The Technical Debt Bubble and Its Effect on IT Security

Much has been said and written about the financial crisis that we have been mired in for the past 5 years. Its effects are felt every day – for some more than for others.

One aspect that has received little attention, though, is the effect that this macroeconomic phenomenon has had on information security. Yet the impact has been great – it has steered and guided the mutation and evolution of the face of cybercrime (whether financial, activist, or state-sponsored) and of the security ecosystem.

The early 2000s were challenging for the security community. When the dotcom bubble burst, the information security industry, as interconnected and related as the two are, also took a beating. Prospects looked dim for a while – budgets were cut, there were redundancies and mergers, all of the usual thinning of the herd when a business cycle comes to a crashing end. But then the Housing Bubble started to inflate, and with it the Credit Bubble.

This bubble grew so rapidly, and so large, that the money that it was inflated with splashed around everywhere. Financial businesses grew at a breakneck pace, as fast as they could throw the money at people (which is very fast, people are usually happy to take money), and everything else grew with it. IT grew to a complexity and scale never seen before.

One of the many odd, funny (and for many in the business community, excruciatingly annoying) things about IT systems and environments (especially IT security) is that they cannot be “quickly” banged out. In fact, IT belongs to a rare, but select and honored, group of things that we have almost forgotten in this age of on-demand i-FRILL, just-in-time delivery and 24-7 shopping. IT cannot be rushed – it takes as long as it takes. It’s like baking bread, seducing someone, or a visit to the doctor (although I have read that even that can be done virtually now).

Someone more business-minded than me would probably say that IT and security developed some innovative solutions during this time, allowing systems to adapt to this rapid growth rate and successfully meet these new challenges. I am a cynic by nature though, a common trait in technical people. So, I would say that it has been like trying to repair the engine of a running car on a racetrack – impossibly difficult and ultimately futile. If you do not have enough resources to provide full-spectrum security or redundancy, it is a matter of when, not if.

If the depth and scale of the financial debt reported during the crisis so far has seemed far-fetched and shocking, it would probably pale against the technical and IT design debt that accrued during the same time in some organizations. I am not pointing the finger here either. It is understandable that IT cannot justifiably be a bottleneck on revenue. But it is an aspect worth mentioning, because it underpins the economic reality that we live in.

For those of you who are not familiar with the concept of technical debt, it is a term coined by Ward Cunningham to describe the effect of skimping during the design and implementation phase of software. Essentially, anything you save at the beginning to speed up release, you end up with as debt that has to be paid back with interest. Design debt is a similar concept, but applied at a higher level.

Along with the financial debt bubble came a technical and design debt bubble.

Just as with financial debt, you can pay it back, but it will have to be paid with interest. That website that had to be released really quickly to beat the competition to market now has 100,000 users, 2 million lines of code and a 99% SLA uptime guarantee.

And as I mentioned earlier, because of the bubble that was the catalyst for all of this, this is on a scale and complexity never seen before. Sony, in its hack, can be said to have been a victim of not paying this debt off on time. For some, the debt is too much to pay in the long term. DigiNotar comes to mind.

As if this is not bad enough, the situation is exacerbated even more. After all, we are still in a crisis, one that has lasted for some 5 years now. It is difficult to pay off this debt in a time of financial crisis. Budgets are tight, headcounts are reduced, and profitability and efficiency have to be increased. Persuading the corporate purse holders to invest in something that provides no apparent visible boost to the bottom line or benefit to profitability is going to be a hard sell. Coming back to our cannonball run analogy: not only are we hanging out of the window with our head underneath the car at 100 MPH, that car has now driven almost 200K miles and is making noises like a 20-year-old coffee machine, and the teammate who was holding your legs before to make sure you don’t accidentally go under the wheels is no longer there. And the spare parts you needed will not be available; you will have to use spit, some old tights and sticky tape. Before, we didn’t have the time; now we don’t have the money.

The crisis itself does not have a certain end in sight yet either. Even if it did, it will be a while before things return to business as usual. The chances of ever returning to the highs seen during the bubble are slim.

But it is really this technical and design debt that is the root cause of many of the security challenges that we face today. 2011 was a catastrophic year in terms of information security. In a sense, for us in the security community the crash occurred in 2011. Years of too-rapid growth, insufficient investment and a profit-fuelled risk appetite came back with a vengeance to demand repayment. It remains to be seen whether that was the worst of it, or whether more is yet to come.

Our greatest challenge in the near future will be how to pay back the interest on that debt without breaking the bank. We are going to have to become more sophisticated and inventive in how we solve problems and provide solutions, because throwing money at it is not an option.
