3 Tips to Pay Down 'Technical Debt' and Turn PCI Compliance Into a Competitive Advantage

A few jobs back and several years ago, I worked for an oil company. I started right before a boom-and-bust cycle. I don’t know how I always get so lucky, but suffice to say my long-term incentive options were timed in the absolute worst possible way. I tend to be the poster child of “buy high and somehow get forced to sell low.”

I remember watching project budgets get cut, I saw people being let go, and I found our entire team wondering, “Well, now what are we going to do for the next year?”

Thankfully, I had a great manager. What originally seemed like a belt-tightening downturn turned into an incredibly productive year. Why? His philosophy was that we had to get scrappy and use our time to focus on paying down “technical debt.”

First of all, let me state that I hate debt. All kinds of debt. I grew up listening to my dad rail against it and advising me to avoid debt whenever possible. It turns out that was pretty good advice. All of us are likely familiar with financial debt, but the concept of technical debt might be new to you. Trust me that they’re actually very similar — and both must eventually be paid.

This is particularly true in the retail industry, an industry I now work with quite intimately.

Technical Debt and Why You Need to Pay it Down

So, what exactly is technical debt? Simply put, it’s the accumulation of all the bad, hasty and not-well-considered work and decisions your organization has made about its IT systems and processes. Consider these scenarios …

You weren’t able to update a critical piece of software because the accounting team couldn’t tolerate downtime during a year-end cycle? That’s technical debt.

Is there particularly ugly code that’s really slow or resource-intensive because a certain feature just “had to ship”? That’s technical debt.

Are there 30 domain admins in your Active Directory because someone couldn't be bothered to fix file server permissions? That’s technical debt (and just plain dumb)!

On their own, all of these things are bad. But if they impact security, they’re even worse. If your company has put big projects on hold during the COVID-19 pandemic (or for any other reason), it might be the perfect time to start paying off some of your technical debt.

Think of it as your chance to catch up. If you’re looking for a good place to start and you have a PCI compliance obligation, start by reading the PCI DSS 3.2.1 guidelines. If you’ve worked on PCI compliance, you should recognize this as your rule book with everything you need to be successful.

3 Tips to Get Started

Based on issues that I almost universally see when working with customers, here are a few recommendations to improve your PCI-related projects:

1. Work on your PCI policies and procedures. Policy documents at a lot of companies are a mess. If you can find five people that even know where you keep them, you’re probably ahead of the game. I’ve seen many policies that haven’t been updated in a decade. Use any spare time to update and circulate/communicate your latest PCI policies.
2. Update your network maps. I can’t even begin to tell you the number of times I’ve sat through a PCI or network security meeting and found that a company has no up-to-date network diagram. Not only is a map useful for training and troubleshooting, but it’s a requirement for PCI compliance. Don’t be surprised if you discover servers that you had completely forgotten about or entire systems you thought were long dead merrily running along — unmonitored and out of anyone’s control.
3. Update your networking equipment firmware and system operating systems. I recently led a painful upgrade process on a Linux system that was so far behind that it couldn’t get updated using the normal upgrade path. This led to a very arduous migration that was otherwise completely unnecessary. Use this time to get everything on the latest stable branch of code available.

When budgets are tight and you’re not spending money on new systems, it’s a smart time to pay down your technical debt. If you do just the three steps above, you’ll be way further ahead when the economy rebounds and you inevitably find yourself back in the rat race of juggling new IT projects and initiatives.

As director of security architecture at Cybera, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives.