In many places, computers are treated as capital equipment with a fairly long lifespan, and as devices that need operation but not maintenance. These attitudes may date back to the 1950s, when the first was fairly true and the cost of maintenance was hidden in the operational cost. Neither is true today. Computers are consumables that require regular, skilled care. Skipping this care is like not changing the oil in your car: you can get away with it for a little while, but at some point you’re in trouble. In fact, and as I explain below, it’s worse than dirty engine oil: not only are you at risk for a security incident, you end up in a maintenance trap.
Steven Bellovin, a professor of computer science at Columbia University and a security expert, believes that the security of computers and computing infrastructure is hampered by this 1950s thinking. Patching, upgrading, and maintaining security are smoother if your systems are changed every four years. The advice applies to individuals, government organizations, and large companies. (h/t Steve Crandall)