2014 State of IT Changes Survey Results

Similar documents
74% 2014 SIEM Efficiency Survey Report. Hunting out IT changes with SIEM

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

How to Audit the 5 Most Important Active Directory Changes

White Paper. 7 Questions to Assess Data Security in the Enterprise

Keeping Tabs on the Top 5 Critical Exchange Server Changes with Netwrix Auditor

Today s Agenda. Challenges, limitations & solutions Technology overview Demonstration Why Netwrix Q&A

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

2015 Cloud Security Survey. Security and privacy of sensitive data remains the most disturbing concern for 63% of organizations

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

The Change Auditing System

Business Intelligence and Enterprise Performance Management: Trends for Midsize Companies. An Oracle White Paper Updated July 2008

Examining the Dangers of Complexity in Network Security Environments AlgoSec Survey Insights

Exchange Auditing in the Enterprise

Proving Control of the Infrastructure

How To Protect Your Active Directory (Ad) From A Security Breach

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

Optimizing Network Vulnerability

End Your Data Center Logging Chaos with VMware vcenter Log Insight

MEASURING SMB CUSTOMER OUTCOMES: THE DELL MANAGED SERVICES ADVANTAGE

Monitoring Application Performance by Design

Top 10 Most Popular Reports in Enterprise Reporter

SYMANTEC 2010 DISASTER RECOVERY STUDY. Symantec 2010 Disaster Recovery Study. Global Results

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Justifying Business Continuity: How it Impacts Risk Management

MAJOR INCIDENT MANAGEMENT TRENDS

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

WHITE PAPER. Automated IT Asset Management Maximize Organizational Value Using Numara Track-It! p: f:

MORE DATA - MORE PROBLEMS

BUSINESS FOCUSED EXCHANGE REPORTING. Guide To Successful Microsoft Exchange Reporting & Analysis

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

AD Management Survey: Reveals Security as Key Challenge

ISO/IEC Information Security Management. Securing your information assets Product Guide

solution brief NEC Remote Managed Services Prevent Costly Communications Downtime with Proactive Network Monitoring and Management from NEC

The Benefits of Virtualization for Small and Medium Businesses. VMware SMB Survey Results

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Cloud Backup And Disaster Recovery Meets Next-Generation Database Demands Public Cloud Can Lower Cost, Improve SLAs And Deliver On- Demand Scale

VCE SUPPORT OVERVIEW. Investment Protection and Welcome Peace of Mind

white paper Using Cloud for Data Storage and Backup By Aaron Goldberg Principal Analyst, Content4IT

How to Use Log & Event Management For Fault Diagnosis and Prevention. Greg Ferro Author and Blogger. whitepaper

Proactive Performance Management for Enterprise Databases

Leveraging Privileged Identity Governance to Improve Security Posture

White Paper. of User Activity Monitoring in Managed Environments

SMALL BUSINESS REPUTATION & THE CYBER RISK

TABLE OF CONTENTS. Collection Agency Operations and Technology Survey Page 2 Copyright BillingTree insidearm.com

Scalability in Log Management

WHITE PAPER. Meeting the True Intent of File Integrity Monitoring

Netwrix Auditor for Active Directory

The Benefits of VMware s vcenter Operations Management Suite:

Active Directory Auditing: What It Is, and What It Isn t

Web applications today are part of every IT operation within an organization.

THE ZENDESK BENCHMARK

Best Practices for Auditing Changes in Active Directory WHITE PAPER

Muscle to Protect Your Grid July Sustainable and Cost-effective Muscle to Protect Your Grid

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

End-user Security Analytics Strengthens Protection with ArcSight

WHITE PAPER IMPROVING FIREWALL CHANGES OVERCOME PROCESS AND COMPLEXITY CHALLENGES BY FOCUSING ON THE FIREWALL.

Sage ERP I White Paper. Tips for Maximizing the Return on Your ERP Investment

Active Directory Auditing The Need and Result

Software License Management: 2012 Software License Management Benchmark Survey SOLUTION WHITE PAPER

Datacenter Hosting - The Best Form of Protection

Drawbacks to Traditional Approaches When Securing Cloud Environments

TABLE OF CONTENTS. Planning With Cash Flow Insight. Introduction. Keep Your System Flexible. Organize Your Contracts. Watch for Predators

Demonstrating the ROI for SIEM: Tales from the Trenches

Ten Reasons Why Microsoft Excel Should Not Be Your Documentation Tool

Better Visibility into Change Management with Kinetic Calendar Abstract

Privilege Gone Wild: The State of Privileged Account Management in 2015

Organizations Struggle with Data Center Capacity Management

White Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

Reining in the Effects of Uncontrolled Change

Intacore Managed IT Services

Why Alerts Suck and Monitoring Solutions need to become Smarter

Log Management Solution for IT Big Data

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

Grow Your Business with Confidence

TechInsights Report: Cloud Succeeds. Now What?

