Security debt portfolio management
classify, tranche, prioritise, and burn down vulnerability debt on one record

Findings that are open, owned, and past their second SLA cycle for the severity band. The remediation work has not started or has stalled. The owner is named and the asset binding is clean, but the calendar reads against the published SLA and the finding is now formally tracked as debt. The cost of carry is the recurring scanner re-detection, the recurring audit walkthrough explanation, and the leadership-report mention every cycle.

Findings under a documented exception with a named approver, a documented residual position, and a published expiry. The risk is acknowledged, not remediated. The cost of carry is the recurring review the named approver runs against the residual position, the audit walkthrough citing the exception, and the operational read that the exception is still in force on the live record rather than only in a quarterly slide.

Findings where a substitute control mitigates the residual risk without fixing the underlying issue (a WAF rule blocking exploitation rather than the application-side fix, a network segmentation rule rather than the application authentication fix, a workaround configuration rather than the patch). The cost of carry is the re-validation effort the substitute demands on the workspace cadence, the auditor walkthrough on every framework cycle, and the latent exposure if the substitute degrades.

Findings that are open with no current owner, an asset binding that cannot be resolved against the asset-to-owner mapping, or a context that has decayed (the original engagement closed, the original owner left, the original asset was reorganised). The cost of carry is the leadership-reporting noise these positions produce and the audit risk that orphaned debt absorbs unowned findings the active queue should have surfaced. Orphaned debt is the queue the workspace works down most aggressively because it represents the weakest accountability layer in the portfolio.

A single "open findings" total masks four operationally distinct positions: active debt under named owners, accepted risks under expiring exceptions, compensating-control positions with substitute risk, and orphaned items with no accountability. The leadership pack reads green because the total moved sideways while orphaned debt grew, exceptions silently expired, and substitute controls aged out of re-validation. The fix is the portfolio composition view that reads against the four debt classes on every cycle.

An exception is approved for six months. The expiry date is in the document but not on the live record. Two years later the audit reads the open finding and asks for the current acceptance; the team cannot produce it. The fix is the expiry queue on every accepted-risk record that surfaces approaching expiry on the workspace cadence and reverts the finding to active debt under the prior owner if the named approver does not re-affirm before the date passes.

The substitute control was effective when the exception was written. The platform team retired the WAF rule, the segmentation policy was rewritten, the workaround configuration was reverted in a refactor. The residual risk on the finding moved without anyone re-validating the dependence. The fix is the compensating-control re-validation cadence captured on the engagement so the substitute itself becomes a tracked workstream rather than an assumed control.

A finding loses its owner when the original engagement closes or the analyst rotates. The reassignment never happens. The finding stays open against an asset whose ownership has moved. Orphaned debt grows quietly because the queue reads consistent and the active-debt aging looks healthy. The fix is the orphaned-finding triage queue with an explicit named operator who surfaces each unowned position into the asset-to-owner mapping update or onto the active queue under a named successor.

A security operations lead and an engineering lead agree in a chat thread that the finding will be accepted because the underlying service is being decommissioned in two quarters. No transition lands on the workspace; the audit cycle later finds the finding still tagged as active debt against an SLA breach. The fix is the reclassification transition as an explicit event on the activity log with the actor, the rationale, the residual position, and the re-evaluation trigger captured at the moment of decision.

A tranche has a published burn-down plan with a release window and a budget line. Engineering misses the window because a higher-priority workstream landed. The plan reads as in-progress on the steering deck because no one has updated the record. The fix is the plan-slip event as a first-class transition on the workspace record so the steering committee reads a slip count alongside the closure count and adjusts the budget or the timeline against the visible data.

The recurring effort the position imposes on the security operating week: recurring scanner re-detection that needs to be marked, recurring questionnaire mentions, recurring audit walkthrough explanations, recurring leadership-report inclusion. The component is captured as a documented narrative on the tranche, not a calculated dollar value, because the cost is real but not always quantifiable.

The substitute control the tranche depends on, the re-validation effort it demands, the auditor walkthrough it triggers on every framework cycle, and the residual exposure if the substitute degrades. The component answers the audit question of why the underlying issue remains open and what the substitute is doing in the meantime.

The named risk the tranche carries if the compensating control degrades or the exception expires unnoticed: the asset criticality, the data classification involved, the regulatory exposure, the customer-trust impact. The component reads against the asset criticality scoring policy and against the framework mappings the workspace publishes; it does not invent dollar values the underlying record cannot support.

Every aged finding carries the current debt class (active, accepted-risk, compensating-control, orphaned) and the chronology of reclassifications on the activity log. The chronology supports the audit question of how the finding moved between classes and which actor approved each transition.

A finding can sit in multiple tranches at once (service, framework, asset-tier, vendor, CWE) for reporting reads, but the named tranche owner under workspace RBAC is the single accountable role on the workstream the burn-down plan attaches to. The owner field is the same workspace user record that drives the assignment notification path.

A documented operational, compensating-control, and exposure-cost narrative captured against the tranche on the engagement record. The narrative is reviewed on the steering cadence and revised when the underlying conditions change (a substitute control retires, a regulatory scope expands, an asset criticality shifts).

The published plan per tranche: target close date, budget line, accountable engineering team, release window, residual position once the plan completes. The plan is a property of the engagement so subsequent slip, revision, and closure events read as ordered transitions on the activity log rather than as informal updates.

For accepted-risk and compensating-control positions, the named expiry and the re-evaluation triggers that fire between scheduled reviews (a CVE elevation against the underlying issue, a CISA KEV listing, an asset criticality reclassification, a regulatory scope change, a substitute-control retirement). The triggers are recorded on the engagement so the audit reads them as policy-driven.

Every reclassification, write-down, plan revision, or expiry extension cites the steering meeting (or named approver where the policy delegates) that produced the decision. The cite gives the audit a documented governance chain rather than a chronology that reads as one-off operational calls.