Dispatch From the Other Side: Aligned Incentives
How-To, Security

via Dev.to, by Anthony Barbieri

This is post three of the Dispatch From the Other Side series. Links to previous posts: From Scripts to Software; Designing For Leverage.

From the first time I heard it, Charlie Munger's quote on incentives has stuck with me: "Show me the incentive and I'll show you the outcome." It explained something I kept running into. Development teams weren't ignoring security findings because they didn't care. They were responding rationally to how they were measured.

This is what makes the leveraged approaches we explored in the last post so valuable. Rather than asking teams to change how they work, you reduce the cost of being compliant. When the common case is easy, most teams will choose it.

Let's compare this to another approach. A vulnerability management team I worked with reached out to a development team about a low-risk finding without an available fix. They blocked it from going to production. The security team was measured on eliminating known vulnerabilities. The development team was

Continue reading on Dev.to
