You can’t open a newspaper or visit a media website these days without seeing a story about the latest company whose computer systems have been hacked. These stories are usually accompanied by big numbers detailing either the financial impact or the number of customers affected. You can be sure that those customers are no longer satisfied.
Why does this keep happening, despite the fact that the risks are now widely known and security solutions abound? The answers are usually not technical in nature. Instead, they are flaws in the organization and management of corporate information systems, and those flaws leave the gaping holes through which attackers get in.
Misplaced priorities – It may be a cliché to suggest that many companies get hacked because they don’t care enough to prevent it, but it is also true. Stories abound of systems that are rushed into deployment for business reasons without spending enough time in testing.
Executives may be told that the product isn’t finished yet, but business or other short-term interests are prioritized over long-term security and stability. The company simply doesn’t spend enough time considering security flaws before launching the project. Worse, the business consequences of having those flaws exploited are not incorporated into the prioritization model when decisions are made. Security must always be one of the top priorities in technical projects, even when the potential consequences of security failings are not well understood.
Technical debt – Technical debt is a problem related to misplaced priorities. The term refers to the long-term consequences of poor system design or construction. Corners are cut in software projects as a result of business pressure, a poor implementation process, neglected testing, or thoughtlessly applied standards.
Developers are often aware when technical debt is being accrued. At some point the known flaws will need to be corrected, but for various internal reasons management may not be interested in correcting them any earlier. Developers may even be encouraged to withhold their views in order to rush a product to market. In some cases, even when the debt is recognized and accepted as a consequence of business timelines, organizations find that their commitment to a long-term fix withers once the product is deployed.
Development teams need to be clear with management about the effects of accruing long-term technical debt, and management must account for that debt on the balance sheet just like any other financially consequential entry.
Cold calculation – Some companies don’t pay much attention to security problems because they have calculated the costs and explicitly decided that fixing them is not worth the expense. A breach might cost hundreds of thousands of dollars in lost business or compensation to customers. But if the cost of repairing the software to prevent the breach runs into the millions, it’s a straightforward (if unpopular) business decision to accept the risk.
It could be argued that this isn’t an organizational failing at all, but simply a rational, if distasteful, business decision. Yet it is rarely entered into with a full understanding of either the market or the legal consequences once the breach is discovered.
Oblivious executives – Executives are responsible for determining strategy and ensuring it is executed properly. If they are unaware that security is even a concern, such considerations are very unlikely to be incorporated in the final products.
It is particularly difficult for many modern executives to remain fully briefed and in the loop on the technical factors behind security issues. The problems may be arcane and difficult for a layperson to grasp. It is therefore important for organizations with complex technical development to have a management layer that understands the technical issues and is capable of conveying concerns higher up the ladder when necessary.
By taking a closer look at these organizational vulnerabilities, many companies can make subtle, inexpensive changes that dramatically improve their security posture without a great deal of technical work. In the long run, the solution benefits both the company and its customers.