In principle, all companies and organizations like to postpone the cost of IT security into the future: they choose to borrow from security and spend the money on other “more important” things. But by postponing the cost of IT security, you build up a so-called “security debt”, which means that you create a future cost to correct deficiencies in IT security.
The organization saves money in the short term by installing inadequate security systems and procedures. But in the long run, the deficiencies must be remedied, which costs more than if the cost had been taken initially.
It’s easy to forget the interdependence between IT and business. IT is a business activity, so the security debt in practice becomes both a business debt and a business risk; an IT incident is in fact a business incident.
An IT incident above all creates a lack of trust, which is contagious and can cause more serious financial consequences than the incident itself. A lack of trust also cannot be remedied with, for example, insurance.
The accelerating digitalisation and the large increase in teleworking and remote learning caused by the COVID-19 pandemic also create completely new risks with associated security requirements, and build up the security debt further at a rapid pace.
IT security is often handled at the wrong level. IT security must be planned and managed by the organization’s management team, but it is instead left to the organization’s IT department, which has neither sufficient resources nor a mandate to perform the task. In some cases, the IT security responsibility is even left to external suppliers without requirements, transparency or control from the customer/organization.
It is very important to identify the organization’s security debt and meet all the challenges and risks associated with it. At least the following measures are recommended to handle the security gaps:
- Understand what a security debt is and how it affects the organization.
- Make visible what contributes to the security debt.
- Realize the consequences of the security debt in everyday operations.
- Pay off the security debt, without taking shortcuts.
- Make a vulnerability assessment and identify the most important issues that the management team should focus on.
The security debt is a constant challenge and something that business and IT leaders must continuously review. Cyber security must be managed in a comprehensive and holistic way, not from a one-dimensional perspective. There is no end; it is a continuous journey.
Feel free to contact us at Schuetten Consulting. We have extensive experience in this area and can help you reduce your IT security debt through better cyber protection, everything from building your internal IT security organization to direct technical security measures.
TIP! You can hire us as your organization’s CSO (Chief Security Officer) on a part-time or interim basis. It is a very advantageous and effective way to bring the necessary IT security knowledge into the organization’s management team.