
Secure-by-design must move beyond developers: enterprises should make application security a funded, measurable operating model with board accountability, incentives across units, and customer risk reduction built into product planning.
David Gewirtz argued in a May 11, 2026 feature that enterprises must stop treating application security as post-release cleanup and instead embed prevention into product development. He frames the problem as organizational and governance-driven: without explicit funding, measurable goals and senior-level authority, security remains an engineering afterthought rather than an enterprise-wide operating priority. Leaving security to reactive patching raises customer risk and long-term cost.
Gewirtz contrasts the familiar model of finding and patching flaws after release with a secure-at-the-source approach that prevents vulnerabilities before they ship. He points to CISA's Secure by Design recommendations as a template for that shift, including appointing a chief security-by-design officer and empowering that executive to influence product investment and customer security outcomes. The aim is to make prevention an accountable, funded element of product planning rather than an optional extra.
The article stresses that modern developer tools, such as scanners, dashboards and AI-augmented capabilities, help surface bugs and track vulnerabilities but cannot replace enterprise decision authority. Tools identify problems; they do not allocate engineering capacity across divisions, resolve ownership disputes, change incentive structures, or arbitrate competing business priorities. Those functions require senior leadership to set trade-offs and reallocate resources across the organization.
Gewirtz warns that technical debt and security debt are distinct, often hidden liabilities. Unlike balance-sheet debt, which investors and regulators can quantify, security debt is hard to measure yet generates tangible costs: opportunity losses, remediation expenses, reputational damage and declining customer satisfaction. He lists common drivers of security debt: feature scope, deadlines, staffing levels, outsourcing, platform choices and vendor selection. Each is a management decision that compounds risk if left unchecked.
Current operational metrics, the piece says, can reinforce the wrong behaviors. Counting vulnerabilities and tracking ticket-closure rates measure cleanup throughput but do not show whether underlying flaw classes, repeat defect patterns or risky defaults are actually declining. Such measures create perverse incentives that reward closing tickets over preventing systemic weaknesses, obscuring the organization's true exposure.
To change outcomes, Gewirtz calls for cultural and structural reforms: board-level accountability, incentives aligned across product, engineering and business units, and a repeatable operating model that funds prevention and ties it to measurable goals. When governance, funding and metrics treat secure-by-design as part of product delivery, enterprises can reduce security debt, lower customer risk and make prevention an operational norm rather than a developer-era afterthought.