Cyber threats are everywhere today. From financially motivated cybercrime groups to nation-state attackers and even negligent insiders, the sheer volume and range of threats facing firms is mind-boggling. That can make it challenging for security leaders at the coal face to pull back, look at the bigger picture and find a more strategic way to tackle and communicate the underlying challenges. It may help them to consider an approach borrowed from the financial world.
If businesses start understanding that security trade-offs are debt that needs to be serviced, they stand a much better chance of addressing this imbalance in the long-term, for the benefit of the entire organisation.
Three decades of debt
Information security budgets have been rising for years now. Gartner forecast that global spending on information security would rise 8% year-on-year to reach $96 billion in 2018. Much of this is down to an ever-evolving threat landscape, of course. But the elephant in the room is “technical debt”, a term first coined in the early 1990s in relation to software development. The idea is that when an organisation chooses the quick and easy option, the shortcut will inevitably cost more to fix in future than the comprehensive option would have cost, even though the comprehensive option usually costs more and takes longer up front.
IT security is riddled with examples of this kind of technical debt, where organisations have settled for “good enough” as they race to exploit digital opportunities, leaving them vulnerable to damaging and costly incidents later. The longer this security debt goes unpaid, the more it will accrue interest as the cost of fixing the shortcomings of the original investment grows over time. For some organisations, this security debt has been accruing for nearly three decades. The impact can be seen in big-name breaches at the likes of Equifax, Uber, Yahoo and TalkTalk, which in some cases cost the organisations hundreds of millions and major brand reputation damage.
In fact, breaches are said to have cost organisations an estimated $27 billion last year. It’s likely that much of this money could have been saved if the firms involved better understood their security debt, and then put in place processes for managing and reducing it.
A security debt crisis?
The challenge lies in the complexity of modern security debt. Like financial debt, it’s often far from easy to spot, hidden deep in the architectures, legacy code, third-party libraries and dependencies, and even the fundamental economic principles that some business models are based on. These interdependencies are so complex and intertwined that it may be beyond the abilities of the average business to fully determine what they are.
This is, in many ways, similar to what led to the 2008 financial crisis. Complex derivatives known as Collateralised Debt Obligations (CDOs) pooled debt owned by one business and resold it to another; that debt was then broken up, bundled and resold on again. The result was that no one knew where the original debt lay or how risky it was, so when the US property market started to crash, the models in place to protect investors simply didn’t work.
Is there a chance a similar thing could happen in the IT security space, because of years of accumulated security debt and poor risk assessment? Are we borrowing security time at a rate we’ll never be able to repay? Has that debt become so complex that no one can determine what theirs really is? Could one catastrophic incident cause a crash which forces regulators to step in, businesses to go under and costs to explode?
Well, probably not quite — at least, not yet. But it may do us some good to be aware of the disconcerting similarities between the IT and financial sectors here.
What happens next?
So how do we plot a way forward?
The first step is to calculate that security debt. A paper by Dan Geer and Gunnar Peterson gives us a good place to start: a Margin of Safety calculation which compares the “book value” of IT assets with the spend on the security controls and services used to defend those assets. The resulting figure can be used as the technical or security debt ratio for your organisation. From there, apply the ratio to your own cost structure to get an actual monetary value. Interest can then be expressed in risk management language, baselined on a “standard” interest level, so that the cost of leaving the debt unpaid for another year can be compared with the cost of servicing it now.
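The following is an added illustration of that bookkeeping and is not code from the article or from Geer and Peterson’s paper. It assumes a simple model: each asset has a book value and an annual spend on the controls defending it; a target coverage ratio (controls spend divided by book value) is chosen by the organisation; the monetary shortfall below that target is the principal of the security debt; and unpaid principal compounds at an assumed baseline rate standing in for rising remediation cost. The inventory, target ratio and rate are all constructed sample values.

```python
"""Illustrative security-debt ledger (added example; the model, the asset
inventory, the target ratio and the interest rate are all assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    book_value: float       # value of the asset to the business (currency units)
    controls_spend: float   # annual spend on the controls defending it


# Constructed sample inventory; not real figures from any organisation.
DEMO_ASSETS = [
    Asset("customer database", book_value=5_000_000, controls_spend=50_000),
    Asset("public website", book_value=1_000_000, controls_spend=80_000),
    Asset("legacy billing system", book_value=2_000_000, controls_spend=10_000),
]

TARGET_RATIO = 0.05   # assumed: spend 5% of book value on defending each asset
BASE_RATE = 0.15      # assumed baseline "interest" on unpaid security debt
HORIZON_YEARS = 5


def coverage_ratio(asset: Asset) -> float:
    """Controls spend relative to book value (the margin-of-safety style ratio)."""
    if asset.book_value <= 0:
        raise ValueError(f"{asset.name}: book value must be positive")
    return asset.controls_spend / asset.book_value


def debt_principal(asset: Asset, target_ratio: float) -> float:
    """Money by which the asset is under-defended against the target ratio.
    Assets defended above target carry no debt (no negative debt)."""
    shortfall = target_ratio * asset.book_value - asset.controls_spend
    return max(0.0, shortfall)


def accrued_debt(principal: float, rate: float, years: int) -> float:
    """Principal left unserviced for `years`, compounding annually at `rate`."""
    return principal * (1.0 + rate) ** years


def ledger(assets, target_ratio=TARGET_RATIO, rate=BASE_RATE, years=HORIZON_YEARS):
    """Per-asset debt, ordered by largest principal first (service those first),
    plus the organisation-wide totals now and after `years` of neglect."""
    rows = []
    for asset in assets:
        principal = debt_principal(asset, target_ratio)
        rows.append({
            "asset": asset.name,
            "coverage_ratio": coverage_ratio(asset),
            "principal": principal,
            "accrued": accrued_debt(principal, rate, years),
        })
    rows.sort(key=lambda r: r["principal"], reverse=True)
    total_now = sum(r["principal"] for r in rows)
    total_later = sum(r["accrued"] for r in rows)
    return {"rows": rows, "total_now": total_now, "total_later": total_later}


if __name__ == "__main__":
    report = ledger(DEMO_ASSETS)
    for row in report["rows"]:
        print(f"{row['asset']:<22} coverage {row['coverage_ratio']:.3f}  "
              f"debt now {row['principal']:>10,.0f}  "
              f"in {HORIZON_YEARS}y {row['accrued']:>10,.0f}")
    print(f"total security debt now: {report['total_now']:,.0f}")
    print(f"total if unserviced for {HORIZON_YEARS} years: "
          f"{report['total_later']:,.0f}")
```

The useful output is the ordering, not the absolute numbers: the assets with the largest principal are the ones whose debt should be serviced first, and the gap between the two totals is the argument for doing it sooner rather than later.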
The most important thing to understand is that it’s best to service security debt sooner rather than later, as it accrues interest and can become toxic over time. In a worst-case scenario, latent security debt could bankrupt a business or a technology. You do not want to be put in the position of forced repayment, where a breach, a regulator or a customer sets the timetable. Instead, understand the debt you are running and put in place processes to manage that debt and risk. Investing in managed services could be one way to service it. If you’re unable to do so, there are other ways to deal with the residual risk, such as transferring it through cyber insurance, though insurance pays out after an incident rather than removing the weakness that caused it.
Although this concept may be theoretical, it does provide food for thought, and may lead to wholesale security change across multiple industries. By looking at cyber security through the prism of the financial system, we can potentially all find a more effective way to manage risk.
Sourced by Charl van der Walt, chief security strategy officer, SecureData