Thursday, July 14, 2011

Stopping Change Control from becoming Change Prevention.



It seems to be some kind of rule of human nature: fear of change meets the Iron Law of Bureaucracy (every task will always expand to fill the time available). Our Change Control efforts were once required so that the light-speed changes in IT technology didn’t run over our business. How often have they evolved into a millstone around our collective necks? How much have we emotionally invested in this control?
On this particular topic I think we need to start with a definition. Taking that from Wikipedia:
Change Control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software. The goals of a change control procedure usually include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.
It seems to me that there are two warring factors in change control (aside from the Iron Law of Bureaucracy vs. high-speed change argument). For purposes of argument I will call it the “Works fine” vs. “Really cool” argument.
If proof were needed that the pace of traditional IT change has slowed, we need only look at Windows XP. Its successor, Vista, was largely rejected by industry, and as a generality we use our old OSes for 7 years, because they work fine. There was no compelling reason to upgrade until Windows 7 came along, and even then we were stately about the upgrade.
We could look at our mail systems; they work just fine. Everything is incremental organizational improvement. The calendar, the messaging system and all the rest have been good enough for years. CRM, ERP, GRC: a lot of the traditional systems work fine.
Our users are human beings, though. We are constantly being marketed to with really cool new toys. The new form factors (smart phones and tablets) and the new media (Twitter, Google+, Facebook and IM: new communication methods) are in saturation mode in their push on us. Tethering off the Android and the iPhone makes every user at every desk their own ISP, going right past our expensive firewalls and IPS. And all these new technologies are so cool!
So the Change Control problem is this: we have developed an organization and an industry oriented toward finding better ways to do our traditional activities. It works at a stately speed to do a thorough job. It is perfectly designed and organized to decide when to change the web browser version a year or two after a new one comes out, but not at all to control data across smart phones.
For data security managers (or military officers) there is a great rule I learned in my early days as a restaurant manager: never give an order you know won’t be followed. If we tell our users they can’t have mail on their Android they will do it anyway. If we try to implement draconian controls we will make enemies of our users and they will do an end run around us. By doing this we make ourselves ineffective. Our users will work around our normal and reasonable controls as well as our knee-jerk slowness to adapt. As soon as our employees decide that the IT department is the enemy, everything we do is for nothing.
Change control
Data Security and Change Control. Maybe we need to go back a bit to our 1995 way of doing things and unclench our fists on some things that have become our purview. I would like to offer a revolutionary thought:
As long as we, as an enterprise, control the data, nothing else matters. By use of PKI, VDI, whitelisting, or similar, if we hold control over proprietary company data (and don’t try to control an employee’s posts to their kids on FB), we don’t need to care at all about the methods used to handle that data, as long as employees treat that data with respect. Data security of our precious assets does not need to be about controlling the user’s whole data life.
Change control as a minimalist concept based on the use and control of data: not applications, not operating systems. This can be accomplished in a way that allows the cool, secures the data, and doesn’t break the bank. There are those who will say that unless we manage every vulnerability in the system we can’t control the data. In 2011 this is no longer true.
· Application whitelisting (hell yes)
· VDI. All work data saved to the SAN
· Network IPS
· Simple forms of DLP like string matching (because if an employee wants to circumvent even really good DLP they will)
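As an added illustration of the “simple forms of DLP like string matching” item above (example code written for this page, not from the original post): a scanner that flags outbound text carrying classification markers or a constructed project-code pattern, which is all that plain string matching buys you.

```python
import re

# Constructed classification markers; a real deployment would take these
# from the organisation's own data-classification scheme.
MARKERS = ("COMPANY CONFIDENTIAL", "INTERNAL ONLY")

# Hypothetical internal project-code format, e.g. "PRJ-12345" (constructed).
PROJECT_CODE = re.compile(r"\bPRJ-\d{5}\b")


def scan_outbound(text):
    """Return a list of (rule, matched_string) findings for one message.

    An empty list means nothing matched. Marker matching is
    case-insensitive substring matching; the project code is a regex.
    This catches accidental leakage of marked data cheaply and is
    easy to explain to users; it does nothing against someone who
    deliberately rewords or encodes the content, which is the post's
    point about DLP.
    """
    findings = []
    upper = text.upper()
    for marker in MARKERS:
        if marker in upper:
            findings.append(("marker", marker))
    for match in PROJECT_CODE.finditer(text):
        findings.append(("project_code", match.group(0)))
    return findings


def scan_batch(messages):
    """Scan a batch of outbound messages; return (index, findings) for hits only."""
    hits = []
    for index, message in enumerate(messages):
        findings = scan_outbound(message)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample messages standing in for an outbound mail queue.
SAMPLE_MESSAGES = [
    "Lunch at noon?",
    "See attached, company confidential budget for PRJ-00042.",
    "Reminder: the PRJ-1234 deck is public, share freely.",
]

if __name__ == "__main__":
    for index, findings in scan_batch(SAMPLE_MESSAGES):
        print(index, findings)
```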
Control the data not the asset
We can (and do) argue the technology. It boils down to this: by backing off our emotional investment in hard control of method and mechanism we can have a better work environment for less money and effort.
