ITIL Expert for a security specialist

This will be one of the few posts not related to cybersecurity. It will be about the experience of passing the ITIL Expert exam. In fact, there is no such exam, but the title is awarded only to those who passed 7 others. You can find all the details at, and here I will tell you more about the process:

1. In principle, the beginning of the journey can be considered the summer of 2011, when I passed the basic ITIL Foundation exam, which I was encouraged to take simply by interest and the desire to invest my available free time effectively. By the way, most security specialists who position themselves as pros in the best practices of ITSM have stopped at this stage (however, some of them don’t even have this);

2. The second stage was the decision to start training and actually starting it, for which the following motivators inspired me: 1) ITIL Expert is one of the few high-level certificates that do not yet comply with ISO 17024 (i.e. no CMU\CPE and other points that constantly need attention); 2) I have not found holders of such status in the CIS among security specialists (the certificate will help me stand out from the general mass); 3) ITIL is not only used in both my and my colleagues' daily work, but it is also the foundation for one of the projects in which I participate; 4) the learning project promised to fit in my personal budget for 2012 (in 2012 it took ~$4k, another $250 in 2011 — i.e., this pleasure is not cheap);

3. In 2012, training began in the second half of June and ended in October 2012. There had to be 6 exams, but there were 8 (because I failed 2 of them, so the overall success rate was 75%). Both failed exams were taken after 22 o’clock and during a period of increased load at work. Maybe that was what affected the performance…

4. I didn’t just write about training (not just exams), because passing it requires a certificate of training (~$2k online — my version — OR ~$6k + ~19 days off the job — full-time). I cannot say anything bad about accredited online training. There were all kinds of things: strict requirements, support tools, reminders about the possibility of consultations with the teacher, and test exams… Well, if I had followed 100% of the course guidance, I would probably not have failed a single exam.

5. I chose the Lifecycle path, as the Capability path seemed more confusing and unclear to me (for example, the 5 Lifecycle certifications are tied to specific books of the ITIL body of knowledge, but the Capability certification contains “mixed” knowledge from different books).

The benefits were supposed to be the following:

1. Increased communication efficiency with other parts of IT — it was delivered.

2. Increased credibility in the organization — it was delivered.

3. A change of perception in the labor market — not so much, because it is a rare Russian organization that cares about excellence in cybersecurity processes.

4. Increased personal effectiveness for IT transformation projects — it was delivered.

In general, I can recommend the course, but only for those specialists who are thinking about a career in management. Architects\experts should think more about general process methodologies like IDEF\Rational Rose, and security engineers don’t need ITIL higher than the ITIL Foundation. In fact — ITIL itself stresses the need for a clear description of processes, roles and responsibilities in the “Operations” domain, so if a competent process architect is present, the engineer does not need ITIL at all ;)