Accumulated security debt is haunting enterprises around the world, says Dave Lewis.
As part of my day job with the enterprise security company Duo Security, I get the opportunity to travel the world and speak at all manner of conferences. In my travels I count myself lucky to have the chance to speak with so many people who work diligently to defend their enterprises.
These conversations have given me a unique perspective as to how others see the issues that they must contend with on a daily basis. And what’s really caught my attention are the similarities that I encounter from Tokyo to Rome and beyond.
A lot of the security professionals that I’ve spoken with at conferences have three core issues that they’re stuck trying to address. The first is the issue of accumulated security debt. The next is the need to consolidate the security tools in their environments and cut costs associated with the deluge of products. The last is the eternal battle for the information security budget.
I know – I cringed at that last point as well. The security debt issue manifests in numerous ways. Risks get accepted in order to ensure that projects keep to their deliverable timelines. Patches don’t get installed because a system is behind the firewall.
These are just a couple of the examples that haunt security programs the world over. When do those accepted security risks get addressed? More often than not they are never revisited, and they can lead to rather severe consequences later on.
The next problem, the consolidation of security tools in the environment, is something that many senior program owners discuss: in many cases they have inherited tools from their predecessors.
In addition to the initial outlay, they’d be saddled with the annual maintenance at 23% of the original purchase price, and this would make it difficult to convince their higher-ups to rip and replace – or better yet, consolidate.
There was a time when firewalls, DMZs and VPNs were the way to secure an environment. At the time, they were the right choice – but as times change and approaches such as zero trust emerge, it becomes difficult to educate the wider audience that change is, in fact, a good thing.
To add insult to injury, there is the continual battle for budget. This is a battle that I lived through more times than I care to remember, and it is interesting to commiserate with others and learn how they handled the situation.
My favorite story was that of a CISO from a hospital in the US. He had given back part of his budget when there was a shortfall in the hospital budget that pertained to patient care.
In his case, he managed to build credibility in the wider organization by stepping up to help proactively. As a result of that act, it became an academic exercise to secure budgets in the years that followed. This was a bold play – and it worked out for him.
No matter where I show up to speak at a conference, I thoroughly enjoy speaking with the men and women who work so hard to keep the internet secure and share their stories.