Another week another UK IT headline. A ‘power outage’ at British Airways caused the UK’s national carrier to cancel worldwide flights at the start of the UK May bank holiday. The WannaCry ransomware attack brought much of the National Health Service to a halt. Events like these expose once again the importance of IT systems in today’s business.
But this should not be the only lesson to take. Such incidents highlight the complexity and the sheer number of vulnerabilities in critical infrastructure sectors such as the NHS, airlines or telecom operators caused by complex software.
It’s simply all about complexity
The reality is, the negative business impact of complex software is set to become much worse unless we tackle the issues at their core. Rapid technological changes accelerated by the Internet of Things (IoT), Artificial Intelligence (AI), Automation and Robotics are only adding complexity to already-complex, legacy and outsourced IT set-ups.
Added to this, macro-economic changes like Brexit and regulatory changes compound each other in sectors like banking, telecoms, retail and airlines to create pressure on IT departments like never before. For instance, the blame game for the BA outage had already started with the unions blaming BA’s IT management for outsourcing jobs to Indian firms.
As for the WannaCry hack, NHS Trusts were called negligent for not patching a known security vulnerability. But the core underlying causes are what we should address, if we want to make this country a global technology leader, let alone realise our dream of building the next Google, Apple, Facebook or Amazon. The UK needs to pick its act up.
IT Culture vs. Club Class
As experts in code quality we see a LOT of code. The latest CRASH report from CAST Software analysed 2B lines of code (LOC) across over 400 organisations globally. We see different issues across management levels in organisations, but the need for a stringent software engineering mindset and discipline is a common thread.
This year, the study found the code quality of software used in the UK lags its European and American peers in criteria such as security and robustness. No wonder we seem to have more than our fair share of IT glitches in this country across banks, the public sector and now airlines.
One might think the days when IT was treated as a back-office and a cost centre are long gone but it doesn’t seem to reflect the attitude we still have towards IT in this country. At the top of the hierarchy, most UK organisations, clearly including BA, don’t have board representation for IT departments and there is still a level of apathy towards IT risk. Despite what they say, IT is not in the DNA of most UK boards.
Third generation outsourcing and two year CIOs
That is not to suggest that most IT mid-managers do themselves or their businesses any favours: they provide little objective visibility into the IT estate they are charged with managing for present and future generations. This is even more so when the majority of IT systems are in their second and third generation of outsourcing contracts, where there is very little visibility into the underlying risk and security vulnerabilities within the IT estate being managed.
There is little point in arguing for a reversal of the trend of globalisation that has led to offshoring. The solution is more objective and predictive Service Level Agreements (SLAs) for outsourced vendor management contracts. These contracts would explicitly monitor and measure improvements in Technical Debt and Complexity, rather than rewarding the supplier for just keeping the lights on, delivering cost savings and leaving the Technical Debt as a liability for their successor. With an average CIO tenure of fewer than two years, this is hardly surprising.
At the engineer’s level, security is an afterthought. Developers often think of themselves as ‘artists’, rather than programmers who need to follow coding standards and best practices. The issue here is that spending more IT budget on risk prevention means less to spend on delivering technology innovation. This can lead to a culture of ‘Code now, fix later’.
This is a cultural and management issue, one which most managers outside of IT would recognise as the toughest type to fix. As with many IT decisions, the correct response is to compromise. But making good compromises requires being fully informed of the facts, and obtaining those facts, at the holistic risk level and across critical systems, is a fundamental starting point. Ignorance of the facts is perhaps the greatest IT risk of all.
Getting risks in the right order
Adopting a continuous review of IT risk requires the right analysis, automated by a software analytics platform such as CAST’s Application Intelligence Platform. Once a clear understanding of software risk becomes available to management, mapping those risks against business priorities allows prioritisation to occur. Only after such priorities are established can a proactive approach to paying off Technical Debt, the costs accrued by years of neglect and poor IT maintenance, be initiated.
The complexity of the job at hand for IT execs should not be underestimated. With an average of 5,000 vulnerabilities emerging every year, it is not an easy task to prioritise and decide which vulnerability to patch. Technical Debt hidden within vast amounts of bespoke, legacy and outsourced software creates an extremely difficult situation which is almost impossible to manage.
Technical debt, such as the cost to patch systems compromised by WannaCry, is very easy to ignore until it is too late. The solution, a holistic approach to assessing and prioritising known vulnerabilities and violations from the thousands across the IT estate of most organisations, makes far fewer national press headlines than hospitals shutting down or a teenager accessing the personal details of 160,000 subscribers at TalkTalk by exploiting a SQL injection vulnerability well known in security circles for more than 20 years.
Drive down to the Devilish details
The reasons behind IT outages are many, varying from cyber attacks in which security vulnerabilities are exploited by hackers, to power outages (real or imagined) and process breakdowns. But just as we would assess the overall health of a driver to determine whether they have decent reflexes or suffer from weak eyesight, we should regularly assess the overall health of the IT estate.
This includes, but is not limited to, Technical Debt, complexity and security. We should not do this instead of monitoring; we must always strengthen the external perimeter to prevent hacks and build a more resilient Disaster Recovery process. Only when we tackle these core issues of IT systems will we be able to manage these threats better. The devil is not in the details, it is those very details.
By Vishal Bhatnagar - SVP and Country Manager, UK & Ireland