Change, Configuration and Release Management... these are not ordinarily the tools that the "Blue Team" (the corporate defenders) work with, or are strong proponents of. In fact, while CISOs continue to focus on adopting new niche tools it's often the things they already possess in the enterprise that could make the biggest difference in corporate security posture.
Consider this, your enterprise environment is more dynamic than ever, and I'm not just saying that because you already know it's true. Whether you're struggling with existing infrastructure in a "traditional IT" sort of shop, or you're trying to modernize and keep up with the Joneses enterprise change is likely to be the only constant. If you're in one of those "revolutionize IT" sorts of places you're likely completely lose without strong CCRM.
It's almost shocking how many CISOs have absolutely no representation on the change review board in the enterprises out there today. What's even more shocking, and seriously alarming, is how many enterprises have no change review boards at all. How can you effectively manage when you have no earthly idea what's going on minute-to-minute. Of the last 10 enterprises I've spoken to the first question I've asked is "What does your change review and release process look like?" and the answers should shock you. Of the total of 10 CISOs, 4 CISOs believe their enterprise has no centralized, formal, change, configuration and release management process. Additionally 3 CISOs know that a process exists but aren't invited to the table, 2 CISOs have a representative who sits on change review boards but don't have veto power, and a whopping 1 out of 10 of these CISOs belongs to an enterprise which has a strong central change review board and process, while allowing a representative from Information Security & Risk Mgnt a full stake (with veto power) on that board.
Now, this is not a representative sample of the industry as a whole, obviously, but it's telling me something I've already suspected for a while. We as an "Information Security" organization are failing at the basics, and I'm not even convinced many of the leaders who run information security teams understand or have the will power to get into those basics.
If you've ever tried to get into the configuration, change and release management process in your enterprise you may already understand why many of your peers have given up on trying. Where these processes exist they're difficult and painful. The reason they are often ad-hoc and powerless is that they've evolved over years as unwieldy processes that take weeks to get a change approved, leading to "emergency escalation" procedures. In a previous organization I worked in, this quickly led to everything being an emergency and bypassing the review board which over a period of about 2 years led to the complete and utter decimation of the review board and it's power.
If you're struggling with relevance, and don't have a strong change review process in place here are some tips that may help:
- Ensure CCRM board attendance is mandatory for all heads-of-department
- Make sure your CCRM process is nimble, and easy to work with
- Ensure that "emergency" change options are available, but require high-level approval
- Make sure you're holding people accountable for changes (when a change fails they are part of triage)
- Ensure you're closing the loop on changes, recording metrics of in-process vs. out-of-process changes, successful vs. failed, etc for reporting
Configuration, Change and Release Management is crucial to being an effective information security organization in an enterprise large, or small. If you don't have a handle on the rate of change in your enterprise, you have absolutely no hope of effectively securing anything. In a situation where you're not effectively managing and monitoring change, you're playing whack-a-mole ...and probably scoring pretty poorly.
Good luck! If you have a CCRM story you'd like to share for a future installment of this series of posts, please leave me a note... or chat with me on Twitter using the hashtag #SecBiz... and don't forget to leave your Twitter handle in your comments!
Cross-posted from Following the White Rabbit