Embracing change management for better cyber security
Mark Kedgley, CTO at NNT
Despite the significant financial and reputational damage caused by cyber attacks, companies still prioritise service delivery over cyber security. Unfortunate as this is, it is hardly surprising: safeguarding corporate IT systems, be they cloud or traditional data centre-based, takes time and resources away from providing and focusing on business services. Realistically, until security is embedded into service management principles, nothing is likely to change.
Through the work we have done with our partner, Blue Turtle Technologies, it has become clear that many decision-makers still view cyber security as an afterthought. It is treated as something to be bolted on after the fact, which has resulted in an approach where more security widgets are added to plug potential holes as the network evolves.
The alternative is to have visibility of all the change that is happening to IT systems and to ensure that all changes are verified and validated. Everything outside that scope is unexpected and should be considered suspicious, and potentially an indicator of compromise.
Most vulnerabilities come from flaws in the software (such as the operating system or applications used) or exploits based on the misconfiguration of systems. The latter is a direct result of the inevitable ‘feature creep’ that comes from the continual ‘business as usual’ change to the environment. Paradoxically, while regular patching is done to protect systems, the associated change noise generated serves to mask breach activity, while necessary configuration changes may also inadvertently introduce latent vulnerabilities.
If anything, this highlights why change control must be considered one of the most critical cyber security best practices to follow. Unless an organisation continually controls, validates and verifies that changes happen safely, the potential for security compromise remains constant.
Of course, change management by itself is not a new concept. The difference lies in bonding cyber security to the operations framework.
While this might sound revolutionary, it merely focuses on ensuring that changes to the network take place as expected. It not only provides management with a view of those changes but also verifies and validates them, confirming they have been delivered correctly.
More importantly, it corroborates that these changes do not introduce new vulnerabilities. Fundamentally, it means accounting for every change implemented and checking that it is safe and accurate, which is even more important now that everything is potentially under attack and the variety of platforms and devices has expanded. The threats to cloud-based services are very different from those faced by industrial control systems in power stations, but the same change control process will protect both equally.
By operating strict change control, an organisation can better secure itself. It introduces an element of risk management that remains cognisant of how any device connecting to the network can be a potential entry point for a hack or breach. This security-first mindset treats everything as a risk, applies the appropriate change control to it, and defends the company in a more integrated manner.
For this strategy to be more effective than the ‘add another widget’ approach, there must be a level of automation. However, what is considered a threat in one IT environment might not be in another. Therefore, to simply implement a generic automated process for change control is not the answer.
There is truth to the notion that cyber security can be automated to a large extent. But there will always be some processes and procedures built around it. Truth be told, cyber security takes on many different shapes and sizes. It will always require some human component to remain effective.
Effective cyber security therefore requires a blend of security best practices, operated as a continuous component of IT service management. Change control relies on a continually updated knowledge base of all vulnerabilities and calls for systems to be maintained with a hardened build standard (for example making sure the operating system is patched, and applications run the latest versions). Then, as new changes are implemented, either to enhance or expand IT services, or for routine patching, all changes are verified and validated as accurate and safe.
By combining change control with the local expertise and skills of our partner, Blue Turtle Technologies, we leverage the respective strengths of each organisation to deliver a cyber security offering that is more secure by design. This will be fundamental to safeguard the network environment of the future.
Join NNT and Blue Turtle Technologies on 12 August 2020 for a live webinar focusing on exactly how you can improve cyber security with effective control change management.