Cut the Code to Reduce Risk

An excellent article by Leah Alger for Software Testing News has her interviewing Philip Clayson, Technology Developer at UK telco TalkTalk, about the need to eliminate old software that adds to the complexity and risk of running the business. Clayson joined TalkTalk not long before the infamous hacking attack which knocked 30 percent off the value of the telco. As a consequence, he spent his first year addressing immediate issues with the software portfolio.

The official investigation into the TalkTalk data breach by the UK’s Information Commissioner confirmed press reports that the breach occurred through a straightforward SQL injection attack on some old webpages that TalkTalk inherited after their 2009 acquisition of the UK operations of Tiscali. This kind of attack has a long history and the appropriate defences are well established. However, TalkTalk had not even noticed two earlier SQL injection attacks, because the vulnerable webpages were not being monitored. Put simply, the failure to cut old and unnecessary code and systems left TalkTalk with a more extensive perimeter to protect, and more vulnerabilities that hackers could exploit. They neither cut the code nor safeguarded it, leading to a significant loss of shareholder value that has not been recouped since.
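As an added illustration of the well-established defence referred to above (example code written for this post, not TalkTalk's code or anything from the interview), here is the legacy string-built lookup beside its parameterised form, run against a constructed in-memory SQLite table; the customer rows and the tautology input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a legacy customer-lookup page's table.
CUSTOMERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Legacy pattern: the request value is spliced into the SQL text.

    A quote character in the input changes the structure of the statement,
    so the database can be made to evaluate conditions the page never wrote.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text.

    Whatever the input contains, it is only ever compared as a string value;
    it is never parsed as part of the statement.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: every intro to SQL injection uses it.
    probe = "' OR '1'='1"
    print("legacy page returned", len(lookup_vulnerable(db, probe)), "rows")  # 3
    print("parameterised page returned", len(lookup_safe(db, probe)), "rows")  # 0
```

The legacy function hands back the whole table for an input that matches no username, while the parameterised version returns nothing; the same query text, built the second way, is the fix the text describes as well established.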

Clayson’s job now sees him concentrating on cutting TalkTalk’s software mountain in half.

In the last year, he has been leading a massive software transformation which is addressing many years of technical debt in the software estate. It is a complex problem and a sizeable challenge: the estate has over 84 million lines of code, hundreds of software applications spanning every conceivable purpose, and nearly 1000 code bases. TalkTalk’s target is to reduce this by half in a year.

When businesses grow, they tend to get more complicated, and that has always been true of telcos that rapidly acquire customers and engage in M&A activity with little thought for the long-term shape of their system architecture. TalkTalk sounds like a case study in what can go wrong as a consequence.

Historically, TalkTalk has focused on accelerating growth, and achieved this through both organic and acquisitive means, the latter bringing with it duplicate technologies from each acquired business. With so many acquisitions, the technical duplication is not always addressed in full, and technical debt accumulates.

Clayson revealed: “I have started the software team at TalkTalk on the journey of a huge investment to start removing our software duplication, reducing obsolete code and re-engineering software stacks.”

The article does not talk much about risk management, but we can still draw the necessary inferences. If you want to reduce risk, then dispense with code and systems that are no longer necessary. One of the obstacles to good risk management is the ‘tomorrow syndrome’ – we will deal with risks tomorrow, instead of today, for the same reasons we delay all uninteresting chores until tomorrow. However, criminals may not wait until tomorrow to strike. Streamlining both reduces costs by dispensing with code that is no longer adding benefit and reduces risk by sparing us the need to protect the decommissioned systems.

The full Software Testing News interview with Philip Clayson is available on the Software Testing News website.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.