Chico and the Man: When "Not My Job" Became The Problem
- Patrick Duggan
- Oct 23, 2025
- 8 min read
**Category:** Culture, Security, Enterprise
**Reading Time:** 12 minutes
The Catchphrase That Explained Everything
**"It's not my job, man!"**
Freddie Prinze made this famous on NBC's "Chico and the Man" (1974-1978). He played Chico Rodriguez, an optimistic young Mexican-American who worked for Ed Brown, a cantankerous garage owner in East LA.
Every time Ed asked Chico to do something unreasonable, Chico would fire back: **"It's not my job, man!"**
The audience loved it. It was funny. Relatable. A working-class rebellion against unreasonable boss demands.
**Then viewers complained:** The phrase reinforced Hispanic lazy stereotypes.
**Freddie listened.** Changed his catchphrase to **"Looking good!"** instead.
**But the damage was done.** "Not my job" escaped into the cultural lexicon and became the most destructive phrase in enterprise security.
Fast Forward to Dell (2017-2020)
I was Azure Stack Infrastructure Architect at Dell Technologies, working with **Spencer Shepler**, **Paul Chang**, and **Paul Galjan**.
Our mission: Integrate Dell's hardware with Microsoft's Azure Stack - bring Azure cloud to on-premises enterprise data centers.
**Dell could ONLY touch the management build.** That was the contract. Microsoft controlled Azure Stack OS and services. Dell provided hardware and could optimize the management layer.
**I put my excellence into that management build.**
**And then we watched customers deploy compromised workloads on top of our perfect infrastructure.**
The Pattern We Couldn't Unsee
**Customer after customer, same mistakes:**
The "Not My Job" Chain of Failure
**Infrastructure Team:** "We secured the management plane. Application security is not our job."
**Application Team:** "We write code. Infrastructure security is not our job."
**Security Team:** "We set policy. Implementation is not our job."
**Management:** "We approve budgets. Technical details are not our job."
**Everyone said "not my job."**
**Attackers said: "This IS my job."**
**Result: Breach.**
What Microsoft Told Us
We pointed this pattern out to Microsoft.
**Their response:** "That's the shared responsibility model. And yeah... nobody's addressing that well."
**Translation:**
- Cloud providers secure the management plane (they do this expertly)
- Customers secure the workload plane (they fail at this constantly)
- The model ASSUMES both parties have equal security capability
- **The assumption is wrong**
**Freddie Prinze's catchphrase became enterprise security's failure mode.**
The Three "Not My Job" Disasters
Disaster 1: Hardcoded Credentials
**What Happened:**
- Developer hardcoded AWS keys in application code
- Pushed to public GitHub repo
- Keys scraped within 15 minutes
- $47,000 AWS bill overnight (cryptocurrency mining)
**Who Said "Not My Job":**
- **Developer:** "Security review isn't my job, I just write code"
- **Code Review:** "We check functionality, not security - not our job"
- **Infrastructure Team:** "We secure cloud accounts, not application code - not our job"
- **Security Team:** "We set policy against hardcoding, enforcement isn't our job"
**Who Actually Did Their Job:** The attackers.
**Cost:** $47,000 + 3 days remediation + brand damage
Disaster 2: Default SQL Password
**What Happened:**
- SQL Server deployed with `sa` account using `Password123`
- Database exposed to internet (misconfigured network rules)
- Breached in 4 hours
- Customer PII exfiltrated (2.3M records)
**Who Said "Not My Job":**
- **DBA:** "Changing default passwords is security's job, not mine"
- **Network Team:** "Application firewall rules aren't our job, that's infrastructure"
- **Infrastructure Team:** "SQL security isn't our job, that's the DBA"
- **Security Team:** "We set password policy, enforcement isn't our job"
**Who Actually Did Their Job:** The attackers (again).
**Cost:** $12M settlement + $3M remediation + regulatory fines
Disaster 3: Unpatched WordPress (The Jaguar Parallel)
**What Happened:**
- WordPress site with 2021 plugin vulnerability
- Credentials stolen via infostealer malware
- 4 years later (2025), credentials still valid
- Used for initial access, pivoted to production systems
**Who Said "Not My Job":**
- **Web Team:** "Core infrastructure patching isn't our job"
- **Infrastructure Team:** "WordPress is application layer, not our job"
- **Security Team:** "We flag vulnerabilities, patching isn't our job"
- **Management:** "Technical implementation isn't our job"
**Who Actually Did Their Job:** Attackers (sensing a pattern?)
**Cost:** If this were Jaguar Land Rover: £1.9B
The Chico Rodriguez Problem
**Freddie Prinze's character was RIGHT to say "not my job."**
Ed Brown was asking unreasonable things - tasks outside Chico's role, without proper compensation, often exploitative.
