Why ‘Move Fast and Break Things’ Is Wrong: Lessons from AWS, eBay, and Google on Speed with Safety

“Move fast and break things” became Silicon Valley’s most famous mantra. It represented the boldness, the disruption, the willingness to sacrifice everything at the altar of speed. But here’s the uncomfortable truth that tech giants learned the hard way: breaking things doesn’t make you faster. It makes you slower, more expensive, and far less safe.

Adrian Cockcroft, Tapabrata “Topo” Pal, Randy Shoup, and their colleagues have spent decades at the helm of some of the world’s most demanding technology organizations—AWS, eBay, Google, and beyond. Their paper “Faster, Cheaper, and Safer” in the Fall 2025 Enterprise Technology Leadership Journal reveals a counterintuitive insight: The organizations that move fastest are the ones that invested heavily in safety first.

The question isn’t whether to prioritize speed or safety. The question is understanding how they enable each other—and recognizing when optimizing for one dimension actually undermines both.

The Three-Dimensional Trade-off

Every engineering organization constantly juggles three competing goals: faster, cheaper, and safer. Like database theory’s CAP theorem—which tells us distributed systems can provide at most two of three guarantees (consistency, availability, partition tolerance)—organizations typically optimize for at most two of these three dimensions.

Faster means reducing time to value, turning ideas into impactful systems with speed and precision. It’s measured through flow velocity (how much value moves through the pipeline) and flow time (how long it takes).

Cheaper means getting the most from whatever budget exists. This includes headcount, infrastructure, vendor licensing, and increasingly, LLM API calls. But short-term cost focus can be perilous—reducing cost can halt value realization and drive up long-term expenses.

Safer means mitigating business risk, protecting customer data, and reliably operating over time. Systems need to handle load spikes and failures, manage security vulnerabilities, ensure end-user safety, and comply with regulations. These capabilities come at a cost, effectively adding an “insurance premium” to operating expenses.

The priority order depends entirely on business context. Rapidly growing startups often prioritize faster, then safer, with cheaper coming last by default. At scale, conversations change—organizations face increased exposure to failure and security risks, requiring them to prioritize safety even at the cost of spending more or taking longer. Sustaining mature products? Optimize for cheaper and safer, deprioritizing faster.

When Speed Without Safety Backfires: The Capital One Breach

The 2019 Capital One data breach exposed the personal information of over 100 million people. While the breach was executed by a former AWS employee who exploited a misconfigured web application firewall, the underlying conditions reflect a broader prioritization of speed and innovation over robust security practices.

Capital One was an early adopter among large financial institutions in migrating to public cloud. The move aimed to leverage AWS’s scalability, flexibility, and cost efficiencies—part of a strategic shift to modernize operations, reduce datacenter footprint, and accelerate new application deployment. By 2019, the bank had closed several on-premises datacenters and relied heavily on AWS for critical customer data.

This rapid transition introduced significant risks that weren’t adequately mitigated. Security measures struggled to keep pace with adoption speed. Traditional on-premises security practices weren’t seamlessly transferable to the cloud’s shared responsibility model.

Several factors suggest security took a backseat to speed. The over-provisioned permissions assigned to the WAF role indicate lack of adherence to least privilege—a foundational security practice. The delay in detecting the breach (it occurred in March but wasn’t discovered until July after an external tip) points to insufficient monitoring and visibility. Former employees highlighted high turnover in Capital One’s cybersecurity team and concerns about inadequate resources.

The competitive drive to be a cloud-first leader likely influenced this imbalance. Capital One’s leadership emphasized agility and cost savings through agile development and microservices, prioritizing rapid deployment over exhaustive security reviews. The assumption that AWS’s baseline security would suffice, combined with rushed implementation, created a perfect storm.

The lesson? Capital One’s focus on accelerating cloud adoption—touted as competitive advantage—outpaced development of a mature cybersecurity strategy tailored to the cloud. Speed without adequate safety mechanisms doesn’t just create vulnerabilities—it creates disasters that cost far more than the safety investment would have.

