The Need for Change Management

Increased security concerns within the IT sector have a direct effect on the number of changes requested (for example, patch installations to fix vulnerabilities or configuration changes to block a malicious attachment). Very often those changes are planned, driven by security or compliance requirements, the introduction of new technologies or other shifts, but sometimes they are driven by urgency because IT systems are under attack.

In any case, proper governance of those changes cannot be treated as secondary to the security incident itself. A lack of governance would ultimately result in the interruption or disruption of service, which impacts business processes just as an incident would. Effective governance can be achieved by integrating the security framework with the service management processes. This is a fairly general concept, and excellent guidelines already exist. Let me share what I think are the most important practices to consider when designing a service.

Best Practices to Handle Change in Security

1. Managing Reactions Within a Service Management Structure

If the responsibilities of security information and event management (SIEM) are to identify offenses and recommend particular reactions, the best practice is to have each resulting change submitted through a proper change management process. The offense managed via the SIEM has to be transformed into an incident managed with a service desk tool. Change management can only be effective with clear knowledge of the enterprise configuration, typically held in a configuration management database (CMDB): whether a change can be performed, and when, depends on the configuration of the assets involved and on the relationships between them.

2. Risk Management

If the previous section was about mitigating the risk of disruption caused by an unauthorized or uncoordinated change, the objective of this section is the opposite aspect: managing change must take into consideration the possible effect of a change on the enterprise in terms of security. Changes are sometimes required in emergency situations and approved by an emergency review board, so the CISO needs to provide an answer quickly. Having a risk management tool integrated into the SIEM platform makes the integration of service management into the security framework that much more effective.

3. Integrating With Business Service Management

Very often the cost of a security incident is difficult to estimate, particularly if we consider factors such as brand reputation and other long-term impacts. Nevertheless, some elements can be estimated in advance, and that information can serve as the basis for a decision.

What are the elements of the service impacted, and what is the cost of interrupting such a service? If a security incident can be translated into an event to be processed by the business service manager, and if the business service manager has visibility into the asset configurations, their relationships and the architecture of the service, then sizing the impact of an incident, including any resulting violation of a service level agreement, becomes possible. While this does not capture the full cost of the security incident, it is something that can be used to make the proper decision.
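The following is an added example, not code from the original article, showing how the dependency knowledge from practice 1 and the impact sizing from practice 3 fit together: a SIEM offense is turned into a change-request record whose blast radius and SLA exposure are computed by walking a CMDB dependency graph. The CMDB extract, service catalogue, SLA penalty figures, offense fields and routing rule are all constructed assumptions for illustration.

```python
"""Impact sizing of a change over a CMDB dependency graph.

Added example; not code from the original article. The CMDB export format,
asset names, business services and SLA penalty figures are constructed.
"""
from collections import deque

# Constructed CMDB extract: each asset maps to the assets it depends on.
# Every edge is treated as a hard dependency (no redundancy modelled), which
# errs on the conservative side when sizing impact.
CMDB_DEPENDENCIES = {
    "web-frontend": ["app-server-1", "app-server-2"],
    "app-server-1": ["db-primary"],
    "app-server-2": ["db-primary"],
    "db-primary": ["san-volume-7"],
    "db-replica": ["db-primary"],
    "reporting-batch": ["db-replica"],
}

# Constructed business service catalogue: the assets each service is
# delivered through and an assumed SLA penalty per hour of interruption.
BUSINESS_SERVICES = {
    "online-orders": {"assets": ["web-frontend"], "penalty_per_hour": 12000.0},
    "monthly-reporting": {"assets": ["reporting-batch"], "penalty_per_hour": 500.0},
}


def build_dependents(deps):
    """Invert the depends-on edges: asset -> set of assets that depend on it."""
    dependents = {}
    for asset, upstreams in deps.items():
        for upstream in upstreams:
            dependents.setdefault(upstream, set()).add(asset)
    return dependents


def affected_assets(deps, changed_asset):
    """Breadth-first walk along reverse edges from the asset being changed.
    Returns the changed asset plus everything that transitively depends on it,
    i.e. the set of assets a failed change could take down."""
    dependents = build_dependents(deps)
    seen = {changed_asset}
    queue = deque([changed_asset])
    while queue:
        asset = queue.popleft()
        for dependent in dependents.get(asset, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impacted_services(deps, services, changed_asset):
    """Business services delivered through any affected asset, sorted by name."""
    affected = affected_assets(deps, changed_asset)
    return sorted(name for name, svc in services.items()
                  if any(asset in affected for asset in svc["assets"]))


def estimated_sla_cost(deps, services, changed_asset, outage_hours):
    """Sum of SLA penalties for the impacted services over the outage window."""
    return sum(services[name]["penalty_per_hour"] * outage_hours
               for name in impacted_services(deps, services, changed_asset))


def change_request_from_offense(offense, deps, services, outage_hours):
    """Turn a SIEM offense into a change-request record enriched with impact.
    The offense fields and routing rule are assumptions, not a real schema."""
    asset = offense["asset"]
    services_hit = impacted_services(deps, services, asset)
    if offense["emergency"]:
        route = "emergency-review-board"   # urgency overrides cost
    elif services_hit:
        route = "change-advisory-board"    # business service at stake
    else:
        route = "standard-change"          # nothing downstream is affected
    return {
        "offense_id": offense["id"],
        "requested_change": offense["remediation"],
        "target_asset": asset,
        "affected_assets": sorted(affected_assets(deps, asset)),
        "impacted_services": services_hit,
        "estimated_sla_cost": estimated_sla_cost(deps, services, asset, outage_hours),
        "route": route,
    }


if __name__ == "__main__":
    # Constructed SIEM offense: patch the primary database in a 2-hour window.
    offense = {"id": "OFF-1042", "asset": "db-primary", "emergency": False,
               "remediation": "apply vendor security patch and restart"}
    record = change_request_from_offense(offense, CMDB_DEPENDENCIES,
                                         BUSINESS_SERVICES, outage_hours=2)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Patching `db-primary` here reaches both business services through the application and replica tiers, so the request is routed to the change advisory board with a 25,000 exposure for a two-hour window, whereas a change to an asset with nothing downstream qualifies as a standard change. Treating every edge as a hard dependency overstates the impact of redundant components such as the two application servers; a real CMDB walk would carry redundancy attributes on the edges.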
