Nobody ever gets credit for fixing security problems that never happened
Over 20 years ago, Nelson Repenning and John Sterman published an article in the IEEE Engineering Management Review titled “Nobody ever gets credit for fixing problems that never happened: creating and sustaining process improvement”. When you read this article, you’ll realize that security is not unique in facing the problems it does, but also that our industry amplifies a lot of the challenges common in other fields and makes them much harder to tackle.
In this piece, I am doing a deep dive into the aspects of that great article that are most relevant to security. First and foremost, there’s the fact that nobody ever gets credit for fixing security problems that never happened. This has serious consequences for security teams and startup founders alike, as it effectively defines what initiatives (or products) are likely to be doomed from the start. It also answers many other questions, like why we blame people and not processes, why people are conditioned to work harder instead of working smarter, and why we love shortcuts even if the long-term impact of taking them can be pretty bad.
Working harder vs. working smarter
Nelson and John, authors of the IEEE article, explain in very simple terms why security teams, similar to other functions, get stuck in the endless cycle of firefighting.
The idea here is simple. Security teams spend all their time dealing with incidents, tickets, and alerts - all the stuff that causes the well-known fatigue. Everything is on fire, the amount of work is overwhelming, and it’s impossible to ever reach a point where the team has time to pursue more strategic initiatives. Because the teams are bogged down doing all this manual, repetitive, low-value work, they never get the time to prioritize investing in foundational hygiene, architecture changes, or resilience. This creates a vicious cycle: the more they firefight, the more fragile the system becomes, and the more fragile the system, ...
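The vicious cycle above is a feedback loop, and the easiest way to see why it is so hard to escape is to simulate it. The following is an added, constructed toy model, not code from the article and not Repenning and Sterman’s own model: a team with fixed weekly capacity faces incidents whose arrival rate (“fragility”) creeps up when nothing is invested in hygiene and falls when improvement work is done. The parameter names, the linear erosion/gain rates and the two staffing policies are all assumptions chosen for illustration. Policy 0.0 is “firefight first”: improvement only gets whatever is left after every alert is handled. Policy 0.3 ring-fences 30% of capacity for improvement no matter how bad the backlog looks.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Run:
    """Per-week trajectory of one staffing policy (constructed toy model)."""
    backlog: List[float] = field(default_factory=list)      # unresolved incidents at end of week
    fragility: List[float] = field(default_factory=list)    # new incidents arriving per week
    improvement: List[float] = field(default_factory=list)  # effort spent on hygiene/architecture


def simulate(reserved_share: float, weeks: int = 52, capacity: float = 10.0,
             fragility0: float = 8.0, erosion: float = 0.5, gain: float = 0.2,
             fragility_floor: float = 2.0) -> Run:
    """Simulate a security team with a fixed weekly `capacity` (person-weeks).

    reserved_share   fraction of capacity protected for improvement every week;
                     0.0 reproduces the firefighting trap described in the text.
    erosion          assumed weekly creep in the incident arrival rate when
                     hygiene is neglected (constant, hypothetical).
    gain             assumed reduction in arrival rate per unit of improvement
                     effort (linear, hypothetical).
    fragility_floor  best achievable arrival rate; incidents never reach zero.
    """
    run = Run()
    backlog, fragility = 0.0, fragility0
    for _ in range(weeks):
        load = backlog + fragility                  # everything demanding attention this week
        reserved = reserved_share * capacity        # protected improvement time
        handled = min(load, capacity - reserved)    # firefighting is capped by what is left
        slack = max(0.0, capacity - reserved - handled)
        improvement = reserved + slack              # unused firefighting time also goes to improvement
        backlog = load - handled                    # whatever could not be handled carries over
        # Fragility erodes on its own and is pulled down by improvement work.
        fragility = max(fragility_floor, fragility + erosion - gain * improvement)
        run.backlog.append(backlog)
        run.fragility.append(fragility)
        run.improvement.append(improvement)
    return run


def compare(weeks: int = 52) -> dict:
    """Summarise both policies so the worse-before-better pattern is visible."""
    firefight = simulate(0.0, weeks)
    reserved = simulate(0.3, weeks)
    return {
        "firefight_final_backlog": round(firefight.backlog[-1], 1),
        "firefight_final_fragility": round(firefight.fragility[-1], 2),
        "firefight_weeks_with_zero_improvement": sum(1 for i in firefight.improvement if i == 0.0),
        "reserved_peak_backlog": round(max(reserved.backlog), 2),
        "reserved_final_backlog": round(reserved.backlog[-1], 2),
        "reserved_final_fragility": round(reserved.fragility[-1], 2),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:40s} {value}")
```

With these (assumed) numbers the firefight-first team clears its queue for the first few months, but every week a little less time is left for improvement, fragility drifts past capacity, improvement time drops to exactly zero and the backlog then grows without bound. The team that protects 30% of its time looks worse for the first ten weeks or so (a visible backlog while the other team has none), which is precisely the window in which management tends to cancel the initiative; after that its arrival rate falls, the backlog drains to zero and stays there. Nothing about the outcome depends on the exact constants, only on the loop structure: firefighting that crowds out the work that reduces future firefighting.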