6 hard truths IT must learn to accept

By Dan Tynan | CIO

Sometimes the truth hurts.

It can be hard to admit that you’ve lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you’ve budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn’t the best solution for everything.

In a world where anyone with a credit card and keyboard can spin up their own data center, it’s easy for CIOs to feel irrelevant and redundant.

Good luck with all that. The gap between your dreams and cold hard reality just gets wider every day. That doesn’t mean you should give up, but it does mean you need to get real about what you can change and what you must accept.

At number 4 – your software is unpatched and insecure

Unpatched software is a huge security and compliance risk. Yet according to a February 2017 survey by Flexera, 10 percent of U.S. users were running unpatched versions of Windows. A May 2016 report by Duo Labs claimed that one in four business systems was at risk due to outdated software.

“We’ve seen customers who can’t keep pace with patches, which are rapidly growing in size and take longer to apply,” says James Lee, executive vice president and CMO for Waratek, an application security company. “This is coupled with legacy applications that can’t be updated or secured short of complete rewrite or replacement.”

Worse, adds Lee, security is often a lower priority for software developers, who are incentivized to emphasize features and deliver code on time and under budget. The result: software that is increasingly vulnerable to attack.

The problem stems from a failure to conduct true software quality assurance, says Mark S. Kadrich, interim CISO for Martin Luther King Jr. Community Hospital in Los Angeles.

“I’ve been in the industry long enough to know that if I’m losing sleep over technology failing, I’m in the wrong industry,” he says. “Eighty percent of software is crap, while 20 percent of it just sucks. There’s very little that can be considered well-engineered.”

His response: Assume the software will fail and plan for the worst-case scenario.

“You know the software will fail; you know you’re going to get hacked,” he says. “So I plan for failure. I make the network fail, see how long it takes for us to detect and recover from it, and implement my procedures accordingly.”

Read the 6 hard truths on CIO website.
