The most dangerous person in your organization isn’t a hacker. It’s the engineer everyone calls at 2am to “just fix it.”
Every IT organization has one. The person who knows where all the bodies are buried. The one who can SSH into any server, reset any service, and have production back online before anyone writes a ticket. They’re celebrated at all-hands meetings, praised in Slack, and quietly feared by management.
They are also your single greatest security liability.
Here’s why — and more importantly, what to do about it.
What “Hero Culture” Actually Looks Like
Hero culture in IT isn’t malicious. It starts with good intentions — someone who genuinely cares, works long hours, and takes pride in keeping systems running. But over time it creates a deeply dangerous pattern:
- Problems get solved verbally, not documentarily
- Fixes happen in production, not in a change management system
- Knowledge lives in one person’s head, not in a runbook
- Speed is rewarded over process
The result? An organization that runs on tribal knowledge, undocumented changes, and the assumption that the hero will always be available.
That assumption is where breaches are born.
The Anatomy of a “Hero-Enabled” Breach
Let me walk you through a scenario I’ve seen play out more than once.
A production server starts behaving oddly. The hero jumps in, identifies a config issue, makes a quick change — no ticket, no change record, no peer review. System stabilizes. Everyone moves on.
Six months later, an auditor or a security tool flags anomalous behavior. The investigation begins. Nobody can explain why that config changed. The change log shows nothing. The hero has since left the company. Nobody knows what was done, when, or why.
What started as a minor config tweak is now a forensic nightmare — and potentially a compliance violation.
This is not hypothetical. According to Verizon’s Data Breach Investigations Report, 74% of breaches involve a human element — and a significant portion trace back to undocumented, ad-hoc changes made under time pressure.
Why Change Control Is the Real Security Tool
Most organizations invest heavily in firewalls, EDR platforms, SIEM systems, and zero-trust architectures. These are necessary. But they all share a critical blind spot: they cannot protect you from an authorized user making an unauthorized change.
The pharmaceutical industry figured this out decades ago under FDA’s Current Good Manufacturing Practice (CGMP) regulations. In a CGMP environment, no change happens without a change record. Every modification to a validated system — no matter how minor — requires:
- A written request
- A risk assessment
- Peer review and approval
- A test plan
- Post-implementation verification
- A signed-off record
This isn’t bureaucracy for its own sake. It’s the only way to maintain a defensible audit trail — proof that your system is in the exact state you believe it to be in.
Enterprise IT needs the same discipline.
The “Just This Once” Trap
The most common objection I hear is: “Our environment moves too fast for that level of process.”
I understand the sentiment. But consider what you’re actually saying: “We move too fast to know what we’ve done to our own infrastructure.”
That’s not agility. That’s chaos with a good uptime score.
The “just this once” emergency fix is the most common entry point for:
- Misconfigured storage buckets left open after a rushed deployment
- Deprecated TLS protocols nobody noticed because the change was never tracked
- Orphaned admin accounts created during an incident and never removed
- Open firewall rules punched in at midnight that never got closed
Each of these starts as a hero solving a problem. Each of them ends as a vulnerability — or a breach.
Building a Culture of Documented Accountability
The solution isn’t to eliminate urgency or slow down legitimate incident response. It’s to build a culture where documentation is treated as part of the fix, not a bureaucratic afterthought.
Here’s what that looks like in practice:
1. No ticket, no touch Enforce a policy that every production change — even emergency changes — gets a ticket opened within 24 hours. Emergency changes can happen fast; the documentation follows immediately after.
2. Peer review as a default Even a 5-minute Slack review from a colleague before pushing a change creates accountability and catches errors. It also means two people now know what changed.
3. Infrastructure as Code When your infrastructure is defined in code — Terraform, Ansible, Pulumi — changes are tracked in version control automatically. The “hero fix” becomes a pull request with a history, a diff, and a reviewer.
4. Celebrate the process, not the rescue Culturally, stop celebrating the engineer who saved production at 2am. Start celebrating the engineer who built the runbook that prevented the outage in the first place.
5. Treat every change as a permanent record Borrow the CGMP mindset: if it isn’t documented, it didn’t happen. Any unrecorded change is treated as a potential breach by default.
The Hardest Part Isn’t Technical
Implementing change control tooling is straightforward. The hard part is the culture shift.
Heroes don’t want to slow down. Managers don’t want to push back on the person keeping the lights on. Teams under pressure take shortcuts because shortcuts work — right up until they don’t.
The turning point usually comes after an incident. A breach, an audit finding, a compliance failure. By then, the cost of not having a process is already visible.
The organizations that get ahead of this don’t wait for the incident. They treat their infrastructure like a manufacturing process — planned, tested, recorded, and verifiable — before something goes wrong.
Because a system is only truly secure if you can prove, at any moment, exactly what state it’s in and exactly how it got there.
The Bottom Line
Your hero isn’t the problem. The culture that rewards heroism over process is.
The next time someone bypasses change control to save the day, ask yourself: “Can I prove, right now, that this change was safe, authorized, and reversible?”
If the answer is no — that’s not a hero. That’s a liability wearing a cape.
Have you seen hero culture create security problems in your organization? Drop a comment — I’d love to hear how your team navigated the shift to documented accountability.
#CyberSecurity #EnterpriseIT #ChangeManagement #DevSecOps #InfrastructureAsCode #CGMP #ITLeadership #ZeroTrust #RiskManagement #Compliance