Oracle releases large Critical Patch Update!


Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user-targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk is still notable and the vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

January 2017 Patch Tuesday Forecast – Shavlik


Goodbye 2016; Hello 2017!

We have survived another year and what a year that was.

As we start off 2017, I am sure most of you have already heard about the joining of forces between LANDESK and Heat Software to strengthen their combined expertise in security and patching. This marrying of the minds comes just in time for those who have not yet picked a new year’s resolution. Now is the time to resolve to improve the health of your security posture and patch your systems regularly.

Even though there are no known zero days or hints of nasty exploits on the horizon, we all know that it is just a matter of time before someone will find something to hack and expose potential vulnerabilities. So, with that in mind, let’s start the year off with good habits and make sure we are following the steps to better Security Hygiene now that the holiday fun and distractions are behind us.

Steps to Better Security Hygiene

  • Make sure you have sanitized incoming email with junk mail and phishing filters. Remember that user-targeted vulnerabilities are where some of the highest risk lies.
  • Make sure you have sanitized the machines and devices of users who have come into contact with public WiFi while traveling in and out of the office and private secured networks. Since users will likely browse the internet, open email with attachments, and in general be exposed to potential attack vectors daily, it is important to sanitize their machines with good signature, non-signature, and behavioral threat assessments. Remember that signature-based threat assessment alone is not enough anymore.
  • Make sure your systems are frequently patched, both the OS and software, and make use of least privilege rules and proper application control. Remember that preventative security measures can mitigate or eliminate 85% of the threats in today’s market.

Honorable Mentions

Chrome announced at the end of 2016 that beginning in the new year they will be identifying web pages as “Not Secure” if the page includes login or credit card fields AND the page is not served using HTTPS. For additional information on this announcement, see the following article posted on
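To see how that rule applies to your own pages, here is a small audit script (an added example, not code from the post or from Chrome): it parses a page for password inputs and payment-card autocomplete fields and reports "Not Secure" exactly when such a field is present and the page is not served over HTTPS. The sample pages and hostnames are constructed.

```python
# Added example (not from the original post): audit an HTML page for the
# condition Chrome announced it would flag as "Not Secure" in January 2017,
# namely a login (password) or credit-card field on a page not served over HTTPS.
# The sample pages and hostnames below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

# autocomplete tokens the HTML autofill spec defines for payment-card fields
CARD_AUTOCOMPLETE = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
                     "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Collects <input> elements that count as login or card fields."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; values are normalised here
        a = {k: (v or "").strip().lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        if a.get("type") == "password":
            self.password_fields.append(name)
        elif a.get("autocomplete") in CARD_AUTOCOMPLETE:
            self.card_fields.append(name)


def find_sensitive_fields(html):
    """Return (password_field_names, card_field_names) found in the markup."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.password_fields, finder.card_fields


def audit_page(url, html):
    """Audit verdict for one page served at `url`.

    not_secure is True exactly when the page carries a password or card
    field AND the scheme is not https, mirroring the announced rule.
    """
    passwords, cards = find_sensitive_fields(html)
    scheme = urlparse(url).scheme.lower()
    has_sensitive = bool(passwords or cards)
    return {
        "url": url,
        "https": scheme == "https",
        "password_fields": passwords,
        "card_fields": cards,
        "not_secure": has_sensitive and scheme != "https",
    }


# Constructed sample pages
LOGIN_HTML = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="PASSWORD" name="pw">
  <input type="submit" value="Sign in">
</form>"""

CHECKOUT_HTML = """<form action="/pay" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="cvc" autocomplete="cc-csc">
</form>"""

PLAIN_HTML = """<form action="/search"><input type="text" name="q"></form>"""


if __name__ == "__main__":
    for url, page in [("http://intranet.example.test/login", LOGIN_HTML),
                      ("https://intranet.example.test/login", LOGIN_HTML),
                      ("http://shop.example.test/pay", CHECKOUT_HTML),
                      ("http://www.example.test/", PLAIN_HTML)]:
        v = audit_page(url, page)
        print(f"{url}: {'NOT SECURE' if v['not_secure'] else 'ok'} "
              f"(password={v['password_fields']}, card={v['card_fields']})")
```

Run it against the HTML of each form page in your inventory (fetched or exported) to find the pages that must move to HTTPS first.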

Your Patch Tuesday Forecast

Based on the trends we saw in 2016, the January 2017 Patch Tuesday will likely include updates for the following:

From Microsoft we are likely looking at around 1-4 installable packages:

  • OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
  • Office is likely since there were updates consistently pretty much every month in 2016.

From Adobe you can expect 1-3 updates:

  • Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
  • Adobe Reader and Acrobat both released an update back in October of 2016 and have been pretty consistently having an update every 2-3 months this year. Those two are a high possibility this month since they did not release last month.

From Chrome you may have 1 update this month:

  • Chrome released a beta version after last Patch Tuesday making it likely there could be an update on or around Patch Tuesday this month.

Total update accumulation: 3-8 updates for Patch Tuesday next week.

As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, January 11th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

Happy Holidays – New Updates for Mac OS


It is the holiday season, and with that come presents for Mac OS in the form of updates for a number of issues, including several denial-of-service vulnerabilities.

Released on December 13th, Apple has new security updates for macOS Sierra 10.12.2, El Capitan 2016-003 and Yosemite 2016-007.

The winner for most CVE updates for this release is macOS Sierra 10.12.2 with 71 CVEs to address a wide variety of vulnerabilities. These vulnerabilities include 8 denial-of-service issues:

  • CVE-2016-7609: AppleGraphicsPowerManagement – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7605: Bluetooth – Improved input validation has been added to address the possible impact of an application being able to cause a system denial of service.
  • CVE-2016-7604: CoreCapture – Improved state management has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7603: CoreStorage – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-7667: CoreText – Improved validation of overlapping ranges has been added to address the possible processing of a maliciously crafted string being able to cause a denial of service.
  • CVE-2016-7615: Kernel – Improved memory handling has been added to address the possible impact of a local user being able to cause a system denial of service.
  • CVE-2016-6304: LibreSSL and OpenSSL – Improved memory handling for unbounded OCSP growth has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.
  • CVE-2016-7636: Security – Verification of OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate have been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.

This security update addresses memory corruption and shared memory issues, use after free issues, validation and system privilege issues on top of the denial of service critical vulnerabilities.

New security content is also available for Safari 10.0.2 which is made up of 25 CVEs to address vulnerabilities focusing on arbitrary code execution in both Safari Reader and WebKit. Given the number of user targeted vulnerabilities, it would be a good idea to look at installing this security update sooner rather than later.

With the pending end to 2016, now is the perfect time to start a new habit of patching your Mac regularly and having a more secure 2017.

How to Achieve and Sustain Secure Agility

The long-term success of a business depends on its agility – the ability to sense and adapt to changes within the industry in order to stay competitive. The same can be said for your IT operation, but it’s not as daunting as it sounds.

Start at the bottom—and at the top

An agile enterprise requires agile, user-centered, comprehensive, integrated security. If security at your enterprise isn’t already all of those things, start making it all of those things.

For most of you, that effort can and should begin with patching your key applications, operating systems, client systems, and servers more consistently and regularly than you are now. As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

Secure agility can be built from the ground up, but the will and commitment to become and remain securely agile must come from enterprise leadership. That means executives, IT, security, and business unit leaders must be visibly and demonstrably behind security- and agility-enhancing initiatives.

Walk the talk

Declared commitments to secure agility must extend beyond platitudes and media quotes. Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise. This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Build it in

Every process and control upon which your enterprise’s competitiveness depends must incorporate security- and agility-enhancing elements.

This means those processes and controls must be driven by and measured against your enterprise’s performance requirements and goals. They must also incorporate specific features for integration with and support of efforts to achieve and sustain user-centered security.

Controls and processes that do not include these characteristics will likely contribute little to your organization’s agility, and might even impede it. (This means all controls and processes must be reviewed and tested regularly and designed to be easily modified or retired as changes demand.)

Show your work

It’s not enough to preach the gospel of secure agility. It’s not even enough to achieve a sustainable level of secure agility. For your efforts to have maximum business value, you must show and tell all of your most important stakeholders the details of those efforts and their effects. This means that consolidated, integrated, timely, business-driven reporting of all things related to security and agility should be a critical element of your secure agility efforts.

Be securely agile everywhere

Pursuit of secure agility may begin in one or more departments or business units, but for maximum business benefit, it must be pervasive.

For many enterprises, the best way to make this happen is to start with IT. IT powers most of the services that run an enterprise’s business and is already focused on (if not preoccupied with) security. Secure agility initiatives that prove successful within IT can therefore likely be incorporated into the delivery and management of other business services.

This means that a single, integrated, process-driven platform for service management and security management can be a powerful enabler of enterprise agility.

Secure agility is an operational and competitive requirement for every successful enterprise. By taking concrete steps toward inculcating a culture that is focused on user-centered security and enterprise agility, you can accelerate your enterprise’s journey to true, sustainable, secure agility.

If you choose or are forced to remain focused on reactive firefighting as an operational approach to security, neither secure agility nor your career are likely to advance much further at your enterprise.

Moving to a proactive, holistic approach to user-centered security and enterprise agility, however, will have salutary effects on your enterprise and your career.


Reshaping Your Enterprise With Agility, Resilience, and Trust

It is critical to understand that success in establishing and cultivating ART-fulness (agility, resilience, trust) at your enterprise—like success in establishing and cultivating comprehensive security—is largely an outreach-driven effort.

Both require consistently high levels of internal marketing, sales, and evangelism.

These requirements may constitute the bulk of your challenges as you seek to establish, grow, and promote both ART-fulness and security at your enterprise.

Fortunately, there are some straightforward steps you can take to tame these challenges, steps based on some fundamental, consistently successful marketing and outreach techniques.

How to Make Your Enterprise More Secure and More ART-ful

  • Engage

Security and ART-fulness are things you simply cannot achieve and do not even want to attempt without lots of help and support. Identify the influencers, leaders, and stakeholders who matter most to your efforts. Then, make sure their voices are heard and matter, and make sure that they know these things are true.

  • Inform

Once you’ve identified those who matter most, get and stay in touch with them. Tell them what you’re doing and why. Tell them how their support is contributing to your efforts and why those contributions matter. Regular, non-disruptive, nonintrusive communications, perhaps via a short e-mail newsletter, a dedicated internal Web site or portal, or both, can be low-effort, high-impact tools here.

  • Persuade

Use the activities and information with which you engage and inform your constituents to persuade them that comprehensive security and ART-fulness are essential to your enterprise’s success. Find and share supporting external examples of secure, ART-ful enterprises.

Identify and tout credible data that underscores the business value of security and ART-fulness—and the costs and risks of not having enough of either. Free, simple Web content monitoring tools such as Google Alerts can make finding such points of persuasion easier.

Also, when you and your colleagues successfully improve security, agility, resilience, and/or trustworthiness within your enterprise, promote these successes to as many stakeholders and influencers as possible. Nothing persuades like success.

  • Invite

This is one of the most critical and frequently overlooked elements of successful outreach. Every communication should include a call to action—an invitation to do something to continue the conversation. Ask your constituents for their opinions and suggestions wherever possible.

Hold events such as webinars and Tweet chats, and invite constituents to participate. Solicit success stories or even “epic fails” related to security, ART-fulness, or both, and share these with attribution. Welcome input and feedback, and incorporate these explicitly into your enterprise’s journey to greater security and ART-fulness. This is one of the most effective ways to turn the disinterested and skeptical into observers, stakeholders, and advocates.

An enterprise that is optimally secure and ART-ful is one that is well positioned for sustained success, whatever its primary business. But neither optimal security nor ART-fulness ever just happens. Each requires careful, consistent nurturing and support from a committed community of advocates.


Trust Us, the Cornerstone to Business Is ‘Trust’

Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or entity you could not trust.

It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way.

Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

To quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies.

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book The Speed of Trust: The One Thing That Changes Everything. He is also the son of Stephen R. Covey, who wrote the worldwide bestseller The 7 Habits of Highly Effective People, and CEO of the Covey Leadership Center. A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust.

Specifically, Covey argues that success in business requires a winning competitive strategy, and superb organizational execution—and that distrust is an enemy of both. He adds that while high trust levels won’t necessarily make a poor strategy effective, even the best strategy can be derailed by a lack of trust.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said they simply refuse to buy anything from those they don’t trust. Further, 80 percent of those respondents said that they will buy only from those they trust.

Zig Ziglar, one of the best-known and most widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”

How to Achieve and Sustain Trustworthiness

  • Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.
  • Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.
  • Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy as possible for them to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.
  • Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders—from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business, especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. Include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.


Shavlik is Your Single Solution to Creating an ART-ful Enterprise

While tools alone will not guarantee comprehensive, effective, user-centered security, the right tools can enable and accelerate your progress toward that goal.

Shavlik offers a number of tools that can support your efforts to maximize your organization’s IT security.

Shavlik Protect

When the majority of vulnerabilities come from third-party applications, patching operating systems isn’t enough protection for your organization.

Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments. It automates patching of not only Microsoft Windows and Office software but also third-party applications from hundreds of vendors, including Adobe, Google, and Oracle.

Shavlik Protect can be configured to deliver agentless or agent-based patch management, and can patch both online and offline virtual machines, including templates and the hypervisor itself. It can even take snapshots prior to patch deployment, so you have a rollback option if something goes wrong. Other capabilities include a library of ITScripts (pre-created PowerShell scripts) that can be customized easily to automate scores of IT maintenance tasks, on demand or on a regular schedule.

Shavlik Protect is also intuitive and easy to configure and use. For many users, Shavlik Protect can be deployed and begin delivering value in as little as 30 minutes.

Shavlik Empower: Heterogeneous Patching in the Cloud

This cloud-based solution delivers patch management for and asset intelligence about Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are.

A browser-based interface enables administrators to view and manage the information collected by Empower sentinels and agents from almost any Web-connected device. Empower can be deployed independently, or as an add-on for Shavlik Protect, Shavlik’s patch management automation solution for datacenter servers, client workstations, and virtual environments.

Fully automate Windows patching, with the flexibility to define policies that lets you filter what you patch by severity, vendor, product family, or product version. Employ the same workflows to manage Mac OS X patching (with some slight differences in filtering options). Minimize user disruption with flexible scheduling and reboot control. Create a firm, flexible foundation for pervasive, effective, transparent security at your enterprise with Shavlik Empower.

Shavlik Patch for Microsoft System Center

For organizations that already know and use Microsoft System Center Configuration Manager (SCCM), Shavlik Patch is an ideal add-on for enabling SCCM to patch third-party applications. Shavlik Patch delivers updates for more than 1,500 application versions from an easy-to-use plug-in that snaps right into the SCCM console. Shavlik Patch enhances security and extends the value of Microsoft SCCM investments, with no additional infrastructure or expertise required.

Secure Mobile Email by LetMobile

LetMobile also supports comprehensive, configurable data loss prevention (DLP) filtering rules for both inbound and outbound traffic based on device, user, location, network and time. LetMobile also integrates with any incumbent corporate DLP systems to inherit existing rules and policies. It’s the best of all worlds for a “bring your own device” (“BYOD”) or “company owned, personally enabled” (“COPE”) environment, since it provides robust data security without interfering in any way with personal use of the mobile device.

The Shavlik Team: Your Expert Security Partners

The Shavlik website features authoritative, timely blog posts, as well as white papers, forums and security alerts. The site is an ideal go-to resource for your ongoing security education and promotion efforts.


5 Secrets to Achieving and Sustaining Resilience

There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”

Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.

“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”

By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:

  1. Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
  2. Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
  3. Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
  4. Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need and deserve.


Surviving the Storm With Agility and Resilience

“The oak fought the wind and was broken, the willow bent when it must and survived.” – Robert Jordan, The Fires of Heaven

Many businesses are suffering the same fate as the oak mentioned in Robert Jordan’s quote. It’s Jordan’s willow that is standing the test of time thanks to its agility and resilience.

Business resilience

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject.

Discussions surrounding resiliency tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity.

True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption—planned or unplanned, minor or catastrophic.


ISACA (formerly the Information Systems Audit and Control Association) is a membership organization that provides certifications, information, and guidance focused on auditing controls for computer systems.

Volume 3 of the 2009 ISACA Journal features an article by information security expert John P. Pironti called “Key Considerations for Business Resiliency.” That article provides both a comprehensive definition and a significant caveat for those pursuing business resilience (or resiliency).

“Business resiliency is the maturation and amalgamation of the individual processes of crisis management, incident response, business continuance and disaster recovery into one succinct set of processes and capabilities that work collectively, instead of independently.

This combination allows organizations to have minimal disruption in the event of a business-impacting incident that affects the entire organization, instead of focusing on incidents that involve specific information infrastructure areas.

“When evaluating these capabilities, it is important to understand that they are only as effective as the proactive planning and considerations that go into their development. Too often, planning accounts for only the most obvious considerations and does not incorporate crucial and essential considerations that have a greater effect on the business.”

Resilience defines the bottom line

As the ISACA quote above states, resilience includes multiple other elements beyond DR/BC. Despite the inclusion of BC in the description and intent of most DR/BC plans, these tend to focus on DR and IT.

True resilience, however, focuses more on the needs of and effects upon the business.

The goal of true resilience is to enable the business to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

A specific focus area for resilience plans and strategies is the availability of essential IT and business services. Small-seeming differences can mean a lot.

For example, the difference between 99 percent availability and 99.9 percent availability is the difference between 1.68 hours and just more than 10 minutes of downtime every week. Most IT service level agreements (SLAs) focus on availability levels of 99.99 percent, or “four nines,” and 99.999 percent, or “five nines.”
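To put those figures into practice, here is a small helper (an added example, not code from the post): it converts an availability target into the downtime budget it permits per week or per year, and checks a constructed outage log against a target, clipping outages to the reporting window and merging overlapping incidents so they are not double counted.

```python
# Added example (not from the original post): turn an availability target into
# the downtime it permits per period, and check a constructed outage log against
# that target. The outage timestamps below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

MINUTES_PER_WEEK = 7 * 24 * 60          # 10,080
MINUTES_PER_YEAR = 365 * 24 * 60        # assumes a non-leap year


def downtime_budget_minutes(availability_pct, period_minutes=MINUTES_PER_WEEK):
    """Minutes of downtime allowed in one period at the given availability."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period_minutes * (100.0 - availability_pct) / 100.0


@dataclass
class Outage:
    start: datetime
    end: datetime


def measured_availability(outages, period_start, period_minutes=MINUTES_PER_WEEK):
    """Availability actually achieved over one period, as a percentage.

    Outage time outside the window is clipped, and overlapping outages are
    merged so two simultaneous incidents are not double counted.
    """
    window_end = period_start + timedelta(minutes=period_minutes)
    clipped = sorted((max(o.start, period_start), min(o.end, window_end))
                     for o in outages)
    merged = []
    for start, end in clipped:
        if end <= start:                 # entirely outside the window
            continue
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    down = sum((e - s).total_seconds() / 60.0 for s, e in merged)
    return 100.0 * (1.0 - down / period_minutes)


def sla_breached(target_pct, outages, period_start, period_minutes=MINUTES_PER_WEEK):
    """True when measured availability fell below the SLA target."""
    return measured_availability(outages, period_start, period_minutes) < target_pct


# Constructed outage log for the week starting Monday 2 January 2017
WEEK_START = datetime(2017, 1, 2)
OUTAGES = [
    Outage(datetime(2016, 12, 31, 23, 0), datetime(2016, 12, 31, 23, 30)),  # previous week, ignored
    Outage(datetime(2017, 1, 3, 0, 10), datetime(2017, 1, 3, 0, 40)),       # 30 min
    Outage(datetime(2017, 1, 3, 0, 30), datetime(2017, 1, 3, 1, 10)),       # overlaps; merged total 60 min
]

if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99, 99.999):
        print(f"{pct}% -> {downtime_budget_minutes(pct):.2f} min/week, "
              f"{downtime_budget_minutes(pct, MINUTES_PER_YEAR):.1f} min/year")
    print(f"measured: {measured_availability(OUTAGES, WEEK_START):.3f}%")
    for target in (99.0, 99.9):
        print(f"SLA {target}% breached: {sla_breached(target, OUTAGES, WEEK_START)}")
```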

These differences merely hint at the range of options available to those seeking to balance availability with cost, since higher availability almost always requires higher investment in infrastructure. IT decision makers are often significantly challenged by the need to associate costs with availability levels in ways meaningful to their business colleagues.

This challenge is a primary driver behind the growth of enhanced reporting and “chargeback” and “showback” features in IT infrastructure and service management offerings.

However, these can only improve the presentation of relevant information. They do nothing to make the underlying infrastructures and the services they enable more available, resilient, or robust. Such features can and should be included in resilience strategies and solutions, but they cannot and should not stand alone.


The One Thing Leading Businesses All Have in Common

Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by the discipline known as “change management.” (An aside: to succeed with change management, it is often necessary to… change management.)

So, what exactly is agility?

In August 2014, The Center for Effective Organizations (CEO) at the University of Southern California (USC) published its first book, The Agility Factor: Building Adaptable Organizations for Superior Performance. The Center has conducted its Organization Agility Research Program for more than a decade and studied more than 230 companies as part of the research that led to the book.

The authors found that “consistently high performers possess a capability to change their resources and processes repeatedly.” Such enterprises also “have the strategies, structures, resources, processes, and routines that allow them to both sense and adapt to environmental threats and opportunities as well as intentionally execute on strategic initiatives.”

This comparatively broad and proactive view of agility requires an equally agile IT infrastructure—and to be truly, reliably agile, that infrastructure must be secure.

Agility’s bottom-line benefits

Security obviously matters to those focused on agility, but why should those who focus on security care about agility?

In 2006, organizational effectiveness experts Edward Lawler and Christopher Worley wrote the book Built to Change: How to Achieve Sustained Organizational Effectiveness. According to Lawler and Worley, between 1973 and 1983, 35 percent of the top 20 Fortune 1000 companies were new to that list. That percentage of new top-20 companies grew to 45 percent between 1983 and 1993, and to 60 percent between 1993 and 2003.

Many, if not most, of the companies displaced by newcomers to the Fortune 1000 top-20 list not only fell to lower positions but ceased to exist entirely. Why? Because they were not sufficiently agile. So agility can be seen as a type of job security for security teams and their colleagues across the enterprise.

Agility also has more direct and positive effects on an enterprise’s bottom line, as a separate USC CEO study revealed. For that research, the Center evaluated the financial performance of more than 240 large firms across 17 industries and 30 years. “In every industry we studied, there were two or three ‘outperformers’: companies that achieved above average industry…performance more than 80 percent of the time.

When we compared our survey and interview data with the performance data, we observed a strong relationship between a company’s basic approach to management and its long-term profitability patterns. When markets and technologies changed rapidly and unpredictably—as they did in every industry over these 30 years—the outperformers had the capability to anticipate and respond to events, solve problems, and implement change better than thrashers. They successfully adapted. They were agile.”