
We understand monetary debt, so why not security debt?

(Image credit: Wright Studio / Shutterstock)

In 2017, Warren Buffett said that cyber-attacks are the number one problem facing humankind, and the Oracle of Omaha seems to be entirely correct. From financially motivated cybercrime gangs to nation-state attackers, and even simply negligent or ignorant insiders, the sheer volume and potency of the threats facing organisations the world over is mind-blowing. This makes it difficult for security leaders, and even those in their teams, to step back, take a breath, and look at the bigger picture. When you’re constantly rushed off your feet, it’s hard to find more strategic ways to tackle the challenges you face. More difficult still is communicating those challenges to the rest of the business.

Fortunately, there are parallels in the financial world that can be borrowed to describe, and better tell the story of, what is happening in the world of security. If businesses can begin to understand that security trade-offs and cut corners are debts that need to be repaid, they have a better chance of addressing the imbalance in the long term, which will then benefit the entire organisation.

Years of debt

Security budgets have been increasing for what seems like years now. Spending on information security has been forecast by analyst house Gartner to rise eight per cent year on year, reaching around $96 billion this year. Much of this is down to an increasingly complex and growing threat landscape. However, the elephant in the room is what security teams know as “technical debt”. First used in the early 1990s, the term originally came from software development: when an organisation chooses the quick and easy option now, it will inevitably cost more to fix later. The alternative is a better, more comprehensive option that costs more and takes more time up-front, but is far superior in the long term.

Unfortunately for security and IT professionals, IT security is riddled with this kind of technical debt: organisations settling for “good enough” as they race to exploit digital opportunities, while leaving themselves vulnerable to damaging and costly incidents down the line. The longer this debt goes unpaid, the more interest accrues, and the greater the cost of fixing the shortcomings of the original deployment becomes.

For some organisations, this has been going on for almost thirty years. The impact of the practice can be seen in the big-name breaches of recent years, such as Equifax, Uber, and Yahoo! In some cases, this debt has ended up costing businesses hundreds of millions of dollars, along with major reputational damage. It is estimated that breaches have cost organisations around $27 billion in the past year, much of which could have been saved if those involved had understood their security debt and had processes and plans in place for managing and reducing it.

A global security crisis then?

The question, then, is how this can be fixed. The answer is: not easily. Much like financial debt, technical debt can be difficult to spot. It is hidden deep in legacy code, in older and tightly integrated software architectures, in third-party libraries and dependencies, and even in some of the basic economic principles on which business models have been built. These interdependencies are often so complex and intertwined that it may be entirely beyond the abilities of an average business to determine even partially what they are.

In many ways this can be put into perspective by looking at the events that led up to the global financial crisis of 2008, for which Collateralised Debt Obligations, or CDOs, were largely responsible. These complex derivatives are essentially debt owned by one business and sold on to another, then broken up, bundled into another package, and resold again. It doesn’t take a Nobel Laureate to see that the result of this practice was that no one had a clue where the original debt lay or how risky it was. When the US property market started to crash, the safeguards and models that had been deployed to protect investors simply couldn’t rise to the challenge.

There is a very real chance that a similar turn of events could happen in the IT security space. Years of accumulated security debt and poor risk assessment are slowly turning into problems that we know we can’t fix. We are borrowing security time at a rate we will never be able to repay, and that debt has become so complex that no one will be able to determine which debt is theirs and which isn’t. This is a problem, because there is no equivalent of the financial regulators who were forced to step in during the 2008 crisis to stop businesses going under.

To avoid this outcome, we need to become far more aware of the similarities between the IT and financial sectors.

So, what do we do now?

Though this may be theoretical, it does make you think. It also could lead to security change across multiple industries – which is no bad thing. By looking at cybersecurity through a lens that is better understood by a wider proportion of business, change could be made far more quickly than continuing to do things the way businesses have done them in the past. This way, we can all potentially find a better, and more effective way to manage risk, which will lead to a more secure place to exist and do

How do we plot a course forward? How can we gain ground in the minefield that is technical security debt?

The first step is to calculate that security debt. Dan Geer and Gunnar Peterson wrote a research paper that gives the industry an excellent place to start. It begins with a calculation of a “Margin of Safety”, which compares the “book value” of the IT assets with the spend on the security controls and services used to defend those assets. From this, a technical/security debt ratio for the organisation can be derived. Organisations can then apply that ratio to their own cost structure to arrive at an actual monetary value. Interest can then be determined using established risk-management language, creating a baseline for a “standard” level of interest.

While this is all worth working out, by far the most crucial step is to understand that it is best to service security debt sooner rather than later; after all, it becomes toxic and continues to accrue interest over time. It could even go as far as to bankrupt a business or a technology. Forced repayment is never a good position to be in. Instead, understanding the debt being run up, and putting processes in place to manage it, should be considered best practice. This could be through investing in managed services or, if that isn’t an option, through other ways of reducing risk, such as looking into cyber insurance.

Charl van der Walt, Chief Security Strategy Officer, SecureData

Charl van der Walt
Charl has given courses and lectures for companies and universities the world over and has been a regular on the infosec conference circuit. He has been a security training advisor to the US DoD for over five years, has acted as a network security consultant for the Commonwealth Games, and has co-authored numerous security books.