Home �   ITIL�  Index

The Perils of the CMDB

Oct 22, 2008

George Spafford


A fairy doesn’t appear at 2 A.M. in the data center and magically change configurations and move equipment. The fact is that someone made those changes and it is to everyone’s benefit to understand why. Simply pumping the changes blindly into the CMDB with autodiscovery is a recipe for disaster.


You may wonder why this is the case. Let’s think about it for a moment. If an IT service were perfectly designed and implemented then, when a service went into production, no changes would be needed. The reality is that there are many reasons that changes will be needed ranging from responding to business needs, security patches, technical issues, etc.


We also know that 70% to 80% of network availability issues stem from human error. We need change management to ensure that risks are properly managed and that the CMDB can aid everyone to understand what has changed and why. We can drive down MTTR by enabling resolution teams to more efficiently and effectively answer the question “What changed?” and the answer and background data will ideally come from the CMDB.


If we just use an autodiscovery tool to load all detected changes into the CMDB we risk not knowing why a change transpired and if it was properly authorized, an error or something malicious in nature. Thus, even with autodiscovery, there must be a process that governs its use to make sure that risks are appropriately managed and that the CMDB correctly reflects the current state of the environment.


In summary, beginning an ITSM effort with the implementation of a CMDB because software was purchased is a very perilous path as there is no guarantee the software will meet the needs of the organization. Furthermore, without proper processes the investment is liable to be a tremendous waste of time. To make a broad generalization, organizations seeking to begin their journey are strongly urged to begin with change management or the combination of change management and configuration management. This will ensure that risks are managed, updating of the CMDB is governed and the organization truly benefits.


George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.