Privacy Plus+

Privacy, Technology and Perspective 

“Technical Debt” in IT Systems.  This week, let’s spotlight a cybersecurity problem that’s often overlooked – Technical Debt.

In an IT context, you can think of a “Technical Debt” as the accumulation of maintenance needed to address the deficiency, or inadequacy, of an organization’s portfolio of technology solutions which is significant enough to impair performance that’s needed from a system. Technical debt often comes from intentional short-cuts taken by implementation teams to save time or money, failing to keep pace with patches, or failing to do timely maintenance. Thus, technical debt can include end-of-life system issues, performance issues, data issues, look and feel issues, and security issues.

Over the short- to medium-term, this often isn’t a problem.  We’ve never heard of an IT department which has all the money or people it would like to have to keep every one of its systems high performing and up to date.  Priorities must be established, hard decisions made, resources allocated; and legacy systems whose performance hasn’t sunk below an acceptable level – which will still work “well enough” for another year, another budget cycle or two, or till somebody’s replacement takes over – must often yield to more urgent needs, or at least to newer and shinier projects. (In real estate or infrastructure, this is called “deferred maintenance.”) 

What’s different now is that what it means to “work well enough” has changed. Now, to “work well enough” – in nearly every setting – means also to be at least reasonably cyber-secure.  Of course, what is “reasonable” varies by industry, data sensitivity, system criticality and complexity, and much else, and it is constantly evolving.  So when technical debt that have built up over too-long deferred maintenance, upgrades, and replacements encounter the new requirements of “reasonable” cyber-security, the technical debt must often be addressed – right now – at surprisingly high cost. This can be especially challenging for organizations who have historically not provide sufficient budget to maintain their systems and must pay a heavy catch-up cost right when the need for digital transformation is needed.

Take Multi-Factor Authentication (MFA), for example:  MFA is a prominent requirement of “reasonable” security in many contexts. Anecdotally, we’ve heard of a large, responsible, well-run IT department which recently discovered that to establish MFA in one of its important legacy systems, the department would first have to install – sequentially – more than ten (10) patches or versions to bring the system to within range of being able to handle MFA. The system seemed to have been “working” well enough all this time, which is why new releases had been continually deferred for so long.  But now, MFA was essential; and suddenly a serious technical debt was exposed to the light and had to be addressed.    

In the M&A context:  To us, technical debt seems especially important in the Mergers & Acquisitions (M&A) arena. There, the scope and pace of M&A activities have increased, and detailed due-diligence investigation of IT systems has been cut back in favor of hasty reps, warranties, and rep-and-warranty insurance. 

We question this approach and advise against it.  Just like having an inspector in real estate transactions can help surface maintenance issues, having proper due diligence of the IT systems can help surface technical debt issues, especially around end-of-life systems that often lack ongoing system patches by vendors, meaning that the system must be replaced at some point, potentially requiring a significant investment or significant risk.  As pointed out acutely in a Forbes article, a link to which follows: “[a]stute acquirers have strong incentives to look beyond what’s on the books to uncover what may be lurking off-balance-sheet,” especially in relation to assessing technical debt:

https://www.forbes.com/sites/noahbarsky/2021/04/06/mckinseys-tech-debt-solution-perpetuates-cios-it-modernization-problem/?sh=7a9581614427

Consider instead another real-estate simile we hear going around the IT world:  The Log4Shell vulnerability, it is being said, “is like having asbestos in your IT system.” Most “fixes” to this problem have merely been work-arounds by disabling the vulnerability but avoiding true system updates. The problem is still there – and one way or the other, you will have to pay off your technical debts.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.