Skip to content ↓ | Skip to navigation ↓


The evening of July 20 was a both joyous and bittersweet.  Why?  It was joyous because I spent the evening with so many Tripwire colleagues that I’ve loved working with, who were all congratulating me and wishing me well.  It was bittersweet because this was my farewell party at Tripwire: thirteen years after I founded Tripwire, I was leaving the company to start the next chapter in my life.

I had announced to the company on July 1 about my plans.  I’ll be posting this letter tomorrow.

I am very proud of my contributions to the company. Looking back, I’ve achieved almost everything I set out to achieve at Tripwire.  Eighteen years ago, I wrote the original version of Tripwire in 1992 with Dr. Gene Spafford. Now, it is a company that has thousands of customers, booked over $80MM in 2009, and continues to be used as part of information security, compliance and IT operations programs worldwide.  And as widely reported, the company completed its S-1 filing in May.

I am very grateful to Jim Johnson, the Tripwire CEO, for making something that was so difficult (for me) so easy.  He is a genuinely great guy with unquestionable integrity. The company future has never been this bright, and I am deeply grateful to everyone who has helped make that happen, including our customers and investors.

For me, the time was right to take some time off to spend with my family and resume work in area of passion: to complete the study and enable the replication of what makes high performing IT organizations tick.

As many of you know, since 2000, I’ve been studying a group of IT organizations that simultaneously achieve the best IT service levels, the best posture of compliance, the best integration of information security into the software development lifecycle, and also have the highest release rates and project due date performance.

How these organizations made their “good to great” transformation is what my colleagues and I captured in the Visible Ops and Visible Ops Security Handbooks, why we created a non-profit research organization, which benchmarked over 1500 IT organizations to conclude which practices led to improved performance.

Along with some trusted collaborators and fellow travelers, I believe that the conditions are now very favorable to propose some new solutions, dramatically different than the status quo.

In addition to spending half-time with my family, here are the three things that I intend to complete in the next two years:

Project #1: Finish My Book: “When IT Fails: The Novel”

Finish the novel “When IT Fails: The Novel.” The novel describes the fall and eventual triumph of the CEO and VP IT Operations of a 100 year old, $4B/year company at the brink of existential failure.

The CEO must close the gap with the competition.  But the two most critical projects necessary to achieve this are years late and way over budget, mostly because of IT. Furthermore, the company is losing customers due to outages and fragile and insecure IT infrastructure, SOX-404 IT audit findings are jeopardizing their 10-K with disastrous footnotes, PCI compliance failures threaten to damage the company brand, and developers are taking dangerous shortcuts in order to meet external promises.

It starts to dawn on the CEO that his survival now depends upon the success of IT and information security. And while he believes that IT is not their core competency, he learns that the company cannot function without it, and is therefore a competency that they must develop.

You can learn more about the book here.

Project #2: Start An Exciting New Venture

During my thirteen years at Tripwire, I was very focused on the mechanics of how organizations can detect and manage configurations and changes.  But in reality, the problem actually starts far upstream, in how the business and IT organizations made decisions that necessitated those changes.

I am starting a new venture to develop the methods, procedures and enabling software tools needed to support the transformations described in “When IT Fails: The Novel.”

I am very excited to be working with some very talented and trusted colleagues, so stay tuned for more details.

Project #3: Continue Engaging With Kick-Ass Communities Of Practice

Work with the communities that I believe will be an instrumental part of creating the management movement to change how IT is managed.  These include: DevOps, PCI Security Standards Council, Service Management, the Institute of Internal Auditors, the Software Engineering Institute, and I know I’ve forgotten mention some others!

I’ve had tremendously productive collaborations with these groups, as well as forming lasting friendships.  And I believe bigger and better achievements are still to come.

So Stay Tuned!

Thank you again for all your support, and I look forward to collaborating with you in this new chapter my new story.  If you want information on my progress, follow me on Twitter or subscribe to my newsletter.

Later this week, I’ll post my internal email announcement of my departure to the company, as well as pictures from the amazing farewell party that they threw for me.