Security Change and Configuration Management

I was thinking last night of all the organizations that I’ve reviewed and the procedures at each one for managing the security aspects of their infrastructure. It has ranged from “Hey Timmy, will you go open up the firewall for FTP” to “Submit a change request for the modification of the firewall ruleset and it will get reviewed by the IT review committee at the end of the week for approval”. While the former is easier and quicker, I’d rather have the latter if I were a large organization. Firewalls and networks are obviously huge in large organizations, and ad-hoc changes can easily lead to a hole that might put the company at a level of risk that it might not be willing to accept. Documentation and approval of security changes in a large organization are paramount to the maintenance of its security posture, particularly when it’s not just “the IT guy” making the changes, but several members of an IT organization. Ultimately, those companies that put the time and effort into change and configuration management are much more aware of their security posture on an ongoing basis. Those companies that do not have such a process in place are driving an ’85 Buick Skylark in a NASCAR race. They can keep going…but it’ll catch up to them pretty fast in the end.

So, a plea to organizations that think change management is a waste of time. If you want to grow your business in a secure manner and maintain a well-thought-out security environment…consider implementing some change management. Perhaps I’ll write some more on this process later, depending on whether there is any interest in it.