Firewall change management? Who needs that anyway...

I recently had someone contact me and ask about the change management item I list in my Firewall Best Practices document. This person's inquiry revolved around them trying to get management to adopt change management practices and the troubles associated with having to properly and realistically explain to management the risks involved of not having good practices. This person wanted to know if I could explain the risks involved when a firewall best practice such as this is not implemented and potential exposure an organization could face. A book could be written about the specifics regarding change management and firewalls. Here's a good real-world example I've experienced...

Not too long ago I worked on a project where a network admin in a large organization made an offline/out of process change to a critical firewall that ended up creating hours of downtime for their e-commerce customers. That loss PLUS a couple weeks of consulting time to figure out what went wrong and how to prevent it in the future created some pretty serious business risks and costs. Stuff that didn't have to be IF:

1. They would've had the right change management processes in place (such as those outlined in ITIL)
2. Had employee buy-in so the processes were followed
3. Automated and enforced their policies and processes where possible using a technology such as those offered by Voyence and Configuresoft

I've always said and it deserves repeating here: as long as people have their hands in security, there will always be vulnerabilities and business risks.