We live in a time where compliance and security initiatives are in the spotlight; it’s the new black. Never have CISOs or compliance departments had as large a budget or as high a priority in the boardroom as they do today. However, as organizations rush to make up for years of neglect in security, the focus is usually singular: safeguards and measures to build resilience. While that should take precedence over other objectives, efficiency is mostly forgotten.
A Common Issue
Most large organizations that have been operating for half a century or more face the challenges that come with legacy IT and technical debt. Some have confronted those challenges and moved past them with an IT transformation, but for the vast majority, these challenges persist as a barrier to building efficient resilience. The issue remains widespread across highly regulated sectors as well as the less regulated ones, where the situation is usually more dire. For in today’s digitalized world, everyone relies on the same digital tools, which can and will be compromised. As such, no one is spared, and the cyber threat remains constant for everyone, regardless of your area of business.
Consequences of Neglect
While decades of neglect in security might pose a serious challenge to achieving a mature level of resilience, chances are it’s both viable and achievable in a reasonable time with modern tools, if no other constraints are present. However, as established, legacy IT and technical debt will be the deciding factors for the level of resilience reached and the time spent achieving it. Without addressing basic IT operational and infrastructural hygiene first, most security additions to an existing IT landscape will simply not be efficient.
Classic examples of technical debt range from dependence on key individuals due to a lack of documentation or competencies, to mismanaged account and access management leading to an overabundance of privileged users, as well as undocumented software changes and developments, unmapped integrations and API calls, and not least shadow IT accumulated after years without technical limitations or monitoring.
Examples such as these lead to unnecessary exposure and multiply the number of attack vectors available to threat actors. Furthermore, conducting an accurate risk assessment, which should be the basis of any security initiative, becomes almost impossible until the gaps have been mapped and assessed, due to the number of unknown variables. As such, the consequence will mostly be time: technical debt can be remediated, but the time it takes to map and document the existing IT landscape takes focus and resources away from safeguarding the organization.
Catch 22
In a perfect world with no immediate risk, the right approach would always be to map out the gaps, conduct a risk assessment and then proceed accordingly. However, with the ever-present cyber risk, taking the time to document and map parts of the IT landscape before implementing security measures is often not a reasonable solution from a security perspective.
The answer for most organizations would be a hybrid approach, as there is no “right” approach that works for all organizations, especially not with the current cyber threats taken into consideration. While documentation might be lacking, most organizations have some notion of where their crown jewels are kept, and of which business processes, associated IT platforms and vendors are key to their function. This is where you start, knowing that before you have finished the security initiative, you will have made findings that force you to adapt your initial approach and possibly the chosen safeguards as well.
The Cost of Efficiency
Immediate security will therefore come at the cost of efficiency, as applying security measures without a solid overview of the IT landscape and its associated risk will mean costly and, not least, time-consuming changes along the way, something most stakeholders are not overly fond of. Unfortunately, most organizations won’t understand their own risk appetite until after having experienced a cyber security breach.
The question that remains is whether it will have been worthwhile applying security measures immediately. The answer from a security professional’s perspective would usually be yes, as such measures come at a very limited cost in comparison to what a cyber security breach could cost. Stakeholder management should therefore focus on establishing a mutual understanding that certain security decisions might not seem effective from a cost or administrative point of view, but that such actions are necessary for building resilience swiftly.