Risk Tolerance & Raising the Technical Debt Ceiling

Key cybersecurity best-practice or security theater broadway star?

One hot topic anywhere in the U.S. and even worldwide at the moment is the topic of raising the debt ceiling.

The debt limit, or debt ceiling is essentially a restriction on how much debt the Federal government can borrow to pay its bills and carry out its operations. Governmental spending is tied to a bill, which is known as the national debt, or the money borrowed that must be paid off. Over time, this ceiling, and the national debt have continued to climb.

Politics aside, there are some parallels between raising the debt ceiling and the topic of “risk tolerance” when it comes to cybersecurity.

Most notable cybersecurity programs, particularly aimed at security executives and CISO’s will touch on the topic of “speaking the language of the business” and “aligning with the businesses risk tolerance” or “know your business risk appetite”.

Despite the widespread use of the phrases about aligning with the businesses risk tolerance or knowing the businesses risk appetite, these are currently closer to security theater than reality, and we’re putting on quite a show.

As defined by NIST, Risk Tolerance is:

In the context of the business in relation to cybersecurity it could be thought of knowing what risks threaten the organization and how significant the risks are to the organizations ability to do business or carry out its mission.

On the surface this makes sense, but when you start to dig into aspects of this activity and approach, the wheels start to fall off.

First, most organizations simply haven’t defined a risk tolerance, or appetite, and if they have, cybersecurity often doesn’t understand it or couldn’t tell you what it is. As an industry, cybersecurity fails to speak the language of the business generally. The business speaks in dollars and cents and we speak in subjective colors and powerpoint. Much to the disappointment of authors of “How to Measure Anything in Cybersecurity Risk” Douglas Hubbard and Richard Seiersen or FAIR evangelist Jack Freud. Put another way, we’re terrible at cyber risk quantification.

Secondly, key activities that are required to measure the level of existing risk and mitigating controls against the risk tolerance/appetite are severely lacking in most organizations.

Critical security controls such as hardware and software asset inventory are required to understand what you have. As the saying goes in cybersecurity “you can’t protect what you don’t know you have”.

However, despite being a critical control in sources such as the CIS Critical Security Controls, organizations have historically been abysmal at hardware, and more so, software asset inventory.

While organizations historically struggled with this activity, the advent of cloud and the rapid proliferation of OSS have only exacerbated this problem. The rise of cloud and notably, Software-as-a-Service (SaaS) have lead to an unparalleled rise in “shadow IT”, which is often defined as the use of IT-related hardware or software without the approval or at a minimum, knowledge of the IT or security group within an organization. Studies show that only 30% of SaaS is controlled by or even visible to the IT/Security team(s).

Then there is also the prolific growth of open source software (OSS) usage and the flurry from the fallout of incidents such as Log4j now leading to a focus on software supply chain security and Software Bill of Materials (SBOM) and it is clear that most organizations have little understanding of their OSS usage, nor the vulnerabilities from direct or transitive dependencies and they lack a clear understanding of what software components/libraries their software suppliers use in their products that potentially pose risks to them as consumers either.

Organizations are in their infancy of beginning to understand their extent of shadow SaaS consumption and also the actual footprint of OSS and its associated vulnerabilities in both the software they consume, as well as the software they produce, both of which rely extensively on OSS components. That said, malicious actors are having a field day, with software supply chain attacks seeing 742% growth over the last 3 years and 6 out of 7 vulnerabilities coming from transitive dependencies, most of which organizations don’t even know they’re consuming.

As we have covered in previous articles, the average organization has a backlog of 100,000 vulnerabilities, which security leaders such as Jamil Farshchi (Equifax CISO) have speculated is a conservative estimate.

Furthermore, most organizations only ever remediate less than half of their known vulnerabilities and malicious actors continue to outpace defenders when it comes to their weaponization and exploitation of vulnerabilities contrasted with organizations ability or willingness to mitigate them. Some numbers below:

  • It was found that in 2022 it took 277 days on average to identify and contain a data breach according to IBM and Ponemon.

  • The FBI’s Internet Crime Complain Center recorded an all-time high of 847,376 complaints in 2021, totally over $6.9 billion USD.

  • To further quantify it a bit, Accenture published a “State of Cybersecurity Resilience 2021” report finding that the cost of data breaches will rise from $3 trillion each year to more than $5 trillion in 2024.

  • The average total cost of a data breach in 2022 was $4.35 million globally and $9.44 million in the U.S.

  • It’s projected that over 33 billion records will be stolen by cybercriminals in 2023, an increase of 175% from 2018.

If our technical debt ceiling isn’t 100,000 known vulnerabilities, more than half of which we never remediate and which get weaponized faster than we can remediate them, what exactly is our risk appetite?

Much like governments, organizationally and culturally we continue to raise the (technical) debt ceiling, hurtling headlong into incalculable risks and ramifications for our society.