How to take charge of technical debt in security 

 October 29, 2019

By  Jane Frankland

In the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Lenovo ThinkShield. Because your success is important to me, I only align myself with brands I believe in, and Lenovo is one of them.

“I’m under pressure,” he said, “and it’s pouring down on me. Jane, what do I do?”

Simon had just been appointed the Head of Security at a mid-sized biomedical organisation. It was a step up for him. Before starting, he was excited about his new opportunity. Now, he just felt overwhelmed. Everywhere he looked, there were signs the organisation was at risk.

In recent years, it had grown fast. It had a collaborative working culture, with dispersed teams spread across different locations, countries and time zones. But it had become complex in the design process. Predictably, the business favoured speed to market over security. As a result, security had become decentralised, Shadow IT had exploded, and over a thousand employees were now switching, daily, between endless SaaS tools and physical devices that fitted their needs better. Unknowingly, they’d opened up new surface areas that were ripe for attack.

But that wasn’t all. There was the supply chain, and further risks which lay hidden deep in the organisation’s architectures, legacy codes, third-party libraries and dependencies.

Simon knew the organisation needed strong security leadership, a thorough overhaul, and a secure working environment that supported the business leads. But the realisation of building a greenfield site, creating a thriving security culture and eliminating tension when he pressed for change was getting to him. 

“Have you ever talked to executives about technical debt?” I said. “Have you ever thought about leveraging security through the prism of the financial system to better position it?”

The expression on his face said it all, so, I explained.

Technical debt is a term that was first coined in the early 1990s by Ward Cunningham. Used in relation to software development, it can be defined as the longer-term consequences of poor design decisions. It implies that the cost of additional rework caused by choosing an easy, limited or cheap solution will far exceed those that come from a comprehensive solution that will cost more and or take longer. And, just like monetary debt, if technical debt is not repaid, it accumulates 'interest', making it harder and more costly to implement changes later on.

Solving security issues one at a time with solutions that aren’t designed to work together accumulates technical debt. And, by not balancing innovation and security through integrated best practices, like security by design and risk assessments, I’ve witnessed more than my fair share of technical debt accruing over two decades.

Major breaches like those at Equifax, Uber, Yahoo, eBay, Target, TalkTalk, Mariott International and British Airways serve as useful examples. If the technical debt there had been better understood, then perhaps it could have been appropriately managed, brand reputation could have been maintained, and huge financial loses been avoided.

Hindsight is a wonderful thing, and it’s easy to see why making the right decision in security today reduces costs and pays returns. So, with this in mind, here are three steps to guide you on your security leadership.

Step 1. Calculate your organisation’s technical debt.

I’m a big fan of FAIR (Factor Analysis of Information Risk) a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack A. Jones, rather than being a methodology or a standard like the ISO/IEC 27000-series, it’s primarily a risk management framework that helps you understand, analyse, measure and then strengthen information risk. I encourage you to seek it out, read the book, join a chapter and start implementing it. 

Another great resource comes from Dan Geer and Gunnar Peterson. In their paper, A Margin of Safety or Speculation, the authors compare the book value of IT assets (software, servers, development, etc) to the book value of the security controls and services used to defend those assets. They suggest that the difference between those two numbers will allow you to establish your technical debt ratio. Then, when you use this on your cost structures, you can determine an accurate financial value. Only by comparing two of the most important business and security metrics – the earnings power of the assets with that of the efficacy of the security control, can you have a meaningful dialogue with business leads and executives.

Step 2. Consider human error.

As human beings we make mistakes. We lose devices. We click on links we shouldn’t. We use tools that haven’t been assigned to us, and we disable security features that stop us from working faster. We don’t deliberately set out to do harm or to cause worry to IT or security leaders, but human erroropens up new attack surfaces, and can cause devastating breaches, data leakage, costly compliance failures, and even “game over” scenarios for organisations.

In fact, according to a recent report that was sponsored by IBM Security and conducted by the Ponemon Institute, almost half of all the breaches (49%) are caused by human error and cost organisations USD $3.50 million. With human error being so prevalent and hacking as a service so cheap, accessible and user-friendly, it’s no wonder why cybercriminals and hackers see it as being one of the easiest ways to gain access to data. Therefore, you must look for solutions that help you prevent and contain human error. You must demand more endpoint visibility, more secure authentication, more encryption, more risk intelligence, more automation and time-saving self-healing capabilities.

Step 3. True end-to-end protection.

Everyone knows it’s impossible to secure everything, but you can reduce your risk by weaving security into the fabric of your organisation. Thankfully, security awareness is growing, and many employees understand social engineering tactics such as phishing, spear phishing, vishing, pretexting and baiting. However, there’s still a lot to do when it comes to ensuring security is engineered into the tools your organisation procures.

This means beginning with development and continuing through the supply chain and the full lifecycle of every device—from development through to disposal. It means equipping your security team with the tools required to stop attacks before an incident occurs. It means providing them with sufficient resources or expertise to decode the vast number of security alerts hitting their screens daily from multiple point products. It means creating a trusted supplier program and collaborating with a qualified, verified supplier base. Only by doing these things will you be able to build security measures that are rigorous, trackable, auditable and effective in your organisation.

Now I want to hear from you…

  • Tell me what insights you have on technical debt and how you manage it in security.

And, if you’d like to know more about Lenovo ThinkShield, a partner that’s invested in the security industry, and provides a fully customisable suite of processes and capabilities that protect the full lifecycle of your assets, from development to disposal go here: http://bit.ly/ThinkShield  

Finally, in the spirit of full disclosure, once more, as a #lenovopartner, please be aware that I’ve received compensation for promoting this #ad for Lenovo ThinkShield.

#LenovoPartner #Microsoft #Intel

Did you enjoy this blog? Search for more blogs that you want to read!

Jane frankland


Jane Frankland is a cybersecurity market influencer, award-winning entrepreneur, consultant and speaker. She is the Founder of KnewStart and the IN Security Movement. Having held executive positions within her own companies and several large PLCs, she now provides agile, forward thinking organisations with strategic business solutions. Jane works with leaders of all levels and supports women in male dominated industries like cybersecurity and tech. Her book, IN Security: Why a failure to attract and retain women in cybersecurity is making us all less safe' is a best-seller.


Follow me

related posts:

Leave a Reply:

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Get in touch