ITIL defines a service as "a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks".

Services have metrics such as:

• First response time averages: The average amount of time it takes for a tech to respond to a ticket
• Ticket close time averages: The average amount of time it takes a service to close an assigned ticket
• Vulnerability findings close average: The number of findings closed during a specific amount of time

So beyond identifying the names of core security services, we need to understand:

1. Who is the customer?
2. What is the service that is being provided to that customer?
3. What is the value that is being brought to the customer as a result of our service?
4. What is the definition of good and bad service?

Knowing this, we can start to see some of the dilemmas that we have in some security services, in that:

• If the intent of the vulnerability management service is to manage vulnerabilities, then the service should have the ability and the authority to manage vulnerabilities:
  • If it doesn't have that capability, then it is only a reporting service where the value of the service is measured by how well and accurately the service reports
• If the intent of the incident response team is to respond to incidents, then the team should have the ability and authority to investigate incidents:
  • If it doesn't have that capability, then it is only a reporting service where the value of the service is measured on how well and accurately the service reports

In smaller organizations, issues like these are fewer, as teams can provide guidance and assistance more quickly than in larger organizations.

The following is a simple process that explains vulnerability management:

The more complex the organization is, the more complex the solution is:

However, the solution for the security service remains the same, just as   is the same as .

The way in which the service provides value may (or may not) be how well the service can evaluate and report on the end-to-end process to create the desired result.