This trend should not be as surprising as it may sound. Years ago, change audit and control tools such as those offered by Tripwire saw their first wide acceptance, not for their IT service management values, but as security enablers; as a means to instrument the detection of unauthorized change resulting from exploit or attack.
They have since been recognized for the value they contribute to IT service management. Yet their importance is now coming full circle as a key enabler of risk control, by playing a significant role in monitoring events that not only threaten IT's positive values, but which also indicate the bad guys may be afoot.
Other risk technologies that bridge IT operations and security include event management systems. In IT ops, they perform root cause analysis of IT service problems. In security, they correlate recognition of a threat. Uniting these two perspectives can help businesses distinguish the true root cause of system events, and improve the distant early warning of potential governance or compliance risks. They also contribute directly to the accumulation and maintenance of audit-worthy evidence of the effectiveness of IT risk controls.
The service desk is yet another focus of shared interest between risk management and IT optimization. Response to a risk event may mean follow-up: analyzing a vulnerability, deploying a patch, investigating behavior, improving education. The workflow capabilities of the service desk can play a key role in delivering an effective response. Yet, one of the biggest benefits of a comprehensive view of risk management may be in getting security and IT ops to play nice with each other.
These two groups often disagree because they serve different priorities. Operations wants to make sure IT is highly available, whereas security wants to keep things as safe as possible. Yet they do have common interests: Defending critical IT services against disruption is an operations priority, while security pros are dedicated to assuring the "A" in security's CIA values of confidentiality, integrity and availability.
Giving them a common goal, such as agreement on the tools and processes that improve their cooperation, may be one of the greatest benefits of taking the high road of risk management that speaks to both sides of the issue.
Because, after all, it's all about risk.
Scott Crawford is a research director of the Security and Risk Management practice with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. The former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, Scott has also worked with the University Corporation for Atmospheric Research as well as Emerson, HP, and others. He can be reached at firstname.lastname@example.org.