Security Debt, Running With Scissors

Security debt is a serious and common problem that pervades businesses today, especially with the move to cloud computing and the rise of IoT. While organisations might accept the risks they encounter, they often neglect to review them or plan for the future. That risk is compounded when responsibility for patches is passed from person to person through staff changes and employee churn. Managing our growing security debt is therefore of critical importance, because ransomware is the debt collector, and it will come calling.
We invited a group of security directors, product managers, and IT heads to discuss how they are tackling their security debt, and to talk more about:
- What security debt means for their organisations
- How organisations can secure their debt when they are unaware of what needs protecting
- Communicating the importance of security and the accrued debt with the wider business
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About Duo
Born from a hacker ethos and with a desire to make the Internet a secure place, Duo is here to democratise security. Unique in the way it recognises change as a constant to be anticipated and embraced, Duo’s mission is to protect the mission of its customers by making security simple for all.
Comprised of a team of people who have a shared belief in adding value to the world, Duo brings an empathetic approach in solving some of the most complex global business and security changes faced today.
Security debt
Security debt is the accumulation of the patches missed, the risks accepted, and the configurations misapplied. Security debt looks different within each organisation and can be caused by any number of factors, but at the end of the day, unless yours is a very new business, technical debt that has manifested as security issues will already exist within your organisation. Understanding where your organisation’s security debt lies is therefore the first step to managing it.
How did we get here?
What makes security debt so hard to handle is the difficulty organisations have in identifying their own debt. Breaking security debt down into categories makes it easier to identify and prioritise:
- Unavoidable debt – debt that is accrued simply over time by applications and procedures designed in the past with no way of knowing how they would need to fit within future landscapes.
- Planned debt – throwaway applications or work done with intent that ends up being used for longer than planned or in unexpected ways.
- Unplanned debt – code, procedures or applications that have unintended technical defects that have gone unnoticed or unchecked.
By better understanding how security debt is created, security teams can work more effectively to combat it. Where they stand to make the biggest impact is with unplanned debt. Good-practice controls, such as better code reviews and clear upfront discussions with the business to agree manageable security requirements, can be added to mitigate unplanned debt.
By compartmentalising technical security debt, it becomes easier to prioritise, but we also have to think about our staff and data, areas that often get overlooked in more technical discussions. Staff need to be enabled to work effectively and safely in their roles; if they are not, mounting security issues arise from improper tools, overwork, or inadequate training. Effective implementation of remote working is an excellent example of how security teams prevented the creation of huge amounts of security debt by providing staff with the means to work safely.
Data debt refers to the masses of data being accrued by businesses that are unable to manage it properly. Some businesses hold vast amounts of sensitive data waiting to explode in a breach. This data needs to be contained, purged, or archived, and good governance needs to be put in place to prevent further risk.
Shifting left
Developers need the proper tools to do their work, but they also need to be provided with crystal-clear security requirements. Businesses often leave the security requirements conversation until after they have invested in new tools, creating no small amount of conflict and potential for security debt. Security teams need to make the value proposition clear in these situations: does the business want to spend $1 upfront, or $10,000 on the back end?
By inserting themselves into the conversation much earlier in the process, security teams can mitigate some of the long-term effects of technical debt by ensuring that security is built in from the beginning.
What needs securing?
Oftentimes businesses are completely unaware of the security debt they are amassing, as it is virtually impossible for them to have a complete understanding of everything that exists within their environment. How can you secure your debt if you don’t know what you’re protecting? This blind spot makes it easy for ransomware to infiltrate and cause harm. Establishing an asset inventory is therefore paramount.
There is no easy way to track decades of servers, devices, data, and applications. Each organisation is at a different stage in the journey to consolidate, tag and label its assets, and none is likely to have achieved the almost impossible task of correctly categorising everything. Businesses that have seen the most success in this endeavour have done so with careful planning and a clear, achievable roadmap for progression.
By focusing on accountability and on the risks of not proceeding with the sizeable task of building an asset inventory, security teams can work with business leaders to prioritise the most at-risk assets and stagger the work into more manageable phases.
Clear communication
Much like with a home, a certain percentage of an organisation’s value should be planned to be spent on maintenance. Businesses wondering why a third of their technology resource is being spent on security and compliance need to be made aware that there is no escaping the debt that has built up; security teams must now work to get ahead of it, proactively maintaining some systems while decommissioning others.
Security teams need to quantify the cost of remediating this debt against the cost of focusing on things that are perceived to be more valuable. Provide context around how you make a risk-informed security decision, and then empower business stakeholders to own the risk on their side. If the system goes down and they chose not to make certain changes or apply certain patches, they own that risk. All parties benefit from having these candid conversations. Security can push for prioritisation, data democratisation, and accountability within the business arms, and by engaging with the organisation’s goals, security teams can better work as business enablers.
Working together
Security debt is an issue that all businesses will need to grapple with. The debt has already been established; the way forward now is to ensure that processes and governance are put in place to prevent the problem from growing, while tackling the already amassed debt with a whole-business approach. Engage the business side of the equation. Be brutally honest and bravely transparent when helping them understand their technology debt and the risks they are incurring, so that they can make better risk-informed decisions.