Ignoring "security debt" can trigger serious problems for organizations, according to Dave Lewis, global security advocate at Akamai Technologies based in Cambridge, Mass. Companies need to be aware of such debt and implement a robust patch management process and a vulnerability management program to avoid incurring such debt, Lewis said.
In part two of this two-part Q&A, Lewis spoke with SearchCIO about the importance of maintaining a risk register to help track and address security issues as they arise. He also explained how consolidating security tools can help better manage security debt.
Editor's note: This interview has been edited for clarity and length.
How should companies address security debt?
Dave Lewis: You have to look at it from the perspective of a risk register. A lot of companies will have some sort of risk register, but other companies don't want to have it because they don't want to have it as a discoverable piece of documentation, which is this very strange keep-away game.
It really depends on what the risk appetite of that organization is, but having that risk register helps an organization track the problems that can arise and make sure that you're showing, 'These are the top 10 problems that are affecting our organization, these are the top three that we need to be worried about or address right now, and this is the plan for the other seven that we are going to address later.'
What steps can companies take to avoid incurring security debt?
Lewis: Having a very well-structured, defined and repeatable patch management process is a really good way to look at it. Making sure that they're staying ahead of things by having a vulnerability management program where they are going through and not just looking at it like, 'Oh OK, there's a zero-day in platform X, but we're using platform Y.'
They looked at it and understood that it does not affect what is in their environment, which is good, but they also have to go through and make sure that they document that they checked that. Some day, that [risk] might actually be introduced into their environment and they want to make sure that they're tracking these things. A lot of times they'll say, 'Oh yeah, we don't have that in our environment,' when they don't have any real situational understanding as to what is actually on their network.
I've worked in companies in the past where we had 100,000 nodes distributed across the world, and nobody could tell you what all those nodes were. They were usually hand waving and saying 'Oh, don't worry; it is x of this and y of that.' Then you would do actual scans using various vulnerability assessment tools and find out that wasn't the picture that we thought it was.
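The practice Lewis describes above, recording an advisory check even when the answer is "not affected", comparing the inventory people claim against what a scan actually finds, and re-checking old "not affected" entries when the inventory changes, as an added illustration that is not part of the interview. The advisory id, host names and platform labels are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str   # constructed placeholder, not a real advisory id
    platform: str      # product the advisory says is affected


@dataclass
class RiskEntry:
    advisory_id: str
    platform: str
    applicable: bool
    evidence: str      # what was checked, so a "not affected" call is reviewable later


def assess_advisory(advisory: Advisory, inventory: dict) -> RiskEntry:
    """Decide applicability against the inventory and record the check either way."""
    hits = sorted(h for h, plat in inventory.items() if plat == advisory.platform)
    evidence = f"checked {len(inventory)} hosts for {advisory.platform}; matches={hits}"
    return RiskEntry(advisory.advisory_id, advisory.platform, bool(hits), evidence)


def inventory_drift(claimed: dict, scanned: dict) -> dict:
    """Hosts where what people say is running differs from what the scan found."""
    return {h: (claimed.get(h), scanned.get(h))
            for h in set(claimed) | set(scanned)
            if claimed.get(h) != scanned.get(h)}


def reassess(register: list, inventory: dict) -> list:
    """Earlier 'not applicable' entries whose platform has since shown up in the inventory."""
    platforms = set(inventory.values())
    return [e.advisory_id for e in register if not e.applicable and e.platform in platforms]


# Constructed sample data: the hand-waved inventory versus an actual scan result
CLAIMED = {"web01": "platform-Y", "web02": "platform-Y", "db01": "platform-Y"}
SCANNED = {"web01": "platform-Y", "web02": "platform-X", "db01": "platform-Y", "legacy07": "platform-X"}
ADVISORY = Advisory("ADV-EXAMPLE-0001", "platform-X")

if __name__ == "__main__":
    first = assess_advisory(ADVISORY, CLAIMED)   # "not affected", but documented
    print(first)
    print(inventory_drift(CLAIMED, SCANNED))     # where the claimed picture was wrong
    print(reassess([first], SCANNED))            # the old call now needs revisiting
```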
Do you have any tips for organizations that are trying to better manage their security debt?
Lewis: Be aware that this is a thing. I have been through enough organizations in my career that I know that it is a real and present danger for a lot of organizations. One company I was in had seven different system monitoring platforms. Why? Each one of those platforms had a different feature that somebody wanted for that organization.
Over time, rather than consolidating all these or using one platform, they were using seven different platforms. They were paying 23-25% per annum on maintenance, so there's this huge sinkhole of money. When we went through and rationalized, we found there was one platform that could do everything that they probably needed. It's just nobody had ever taken the time to do the work. As an IT practitioner, most people don't want to do these sorts of things because they want to do something that's exciting. But the thing is we have to stop this mentality of firefighting. We have to sit down and do the hard work.
In part one of the Q&A, Lewis explained the risks of accumulating security debt.