Let’s be honest, we all cut corners sometimes. That patch can wait until next quarter. The access review? We’ll get to it eventually. The old system nobody wants to fix? It’s still working, somehow.
ISACA’s recent white paper on security debt finally gave a name to what’s been bothering me for years. It’s not just “risk.” It’s debt, and like any debt it grows over time.
So, What Are We Talking About?
Ward Cunningham came up with the term “technical debt” back in 1992. Security debt is like its nasty little cousin. It’s every update we skipped, every shared password that never got changed, every rule gap nobody took care of. The report breaks it into four types: Technical & Process, Business, Leadership & Cultural, Modernization & Innovation, and Governance Debt. And honestly, I’ve seen all four exist in one department.
The Leadership & Cultural one hits hardest for me. When security is treated like somebody else’s problem, you’re already losing.
It Doesn't Blow Up Until It Does
Here's the thing that makes security debt tricky: nothing happens for a long time. You put off a patch … nothing breaks. You skip an access review … life goes on. Then one day you’re reading about yourself in the news.
Equifax had a known Apache Struts vulnerability. This cost them US$575 million. Change Healthcare had inconsistent MFA implementations. Ransomware spread in days and providers couldn’t pay their staff. SolarWinds? Malicious code was hidden in a trusted update for months before anyone noticed.
The 2025 global average for a data breach was $4.44 million and 86% of the breached organizations reported operational disruption. Those aren’t abstract numbers — that's real money and real damage.
One Thing the Report Gets Right
I’m not usually a fan of new frameworks but the Security Debt Index makes sense. It scores debt on three axes: how severe it is, how long it's been sitting there and how fast new issues of the same type keep popping up. Simple enough to explain to a CFO, yet detailed enough to drive decisions. That’s rare.
What I Think Matters Most
I’ve spent enough time in environments where security competes with delivery timelines and budget constraints to know this: tools alone won’t save you. You can buy every platform on the market and still struggle with debt if your organization’s culture isn’t right.
The report makes this point well. Security debt isn’t a CISO problem. It’s a business problem. It belongs on the balance sheet, in board discussions and in planning, not buried in a risk register nobody reads.
What frustrates me is how often I’ve seen organizations treat security as a hurdle to get through rather than a foundation to build on. Who are the ones that actually succeed? They’re not the ones with the budgets. They’re the ones where leadership truly owns the risk, and where “Not my task, someone else will handle it” isn’t an answer.
Start measuring your debt and be honest about what you find. Prioritize and fix the stuff that matters first. Don’t try to fix everything at once. Start with the 20% that carries 80% of the risk.
That’s it. No magic formula. Just. Honesty.