4 learnings from a top Infosec specialist
By Secure Agility
Definition: Technical Debt: technology systems and processes which are costly to maintain but add little value to the business.
Recently, we were pleased to host Steven Woodhouse, a respected CIO with a wealth of Cybersecurity and Cloud experience. We discussed several issues that are pertinent right now in cybersecurity and how it relates to technical debt.
Technical debt is a problem for many organisations, and it can easily influence budget priorities.
In this blog, we will review technical debt, how it’s tied to security and IT decision making, and how taking steps now can avoid technical debt arising in the future.
1. Try changing amid technical debt
The concept of technical debt is broadly defined as technology systems and processes which are costly to maintain but add little value to the business. Systems that are difficult to change also add to the technical debt problem as they hold back modernisation.
Many organisations are managing digital transformation programs without taking a close look at the technical debt they might be tied to first.
There remains a lot of technical debt within digital transformation journeys, but how can an organisation do digital transformation successfully with massive technical debt?
Historically, Kodak ignored digital and thought they didn’t need to do anything. They ended up folding, partly due to the high levels of technical debt they were carrying.
2. Technical debt is also tied to security & processes
Legacy systems can constitute the bulk of an organisation’s technical debt, and this has wider information security challenges.
Operations teams should update and patch systems routinely, yet this is often done ad hoc. In the case of systems past their supported lifespan, how are you mitigating security vulnerabilities?
The signs and precursors of technical debt do not just relate to systems, it’s around processes as well.
Organisations will struggle to automate bad or manual processes and when asked if they have technical debt, most people will say no.
3. Budgets and roadmaps are important
How can technical debt influence budget priorities? If technical debt is ignored it will not rise to the budget level, but it needs to be part of the risk conversation, which is, in turn, up there with the budget conversation.
IT budget strategies need to include remediation of technical debt and the first thing an organisation should have is a technology roadmap to describe all the systems across the organisation, what they are used for, and when is the end-of-life.
That is the key because it allows CIOs to have an accurate risk discussion.
4. Avoiding mistakes of the past
Technical debt should NOT be viewed as a historical concept and can arise with the adoption of modern tools and services, especially the cloud.
As more services move to cloud and service providers, how can Australian organisations avoid a new form, or wave, of technical debt?
There is a big push to the cloud, but is your information portable and will you able to pull it out at any time in the future? Or, if something happens, and you need to go back in time to an archive?
To prevent technical debt from repeating itself in the cloud, Woodhouse suggested that IT leaders need to be reviewing the use of data in the cloud – not just the contracts, but cloud transparency.
As with in-house processes, cloud processes (or processes built around cloud apps and services) can become a form of technical debt in future. It might be very difficult and costly to re-create business processes deeply embedded in cloud services.
Review the other articles in this series Shoring up skills in a changed information security landscape or Cloud security: How much don’t we really know?
