Change Management and Process Improvement

Monday, December 19, 2011

Rafal Los


Getting Information Security Back to Basics - Change Management & Process Improvement

Recently my media team suggested I pose a question to my Twitter followers to "ask me anything HP security related"... for a live "from the conference" webcast we were going to do.

I got the usual softballs on HP Enterprise Security products, services and strategy... but like clockwork I got one that was really difficult to answer off the cuff. 

If you follow the broader security community on Twitter, you probably already follow my friend @ChrisJohnRiley and know he's a snarky Austrian to begin with, but when given the opportunity to stump me he couldn't pass it up.

I'm willing to bet there are a fair number of you out there who are going to read Chris's question and say to yourselves - "I was thinking that too"... which is only fair. So what was the question that prompted me to write an entire blog post, you ask?

It went something like this:

"Why should companies spend money on vendor products when what they need is better processes and basic hardening?"

Well Chris, let me answer that in multiple parts.

First off, your question seems to imply that you feel there is a mutual exclusivity between the very fundamental problems you see organizations facing and purchasing products/services from vendors. 

I don't think this is the case at all. In fact, I believe helping our customers develop better processes and basic hardening is what our Enterprise Security Services business is focusing on.

That being said, this isn't exclusive to our services (or for that matter, any company's services) businesses.  Your question was worded towards vendor products; however, for many vendors that are strictly services based, consulting is the 'product' per se. 

Continuing along that thread, building stronger (better) processes requires good software, no matter how you stack it.  You simply can't have great process management that relies on spreadsheets - it's not operational, it won't scale, and won't survive your promotion. 

Now, I'm not saying that you have to spend a million dollars on software to improve your processes, that simply doesn't track - but many organizations that I've worked with in the past 3 years struggle, at their core, with change management as a broken process. 

I don't know of a bigger detractor to security than a broken enterprise change management process... whether you work for a million node global corporation, or a company with 100 laptops and an outsourced IT - poor change management will be the death of your security posture, period. 

There's no denying that improving change management requires fundamental grounding in things like ITIL, and other sound change management principles... but more than that it requires a way to manage change in some sort of scalable, organization-wide framework. 

Again, your solution to poor change processes which hinder security needs to be a piece of software that is accessible by the right people, at the right time, with the right information - and allows them to do the tasks (and only those tasks) which they are authorized to perform within the change management capabilities. 

This is a sound ITIL change management process... but it requires great software which in all likelihood won't be free.  So here you may have to spend some money on process - but it's not necessarily on security tools... but rather on technology like change management software that integrates change management with your traditional security controls, dashboards, and SIRM (Security Information and Risk Management) platform.
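To make the "right people, right time, right information, only authorized tasks" requirement concrete, here is an added example (my own illustration, not code from HP or any change management product) of the minimal authorization logic such a tool enforces: role-based task permissions, separation of duties between requester and approver, a change window, and an audit trail of every attempt. The roles, the 22:00-04:00 window and the `at()` clock helper are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical role model: each role may perform only the listed tasks.
ROLE_TASKS = {
    "requester": {"submit"},
    "cab_approver": {"approve"},
    "implementer": {"implement"},
}
# Hypothetical change window: implementation allowed only 22:00-04:00.
WINDOW_START, WINDOW_END = 22, 4

@dataclass
class Change:
    cid: str
    description: str
    submitted_by: str | None = None
    approved_by: str | None = None
    implemented_by: str | None = None
    audit: list = field(default_factory=list)   # (when, who, task, ok, reason)

def _may(roles, task):
    """True if any of the user's roles is permitted to perform task."""
    return any(task in ROLE_TASKS.get(r, ()) for r in roles)

def at(hour, minute=0):
    """Constructed clock for the example: a fixed date at the given time."""
    return datetime(2011, 12, 19, hour, minute)

def perform(change, user, roles, task, now):
    """Apply task to change on behalf of user; return (ok, reason).
    Every attempt, allowed or denied, is appended to the audit trail."""
    ok, reason = False, ""
    if not _may(roles, task):
        reason = f"{user} holds no role permitted to {task}"
    elif task == "submit":
        change.submitted_by, ok, reason = user, True, "submitted"
    elif task == "approve":
        if change.submitted_by is None:
            reason = "nothing to approve"
        elif user == change.submitted_by:   # separation of duties
            reason = "requester may not approve their own change"
        else:
            change.approved_by, ok, reason = user, True, "approved"
    elif task == "implement":
        in_window = now.hour >= WINDOW_START or now.hour < WINDOW_END
        if change.approved_by is None:
            reason = "change not approved"
        elif not in_window:
            reason = f"outside change window at {now:%H:%M}"
        else:
            change.implemented_by, ok, reason = user, True, "implemented"
    change.audit.append((now.isoformat(timespec="minutes"), user, task, ok, reason))
    return ok, reason
```

The denied attempts are logged alongside the allowed ones, which is what lets the audit trail feed a SIRM dashboard rather than just record successes.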

Now, as far as "basic hardening" goes... I agree this is desperately needed as well.  Absolutely, undisputed.  Here's the gotcha... Try and go do basic system, network, or application hardening manually in today's complicated IT environment - even in a small company. 

See, 'basic hardening' sounds simple. Just make sure you apply consistent patches across all your boxes - servers and workstations... and tablets, and smart-phones and what-not... oh, and don't forget all those cloud platforms, right?

Look, even in a relatively small shop you've probably got >100 system devices, >10 network devices... and that also means you have significantly less manpower to do the job. This problem of scale means you need automation - or at least some tools - to help you keep your environments sane and 'basically hardened'.

Let's not even take this to the typical enterprise level where the idea of basic hardening takes on a level of scale only automation can touch.  Now ... let's talk cloud and mobile devices ...or maybe let's not because the story (at least, without sufficient technologies from vendors *gasp*) goes horribly badly.

Look, it's easy to say we need to return to basics - I say it in nearly every one of my talks.  You can't just shut out your vendors though... otherwise you're left with manually trying to re-invent the wheel every time and while there are brilliant people throughout IT out there, there just aren't enough of you to invent a new wheel in every single company - trust me, this is a fact.

I'm not saying every vendor out there is worthy of your money, and I'm not even saying trust my sales teams implicitly.  I want HP to earn your trust.  I want you to be able to know that when you have an issue, big or small, you can call someone from one of our many business units who will offer honest advice, industry experience, and a helping attitude... if not I want to hear about it.  I've been in your shoes, for many years. 

In my previous job at a global Fortune 5 every vendor was falling over themselves to sell me their latest and greatest shiny box or widget that we just had to have... I have a list of companies I wouldn't ever do business with even if their stuff was free, and sales people I will never talk to no matter what they're peddling - the point here is that you can't simply throw the baby out with the bathwater.

In the end - the IT Security industry needs to return to fundamentals, but you can't do it without the support of the good vendors out there - the ones who earn your trust every day with honesty, technology and service. 

And remember... If you complain because you hate the car you drive, ask yourself who forced you to buy it in the first place.

Let me know how I can help, I'm happy to dispense advice, war stories, or a dose of honest reality :)  Find me on Twitter, over email or Skype.  'Wh1t3Rabbit' is the handle on all those services.

Take care, until the next episode.

Cross-posted from Following the White Rabbit
