By Staff Writer at LMG Security   /   May 3rd, 2026

Security Debt: The Risk Nobody Is Reporting

Every major breach post-mortem tells the same story. Not a sophisticated attack. Not a nation-state. A gap that was known, documented, and ignored — until an attacker found it first. That’s security debt. And it’s behind more incidents than most organizations want to admit.

We spent an entire Cyberside Chats episode digging into what security debt looks like in practice, how attackers exploit it, and what you can actually do about it. Here’s the written version — focused on the five types of debt and the three incidents that show exactly what happens when it goes unaddressed.

AI is compressing attacker timelines from weeks to hours. Debt that felt manageable last year is becoming real exposure.

Three Incidents. One Pattern.
  1. Stryker  ·  2026 – An attacker gained admin access to an endpoint management system and wiped devices at scale. The gap wasn’t the initial breach; it was that a single admin account could execute destructive actions with no second approval required. Microsoft’s Multi Admin Approval for Intune was available. It wasn’t turned on.
  2. Change Healthcare  ·  2024 – Attackers entered through a Citrix portal with no MFA. CEO Andrew Witty confirmed it in congressional testimony. $22 billion in disruption. One missing checkbox on one portal.
  3. Colonial Pipeline  ·  2021 – A compromised VPN account, no longer in use and never deprovisioned (and, like the Change Healthcare portal, not protected by MFA). A legacy account still active. Lifecycle debt in its simplest form, and the result was roughly a week of disrupted fuel distribution across the Eastern US.

The common thread isn’t the attacker. It’s the gap. No exotic techniques. Just known issues that nobody closed.

The Five Types of Security Debt

Most real incidents involve more than one. That’s what makes this hard — and what makes fixing the connections between categories so much more valuable than fixing one in isolation.

  1. Identity Debt (Accounts that outlived their purpose) MFA available but not enforced. Admin accounts created during a project crunch and never cleaned up. Privileged access that accumulated because adding was always easier than reviewing. Change Healthcare lives here.
  2. Lifecycle Debt (Systems that should be gone) End-of-support software still in production. The server nobody will touch because seventeen things depend on it. Legacy accounts still active after their owners left. Colonial Pipeline lives here.
  3. Architecture Debt (The blast radius problem) Flat networks with no segmentation. Admin work on the same laptop used for email. Remote management consoles reachable from the internet. Architecture debt doesn’t let attackers in — it determines how far they go once they’re already there.
  4. Governance Debt (Exceptions nobody ever closed) Policies that exist on paper but aren’t enforced. Security exceptions with no expiration date, no named owner, no scheduled review. Every open exception without a deadline is governance debt. Stryker lives here.
  5. Operational Debt (The AI risk acceleration problem) Patch programs that can’t keep up. Detection gaps where attackers operate undetected. IR plans written once and never tested. If your time-to-remediate is measured in weeks and attacker timelines are now measured in hours, you have a math problem that good intentions won’t solve.

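Three of these five categories (identity, lifecycle, governance) are things you can check mechanically once you have an account export and an exception register. The following Python script is an added example, not code from the article or from LMG Security: it runs those checks over a small constructed inventory (the account names, exception IDs and dates are hypothetical). It looks for the specific gaps behind the three incidents above: enabled accounts where MFA is available but not enforced, accounts whose owner has left or that have not logged in recently, and open exceptions with no owner, no expiry date, a passed expiry date, or no recent review. The 90-day thresholds are assumptions; set them to whatever your policy actually says.

```python
"""Security-debt audit over a constructed account and exception inventory.

Added example (not the article's own code). In practice ACCOUNTS would come
from an identity-provider export and EXCEPTIONS from the exception register;
the values below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    name: str
    enabled: bool
    privileged: bool          # admin / elevated role
    mfa_enforced: bool        # enforced by policy, not merely available
    internet_facing: bool     # VPN, Citrix, remote-management portal login
    owner_active: bool        # does the human owner still work here?
    last_login: date | None   # None = never seen logging in


@dataclass
class SecurityException:
    ident: str
    control: str              # the control being waived
    owner: str | None
    expires: date | None
    last_reviewed: date | None


def identity_debt(accounts: list[Account]) -> list[str]:
    """Enabled accounts where an attacker needs only a password."""
    findings = []
    for a in accounts:
        if not a.enabled or a.mfa_enforced:
            continue
        if a.privileged:
            findings.append(f"{a.name}: privileged account without enforced MFA")
        elif a.internet_facing:
            findings.append(f"{a.name}: internet-facing login without enforced MFA")
    return findings


def lifecycle_debt(accounts: list[Account], today: date, stale_days: int = 90) -> list[str]:
    """Enabled accounts that should already have been deprovisioned."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for a in accounts:
        if not a.enabled:
            continue
        if not a.owner_active:
            findings.append(f"{a.name}: owner has left but account is still enabled")
        elif a.last_login is None or a.last_login < cutoff:
            findings.append(f"{a.name}: no login in the last {stale_days} days")
    return findings


def governance_debt(exceptions: list[SecurityException], today: date,
                    review_days: int = 90) -> list[str]:
    """Open exceptions with no owner, no deadline, a passed deadline or no recent review."""
    findings = []
    review_cutoff = today - timedelta(days=review_days)
    for e in exceptions:
        if e.owner is None:
            findings.append(f"{e.ident} ({e.control}): no named owner")
        if e.expires is None:
            findings.append(f"{e.ident} ({e.control}): no expiration date")
        elif e.expires < today:
            findings.append(f"{e.ident} ({e.control}): expired on {e.expires}, still open")
        if e.last_reviewed is None or e.last_reviewed < review_cutoff:
            findings.append(f"{e.ident} ({e.control}): not reviewed in {review_days} days")
    return findings


def audit(accounts, exceptions, today: date) -> dict[str, list[str]]:
    """Run all three checks and group the findings by debt category."""
    return {
        "identity": identity_debt(accounts),
        "lifecycle": lifecycle_debt(accounts, today),
        "governance": governance_debt(exceptions, today),
    }


TODAY = date(2026, 5, 1)  # fixed date so the example is deterministic

# Constructed sample data; names and IDs are hypothetical.
ACCOUNTS = [
    # dormant contractor VPN account, owner gone, no MFA (Colonial-style gap)
    Account("vpn-contractor-07", True, False, False, True, False, date(2025, 11, 2)),
    # live remote-access portal login with MFA available but not enforced
    Account("remote-portal-svc", True, False, False, True, True, date(2026, 4, 30)),
    # admin account done right: MFA enforced, owner present, recently used
    Account("intune-admin-2", True, True, True, False, True, date(2026, 4, 29)),
    # already disabled: not debt, must not be flagged
    Account("old-helpdesk", False, True, False, False, False, None),
]
EXCEPTIONS = [
    SecurityException("EXC-014", "MFA on remote portal", None, None, None),
    SecurityException("EXC-021", "Flat network in plant segment", "netops",
                      date(2025, 12, 31), date(2026, 3, 15)),
    SecurityException("EXC-030", "Legacy file server", "infra",
                      date(2026, 9, 30), date(2026, 4, 10)),
]

if __name__ == "__main__":
    for category, items in audit(ACCOUNTS, EXCEPTIONS, TODAY).items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

The point of keeping the checks separate by category is the article's own: the same account usually shows up in more than one list (vpn-contractor-07 is both identity debt and lifecycle debt), and that overlap is where the real exposure sits.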
Most of this is fixable. Not with new tools or a platform purchase, but with decisions, policies, and follow-through on things you probably already know need to happen.

About the Author

LMG Security Staff Writer