Security Debt, Running with Scissors

BSides Athens · 2022 · Talk · 25:02 · Published 2022-06
About this talk
Abstract: Security debt, “the accumulation of the patches missed, the risks accepted, and the configurations misapplied,” is a serious and common problem for many organizations, especially with the move to cloud computing and the rise of IoT. Part of the problem is that, while organizations might accept the risks they encounter, they often neglect to review them or make a plan for the future, and that risk is compounded when patches are passed from person to person through staff changes and/or employee churn. However, it doesn’t have to be this way: to track and address security debt, organizations must develop and implement defined, repeatable processes. They should look to strategies like the zero-trust model, trust but verify, sanitation of inputs and outputs, and, of course, make sure to execute patches instead of pushing them onto the next person. Security debt occurs when a technological debt has manifested as a security issue and the associated risks are accepted but not addressed. The longer organizations wait to address risks, the harder it is to address them. To eliminate debt, organizations should create defined and repeatable processes with plans for action.

Bio: Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is a Global Advisory CISO for Cisco. He is the founder of the security site Liquidmatrix Security Digest & podcast as well as the host of DuoTV and the Plaintext podcast. He is currently a member of the board of directors for BSides Las Vegas. Previously he served on the board of directors for (ISC)2 as well as being a founder of BSides Toronto. Dave has been a DEF CON speaker operations goon for over 10 years. As well, he serves on the advisory board for Sector Security Conference and the CFP review for 44CON. He is currently working towards his graduate degree at Harvard. Dave has written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.

For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.