When Safety Investment Enables Speed: Automotive OTA

The automotive industry provides a fascinating counterexample. Manufacturers who invested in over-the-air (OTA) upgrade capabilities took significant up-front costs that more cost-conscious manufacturers avoided. OTA required substantial investment in software platforms ensuring safe and reliable vehicle upgrades.

Those who decided OTA was strategic but didn’t sufficiently invest saw “bricked” cars needing dealer towing when upgrades failed and vehicles wouldn’t turn on. But manufacturers who properly invested in OTA realized that significant up-front cost resulted in reduced long-term costs.

OTA dramatically increases the speed of deploying bug fixes—cars don’t need dealer visits for labor-intensive upgrades. Once software defects became the number one cause of car recalls, manufacturers with OTA capabilities gained major cost structure advantage.

BMW Group and others took this further with simulation. Physical prototyping has major speed constraints, so they created complex simulations of entire cars using supercomputers, connecting those simulations directly to delivery pipelines. If new control software causes unwanted vibration, simulation identifies the defect through virtual test drives. The defect automatically gets added to the supplier’s backlog. Once fixed, simulation re-runs using the same CI/CD infrastructure.

This comes with up-front cost for software pipelines, platforms, and high-performance simulation. But resulting cost reductions from going faster are tremendous. A single physical crash test costs half a million dollars—virtual testing provides substantial savings while enabling faster iteration.

The pattern is clear: Strategic safety investment doesn’t slow you down. It accelerates everything that comes after.

How Elite Organizations Balance All Three

The authors studied organizations across industries and identified distinct patterns:

• Airline industry: Safer, cheaper, faster (in that order)—safety and cost sensitive, hard to innovate
• Automotive: Safer, faster, cheaper—safety and product features drive premium pricing
• Streaming media: Faster, cheaper, safer—innovation driven, not safety critical
• Neo banks: Faster, safer, cheaper—disrupting finance while managing high cost of failure
• Traditional retail: Cheaper, safer, faster—slim margins, low innovation rates
• Online retail: Cheaper, faster, safer—slim margins but innovative, taking more risks

Position within this triangle isn’t static. Organizations move based on strategic constraints and opportunities. A company serving large markets might have a “home base” close to safety, ensuring reliability while maintaining healthy economics. But fear of missing out on GenAI might create emergency budget increasing costs temporarily while requiring faster velocity to market. Once initial AI experiments complete, the organization can gain cost efficiencies before returning toward safety.

The Faster-to-Safer Strategies That Actually Work

Organizations that successfully balance speed with safety employ specific strategies:

Speed Up Innovation: Reduce friction between concept and creation. Shorter experimentation and iteration time lets teams explore bold ideas, test assumptions, and bring breakthroughs to life without process or bureaucracy bogging them down.

Streamline Development: Build platforms that empower developers instead of obstructing them. Design tools and systems removing unnecessary hurdles—seamless integrations, intuitive workflows, minimal overhead—so developers focus on coding, problem-solving, and delivering value.

Tighten the Feedback Loop: Rapid, actionable insights are the heartbeat of progress. Faster feedback cycles—from users, testing, or performance metrics—mean teams adapt in real time, fix issues before escalation, and refine features to better meet needs.

Leverage the OODA Loop: The military-inspired observe, orient, decide, act framework drives agility. Observe the landscape (data, trends, user behavior), orient your approach (analyze and prioritize), decide with confidence, and act swiftly.

Optimize Flow: Focus on flow velocity (how quickly value moves through the pipeline) and flow time (latency from delays). By measuring and improving these, teams eliminate bottlenecks, boost throughput, and ensure development processes hum like well-tuned engines.

The Cost of Resilience—and Why It’s Worth It

Building safety requires investment: capacity headroom, redundant fail-over systems, complex hardened secure architectures. Observability and controllability become critical. Chaos engineering, game-day testing, and penetration testing ensure safety controls operate as expected.

