The Security Decision You're Already Making
By Domenic DiNatale
The most consequential security decisions your organization makes probably aren't made by your security team.
They're made by engineers choosing how services authenticate to each other. By architects deciding whether to put staging and production on the same network. By product teams deciding which user data gets stored and for how long. By DevOps choosing whether to use long-lived credentials or short-lived ones. By leadership deciding how much technical debt is acceptable to carry.
None of these decisions are framed as security decisions when they're made. They're engineering decisions, product decisions, infrastructure decisions. The security implications are usually invisible at decision time and only become visible after something goes wrong.
This is the architectural root of most poor security postures. Not bad intentions. Not ignored security advice. Just the quiet accumulation of decisions made without recognizing the security dimension they contained.
The Invisible Security Choice
Every system design embeds security properties whether the designer thinks about them or not. A service that stores credentials in environment variables is making a choice about how those credentials can be accessed and by whom. A database that's network-accessible to the entire internal network is making a choice about what has to be compromised before that data is reachable. A microservices architecture where every service implicitly trusts every other service is making a choice about blast radius.
These aren't choices made carelessly — they're choices made without the full decision frame. The engineer deciding to use a shared database across services is optimizing for development speed and code simplicity, which are legitimate goals. The security implication — that a compromise of any service now potentially means access to all data accessible to any service — isn't the primary thing in view. It gets weighed against convenience and velocity and usually loses, not because the engineer doesn't care about security, but because the security cost isn't visible at decision time.
The organizations with the worst security postures aren't typically staffed by people who made a deliberate choice to be insecure. They're staffed by competent engineers who made reasonable-looking decisions without a full view of what those decisions meant for security. The problem isn't malice or negligence. It's an incomplete decision frame applied consistently over years.
When Security Gets Involved
In most organizations, security gets involved after design decisions are made — reviewing architecture diagrams, conducting penetration tests, running vulnerability scans. These activities are valuable, but they're operating on a design that's already constrained. The security review can identify problems, but the solutions are constrained by the architecture those problems are embedded in.
Telling a team "your services shouldn't trust each other implicitly" is useful feedback. But if the services were built assuming implicit trust — if the API contracts, data access patterns, and deployment model all assume it — the fix isn't a configuration change. It's a re-architecture. That's expensive in a way that makes it unlikely to happen unless the risk is immediately compelling.
The leverage point is earlier. Security needs to be a participant in the design process, not an auditor of the output. That's a different operating model from how most security functions work, and it requires a different kind of security practitioner — one who understands the engineering tradeoffs well enough to be in the room when architecture decisions are made, and can surface the security implications without blocking the work.
Making the Security Dimension Visible
The practical intervention is simpler than a wholesale organizational redesign: make the security dimension of routine decisions visible at the time those decisions are made.
This looks like threat modeling as a lightweight engineering practice, not a heavyweight security audit. When a team is designing a new service, they ask: what does this service need access to, and what happens if it's compromised? Not as a formal review process, but as part of the normal design conversation. What's the blast radius? What's the privilege footprint? What does the authentication model look like?
It looks like security-aware defaults in infrastructure tooling. If the default network configuration is segmented rather than flat, engineers don't have to make an active decision to segment — they have to make an active decision to un-segment, which forces the security cost into view. Sensible defaults shift the burden from "remember to do the secure thing" to "deliberately choose the insecure option when you have a reason."
It looks like recognizing that data minimization is a security decision. Storing less data, retaining it for shorter periods, and restricting access to it are all security choices made under the cover of product and engineering decisions. When product teams decide what to store and for how long, they're making choices about what an attacker can access if the storage is compromised. Making that connection explicit changes the conversation.
The Accumulation Problem
The reason this is hard to fix retrospectively is that the security debt accumulates gradually, in small decisions, until the architecture reflects a set of security properties that nobody chose intentionally. Each individual choice seemed reasonable. The aggregate is a system where a single compromised service can reach sensitive data, where credentials are durable and broadly valid, where the blast radius of a breach is essentially unlimited.
Unwinding that architecture is expensive — often more expensive than the organization can absorb at once. The practical response is incremental: identify the highest-risk architectural properties and address them systematically, while building the culture and processes to make better security decisions upstream going forward.
But the deeper fix is recognizing that you are always making security decisions, even when you think you're making something else. Every architecture choice is a security choice. The question is only whether you're making that choice consciously.
This post is part of a series on security as an architectural problem. Read the full series on the Intellitech blog.