{"id":306351,"date":"2021-07-23T12:00:00","date_gmt":"2021-07-23T09:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/"},"modified":"2021-07-23T12:00:00","modified_gmt":"2021-07-23T09:00:00","slug":"why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/","title":{"rendered":"#Why Compliance Complacency is Another Form of Technical Debt \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a28a839b3817\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a28a839b3817\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list 
ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/#Technical_Debt\" >Technical Debt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/#IT_Equipment_and_Technical_Debt\" >IT Equipment and Technical Debt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/#Development_Projects_and_Technical_Debt\" >Development Projects and Technical Debt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/#Governance_and_Technical_Debt\" >Governance and Technical Debt<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/why-compliance-complacency-is-another-form-of-technical-debt-cloudsavvy-it\/#Facing_Your_Debts\" >Facing Your Debts<\/a><\/li><\/ul><\/nav><\/div>\n<p><strong>&#8220;#Why Compliance Complacency is Another Form of Technical Debt \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-12938 size-full\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/9db6e0e7.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/9db6e0e7.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 
1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/9db6e0e7.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"it governance illustration\" width=\"1200\" height=\"675\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/business-technology-internet-network-concept-governance-1785625502\" data-credittext=\"Den Rise\/Shutterstock.com\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/business-technology-internet-network-concept-governance-1785625502\">Den Rise\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Technical debt comes in three forms. Legacy equipment that can\u2019t meet today\u2019s needs, software projects where corners have been cut, and poorly implemented or completely ignored governance frameworks. The common thread? Risk.<\/p>\n<h2 id=\"technical-debt\"><span class=\"ez-toc-section\" id=\"Technical_Debt\"><\/span>Technical Debt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Technical debt is the deficit between the assumed performance of something and what it actually delivers. Because of the disparity, there is an unavoidable underperformance. Technical debt doesn\u2019t age well. As the disparity grows so your exposure to risk grows.<\/p>\n<p>Technical debt can slowly accrue. Aging hardware and operating systems eventually slide backward out of their manufacturers\u2019 support cycles. The technical debt is the mounting security risk that you\u2019re exposing your organization to by running systems that don\u2019t receive security patches.<\/p>\n<p>Sometimes you can inherit technical debt through a merger or an acquisition. 
You can also manufacture technical debt, especially in software development projects. Design and implementation decisions\u2014often forced on the development team due to budget constraints or unrealistic deadlines\u2014can introduce technical debt that is baked into the application and exists, fully formed, at launch.<\/p>\n<p>IT governance frameworks such as cybersecurity and data protection policies and procedures can accumulate technical debt, can be created with technical debt already embedded in them, or can suffer from both.<\/p>\n<p>In all cases, the technical debt directly equates to risk. It is a sure indicator that attention needs to be applied to the problem.<\/p>\n<h2 id=\"it-equipment-and-technical-debt\"><span class=\"ez-toc-section\" id=\"IT_Equipment_and_Technical_Debt\"><\/span>IT Equipment and Technical Debt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>All IT equipment must be maintained. Security patches must be applied to software and firmware, and operating systems must be upgraded as they become obsolete and unsupported. Hard drives need to be replaced at the end of their expected service life, or at the first warning signs of developing errors. If the hard drive in question is not part of a RAID array, don\u2019t wait for warning signs. Act when the drive has fulfilled its projected duty cycle.<\/p>\n<p>Eventually, all equipment and operating systems become obsolete. Running old, unsupported equipment is a security risk. Despite this, it can be a hard sell to the commercial side of the business to replace something that, to them, is still working just fine. 
And even when something is earmarked to be upgraded and replaced, technical debt persists until the replacement has actually taken place.<\/p>\n<p>Sometimes, running expired operating systems or old hardware is beyond your immediate control. Laboratory and industrial control PCs are particularly prone to operating system lock-in. This can happen if a piece of crucial third-party software hasn\u2019t been updated since it was released. That can force you to run the operating system that was current when the product was launched. Or it may be a hardware-based issue. If the software only works with a particular, ancient interface board that\u2019s only compatible with a particular vintage of PC hardware, you\u2019re stuck with the operating systems those PCs can support.<\/p>\n<p>Completely replacing aged hardware and software isn\u2019t as easy as it sounds. It might control production or other mission-critical machinery or processes. You can\u2019t just dump the old stuff if what\u2019s available today doesn\u2019t integrate with your production systems.<\/p>\n<p>The older the systems are, the more likely it is that the people who implemented them have left the company. There may be no deep knowledge of the aged systems in your support teams. Often, these old systems turn out to be more deeply interconnected and embedded than was previously understood.<\/p>\n<h2 id=\"development-projects-and-technical-debt\"><span class=\"ez-toc-section\" id=\"Development_Projects_and_Technical_Debt\"><\/span>Development Projects and Technical Debt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Non-trivial development projects have a lot of demands placed on them. Whether the application is for in-house consumption or is a product that will be marketed, the stress points are similar. 
