OK, let's talk about Change Management, shall we? There are certain things that everyone who works in IT security knows. For example, we all know that running anti-virus on our computers is a good move. We also all know that Change Management is a good thing. The difference between the two is that the second item is true and the first is a load of crap. However, it can be a real pain to try to convince other people that Change Management is necessary...especially the people that have to give something up in CM.
I'm talking about giving up control. In my organization there is an application development group, a help desk group, a computer lab group, a networking group, and a server admin group. There are a couple others, but we'll ignore them for now. For the most part, Change Management is a process by which the development group, server admin group, and networking group tell the others what they're going to be doing and get their feedback. Many of them are resistant to CM because they feel that they shouldn't have to ask permission to do what they want to do with the systems they manage. There is also a legitimate fear that they will be boxed into only making changes in the wee hours of the evening and that there will be no extra compensation or balancing of these hours. For the others, they are pleased to hear what is being planned and not have as many things come up as a surprise.
Since I came in the door at my University I have been talking about Change Management and the clear message from my boss was "I'm not listening." After we had a couple audits that both suggested we implement a CM process the message was "how can we comply with this on paper without changing anything?" This is why I feel that all IT security managers should try to scratch and claw their way into reporting to the highest ranking figure they can. In the beginning I reported to someone that does not support CM, but then I managed to get in a position where I reported to someone higher up that was neutral about CM. And that is really the first step in getting CM off the ground. You need to get important people to care about it. So make sure you've got your bullet points handy when you're selling this.
- Transparency - no more secret changes that make everyone ask "WTF just happened?"
- Communication - not just improved communication in the department, but also with the customers.
- Documentation - A dirty word to be sure, but documenting your processes is a sign of a mature IT shop.
- Quality Assurance - This is a chance to make sure that important changes have been tested and that there is a rollback plan if things go poorly.
- Coordination - If system A and B both need to go down, but the administrators of these systems don't know about the other systems change, then they will likely be brought down at different times causing two separate outages. Change Management allows your staff to coordinate these events into one single outage. Better for the help desk and better for your customers.
- Best Practice - I know it's crappy to use the "everyone else is doing it" sales pitch, but you can still respect yourself in the morning if you're pushing something that really is good and this bullet point isn't the strongest thing you've got.
Coming up, I'm going to write about how I got Change Management off the ground after we had a disaster that got me the support I needed. Here's a hint...start slowly.