#1745653: The Only Thing Worse Than Technical Debt is Newly Discovered Technical Debt
| Description: |
With new LLM tools, organizations are suddenly forced to reconcile years of technical debt being discovered at machine speed. So, how do organizations deal with this new diagnostic visibility that breaks every assumption about vulnerability management? Week one is the wrong time to overreach New CISOs keep making the same three mistakes in their first few months, and none of them are new. Percy Rotteveel of Rotteveel Consultancy watched the pattern repeat across career after career: trying to fix everything at once, turning into the office of no, and running at full sprint speed until burnout catches up. The instinct to prove value fast is exactly what pushes people toward all three. The fix is almost boring by comparison: pick three to five priorities for year one and actually execute them. The mistakes sound obvious in hindsight, which is exactly why they keep happening. Nobody has the AI playbook Leadership never had a finish line, just the next thing you don't understand yet. Miko Pawlikowski 🎙️ of Quadrature got a blunt reminder of that recently. The confident certainty everyone wants from AI right now just doesn't hold up when you're the one leading a team through it. Admitting you don't know something once builds trust. Say it every week and it starts looking less like honesty and more like drift. Don't pretend you have answers. Focus on making "we're figuring this out together" sound like a plan instead of a shrug. Vulnerability management wasn't built for this clock AI tools aren't creating new vulnerabilities; they're exposing legacy debt that's been quietly rotting in codebases for years. Ross Young of CISO Tradecraft® calls it an MRI effect: diagnostic visibility into rot nobody could see before. Where organizations feel the pain is how this completely changes traditional security timing. Exploitation windows are collapsing from months down to minutes, and that breaks nearly every assumption built into how patching works today. Vulnerability management isn't dead, but it can't survive running on last decade's schedule. Stop blaming the human, fix the system Humans aren't the weakest link in security; they're just predictable, and that's a very different problem to solve. Joshua Copeland of Crescendo argues that treating every phishing click as a training failure lets everyone dodge the real issue, which is a design failure. His fix is engineering controls that don't depend on people behaving perfectly, all the time, forever. Great idea, right up until the budget and the tooling have to keep pace with it. The harder question isn't whether humans are predictable. It's how much of that predictability a security program is actually willing to design around. Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now. Listen to the full episode here. Thanks Vanta for sponsoring. And thanks to Speakeasy for providing this week's security tip on threat intelligence. |
|---|---|
| More info: | https://www.linkedin.com/pulse/only-thing-worse-than-technical-debt-newly-discovered-cisoseries-zhisc/ |
| Date added | July 15, 2026, 12:41 a.m. |
|---|---|
| Source | |
| Subjects |
