> people don't get promoted for preventing issues.

they do - but only after a company has been burned hard. They also can be promoted for their area being enough better that everyone notices.

still the best way to a promotion is write a major bug that you can come in at the last moment and be the hero for fixing.

▲

tartoran 11 hours ago | parent | next [-]

That could work but plenty of quiet heros weren’t promoted for fixing critical bugs.

▲

recursive 10 hours ago | parent [-]

They fixed it too soon. You have to wait until the effect is visible on someone's dashboard somewhere.

	▲	marcta 10 hours ago \| parent \| next [-]
		Goodhart's Law strikes again... "When a measure becomes a target, it ceases to be a good measure."
	▲	bluGill 10 hours ago \| parent \| prev [-]
		You have to make sure it doesn't arrive at you before it is on the dashboard. Otherwise you are why it is blowing up the time to fix a bug metric. Unless you can make the problem so obscure other smart people asked to help you can't figure it out thus making you look bad.

▲

joquarky 5 hours ago | parent | prev | next [-]

That is in no way guaranteed. Sometimes finding too many security issues makes you unpopular.

Two years afterward, we got hit with ransomware. And obviously "I told you so" isn't a productive discussion topic at that point.

▲

johnnyanmac 9 hours ago | parent | prev [-]

That's not preventing the issue, though. The closest you can get to this is to have another competitor be burned hard and demonstrate how your code base has the exact same issue. But even that isn't guaranteed. "that can't happen here" is a hard mindset to disrupt unless you yourself are already a C suite.