I was pondering this thought after sitting through a presentation at a recent meeting of the Northern Security Group, aka NUKSG.
The discussion was going along the lines of how and why security issues occur and that one of the first questions that should be asked is “What has changed?”. The rationale here is that with strong change control, not only do you improve security but you also improve operational performance. This has already been researched extensively by the IT Process Institute and the publication that condenses this is called Visible Ops Security – which was very kindly given out for free by Tripwire at the meeting.
This notion reminded me of my recent experience working for a French company – and the initial frustration when attempting to get something resolved. A customer of mine, who had himself worked in France for some time, suggested I read a book with the same title (Sixty Million Frenchmen Can’t Be Wrong) and that it might help. For the uninitiated, the French are very thorough and process driven, and in the event that something needs a decision they will go through the process of debating it even if the answer/decision appears obvious. Whilst at first frustrating, in the long run I came to accept that this was clearly the best approach – if only so that there was nothing unexpected later on. By properly following a procedure and having tight change control, the quality of output improves significantly.
The book goes into detail about how to integrate Information Security into daily operations, through a prescriptive phased approach – although the takeaway for me was to get Operations bought into the cost of not having tight change control.