Strong Process Controls bring Security

Gene Kim, the CTO of Tripwire, did a study of hundreds of organizations in late 2002 and early 2003. He found that many organizations were struggling with patch management and with system administrator to server ratios of 1 administrator to 5 or 6 servers. Other organizations were humming along with ratios of one administrator to a hundred servers. The 1:100 organizations had strong security. The difference he found between the organizations was the policy and controls in place.
The Tripwire website has an article that goes along with this. What is needed is a prevailing culture of change management, rigorous configuration management practices, and a heavy reliance on release management.
At work, there is an initiative to implement IT Service Management. Administrators have responded with reticence. There are fears that the sys admin's job will be nothing more than updating knowledge base articles and disaster recovery plans. The feeling is that system administration is a dark art rather than a science. From the reports of Gene Kim, it sounds like there is a lot of improvement if the process can be implemented correctly.