Security Experts:

The Technical Debt Bubble and Its Effect on IT Security

Much has been said and written about the financial crisis that we have been mired in for the past 5 years. Its effects are felt every day-- for some more than for others.

One aspect that has received little attention though, is the effect that this macroeconomic phenomenon has had on information security. Yet the impact has been great-- it has steered and guided the mutation and evolution of the face of cybercrime (financial, activist, or state-sponsored type), and the security ecosystem.

The early 2000’s were challenging for the security community. With the dotcom bubble bursting, the information security industry, as interconnected and related as the two are, also took a beating. Prospects looked dim for a while-- budgets were cut, redundancies, mergers, all of the usual thinning of the herd when a business cycle comes to a crashing end. But, then the Housing Bubble started to inflate, and with it the Credit Bubble.

This bubble grew so rapidly, and so large, that the money that it was inflated with splashed around everywhere. Financial businesses grew at a breakneck pace, as fast as they could throw the money at people (which is very fast, people are usually happy to take money), and everything else grew with it. IT grew to a complexity and scale never seen before.

One of the many odd, funny (and for many in the business community, excruciatingly annoying) things about IT systems and environments (especially IT security) is that they cannot be “quickly” banged out. In fact, IT belongs to a rare, but select and honored group of things that we have almost forgotten in this age of on-demand i-FRILL, just-in-time delivery and 24-7 shopping. IT cannot be rushed-- it takes as long as it takes. It’s like baking bread, seducing someone, or a visit to the doctor (although I have read that even that can be done virtually now).

Someone more business-minded than me would probably say that IT and security developed some innovative solutions during this time, allowing systems to adapt to this rapid growth rate and successfully meet these new challenges. I am a cynic by nature though, a common trait in technical people. So, I would say that it has been like trying to repair the engine of a running car on a racetrack-- impossibly difficult and ultimately futile. If you do not have enough resources to provide full-spectrum security or redundancy, it is a matter of when, not if.

If the depth and scale of the financial debt reported during the crisis so far has seemed far-fetched and shocking, it would probably pale against the technical and IT design debt that accrued during the same time in some organizations. I am not pointing the finger here either. It is understandable that IT cannot justifiably be a bottleneck on revenue. But, it is an aspect worth mentioning because it underpins the economic reality that we live in.

For those of you who are not familiar with the concept of technical debt, it is a term coined by Ward Cunningham to describe the effect of skimping during the design and implementation phase of software. Essentially, anything you save at the beginning to speed up release comes back as debt that has to be paid off with interest. Design debt is a similar concept, but applied at a higher level.

Along with the financial debt bubble, came a technical and design debt bubble.

Just as with financial debt, you can pay it back, but it will have to be paid back with interest. That website that had to be released really quickly to beat the competition to market now has 100,000 users, 2 million lines of code and a 99% uptime SLA guarantee.

And as I mentioned earlier, due to the bubble that was the catalyst for all of this, this is on a scale and complexity never seen before. Sony, in its hack, can be said to have been a victim of not paying this debt off on time. For some, the debt is simply too much to pay in the long term. DigiNotar comes to mind.

As if this is not bad enough, the situation is exacerbated even further. After all, we are still in a crisis, one that has lasted some 5 years so far. It is difficult to pay off this debt in a time of financial crisis. Budgets are tight, headcounts are reduced, and profitability and efficiency have to be increased. Persuading the corporate purse holders to invest in something that provides no visible boost to the bottom line or benefit to profitability is going to be a hard sell. Coming back to our cannonball-run analogy: not only are we hanging out of the window with our head underneath the car at 100 MPH, but that car has now driven almost 200K miles and is making noises like a 20-year-old coffee machine, and the teammate who was holding your legs to make sure you don’t accidentally go under the wheels is not there anymore. And the spare parts you needed will not be available; you will have to use spit, some old tights and sticky tape. Before, we didn’t have the time; now, we don’t have the money.

The crisis itself has no certain end in sight yet either. Even if it did, it will be at least a while before things return to business as usual. The chances of ever returning to the highs seen during the bubble are slim.

But it is really this technical and design debt that is the root cause of many of the security challenges that we face today. 2011 was a catastrophic year in terms of information security. In a sense, for us in the security community the crash occurred in 2011. Years of over-rapid growth, insufficient investment and a profit-fuelled risk appetite came back with a vengeance to demand repayment. It remains to be seen whether that was the worst of it, or whether more is yet to come.

Our greatest challenge in the near future will be how to pay back the interest on that debt without breaking the bank. We are going to have to become more sophisticated and inventive in how we solve problems and provide solutions, because throwing money at it is not an option.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of information security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of information and offensive security, as well as cyber-terrorism and hacker culture.