Hero Culture and a $1 Million Mistake
Saying no doesn’t stop the work. It just moves the work somewhere you cannot see it. Hero culture rewards the engineer who shipped the feature in time for Black Friday, not the one who said the peer review was not finished.
Sina Yazdanmehr, Founder and Managing Director of Aplite GmbH, joins Lieuwe Jan Koning, Co-founder and CTO at ON2IT Cybersecurity, to work through two stories every security leader will recognize. A SaaS company that skips a security check two days before Black Friday and loses $1 million to a hard-coded test account. A machine learning team told no on production data access that finds a friend in operations and ends up with the database on contractor laptops nobody can account for. Two stories, one pattern.
What you’ll learn
- Hero culture isn’t a security policy. The person who books revenue gets the bonus; the person who avoids a loss gets nothing.
- The prevention paradox. Saying no does not stop risky work; it removes your visibility into it. Once the data is moving by friendship and SharePoint, you have lost the audit trail.
- Accountability belongs upstream. When the CEO is personally liable, as NIS2 already requires in Europe, the security conversation changes within one quarter.
- Partner or get bypassed. A technical security team that engages on the business problem ends up writing the secure path. A team that refuses gets routed around.
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
The $1 million story is the kind every CISO has heard a version of. A company runs most of its annual revenue through the back end of the year, Black Friday through Christmas. Two days before Black Friday, the product team decides to ship a new feature. The release is rushed. The security and compliance tests in the pipeline are bypassed because the deadline matters more than the process. The code goes live with a hard-coded test bank account number still in it. For roughly a week, transactions land in random accounts before the finance team notices the numbers do not add up. Root cause analysis surfaces the bypass. The damage was already done before anyone looked at the pipeline.
Sina’s first story highlights how hero culture trains everyone in the building to ship. The engineer who finds the shortcut to production gets the bonus. The engineer who raises their hand on a missing review gets called the bottleneck.
On paper, the development pipeline requires peer review, PR approval, security checks and the four-eyes principle. In practice, the first thing to get bypassed when the deadline tightens is security, because the company has labeled it technical debt rather than risk.
The second story is the inverse of the same problem. A machine learning team needs production data to train a model. Synthetic and masked data do not cover the corner cases. Purchased data does not match the production schema. They go to the security team and ask for an exception. The security team says no, full stop, no discussion.
The team goes to their friends in the operations team, who run the production environment and do not say no. They get an export of the database via SharePoint. Each developer pulls a copy onto their workstation. One external contractor without a company-issued laptop pulls a copy onto their personal device.
This continues for over a year before anyone realizes what happened. When the CISO confronts the team, the answer is uncomfortable: “Did you expect us just to not work because you said it’s not secure?”
Lieuwe brings the counter-example from ON2IT’s own playbook. The team wanted to discourage WhatsApp and Signal for company conversations, but not everyone has a company phone. Instead of a blanket no, the team built a constrained version of the answer: a self-hosted chat platform, allowed on personal devices, with controls on what data class can move through those channels, and a stricter posture inside the secure rooms. It is painful to operate.
It is still better than the alternative, where the same conversations end up on WhatsApp and outside the company’s legal perimeter entirely.
If your security function is leaning on no as its primary control surface, this is the episode to send to whoever resources it. The fix is not more refusals. It is a technical team that engages on the business problem and writes the safer path before the team that needs it finds a friend in operations.