Anticipating the Security Wake-Up Call: Lessons from History

I came across the concept of the Technology Ratchet. A ratchet is a physical device that can only go forward. The lever (the pawl) prevents it from winding counterclockwise; therefore, movement is always clockwise. The Technology Ratchet analogy incorporates both the historical perspective (“we have seen this before”) and the impossibility of stopping the clockwise motion.

In the early 2000s, the industry was warned that the internet’s design wasn’t conducive to software security. The rush to connect everything would create vulnerabilities at scale. Most of the industry shrugged and kept shipping. Until it happened! The salient example to me, as I was working with Microsoft technologies at the time, was when Bill Gates issued the Trustworthy Computing memo. What was the cost of that decision? Thousands of software engineers halted feature development to fix security defects. It was unprecedented, expensive and necessary.

Fast forward twenty years: Log4j exposes millions of systems. SolarWinds becomes a nation-state attack vector. CrowdStrike’s update crashes critical infrastructure worldwide. We’re accelerating again. AI code assistants generate code faster than humans can review it. DevOps practices promise continuous deployment. “Move fast and break things” is still the mantra, except now breaking things means GDPR fines, SOC2 failures, and regulatory scrutiny that can shut you down.

We’re about to have another security wake-up call. And once again, we’re 20 years late.

Clockwise spin of the Ratchet

The pressure to ship fast hasn’t changed. What’s changed is the cost of getting it wrong.

GDPR turns data breaches into eight-figure fines. SOC2 compliance is table stakes for B2B SaaS. EU regulations are tightening around AI and software liability. Healthcare and fintech face regulatory oversight that makes “fix it in production” a career-ending strategy.

Meanwhile, DevOps practices—continuous integration, rapid deployment, infrastructure as code—are optimized for speed. Push to production multiple times per day. Automate everything. Fail fast, learn faster.

These practices are powerful. They’re also defect amplifiers when security and quality aren’t built in from the start. Deploy ten times a day with poor testing, and you’ve just distributed vulnerabilities at scale. Use AI to generate code without review processes, and you’ve automated the creation of exploitable patterns.

The collision is inevitable. You can’t ship fast and fix later when “later” means regulatory penalties, customer trust erosion, and legal liability. The question isn’t whether you’ll prioritize security and quality. It’s whether you’ll do it proactively or after the incident that makes headlines.

… Accelerated by Gen AI tools…

Here’s what concerns me: we’re about to amplify all of this.

AI code generation is extraordinary. It can scaffold applications, suggest implementations, and accelerate development by orders of magnitude. It’s also generating code faster than most teams can thoughtfully review. Reviewing is cognitively expensive for humans! 

Poor DevOps practices—weak testing, inadequate security scanning, “ship now, fix later” culture—already amplify defects. Add AI that generates code at machine speed, and you’ve created a defect multiplication engine. The velocity feels incredible until you discover the vulnerability that’s been replicated across your entire codebase because nobody caught it in the AI-generated template.

We’re building systems at a pace that outstrips our ability to secure them. The tools are more powerful. The velocity is higher. The attack surface is larger. And the regulatory environment is less forgiving.

…a reckoning we have seen before…

We know what happens next. There will be incidents. High-profile breaches. Regulatory actions. Companies that moved fast and broke things will discover that “things” include customer trust, compliance status, and sometimes the business itself.

Some organisations will respond with panic: freeze deployments, audit everything, slow down dramatically. This isn’t sustainable. You can’t compete by being slow and paranoid.

Others will be out of business before they are able to respond!

Dealing with the lever in the Ratchet

Preventing the reckoning requires investment before the crisis, so that the investment becomes invisible. Break down your system to incorporate a whole-systems view of your business and development processes. Training programs. Tooling. Process evolution. Cultural commitment to quality over short-term velocity metrics. It’s not dramatic. It won’t make headlines. And it won’t lead you to the crisis!

The practices work. The question is whether you’ll adopt them before or after the crisis that makes them non-negotiable.


While the principles discussed here are straightforward, their effective implementation often requires a nuanced understanding of your team’s unique context and regulatory environment. That’s where evidence-based coaching makes the difference, helping you build security and quality into velocity without sacrificing competitive speed. Let’s explore how tailored coaching can help you move fast AND secure, preparing your organisation for increasing regulatory scrutiny before the wake-up call arrives. Reach out today, and let’s build sustainable, secure velocity into your development practices.
