Right about this time every year panic starts to set into IT organizations.
While there are still many projects to be completed, code to be pushed, and last-minute changes to be made to the e-commerce platform before the rush to buy on the web starts ... the freeze in many organizations is coming.
I try to write about this every year around this time, just to remind you that the inevitable is coming and you need to prepare yourself ... but this year the message is a little different than in years before. This year it's not about rushing those last-minute patches, or trying to figure out how you're going to apply Patch Tuesday when you can't even sneeze in the data center ... this year the message is about change management.
As the last-second inevitable rush to push changes to the production environment starts up, now is the time to evaluate your change management strategy and figure out whether you're comfortable with it - or whether your priority #1 project for next year should be getting change management in place. Sadly, over the last year I've met entirely too many CISOs who are in no position to know what changes are being made to their environment on a minute-to-minute basis, so they have very little chance of managing security effectively.
It doesn't take a wise InfoSec guru to understand that a large part of Information Security is simply situational awareness. The users, network nodes, systems and services/applications on your wires constitute the effective threat profile of your organization, and when that status changes, it's the delta you look at to determine whether you've increased or decreased your risk profile. It's simple, really.
I suggest starting inside your own organization and working outward. What are the last 10 changes you've made to the security devices your Information Security organization is responsible for? Have you updated firewall rules, pushed patches, or added users on those things? Now look forward in time: what are the next 10? How do those 10 intersect with the top-priority business-sponsored changes coming?
If you're not comfortable answering those questions, or if you find yourself going back to spreadsheets, you may be in bigger trouble than you think. Every day, as overall organizational complexity increases, the risk of not being situationally aware of your organization's own changes becomes more serious. When we all had one T1 router and a firewall, this really wasn't that big of a deal, but today, when there is barely the ghost of a perimeter, you must have strong situational awareness of your own changes.
Before I get off on too long of a rant on change management, I'll simply urge you to get on the train or be left at the station. If you work at a more traditional organization you're still likely looking at a year-end production freeze, and before that there is the mad rush to get everything done ... don't be the victim of the mad rush where you end up with exposed risks you can't do anything about.