← Back to principles

Team

Security Never Waits

What this means in practice

Security maintenance is planned into regular work (not treated as ad-hoc). This includes keeping dependencies, infrastructure, and platforms up to date with security patches, and scheduling time for routine upgrades and vulnerability remediation.

When a critical vulnerability is identified, we take end-to-end ownership: we stop the track to coordinate the fix, and we also own the communication

  • Timely internal updates

  • Clear customer/stakeholder messaging (where applicable)

  • Documented status/next steps until the issue is resolved.

  • Coordination with other teams

Why this matters

Unpatched or poorly managed vulnerabilities create unacceptable risk. Treating security maintenance as planned work reduces the chance of incidents and makes delivery more predictable.

When we stop the track for critical vulnerabilities, we reduce time-to-mitigate and limit blast radius. Owning the communication as well as the fix ensures stakeholders get clear, timely updates, helps teams coordinate effectively, and supports customer trust and compliance expectations.

Practices that meet this principle

  • Vulnerability findings are triaged quickly with clear owners and SLAs.

  • Work is re-prioritised immediately for critical security issues (including critical vulnerabilities). We can stop the track and pause feature delivery when needed.

  • Security scanning of images - we can’t deploy infected images

  • Security scanning included in Pull requests - we can’t merge which adds risks

  • Agents independently suggest fixes that are not ignored

  • Documented process, everyone knows!. Over-communicate. How do we find out?

Validation

A project meets this principle when:

  • There is a visible, recurring plan for patching and security maintenance (capacity, cadence, ownership).

  • Critical/high vulnerabilities are addressed within agreed timeframes, with evidence (tickets/PRs/releases).

  • The team has an agreed “stop the track” trigger and escalation path for urgent security work, including critical vulnerabilities.