019, you’ll have to wait until I get my grubby little hands on copies of the core publications. In the meantime, however, I’d love to hear your experiences with COBIT – what worked, and what didn’t? Plus, whether you’re interested in taking a first, or repeat, look at the potential of COBIT 2019 in light of the new version. Please let me know in the comments.