antifragile/antifragile-consulting/core/move-fast-and-fix-things.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00


Move Fast and Fix Things

"The best time to plant a tree was 20 years ago. The second best time is now. The worst time is after the storm has already knocked it down."

This document anchors the antifragile consulting practice in a single, actionable posture: move fast and fix things. It is not a contradiction of Taleb's philosophy—it is its operational expression. Antifragility is not achieved by standing still and theorizing. It is earned by rapid iteration, honest repair, and the refusal to let perfect be the enemy of resilient.


The Philosophy

Speed Is a Security Control

The organizations that survive are not the ones with the most comprehensive plans. They are the ones that execute fastest against the gaps that actually matter. A 90% solution deployed today outperforms a 100% solution that ships in six months—because the attacker does not wait for your roadmap.

Fixing Things Is Strategic

Every unfixed vulnerability, orphaned account, and untested backup is a compounding liability. Technical debt in security does not accrue interest linearly. It accrues catastrophically. The longer a gap exists, the more likely it becomes the entry point for an existential incident.

Fixing things is not maintenance. It is risk reduction at velocity.

Work Beats Purchases

Most organizations do not have a tools problem. They have a utilization problem. They own EDR but have 40% coverage. They own a SIEM but log only 20% of critical systems. They own a PAM solution but have not onboarded privileged accounts. They own backup software but have never tested a restore.

The antifragile consultant's first duty is not to recommend new spending. It is to extract the value already paid for.
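As an added illustration of the utilization audit this section describes (not code from the repository), the following script measures how much of a constructed asset inventory the controls the client already owns actually cover, and lists the Tier-0 hosts where a gap still exists. Asset names, tiers and flags are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    tier: int                    # 0 = Tier-0 (DCs, backup, PAM), 1 = critical, 2 = other
    edr_reporting: bool          # EDR agent installed and checking in
    siem_forwarding: bool        # logs actually arriving at the SIEM
    restore_tested: bool         # a restore from backup has been exercised
    privileged_accounts: int = 0 # privileged accounts used on this host
    pam_onboarded: int = 0       # of those, vaulted in the PAM

# Constructed sample inventory; not real hosts
ASSETS = [
    Asset("dc01", 0, True, True, False, privileged_accounts=4, pam_onboarded=1),
    Asset("dc02", 0, False, True, False, privileged_accounts=4, pam_onboarded=1),
    Asset("backup01", 0, True, False, False),
    Asset("erp-db", 1, True, False, True),
    Asset("web01", 1, False, False, True),
    Asset("ws-hr-12", 2, True, False, False),
    Asset("ws-fin-03", 2, False, False, False),
    Asset("print01", 2, False, False, False),
]

def rate(assets, predicate):
    """(covered, total, fraction) for assets satisfying predicate."""
    covered = sum(1 for a in assets if predicate(a))
    return covered, len(assets), (covered / len(assets) if assets else 0.0)

def utilization(assets):
    """Coverage of each owned control, overall and restricted to Tier-0."""
    t0 = [a for a in assets if a.tier == 0]
    priv = sum(a.privileged_accounts for a in assets)
    pam = sum(a.pam_onboarded for a in assets)
    return {
        "edr": rate(assets, lambda a: a.edr_reporting),
        "edr_t0": rate(t0, lambda a: a.edr_reporting),
        "siem_t0": rate(t0, lambda a: a.siem_forwarding),
        "restore_tested_t0": rate(t0, lambda a: a.restore_tested),
        "pam": (pam, priv, pam / priv if priv else 0.0),
    }

def kill_chain_gaps(assets):
    """Tier-0 assets missing any control: the first fixes to schedule."""
    return sorted(a.name for a in assets if a.tier == 0
                  and not (a.edr_reporting and a.siem_forwarding and a.restore_tested))

if __name__ == "__main__":
    for control, (covered, total, frac) in utilization(ASSETS).items():
        print(f"{control:18s} {covered}/{total} ({frac:.0%})")
    print("Tier-0 gaps:", kill_chain_gaps(ASSETS))
```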


The Three Rules

Rule 1: Start With What You Own

Before any new purchase is discussed, exhaust the capabilities of existing tooling. This is not cheapness. It is optionality preservation: every dollar not spent on redundant tooling is a dollar available for structural improvement.

| Common Underutilized Asset | What Most Organizations Do | What We Do |
|---|---|---|
| Microsoft E5 / Defender suite | Buy additional EDR, SIEM, CASB | Maximize Defender for Endpoint, Sentinel, Entra ID PIM, Purview |
| Existing firewall / IDS | Buy another "next-gen" platform | Audit rules, enable logging, integrate with SOC workflow |
| Active Directory | Add third-party IAM | Cleanse accounts, implement PAWs, enforce conditional access |
| Backup solution | Buy additional DRaaS | Test restores, document runbooks, automate verification |
| CMDB / ITAM tool | Start a new discovery project | Populate with T0 assets, enforce ownership, feed security workflow |

Rule 2: Fix the Kill Chain First

Not all debt is equal. We identify the shortest sequence of failures that would end the organization—the kill chain—and we fix those nodes with extreme prejudice. Everything else waits.

This requires brutal honesty:

  • If your domain admins are logging in from workstations with email and browsing, that is the kill chain.
  • If your backups have never been restored, that is the kill chain.
  • If your cloud storage bucket is public and contains customer data, that is the kill chain.
  • If your CEO's email has no MFA, that is the kill chain.

We do not fix everything. We fix the existential things. Fast.

Rule 3: Every Fix Must Produce a Signal

A fix that does not generate intelligence is a fix that will rot. Every remediation must produce a signal: a metric, an alert, a log entry, or a structural change that prevents recurrence.

| Bad Fix | Good Fix |
|---|---|
| "We disabled the old account." | "We disabled the old account and implemented automated orphan detection." |
| "We patched the server." | "We patched the server and added it to automated vulnerability management." |
| "We rotated the password." | "We rotated the password and vaulted it in the PAM with checkout logging." |
| "We fixed the firewall rule." | "We fixed the firewall rule and added a monthly rule review to the change process." |
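The first "good fix" row pairs a one-off account disable with recurring orphan detection. The check below is an added example of that recurring signal (not code from the repository): it reconciles a constructed directory export against a constructed HR roster, flags enabled accounts that are no longer in HR, service accounts with no owner, and accounts with no logon inside a stale window, and returns a count and rate that can be graphed or alerted on. The account names, dates and the 90-day threshold are assumptions.

```python
from datetime import date

# Constructed sample data, not from any real directory or HR system
HR_ACTIVE = {"alice", "bob", "carol"}
ACCOUNTS = [
    {"sam": "alice", "type": "user", "enabled": True, "last_logon": date(2026, 5, 1)},
    {"sam": "bob", "type": "user", "enabled": True, "last_logon": date(2026, 1, 3)},
    {"sam": "dave", "type": "user", "enabled": True, "last_logon": date(2026, 4, 20)},  # left, still enabled
    {"sam": "svc-backup", "type": "service", "enabled": True, "last_logon": date(2025, 9, 1), "owner": None},
    {"sam": "svc-erp", "type": "service", "enabled": True, "last_logon": date(2026, 5, 8), "owner": "carol"},
    {"sam": "erin", "type": "user", "enabled": False, "last_logon": date(2025, 2, 2)},
]

def find_orphans(accounts, hr_active, today, stale_days=90):
    """Return [(account, [reasons])] for enabled accounts nobody is accountable for."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to signal
        reasons = []
        if acct["type"] == "user" and acct["sam"] not in hr_active:
            reasons.append("not in HR roster")
        if acct["type"] == "service" and not acct.get("owner"):
            reasons.append("no named owner")
        if (today - acct["last_logon"]).days > stale_days:
            reasons.append(f"no logon for >{stale_days} days")
        if reasons:
            findings.append((acct["sam"], reasons))
    return findings

def orphan_signal(accounts, hr_active, today):
    """The metric a scheduled job would emit: orphan count and rate over enabled accounts."""
    findings = find_orphans(accounts, hr_active, today)
    enabled = sum(1 for a in accounts if a["enabled"])
    return {
        "orphan_count": len(findings),
        "orphan_rate": len(findings) / enabled if enabled else 0.0,
        "findings": findings,
    }

if __name__ == "__main__":
    signal = orphan_signal(ACCOUNTS, HR_ACTIVE, date(2026, 5, 9))
    print(f"orphans: {signal['orphan_count']} ({signal['orphan_rate']:.0%} of enabled)")
    for sam, reasons in signal["findings"]:
        print(f"  {sam}: {', '.join(reasons)}")
```

Run on a schedule, a rising orphan_count is the signal that the disable was a one-off and the joiner/mover/leaver process behind it is still broken.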

Mapping to Antifragile Pillars

| Antifragile Pillar | Move Fast and Fix Things Expression |
|---|---|
| Structural Decoupling | Identify and eliminate hidden dependencies before they become fatal. Do not add new platforms to solve problems that abstraction can solve. |
| Optionality Preservation | Maximize existing investments to preserve budget for strategic optionality. Every unnecessary purchase reduces your ability to pivot. |
| Stress-to-Signal Conversion | Every fix must generate telemetry. Incidents are not failures; they are unpaid penetration tests. Convert their lessons into structure. |
| Sovereign Intelligence | Use what you own first. Local AI on existing hardware beats cloud AI on a credit card. Your data should improve your models, not someone else's. |
| Asymmetric Payoff Design | Small, fast fixes on the kill chain yield disproportionate risk reduction. Do not distribute effort evenly; concentrate it where failure is existential. |

Mapping to Standards

We do not treat compliance as the goal. We treat it as a side effect of doing the right things fast.

| Standard | How We Map |
|---|---|
| CIS Controls v8 | IG1 is the floor, not the ceiling. We aim for IG1 completeness in 90 days because it is the minimum viable security posture. See CIS Controls Mapping. |
| NIST CSF 2.0 | We align to Identify, Protect, Detect, Respond, Recover—but we emphasize GOVERN as the missing piece in most organizations. See NIST CSF Mapping. |
| ISO 27001 | Annex A controls are addressed through the kill chain-first methodology, not checklist compliance. |
| DORA / NIS2 | Operational resilience and ICT risk management are natural outcomes of the antifragile rapid-modernisation approach. |

The Consultant's Stance

When you walk into a client environment, bring these assumptions:

  1. They already own enough software. Your job is to configure, integrate, and operationalize—not to shop.
  2. Their technical debt is worse than they admit. Your job is to find the kill chain and fix it without shaming.
  3. Speed builds trust. A visible fix in week one is worth more than a perfect report in week twelve.
  4. Honesty is the product. You are not a reseller. You are an independent advisor. Say what you would do with your own company's data.

The Opening Pitch

"Most consultants will sell you a shopping list. We start with what you already bought. Our job is to find the gaps that matter, fix them fast, and make sure they stay fixed. We move fast. We fix things. And we do it with the tools you already own."


Engagement Principles

Week 1: Brutal Honesty Audit

  • Inventory existing tooling and its utilization rate
  • Identify the kill chain
  • Pick three fixes that can be completed before the next steering committee
  • Execute them

Month 1: Momentum Through Visibility

  • Show the client what they could not see before
  • Close the highest-risk gaps
  • Demonstrate value from existing tools
  • Build political capital for harder changes

Quarter 1: Structural Change

  • Convert fixes into process
  • Automate detection and response
  • Establish the antifragile feedback loop: incident → learning → structure

Contrast With "Move Fast and Break Things"

The Silicon Valley mantra was an excuse for externalizing harm. "Move fast and fix things" is its responsible successor:

| Move Fast and Break Things | Move Fast and Fix Things |
|---|---|
| Ship now, fix later | Fix now, ship sustainably |
| Externalize risk to users | Internalize risk and reduce it |
| Growth at all costs | Resilience as the foundation of growth |
| Ignore technical debt | Pay down the highest-interest debt first |
| Disrupt without accountability | Build trust through visible repair |

Next: CIS Controls Mapping | Previous: Antifragile Manifest