In my last post, I talked about getting beyond “the business of no” in security, to a more effective and thorough approach in which organizations define their objectives, actually implement them, maintain visibility into the environment for consistency with those objectives or activity that could indicate threats, and respond accordingly.
This more mature approach is still not the same as saying “yes” to the business, however. Is that actually possible in security?
Consider a fundamental aspect of building more risk-resilient IT: configuration and change management (CCM). The tools and disciplines of CCM are central to defining a secure environment, and deploying changes such as reconfiguration to resolve security exposures, or patching to address software vulnerabilities.
Having configuration and systems management tools alone is far from enough, however, for making the most of CCM for security. Many organizations define change control processes, and even bodies such as change control boards (CCBs) to govern the management of change in IT. Is this enough?
Not according to high performers identified in EMA research. In our 2008 study of the technologies and practices that had the most positive impact on IT security and the management of a wide spectrum of IT risks, we grouped over 200 respondents based on a number of parameters, including percentages of:
- Security events that caused disruptions to IT performance, availability or resource integrity
- Security events resulting in exposure or leakage of sensitive information
- Unplanned IT work overall
- Planned IT changes that were successful
- IT projects delivered on time, within budget, and with expected features
Other factors in our grouping included:
- Criticality of IT risk management: How dependent is the business on managing risk in IT?
- How active is the IT organization in seeking the input of the business, whether for service delivery expectations or risk management priorities?
Grouping respondents in this way enabled us to identify high, medium and low performers in terms of their management outcomes. Around half emerged in the medium performer category, with about one-fourth each falling into high and low performer groups.
Of particular interest were outcomes in terms of security-related incidents requiring unplanned work in investigation and remediation. We found that high performers reported, on average, roughly half the median incidence of disruptive security events of both medium and low performers. What were the management disciplines that this group emphasized the most?
Configuration and change management was given a high priority by this group – but high performers did more than invest in management tools. In fact, this group was nearly unanimous (94%) in reporting that they did all four of the following:
- Defined their processes for IT change control
- Actually implemented those processes in practice
- Monitored the environment for unauthorized or unexpected change (an indicator of a potential security threat, or other threat to IT integrity or resource availability), and
- Responded by enforcing change controls, or other appropriate action such as event investigation.
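As an added illustration of the four-step discipline above (not code from the original post or from EMA's research), the following Python script models the "check" and "act" steps in miniature: a baseline of configuration fingerprints is compared with what is currently observed, each difference is reconciled against the changes the control process actually approved, and each finding carries the response change control demands. The file paths, contents and the approved-change register are constructed sample data, and the status and action names are assumptions chosen for this example.

```python
"""Constructed example: detect unauthorized configuration change and decide the
response, in the spirit of define / implement / monitor / respond."""
import hashlib
from dataclasses import dataclass


def fingerprint(content: str) -> str:
    """SHA-256 of a configuration file's content; the baseline stores these, not the files."""
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass(frozen=True)
class Finding:
    path: str
    status: str   # one of: authorized, unauthorized, missing, unexpected_new (assumed names)
    action: str   # the response change control requires (assumed names)


def detect_drift(baseline: dict, current: dict, approved: dict) -> list:
    """
    baseline: {path: fingerprint} recorded when the environment was last known-good (define/implement)
    current:  {path: fingerprint} observed now (monitor)
    approved: {path: fingerprint} that the change-control process authorised, e.g. from tickets
    Returns one Finding per path that differs from the baseline, with the response it requires.
    Approved removals are not modelled: a file that disappears is always treated as missing.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        before, now = baseline.get(path), current.get(path)
        if before == now:
            continue  # unchanged: nothing to do
        if now is None:
            findings.append(Finding(path, "missing", "restore_from_baseline_and_investigate"))
        elif approved.get(path) == now:
            # the observed state is exactly what a ticket authorised: planned change
            findings.append(Finding(path, "authorized", "promote_to_baseline"))
        elif before is None:
            findings.append(Finding(path, "unexpected_new", "quarantine_and_investigate"))
        else:
            findings.append(Finding(path, "unauthorized", "revert_to_baseline_and_investigate"))
    return findings


def apply_responses(baseline: dict, current: dict, findings: list) -> dict:
    """Enforce change control: the new baseline keeps only authorised changes.
    Unauthorised edits and missing files keep their baseline entry (i.e. are reverted),
    and unexpected new files are not admitted."""
    new_baseline = dict(baseline)
    for f in findings:
        if f.status == "authorized":
            new_baseline[f.path] = current[f.path]
    return new_baseline


# Constructed sample data: a known-good baseline, and the state observed later.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
    "/etc/ntp.conf": "server ntp.example.internal\n",
    "/etc/hosts.allow": "sshd: 10.0.0.0/8\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # nobody approved this
    "/etc/sudoers": "root ALL=(ALL) ALL\n",                                       # unchanged
    "/etc/ntp.conf": "server ntp2.example.internal\n",                            # approved by a ticket
    "/etc/cron.d/nightly": "0 3 * * * root /opt/unknown/run.sh\n",                # appeared unannounced
    # /etc/hosts.allow is gone
}
BASELINE = {p: fingerprint(c) for p, c in BASELINE_FILES.items()}
CURRENT = {p: fingerprint(c) for p, c in CURRENT_FILES.items()}
# Approved-change register, e.g. exported from ticket CHG-EXAMPLE-1 (constructed identifier).
APPROVED = {"/etc/ntp.conf": fingerprint("server ntp2.example.internal\n")}


def run_example() -> list:
    """Run the check step over the sample data and return the findings."""
    return detect_drift(BASELINE, CURRENT, APPROVED)


if __name__ == "__main__":
    findings = run_example()
    for f in findings:
        print(f"{f.status:15} {f.path:25} -> {f.action}")
    promoted = apply_responses(BASELINE, CURRENT, findings)
    print("baseline entries after enforcement:", len(promoted))
```

The point the script makes is the one the survey data makes: monitoring alone only produces a list of differences. It is the reconciliation against defined, implemented change control that separates a planned change (promote it) from an unauthorised one (revert it and open an investigation), and the same output feeds both the security and the change-success metrics above.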
Remember my last post about how high performers are thorough in pursuing all four milestones of the Plan – Do – Check – Act philosophy?
This comprehensive and systematic approach to configuration and change management not only supports security, it also reduces variability and instability in IT, improving the reliability and consistency of IT services – fundamental precepts of quality management.
This points to the value of configuration and change control beyond security. Not surprisingly, these high performers excelled in other ways as well. They also had:
- Lower incidence of unplanned work
- Higher percentages of successful planned changes
- Higher numbers of IT projects delivered on time, within budget, and with expected features
- Generally larger ratios of servers to system administrators, suggesting the value of management automation in these organizations.
In other words, they delivered IT that is more responsive to the business not only in terms of more effective security, but also in greater efficiency and reduced waste through reduced unplanned work, successful IT change, and better project performance.
You may also recognize in these high performers evidence of the Visible Ops approach to defining more efficient, more effective – and more secure – IT.
Who says better security can’t mean saying “yes” to the business?
Note that while this approach to change control can deliver real benefits in the data center, managing change on the user endpoint poses a substantial challenge all its own. Nor does “monitoring” mean simply watching for events your systems can already detect. We’ll tackle these topics in additional posts down the road. Stay tuned!