Alignment
Defence in Debt: When Security Spending Doesn't Buy Security
"There's a special kind of technical debt that doesn't show up in Jira."
There's a special kind of technical debt that doesn't show up in Jira. It doesn't sit in a backlog. It doesn't have a product owner. It doesn't even admit it exists. It lives in PowerPoint.
I call it capability debt. And it's quietly crushing platform teams across the industry.
The Swiss Cheese Problem
The Swiss cheese model of defence is sound in theory. Multiple layers, each with holes, working together to reduce the chance of total failure. No single layer needs to be perfect because the layers behind it catch what slips through. It's an elegant concept that has shaped how we think about security architecture for decades.
But in many enterprises, what actually gets deployed bears little resemblance to this model. The first layer gets purchased with great fanfare. The second layer gets installed, usually by a vendor professional services team who leaves after a week. The third layer gets partially configured, enough to pass the initial health check but not enough to actually enforce anything. The fourth layer exists as a draft policy document that's been "under review" for six months. The fifth layer is a roadmap item, perpetually three quarters away.
None of the holes are aligned, but none of the layers are actually sealed either. We don't have layered defence. We have layered procurement. The organization believes it has defence in depth because it has contracts in depth. These are not the same thing.
Millions Spent, Outcomes Unclear
Modern enterprises routinely license an impressive array of security tooling. Endpoint detection platforms that promise to catch malware before it executes. Identity governance suites that are supposed to ensure the right people have the right access. Conditional access engines that should enforce device compliance and user context. Data loss prevention tooling that's meant to stop sensitive information from leaving the organization. Cloud workload protection for the containers and serverless functions. CASB to monitor SaaS applications. Zero Trust frameworks to replace the crumbling perimeter model.
The contracts get signed. The announcements get made. Strategic milestones are declared in quarterly business reviews. The security team's slide deck shows an impressive architecture diagram with logos from all the major vendors.
Then someone asks a simple question: "What risk is measurably reduced today?"
Silence.
Because what exists is not an operational control. It's a theoretical capability. The tool is licensed. It's probably installed somewhere. There might even be a dashboard that shows green. But when you dig into whether it would actually stop something bad from happening, the answers get vague. Theoretical capability does not stop an attack. Attackers don't care about your architecture diagrams or your vendor relationships. They care about what's actually enforced.
The Platform Tax
Here's what actually happens in most organizations. Security secures funding for "capability uplift." It's a compelling pitch: we need this tool to address a critical gap in our defences. The budget gets approved. The vendor gets selected (often the one with the best golf outings). Contracts are signed with much celebration. Implementation begins with enthusiasm and executive attention.
Then it stalls at 60%.
Why? Because the final 40% is where the real work lives. It requires engineering integration with systems that weren't designed for this new tool. It requires operational runbooks so the SOC knows what to do when alerts fire. It requires exception governance so there's a clear process when the tool blocks something legitimate. It requires identity hygiene, which means actually cleaning up the years of accumulated cruft in Active Directory. It requires device hygiene, which means dealing with all those unmanaged devices that somehow got onto the network. It requires ownership clarity, because someone needs to be responsible for this thing after the implementation team moves on. And it requires real change management, which means getting business units to actually change how they work.
None of that fits neatly inside a capability announcement. It's unglamorous work that doesn't make for good slides. It doesn't generate impressive metrics for the quarterly review. It's just grinding, difficult, operational reality.
So the platform teams inherit it. The identity team suddenly finds themselves responsible for a new tool they weren't consulted on. The endpoint team gets a half-configured agent that's causing performance problems. The network team has to figure out why traffic is being dropped. The cloud team discovers new policies that break their deployment pipelines.
They inherit broken policy sets that were configured by someone who didn't understand the environment. They inherit half-enforced controls that create confusion about what's actually required. They inherit unowned configurations that nobody wants to touch because nobody knows why they're there. They inherit escalation paths that lead to people who have moved on to other roles. They inherit audit findings without remediation funding, because the security budget went to new tools rather than fixing the old ones.
Defence in debt.
Chasing the Future While Ignoring the Present
Meanwhile, leadership hosts strategy sessions on the threats of tomorrow. Post-quantum cryptography gets a lot of airtime, because the idea of quantum computers breaking encryption makes for compelling boardroom discussion. AI-driven autonomous SOC is on every vendor's roadmap, promising to solve the analyst shortage through machine learning magic. Behavioural biometrics will revolutionize authentication. Adaptive risk scoring will make access decisions seamless and secure.
And yes, these things will matter eventually. Some of them will genuinely transform how we approach security. Planning for the future is part of the job.
But today, right now, the fundamentals are often embarrassingly broken. Ask whether local admin rights are actually controlled, and you'll hear about the project that's been underway for two years. Ask whether conditional access policies are consistently enforced, and you'll learn about all the exceptions that got granted because someone important complained. Ask whether service accounts are inventoried and rotated, and watch the uncomfortable silence. Ask whether exceptions are time-bound and audited, and you'll discover they're time-bound in policy but permanent in practice. Ask whether device posture is truly required, and you'll find it's set to "audit mode" rather than "enforce" because nobody wanted to deal with the helpdesk tickets.
It's astonishing how often the basics are optional while the future is mandatory. Organizations convene working groups on quantum-resistant encryption while the firewall rule set still contains entries marked "temporary - do not delete" from 2019. We're preparing for nation-state attacks while domain admin credentials sit in a spreadsheet on SharePoint.
Capability vs Control
This distinction matters more than most security frameworks acknowledge, and getting it wrong is at the heart of capability debt.
