February 23, 2026
Prior posts here discussed different vectors of engineering and business threats. When insufficient engineering rigor is the common thread in the discussion, these conversations too often devolve into internal business conflict.
When the topic arises, coming from somebody reviewing an aspect of operations, even constructively intended feedback is difficult to hear. Phrases like “insufficient”, “lack of hygiene”, and “low quality” feel arbitrarily subjective and are seen, at best, as negatives in a zero-sum game.
And business can be very zero-sum – especially for founders staring down the trend lines of funding and expense/revenue, or established leaders dealing with lean times.
An early-phase startup is continually balancing and making even radical tradeoffs under severe constraints. Companies love to say they make data-driven decisions, but early companies are pre-data. The same is true for mature companies experiencing rapid transformation and uncertainty.
Decisions are more reflective of leaders’ taste and judgement instead of rooted in data.
Engineering quality is definitely objective when measured against specific standards. Not investing in definition and collection of metrics is a manifestation of leadership taste and judgement.
This is not inherently negative.
Even when data is not present, that may be a positive attribute of normal, constructive business decision making and growth. The lack of data and assumed lower quality may be an outcome of good leadership.
Either way, threats are less important than risk calculations relative to them.
If one looks under the covers and observes business operational artifacts, what message is the company sending about itself, the founders, the leadership? Is it a list of vices? Slop, slob, sloth? Is it a list of virtues? Guardrails, roadmaps, decision trees? Can a reviewer discern unbounded risk from intentionally bounded risk?
What is subtly shared about judgement and taste to the prospective investor, customer, or employees considering whether to tie their future to yours? Is it a calculated and clean or accidental and haphazard message?
There is a long list of formalized engineering standards and regulations ready for measurement. Most are likely not required of most businesses.
Today.
But what about tomorrow?
Does an observer of your business see growth plans which are overly optimistic or outright naive relative to expectations of cyber insurance underwriters, US NIST and NTIA software supply chain security standards, US cybersecurity Executive Orders, or the European Union’s Cyber Resilience Act?
Naturally in the early days a company will need to make compromises and take risks. Nobody is perfect, and perfection is very much not the early goal. The key is that the compromises are informed, even when lacking hard data. Tradeoffs are documented and articulate expected future impacts and the shape of remediation. Exception processes include time bounds.
A good compromise notes future questions as much as it declares present answers.
What are the milestones which will indicate it is time for maturation? What might be the cost of added rigor? Alternatively, what might be the cost of foregone revenue opportunities?
Rather than “move fast and break things”, consider a similar phrase from antiquity:
Sometimes we must slow down to speed up.
Are you moving slowly enough ahead of rapidly approaching requirements such as those in the Cyber Resilience Act? Reach out for a conversation…