Conventional wisdom holds that debt is bad, although there are clearly exceptions: sometimes it is necessary to finance a project or an acquisition. Technical debt is taken on in the same spirit, to move innovation along quickly, but few stop to consider how it can lead to breakdowns and breaches and put an enterprise at risk. Sean Duca, vice president and regional chief security officer for Palo Alto Networks, says that it’s critical to identify technical debt and confront the challenges and risks associated with it. Here are five ways you can mind the technical gaps in your organization:
1. Understand what technical debt is and how it impacts your enterprise. Technical debt occurs when business and IT leaders “take a short-term approach rather than adopting a long-term strategy,” Duca explains. In the digital enterprise, technical debt often occurs when organizations attempt to balance the need for speed–agile software development, for example–with the demands of security.
For example, “Technical debt may occur when a developer writes a piece of code quickly that overlooks key security requirements. A vulnerability exists, and, over time, it becomes more evident and perhaps even exposed to the outside world,” Duca explains. Eventually, the developer has to go back and address the security issues that relate to the code. Technical debt ripples into all corners of cybersecurity, including authentication and IT infrastructure. “As you create more technical debt you often slow things down and increase your overall level of risk,” he says.
2. Acknowledge what contributes to technical debt. A number of factors contribute to technical debt. A business may underinvest in security, it may push for results too quickly, teams may not be synced effectively, and developers and others may lack knowledge and not receive the training they require. At some point, an organization may simply lack the capacity to deal effectively with the risks it faces, such as cybercrime, financially motivated threats and malware. The environment is constantly changing and new vulnerabilities are appearing all the time, so an enterprise must keep adapting and keep addressing the risks that its technical debt creates.
3. Recognize how technical debt plays out in the real world of business and IT. There are plenty of repercussions resulting from technical debt. Consider patching. Everyone agrees that organizations should patch applications and operating systems, and that they should update firmware on a regular basis. “But the fear of breaking something–or having to devote time and resources to fixing other systems–may lead to paralysis,” Duca points out. As a result, “People wind up afraid to apply the patches.” Organizations must address these types of issues. “They must move beyond the mentality, ‘Let’s just make everything work today,’” he adds. The same sorts of problems extend to other areas. “The security challenges we faced a decade or two ago have shifted. The goal posts have been moved. Today, an organization cannot approach security from the mindset of a perimeter. With interconnected systems and the emergence of the Internet of Things, it’s important to take a more expansive view and focus on the actual data.”
4. Learn how to pay down technical debt. First, it’s important to recognize that there are no shortcuts. “If you attempt to take shortcuts you create more critical debt,” Duca says. “It’s similar to paying the minimum due on a credit card every month while maintaining a high balance. The underlying situation doesn’t improve, or it becomes worse over time.” Second, it’s critical to conduct some type of assessment and address key areas, such as code development, patching, and cyber-hygiene. “There are a lot of basic things that often wind up overlooked,” he says. Third, you have to think beyond conventional security tools–such as firewalls and antivirus–and take a more holistic view of today’s connected world. Simply updating solutions, or building additional layers, doesn’t necessarily translate into reducing technical debt or cyber-security risk. “In some cases, it can actually increase debt and risk because you are adding complexity. You really have to ask: ‘Do we need these 15 different security solutions that create hundreds of new patching requirements?’ The goal is to get to a clean slate.”
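The assessment this step calls for is easier to act on when the patching backlog is measured rather than described. What follows is an added example, not code from the article or from Palo Alto Networks: a small patch-backlog aging report in Python that turns an inventory of known-missing fixes into a list of SLA breaches, a severity-weighted debt score, and a breakdown of which products carry the backlog. The inventory rows, the per-severity SLA windows, the severity weights and the fixed assessment date are all constructed assumptions for illustration; a real run would take its rows from a vulnerability scanner or asset inventory export.

```python
"""Patch-backlog aging report: one concrete form of the patching and
cyber-hygiene assessment step. Every inventory row, SLA window, severity
weight and the assessment date below is constructed for illustration and
is not data from the article."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Hypothetical remediation SLAs: days allowed between fix release and deployment.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
# Hypothetical weights that turn "days past SLA" into a single debt score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
# Fixed assessment date so the report is reproducible.
AS_OF = date(2024, 1, 15)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    fixed_in: str
    severity: str
    released: date  # publication date of the fixing version


# Constructed sample inventory: hosts, product names and versions are made up.
INVENTORY = [
    Finding("web-01", "appserver", "2.4.1", "2.4.9", "critical", date(2023, 12, 1)),
    Finding("web-01", "tls-lib", "1.1.0", "1.1.4", "high", date(2024, 1, 5)),
    Finding("db-01", "dbengine", "12.3", "12.7", "high", date(2023, 11, 1)),
    Finding("db-01", "dbengine", "12.3", "12.7", "medium", date(2023, 10, 1)),
    Finding("fw-01", "edge-firewall", "7.0.2", "7.0.5", "critical", date(2024, 1, 10)),
    Finding("hub-01", "iot-hub-fw", "3.1", "3.2", "low", date(2023, 6, 1)),
]


def days_outstanding(finding, as_of=AS_OF):
    """Days the fix has been available without being applied."""
    return (as_of - finding.released).days


def days_past_sla(finding, as_of=AS_OF):
    """Days beyond the SLA window for this severity (0 while still inside it)."""
    return max(0, days_outstanding(finding, as_of) - SLA_DAYS[finding.severity])


def sla_breaches(findings, as_of=AS_OF):
    """Findings whose fix has waited longer than the SLA allows, worst first."""
    overdue = [f for f in findings if days_past_sla(f, as_of) > 0]
    return sorted(overdue, key=lambda f: days_past_sla(f, as_of), reverse=True)


def debt_score(findings, as_of=AS_OF):
    """Severity-weighted sum of days past SLA. Track the trend of this number
    between assessments; its absolute value means little on its own."""
    return sum(days_past_sla(f, as_of) * SEVERITY_WEIGHT[f.severity] for f in findings)


def breaches_by_product(findings, as_of=AS_OF):
    """Overdue findings per product: which products actually carry the backlog."""
    return Counter(f.product for f in sla_breaches(findings, as_of))


def patching_surface(findings):
    """Distinct products that each need their own patch cycle; every tool added
    to the estate adds to this number."""
    return len({f.product for f in findings})


def report(findings, as_of=AS_OF):
    """Human-readable summary of the backlog."""
    lines = [
        f"Patch backlog as of {as_of}: {len(sla_breaches(findings, as_of))} SLA breach(es), "
        f"debt score {debt_score(findings, as_of)}, "
        f"{patching_surface(findings)} product(s) to keep patched"
    ]
    for f in sla_breaches(findings, as_of):
        lines.append(
            f"  {f.host:7} {f.product:14} {f.installed} -> {f.fixed_in}  {f.severity:8} "
            f"{days_outstanding(f, as_of):4}d outstanding, {days_past_sla(f, as_of):3}d past SLA"
        )
    for product, n in breaches_by_product(findings, as_of).most_common():
        lines.append(f"  backlog carried by {product}: {n} overdue")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

Two design points are worth noting. The score is deliberately driven by time past SLA rather than by raw finding count, so a single critical fix that has sat for a month outweighs a pile of low-severity items inside their window; that is the "paying the minimum on the card" effect made visible. The per-product breakdown and the patching-surface count are the quantitative input to the question in the text about whether fifteen separate security solutions are worth the patching load they create: a product that contributes rows here every cycle is a candidate for consolidation rather than for another layer on top.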
5. Identify the key issues leadership teams should focus on. According to Duca, there are a couple of crucial questions: What will fundamentally happen at the endpoint today? How do I begin to shift away from system-centric security and place the focus where it belongs: on information security? “A vulnerability assessment is essential. It’s critical to identify where an organization stores data, who has access to it, and what they do with it. Then, it’s important to build protections around the data,” he explains. When an organization adopts this approach, the focus shifts from specific technologies to strategic frameworks.
“You stop trying to cobble together a mish-mash of add-ons. You approach the problem in a more comprehensive way,” Duca explains. This includes incorporating things like analytics, biometrics and multifactor authentication–while rethinking areas such as authorizations and governance. It also involves training employees to spot social engineering methods and using hardware–including smart switches and hubs–that can auto-update software and firmware. “It’s important to thoroughly understand a vendor’s products–and the security and patching methods built into products–prior to purchasing them,” he says.
Technical debt is an ongoing challenge and it’s something that business and IT leaders must continue to revisit. Says Duca: “You have to approach cyber-security in a comprehensive and holistic way. You have to rethink things and find ways to stay current with security. There’s no end, it’s a continual journey. It’s possible to address technical debt but it takes ongoing attention–along with a willingness to rethink the way you’re currently doing things.”