A defensive posture was chosen for us. The building is still on fire. This is a refuge for the people who actually put it out — and a memo to the CIOs who keep forgetting they exist.
The CISO has a board slot. The head of operations has a Jira backlog. Compliance is a department; reliability is a side-effect. Defense-in-depth is a strategy; uptime is a wish written on a napkin and pinned to someone's monitor.
Somewhere in the last decade every operational risk got reframed as a security risk, because that's where the budget moves. A 4-hour outage is a ticket; a 4-hour exposure is a press release. So we hire for the press release. The ticket is somebody's evening.
A service is degraded right now in your stack and nobody's been paged, because the alert fired into a Slack channel that's been muted since the last reorg. The on-call rotation is two engineers deep and one of them is on PTO. The runbook was written by someone who no longer works here. The post-mortem template has a field for "blameless" and no field for "underfunded."
This isn't a security problem. No threat actor caused it. Entropy did. And entropy doesn't show up on the threat model — which is why the threat model is the wrong document to be staring at when the lights go out.
The next outage will not arrive through a vector you war-gamed. It will arrive through a cron job nobody remembered to migrate.
It is not the CISO. It is not the security analyst. It is not the consultant your auditor recommended. It is the person who restores service first and asks why later — the one the rest of the org gets out of the way of when the alarm goes.
They are an old shape. The industry kept renaming them. SysAdmin. SRE. Ops. Platform. The titles drift; the work doesn't. Someone has to be ready to run toward the smoke. Someone has to know where the shutoff valves are. Someone has to have hours — not heroics — on the schedule.
That person is a fireman. Not a metaphor. A job. With shifts, equipment, training, a station to come back to, and a chief who will go to the budget meeting on their behalf.
It is, on close inspection, almost funny.
You have on-call rotations. You have pagers — they vibrate inside Slack now, but they are pagers. You have a chief, sort of, who is also the staff engineer doing roadmap reviews on Wednesday. You have engines: the runbooks somebody wrote one weekend. You have a hall: the war-room channel that springs into existence around an incident and is gone by Friday. You even have pancake breakfasts. You call them "blameless retros" and you hold them after the smoke clears.
You have a volunteer fire department. You did not budget for one. You did not name it. You did not deputize anyone. But it is there, because somebody has to run toward the smoke, and a few people — usually the same few people — keep doing it for free, on top of their actual jobs, because the alternative is watching the town burn.
Volunteer departments are honourable. Whole communities depend on them. They are also a sign that the town hasn't grown up yet — that nobody has done the math on what a professional response costs, or what its absence costs more.
Your incident response plan is the same five people, again. That is not a plan. That is a volunteer department.
Your security spend has a champion. Your operations spend has a survivor. Stop using the former as a proxy for the latter. The blast radius of your next outage is bigger than the blast radius of your next breach, and you already know it, because you've already lived through both and only one of them got a press release.
Hire firemen. Pay them like they cost something to keep, because they do. Give them a station — a real platform team, not a rotating tax on whoever drew the short straw this quarter. Give them a chief — somebody senior enough to say no to the next initiative that ships without an on-call owner. Then get out of their way.
Both jobs matter. Only one of them shows up on the news. The other one is the difference between a tough quarter and a customer-facing apology.
This site is not a vendor. It is not a course. It is not selling a certification. It is a place for essays, field notes, and short dispatches from the people who keep things running — and the occasional memo aimed up the org chart at the people who decide what gets funded.
New dispatches arrive irregularly, on the rhythm of the work. The first one is below.
An ITIL Incident Manager works a lot like a fireman. The parallels run deep — and the boundary that matters is where the job ends.
In drafting · The Volunteer Department
Pending · radio quiet