With the mainstream press extensively covering the consequences of the recent malware attacks against computers with aged or unpatched operating systems, and ‘Security’ having been elevated to a boardroom topic in many companies, triggering business executives beyond just the CISO to become involved in digital & security strategies there is an opportunity to make positive Currency improvements.
By acting now whilst the memory is fresh, IT leaders have a better chance of securing the backing and investment needed to make positive improvements in the root cause of the problem.
Whilst often reported as security problems, these issues are actually an opportunistic consequence of key topics that relate to technical debt and the age of the systems being compromised; you might know this subject under many names (“technology refresh”, “technology debt”, “legacy or heritage management” or “infrastructure life-cycle management”) but we call this overall topic ‘Currency’.
At its core, Currency relates to the task of ensuring technology is up-to-date and supported by the manufacturer, and it's scope is wide - covering applications, technology infrastructure, end-user-computing and consumer devices (inc phones), services, interfaces and certainly not forgetting embedded systems (ATMs, Display boards, control systems etc). We use the additional term Technical Debt to describe those technology software or hardware elements of the deployed estate that are older than the products currently sold and/or supported by the original manufacturer.
Business Support Is More Critical Than Ever
Similar to investing in insurance, many forget its value and importance until the day its needed, leading some companies to overlook the topic. If boards are truly serious about managing risks to the business, they should be supportive of and prioritising Currency works.
Most technologists understand that technology evolves, and that consequently, and similarly, risk & threat positions evolve - these things aren't new. However, several key changes have occurred in recent times that make the prioritised business support of this understanding even more critical:
- The double-edged pressures of less budget and greater delivery & innovation - often resulting in organisations keeping technology longer, with less frequent or available updates, with budget moved to new topics
- The time delay from security vulnerability to exploitation has dropped from months to hours and days - increasing the likelihood that the target is unprepared
- The reducing barrier to entry –increased computation availability at low cost and improved ease of mass usage & deployment, has resulted in many more attacks (see http://map.norsecorp.com/#/ for an example real-time attack map) exploiting poor Currency.
What Can Be Done?
Like many things, the best practice is to use multiple approaches; in addition to multiple layers of security protection, a key to minimising risk and managing Currency is to triage a number of parallel activities, in order of maturity priority:
- Get current - focusing on the prioritised mitigation of the existing technology debt; reducing today's issues and risk
- Keep current - the standards, processes & procedures to ensure that once technology is current, it is kept current on an ongoing basis; keeping currency under control
- Be current - the architectural & design fundamental principles and standards that all new technology deployments must follow (the playbook); making the future easier
Before the awareness drops off the business priority radar again, it is critical to ensure that both the business & IT functions understand that Currency, like security, is not a one-off situation that can be completed or resolved. It is a continuing everlasting asymmetrical battle, where the good guys have to win every time, but the bad guys only need to get lucky once.
Take a look at Coeus' services in this area.