What is the first question you ask when something goes wrong in your environment? A system goes down? Service isn’t performing as it should? You flip the switch but nothing happens? In November of 1988, something happened that forever changed IT security and exponentially increased the need to ask this question. That is when the Morris worm was first distributed across the internet. Although not initially intended to be malicious, the Morris worm infected individual computers multiple times. Each additional infection slowed the machine down incrementally to the point of becoming unusable. At that time, Gene Kim (founder of Tripwire) happened to be working part time at Sun Microsystems, and the Morris worm had a significant impact on the systems he was directly responsible for. The question he asked when he came to work and his systems were down was, “What changed?” Things were running smoothly the day before, but then they were choked out and unusable. That question of “what changed?” ended up consuming Gene’s focus, and it ended up motivating him to create the foundational technology behind Tripwire. But I’m not here to talk about Tripwire specifically. I’m more interested in the discussion around change and how organizations can leverage change to improve their IT operations, security and compliance. Charles Darwin once said, “It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.” I would argue that the same goes for IT organizations. And in order to be responsive to change, you must first understand when something changes, what changed and what impact that change might have on the organization. But that’s just the beginning. If you really want to be effective, you also need to have a tight policy around what changes are allowed and what changes are not allowed. The ‘what changes are not allowed?’ question has an easy answer: all organizations should strive for zero unauthorized changes. Yep, zero. Argue that your business needs to be more fluid and your developers can’t be bothered with having to submit change tickets and all that ‘process.’ Of course, no one likes following a strict process… at first. But once you embrace a tight change management process and create a culture of zero tolerance for cowboy developers, your level of control of and confidence in your environment will grow exponentially. And you’ll become a believer. The IT Process Institute has published research that outlines the fundamental differences between under-performing IT organizations where firefighting is rampant, administrators are frustrated, and the IT organization struggles to provide value to the business, and high-performing IT organizations that deliver value and an exponentially greater ‘bang for the buck.’ It turns out that understanding change is at the heart of what differentiates these two types of organizations from each other. It’s interesting to think about why that is the case. Understanding change is also at the heart of IT security and compliance standards. Because no matter what other security measures you have in place to keep people out or plug holes, you still need to be able to answer the question about what changed. In fact, the definition of file integrity monitoring (FIM) is rooted in the understanding of file changes, so much so that in the initial publishing of the PCI-DSS, Tripwire was named specifically under the requirement for file integrity monitoring. Why does this matter? Well, it’s interesting to look at the trajectory of IT security thus far and think about what’s coming in the future. The IT security industry has exploded over the past 10-15 years, and it’s not slowing down any time soon. Every year, we see new companies come on line, new investments being made, new technologies being developed… and it’s easy to get distracted by these new technologies. But the song that Gene Kim was initially singing about the importance of understanding change still remains the same. No matter what happens in terms of technology in the future, understanding change will always be at the heart of sound security practices and high-performing IT organizations. In my role, I have the opportunity to interact with organizations that span the spectrum from financial institutions to health care providers, retail organizations and more. Every customer is unique in that they have specific needs and requirements for their IT functions. But in the end, no matter the organization, the top priority is adding value to the business. And regardless of the industry, IT best practices remain consistent. If I could leave you with one thing, it would be this: think of file integrity monitoring and change management as the foundation of your IT organization. Sure – build cool products, use cutting-edge technologies, and do all that ‘fun’ stuff – but don’t forget that you first need to have a solid foundation or those other technologies will be less effective. Even before you start building, your foundation needs to be solid. It takes discipline, but if you invest the time and effort into developing a sound understanding of change, and a tight change management process, the things you build on that foundation will be stronger and longer lasting. What about in your organization? Do you feel the impact of unauthorized changes? By the way, if your organization hasn’t mastered change management yet, you aren’t alone. This is something every organization deals with on an ongoing basis and it’s seldom perfected. However, creating that culture and working towards the zero-tolerance goal is a journey that’s worth taking.
