03 September 2025
Stephen Earl, Director, Cloudhouse
Change management is a fundamental IT discipline and process. Being aware of what is happening in your IT estate is key to having a secure and managed infrastructure and application landscape.
A good change and configuration management process gives you visibility of what is taking place in your IT estate and how it is evolving to meet your business needs. It also allows you to check that you are aligned with your own standards and policies as well as external standards.
A security breach or outage, for example, leaves IT systems exposed and can lead to significant remediation projects. The recent high-profile cyber-attacks against several high street retailers illustrate this growing and very real risk. Extensive audits take place into why the event happened – audits are still ongoing for last year’s Microsoft CrowdStrike outage, for instance – and then remediation projects are initiated to modernise systems and rectify vulnerabilities. However, an audit implies a heavy one-off event. Instead, change management should be woven into business as usual.
Having confidence in your change management and enablement processes should be a given, and the use of these should be part of everyday activities. But how do you create a change process that reduces friction, isn’t onerous and thus is there to watch your back?
For CIOs, it’s about:
1. Small and steady improvements
It’s crucial to strike the balance between enabling change and ensuring operational continuity. If too much change is done at once or nothing is done at all to modernise outdated systems, then in both situations companies can end up with significant gaps and vulnerabilities in their systems.
Incremental and low-risk updates can not only build resilience and reduce technical debt over time, but they also provide visibility into when security gaps emerge and allow you to manage them before they become threats. Keeping detailed changelogs and conducting configuration updates can be great ways to demonstrate compliance with internal and external standards too. Crucially, this normalises change.
2. Changing mindsets
Traditionally, change management could be seen as a major undertaking that didn’t warrant its cost, the time it would take, or the disruption it would cause. Now, however, the scale of cyber-attacks happening to many high-profile organisations has put IT security much higher on the list of priorities for business leaders, if not at the top.
But this is where CIOs must model and advocate for proactive improvement, not just reactive fixes. Change management is not a one-time event but an ongoing way of working; it’s crucial to reducing attack surfaces and ensuring operational stability.
Resistance to change can come from the perceived scale of updating existing critical business applications. But CIOs can educate leaders on the different options for modernising unsupported or outdated applications, such as redeploying them onto supported operating systems without needing to change the applications themselves.
3. Ongoing monitoring and collaboration
The key challenge in change management is maintaining oversight and hygiene of the entire IT estate. Security vulnerabilities accidentally emerge when there is a lack of alignment between how different elements of the estate interact with each other, or when teams do not know what changes are being implemented by other teams.
It’s why adopting a smart, centralised platform that can automatically and continuously monitor the whole IT environment can be a real asset. If teams have one view of their estate, they can spot and manage configuration changes and reconcile them in real time. If you can provide an evidenced trail of activities taken against your devices and configurations, you can enable faster time-to-incident resolution, increased awareness of the changes across your technology estate, and assurance that policies and standards are being adhered to.
Change management is a top priority
The current IT landscape is emphasising the importance of change and configuration management. But it shouldn’t take a crisis to trigger an evaluation of the process. To avoid having to carry out a major remediation project and audit into IT failures, it’s worth performing an audit of your change processes. To reduce friction in what can be an onerous activity, CIOs can adopt an approach that delivers small and steady improvements and gains buy-in from stakeholders across the company.
But true change management relies on having complete oversight of your entire IT estate.
This visibility means you can ensure that devices are correctly configured, that standards are being adhered to, and that changes do not accidentally lead to security holes and the damaging repercussions that can come from them.
In the current climate, where security breaches are gaining visibility publicly, don’t wait for your organisation to become a news story. By prioritising change and configuration management you get ahead of the pack, enabling IT estate visibility and insight before potential events force your hand.



