Cybersecurity teams face many challenges in implementing the right mix of security controls to protect their organization from cyber-criminals, and Technical Debt is just one major barrier. Technical Debt, according to John Wondolowski, Solutions II CTO, "is the trade-off of short-term benefit…versus long-term value" and is "felt most strongly in the IT Operations and Infrastructure organization." I would add that, given the current landscape, technical debt is felt at least as strongly on the Security side, if not more so.
Carrying Technical Debt
An organization can carry Technical Debt in a number of different ways. From a Cybersecurity perspective, it shows up as legacy hardware and software riddled with vulnerabilities, running on a platform so fragile that IT is unable to patch it. It comes in the form of manual, time-consuming IT/Security operational and administrative tasks that keep Analysts and Engineers from focusing on implementing preventative security controls. Yet another form of Technical Debt is an environment of best-of-breed tools that suffer from poor integration and operational overhead.
Technical Debt puts a stranglehold on organizations and keeps them from achieving their goals as quickly as they would like. IT Modernization is essential for curbing technical debt. The attack surface has exploded, and managing technical debt is more important than ever. The key to creating and maintaining a cyber-resilient company is standardization, simplification, optimization, and automation through the management of technical debt.
Cybersecurity teams should be talking about technical debt with the business and with their IT teams. The Technical Debt conversation is a great way to partner with the business and help them understand the risks of carrying certain types of technical debt that put the organization at greater risk of a data breach or, worse, ransomware. In surveys conducted during our Solutions II March 2022 Roundtables, we found that 44% of IT Executives say that Technical Debt is increasing their IT costs, and 28% said that Technical Debt is increasing their organization's security risk profile.
The business needs to know what the risks are! This is our number one job as Security Professionals. They also need to know the cost of mitigating the risks versus the cost of recovering from those risks if they are realized in a cyber incident. More often than not, the cost to mitigate will be far less than the cost to respond to and recover from a cyber incident. This might seem obvious, but too many organizations aren't investing enough in cybersecurity to protect themselves from a cyber-attack, and too many do not have basic cyber-hygiene in place. Reducing technical debt will help you improve your security posture.
Facilitating with Solutions II
Solutions II can also help facilitate these discussions and assist you in reducing your technical debt to free up money and resources. This "newfound" money can then be reinvested in the cybersecurity program to improve the "cyber-resilient" future state of the organization.