CHAPTER 19: BRINGING IT TOGETHER
Making a case for change
When it comes to developing a business case for changing the way we envision, develop and implement IT controls, make every attempt to justify with metrics that are meaningful in the context of every-day operations, as opposed to point-in-time compliance.
As detailed in the prior chapter, the rate of failure seen in changes deployed in production, the mean time to repair a bug, the average time taken to remove access for a terminated employee, or per cent of failed back-up media, all convey a sense of urgency to keep the lights turned on.
Change does not have to come in the form of a neatly carved out compliance project. If anything, the label of compliance can spell doom from the start ...