Security debt – how big is your Still-To-Do list?

Security debt is the sum of all those security-related things that you are going to get around to sorting out, when you have time.

  • Those online accounts that you set up ages ago, with weak passwords (before you really thought about security).
  • That router that you set up in a hurry because the last one died and you needed the new one to work immediately, so you didn’t change the default password.
  • The spare key to your office that your former employee forgot to hand back a couple of months ago.
  • The fact that your employees share information through channels that might not be very secure, but that are quick and easy for them to use.
  • That software that you know isn’t as secure as it could be, but it needed to be up and running, and you’re going to fix it at some point…

Security debt is a kind of technical debt. ‘Technical debt’ describes the future cost of the rework you take on when something is done the quick way rather than the right way. Security debt, then, is the list of weaknesses you know an attacker could use, but which haven’t (yet) been fixed.

Like all debts, these things tend to snowball: the lack of time that caused the problem in the first place is probably still an issue, and the interest accrues in the meantime, because a known weakness only gets easier to exploit as the fix stays undone and the flaw becomes common knowledge.

How does security debt happen?

Security debt means unaddressed security weaknesses. The term usually refers to insecure code, but as the examples above show, it covers accounts, devices, physical access and working practices too.

It builds up when not enough time or money was spent dealing with issues at the time: perhaps there wasn’t the time or budget to run security tests on new software, or to rework out-of-date processes and procedures.

Sometimes this kind of debt builds up because you’re postponing updates of your operating system or delaying patching applications. Or perhaps you’re delaying refactoring the legacy code you’re responsible for, because getting something new to market is a higher priority.

Whatever it is that you’ve been putting off, knowing that doing so is affecting your security, it’s time to tackle it.

It’s not likely to be easy to fix, and it may not be cheap, but that is still better than suffering a data breach, with the reputational damage, the cost of the incident response and the potential fine that come with it. Plus, it will shorten your worry-list.

How to go about reducing security debt?

Like all good debt advisors, we’d say that the most important place to start managing debt is to find out the size of the problem:

1. Are you in a crisis? In security terms: have you already been attacked? If so, call us now.

2. Is your security debt getting out of control? In security terms: is the list of things you need to do to get your security backlog under control bigger than the time you have available? We can help with this too, through our Security Manager as a Service.

3. Would you rather go it alone? Here are some steps to think about:

  • Establish what you need to secure. Software, hardware and your network are the obvious candidates, but there are other areas to cover as well: physical security, for instance, or the way your operations are run.
  • Looking at this list, work out what the risks are, and prioritise them by size. A rough likelihood-times-impact score is enough: the order doesn’t need to be precise, but you’ll be most effective dealing with the bigger risks first.
  • Think about a way of measuring your progress through the list of risks, especially if it is a long one; a visible count of risk retired will help you stay motivated.
  • Put in place a plan for your debt reduction programme. You won’t be able to do everything at once, so commit to a plan: perhaps batching the issues up, to be blitzed monthly, or committing to a certain number of hours each week.
  • Work out how you are going to handle each security risk. Decide what to do about the biggest one first (and do it), then work down the list.
  • Establish a way of staying out of security debt in the future. Were your biggest problems due to failure to keep up with patching, or with writing secure code in the first place? Perhaps your developers need training in secure coding, or perhaps your patching schedule isn’t working. Maybe you need to review operational procedures… Whatever it is, putting that in place now—even if belatedly—will help you stay out of security debt in the future.
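As an added illustration of these steps (example code written for this page, not the firm’s own tooling): a small Python register that holds the inventory from the first step, scores each item by likelihood times impact for the second, measures progress as risk retired rather than items ticked off for the third, plans weekly batches within a fixed hour budget for the fourth and fifth, and totals the debt by area to answer the question in the last step. The items, their scores and their effort estimates are constructed for illustration, and the 1-to-5 scoring scale is an assumption.

```python
"""Security-debt register: inventory, prioritise by risk, batch into weekly budgets, track progress.

Added example, not the firm's own tooling. The likelihood x impact scoring (each 1..5),
the sample items and their effort estimates are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass
class DebtItem:
    name: str
    area: str            # where the debt lives: accounts, network, physical, process, code, patching
    likelihood: int      # 1 (rare) .. 5 (almost certain) that the weakness is exploited
    impact: int          # 1 (negligible) .. 5 (severe) if it is
    effort_hours: float  # rough estimate to fix, used to batch work into the weekly budget
    done: bool = False

    @property
    def risk(self) -> int:
        # Coarse likelihood x impact score; a rough ordering is all the plan needs.
        return self.likelihood * self.impact


def sample_register() -> list[DebtItem]:
    """Constructed sample mirroring the page's examples; scores are illustrative guesses."""
    return [
        DebtItem("Weak passwords on old online accounts", "accounts", 4, 3, 2),
        DebtItem("Router left on default password", "network", 5, 4, 0.5),
        DebtItem("Office spare key not returned by former employee", "physical", 2, 3, 1),
        DebtItem("Staff sharing data over unvetted channels", "process", 3, 4, 6),
        DebtItem("Known insecure software in production", "code", 4, 5, 12),
        DebtItem("Overdue operating system patching", "patching", 4, 4, 3),
    ]


def prioritise(items: Iterable[DebtItem]) -> list[DebtItem]:
    """Highest risk first; among equal risk, the quicker fix first so cheap wins ship sooner."""
    return sorted(items, key=lambda i: (-i.risk, i.effort_hours))


def plan_batches(items: Iterable[DebtItem], hours_per_week: float) -> list[list[DebtItem]]:
    """Greedy weekly batches that preserve priority order.

    Walk the prioritised open items and fill each week up to the budget. Priority order is
    never broken to pack a week more tightly, so the biggest risk is always worked first;
    an item larger than the whole budget simply gets a week (or more) to itself.
    """
    batches: list[list[DebtItem]] = []
    current: list[DebtItem] = []
    used = 0.0
    for item in prioritise(i for i in items if not i.done):
        if current and used + item.effort_hours > hours_per_week:
            batches.append(current)
            current, used = [], 0.0
        current.append(item)
        used += item.effort_hours
    if current:
        batches.append(current)
    return batches


def mark_done(items: list[DebtItem], name: str) -> DebtItem:
    """Close an item by name; raises KeyError so a typo does not silently retire nothing."""
    for item in items:
        if item.name == name:
            item.done = True
            return item
    raise KeyError(name)


def progress(items: list[DebtItem]) -> dict[str, float]:
    """Measure progress by risk retired, not items closed: six small fixes can matter less than one big one."""
    total = sum(i.risk for i in items)
    retired = sum(i.risk for i in items if i.done)
    return {
        "items_total": len(items),
        "items_done": sum(1 for i in items if i.done),
        "risk_total": total,
        "risk_retired": retired,
        "pct_risk_retired": round(100.0 * retired / total, 1) if total else 100.0,
    }


def risk_by_area(items: Iterable[DebtItem]) -> dict[str, int]:
    """Where the debt comes from, largest first; the top areas point at the process that needs fixing."""
    totals: dict[str, int] = {}
    for i in items:
        totals[i.area] = totals.get(i.area, 0) + i.risk
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    register = sample_register()
    for week, batch in enumerate(plan_batches(register, hours_per_week=8), start=1):
        print(f"week {week}:", ", ".join(f"{i.name} (risk {i.risk}, {i.effort_hours}h)" for i in batch))
    mark_done(register, "Router left on default password")
    print(progress(register))
    print(risk_by_area(register))
```

Run as a script, it prints four weeks of work at eight hours a week: the default-password router, the quickest of the two top-risk items, goes first and on its own, and the insecure software takes the whole of week two rather than being pushed behind smaller jobs. The progress figure is deliberately weighted by risk, so closing that one router item retires a bigger share of the debt than closing several low-risk ones would, and the per-area totals show at a glance whether code, patching or working practices are where the debt keeps coming from.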

Would you like help with this? Just call us on 0113 733 6230 for a chat (or fill out our online form), and find out how we can help.