In a recent podcast interview with Cybercrime Magazine host Heather Engel, Cimcor President and CEO Robert E. Johnson, III discusses how organizations are starting to move away from treating IT operations and cybersecurity as two separate areas and are instead bringing them together by aligning service processes with security practices. The podcast can be listened to in its entirety below.
Welcome to the Data Security Podcast, sponsored by Cimcor. I'm your host, Heather Engel. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time while providing detailed forensic information about all changes.
Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Heather: Joining us today is Robert Johnson III, President and CEO at Cimcor. Robert, welcome to the podcast.
Robert: Thank you, Heather. I appreciate the opportunity to be back on your show.
Heather: So today we're talking about the convergence of IT service management and cybersecurity. And I'd like to start by asking you, why do you think IT service management and cybersecurity are no longer separate disciplines, and what factors are prompting their integration?
Robert: Well, change drives most risk.
Every service change is actually a security-relevant event, and every security event degrades service. And in today's world, where everyone's focused on, you know, cloud speed, going fast, automation, and with compliance expectations greater than ever, this is all forcing one operating model where change, configuration, and control are all managed together. And we see data backing that up. For instance, in Verizon's Data Breach Investigations Report, we saw third-party involvement doubled to 30%. Exploitation of vulnerabilities increased 34%. And ransomware is still going strong at 44% of breaches. This is really that intersection of service change and security. Another way to kind of look at this is not only is this critical to do now, but it's not that big of a paradigm shift, especially when you think about what people are trying to accomplish. When the business runs on software, service health, and security, they're really the same problem. They're just seen from two different angles.
Heather: How do you explain the value of this convergence to executives who may still see IT operations and security as two very different priorities?
Robert: One converged model actually means fewer surprises. Convergence cuts the mean time to detect. It reduces the mean time to restore, it reduces audit findings, it lowers cost. When you can converge, you get resilience that you can actually measure, evidence that you can defend, and now you can increase that speed that I spoke about earlier, and focus on the speed of response that you can safely maintain. In terms of dollars, IBM's 2025 Cost of a Data Breach Report, that just came out, shows that the average cost of a breach is $4.4 million. Now, on the plus side, that's down 9% year-over-year. But that same report shows this increasingly concerning governance gap among organizations. For organizations that had some type of AI-related security incident, 97% of those incidents lacked proper AI access controls. 63% lacked AI governance policies. I mean, these are really classical, cross-functional or cross-divisional issues that you can solve with one operating model. Think about it. You have one plan. One converged service and security pipeline.
That's just one set of promises you need to keep.
Heather: So, what risks do organizations face if they continue to manage IT services and security in silos?
Robert: Well, they risk blind spots—blind spots from unwanted, unexpected, uncovered change. Slower incident response. When you're doing the same thing twice, you can end up with duplicate tooling or duplicate products doing the same thing. And, as always, when bad things happen, there'll be finger-pointing. Especially when there's an outage, and we see that all the time.
The bottom line is, if you don't understand exactly what has changed, misconfigurations linger, attackers live off the land, they can explore your infrastructure laterally, and they can even install back doors. And, although it'll be too late when you finally have an audit, they're going to find gaps. And we saw this at internet scale just last year, where we saw so many outages occur in 2024, and almost every single one of these outages, in the end, from a root cause perspective, was related to configuration changes. And another example is just in July of 2024: the CrowdStrike incident that disrupted approximately 8.5 million Windows devices. And that impacted multiple industries. Remember, airlines, banks, hospitals. And then on the people and process side, Uptime Institute found a 10% rise in outages that were caused by failure to follow procedures.
A failure to follow procedures. Heather, that's just unnecessary pain. When ops and security aren't one team, routine changes literally become the cause of breach and outage opportunities.
Heather: And that's a great segue into my next question, which is, how does convergence improve not just security posture, but also the operational resilience and governance piece?
Robert: Good question. Well, you can finally close the loop. That's one major benefit. You can go from authorizing to implementing to verifying, all in one continuous loop. You can use integrity to check and confirm that your environment, your IT environment, matches your business intent. And if you have a product like ours, CimTrak, you can automatically roll back in order to help neutralize bad changes quickly. And when you can capture, for instance, with a tool like our CimTrak, an audit trail and evidence, as work actually happens, well, now that makes governance continuous. It's not some periodic function or some manual process, it's just baked in.
Practically, if we can move there, that's how you can thwart today's threats. We know that certain classes of threats are up in frequency, such as ransomware and AI-enabled threats, but when change, detection, and response, all three of these functions, move together in sync, with automated verification after deploy, you can shrink the blast radius when bad things happen. You can shrink the impact right of boom, and that helps you prove control effectiveness in real time.
Converged teams that actually lean on and accept the fact and leverage service and security-related automation, they can reap real material savings in the event of a security breach. So, just to state that point again, I believe that, when change, detection, and response move together, now you can take this concept of resilience, and you can make it repeatable.
Heather: So what does convergence actually look like in practice for IT and security teams on a day-to-day basis? I think you alluded to that a little bit with your last answer. Can you give us some real-world examples?
Robert: Sure. Well, one backlog. Imagine a shared backlog of tickets between the security teams and ops teams. A single source of truth for assets and configurations, leveraging that CMDB in your ITSM system.
Imagine converged response playbooks that encapsulate change, and incidents, and problem workflows. Let me kind of put it a different way. Here's another way of looking at it.
Security, in my opinion, will ultimately be the responsibility of your change advisory board, and every change is verified in production by integrity controls.
Ideally, automatically, with products like CimTrak, where the entire process can be automated. And that maps very neatly into frameworks such as NIST 800-53. Imagine they have their configuration management section, and auditing section, and SI section for system integrity.
