Why Failure to Sponsor ITSM Is Just Asking for Ransomware

“You are traveling through another dimension, a dimension not only of sight and sound but of mind. A journey into a wondrous land whose boundaries are that of imagination. Your next stop, the Twilight Zone!”

If you are even slightly connected on social media, maybe you have been feeling like I have lately: that you have mysteriously entered a parallel universe.

One universe is filled with rainbow-colored unicorns, where developers are magically empowered with unlimited knowledge of operational excellence. They also instinctively know the perfect customer experience (DevOps).

The other universe consists of a den of trolls who have maliciously infected every electronic device you own. What’s worse, they’ve systematically cooked up a scheme where you’re holding a winning lottery ticket, all so they can steal it from you and leave you holding the source code (SecOps).

Somewhere in the middle of all of this madness is reality.

As IT leaders, we must ground our ITSM disciplines in reality. In doing so, we recognize that ITSM is how IT gets work done. We need to understand that an appropriate balance is required in addressing any risk or opportunity.

There has always been a balancing act for our prioritization of IT resources.

Let’s take a look at some realities. We’ll start with SecOps, and in particular, the immediate threat of ransomware.

REALITY: You are already hacked and it’s going to happen again.

How do I know this?

Ransomware and malware do not happen as a result of vulnerabilities. They happen as a result of failed ITSM sponsorship and support.

Failure to manage ITSM disciplines has enabled one or more of the following activities to take place within your environment:

  • Failure to sanction an approved software distribution program. Since users are not able to get software from the sanctioned self-service request catalog, they download and install applications on devices from other sources.
  • Failure to inventory software configuration items. With the lack of support to discover and document configuration items properly into your CMDB, management of applications (and particularly, their security) is impossible. Patch management is about updating the keys, but if you don’t know where the safes are and what type they are, your patch management is already flawed.
  • Business service models don’t exist. Failing to map critical business services and vital business functions to your technology assets undermines vital decision making for access control, risk assessment, and recovery. IT works with limited resources, and this lack of intelligence cripples change, access, and availability planning around high-value targets.
  • ITSM is focused on IT support and is separate from PMO and SDLC. Incident and request management is not ITSM. Relegating accountability for how IT gets work done to your service desk manager or director of IT operations is a critical management flaw. Asset acquisition starts with a project. Sourcing the IT asset or building it requires all parties to understand the risk levels involved. Once operational, this will directly impact response procedures, change authority, and other governance.
  • We don’t need ITSM; we outsource everything and use the cloud. Heaven help me!

BOTTOM LINE: Ransomware is a byproduct of failing to effectively sponsor ITSM enterprise-wide.

The following three tactical efforts need to happen to improve protection against ransomware and malware:

1. Establish critical business service mappings. Starting with customer-facing offerings, map the interfaces, technologies, and systems that support these customers. Define their value and risk to the business. Yes, this is hard and expensive. But try data hostage negotiations for a couple of weeks! This is a walk in the park compared to what could happen.

2. Establish the sanctioned enterprise architecture of approved and supported technologies. This definitive list should be tracked in your ITAM solution, mapped to the discovered inventory. It should be followed by a solid whitelisting strategy and a rigorous “non-allowed” removal program to eliminate rogue (non-sanctioned) applications.

3. Redefine the accountability in your BYOD and cloud usage policies. Yes, it’s great that everyone wants to use their own devices for work. However, it must be crystal clear that allowing those devices to be hijacked or infected with malware is a personal liability. Arm your employees with security, inventory, and patch management tools that will ensure they are equipped to protect themselves, but more importantly, the corporate assets they access.
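Steps 1 and 2 come together in one reconciliation: the discovered inventory is compared against the sanctioned catalog, and each gap is ranked by the criticality of the business services that depend on the affected host. The following Python script is an added example (not from this post or any ITSM product); the sanctioned catalog, service map and discovered inventory are constructed sample data, and in practice they would be exported from the ITAM/CMDB and discovery tooling. It flags rogue (non-sanctioned) software, approved software below its minimum supported version, and hosts that no business service is mapped to, which is the CMDB gap the earlier bullets warn about.

```python
"""Reconcile discovered software against a sanctioned catalog and a
business-service map, ranking findings by business impact.

Added example with constructed data; not the post's or any vendor's code.
"""
from dataclasses import dataclass

# Constructed sanctioned enterprise architecture: product -> minimum supported version.
SANCTIONED = {
    "Office Suite": "16.0",
    "PDF Reader": "11.0",
    "Endpoint Agent": "5.2",
}

# Constructed business-service map: service -> criticality (1 low .. 5 high) and hosts.
SERVICES = {
    "online-ordering": {"criticality": 5, "hosts": ["web-01", "db-01"]},
    "payroll": {"criticality": 4, "hosts": ["hr-ws-07"]},
    "intranet-wiki": {"criticality": 1, "hosts": ["wiki-01"]},
}

# Constructed discovered inventory (what a discovery tool would report): host -> {product: version}.
DISCOVERED = {
    "web-01": {"Endpoint Agent": "5.3"},
    "db-01": {"Endpoint Agent": "4.9", "Torrent Client": "1.2"},
    "hr-ws-07": {"Office Suite": "16.1", "PDF Reader": "9.5", "Endpoint Agent": "5.2"},
    "wiki-01": {"Endpoint Agent": "5.3", "Screen Recorder": "2.0"},
    "lab-99": {"Endpoint Agent": "5.3"},  # not mapped to any business service
}

# Hypothetical weights: rogue software outranks an outdated approved product.
WEIGHT = {"unsanctioned": 3, "outdated": 2}


@dataclass(frozen=True)
class Finding:
    priority: int    # higher means act first
    host: str
    product: str     # empty for host-level findings
    issue: str       # "unsanctioned", "outdated" or "unmapped-host"
    services: tuple  # business services that depend on the host


def parse_version(text):
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(part) for part in text.split("."))


def services_for(host):
    """Business services that list this host in the service map."""
    return tuple(sorted(name for name, info in SERVICES.items() if host in info["hosts"]))


def host_criticality(host):
    """Highest criticality of any service the host supports; 0 if unmapped."""
    return max((SERVICES[name]["criticality"] for name in services_for(host)), default=0)


def reconcile(discovered=DISCOVERED, sanctioned=SANCTIONED):
    """Compare inventory with the catalog and return findings, most urgent first."""
    findings = []
    for host, apps in discovered.items():
        svc = services_for(host)
        # An unmapped host still gets its software checked at a low, non-zero weight,
        # and the missing mapping is itself reported as a CMDB gap.
        crit = host_criticality(host) or 1
        if not svc:
            findings.append(Finding(1, host, "", "unmapped-host", ()))
        for product, version in apps.items():
            if product not in sanctioned:
                findings.append(Finding(crit * WEIGHT["unsanctioned"], host, product, "unsanctioned", svc))
            elif parse_version(version) < parse_version(sanctioned[product]):
                findings.append(Finding(crit * WEIGHT["outdated"], host, product, "outdated", svc))
    return sorted(findings, key=lambda f: (-f.priority, f.host, f.product))


def report(findings):
    """One line per finding for a removal/patch work queue."""
    return [
        f"[P{f.priority:02d}] {f.host:8} {f.issue:14} {f.product or '-':16} services={','.join(f.services) or '-'}"
        for f in findings
    ]


if __name__ == "__main__":
    print("\n".join(report(reconcile())))
```

Run as-is, the output queue starts with the rogue torrent client on the database host behind the most critical service, then its outdated endpoint agent, and ends with the unmapped lab host. The weights and criticality scale are assumptions to be tuned; the point is that removal and patching work is ordered by the business service map rather than by whichever host was scanned first.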

Clearly, it will take more than this to protect against ransomware. However, effective ITSM is already providing processes and tools to support these governance areas.

Is your ITSM lacking this level of governance focus or sponsorship? Talk to us about how to take your governance to the next level, and be sure to download our free whitepaper on how to prevent ransomware.