Cyber Security Debt
In the world of software development, we call the potential problems and actual support burden caused by cutting corners or patching when you should rewrite "technical debt." This is a useful concept because it forces us to acknowledge the long-term burdens imposed by short-term thinking. Without this concept it becomes difficult to make good short-term choices; without this concept the answer to "should we do it right but slowly or hack it quickly?" will always be "hack it quickly: why not?"
In practicing Cyber Security there is a similar need to balance short-term practical requirements with long-term repercussions, otherwise the answer will always be "a quick hack is fine." In actually protecting cyber assets and monitoring that protection, there is the same tension between a near-infinite need (there is always something more you could do) and the very finite set of resources available to fill that need (you have "real" work to get done, after all).
Should you make sure that all your network hardware's firmware is up-to-date? Yes, you should. How often? Well, that depends on how much time your network people can spare for it. Should you replace computer systems that have reached End of Life? Well, sure, but those systems are likely stable, paid for and lacking a drop-in replacement, so replacing them will be a project. But you should take the time and energy and money to replace those systems, right? Next month? Next quarter? Next year?
At Pythia Cyber, we are all about "reality-based consulting." Advising you to do things you can't or won't do is a waste of time. Suggesting fixes that are too expensive or too broad in scope doesn't make you safer, it just makes you feel bad.
On the other hand, being realistic does not mean being foolish. Cut every corner you have to, but do so with forethought and awareness. Put off what you can put off, but not forever: instead pick a date and stick to that date.
In other words, be aware of your Cyber Security debt; just like every other kind of debt, if you let it get too big it will overwhelm you. But you won't have the bank repossessing your car. Instead you will have access to critical systems denied, either by malice or malfunction, or your critical data read, modified or destroyed. In Cyber Security, "tomorrow never comes" is a seductive lie and the epitaph of many a poorly protected enterprise.