When I read this article by Intel’s Chief Information Security Officer (CISO), Brent Conran, I was initially surprised why a CISO would be talking about technical debt. Technical debt, the amount of rework and maintenance needed for code or systems that stem from making quick yet messy implementation decisions, doesn’t seem directly related to security. Examples of technical debt include leaving code alone that should be refactored, writing customizations that make it difficult to upgrade systems, building applications that don’t add value compared to what could be bought, or bringing in components that don’t easily interface with other existing components. But if you think about it, technical debt is intimately tied to security for a few reasons.
Reason #1: Coding and Configuration
First, if you are constantly maintaining code or configurations for older security applications, you will be unable to focus on dealing with newer and potentially more dangerous threats. This is becoming more critical as threats have evolved to become increasingly sophisticated and are always changing. Spending the time to write code that is easy to maintain or buying an application and using out of the box configurations instead may cost more time and money upfront, but in the longer run can save both time and money.
Reason #2: New Skill
A second reason is the need to attract, ramp up, and retain security personnel. Using standard tools that incur little technical debt allows you to hire a wider range of personnel who could start almost immediately using industry standard security applications. Information Security personnel (most IT professionals) will want to learn and use standard industry products that will enhance their employability. Having and enforcing a security systems architecture that prevents accruing technical debt allows standard newer tools to be added easily. That provides even more opportunities for employee growth and development. These are subtle side effects of reducing technical debt.
Information Security is not just about technologies like intrusion detection systems and firewalls, but a holistic exercise that includes managing technical debt and as we have talked about, corporate culture. Over the year, I will be writing more about how managing technical debt, from identifying, reducing, and preventing as shown in the above diagram, can be applied to improve Information Security.