2012 Key Trends in Software Pricing & Licensing Survey

2015 Public Cloud Disaster Recovery Survey

How To Manage Log Management

Reduce cost and increase you ability to support your customers: Integrating Customer Support and Defect Tracking an architecture for success

SecureVue Product Brochure

How To Buy Nitro Security

The State of Global Disaster Recovery Preparedness

access convergence management performance security

How to Achieve Operational Assurance in Your Private Cloud

ITSM 101. Patrick Connelly and Sandeep Narang. Gartner.

NOVEMBER 2014 CYBER & DATA SECURITY RISK SURVEY CONTENT:

TRIPWIRE REMOTE OPERATIONS: STOP OPERATING, START ANALYZING

Succeed in Search. The Role of Search in Business to Business Buying Decisions A Summary of Research Conducted October 27, 2004

The Future of Network Security Sophos 2012 Network Security Survey

Mobile E-Commerce: Friend or Foe? A Cyber Security Study

Log Management: 5 Steps to Success

Drive Down IT Operations Cost with Multi-Level Automation

TIBCO AT-A-GLANCE COMPANY OVERVIEW: CORPORATE EXECUTIVES: CUSTOMERS VERTICALLY DIVERSIFIED: CUSTOMERS GLOBALLY DIVERSIFIED: AREAS OF MARKET FOCUS:

Making Sense of Your Organization s Big Data. A Guide for Small and Medium Businesses

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Transcription:

2014 State of IT Changes Survey Results

Results In 2014, change is the only constant. Changes to critical IT systems are a daily part of any IT organization s ability to meet the constant barrage of requests for improved, faster and more efficient services. It s also a foundational part that causes system downtime, security breaches, internal and external threats and decreases in operational efficiency. Without a means to track what has changed, an IT organization has little ability to know what change was the root of a data breach or what caused a system to stop functioning properly, let alone be able to know exactly what to revert to fix the problem. Many organizations manage major changes by using everything from a spreadsheet to more advanced change management solutions. Other organizations choose to utilize nothing more than raw log data as a means to have some level of insight into changes. Those organizations that only rely on change management processes or solutions are allowing their IT organization the ability to simply bypass the change management in place and make changes not logged and tracked. Organizations taking IT changes the most seriously are utilizing change auditing solutions that automatically monitor changes to critical systems, notify IT personnel, and provide historical reporting. Change auditing is a foundational part of any IT organization s security plans, change management processes and compliance programs. Companies that utilize some form of change auditing gain visibility into when changes were made, what specifically was changed and by whom. Netwrix surveyed 577 IT professionals about the state of changes made by IT to provide an idea of how organizations today see the impact of changes made, the use of change auditing and the methods and processes intended to maintain security and system availability. Also this survey is focused on whether the change management and auditing is truly useful by asking members of IT organizations, if they are making changes without knowing their peers, circumventing the change management, auditing processes and systems that are in place. Additionally, the survey covers the kinds of changes IT is making and the impact they have. Our goal in this report is to provide multiple perspectives for different IT organizations, so we have chosen to break down the responses by organizational size, industry vertical and size of IT organization. 1

Survey Highlights Who is the most serious about tracking IT changes? When asked whether change management process controls were in place for IT changes, Enterprise organizations with more than 1000 employees claimed the highest level of processes, systems and controls in place to manage and audit IT changes, weighing in at. This trend of the Enterprise taking IT changes and their impact seriously follows through most of the survey. Enterprise Midsize 55% Small Business 45% Is it organization size or IT organization size? Number of IT Staff When looking at how seriously organizations of various sizes take IT changes, a higher correlation exists between the number of IT staff in an organization and their position on managing and auditing IT changes, especially when compared to the size of the organization itself. 1 2-5 6-10 10+ 2

Are organizations auditing changes to IT systems? While at face value it seems that organizations take IT changes seriously, when asked if they have any system in place to audit changes to critical IT systems, only 38% responded positively. We dug deeper and found that many organizations answering YES considered just having system log data enough to answer affirmatively. 38% 62% Who s making undocumented changes? Daily 7% Never 43% Weekly 21% Surprisingly, when asked about making changes that no one else knew about, 57% admitted to making continual periodic changes without documenting the changes. Yearly 9% Monthly 3

