Did you know that October is Cyber Security Awareness Month? It’s a timely reminder to ensure you carry out your regular security assessment. Much like advice from the Department of Fire and Emergency Services to regularly check in-home smoke alarms, so too should organisations regularly assess, maintain and test to identify risks that may impact their cyber security posture.
Cyber security is a moving target, so it pays to review after any major technology change. The constantly evolving business context, underlying technologies and external factors all add to the challenge. Whether through evolution (incremental step changes over time) or revolution (deliberate transformation programs), the technology landscape is in a constant state of flux, so a gap emerges between the technology in place and what is needed.
This technical debt arises in two main ways. Firstly, through deliberate, tactical decisions made during implementation, driven by a need for cost containment or time pressures. Secondly, through a lack of process rigour or governance, which implicitly allows poor IT operational practices to creep in (patch management is a great example of this). By its nature, technical debt impacts non-functional requirements such as maintainability, performance, availability, scalability and security.
COVID-19, a catalyst for increasing security risks
The pandemic has fundamentally changed the long-held belief that employees, en masse, must work in a central office location to be productive. Almost overnight, organisations (driven by government mandates) required their workforce to decant from offices and work remotely. Ready or not, IT departments had to quickly deploy remote working solutions.
Will the workforce return to the pre-COVID-19 normal? Research from Cisco suggests that is highly unlikely, with 62% of the workforce prepared to move jobs if they cannot continue to work from anywhere. The unplanned, rapid deployment of solutions and technologies, largely seen as successful, is here to stay. Functional requirements were met, employees were able to connect to business systems and continue working, but that isn’t the end of the story.
What lurks beneath these success stories are the compromises and tactical design and implementation decisions that had to be made on the fly. That hasty transition came with unintended consequences – the technical debt. The burning questions for most organisations should be around security. Why? The introduction of remote working solutions and technologies had the potential to introduce new attack vectors, which may significantly increase the organisation’s cyber security risk profile. Businesses must ask themselves:
- Does the solution align with our cyber security strategy?
- Does the solution comply with our cyber security policies and guiding principles?
- Are we aligned with industry cyber security best practices?
- Have operational procedures been updated to ensure the solution is properly maintained?
Time to circle back
Let’s be clear, technical debt will occur, period. The pandemic made abundantly clear where technical debt will drive up an organisation’s cyber security risk profile. While rapid deployment of solutions and technologies had to be made with little consideration of overall IT strategy, cyber security strategy, architecture and design governance, this is not necessarily bad. IT departments did what had to be done so that businesses could survive in extraordinary circumstances. However, technical debt, like personal financial debt, will become unwieldy if left unchecked and will over time ratchet up your risk profile.
Technical debt is very hard to stamp out because it impacts non-functional requirements, so there can be a reluctance by business leaders to pay it off. With so many pressing investment needs, there is an understandable hesitation before investing valuable dollars into something without a direct line of sight to a business value. They’ve got what they needed functionally, and from a priority perspective they’ve moved on, but leaving technical debt unpaid long-term is usually a big mistake.
Luckily for IT departments, cyber security remains top of mind for most CIOs because it is a risk exposure that carries significant business impact to operations, shareholder value, consumer confidence and reputation. Fallout from security breaches can be catastrophic.
Whilst the pandemic is hardly over, focus has shifted from enabling hybrid working to the long-term adoption and support of that hybrid model. Now is the ideal time for organisations to circle back and revisit technology decisions made under pressure, and compromised to accommodate tight delivery deadlines. While you’re at it, why not expand the scope and assess the overall IT landscape to identify other areas where cyber security technical debt may have crept in over time?
Business Aspect’s Cyber Security and Risk practice provides services such as cyber security strategies, roadmaps, compliance and risk assessments and vulnerability testing. Together with our parent company, Data#3, we are uniquely positioned to help our customers navigate the ever-changing risk landscape and remediate technical debt to help you to drive down your cyber security risk profile.