It maps very cleanly with PCI-DSS, and their sections requiring you to understand what's changed. So, you're not really inventing a new process on either side, the security or the ops side. What I'm simply asking is that by teaming up, you're finding a way to operationalize those two independent teams into one shared system.
Heather: And how can organizations leverage their existing ITSM processes? You mentioned change management. Incident management is another one. How can they leverage those to strengthen their cybersecurity efforts?
Robert: Well, I think I can simplify it. Here's one simple rule to consider. No ticket, no change. That simple.
No ticket, no change. And treat that as your base security control. And then from there, I think you can link security incidents to change records, and then use problem management for your root cause analysis, and then leverage your request workflows, the ones that you have folks typically go through, use those request workflows to actually enforce your least privileged controls. Because that's your choke point for all requests, and for all changes.
There is a lot of valuable information in your CMDB, in your ITSM system. You can use that info. You can use that context to enrich detections, speed decisions, because the security teams aren't making decisions without regard to what's happening from an ops perspective when they have that data. So, basically, the concept is, we're making your normal work become your evidence, because you have that audit trail of everything that's occurred. So, to put it another way, you're using the processes you trust to enforce the security that you need.
Heather: And where does automation fit in, especially when it comes to bridging IT operations and security response?
Robert: Now, we can automate that handoff between the two teams, ops and security, in some interesting ways. For instance, imagine that you detect a change.
Now what?
Instead of just immediately taking action first, let's check to see if there was an approved ticket. And if there wasn't an approved ticket for that change, create an incident directly in the ITSM system, and then leverage products like CimTrak to actually quarantine or roll back that system or change based on your policy. And then capture any forensic evidence related to that unexpected change. And then rinse and repeat. So this entire process can be automated. We'll still keep humans in the mix, but we'll use humans for their human judgment, for either exceptions, or for ultimately accepting risk. IBM found that organizations that use automation extensively saved about $1.9 million per breach.
So, that's proof, that's proof of the value that can be delivered by this automated linkage between ops and security.
Heather: And how does CimTrak support this convergence of ITSM and cybersecurity in real-world environments?
Robert: Well, as a reminder, CimTrak establishes known good baselines for files, configurations, registries, network devices. And when it detects drift from those baselines, it detects it in real-time. And because of its tight integration with ITSM systems, such as BMC Remedy, or ServiceNow, or Jira, or others, it can correlate changes to authorized work.
So now you aren't simply creating a ticket and having someone work on it and close it with an audit trail of what they actually did. We're moving from this implicit trust model to a trust, but verify, and CimTrak is providing the verified information of what happened during that standard service ticket, during the normal work.
Now, unauthorized changes can be blocked or auto-reverted. An audit trail of proof of work will be maintained, we'll export that to the ITSM system associated with a ticket, and unexpected changes can be exported to your SIEM, via syslog, or whatever other mechanism. And by doing those steps, we have this complete change story. That's… complete from end to end.
Now, beyond servers, CimTrak can also detect changes to the mentioned network devices, Active Directory, cloud infrastructures, databases, Okta, Zscaler, many operating systems such as Windows, Linux, Solaris, Mac OS X, HP-UX, FreeBSD, and in all those cases, it has the ability to instantly restore them or provide the information that you need to restore or revert when you're under stress. And with our optional Compliance and Configuration Remediation module, it can also automatically harden systems against CIS benchmarks and DISA STIGs. Heather, it literally enables true closed-loop change control. CimTrak lets you know of every change, approve the good, undo the bad, and then alert on all the events that matter.
Heather: And I know that integrity is a key theme for Cimcor. What role does that play in bringing IT operations and security together?
Robert: Integrity, again, I mentioned this earlier, integrity means ensuring that the environment, your IT environment, matches intent, and that's your business intent, or matching your business objectives, or your SLAs. And we have two audiences. Ops wants stability, right? And security wants control.
Integrity Assurance gives both. It provides that provable state, it provides rapid rollback, and audit-ready evidence that the system, the configurations, the settings, all those things that you think are running.
It ensures that those are the settings and configs that actually are running. And it's also a language that auditors understand.
Auditors expect structured change control.
You can see that in NIST 800-53, you can see that in PCI, you can see that in ISO 27001, NIST CSF, you can see that in many standards. You have to monitor and measure the integrity of critical systems. Integrity controls make those expectations continuous. Not just episodic, or an afterthought.
And if you think about it, Integrity is really the foundation to build a resilient infrastructure.
Heather: And finally, looking ahead, how do you see this convergence shaping the future of IT service delivery and cybersecurity?
Robert: Well, I believe the future is secure-by-default service delivery. So, that means policy-informed changes, with clear visibility, risk-scored approvals, continuous control validation, integrity assurance and integrity verification, and compliance as a byproduct of just your normal work, because now we have that audit trail of what folks have actually done. In the future, I think we'll see fewer disconnected tools, I think we'll see more shared platforms, and that would be a priority of organizations. And I believe we'll see integrity checks being baked into every deployment. The pressure's rising on both sides. From the security perspective, sadly, we aren't winning the battle.
And AI has added much more uncertainty into the mix. And on the ops side, the pressure is still on. Downtime and resiliency are continuing to dominate the conversation. This convergence, this is the way forward.
And it's how you're going to be able to keep going fast, maintain uptime, bake in compliance, while making it all safe.
Heather: Robert, thank you for joining us today.
Robert: Thank you, I appreciate the opportunity to be back on your show.
Heather: For Cybercrime Radio, I'm Heather Engel. Joining me today was Robert Johnson III, President and CEO at Cimcor.
This episode was brought to you by Cimcor, which develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
For more of our media, visit our website at cybersecurityventures.com.
September 2, 2025