Settling Technical Debt

Top Strategic Technical Trends for 2021



When one web services customer changes a setting, and huge swathes of the internet become inaccessible as a result, you know the time has come to address misconfigurations and technical debt. The Fastly outage, which caused multiple global news services, areas of the UK’s .gov website and some Amazon sites to go dark for more than an hour, has catapulted software settings and infrastructure administration back into the limelight – exactly where it should be, in my opinion.




Technical debt is a complex concept, going back decades, and relatively simple misconfigurations like Fastly’s are just a very visible example of a much wider problem. But what does it mean, what does it encompass, and what should IT and security leaders do about it?





Develop now, pay afterward?




The issue of technical debt has long been discussed in software development circles, but today all companies and departments operate in a digitally-transformed and interconnected world, so it would seem that the time to pay up is upon us. Essentially, technical debt is the difference between the “price” (time, human resources, technology investment) a technical project should cost in order to be perfect and future-proofed, and the “price” an organization is prepared to pay at the time.




We don’t live in a perfect world, however, and so project after project racks up small amounts of technical debt – which must be addressed at some point before a product develops flaws, is unable to be upgraded, or ceases to function entirely. Because we work in multi-product, constantly changing organizations, it’s very easy for significant amounts of technical debt to mount up, piece by piece, and result in a large-scale incident which can cause a breach, a cyber attack or a business continuity incident.




In my view, there are three main areas where technical debt accrues, which business and IT leaders should monitor as part of their ongoing risk assessment programs.




1. Redirected investment




Every company evolves, choosing to redirect budget and resources to new or different technologies or products, while older products remain “on the truck” but not supported to the same level they were previously. So far, so normal. However, if end-of-life plans are not put in place, companies risk ending up with products created in outdated code which cannot be upgraded to the latest versions of operating systems, resulting in significant security holes.



When investment stops in certain products, the coding environment is also not upgraded. This can cause problems with ongoing maintenance and management, misconfiguration and vulnerabilities.




Changes in investment don’t only affect older products on a path to retirement. We also see technical debt occurring in live products, when an ideal development scenario will take significant time and investment, but a viable product can be created in a shorter timescale, even if it’s not perfect. Finding this balance between perfection, appropriate functionality, and minimum viability is a challenge, and some can find themselves in a situation where improvements are promised once the project is complete, but then business priorities change and the plans are not acted upon.


Of course, managing technical debt in these scenarios is a very real challenge for leadership teams. It’s my view that a sweet spot can be found with careful management, but IT and business leaders need to work closely with development teams, setting clear objectives and helping create a product which is both satisfactory to the software developer, secure and low-risk, and acceptable to the leader keen to deliver a product within a limited timeframe.



2. Physical technology



Similarly, physical data centres full of routers, firewalls and servers need to be maintained. I’ve seen multiple examples of data centres invested in and then left, without further direction, for up to four years.




This cartoon sums it up: operating in complex systems where new services have been added to or bolted on to legacy systems can leave a company in a precarious position.








        
          
            
Dependency: https://xkcd.com/2347/
            
          
        
      




Sadly, it is often some of our most critical services who suffer from integration challenges with legacy systems, although these are slowly being addressed. Financial services and healthcare have both suffered outages, breaches and attacks which can bring critical services screeching to a halt. Critical infrastructure is often built on proprietary OT (operational technology), which, when connected to modern digital services, can open organizations up to risk. Add into this mix the wealth of smaller firms which make up the supply chain to large enterprises, government or critical infrastructure and you have a perfect storm of legacy and unsupported technology.





3. People





Possibly the most important part of technical debt is people. Software systems have often been developed over decades, and are maintained by teams of workers with significant experience, broader coding skillsets (e.g. Perl vs Python) and years of institutional knowledge. These people service, maintain and manage the older, hybrid or underfunded technology and services.




However, as businesses evolve over time, and leaders adapt strategies and redirect resources to new products and services, systems built on older code can be neglected. Organizational change can lead to people feeling disenfranchised, increasing the risk of insider threat – of particular import if they are managing critical IT infrastructure.




Succession planning is imperative, because all workers will eventually leave or retire, and without comprehensive knowledge sharing you risk a situation where older systems need to be maintained by newer employees with very different coding skillsets. Everyday security hygiene must be maintained on older systems, with patches and updates applied and configurations managed accordingly.





How should IT leaders risk-assess and manage technical debt?




Technology leaders must ensure that developers build end-of-life processes into every product or infrastructure project, even at the very start. When organizational change happens, so should risk assessments, documenting the potential impact on software and hardware, and putting contingency plans in place.



Even on technology which is on a path to end-of-life, some investment in both infrastructure and human resource must be provided. When building new software, take steps to invest in a future state and plan for change – in other words, build not only for scalability, but for future upgrade paths.



We do need succession planning for software, or we risk continued misconfiguration or vulnerability-driven outages, breaches or cyberattacks.






Appendix




Additional resources/examples:



  • https://www.businesswire.com/news/home/20210615005115/en/4994345/Study-Reveals-Majority-of-IT-Leaders-Consider-Technical-Debt-One-of-the-Biggest-Threats-to-Innovation-as-They-Build-Back



  • Misconfiguration in CVS Health Cloud Database leaves over a billion records exposed



  • https://www.theregister.com/2021/06/18/bofh_2021_episode_8/

Source: https://www.forcepoint.com/blog/x-labs/settling-technical-debt
