"Virtually all of the Los Alamos engineers tasked with keeping workers safe from criticality incidents decided to quit, having become frustrated by the sloppy work demonstrated by the 2011 event and what they considered the lab management’s callousness about nuclear risks and its desire to put its own profits above safety."
This is key. It's hard to find criticality safety engineers, and their absence (as well as management not giving a damn) was probably a key factor in the 2016 incident.
Having the wrong management is almost worse than having unqualified engineers.
I worked in a startup where they had put the Systems Operations (as in, Linux datacenter guys) under the Chief Marketing Officer for about a year for (reasons).
Three years later, we are STILL cleaning up after that mess. Wrong management creates problems that aren't so much a result of ineffective management... wrong management seems to always move resources away from things that most engineers would call "normal and customary processes" (like patching software or updating libraries that software is dependent upon) and that's how you end up with Equifax. Or a smoking hole in the desert somewhere in New Mexico.
Indeed! There's mounting evidence that Equifax simply didn't "get" application development in addition to operations and patching. I doubt the developers of their vulnerable mobile app were responsible for patching. As such, we've seen security issues which span the company where it's likely the mobile app developers not only didn't report to the same management chain as those in operations, but likely reported to entirely different organizations. This of course points to management issues all the way to the top of the company.
That's a great point that is often missed here. You can get a lot done with barely qualified individual contributors if there is enough process in place and the people calling the shots understand what they are doing. It's not fun, but possible.
Unqualified people making bad decisions are always fatal.
You can make that exact same argument about security in software development and operations. If management doesn't think it is important it will go downhill pretty quick.
How much profit have Lockheed and other defense contractors made over the past hundred years? I'd expect that it's a significant percentage of defense spending in that time.