Most of them revolve around deadlines, specifications, and budgets.<\/p>\n<p>The specification is a list of functionality and content that the software must provide. The specification must be more than a lengthy wish list. The time available for development, testing, and documentation dictates what content can realistically be achieved with the development resource that you have available and the technologies that they are familiar with.<\/p>\n<p>Too optimistic a specification or too short a development phase amounts to the same thing. The work doesn\u2019t fit into the time available.\u00a0The impact this has on the development team is profound. If they find themselves under the gun, known techniques, methodologies, and technologies are going to be preferred over devoting time to appraising new platforms, frameworks, or whatever.<\/p>\n<p>When you\u2019re on the death march to a deadline, you don\u2019t have time to start experimenting with new technologies and potentially introducing risk. Those risks may be functional issues within the software that impact the users, or they may be insidious issues that give rise to security vulnerabilities.<\/p>\n<p>Sometimes development comes under pressure from the commercial side of the business. They may stipulate that a new technology is used to ensure your product stacks up against the competition. That means you\u2019re forced into trying to learn the new technology and still hit the deadline.<\/p>\n<p>These types of self-inflicted wounds affect the architecture of the product and the code quality. You won\u2019t get the best out of a new framework, language, or even development paradigm until your developers are sufficiently familiar with it to understand its idioms and best practices. 
At the least, it\u2019s likely to produce code that performs poorly and is difficult to maintain. In the worst case, it can introduce security risks.<\/p>\n<p>Third-party libraries and toolkits speed up development, but they may harbor security vulnerabilities and their own technical debt. Using third-party code simplifies development but can complicate matters for your security team.<\/p>\n<p>The business and commercial sides of the organization need to be involved in early conversations with development so that a realistic but mutually satisfying product description and specification can be drafted, taking into account deadlines and technologies both current and cutting edge. Your security team needs to be engaged as well. And because your development team is never sitting around doing nothing, there have to be provisions made for research. Otherwise, it won\u2019t happen.<\/p>\n<p>Formally scheduling time and resources for research\u2014including training\u2014is the only way to ensure that essential research takes place. You might have to recruit to achieve this. Without research, you\u2019ll never be able to move to new technologies in a controlled fashion. And without control, you\u2019re left with risk.<\/p>\n<h2 id=\"governance-and-technical-debt\"><span class=\"ez-toc-section\" id=\"Governance_and_Technical_Debt\"><\/span>Governance and Technical Debt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Technical debt can creep into the creation of governance frameworks in a similar way that it does with software development. Instead of developing software, you\u2019re creating policies and procedures, such as IT governance or data protection systems. You wouldn\u2019t give a development project to a team that has never written code before. The same thing applies to governance documentation.<\/p>\n<p>You can\u2019t expect great results if you give the task to someone who doesn\u2019t have the appropriate skillset. 
Writing good governance documents is difficult. Without that skillset, it\u2019s tempting to copy chunks out of other organizations\u2019 policies and procedures and try to edit them into a cohesive whole, but it doesn\u2019t work. The result is a patchwork quilt of bits of documents that were designed for other organizations.<\/p>\n<p>Your governance authors must know and understand the legislation or standard that you\u2019re trying to satisfy or address, and be experienced in producing governance and policy documents. If that\u2019s not you, engage with someone who has those skills.<\/p>\n<p>Another common failing is making governance documents impressive instead of making them factual. They need to be a true reflection of what you do and need to control, and how you\u2019re going to do it so that you satisfy the legislation or standard you\u2019re working with. It\u2019s impossible to pass an audit if the documents you\u2019re being audited against don\u2019t reflect your actual processes, workflows, and safeguards.<\/p>\n<p>Having accurate and applicable governance documents achieves very little if they\u2019re not being used. Compliance complacency is when you have the policies and procedures, but no one uses them.\u00a0They must be adopted and used by your workforce; otherwise, your procedures are not being conducted in accordance with your policies. That\u2019s bad enough, but it also means your processes won\u2019t generate an audit trail. Even worse, not following procedures can lead to security lapses and data breaches.<\/p>\n<p>Maintaining a governance system requires time and resources too. You need to perform internal audits, for example, and you must monitor the legislative landscape. Legislation changes over time, and is repealed and superseded. The business may choose to, or be compelled to, adhere to a standard that they\u2019ve not been forced to comply with before. 
For example, you might start taking online payments and need to comply with the Payment Card Industry Data Security Standard (PCI-DSS). Your governance documentation will need to be amended to reflect the new demands and to ensure that all clauses of the standard are addressed.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Facing_Your_Debts\"><\/span>Facing Your Debts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Technical debt never sleeps, and it gets worse the longer you leave it. What it takes to address the problem ranges from the easy to the very difficult. Establishing a patching policy and setting out a schedule is easy. Eradicating lock-in to legacy systems might require untenable upheaval and expenditure.<\/p>\n<p>If you have technical debt that you cannot address\u2014or that cannot be addressed until some other significant event takes place\u2014make sure you have the risk captured and characterized in your operational risk assessment and cyber risk assessment documents. Record what steps have been taken to mitigate the risk, and what contingency steps you can take should the risk occur.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12365\/compliance-complacency-is-another-form-of-technical-debt\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Why Compliance Complacency is Another Form of Technical Debt \u2013 CloudSavvy IT&#8221; Den Rise\/Shutterstock.com Technical debt comes in three forms. Legacy equipment that can\u2019t meet today\u2019s needs, software projects where corners have been cut, and poorly implemented or completely ignored governance frameworks. The common thread? Risk. 
Technical Debt Technical debt is the deficit between the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":306352,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/07\/9db6e0e7.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-306351","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/306351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=306351"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/306351\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/306352"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=306351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=306351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=306351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}