A capability is something you can describe. You can put it on a slide. You can tell auditors you have it. You can check a box on a compliance questionnaire. A capability is a potential.
A control is something that measurably constrains behaviour. It actively prevents something from happening, or detects it when it does, with real consequences. A control is an operational reality.
Consider the difference in practice. "We have DLP" is a capability. It means you've purchased and probably installed a data loss prevention product. It says nothing about whether that product is actually preventing data loss. "Sensitive data exfiltration from unmanaged devices is blocked, monitored, and enforced through device posture requirements" is a control. It describes a specific behaviour that is prevented, explains how, and implies that someone is watching.
"We have Zero Trust" is a capability, and at this point it's such an overloaded term that it barely means anything. Every vendor claims their product is Zero Trust. "Access without device compliance is denied, with no exceptions granted without time-bound approval and audit trail" is a control. It's specific, enforceable, and verifiable.
If a security investment does not result in an enforceable control, it's not a defence layer. It's a brochure. It might satisfy an auditor who's checking boxes, and it might look impressive in a board presentation, but it won't stop an attacker who doesn't care about your compliance posture.
The Cultural Problem
This isn't a technology issue. It's a cultural one, rooted in how security work is funded, measured, and rewarded.
Security owns the narrative. They write the strategy documents, present to the board, and secure the funding. Their success is measured in capabilities delivered, tools deployed, and maturity assessments completed. Platform teams own the operational reality. They're the ones who have to make these tools actually work in production, integrate them with existing systems, and deal with the fallout when something breaks. Audit owns the findings. They identify gaps and write reports, but they don't have budget or authority to fix anything. And critically, no one owns the outcome. No single person or team is accountable for whether the organization is actually more secure.
The result is an organization that confuses concern with control, procurement with protection, and roadmaps with risk reduction. Leadership feels good because they've invested heavily in security. Security feels good because they've delivered on their capability commitments. Meanwhile, the platform teams are told to "close gaps" without the authority, funding, or mandate to actually enforce anything. They can't push back on exceptions because they don't own the policy. They can't force business units to comply because they don't have executive backing. They can't fund the remediation work because the budget went to new tools.
Security gets the budget and the announcements. Operations gets the blame when something breaks. That's how defence becomes debt, and it's why so many organizations are in this position despite spending more on security than ever before.
What Mature Organizations Do Differently
The organizations that actually reduce risk do things differently, and some of what they do is uncomfortable. It requires honesty about the gap between what's claimed and what's real, and it requires discipline to resist the allure of new capabilities when existing ones aren't working.
They stop counting tools and start measuring enforcement. The metric isn't how many security products are deployed; it's how many are actively enforcing policy. They know the difference between a dashboard showing green because everything is configured correctly and a dashboard showing green because it's set to audit mode.
They require every capability to map to a measurable control before procurement. This means defining, specifically, what behaviour will be prevented or detected, and who will operationalize it. If these questions can't be answered clearly, the procurement doesn't move forward. This kills a lot of shiny object purchases, which is exactly the point.
They assign operational ownership before signing contracts. Someone has to be accountable for making this thing work in production, and that person needs to be involved in the decision to buy it. The days of security purchasing tools and throwing them over the wall to platform teams should be over.
They fund the last 40%, not just the first 60%. The implementation budget includes integration, runbooks, training, and ongoing operations. This makes the true cost visible, which sometimes kills projects that looked affordable when only the license fees were considered.
And they kill controls that can't be enforced. This is the hardest one, because it requires admitting that something isn't working. But a partially implemented control isn't neutral. It creates false confidence, and false confidence affects how you allocate attention and resources everywhere else. If you think DLP is preventing data exfiltration, you might not invest in other detective controls. If you think conditional access is enforced, you might not worry about lateral movement. Acknowledged weakness is easier to manage than hidden weakness.
The Questions That Matter
Before the next security investment, before the next vendor pitch, before the next capability announcement, ask five questions.
What exact behaviour will this prevent? Not "improve security posture" or "reduce risk." What specific thing will stop happening or start being detected? If the answer is vague, the investment is probably buying a capability, not a control.
Who operationalizes it? Not the vendor professional services team who'll be gone in three weeks. Who inside the organization will own this on an ongoing basis? Do they know? Have they agreed? Do they have capacity?
What's the enforcement model? When this tool decides to block something, what happens? Is there an exception process? Who approves exceptions? What prevents exceptions from becoming permanent?
What happens when it blocks something revenue-generating? Because it will. A sales rep won't be able to send a file to a client. A deployment will fail because of a new policy. An executive will be blocked from something they need. When that happens, does the control hold or does it get bypassed? The answer to this question tells you whether you're building real defence or theatre.
Is leadership willing to hold the line when that happens? Because if the answer is "we'll create an exception," you're not reducing risk. You're just adding complexity.
If those answers are unclear, you're not building defence. You're building debt.
The Bottom Line
Defence in depth only works when the depth is real. It only works when each layer actually does something, when controls are enforced rather than merely installed, and when someone is accountable for the operational reality rather than just the capability narrative.
The fix isn't more tools. Security budgets have grown dramatically over the past decade, and yet breaches continue. The fix is finishing what you've started, funding the unglamorous implementation work, being honest about what's actually enforced versus what's merely licensed, and having the discipline to kill things that aren't working rather than letting them create false confidence.
That's harder than buying another platform. It's less exciting than the next big thing. It doesn't generate vendor dinners or conference invitations. But it's the only thing that actually reduces risk.
Stop building capability. Start building control.