
The change management paradox

Across the many topics of risk management, change management occupies a surprisingly discreet place; we would go as far as calling it largely underrated.

Indeed, incidents happen. Vulnerabilities are found by ethical hackers. Toxic combinations of circumstances are discovered by auditors. And all of this happens whatever the budget allocated to risk management, the tools and controls in place, the staff hired, and the completeness of the risk management processes. To understand why this is even possible, we have to analyze the root causes of those incidents or issues: what led to the unwanted situation or the unfortunate event. When you do, you will find that in most cases they were made possible because at some point in the past, something changed somewhere, and the risk impact of that change was not studied, or at least not completely understood.

Changes are often technical: new services are exposed, a new version of a tool or a business application is deployed, a new device is installed, the configuration of a security tool is modified, etc. Or they can be organizational: an employee moves from one team to another or is promoted, the company is restructured. In another dimension, they can be endogenous (internal to the company) or exogenous: a new vulnerability is discovered and exploited in the wild, and it is suddenly no longer acceptable to have a service exposed with a specific version of Log4j (remember?) or OpenSSL. Or again, even the "rules" can change, for example when compliance with a specific regulation, like the GDPR, becomes mandatory.

Each and every change, in any of those categories, has a disastrous potential whose magnitude bears no relation to the technical size of the change itself: a single, atomic, erroneous firewall rule can expose your entire internal network to the Internet. A single access granted to the wrong user can create a huge risk of fraud, intrusion or data leakage.
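To make the firewall example concrete, here is an added illustration that is not code from this article nor part of the Cognitechs engine: a toy first-match-wins ruleset, a constructed "before" and "after" version, and a check that reports which internal prefixes the edit newly exposes to an external host. Two scenarios are compared: a "temporary" rule opening one jump host to any source, and the same rule with a single wrong digit in the prefix length. The rule syntax, the RFC 1918 internal ranges, the probe address, the default-deny behaviour and the host-bit masking are all assumptions made for this example.

```python
"""Change-impact check for a single firewall rule edit.

Added illustration, not code from the original article and not the
Cognitechs engine: a first-match-wins rule list, a constructed "before"
and "after" ruleset, and a check reporting which internal prefixes the
edit newly exposes to an external host. Rule syntax, address ranges and
the sample rules are all assumptions made for this example.
"""
import ipaddress

# Assumed internal address space (RFC 1918) and an external probe address
# taken from the TEST-NET-3 documentation range.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_PROBE = ipaddress.ip_address("203.0.113.5")


def parse_rule(line):
    """Parse the toy syntax 'allow 0.0.0.0/0 -> 10.0.0.0/8 443'.

    strict=False mimics devices that silently mask off host bits, so a
    prefix-length typo such as 10.0.5.10/8 becomes a rule for 10.0.0.0/8
    (an assumption about the device, and the crux of the second scenario).
    """
    action, src, arrow, dst, port = line.split()
    if arrow != "->" or action not in ("allow", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    return {"action": action,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "port": port}


def verdict(rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for r in rules:
        if src_ip in r["src"] and dst_ip in r["dst"] and r["port"] in ("any", port):
            return r["action"]
    return "deny"


def candidate_prefixes(rules):
    """Internal prefixes worth probing: the internal ranges themselves plus
    every rule destination that lies inside them (so a /32 jump host shows up)."""
    found = set(INTERNAL)
    for r in rules:
        if any(r["dst"].subnet_of(n) for n in INTERNAL):
            found.add(r["dst"])
    return found


def exposed_prefixes(rules, candidates, port):
    """Candidate prefixes whose first address an external host may reach on `port`."""
    return {p for p in candidates if verdict(rules, EXTERNAL_PROBE, p[0], port) == "allow"}


def change_impact(before_lines, after_lines, port="22"):
    """Diff two rulesets and report what the edit newly exposes to the outside.

    The textual diff may be one line; the exposure delta is what matters."""
    before = [parse_rule(line) for line in before_lines]
    after = [parse_rule(line) for line in after_lines]
    candidates = candidate_prefixes(before) | candidate_prefixes(after)
    delta = exposed_prefixes(after, candidates, port) - exposed_prefixes(before, candidates, port)
    return {
        "added": [line for line in after_lines if line not in before_lines],
        "removed": [line for line in before_lines if line not in after_lines],
        "newly_exposed": sorted(str(p) for p in delta),
    }


# Constructed baseline: one public web server (TEST-NET-1), intra-site
# traffic allowed, everything from outside to the internal ranges denied.
BEFORE = [
    "allow 0.0.0.0/0 -> 192.0.2.10/32 443",
    "allow 10.0.0.0/8 -> 10.0.0.0/8 any",
    "deny 0.0.0.0/0 -> 10.0.0.0/8 any",
    "deny 0.0.0.0/0 -> 172.16.0.0/12 any",
    "deny 0.0.0.0/0 -> 192.168.0.0/16 any",
]
# Scenario 1: a "temporary" rule opening one jump host to any source.
AFTER_JUMPHOST = ["allow 0.0.0.0/0 -> 10.0.5.10/32 22"] + BEFORE
# Scenario 2: the same rule with one wrong digit in the prefix length.
AFTER_MASK_TYPO = ["allow 0.0.0.0/0 -> 10.0.5.10/8 22"] + BEFORE

if __name__ == "__main__":
    for name, after in (("jump host", AFTER_JUMPHOST), ("mask typo", AFTER_MASK_TYPO)):
        print(name, change_impact(BEFORE, after))
```

Both edits are a one-line diff that any review workflow would show as "one rule added"; only the second one turns the whole 10.0.0.0/8 into an externally reachable range on port 22, which is the kind of impact a validation step that looks at the change rather than at its effect cannot see.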

Now if you look at it, the role of a risk manager is first of all to be aware of every change, in all of those categories, which is already nearly impossible. Then, he or she must be able to infer all the impacts of every change on multiple risks (regulatory, cyber, data protection, availability...), in a "system" whose complexity depends on the company, but which can easily be composed of millions of interdependent elements. By "system", we mean the technical components (servers, user identities, data stores, etc.), but also the organizational knowledge and standards of the enterprise.

In summary: the task is virtually impossible, hence the incidents and issues that still occur.

On the other hand, change management is definitely not the most highlighted and advertised element of any risk management strategy. Standard frameworks mention a vague requirement to follow proper change management processes somewhere in a subchapter on "operational risks", which is nice but nearly useless. In practice it ends up being implemented as basic "validation steps" in workflows, which may let compliance officers tick a box but, to be completely honest, is quite ineffective at reducing the risk.

But there is a good reason for this lack of precision and emphasis: we don't really know how to solve this problem. Generally, we wait for an incident or an audit finding and then build a specific, narrowly scoped control to prevent it from happening again. This reactive approach leaves a high, and often under-evaluated, residual risk.

This is exactly why Cognitechs was founded. Based on our founder's experience in risk and security management, we designed the unique CogTL engine to detect, evaluate and react to any change in a complex system, even when that system is made of millions of interconnected knowledge elements.

And as risk management is generally not an IT responsibility (in other words, risk managers are not necessarily IT people), we wrapped this powerful but technical engine in simple risk management applications, whose user experience has been polished by feedback from multiple users, giving them the power of a Ferrari without requiring a driving license.