Think of safety investment as an insurance policy. You build resilience through resource duplication, failover control planes, and decide whether resilience cost makes sense compared to the system’s investment and business value. Once you’ve built resilience, you need to prove it works—that you haven’t wasted efforts. This is where chaos engineering and testing come in. The cost of testing resilience must be included up front as part of creating resilience itself.

The aviation industry learned this painfully. While leaner, cheaper operations seem appealing, consequences of underinvesting in technological safeguards result in financial, regulatory, and customer trust losses far outweighing short-term savings. The industry shifted toward prioritizing safety over cost efficiency and rapid capability implementation.

Making Trade-offs Explicit

Problems arise when organizations don’t make trade-offs explicit. Senior leadership might optimize for faster while teams handling outages focus on safer to avoid turmoil. Without explicit trade-offs, you end up with local optimizations inconsistent with overall strategy.

The authors recommend using the “faster/cheaper/safer triangle” as a mental model. This helps organizations make point-in-time decisions about where on the triangle they want to be, understanding consequences and opportunities as they shift.

Key patterns for effective decision-making:

Frame the Decision with Scenarios: For less tactical audiences, choosing between safer, cheaper, or faster can be too abstract. Describing each choice through sample scenarios helps decision-makers understand tactical implications and avoid “I’ll take all three!” responses.

Push Decision-Making Down: Faster-cheaper-safer trade-offs often escalate to C-level leadership. Using the general manager model, where GMs run business units with responsibility for managing budgets, roadmaps, and risks, allows decisions to be made more quickly and effectively.

Establish Measurement Cadence: Close the feedback loop through active monitoring. Two ceremonies are necessary: proactive check-ins on leading indicators and retrospective evaluation of outcomes. Would a sudden negative trend in cost metrics trigger a cost incident? How metrics are treated influences organizational behavior.

The AI Multiplier Effect

AI’s recent impact greatly increases the rate of change, disrupting product plans and budget allocations. Speed of execution moves up the priority order, with many safety issues being reported and emergency FOMO budget allocations. Later, as AI moves to production at scale, cost becomes prohibitive, and optimization moves up the priority order.

But the fundamental principles remain: You can’t have speed without safety infrastructure. You can’t maintain safety without understanding its cost. And you can’t optimize cost without measuring the value delivered.

What This Means for Your Organization

As Steven Wright quipped: “You can’t have everything. Where would you put it?”

The appropriate trade-off is highly contextual—industry type, business stage, and organization maturity all influence where the right balance lies. And it continues evolving as context changes.

Start by asking: Where are we on the triangle right now? Where do we need to be? What investments would get us there?

If you’re optimizing for speed, ask whether you’re creating technical debt that will slow you down later. If you’re focused on cost, consider whether you’re undermining the safety that enables sustainable speed. If you’re prioritizing safety, evaluate whether you’re over-investing relative to actual risk.

The organizations that win aren’t the ones that move fast and break things. They’re the ones that invest in the infrastructure, tooling, and practices that let them move fast and fix things—preferably before they break in production.

That up-front investment in resilience, automation, observability, and testing? It doesn’t slow you down. It’s what makes sustainable speed possible.

Capital One learned this the expensive way. BMW learned it the smart way. Which path will you choose?

This blog post is based on “Faster, Cheaper, and Safer: Finding the Balance” by Adrian Cockcroft, Tapabrata (Topo) Pal, Randy Shoup, Cat Swetel, Dr. Mik Kersten, and Buck Butler, with review by Elisabeth Hendrickson, Michael Nygard, and Brendan Hopper, published in the Enterprise Technology Leadership Journal Fall 2025.

- About The Authors

Leah Brown

Managing Editor at IT Revolution working on publishing books and guidance papers for the modern business leader. I also oversee the production of the IT Revolution blog, combining the best of responsible, human-centered content with the assistance of AI tools.

Follow Leah on Social Media

•