Respondent Demographics Organization Size We grouped organizations by size using Gartner s definitions 1 of small business (1-100 employees), midsize enterprises (101-1,000 employees) and enterprise business organizations (1,001+ employees). Figure 1 shows the breakdown of organization sizes responding to this survey. Large Enterprises 33% Small Business 25% Midsize Enterprises 42% Figure 1: Respondents by Organization Size 1 http://www.gartner.com/it-glossary/smbs-small-and-midsize-businesses 4

Industry Vertical We received survey responses from IT staff working in 24 different industries. Figure 2 shows the breakdown of the industries most represented with those least represented grouped together. Other 19% Technology 18% Energy 4% Retail & Wholesale 5% Consulting 6% Education 9% Manufacturing 9% Health Care 9% Service 1 Banking & Financial Services 1 Figure 2: Respondents by Industry IT Organization Size IT staffs vary size from one to one hundred (and everything in between). IT staff size responses in this survey were no exception, as shown in Figure 3. IT Staff Size 1 1 2-5 46% 6-10 18% 10+ 27% Figure 3: Respondents by IT Organization Size 5

Respondents cited varying IT staff sizes in conjunction with their organization size, as shown in Figure 4. 10 SMB Midsize Enterprise 10+ 6-10 2-5 1 Figure 4: Size of IT Staff by Organization Size Survey Responses The focus of this survey was to find out whether IT organizations are managing and auditing changes made within IT infrastructure, what kind of impact do these changes have and how IT pros can manage and audit configuration changes. Change Management: Who s Doing it and Why IT is using some form of change management controls On an average, of organizations claimed to have some kind of change management controls in place, as shown in Figure 5. It s no surprise to see that SMBs have the least handle on change management leaving them exposed to changes that may influence security or system downtime. Midsize organizations have little more than their SMB counterparts. Given the higher percentage of a larger number of IT staff, midsize IT organizations are even more susceptible to problems arising from IT changes. 10 Figure 5: Does IT have change management controls in place? 6

IT is documenting their changes t surprising, most organizations are making some effort into documenting changes with the average around, as shown in Figure 6. 10 Figure 6: Are IT organizations documenting changes? (By organization size) Digging a bit deeper into the data, we found that of those stating they did not have change management process controls in place are still documenting changes. When looking at the size of the IT department, rather than the organization size as a whole, we found a far more distinctive trend in the attitude towards documenting IT changes, as shown in Figure 7. This should come as no surprise, that organizations with larger sizes try to document changes made in order to keep IT staff informed of what is going on, whereas IT pros in smaller organizations mostly keep everything in mind. 10 1 2-5 6-10 10+ Size of IT Organization Figure 7: Are IT organizations documenting changes? (By IT organization size) 7

How frequently is IT making changes that impact security? It s clear to see the need for tracking changes when you consider that of all organizations surveyed are making changes to IT either daily or weekly, as shown in Figure 8, this activity definitely impacts companies security. 10 Annually Monthly Weekly Daily Never Figure 8: Breakdown of the frequency of changes impacting security How frequently is IT making changes that impact performance or service uptime? Similar to changes impacting security, organizations make frequent changes, this time impacting system performance or service uptime. Overall, organizations are in line with security-related changes with nearly 42% making changes either daily or weekly, as shown in Figure 9. Surprisingly, despite the fact that these changes would be far more noticeable by the organization as a whole, and that enterprise organizations have many more users impacted by system downtime, nearly 52% of enterprises make these kinds of changes daily or weekly. 10 Annually Monthly Weekly Daily Never Figure 9: The frequency of changes impacting performance and uptime 8

Change Auditing: Putting Change Management to the Test We wanted to validate the usefulness of the change management systems and processes utilized by IT organizations by testing whether they are validating the use of those systems and processes by use of a change auditing method or solution. Having a system to manage and track changes in place and utilizing it is a great first step, but without a system in place to audit all changes made, there is no way to verify whether the change management processes are being used. Change auditing allows organizations to review changes as well as ensure that all changes are documented accurately. IT isn t auditing their own changes While the majority of IT organizations are utilizing some form of change management processes, 62% of our respondents indicated that they have little or no real ability to audit the changes made, as shown in Figure 10. This leads to missed changes, an inability to meet compliance objectives and results in security gaps. This inability lessens as the organization size grows. 10 Figure 10: Is IT auditing changes? (By organization size) Like the documenting of changes, the responses, when looked at through the lens of organization size, produced a far more dramatic increase in the usage of some form of change auditing. From 13% of SMBs up to of enterprises use change auditing as a means to validate the changes. 10 1 2-5 6-10 10+ Figure 11: Is IT auditing changes? (By IT organization size) 9

