It’s simple: If you are using a legacy ecosystem, your compliance is at risk. The fact that your security hasn’t yet been compromised is no evidence of your safety; it really is a case of it being quiet, too quiet. When it comes to security breaches, it’s not a question of if, but when. Whether it is your household or your institutional architecture, the full value of security is only appreciated after disaster has already struck.
Experian for example is doomed to forever be associated with the security breach in 2015 when 15 million of their customers’ private information was exposed. And who could forget the Adult Friend Finder breach in 2016 where up to 400 million logins on the "sex and swingers" hook-up site were leaked - sensitive data indeed.
While the Covid-19 pandemic has helped many to reflect and consider their neighbors before themselves, hackers have gone the other way. Their activity has ramped up through the pandemic: In May the FBI reported a 300% increase in reported cybercrimes. Any security breach could be costly, and even an existential threat to an organization. IBM Security’s Cost of a Data Breach Report 2020 put the average cost of a security breach at $8.64 million.
Complacency around the issue of security is the biggest danger. If organizations can correct that complacency, and resist the inclination to let comfort blind them, they will minimize the risk and impact of breaches. In the fullness of time, cyberattacks are inevitable. The flood is coming, and those that are best prepared for it will survive and thrive.
The Warning Signs
There is an inherent risk in the way an organizational psyche operates. A belief persists that if an individual is appointed responsible for the active development and active maintenance of security, then it’s taken care of in its totality. This allows an organization's leaders to think they have fulfilled their responsibilities and done all that's needed, but does little to prevent a breach from occurring.
Organizations are also endangered by their natural conservatism. The perception is: “if it isn’t broken, don’t fix it.” That tendency is like the innovator's dilemma, where companies stop innovating to serve their customers today, only to realize that their offering is outdated when it’s already too late. The perceived risk of maintaining the status quo is always considered lower than the perceived risk of changing; but that perception is false, and nowhere more so than in security. The ecosystem must be secured on solid foundations, with a watertight architecture. If security doesn't start with architecture, the organization is already at risk.
Another pitfall is a misplaced feeling of progress with regard to security. The false sense of safety that results from incremental changes, like improving efficiency by introducing DevOps, can allow decision makers to comfort themselves with a superficial impression of progress in their overall software development. This is dangerous thinking: security is binary. If the system can be breached, efficiency, while it may look pretty, is a worthless measure.
A final issue is related to organizational communication. There is a disconnect between where policies are framed, how security is enforced, and where it is audited. While security officers are responsible for ensuring the integrity of the platforms, they are not the ones charged with developing the solution to protect them. That is left to developers, who are often trained to look for single solutions to single problems. The result is a patchwork of point fixes that leaves organizations exposed, ill equipped to provide the necessary protective shield around the institutional architecture.
Monolithic to Modern
It is a logical certainty that every system is less secure today than it was yesterday, and it will be more susceptible to a breach tomorrow than it is today, simply due to the rate of technological development.
Organizations and many experts are often enamored with the shiny, single-purpose tools they use to patch problems. Ultimately, this just means they continue to depend on the legacy architecture they are most familiar with. That familiarity creates trust, but doesn’t account for the rate of technological development, which makes those architectures increasingly outdated.
It is possible to move to a watertight architecture, and away from an outdated legacy system. The majority of the data transfer can be achieved through automation, where data is filtered and sorted into a new architectural environment; ideally a microservices architecture with DevSecOps.
While automation can be used in that initial transfer, it also ensures the system maintains itself in the future. Automation allows your ecosystem to be set up in a standardized way across products, meaning they are integrated by design and don't require any costly, time-intensive retrofitting. It also enables multi-tenancy, so that spinning up a new tenant with data isolation becomes a simple configuration change and your software supports your business growth. Other processes like auto-scaling, alerting and monitoring, build logs, and exception logs can also be automated - in fact, they should be.
Modernization is the only way to ensure an organization's architectural security, and therefore its business security, since a breach can threaten its very existence. When that breach happens, it will already be too late to act, so organizations must act with urgency, and think beyond the immediate. That’s the only way to avoid an almost inevitable disaster.
When the flood comes, organizations will only survive if they prepare for the worst-case scenario. Modernizing an ecosystem is a recognition of the precarious nature of an interconnected technological world. To do so is to prepare for the flood, as Noah did in the Old Testament. Organizations need to make sure they don’t end up as the other guy: the one who thought a wooden ark was too expensive and took too long to build. No price can be put on survival, and a watertight architecture is likewise invaluable.