COMMENTARY: Technical debt has become the foremost self-imposed cyber threat within enterprises. But what are we talking about? Why does it happen? And, how can enterprises ensure that obsolete hardware and unattended software aren’t inadvertently leaving the network open to risk?
McKinsey defines technical debt as the “tax” a company pays on any development to redress existing technology issues. And it’s not cheap. The consulting firm’s research found that technical debt accounts for about 40% of IT balance sheets – and that companies pay an additional 10% to 20% on top of a project’s cost to address it.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Think of technical debt as the latent issues in the network that can become significant risks if an enterprise network gets attacked or network configurations change. Equipment with vulnerabilities is one example. Another example: the equipment vendors no longer test for vulnerabilities because it’s end-of-life or not supported or will become so soon. Unfortunately, many IT and cyber managers remain unaware of the extent of technical debt burdening their organizations.
So how did we get here? Today’s networks are extremely complex and critical for an enterprise’s business continuity. This complexity means that the latent problems often remain unknown until they become an immediate threat that needs the team needs to fix immediately. This means that instead of a planned, measured approach to addressing technical debt, enterprises are in a constant state of fire drills and context switching.
A more detailed answer: Today’s networks are composed of tens of thousands of devices running billions of lines of configuration and include multiple clouds. There are more potential traffic paths in a single network than the human mind can track.
Traditionally, network operations centers depended on diagrams, spreadsheets, and siloed tools to manage and troubleshoot the network, but none of these tools designed to address problems like inventory management, security monitoring, network observability, and vulnerability assessments talk to each other. These tools do not offer timely end-to-end visibility and ignore the reality of today’s multi-vendor, multi-cloud environments.
The main risks of technical debt
Technical debt issues vary in risk level depending on the scope and blast radius of the issue. Unaddressed high-risk technical debt issues create inefficiency and security exposure while diminishing network reliability and performance. There’s the obvious financial risk that comes from wasted time, inefficiencies, and maintenance costs. Adding tools potentially introduces new vulnerabilities, increasing the attack surface for cyber threats.
A lot of the literature around technical debt focuses on obsolete technology on desktops. While this does present some risk, desktops have a limited blast radius when compromised. Outdated hardware and unattended software vulnerabilities within network infrastructure pose a much more imminent and severe risk as they serve as a convenient entry point for malicious actors with a much wider potential reach. An unpatched or end-of-life router, switch, or firewall, riddled with documented vulnerabilities, creates a clear path to infiltrating the network.
By methodically addressing technical debt, enterprises can significantly mitigate cyber risks, enhance operational preparedness, and minimize unforeseen infrastructure disruptions. This requires enterprises to know exactly what devices and tools are in the network and what they need to remove, upgrade and/or maintain. In other words, full network visibility.
With the visibility, enterprises can plan ahead to address technical debt issues in the most efficient way. For example, they make patch vs. upgrade decisions based on how close devices are to end-of-life. Or schedule device configuration updates for an approaching maintenance window based on the locations and the number of relevant CVEs.
Network digital twins offer one way for enterprises to get a single, global view of the entire hybrid, multi-cloud environment that can drill down to single devices or instances to pinpoint the exact line of errant code. Enterprise NOC and SOC engineers can make sense of all the information that they have about the devices in the network and their behavior and can prove the security posture and compliance are being enforced as intended, as well as detect and rectify vulnerabilities before they are compromised.
McKinsey’s research notes that the benefits of paying down technical debt free-up engineers to spend as much as 50% more of their time working on value-generating products and services. With digital twin technology, enterprises can address technical debt more methodically, reducing costs by cutting back on time needed to manage complexities, and improving uptime and resiliency.
An even greater benefit: a reliable and secure network. Most outages or security incidents result from simple mistakes made by highly-skilled individuals. By offering them a single source of truth about the devices and software on the network, enterprises can ensure that even as network complexity increases, they have the visibility to ensure that the network doesn’t disrupt business continuity.
Renata Budko, director of security product management, Forward Networks
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