IT sees Change Auditing in very different ways Of those that indicated they had a system in place to audit changes, only 23% had either an audit process or a true change auditing solution in place to validate changes are being entered into a change management solution. As shown in Figure 12, other organizations believe their change management process or solution is their change auditing solution (which is a bit like asking the watchers to watch themselves). Others are simply documenting their changes manually, using native event log tools, or nothing at all. IT Staff Size 23% 34% 31% 9% 2% Change Auditing Change Management Manual Documentation Native Tools ne Is Change Auditing Necessary? Figure 12: Change auditing solutions utilized The survey has demonstrated that while a vast majority of organizations are employing some level of change management or change documentation, very few are putting that process to the test. So we wanted to know whether organizations had reason to require change auditing. Is every change being documented? Are the changes being made causing security breaches? System downtime? It s the answers to these kinds of questions that help an organization understand whether they need to be auditing IT changes. IT is making changes to critical systems without documenting The notion that every change actually goes into the change management solution is put to the test with this question. When asked if changes were made without documenting, on average 57% of IT organizations are making changes at varying levels of frequency without documenting the change. We saw this same shocking trend across all three organizational size segments with Enterprise being the worst offenders. 10

10 Annually Monthly Weekly Daily Never Figure 13: The frequency of undocumented changes If such a high percentage of IT organizations admit to bypassing their own controls, it becomes imperative to understand whether these undocumented changes are causing harm to the organization as a whole. IT is making changes that cause service interruption Nearly 65% of IT organizations admitted to making changes that caused services to stop. It s surprising to see that, despite the increased focus on managing and auditing changes as organization size increases, the percentage of IT organizations making changes that impact service availability grows up as the organization size increases. 10 t Sure Figure 14: Is IT making changes causing a stoppage in services? Given over half of IT changes are not being documented, without some ability to know when a change is made and what the change was, IT organizations will be hard pressed to quickly identify the change that caused service interruption. IT is making changes that cause security breaches IT organizations appear to be far more serious about changes when it comes to security. We asked if IT organizations had ever made a change that was the root cause of a security breach, an overwhelming 61% claimed to have never made such a change. SMBs were the most security change-conscious with 67% of respondents claiming to not having made such a change. Midsize organizations had the largest uncertainty of whether their changes impact security at 29%, with Enterprises being the worst offender with 17% of respondents admitting changes were made that caused a security breach. 11

10 t Sure Figure 15: Is IT making changes that caused a security breach? Conclusions and Recommendations When a breach occurs, a system goes down or an auditor shows up, questions are going to be asked. Tough questions like Who made changes to this system yesterday and what was changed? IT organizations today have the best of intentions to proactively prepare for such moments. But with so many IT professionals making changes without using the very systems they themselves have implemented, it is going to be nearly impossible for them to provide answers not just to auditors, but to themselves to solve a problem caused by a change. Without some means of accountability, IT changes will continue in these organizations without any supervision. Having a change management process or system that tracks changes alone won t help; there needs to be an external ability to check that all the changes that have been made are tracked. System logs provide some level of detail, but it is more critical that you have your most important systems monitored for changes where change detail (that may be lacking in logs alone) is provided. Given that IT organizations are making undocumented changes that impact system availability and security, IT organizations need to take another look at whether their change management needs the addition of change auditing. This will ensure that all changes both documented and undocumented are tracked, providing IT the ability to be notified when changes are made, report on and review changes in detail to specific systems at specific times, by specific individuals, and have the ability to find the answers quickly in case a change caused a security breach or service outage. About Netwrix Corporation Netwrix Corporation is the #1 provider of change and configuration auditing software, offering the most simple, efficient and affordable IT infrastructure auditing solutions with the broadest coverage of audited systems and applications available today. Founded in 2006, Netwrix has grown to have more than 160,000 customers worldwide, and is ranked in the Top 100 US software companies in the 2013 Inc. 5000 and Deloitte Technology Fast 500. For more information, visit www.netwrix.com. Netwrix Corporation, 20 Regional offices: Pacifica, Suite 625, Irvine, CA New York, Atlanta, Columbus, London netwrix.com/social 92618, US Toll-free: 888-638-9749 Int'l: +1 (949) 407-5125 EMEA: +44 (0) 203-318-0261 A ll rights reserv ed. Netw rix is trademark of Netw rix C orporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark O ffice and in other countries. A ll other trademarks and registered trademarks are the property of their respectiv e ow ners. 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information