If you’ve worked in IT development for hardware or software, or had dealings with that world, you may well have seen the statistics about the costs of fixing bugs.
In terms of “units” of cost, suppose catching a bug during the design phase costs one unit to fix it. Then catching it after module code has been written costs ten units, and catching it at final quality assurance testing costs 100 to fix it. Once the product has been released to market, the cost is 1,000 units.
A similar logic applies to IT security. If you try to stick it on as an afterthought, it gets expensive too. But what do you do with legacy systems that were built before these illuminating statistics were available?
The problem with bolted-on solutions in a digital world is not just the cost, although this mounts up rapidly in terms of the effort to find a suitable solution, test it, and retrofit it (patching or upgrades). IT security is now an all-or-nothing situation.
If you don’t have it all, you may effectively have nothing, because any chink in the armour may be enough for attackers to enter. This is the challenge facing traditional “build a bigger wall” IT security, now that much of a business’s digital assets are outside or straddling the corporate security perimeter.
The same issue applies to bolt-on security, because unless you completely encapsulate (think of the expense!) a product, a platform, or a data centre, you’ll never be sure that it is completely protected.
Taking a different point of view, if you can get bolted-on security (assuming built-in is not an option) to a level where attackers consider that the gain to be had does not compensate for the time and effort they must put in to get it, then you’ve won – sort of. Chinks in the armour will matter less because they will be harder to find and exploit.
Of course, if your system contains extremely valuable confidential data, getting to the right “attacker frustration level” may still be expensive. But in that case, shouldn’t you transfer that data and those system activities to a modern platform with IT security designed in, anyway?