• CIO.in
• White Papers
• Creating a Culture of Change Management

The Greeks knew long ago that it is impossible to step into the same river twice. Fast-forward from ancient Greece to our technology-driven century, and change occurs so rapidly it is difficult to manage. Managing change is one of the most difficult challenges that IT organizations face, and to effectively support and facilitate enterprise business goals, IT must also continually change. Sometimes these changes are significant, as in upgrading a network. Some changes are almost imperceptible, occurring without fanfare as services evolve and underlying IT infrastructure is maintained.

Infrastructure Complexity Magnifies the Impact of Change
While planned, authorized changes have obvious benefits to systems or users, unknown and even imperceptible changes can result in serious negative impact to IT systems and processes. IT organizations are responsible for a complex structure of "systems of systems,"all of which must work together to deliver quality information and communication services. Each "service" requires a specific, integrated "stack" of systems-such as applications, databases, middleware, directory services, operating systems, and networks-in order to successfully deliver a set of functions or processes. The unique behavior and state of each system in a stack is determined by a multitude of elements, such as file systems and their attributes, configuration settings, users, and permissions. This complexity means that changes in the IT infrastructure can potentially affect every part of a business operation, posing various degrees of risk to the enterprise. For example, an unauthorized change to firewall settings can result in serious vulnerabilities that not only threaten data and disrupts revenue-generating services, but that can also imperil compliance with regulatory requirements.

Instilling Change Controls
Change must be controlled to mitigate the inherent risk to IT's compliance, service quality, and security posture. Indeed, national and local laws, as well as private contractual arrangements, demand that organizations deploy effective controls on their IT infrastructures. One form of control is developing change management processes. These processes are often based on best practices, such as the IT Infrastructure Library (ITIL), and supported by an array of system management techniques, tools, procedures, and policies that together help define the organization's change management process.

Having processes in place is not enough, however. Change management policies and controls must be systematically evaluated and enforced. If they are not, companies experience:

• Control deficiencies that can result in poor audit findings, potential fines, and other disciplinary measures
• Difficulty and higher costs to prepare for audits
• Service outages, unplanned work, and delayed delivery of strategic projects resulting from unauthorized and undocumented changes
• Increased risk and security vulnerabilities
• A lack of assurance about system security and data integrity

 

 

• Web Applications Under Attack - Four Eye-Opening Findings
• Enforcing IT Change Management Policy
• 8 Ways On-site Service can Drive Revenue Now
• The Path to a Secure Application: A Source Code Security Review Checklist
• Threat Roundup and Forecast: Cybercrime Isn’t Predictable. But Trend Micro is.

CIO Newsletters

• CIO World

  Critical news & updates, delivered 5 days a week. View Sample

• CIO Alert

  Your weekly update on digital security and threat. Delivered every Friday. View Sample

• CIO Focus: Cloud Computing

  A Fortnightly capsule delivering the latest trends, opinions and features on cloud computing.