3 ice cream scoopers….6 sets of dishes….13 spatulas….thousands of books…. and a 40-year-old computer monitor. It’s true my parents were hoarders. But some of this excess and redundancy was just the build-up from living in the same home for over 50 years with habits that many of us are familiar with in both personal and work lives:
Forgetting where she put the ice cream scooper, my mother would buy another.
Not knowing and being too busy to ask whether my mother had purchased a garlic press, my father would buy another one.
Not liking the one my father purchased, my mother would buy the brand that she liked.
Not having an agreement on where things should be stored led to duplicate purchases.
Tired of an outdated gadget, my dad would buy a more modern version without eliminating the old one.
Companies of all sizes, even Fortune 500, can easily find themselves in an analogous situation. Shadow IT, decentralization, M&A activities, a rapid growth culture, incompatible technologies, and missing or incomplete architecture strategy and tech governance can all contribute to unnecessary duplication and unused applications. The operational cost implications of this are clear. However, the risks of IT clutter go beyond the bottom line.
Clutter Increases Risk
My parents’ behaviors simply led to a more cluttered home. In the business world, however, failure to address similar behaviors in your organization can dramatically and unnecessarily increase the risk of a cybersecurity breach. At best, this can be costly. At worst, it can cause the shuttering of a business.
The volume of applications, the individual security assessment for each vendor, and the complexity of the interactions between applications affect a company’s ability to fend off cyber-security attacks – attacks that are becoming even more frequent and challenging due to the use of artificial intelligence by bad actors.
At large companies, cybersecurity staff update and evaluate risk daily, based on cyber-security vulnerabilities published by individual software vendors and the National Institute of Standards and Technology (NIST). Once a vulnerability is identified, it is assigned to a team to resolve, taking anywhere from a few minutes to over a year.
The more software applications, the more likely staff will miss vulnerabilities and/or have inadequate resources to remediate all the vulnerabilities, leading to one of many critical consequences: data breaches, ransomware attacks, financial losses, reputational damage, legal penalties, compliance issues, operational downtime, extended exposure to threats, escalation of attacks, and increased vulnerability proliferation due to root causes not being addressed.
The challenge of continuously monitoring applications for vulnerabilities and executing remediations cannot be overstated: consider that in the fall of 2024, Chinese state-sponsored hackers gained access to confidential materials by exploiting vulnerabilities in a third-party cybersecurity SaaS platform used by the Treasury Department. Some experts project that starting in the 2030s quantum computing will disrupt the cryptographic algorithms that secure the digital world.
To reduce cybersecurity risk and minimize the associated cost of cybersecurity protection, companies should maintain a lean application portfolio and vet the security risk of each vendor and its application before purchase and before accepting release updates.
This is more easily said than done, of course. So how can you approach such efforts in a way that achieves both organizational buy-in and your goals for a leaner, safer tech stack?
Decluttering Based on Purpose
In a parallel universe, each of my parents would have taken responsibility for aligning their home with their lifestyle by regularly decluttering the kitchen, office, and garage, keeping the best tools and compromising when their needs and preferences differed.
The same can be said for companies – the technology portfolio needs to be regularly aligned with business value and security requirements to minimize the “attack surface” available to cyber-attacks. Application Portfolio Management is a process that continuously right-sizes your application mix now and in the future. It places business goals at the heart of all application decisions and applies a process to ensure these decisions consistently consider impacts on risk and cost. The act of ‘decluttering’, or Application Rationalization, identifies and retires unused applications, eliminates redundant applications, reduces vulnerabilities, validates the value of investment in each application, and ultimately standardizes functionality on common application platforms where possible.
To declutter your technology portfolio, you can start by doing a comprehensive point-in-time application rationalization across all departments:
- Define acceptable technical standards. Define architecture standards and security compliance to be included as MUST-HAVE criteria in the RFI/RFP process for acquiring applications, building applications in-house, and to evaluate all existing software at purchase and update.
- Analyze the portfolio. Compile an application inventory and profiles (including security), assess technology health (effectiveness, lifecycle, and obsolescence), and assess business value.
- Create a decentralized IT policy. Delineate which applications can be used in which company divisions and which are shared at the enterprise level.
- Rationalize the portfolio. Determine whether to replace, eliminate, rearchitect, rehabilitate, or maintain each IT asset and identify priority opportunities to create a streamlined future state technology architecture.
- Develop a roadmap. Ensure alignment by working cross-functionally to prioritize opportunities and create an execution timeline that achieves the future state architecture.
- Design additional controls. It’s important to prevent the behaviors that caused the clutter in the first place. Restricting authorized purchasers, appointing business owners, and most importantly clearly defining operating models (particularly in M&A activities), can all help to curb duplicative systems.
Once you have pared down your tech portfolio, you can then embark on continuous Application Portfolio Management efforts:
- Actively rescan application inventory, including cybersecurity vulnerabilities
- Evaluate new applications, before they are added, for business value, cybersecurity strengths and weaknesses, impact on overall cybersecurity, redundancy, the cost impact on IT operations, and the feasibility of replacing existing applications
- Control application upgrades by scrutinizing whether the version still satisfies the technical health requirements before accepting an upgrade
- Sunset applications as the work requiring them is completed
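As an added example (not from the original article), a small Python triage that applies the criteria above to a constructed application inventory: business value, lifecycle and obsolescence, standards compliance, open vulnerabilities, and redundancy per business capability, producing one of the rationalization outcomes the article names. All application names, dates and counts are made up; "rearchitect" is left to architecture judgment and is not automated here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class App:
    name: str
    capability: str            # business function the application provides
    business_value: int        # 1 (low) to 5 (high), from the business owner
    end_of_support: Optional[date]  # vendor end-of-support date; None if unknown
    active_users: int
    open_vulns: int            # published vulnerabilities not yet remediated
    meets_standards: bool      # passes the defined architecture/security standards

def health(app, today):
    """Technology health: support ended or undocumented counts as obsolete."""
    if app.end_of_support is None or app.end_of_support <= today:
        return "obsolete"
    return "ok" if app.meets_standards else "noncompliant"

def rationalize(inventory, today):
    """Map each application to maintain / rehabilitate / replace / eliminate."""
    decisions, by_capability = {}, {}
    for app in inventory:
        by_capability.setdefault(app.capability, []).append(app)
    for apps in by_capability.values():
        # Redundancy is judged per capability: keep the strongest candidate
        # (highest business value, then fewest open vulns, then most users).
        apps.sort(key=lambda a: (a.business_value, -a.open_vulns, a.active_users), reverse=True)
        keeper, redundant = apps[0], apps[1:]
        for app in redundant:
            decisions[app.name] = "eliminate (redundant with %s)" % keeper.name
        if keeper.active_users == 0 or keeper.business_value <= 1:
            decisions[keeper.name] = "eliminate (unused or low value)"
        elif health(keeper, today) == "obsolete":
            decisions[keeper.name] = "replace"
        elif health(keeper, today) == "noncompliant" or keeper.open_vulns > 0:
            decisions[keeper.name] = "rehabilitate"
        else:
            decisions[keeper.name] = "maintain"
    return decisions

TODAY = date(2025, 1, 15)  # constructed reference date for the assessment
INVENTORY = [  # constructed inventory; names, dates and figures are made up
    App("ScoopCRM", "crm", 5, date(2027, 6, 30), 400, 0, True),
    App("LegacyContacts", "crm", 2, date(2021, 1, 1), 12, 3, False),
    App("SpatulaHR", "hr", 4, date(2026, 12, 31), 250, 2, True),
    App("GaragePlanner", "project-mgmt", 3, None, 0, 0, True),
    App("OldTicketing", "service-desk", 3, date(2023, 5, 1), 60, 1, True),
]
```

Running `rationalize(INVENTORY, TODAY)` yields one decision per application; the redundant CRM is eliminated in favour of the higher-value one, the unused planner is eliminated, the out-of-support ticketing tool is marked for replacement, and the HR system with open vulnerabilities is marked for rehabilitation.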
Culture and Change Management for Decluttering
When I tried to help my parents pare down, I was met with tons of pushback. I once convinced them to get rid of 25% of their books and then persuaded the local library to override the normal limit on donations.
Application portfolio management will result in changes that some staff members resist. Sometimes resistance is purely a function of human nature – getting used to a change, even if it will make their job easier once the new application is mastered. In other cases, staff have lost a tool in the past that supported their role without an adequate replacement, or their new tool was not adequately configured, which then increased processing time, costs, and frustrations. They do not want to experience that again.
It is critical to involve the business users in application rationalization decisions and planning to avoid poor internal user experience. To increase buy-in, especially within a fast-paced and/or entrepreneurial company culture, educate staff about the benefits to them of efficiency, cost containment, and simplification and make it easy for them to comply with new procedures.
The cost and timeline for implementation changes, configuration, and change management must be considered in the application rationalization decisions and roadmap.
Fortify Cybersecurity through Application Rationalization Activities
Managing technology vulnerabilities and related remediation activities is often viewed as consuming revenue while providing only reduced risk and no business capabilities. Integrating cybersecurity efforts into application rationalization, if done well, can streamline business operations and improve internal user experience while offering several significant cybersecurity benefits:
- Enhanced security posture: Application rationalization helps identify and eliminate outdated or vulnerable applications, reducing the overall attack surface
- Streamlined compliance: By reducing the number of applications, organizations can more easily manage and ensure compliance with regulations
- Improved incident response: A rationalized application portfolio allows security teams to quickly identify and isolate affected systems during a security incident
- Cost optimization: Rationalizing applications can reduce cybersecurity costs by simplifying the IT landscape and focusing security efforts on critical systems
- Better risk assessment: The process helps identify dependencies and critical applications, allowing for more accurate risk assessments and prioritization of security measures
- Adoption of modern security technologies: Application rationalization often leads to the implementation of newer, more secure technologies and cloud-based solutions
The cost of company disorganization and “hoarding” can be high! By aligning application rationalization with cybersecurity initiatives, organizations can create a more robust, efficient, and secure IT environment while optimizing resources and reducing overall risk.