Looking at cybersecurity through financially-tinted glasses

This is a contributed article by Charl van der Walt, Chief Security Strategy Officer, SecureData


Technical debt is a phenomenon that has been explored and researched for several years. The premise is that if a developer cuts corners in creating some code, the repercussions will be felt later, each time that piece of code is modified or extended. This debt is created when the code is optimised for development cost or time to market, rather than using a better approach from the start that may take longer to implement. When this is scaled up to each application or device that an organisation uses, the debt spirals, and may become significant.

To put this into perspective, we should briefly explore an example from the open source software ecosystem. Open source software is the base of many applications and programmes used across the globe. With estimates of around 52 billion (annualised) Python downloads from the PyPI repository alone, the contagion aspect of technical security debt is something to be acutely aware of. Each vulnerable or hastily composed component may carry a shortcut of its own, a small slice of technical debt. All this debt is shared, resold and carved up each time a new application is created, deployed and shared across different businesses or departments in an organisation. This debt sharing has close parallels with what the global economy faced in the Global Financial Crisis (GFC) that began in 2007.


A bit of give and take

To understand how the GFC relates to technical debt, we need to understand how it came into being.

The GFC began with something called 'Collateralised Debt Obligations' (CDOs) in 2007. CDOs are a form of derivative in which the value of the instrument is derived from the value of other assets, often high-yield junk bonds, mortgage-backed securities, credit-default swaps and other high-risk, high-yield products. Essentially a CDO boils down to debt owned by one business that is then resold to another, broken up, bundled and resold again.

As this process continued across the globe, the CDOs in circulation became more and more complex. Eventually no one in business or industry could determine where the original debt lay or how risky it was, and so when the bottom started to fall out of the domestic property market in 2008, the assets at the core of CDOs were going under and the mathematical models that were supposed to guide investors didn't work. There was more debt and more risk than the business model could tolerate, and the whole structure collapsed.


We're deeply in the red

Could a similar thing happen because of poor risk assessment and accumulated security debt in modern digital businesses? Is the whole IT industry borrowing security time at a rate that we'll never be able to repay? Our debt is so broken up, bundled and resold that no one will ever accurately determine what theirs really is, and it could be that we just need one major incident for the bottom to fall out of the technology industry. Presumably regulators would then step in, reducing appetite for investment, increasing costs and potentially driving businesses under. Other market forces may also cause a 'run' on technologies, products or brands that could cause further financial tumult. While we haven't seen anything close to this happen yet, the recent 'Spectre' and 'Meltdown' vulnerabilities, which affected Intel processors and, in Spectre's case, most other modern CPUs as well, illustrate how real this possibility is: a single class of flaw in a widely shared component surfaced simultaneously in products across the whole industry. It would serve the security industry to brace itself and learn from other sectors that have tackled these issues.

The kind of debt experienced in the GFC is rife in security. When the internet was still new and promised to enable radical business concepts, many companies rushed blindly to 'get online', come hell or high water. Unfortunately, this meant there was little appreciation of security threats at the time, and security was neglected or ignored. These new business concepts were therefore shipped or packaged up with inherent flaws, and so we started to accumulate security debt. It has been adding up for almost three decades. Some of the debt is easy to see, but much of it is hidden deep in architectures, legacy code, third-party libraries and dependencies, and even in the fundamental economic principles that some business models are based on. All this points to a debt that is too far in the red for any single organisation to handle on its own.


Getting back into the black

So how do we at least try to get our security finances back in order? The first step is for the industry to look at calculating security debt. Dan Geer and Gunnar Peterson wrote a paper on this subject which offers a sound starting point for tackling the challenge. It involves a Margin of Safety calculation, which compares the "book value" of IT assets with the spend on the security controls and services used to defend those same assets. That figure can then be used to work out the technical or security debt ratio in the organisation. Apply that ratio to your cost structure to get an actual monetary value, and interest can then be expressed in risk management language, baselined against a "standard" interest level.

As a crucial overarching theme to security debt, businesses must understand that servicing security debt sooner rather than later is incredibly important. If not addressed, it accrues interest and becomes increasingly toxic over time. Latent security debt could potentially bankrupt a business or a technology, and no one wants to be put in a position of forced repayment and foreclosure. Instead, organisations should be making efforts to understand the debt they are running and put the right processes in place to manage that debt and risk. Cyber insurance is one consideration here.

Even though this concept is theoretical, the thought process and concern that it drives are real and have precedent. By looking through the less than rose-tinted glasses of finance, there is potential to find better ways to manage and mitigate security risk before the debt falls due and affects the global economy more than we can imagine.



Charl van der Walt is Chief Security Strategy Officer at SecureData. Charl has given courses and lectures for companies and universities the world over and has been a regular on the Infosec conference circuit. He has been a security training advisor to the US DoD for over 5 years, has acted as a network security consultant for the Commonwealth Games and co-authored numerous security books.



IDG Connect's expert contributors come from across the spectrum of IT and business job titles.
