{"id":110703,"date":"2026-05-17T12:10:46","date_gmt":"2026-05-17T12:10:46","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=110703"},"modified":"2026-05-19T12:15:59","modified_gmt":"2026-05-19T12:15:59","slug":"in-2026-engineering-teams-are-quietly-accepting-more-risk-heres-why","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/security-and-compliance\/in-2026-engineering-teams-are-quietly-accepting-more-risk-heres-why\/","title":{"rendered":"In 2026, engineering teams are quietly accepting more risk. Here’s why"},"content":{"rendered":"\n

Redgate’s 2026 State of the Database Landscape report<\/a> reveals that people are increasingly willing to accept more risk to be more productive and take full advantage of AI\u2019s capabilities.<\/strong> But, why is this happening – and are they even aware?<\/strong><\/p>\n\n\n\n

That’s the question Steve Jones, Kellyn Gorman, Grant Fritchey and Pat Wright tried to answer in the latest episode of the Simple Talk podcast<\/a>. <\/p>\n\n\n\n

Sharing first-hand experience and stories from their own careers, they debated whether the decline of the DBA<\/a> ‘gatekeeper’ role has weakened security practices, how AI<\/a> is amplifying the problem – and much more.<\/p>\n\n\n\n

Watch or listen to the episode here<\/a>. If you don’t have time, though, here are the 11 key takeaways from the episode.<\/p>\n\n\n\n

Security vs speed in databases: 11 key takeaways<\/h2>\n\n\n\n

“Accepting more risk for speed” usually means misjudging the risk<\/h4>\n\n\n\n

Most teams making this trade don’t have a real model of what they’re agreeing to. As Steve put it in the episode: “People misassess risk. They say they’re accepting more risk, but really they don’t understand the risk they’re accepting.<\/em>“<\/p>\n\n\n\n

“<\/em>The internet finds open doors in minutes, not months”<\/h4>\n\n\n\n

Grant has tested this directly by opening up example databases on cloud platforms: “The moment it’s open, there’s hacking attempts. It’s like I’m opening up little tiny example databases and there’s 1,000 hits a minute trying to hack into it.”<\/em><\/p>\n\n\n\n

You don’t have to be a target \u2014 just a resource<\/h4>\n\n\n\n

Pat recounted a SQL Server<\/a> that ended up quietly mining Bitcoin for an attacker who never even touched the data. Kellyn encountered the same pattern, with leaked AWS API keys<\/a> and crypto miners running up a significant bill.<\/p>\n\n\n\n

Retrofitting security onto a privileged-by-default app is brutal<\/h4>\n\n\n\n

Whether it’s Great Plains demanding SA<\/code> for everything, or PostgreSQL<\/a> systems with passwords in pg_hba.conf<\/code>, Kellyn, Steve, Pat & Grant all agreed that adding security later is one of the hardest things in software. As Steve said, “you’re so worried about breaking something, you wouldn’t do it.”<\/em><\/p>\n\n\n\n

\n
\n
\n
\n

Protect your data. Demonstrate compliance.<\/h3>\n
\n With Redgate, stay ahead of threats with real-time monitoring and alerts, protect sensitive data with automated discovery & masking, and demonstrate compliance with traceability across every environment. <\/div>\n <\/div>\n Learn more<\/a>\n <\/div>\n <\/div>\n<\/section>\n\n\n

<\/p>\n\n\n\n

AI is amplifying existing bad habits – not fixing them<\/h4>\n\n\n\n

The standout line of the episode, from Grant: “It goes back to that 80s commercial. Where did you learn to do drugs? I learned it from you, Dad. The LLMs learned it from us. We’ve taught them poorly and now they’re executing poorly.”<\/em><\/p>\n\n\n\n

There’s a glimpse of how AI could help<\/h4>\n\n\n\n

Steve described an LLM (large language model) that, when given credentials in a file, came back unprompted and offered to move them into secure storage. This kind of ‘secure-by-default’ capability is exactly what people want – and need – from AI, but it’s not the norm as of yet.<\/p>\n\n\n\n

Defaults beat documentation, every time<\/h4>\n\n\n\n

That’s Kellyn’s core argument: “Everybody’s talking about policy and governance. If they don’t get software that does it for them, they’re going to lose. We need software that goes in and forces people to do it.”<\/em><\/p>\n\n\n\n

Friction can be a feature<\/h4>\n\n\n\n

AWS’s fiddly VPC (Virtual Private Cloud)<\/a> setup is a real impediment to speed \u2014 and that’s exactly why it nudges teams toward more deliberate network design. On the other hand, Microsoft Azure’s<\/a> ‘just let any Azure service talk to any other’ convenience is faster, but defaults to a posture most teams wouldn’t knowingly choose.<\/p>\n\n\n\n

Legacy systems aren’t the only problem<\/h4>\n\n\n\n

Kellyn pointed to the Oracle Cloud (OCI) breach<\/a>, which started with an unpatched legacy app. Kellyn also flagged that newer architectures, like data lakes<\/a>, are creating fresh exposure by democratising access faster than security can keep up.<\/p>\n\n\n\n

The ‘zero-day’ window is closing fast<\/h4>\n\n\n\n

Where teams used to wait months to patch databases, automated attacks now move in within days of a vulnerability being published. Patching cadence has to change accordingly. <\/p>\n\n\n\n

Security vs speed? It should instead be ‘visible work vs invisible risk’<\/h4>\n\n\n\n

Security work shows up in tickets and slower pull requests (PRs), so it’s visible. The risk it averts, however, doesn’t show up anywhere – until<\/em> said risk becomes a reality. Then, it shows up everywhere.<\/p>\n","protected":false},"excerpt":{"rendered":"

11 takeaways from the Simple Talk podcast on security vs speed in databases: why teams misjudge risk, how AI amplifies bad habits, and what to do about it.…<\/p>\n","protected":false},"author":59127,"featured_media":103086,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[46,143523,143530,159393,143524],"tags":[4168,4170,4619,5765,4150],"coauthors":[7590],"class_list":["post-110703","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","category-databases","category-security","category-simple-talk-podcast","category-sql-server","tag-database","tag-database-administration","tag-security","tag-security-and-compliance","tag-sql"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/59127"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=110703"}],"version-history":[{"count":5,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110703\/revisions"}],"predecessor-version":[{"id":110712,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110703\/revisions\/110712"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/103086"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=110703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=110703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=110703"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=110703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}