Change Management: The key to IT risk reduction, control and operational stability.

Visible Ops Security: Achieving common security & IT operations objectives in four practical steps


Getting IT Operations, Development and Information Security to Work Together

The original Visible Ops™ methodology was a pioneering guide to helping IT organizations implement IT change management controls and process improvement. Now comes the groundbreaking follow-up: Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps. As put forth in this new handbook, this methodology tackles the difficult problem of how to get an organization's IT operations, development, and information security groups to work together to achieve the goals of aligning IT with the needs of the business, reducing organizational risk, and creating business value.

Why Can't We All Get Along?

Visible Ops Security focuses on a crippling problem in organizations: the challenges information security groups face in accomplishing their goals for safeguarding the organization because of difficulties in working with other groups across the IT organization.

In most organizations, groups responsible for IT operations, services (application) development, and information security are each assigned their own objectives. Over time, because of these different objectives, these groups develop an adversarial relationship and work together only when one group demands something of the other. The result is continual turf battles where one group blames the other for unplanned work, crises, or undoing their work.

A Four-Step Program

These turf battles need to stop and be replaced by a new paradigm where operations, development and information security work together towards three common goals: aligning IT with the needs of the business, reducing organizational risk, and creating business value. After all, that's really what it's all about, for the organization and all three groups.

Visible Ops Security is the peace plan for accomplishing that. It takes your organization through a four-step methodology for integrating security, development and operations that is based on 10 years of IT Process Institute (ITPI) studies of over 850 high-performing IT organizations. These high performers have seen results such as:

  • Production system changes fail half as often
  • Releases cause unintended failures half as often
  • One quarter of the frequency of emergency change requests
  • One quarter the frequency of repeat audit findings
  • One half the amount of unplanned work and firefighting
  • Two times higher server-to-system-administrator ratios

As for information security effectiveness, the evidence is overwhelming in this area as well:

  • High performers are half as likely as medium performers and one-fifth as likely as low performers to experience security breaches that result in loss
  • High performers automatically detect security breaches 15 percent more often than medium performers and twice as often as low performers
  • High performers have a mean time to detect anomalies measured in minutes, compared with hours for medium performers and days for low performers

Could You See These Kinds of Results?
Tripwire believes that by following the methodology outlined in Visible Ops Security, your organization could see similar results.

"Visible Ops Security is the first work I've found that helps connect all the dots...Many organizations, both large and small, will find the practical and clear guidance in Visible Ops Security to be very compelling in helping their efforts to get ahead of the risk management, compliance, and governance curve."
Jay R. Taylor, CIA, CISA, CFE, General Director, Global IT Audit & Financial Services, General Motors Corporation

"The Visible Ops Security handbook should be on the must-read list...It provides a play-by-play walk-through for how IT and security can work together towards the common goals of the business without getting in each other's way and without creating bureaucracy."
Ron Gula, CTO and Co-founder, Tenable Network Security

"When I heard a Visible Ops Security book was in the works, I was skeptical about the need for a sequel...But Visible Ops Security isn't a sequel. It's an essential companion to the original Visible Ops book."
Steve Darby, VP of Operations, IP Services

Written by Experts in the Field

Visible Ops Security was authored by three visionary leaders in the IT process improvement and security field.

Gene Kim is CTO and founder of Tripwire, Inc. In 1992, he co-authored Tripwire while at Purdue University with Dr. George Spafford. Since then, Tripwire has been adopted by more than 6,000 enterprises worldwide. Since 1999, he has been studying high performing IT operations and security organizations, which led Gene to co-found the ITPI in 2004. In conjunction with the ITPI, Gene co-authored the "Visible Ops Handbook: Implementing ITIL in 4 Practical And Auditable Steps" which has since sold over 75,000 copies.

Paul Love, CISSP, CISA, CISM, Security+, has been in the IT field for over 15 years. He has co-authored three security books, contributed to multiple Linux/Unix books, and has been the technical editor for over 10 best-selling Linux and Unix books. Paul is currently the Director of Information Security at The Standard.

George Spafford is a Principal Consultant with Pepperweed Consulting. He is a prolific author and speaker on a wide range of topics encompassing technology business, security, and IT governance, and is co-author of "The Visible Ops Handbook." He is a Certified Information Systems Auditor (CISA) and holds ITIL Service Manager, Practitioner Release and Control, and Foundations certifications. George is a current member of the ISACA, the IIA, and the ITPI.

What is the ITPI?
The IT Process Initiative (ITPI), www.itpi.org, an independent research and membership organization, is engaged in three principal areas of activity: research, benchmarking, and the development of prescriptive guidance for practitioners and business executives. The ITPI has collaboration agreements in place with research organizations such as the Software Engineering Institute at Carnegie Mellon University and the Decision Sciences program at the University of Oregon. It is currently developing the necessary guidance that solves the common objectives of IT Security, Corporate Governance, Audit and Operations. Through research, development and benchmarking, the ITPI creates powerful measurement tools, prescriptive adoption methods, and control metrics to facilitate management by fact.