
Path Dependency: How Yesterday’s Choices Shape Tomorrow’s Risks

Author: Quentin Marques, Future Architect in Cybersecurity

Introduction

Path dependency explains why organizations often struggle to move away from outdated solutions or rigid processes, even when better alternatives exist. Every choice we make builds a path for the future. Some decisions have minor impacts, while others can have significant consequences for a person, a company, or even a country. Some choices may become effectively irreversible, even if initially considered “temporary.” Understanding this concept is essential for IT leaders and security professionals, because the choices we make today will shape the risks, costs, and opportunities of tomorrow.


What is Path Dependency?

“Path dependence is a concept in the social sciences, referring to processes where past events or decisions constrain later events or decisions.” — Wikipedia

Once a certain path is chosen, it becomes increasingly costly or complex to change direction, even if superior options appear. Classic examples include the QWERTY keyboard layout or the dominance of certain operating systems. Once a standard is widely adopted, the surrounding ecosystem reinforces its position, making alternatives harder to implement. In short: history matters.


Path Dependency in Technology

In IT, path dependency appears in multiple contexts:

  • Legacy systems: Many organizations still run critical operations on outdated platforms because replacing them would require huge investments, downtime, and retraining.
  • Vendor lock-in: Once a company commits to a provider like Microsoft, AWS, or Oracle, switching becomes extremely costly, not just financially, but also in terms of skills, integrations, and processes.
    • A recent example is the city of Lyon: in June 2025, Lyon canceled its Microsoft Office 365 subscription to “not rely on an American company and acquire numerical sovereignty”. This decision requires employees to learn new tools and may take time to adapt to, but it also reduces dependency, cuts costs, and encourages skill development (Next INK, June 2025).
  • Protocols and standards: Once a technology is adopted (TCP/IP, Wi-Fi standards, encryption algorithms), the entire ecosystem builds around it, making alternatives harder to consider.

These paths often make sense at the time but can later limit innovation or flexibility.


Path Dependency in Cybersecurity

Cybersecurity is also shaped by path dependency, sometimes in ways that undermine resilience:

  • Governance frameworks: Choosing ISO 27001, NIST, or CIS often sets the tone for all future policies and audits. Changing frameworks later is rare and costly.
  • Risk management tools: The structure of your first risk register or GRC tool often dictates how risks are evaluated for years, even if the methodology is not optimal.
  • Compliance-driven security: Some companies strictly follow regulations but fail to adapt to evolving threats, because they’re locked into “passing the audit” rather than true risk reduction.

In each case, past choices can silently define an organization’s future security posture.


Why It Matters

Path dependency is not inherently bad. It can create stability, consistency, and economies of scale. But if organizations don’t recognize it, they risk:

  • Security debt: Outdated security processes accumulate risk over time, just like technical debt.
  • Inflexibility: Locked into vendors, frameworks, or legacy systems, companies may struggle to respond quickly to emerging threats.
  • Hidden costs: What seems efficient today can become an expensive constraint tomorrow.

Being aware of path dependency allows leaders to consciously manage it: reviewing inherited decisions, questioning whether frameworks still serve the organization, and building adaptability into processes and architectures.


Conclusion

Path dependency is not entirely negative: it can create stability and shared standards within an organization. Left unchecked, however, it can lead to security debt, vendor lock-in, and a lack of agility in responding to new threats. We can view it as a habit: some habits are beneficial, others are cumbersome, and some are difficult to undo. For architects, CISOs, and IT strategists, the key is awareness: actively questioning inherited choices, reassessing frameworks, and building flexibility into governance and infrastructure. By recognizing how yesterday’s paths influence today’s strategies, organizations can make smarter, more resilient decisions for the future.


References / Further Reading