Modern engineering teams have little time — or patience — for retroactive fixes
Security teams have long relied on a triad of controls: preventive, detective, and corrective — stop the adversary, spot the adversary, fix the damage. Implicit in this model is the assumption that the adversary can break in, and defenders must respond. Why do we accept that? Because, much like a mission in a real-time strategy game where the player protects an unpredictable escort, security teams are not in control of what they’re securing.
Today, that ‘escort’ is the business itself: fast-moving, partner-led, and racing to deploy apps at scale in pursuit of growth. And as it moves, it leaves behind a mess for security teams to clean up.
Security playing catch-up
Modern engineering teams have little time — or patience — for retroactive fixes. That’s left security professionals scrambling to identify, categorise, and prioritise issues as they emerge. To fill the gap, security posture management tools have flooded the market, promising chief information security officers (CISOs) help in tracking cloud misconfigurations, software supply chain vulnerabilities and SaaS risk.
This model — spotting problems and responding — made sense when software development moved slowly. Under the now-outdated waterfall model, software moved through deliberate phases of design, build, test, and deploy. Security had time to inject itself into the process. But as software teams embraced agile practices and continuous deployment, the pace outstripped security’s ability to respond.
From pothole patrol to paving the road
Security, today, is largely structured around reacting to problems. But, as with city streets, a strategy of “just pave the road” — building security into the infrastructure — is more efficient than fixing potholes after the damage is done.
Paving the way for safer, faster software delivery requires a rethink of three fundamental areas.
1. Shrink what you need to protect
Attack surface reduction should not stop at closing exposed ports and endpoints; the goal is to reduce the volume of code and infrastructure that needs protecting at all. Modern applications ship with bloated dependency trees: transitive components that are rarely, if ever, executed but still have to be patched, audited and trusted.
A minimalist approach, deploying only the software a specific use case needs, is the better path. It removes the risk carried by outdated or unnecessary dependencies, leaves fewer components to keep current, and so closes windows of vulnerability before they open.
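One concrete way to find the bloat this section describes, as an added example that is not part of the original article: the script below parses a requirements file and a project's Python sources with the standard library and lists every declared distribution whose module is never imported. The requirements text, the source files and the small distribution-to-module name table are constructed for the example and are assumptions, not data from any real project.

```python
"""Flag declared dependencies that no source file actually imports.

Added example, not part of the original article. It scans Python source
with the standard-library ``ast`` module and compares the top-level modules
imported against the distributions declared in a requirements file.
The mapping of distribution names to import names below is a small
hand-maintained table (an assumption for this example); real projects
need the full table from package metadata.
"""
import ast
import re

# Assumed mapping of distribution name -> importable module name for the
# few cases where the two differ. Everything else is assumed to match
# after lower-casing and replacing '-' with '_'.
DIST_TO_MODULE = {
    "pyyaml": "yaml",
    "pillow": "PIL",
    "beautifulsoup4": "bs4",
    "python-dateutil": "dateutil",
}


def declared_distributions(requirements_text):
    """Return the distribution names pinned in a requirements.txt body."""
    dists = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):        # skip -e / -r option lines
            continue
        # Strip extras, version specifiers and markers:
        # "requests[security]>=2.0 ; python_version>'3'" -> "requests"
        name = re.split(r"[\[<>=!~; ]", line, maxsplit=1)[0]
        dists.append(name.lower())
    return dists


def module_name_for(dist):
    """Best-effort import name for a distribution (see DIST_TO_MODULE)."""
    return DIST_TO_MODULE.get(dist, dist.replace("-", "_"))


def imported_top_level_modules(sources):
    """Collect top-level module names imported across a set of source texts."""
    modules = set()
    for src in sources:
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.Import):
                for alias in node.names:
                    modules.add(alias.name.split(".")[0])
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                modules.add(node.module.split(".")[0])   # relative imports are local code
    return modules


def unused_dependencies(requirements_text, sources):
    """Distributions declared but whose module is never imported, sorted."""
    imported = {m.lower() for m in imported_top_level_modules(sources)}
    return sorted(
        d for d in declared_distributions(requirements_text)
        if module_name_for(d).lower() not in imported
    )


# Constructed sample input: a lockfile and two source files of a small service.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
pyyaml==6.0.2
pillow==10.4.0   # image thumbnails (feature no longer shipped)
python-dateutil==2.9.0
cryptography==43.0.1
"""

SAMPLE_SOURCES = [
    "import requests\nfrom yaml import safe_load\n\ndef fetch(url):\n    return requests.get(url).text\n",
    "from dateutil import parser\nimport os.path\n\ndef when(s):\n    return parser.parse(s)\n",
]

if __name__ == "__main__":
    for dist in unused_dependencies(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES):
        print(f"declared but never imported: {dist}")
```

Treat the output as candidates for review rather than an automatic prune list: dynamic imports, plugin entry points and packages pulled in only for their command-line tools will not show up in a static import scan.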
2. Fix the foundations with better native configurations
System administrators once had standardised security policies across environments. In the cloud era, that discipline has eroded. The tools and interfaces to configure cloud security are often inconsistent, overly complex, and differ between — and even within — cloud providers.
Security teams, instead of managing risk, now manage complexity. The industry needs to simplify this by allowing teams to define and apply configurations across platforms — consistently, centrally, and automatically.
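As an added example of the consistent, centrally defined configuration this section argues for (not code from the original article), the script below normalises bucket descriptions from two providers into one provider-neutral record and evaluates a single baseline against both. The two input shapes are simplified, constructed approximations of S3 and GCS bucket metadata, and the rule identifiers are invented for the example; neither should be read as exact API output or a published benchmark.

```python
"""Apply one security baseline to storage buckets across cloud providers.

Added example, not from the original article. Provider-specific settings
are normalised into a common record, and a single centrally defined
baseline is evaluated against every record. The two input shapes below are
simplified, constructed approximations of an AWS S3 and a GCS bucket
description; they are assumptions for this example, not exact API output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BucketConfig:
    """Provider-neutral view of the settings the baseline cares about."""
    provider: str
    name: str
    public_access_blocked: bool
    encrypted_at_rest: bool
    versioning_enabled: bool
    access_logging: bool


def normalise_s3(raw):
    """Map a (simplified) S3 bucket description onto BucketConfig."""
    pab = raw.get("PublicAccessBlockConfiguration", {})
    return BucketConfig(
        provider="aws",
        name=raw["Name"],
        # All four block-public-access switches must be on to count as blocked.
        public_access_blocked=all(pab.get(k, False) for k in (
            "BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")),
        encrypted_at_rest=bool(raw.get("ServerSideEncryptionConfiguration")),
        versioning_enabled=raw.get("Versioning", {}).get("Status") == "Enabled",
        access_logging=bool(raw.get("LoggingEnabled")),
    )


def normalise_gcs(raw):
    """Map a (simplified) GCS bucket description onto BucketConfig."""
    iam = raw.get("iamConfiguration", {})
    return BucketConfig(
        provider="gcp",
        name=raw["name"],
        public_access_blocked=iam.get("publicAccessPrevention") == "enforced",
        # GCS encrypts at rest by default; this baseline wants a customer-managed key.
        encrypted_at_rest="defaultKmsKeyName" in raw.get("encryption", {}),
        versioning_enabled=raw.get("versioning", {}).get("enabled", False),
        access_logging="logging" in raw,
    )


# One baseline, defined centrally, expressed as (rule id, predicate).
# Rule ids are invented for this example.
BASELINE = [
    ("STOR-1 public access blocked", lambda b: b.public_access_blocked),
    ("STOR-2 customer-managed encryption", lambda b: b.encrypted_at_rest),
    ("STOR-3 versioning enabled", lambda b: b.versioning_enabled),
    ("STOR-4 access logging on", lambda b: b.access_logging),
]


def evaluate(buckets):
    """Return {bucket name: [failed rule ids]} for every bucket, any provider."""
    return {b.name: [rule for rule, ok in BASELINE if not ok(b)] for b in buckets}


# Constructed sample inventory: one bucket per provider.
SAMPLE_S3 = {
    "Name": "billing-exports",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "ServerSideEncryptionConfiguration": {"Rules": [{"SSEAlgorithm": "aws:kms"}]},
    "Versioning": {"Status": "Enabled"},
}
SAMPLE_GCS = {
    "name": "billing-exports-eu",
    "iamConfiguration": {"publicAccessPrevention": "enforced"},
    "encryption": {"defaultKmsKeyName": "projects/p/locations/eu/keyRings/r/cryptoKeys/k"},
    "versioning": {"enabled": True},
    "logging": {"logBucket": "audit-logs"},
}

if __name__ == "__main__":
    results = evaluate([normalise_s3(SAMPLE_S3), normalise_gcs(SAMPLE_GCS)])
    for name, failures in results.items():
        print(name, "OK" if not failures else failures)
```

The point of the split is that the baseline never mentions a provider: adding a third platform means writing one more normaliser, not a third copy of the rules. The normalisers are where provider quirks live, such as GCS encrypting by default while the baseline still insists on a customer-managed key.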
3. Silence the noise from non-human identities
As passwordless authentication gains ground for users, the credentials used by machines — API keys, tokens, service accounts — remain an unmanaged sprawl. These non-human identities (NHIs) now account for more than 95% of enterprise authenticators, yet their management is alarmingly basic.
Instead of merely storing them securely, NHIs should be treated more like users: given just-in-time access, their usage monitored, and their sprawl curtailed. Security tools need to evolve to support discovery, governance, and runtime protection of these identities throughout the software lifecycle.
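The discovery and runtime monitoring this section calls for, as an added example that is not from the original article: the script below reconciles a constructed credential inventory against a constructed usage log and reports credentials that are unowned, idle beyond a threshold, older than the rotation window, or used from a network they were never expected on, plus any credential that appears in the log but that nobody inventoried. The inventory, the log lines, the thresholds and the fixed clock are all assumptions chosen for the example and do not follow any particular vendor's data model.

```python
"""Triage a non-human-identity inventory against a constructed usage log.

Added example, not from the original article. It shows the kind of
discovery and runtime checks the text calls for: which machine credentials
are unowned, idle, older than the rotation window, or suddenly used from a
network they were never seen on. The inventory, the log records and the
thresholds are constructed for this example and are assumptions, not any
particular vendor's data model.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible
MAX_IDLE = timedelta(days=30)        # unused this long -> revoke candidate
MAX_AGE = timedelta(days=90)         # older than this -> rotate

# Constructed inventory: credential id -> owner, creation date, expected source networks.
INVENTORY = {
    "svc-ci-deploy":   {"owner": "platform-team", "created": "2024-05-15", "allowed_from": ["10.20.0.0/16"]},
    "svc-report-gen":  {"owner": None,            "created": "2023-11-01", "allowed_from": ["10.30.0.0/16"]},
    "svc-legacy-sync": {"owner": "data-team",     "created": "2024-01-10", "allowed_from": ["10.40.0.0/16"]},
}

# Constructed usage log lines: "<ISO timestamp> <credential id> <source ip> <action>".
USAGE_LOG = """\
2024-06-29T08:01:00Z svc-ci-deploy 10.20.4.7 deploy
2024-06-29T08:02:00Z svc-ci-deploy 10.20.4.7 deploy
2024-06-30T02:15:00Z svc-report-gen 10.30.1.9 read
2024-06-30T02:16:00Z svc-report-gen 203.0.113.50 read
2024-04-02T11:00:00Z svc-legacy-sync 10.40.2.2 sync
"""


def parse_log(text):
    """Yield (timestamp, credential id, source ip) tuples from the log text."""
    for line in text.splitlines():
        ts, cred, src, _action = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), cred, src


def triage(inventory, log_text, now=NOW):
    """Return {credential id: sorted list of findings}; an empty list means clean."""
    last_seen, seen_from = {}, {}
    for ts, cred, src in parse_log(log_text):
        last_seen[cred] = max(ts, last_seen.get(cred, ts))
        seen_from.setdefault(cred, set()).add(src)

    findings = {}
    for cred, meta in inventory.items():
        issues = set()
        if not meta["owner"]:                       # governance: nobody accountable
            issues.add("no-owner")
        created = datetime.fromisoformat(meta["created"]).replace(tzinfo=timezone.utc)
        if now - created > MAX_AGE:                 # lifecycle: past rotation window
            issues.add("rotate:age-exceeded")
        if cred not in last_seen or now - last_seen[cred] > MAX_IDLE:
            issues.add("idle:revoke-candidate")     # sprawl: nothing uses it
        nets = [ip_network(n) for n in meta["allowed_from"]]
        for src in seen_from.get(cred, ()):         # runtime: used from the wrong place
            if not any(ip_address(src) in n for n in nets):
                issues.add(f"unexpected-source:{src}")
        findings[cred] = sorted(issues)
    # Credentials active in the log that nobody inventoried: a discovery gap.
    for cred in set(last_seen) - set(inventory):
        findings[cred] = ["not-in-inventory"]
    return findings


if __name__ == "__main__":
    for cred, issues in triage(INVENTORY, USAGE_LOG).items():
        print(cred, issues or ["ok"])
```

Each finding maps to an action the section names: unowned credentials get an owner or are revoked, idle ones are revoked, over-age ones are rotated, and an unexpected source is the runtime signal that a stored secret has leaked. The same structure works on real audit logs once the parser matches the provider's record format.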
Security at the speed of business
The idea of “paving the road” isn’t just idealistic — it’s practical. If security teams can build safe pathways for developers from the start, they reduce both the volume and urgency of threats. While not every risk can be designed away, many can — and should — be.
By enabling developers to move quickly and securely, organisations gain the best of both worlds: speed and safety. The sooner the industry embraces this shift in mindset, the fewer potholes there’ll be left to fix.

