Will the events starting in Eastern Europe cause the cracks in your IT foundation to crumble?
A new day has started, and with it, a “new normal” in Cybersecurity.
The legacy of CIOs retiring today will be, in part, the technical debt they left behind. Sure, they can hang their hat on the many business apps built, successful digital transformations, or helping to usher in a once-in-a-lifetime shift to the cloud, but the infrastructure they failed to clean up remains a burden for everyone that comes after them. Now is the time to stop technical debt from being passed down to tomorrow’s CIOs.
Years of allowing companies to ignore, hide, and transfer the risk of outdated and orphaned technologies have left a digital wasteland of legacy software and hardware.
As we all know, security through obscurity is a failed belief. Put another way, this risk does not go away with managed risk exception processes. It’s a primrose path to think these risks are “transferred” to some mystical place where we no longer have to worry about vulnerabilities being exploited. One has to ask why organizations continue to allow for exceptions in the first place. The answer is that remediating older, outdated technology has been determined to be too costly. So it persists.
CISOs hedge against the risks associated with technical debt by prioritizing remediation and creating Red Teams to identify critical vulnerabilities on their most critical infrastructure – which is a worthy effort. But what about the thousands of other assets that were deemed “low risk” or “safe” to overlook when evaluated last month or last year?
There aren’t enough Red Teams in the world to continuously re-evaluate the millions of endpoints that still pose a risk to companies today. Certainly not when you consider that new vulnerabilities in old hardware and software are discovered every day.
Cybersecurity professionals have attempted to mitigate legacy vulnerabilities by analyzing massive amounts of threat intelligence, but this creates a false sense of security, because intelligence has to be current, timely, and focused. Companies and institutions will continue to have to deal with this seemingly endless string of cyberattacks, which will only increase in frequency and intensity with Russia’s invasion of Ukraine last night. How do we deal with this never-ending problem that is now more urgent?
While technical debt is an albatross for cybersecurity professionals, its importance cannot be stressed enough today due to the events in Kyiv last night. The fine line between critical/high and lower risk vulnerabilities shifted overnight, and we need to recognize that going forward. There is a new normal in cybersecurity.
There are steps that can be taken today to up our cybersecurity game in this new normal, such as running complex Tabletop simulations (note: stay tuned for more on this from my ImagineX colleagues). Another is addressing the problem of technical debt, which will persist until companies finally turn the lights out at their data centers and completely move to the cloud. Microsoft Corp.’s new security chief, Charlie Bell, suggests, “Take shelter in the cloud… It’s sort of like the mother of all problems,” as Mr. Bell was recently quoted in The Wall Street Journal. “If you don’t solve it, all the other technology stuff just doesn’t happen.”
And as we all move to the cloud and modernize in the cloud, we cannot repeat the sins of our past. Visibility will be the key to holding people accountable. We’ll need to rely on technologies that have great visibility capabilities both on-prem and in the cloud, including containers and Infrastructure-as-Code.
CIOs directly influence their legacy – don’t leave it to your successor. Especially today.