Need for Holistic IT Systems’ Risk Assessment

The recent spate of IT glitches and ‘power outages’ at British Airways, which forced the UK’s national carrier to cancel all its flights worldwide at the start of the May bank holiday, together with the WannaCry ransomware attack that brought the National Health Service to a halt, have once again exposed how dependent today’s businesses are on their IT systems. The complexity of these systems, and the number of vulnerabilities in critical software used by critical infrastructure sectors such as the NHS, airlines and telecom operators, have made headlines once more.

The reality is that this situation is set to become even more critical unless we tackle the core issues. With rapid technological changes such as the Internet of Things (IoT), Artificial Intelligence (AI), Automation and Robotics, the problems are set to accelerate for these IT systems that are already complex, legacy, and outsourced. Macro-economic changes like Brexit, and the disruption technology and regulatory changes are causing in sectors like banking, telecoms, retail and airline, are all compounding each other to create pressure on IT departments like never before.

The blame game over the BA outages has already started, with the unions blaming BA’s IT management for outsourcing jobs to Indian outsourcing firms. As for the WannaCry attack, NHS Trusts were called negligent for not patching a known security vulnerability. But there are core underlying causes we must address if we want to make this country the FinTech leader of the world, or realise our dream of building the next Google, Apple, Facebook or Amazon.

Culture

We see different issues at different management levels in organisations, but the need for a more stringent software engineering mindset and discipline in this country is a common thread. The latest CRASH report from CAST Software, which analysed more than 2 billion lines of code (LOC) across more than 400 organisations globally, found that the code quality of software used in the UK lags behind its European and American peers on criteria such as security and robustness. No wonder we seem to have more than our fair share of IT glitches in this country, across banks, the public sector and now airlines.

At the top of the hierarchy, most organisations have no board representation for IT, and there is still a degree of apathy towards IT risk. The days when IT was treated as a back-office cost centre are long gone, but that is not reflected in the attitude we still have towards IT in this country.

That is not to suggest that IT middle management does its business any favours, given the lack of objective visibility it provides into its estate. With a majority of IT systems now in their second or third generation of outsourcing contracts, IT managers have very little visibility into the underlying risk and security vulnerabilities in their estates. This is not an argument for reversing the globalisation that led to offshoring, but a call for more objective and predictive Service Level Agreements (SLAs) in outsource vendor management contracts: SLAs that monitor and measure improvements in Technical Debt and complexity, rather than rewarding the supplier merely for keeping the lights on, delivering cost savings and leaving the Technical Debt as a liability for their successor. With an average CIO tenure of fewer than two years, the current attitude is hardly surprising.

At the engineer’s level, security is an afterthought: developers often think of themselves as ‘artists’ rather than programmers who have to follow coding standards and best practices. Spending more of the IT budget on risk prevention leaves less for delivering technology innovation, which fosters a culture of ‘Code now, fix later’. This is a cultural issue, which most managers outside IT would recognise as one of the toughest to fix.

As with many IT decisions, the correct response is to compromise. Making good compromises requires being fully informed of the facts, and obtaining those facts, about the holistic risk level across critical systems, is the fundamental starting point.

Adopting such a continuous review requires the right analysis, automated by a software analytics platform, such as CAST’s Application Intelligence Platform. Once a clear understanding of software risk is available to management, a mapping of such risks against business priorities allows prioritisation to occur. Once priorities are established, a proactive approach to paying off Technical Debt can be initiated.

Prioritisation

The complexity of the job facing IT executives should not be underestimated. With an average of 5,000 vulnerabilities emerging every year, prioritising which vulnerability to patch is not an easy task. Coupling this with the Technical Debt in the vast amounts of bespoke, outsourced legacy software creates an extremely difficult situation that is almost impossible to manage. Technical Debt, like the cost of patching the systems compromised by WannaCry, is very easy to ignore until it is too late. The solution, a holistic approach to assessing and prioritising the thousands of known vulnerabilities and violations across the IT estate of most organisations, makes far fewer national press headlines than hospitals shutting down, or a teenager accessing the personal details of ~154,000 subscribers at TalkTalk by exploiting a SQL injection vulnerability that has been well known in security circles for more than 20 years.

The analogy I would draw is that of a person who is admitted to hospital frequently. One day it is flu, another day a liver problem, another time very high blood pressure, and so on. While the doctors treat each of these symptoms with specific medicines, they will also perform a full body scan, blood cultures and so forth, because the patient keeps returning so often. The same applies to the multiple reasons behind IT outages, which vary from cyber attacks in which security vulnerabilities are exploited, to power outages, disaster recovery failures and process breakdowns. Just as we would assess the overall health of the patient rather than only treating individual symptoms, we should assess the overall health of the IT estate (Technical Debt, complexity, security, and so on) rather than only strengthening the external perimeter to prevent attacks or building a more resilient Disaster Recovery process. Only when we tackle core issues such as overall IT complexity will we be able to manage these threats better.
