cyber debt

The High Cost of Doing Nothing

Don’t have time to read? Start listening to this blog post now:

In business, the name of the game is to make hard choices with the hope that the decision made will pay off. IT is not exempt from these difficult decisions. Originally coined in 1992 to address quick and dirty coding in software development, technical debt has evolved to “reflect the implied costs of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer.” Or simply put by Saša Zdjelar, SSG Supervisor at ExxonMobile, “What’s tomorrow’s cost of a shortcut from yesterday?”

On a daily basis, enterprises come face-to-face with the critical question, “Should we upgrade this technology now or can we get by?” Zdjelar explains, if the choice is to hold-off, the organization, knowingly or not, chooses to incur debt for future re-engineering and refactoring. The advantage is that technical debt is reasonably in control of the organization. Enterprises can choose when and how they leverage upgraded technology to empower business performance. The downside of technical debt is only the first of many difficult decisions on the horizon.

Now, cyber is on the rise and organizations are grappling to wrap their arms around the ambiguous, fast-advancing risks. Consequently, a variation of technical debt is emerging—cyber debt. At this table, the stakes are higher than re-engineering or re-factoring costs. Failing to update a patch could result in the loss of data, competitive advantage, or even brand equity. To exacerbate this, cyber risks are triggered by an outside element—the attacker. In the realm of cyber, organizations lose control of whether or not a decision is placed on the table. Inevitably, every business is a target to cyber risk, and therefore must begin to weigh each and every decision regarding cyber operations.

As with any debt, there are two parts: the interest and the principal. In the case of cyber debt, interest is the potential loss over time resulting from a cyberattack. Every loss impacts the business through disruption, revenue, fines, brand equity, among others. These business impacts reflect the cost of doing nothing. To understand and monitor these losses, successful companies will start by quantifying cyber risks in financial terms. This will provide a common point of reference for organizational stakeholders and enable leaders to prioritize the ever-growing list of cyber risks.

The latter half of the equation, principal, is simply a function of remediation cost. Each loss will have a trigger, and it will fall into one of three buckets: people, process, or technology. For example, if a cyber risk is triggered by an employee clicking on a phishing email, then remediation efforts could include increasing security training for people. The cost for this would include consulting, training software, and labor for coordinating logistics. This half of the equation starts with identifying the cyber trigger for potential losses, estimating the cost to remediate the exposure, then weighing against the interest—Is the cost to remediate now worth mitigating the potential business loss? Or, is the organization willing to take the risk of loss to avoid upfront costs? This, at its simplest form, is a cost-benefit analysis.

Because of the intensifying nature of cyber, the ever-growing list of risks is generating a magnitude of debt, unrealized by many businesses. If ignored, the consequences are immense, as seen with companies like Target, Equifax, and Home Depot. The goal is not cancel out the debt—that would be impossible. Rather, organizations must enable their security teams to manage this debt with constant monitoring and prioritization. When achieved, security leaders can change the question from, “Should we pay off this cyber debt?” to “When should we pay off this cyber debt?”

Interested in reading more of our blogs? Check out “SPICE It Up And Gain That Funding For Your Security Operations” next!