Part 1: Keys to great security and IT operations
Computerworld -
Security and IT operations often act as if they are at war with each other, with completely opposing goals. You've probably seen it. For instance, security works hard to create a policy to ensure that the organization remains in an acceptable defensive posture, only to have it completely ignored by IT operations. So when the organization gets hit with something like the MS Blast worm, many critical servers are affected. As a remedy, security creates a list of urgent patches to be applied. However, due to the wide variety of server configurations, the patches don't consistently succeed. As a result, IT operations is left with a server, or hundreds of servers, that no longer even boot!
In scenarios like this, the patching cure prescribed by security is worse than the disease. A political blame game can follow, creating an adversarial relationship between security and IT operations. More energy is put into unproductive activities, and business goals are compromised, including the delivery of a stable, available and secure computing infrastructure that fulfills business requirements.
Observed practices for success
I recently participated in two workshops where more than 70 practitioners from high-performing IT organizations shared their experiences on how they achieve and sustain their security and operational objectives. The first workshop, "Auditable Security Controls That Work," I co-chaired with the SANS Institute; the other workshop, "Best in Class Security and Operations Roundtable," I co-chaired with the Software Engineering Institute at Carnegie Mellon University.
This two-part article describes my observations and key findings from these workshops. This first article describes the challenges and solutions common to this group. The second article will explore a working definition of what it means to be a high-performing IT organization and will describe the resulting works in progress.
In the two workshops, three key management practices emerged as common to high-performing security and IT operations organizations: They rigorously enforce the change management processes, they foster a "culture of causality," and they ensure that security adheres to and helps enforce the effective management of change. Each of these practices is described below:
Rigorously enforce the change management processes
Common to all the high-performing organizations we studied is a culture of change management. Why so much rigor around how changes are made? They recognize that change represents the significant majority of risk to IT availability and security. Market research company IDC confirms their intuition, showing that 78% of all downtime can be attributed to changes made internally, by someone with access and authority.
A shining example of a culture
