Time to Defrost: Why Organizations Should Rethink Their Change Freeze Policies

With the right tools, IT teams can unleash innovation and better manage IT risk


The IT operations change freeze is commonplace in many organizations. After all, any software change runs the risk of introducing new bugs, errors and other issues. For periods when IT is expected to be under-staffed, or if the business is entering a busy sales period, freezing changes could insulate the organization from these risks, it is argued. In reality, organizations can and should be more agile than that. Change freezes stifle innovation and expose systems to increased cyber risk.

The good news is that tooling now exists to empower IT operations to take a more active role in managing their environment — at speed and scale. In so doing, they can finally be freed from the limitations and risks associated with change freezes.

The case against change freezes

All modern organizations run on software. And many are dependent on continuous innovation just to keep pace with ever-changing customer and market demands. Change freezes can interrupt CI/CD pipelines at critical moments, impacting time-to-market and customer experiences. You wouldn’t find leading tech innovators putting roadblocks in front of their developers like this.

Another consideration is cybersecurity. Attackers certainly don’t freeze, so why should your IT ops team? In fact, when adversaries find an organization in a frozen state, they can move quickly through the IT environment.

Meanwhile, defender resources are frozen, making it extremely difficult for them to respond until it’s too late. Perhaps aware of the advantage this grants them, ransomware actors frequently attack just before public holidays in the US. For example:

When an attack hits and all changes are frozen, how do you patch promptly? Updates could still be deployed as an emergency exception. But wouldn’t a better long-term solution be to find a way to actively manage the impact of changes, rather than run the risk of dealing with multiple exceptions during a freeze period?

A better way to manage change and IT risk

To do this, organizations should plan for a continuous cycle of testing and deployment, focusing on the most critical business systems first. These procedures must be adaptive and account for changes that occur mid-cycle. Make the policies too rigid here, and you’ll end up with de facto freezes. Any testing and deployment tools should have roll-back capabilities to minimize unforeseen consequences of the changes that are introduced.

Next, think about your teams. Segment the organization into groups based on the necessary or desired rate of change and create separate policies and processes for each. Product development may want to deploy patches weekly, whereas for the finance team, quarterly could be frequent enough. Tooling should also be flexible enough to cater to the specific needs of each group. Create rapid response teams to spring into action during critical periods, with the ability to override some internal safeguards if the organization is at serious risk.

How Tanium can help

Organizations that routinely deploy freezes will not change overnight. Decision-makers will need to buy in to the idea for it to succeed. A good strategy is to start small and look for quick wins. See if there’s one group that could be exempt from the next freeze and work with them to enhance IT hygiene and cyber resilience. They could then serve both as a pilot for how to craft testing and deployment policies, and as a test bed for tools enabling active managed response.

To help with this process, better understand the extent of your change freezes with the following questions:

  • How long does this freeze last?
  • What groups are or are not affected by this freeze?
  • Are there emergency exceptions to this freeze?

The good news is that Tanium can help to drive success in evolving toward a more dynamic and active management of change, through a comprehensive platform for endpoint management and security. Crucially, our unique architecture empowers IT teams to find and fix problems at speed and scale, no matter how large your endpoint estate.

Experience Tanium for yourself. Sign up for a free two-week trial today.

Ken Smiley

Ken Smiley is Tanium’s Director of Rapid Response, former industry analyst, coach, and public speaker. He assists organizations in responding to critical events and deriving the maximum value and return on their investments in IT.
