“Modern security debt is often hidden deep in an organisation’s IT architecture, legacy code, third-party libraries, and even the fundamental economic principles upon which some business models are based”
Whether it’s a DDoS attack overwhelming an organisation’s network, critical files being held hostage by ransomware, or sensitive customer data being exposed due to the actions of a negligent employee, IT security teams are constantly on the defensive.
Given the sheer scale of the situation, it can be difficult for security chiefs to find an opportunity to take stock and devise a strategic way of tackling the issue, and communicating this to the wider business.
By borrowing an approach from the financial world, however, and viewing security trade-offs as debts that need to be serviced, it may be possible to better communicate with business, and thus appropriately protect the business from cyber-threats.
The term ‘technical debt’ was coined by American software pioneer Ward Cunningham who stated that “some problems with code are like financial debt. It’s OK to borrow against the future, as long as you pay it off.”
Essentially, choosing a quick and easy option will inevitably cost an organisation more further down the line, when compared with taking a comprehensive option which, although initially more expensive, will perform better in the long run.
Many examples of technical debt can be seen where organisations looking to exploit the latest digital opportunities have settled for IT security provisions that are ‘good enough’, only to later find themselves vulnerable to damaging and costly cyber-attacks. The longer these security debts remain unpaid, the more interest they will accrue in terms of addressing the shortcomings of the original investment.
The high-profile breaches suffered by businesses such as Equifax, Uber, Yahoo! and TalkTalk, for example, have had a significant impact on both their reputations and their bottom lines. Indeed, recent research revealed that breaches cost organisations more than £20bn in 2017, much of which might have been saved had those organisation better understood and managed their security debt.
Modern security debt is complex. As with its financial counterpart, it can be difficult to identify, often hidden deep in an organisation’s IT architecture, legacy code, third-party libraries, and even the fundamental economic principles upon which some business models are based. In some cases, the complexity can be so great that the average businesses may be unable to fully determine where the interdependencies lie.
Levels of complexity such as this were responsible for the financial crisis in 2008, which began when debt owned by one business owner was resold to another, before being broken up, bundled, and resold again. By this point, nobody knew where the original debt lay or how risky it was. As result, when the US property market began to crash, the models that had been put in place to protect it simply didn’t work.
It’s worth considering whether years of accumulated security debt and poor risk assessment could lead to a similar situation in the IT security space.
Is it possible, for example, that we’re borrowing security time at a rate we can never repay, and that this debt has now become so complex that no-one is able to determine just whose is whose? Might one catastrophic cyber-attack result in a crash that forces regulators to step in and businesses to fold?
While this is, currently, unlikely, it’s certainly worth being mindful of the similarities between the financial and IT sectors.
Understanding and assessing technical debt is crucial. A paper by security experts Dan Geer and Gunnar Peterson suggests using a Margin of Safety calculation to compare the ‘book value’ of an organisation’s IT assets with the security controls and services used to defend them as a means of determining its technical or security debt ratio. This ratio can then be applied to its cost structure to derive an actual monetary value, with interest determined using risk management language, using a ‘standard’ interest level as a baseline.
Most important, however, is recognising that, as security debt will accrue interest and become toxic over time, it’s best to service it sooner rather than later. In a worst-case scenario, latent security debt could even bankrupt a business eventually. Rather than facing forced repayment, it’s better that an organisation understands the debt it is running, and put processes in place to manage it, such as investing in managed services or taking out cyber-insurance.
The concept of technical or security debt may be largely theoretical but, given due consideration, it could result in wholesale change in how multiple industries manage their cyber-security. By viewing it through the prism of the financial system, IT bosses may find a more effective way of managing the risk presented by an ever-growing cyber-threat landscape.