Jakub Jirsk - Fotolia
It's not just technical debt that companies can accumulate over time; they can also build up security debt. Failure to apply timely patches and not having a plan to review accepted risks are big contributing factors behind building such debt, according to Dave Lewis, global security advocate at Akamai Technologies, headquartered in Cambridge, Mass.
Lewis spoke with SearchCIO ahead of RSA Conference 2018, where he will be presenting a session about security debt and its associated risks. In part one of this two-part Q&A, Lewis explains how security debt is accumulated over time, highlights the risks of this accumulation and explains how a process-driven approach can help.
Editor's note: This interview has been edited for clarity and length.
What is security debt?
Dave Lewis: Security debt is a variation on technical debt. It is accumulation of things not done [and] practices not implemented. For example, what we saw with Heartbleed was a rather heavy reliance on a security library that nobody had really taken a look at in 20 years. As a result, over time, this got to the point where when something did eventually happen, it was far too late.
There are also things like when Oracle releases a database patch, for example. You will find database administrators that wouldn't apply the patch because they will look at it and say, 'This is my data.' They are very possessive of their database and, unfortunately, sometimes this would then accumulate -- patches that should have been applied three years previous weren't applied. Then, when an attack is weaponized and launched, there is too much scrambling, because they had not previously applied the patches when they had the chance.
What are the risks of accumulating security debt?
Lewis: One of the things that we see with a lot of organizations is that rather than taking the step to fix or mitigate an issue that may come up, they will actually go through the process of documenting it, which is well and good, but they don't make any plan to fix it. They just say, 'Oh, OK. We accepted the risk that this is a problem.'
Dave Lewisglobal security advocate at Akamai Technologies
The problem is once the risks are accepted, they don't necessarily ever go back and review them. They don't plan to address them in the future. Then, you have the inevitable staff turnover and things to that effect, and what was once a small problem becomes a burgeoning problem that could really rise up and bite down at the worst possible time.
Is there a way for companies to track and measure security debt?
Lewis: There is, and it is process-driven. They need to have a defined, repeatable process within their own organization where they'll say, OK, this is the problem that has risen, or this is a patch that we need to apply.'
They have to make sure that they have some sort of plan of action, because, ultimately, auditors are going to come calling and they will say, 'Why didn't you apply this patch?' But sometimes an organization will take the step of paying a legislative fine, rather than going through the work of fixing an issue.
But the reality is that is only temporary and putting the problem off for a very short amount of time. If we look at stuff like WannaCry, this is leveraging a problem that was long known and should have been fixed a decade earlier. These things accumulate over time.
For every problem you don't fix, you have more problems that come along, and they will continue to grow, so it becomes unruly. That's why we find a lot of organizations today are paying horribly just because of this security debt that they built up over the years.
Continue onto part two of the Q&A, where Lewis offers tips on how companies should address security debt.