Cleaning up Risk and Technical Debt in the Wake of the Pandemic
IT staff and developers have had to rework many business processes and applications to operate entirely online, and built up a lot of technical debt in the process. Sooner or later, they’ll need to re-architect and refactor to reduce the risk that comes with it. The key to alignment from my upcoming book, shown in the figure below, illustrates how security leaders have a role to play in finding the solution.
Time to Play Catch Up?
Many businesses, like a financial services company I wrote about that had positioned itself a few years ago for a zero trust architecture, were already well prepared for a crisis that would empty offices and force staff to work from home.
But other businesses weren’t so well prepared. Prior to this year, even companies that claimed a cloud-first strategy did not always adopt cloud as aggressively as they’re doing today. When they make quick fixes, technical teams tend to cut corners. They remove firewall rules that protect the perimeter. They increase administrative privilege levels or create new privileged accounts. They migrate to new cloud services without performing much due diligence on new suppliers.
If that sounds like your company, it’s time to play catch up. Architecturally, all the end users sent home from locked-down corporate networks are now in the cloud. Along with VPNs, the cloud has become our digital lifeline. But attached to that digital lifeline is a boat anchor of risk and technical debt.
Multicloud Governance and a New IT Security Strategy
To be successful amidst today’s accelerated push to digitalization, businesses require a new security strategy. They must clean up risk and pay down technical debt. Multicloud governance and cloud security architecture must be key components. Security leaders must also improve information risk management practices sufficiently to help prioritize the many conflicting demands on the security program. Finally, they have to be able to communicate risk in terms business stakeholders understand.
What You Cannot Manage, You Cannot Secure
As I described in Chapters 6 and 7 of my Rational Cybersecurity book, a security control baseline can’t be fully or efficiently implemented across a chaotic IT environment. Even before cloud emerged as a disruptive force, IT organizations had accumulated technical debt by not rationalizing their infrastructure platforms and application portfolios. They may have too many platforms, too many applications performing similar functions, too many vendors, or all of the above. Disparate systems don’t interoperate unless stitched together by complex integration tools. Multiple internal support organizations tie themselves up with bureaucratic red tape and still struggle to coordinate their efforts.
Fortunately, just by doing their job well, security leaders can be a catalyst for IT improvement and thereby help security’s cause. The Rational Cybersecurity book advises security leaders on how to help develop (or discern) the IT strategy. It explains how to provide security for a governed multi-cloud environment through the following good practices:
- Identify the risk of shadow IT
- Align with the evolution from IT-as-provider to IT-as-broker
- Manage cloud risk through the third-party management program
- Include security services in the IT service catalog
- Upgrade IT operations with DevSecOps and Disciplined Agile
I tried to make these section-title bullets self-explanatory and skim-friendly. You can look around at your organization and consider: Where are we following these good practices? Where do we still need them?
Manage Risk in The Language of Business
As businesses build up technical debt, risk rises alongside. Some risks can be addressed through security controls such as strong authentication, access management, and secure system configuration. But even effective IT security organizations using the best technologies can’t always implement the controls ubiquitously or consistently across a chaotic IT environment with an excess of technical debt. Other risks stem from neglecting to assess and remediate security gaps during mergers and acquisitions, or from onboarding new suppliers without adequate due diligence.
In their book “How to Measure Anything in Cybersecurity Risk,” Douglas Hubbard and Richard Seiersen call a rigorous approach to risk management “the one patch most needed for cybersecurity.” Without enough attention to risk analysis and risk management, business leaders can’t be held accountable for fixing bad business practices that no control can cure. Security leaders can’t make defensible arguments on which risks to accept or avoid, convey a rational case for changing bad business practices, or even properly prioritize controls within their discretionary budget.
Chapter 5 of the book recommends adopting the quantitative FAIR risk analysis model within the ISO 31000 Risk Management Framework. Work with business and IT leaders to implement an information risk management program. Define risk program context, accountabilities, risk appetites, and risk processes. Performing risk analyses before making major business or IT decisions could help businesses see their way to avoiding some technical-debt-incurring actions, or at least help IT and security groups prioritize their efforts to refactor the impacted systems.
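As an added illustration (example code, not from the book or from FAIR Institute material), the script below runs a simplified FAIR-style Monte Carlo estimate: each risk scenario gets calibrated min/most-likely/max estimates for loss event frequency and loss magnitude, the simulation produces an annualized loss distribution, and scenarios are ranked against a stated risk appetite so that technical-debt items like those named above can be prioritized. The scenario names, estimate ranges and appetite figures are constructed for the example.

```python
"""Simplified FAIR-style Monte Carlo risk ranking (added example, constructed inputs)."""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: tuple   # loss event frequency per year: (min, most_likely, max), calibrated estimate
    lm: tuple    # loss magnitude per event in currency units: (min, most_likely, max)


def _draw(rng, estimate):
    """Sample a triangular distribution from a (min, most_likely, max) estimate."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)   # random.triangular takes (low, high, mode)


def simulate(scenario, trials=20000, seed=1):
    """Return mean and percentiles of annualized loss exposure (LEF x LM per trial)."""
    rng = random.Random(seed)             # fixed seed keeps the estimate reproducible
    losses = sorted(_draw(rng, scenario.lef) * _draw(rng, scenario.lm) for _ in range(trials))
    pct = lambda p: losses[int(p * (trials - 1))]
    return {"mean": statistics.fmean(losses), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def rank_scenarios(scenarios, appetite_p90, trials=20000, seed=1):
    """Rank scenarios by 90th-percentile annual loss and flag those above the appetite."""
    ranked = []
    for s in scenarios:
        r = simulate(s, trials, seed)
        ranked.append((s.name, r, r["p90"] > appetite_p90))
    ranked.sort(key=lambda item: item[1]["p90"], reverse=True)
    return ranked


# Constructed technical-debt scenarios of the kind described in the text.
SCENARIOS = [
    Scenario("Perimeter firewall rule removed for remote access", (0.1, 0.5, 2.0), (50_000, 200_000, 1_000_000)),
    Scenario("Excess privileged accounts created during lockdown", (0.2, 1.0, 3.0), (20_000, 100_000, 500_000)),
    Scenario("SaaS supplier onboarded without due diligence", (0.05, 0.2, 1.0), (10_000, 50_000, 300_000)),
]

if __name__ == "__main__":
    for name, r, over in rank_scenarios(SCENARIOS, appetite_p90=400_000):
        flag = "EXCEEDS APPETITE" if over else "within appetite"
        print(f"{name}: p50={r['p50']:,.0f} p90={r['p90']:,.0f} mean={r['mean']:,.0f} ({flag})")
```

The p90 figure is what gets compared to the risk appetite; the mean is useful for budget conversations with business stakeholders but understates the tail that drives remediation priority.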
Tiered Risk Assessments
Finally, my colleagues and I at Security Architects Partners advocate using a form of tiered risk assessment that’s designed to engage business and IT staff in the issue triage and early risk identification processes. With tiered risk assessments, it’s possible to remediate or gain routine exceptions for 90% of IT operational and cyber-risks at the business or IT team level. This helps focus teams on remediating issues or risks early on while they’re still small, or on knowing when it’s OK to accept a delay in fixing an issue so that a project can deliver business value faster. Tiered risk assessment also frees skilled information risk team professionals (who can’t be everywhere) to focus primarily on the higher risks.