Martin McKeay’s presentation at Networkshop warned us of the risk of spiralling “security debt”.
Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise, as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose “HDMoore’s law”: that the capabilities of the Metasploit tool now define a minimum acceptable baseline for technical security. Wendy Nather then suggested that this establishes the security “poverty line”. Any organisation that cannot maintain its systems’ security at or above this level – whether because of insufficient patching, technology, knowledge, manpower or willpower – is unlikely to be living sustainably on the Internet: instead it is in security debt.
And, like financial debt, security debt grows at a compound rate. The more trivially-exploitable vulnerabilities there are, the more effort the organisation will spend cleaning up after incidents, the less effort will be available to remove vulnerabilities, and the more vulnerabilities there will be. As with financial debt there are a number of ways out of this downward spiral: most are unattractive but the history of IT includes examples of all of them. The organisation (or its staff, by finding other jobs and incidentally making the situation even worse) can declare security bankruptcy; the organisation can struggle on until its customers or suppliers decide it is no longer safe to work with; the organisation can spend more money, though this is unlikely to be enough as security debt isn’t just about not having enough “blinky lights”; the organisation can change its way of operating to bring it up towards the poverty line, and it can be innovative in how it thinks about, and does, security to reduce or eliminate the deficit.
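The compounding dynamic described above can be made concrete with a small model. The following is an added illustration, not code from the presentation or the original post, and every parameter in it is an assumption: a fixed weekly effort budget, a per-vulnerability incident-cleanup cost that is paid before any remediation can happen, a fixed cost to close each vulnerability, and a constant arrival rate of new ones. Under those assumptions the “poverty line” falls out as the backlog size at which remediation exactly keeps pace with arrivals; below it the backlog shrinks, above it the excess grows geometrically until all effort is consumed by clean-up.

```python
"""Toy model of the security-debt feedback loop (constructed illustration).

Assumptions, none of which come from the original post:
  - effort_per_week:  total staff effort available each week (arbitrary units)
  - cleanup_per_vuln: incident clean-up effort consumed per open vulnerability
                      per week (paid first, before any remediation)
  - fix_cost:         effort needed to close one vulnerability
  - new_per_week:     vulnerabilities introduced each week (new software,
                      new advisories, new Metasploit modules)
"""

DEFAULTS = dict(effort_per_week=40.0, cleanup_per_vuln=2.0,
                fix_cost=4.0, new_per_week=5.0)


def poverty_line(effort_per_week, cleanup_per_vuln, fix_cost, new_per_week):
    """Backlog size at which remediation exactly matches arrivals.

    Effort left after clean-up is effort_per_week - v * cleanup_per_vuln;
    dividing by fix_cost gives vulnerabilities closed per week.  Setting that
    equal to new_per_week and solving for v gives the equilibrium.
    """
    return (effort_per_week - new_per_week * fix_cost) / cleanup_per_vuln


def debt_growth_factor(cleanup_per_vuln, fix_cost):
    """Weekly multiplier applied to the backlog *above* the poverty line.

    Each extra open vulnerability removes cleanup_per_vuln effort, which would
    have closed cleanup_per_vuln / fix_cost vulnerabilities, so the excess
    compounds by (1 + cleanup_per_vuln / fix_cost) per week.
    """
    return 1.0 + cleanup_per_vuln / fix_cost


def simulate(open_vulns, weeks, **params):
    """Return the weekly backlog history starting from open_vulns."""
    p = {**DEFAULTS, **params}
    history = [float(open_vulns)]
    v = float(open_vulns)
    for _ in range(weeks):
        cleanup = v * p["cleanup_per_vuln"]           # firefighting comes first
        remaining = max(0.0, p["effort_per_week"] - cleanup)
        fixed = min(v, remaining / p["fix_cost"])     # cannot fix more than exist
        v = v - fixed + p["new_per_week"]
        history.append(v)
    return history


def in_debt(open_vulns, **params):
    """True when the backlog sits above the poverty line and will grow."""
    p = {**DEFAULTS, **params}
    return open_vulns > poverty_line(**p)


if __name__ == "__main__":
    line = poverty_line(**DEFAULTS)
    print(f"poverty line: {line:.1f} open vulnerabilities")
    print(f"excess above the line compounds by x{debt_growth_factor(2.0, 4.0):.2f}/week")
    for start in (8, 10, 12):
        hist = simulate(start, 8)
        status = "in debt" if in_debt(start) else "sustainable"
        print(f"start={start:>2} ({status}): " + " ".join(f"{x:5.1f}" for x in hist))
```

With the default assumptions the line sits at 10 open vulnerabilities: a backlog of 8 settles at 5 (new arrivals are closed the week they appear), a backlog of exactly 10 is a knife-edge that neither grows nor shrinks, and a backlog of 12 is consumed entirely by clean-up within five weeks, after which the backlog grows by the full arrival rate with no remediation at all. The model is deliberately crude, but it shows why “spend more money” on its own rarely works: raising effort_per_week moves the line, while reducing cleanup_per_vuln (better detection and response) or fix_cost (better patching process) changes the growth factor itself.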
Clearly these last two options, probably in combination, are the best choices for an organisation that wants to escape the vicious spiral and get back to a sustainable position. And, as Rodrigo Bijou commented via Twitter, viewing security as something that contributes to the organisation’s products, rather than just its compliance process, can bring benefits to the organisation and a much greater sense of achievement to all those involved in security. Indeed, once you are in security profit, it strikes me that this may have a compounding effect too!