We’re on the brink of a cyber security crisis. In recent years, news of data breaches, ransomware attacks or accidental exposures by employees has been hitting the headlines almost daily. In Singapore, there were three major data breaches in 2019 alone that affected millions of individuals.
It’s no wonder that IT teams are constantly in firefighting mode. The most popular approach has been patching gaps with multiple point solutions as and when needed, instead of taking a step back and finding a more strategic way to address the situation. This has resulted in what old-school IT professionals – such as myself – call building up a security debt: in other words, not making the appropriate investment in cyber security year on year, to the point where the people, technology and process investment now required for cyber security maturity appears out of reach.
The risk of “good enough”
The concept of security debt borrows from a concept in software development called “technical debt”. It refers to the implied cost of additional rework caused by choosing an easy solution that helps an organisation now, instead of using a better (often longer) approach that would avoid problems in the future.
Similarly, there are significant consequences if organisations start building up a security debt. Any debt – whether security, technical or monetary – that is not serviced promptly will accumulate 'interest', making it harder to pay off in the future. To put it simply, by blindly implementing solutions that are “good enough” right now, organisations are making themselves vulnerable to incidents down the line.
Digitalisation initiatives are taking every industry by storm, with enormous amounts being spent on developing new and better tech-led ways to serve customers. Spend on cyber security solutions also continues to rise. In fact, according to IDC, Asia Pacific (APAC) companies will invest up to US$16 billion in security-related hardware, software, and services, an increase of 20 percent over the previous year.
The unspoken consequence of all this is that security debt will continue to accumulate. And when the day of reckoning arrives, organisations will face losses that reach millions of dollars, as well as reputational damage.
Is it too late to care?
No, it’s not. IT leaders need the courage and political will to take a step back, calculate current security debt and start to service it now. This will include a mix of initiatives, from reviewing the current solutions and assessing potential risks, to integrating security in every aspect of operations and promoting cyber security culture among all employees.
Many of the cyber security solutions that are currently being used may be best-of-breed. The problem often is that they work in silos and don’t integrate well enough to form a well-coordinated defence system. Organisations should start with an in-depth assessment and testing to identify potential infrastructure, application, and data security gaps.
Once the gaps are identified, organisations should further assess which portions of the ecosystem can be integrated and which portions need to be replaced. Building from scratch is seldom an option. What’s important is the ability to recognise the assets that work but could be improved, while at the same time casting aside systems that won’t provide value. This way organisations will be able to reduce the security debt without incurring additional financial debt.
Security from the get-go
Moving forward, organisations should make security part of the initial design of any new platform or app. Where personal data is impacted, this is actually a legal requirement under many of the new data privacy regulations, including GDPR, where it is termed Secure by Design. To do this, it’s important to equip teams with the right DevSecOps tools. These tools help to introduce security at the very beginning of application development so that it is integrated from day one. In fact, more and more enterprises are making an effort to shift security testing to the beginning of the development process, known as shifting left.
The truth is that today, businesses are under tremendous pressure to digitise fast to compete more effectively. This means that security often becomes just a tick in the box. As a result, many organisations, especially in fast-modernising economies like Singapore, will accumulate security debt.
However, it’s not too late to evaluate current solutions and make strategic adjustments to how cyber security is implemented and managed. The alternative is to let the security debt continue to grow until it collapses, and in all likelihood, takes the company with it. Is it really worth the risk?