Mastering Change for IT Success

Today, IT faces a number of unprecedented challenges. Once responsible only for maintaining hardware and software, IT is now expected to harness technology to deliver strategic value. For more and more companies, IT investments hold the key to remaining nimble and competitive. If that wasn’t enough, regulations such as the Sarbanes-Oxley Act have forced IT to embrace best practices and achieve better visibility into the infrastructure, all while keeping increasingly complex systems running on a 24/7 basis, supporting a global market and cutting costs. To meet these challenges, IT must use its resources as efficiently as possible.

Yet many IT departments can spend up to 50 percent or more of their time and resources troubleshooting unforeseen problems and fighting unexpected fires, crippling their ability to implement strategic initiatives. Why? To a large extent, it’s because they have failed to master change. “We’ve found that 60 to 70 percent of the incidents reported to most help desks are the result of changes purposely made to the infrastructure by IT,” says Dennis Gaughan, Research Director for AMR Research. “For example, a simple and necessary patch to a router meant to plug a security hole may inadvertently impact the payroll application in the middle of payroll processing, all because proper testing wasn’t done to get visibility into how this small change would affect other systems.” Just about any IT organization can point to a number of downtime incidents that came from an intended change with unintended consequences. “Users have told me they’ve never experienced such tranquility and peace as when their company’s Oracle DBAs were away at Oracle World,” says Gene Kim, CTO of Tripwire, a leading provider of change auditing solutions.

THE CHANGE EFFECT

As IT continues to consolidate and support an increasingly global infrastructure, the damage that can occur from unintended change becomes even greater. That’s because each IT service rests on an increasingly complex infrastructure stack of applications, databases, middleware, directory services, operating systems and networks. Each of these systems depends on a complex web of file systems, configuration settings, users and permissions.

“I’ve been in IS for more than 18 years and I would say that the inevitable result of sloppy, unregimented change management is always an impact on the health, availability and response time of your business applications,” says Scott Gibson, CIO of Best Western International, “and therefore on the ability to deliver revenue.” Research has shown that the most efficient, nimble and aligned IT organizations are the ones that have mastered an effective change management strategy. While their competitors suffer from the downtime, user resistance and lost revenue resulting from an ineffective change process, successful organizations implement their changes quickly and successfully 99 percent of the time with little impact to existing systems, few to no resulting downtime incidents, and less than five percent of IT time devoted to unplanned work. Companies that have mastered change management are also the ones that achieve compliance with the least expenditure of staff resources. “These companies can produce the reports that attest to their control so that auditors don’t have to come in, rip apart processes and take staff away to answer their questions,” says AMR’s Gaughan.

IT TAKES A CULTURE

How do organizations achieve effective change management? Many have put together change management processes that have little buy-in from their intended users and are thus routinely skirted. “When I started at Best Western, the frequency of exceptions to the change management process was much higher than incidents of adherence,” says Gibson. “That’s a good indicator that something is wrong with the policy or process, or simply that there was a lack of commitment.” By contrast, organizations that succeed at change management see it as an essential part of the corporate culture. “In companies that have effectively implemented change management, the company’s goals and incentives are designed to support these behaviors,” says AMR’s Gaughan. “Everyone understands his or her role, including the business customers, developers, testers and administrators.”

“Change management is the kind of process that requires endorsement and participation at the highest level of the organization,” says Best Western’s Gibson. “Otherwise, it’s too easy to undermine. As CIO, I see as one of my primary roles providing the experience and leadership to ensure best practices and high-quality processes.”

MONITORING AND ENFORCEMENT

Successful companies not only expect change management policies to be followed, they also inspect processes to make sure they are followed. “You have to put in place accountability and ways to monitor changes and measure success,” says Gaughan. That includes processes and tools that ensure changes are authorized, clearly visible, audited and documented. It also means that unauthorized changes are investigated and met with clear consequences.

“Have a playbook that makes unauthorized change a public issue,” says Tripwire’s Kim. “If someone makes an unauthorized change, send an e-mail to the entire team indicating that an unauthorized change has been detected and that the team has four hours to explain before security is mobilized.” Other proven change management best practices and controls include:

• Segregating duties so that a person authorizing a change is not the same one validating the change.
• Not allowing changes to production assets made by developer personnel.
• Establishing a policy for managing change outside scheduled maintenance windows.
• Maintaining a change audit trail.

THE RIGHT TOOLS

Change management ultimately succeeds with the help of the right tools. One such tool is Tripwire Enterprise, which baselines and monitors changes to hundreds of systems across the enterprise, providing a verifiable audit trail of all changes across the service stack. It simplifies monitoring by organizing systems according to geography, service stack, organizational boundaries or other user-defined grouping and provides configurable severity levels to enable the proper response to unauthorized change. Tripwire Enterprise validates system process integrity by independently detecting both automated and manual changes, reconciling detected changes with authorized and intended changes, and graphically reporting on desired and undesired change status. Tripwire Enterprise also provides an array of reports and online dashboards that can be invaluable for enforcing policies, improving change processes and satisfying compliance audits. As organizations look to IT to enable the changes that let them stay nimble and competitive, IT can no longer afford to implement changes in ways that disrupt systems and cause downtime.
With the right change management culture, controls and technologies, such as Tripwire Enterprise, IT can become a key enabler of change.

How the high performers do IT

CIOs are under immense pressure to demonstrate business value. Unfortunately, they may get a lot of advice from people like colleagues, consultants and vendors who provide little real empirical evidence to support their views.

To gather evidence of the value and relevance of IT control activities, and use it to help organizations successfully implement ITIL best practices and COBIT control activities, the IT Process Institute (ITPI) conducted the IT Controls Benchmarking Survey. ITPI is a non-profit organization that supports IT audit, security and operational professionals. The survey was completed by volunteers in approximately 100 IT organizations. Respondents were questioned on their use of 25 key performance measures and 63 IT control activities to identify correlations between IT controls and performance. Responses were analyzed in terms of correlation of controls to performance measures; identification of foundation controls; and analysis of top performers.

Survey results showed that the major difference between high and low performers related to usage of IT change control mechanisms. The top five activities that set these groups apart include:

1. Monitoring systems for unauthorized change
2. Defining consequences for unauthorized change
3. Formalizing a process for configuration management
4. Using an automated process for configuration management
5. Tracking change success rates

Says Gene Kim, CTO of Tripwire and Research Director of the IT Process Institute:
“The results of this survey have given us great confidence that all the things we’ve
been doing at Tripwire around change management are valid and important.”

Get a Free Copy of “IT Process Institute: IT Controls Benchmark
Survey Key Findings” at: http://www.tripwire.com/vault

Seven habits of highly effective IT organizations

1. They have a culture that supports change management
2. They monitor, audit and document all changes to the infrastructure
3. They have zero tolerance for unauthorized changes
4. They have defined consequences for unauthorized changes
5. They test all changes thoroughly in a preproduction environment before implementing them in the production environment
6. They have an established way of analyzing the impact of IT change before and after it occurs
7. They track and analyze change successes and failures and use that data for future changes