Making a case for change

When developing a business case for changing the way we envision, develop and implement IT controls, make every attempt to justify it with metrics that are meaningful in the context of everyday operations, as opposed to point-in-time compliance.

As detailed in the prior chapter, the rate of failure seen in changes deployed in production, the mean time to repair a bug, the average time taken to remove access for a terminated employee, and the percentage of failed backup media all convey a sense of urgency to keep the lights turned on.

Change does not have to come in the form of a neatly carved out compliance project. If anything, the label of compliance can spell doom from the start ...
