Selling Removal of Technical Debt
First-time vulnerability scans and penetration tests almost always reveal vulnerabilities related to old technology. When I approach leadership to resolve these weaknesses, I feel like I've heard every reason why leadership opts not to replace old technology. Does any of this sound familiar?
Yes, education is important when such objections are raised, but how we educate is critically important. Here are a few tips.
Step 1 proves the old technology is broken: it is not working because it is a risk, and attackers do go after these weaknesses.
2. Find Out Where Layered Technical Debt Exists - Often, technology and data leaders want to move faster but cannot because technical debt forces slow, insecure integrations. Partner with these leaders to articulate why and how current technology allows the business to move faster and realize more wins.
3. Reframe the Conversation - Learn about the business process the legacy technology enables, find out how newer technology improves those processes, then work with the business partner to sell the upgrade.
Steps 2 and 3 help address the "not enough money" objection by making the case that the business "can't afford not to" upgrade if it wants to be more competitive.
4. Have a Plan B - There are times new technology doesn't make sense. Keep isolation in your back pocket as a way to substantially reduce the risk.
What other tips have you picked up along the way?
Principal Engineer; Creator of DeepSurface
1 year
Great article Lee. Indeed, understanding the complexities of security architecture and how technical debt impacts go downstream is hard to quantify or explain to other stakeholders. At DeepSurface we face this problem a lot and are able to quantify the risk based on the percentage of only exploitable vulnerabilities that have attack paths going through legacy applications. If a hacker can access backup servers through unpatched and outdated systems, it comes back to point 3, where there's greater risk in accepting the risk than the risk appetite allows.
Information Technology and Cyber Security Professional
1 year
Great article Lee Bailey. One addition to #3, Re-frame the conversation: we need to help business stakeholders understand that the cost of keeping the technology environment current via patching, upgrades, and legacy kit replacement is one of the costs of doing business and not an afterthought.
Vice President - Client & Community Partnerships at DivIHN Integration Inc
1 year
Gentlemen, VERY well said, and the additional comment was very helpful as well! Great teamwork!
Microsoft Cloud Security Coach | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management
1 year
Great share Lee Bailey.
Mentor | Founder & CEO, Intelligence Services Group LLC | Board Member | Leading the Charge in Growth, Resilience, & Innovation | Committed to Creating Impactful Legacies for People & Businesses
1 year
Great article Lee. I would add a couple of thoughts: The technology is not the target; it's the data the technology has or gives access to that needs to be protected. By protecting the data you're protecting the organization. Apply a risk quantification methodology which identifies the total cost to the organization if the data on the old technology is compromised, i.e., cost of outage/availability loss, income loss, data breach loss, investigation, recovery, fines, reputation costs, insurance costs. Just a thought.