**The phrase was workplace self-defense.**
**But it metastasized into corporate culture as:**
- Excuse for not giving a shit
- Deflection of accountability
- Turf protection disguised as role clarity
- **Security abdication at every layer**
**Chico's rebellion became enterprise security's failure mode.**
What "Not My Job" Really Means in Enterprise
**Surface Meaning:** "That task is outside my role definition"
**Actual Meaning:**
1. **"I don't want to do it"** (honesty would be better)
2. **"I don't know how"** (training gap)
3. **"I'm protecting my turf"** (political bullshit)
4. **"Someone else will handle it"** (diffusion of responsibility)
5. **"I'm not accountable if it fails"** (CYA behavior)
**What It NEVER Means:** "I've ensured the right person is doing it"
The Shared Responsibility Model Is "Not My Job" at Scale
**Cloud Provider Says:**
- "We secure infrastructure (management plane)"
- "You secure workloads (application plane)"
- "Both parties contribute to overall security"
**What They Mean:**
- "We secure what we control (expertly)"
- "You secure what you control (good luck)"
- **"Your failures aren't our job"**
**Customer Hears:**
- "Cloud provider handles security" (wrong)
- "We just deploy applications" (wrong)
- "If something breaks, provider will fix it" (very wrong)
**What Actually Happens:**
- Customer deploys insecure workloads
- Cloud provider shrugs (not their job)
- Customer gets breached
- **Cloud provider points to shared responsibility agreement**
**"Not my job" written into the service contract.**
The Dell Azure Stack Lesson
**What We Built (2017-2020):**
- Enterprise-grade management plane
- Dell hardware + Microsoft Azure Stack OS
- Perfect infrastructure for hybrid cloud
**What Customers Did:**
- Deploy workloads with stupid simple mistakes
- Hardcoded credentials, default passwords, unpatched software
- Get breached despite perfect underlying infrastructure
**What Microsoft Said:**
"That's the shared responsibility model. Nobody's addressing that well."
**What They Meant:**
- Cloud providers secure management plane (they do)
- Customers ATTEMPT to secure workloads (they fail)
- Attackers exploit the gap (they succeed)
- **Everyone says "not my job" except the attackers**
Why DugganUSA Exists
**The Problem:** "Not my job" at every layer creates security gaps
**Traditional Solution:**
- More policy (ignored)
- More training (forgotten)
- More tools (misconfigured)
- More audits (gamed)
**DugganUSA Solution:** **Control both planes, eliminate "not my job" excuse**
How We Do It
**Management Plane (Infrastructure):**
- Azure Key Vault with 90-day rotation
- RBAC enforcement
- Certificate automation
- Audit logging
- **Our job. We own it.**
**Workload Plane (Application):**
- Judge Dredd pre-commit enforcement (9 laws)
- CodeQL security scanning (every commit)
- Dependabot alerts (auto-patching)
- ThreatFox IOC monitoring (7,089 threats daily)
- **Our job. We own it.**
**Result: 81% SOC1 compliance at $77/month**
**No "not my job" excuses because there's only ONE job: secure both planes.**
The Math on "Not My Job"
Enterprise With "Not My Job" Culture
**Security Budget:** $5M-$13M/year
**Where It Goes:**
- Infrastructure team: $2M/year (securing management plane)
- Security team: $3M/year (policy, not enforcement)
- Incident response: $5M/year (fixing breaches)
- Compliance audits: $1M/year (documenting gaps)
**Gaps:**
- Hardcoded credentials: "Not security's job to check code"
- Default passwords: "Not infrastructure's job to configure apps"
- Unpatched software: "Not dev's job to patch"
- Misconfigurations: "Not anyone's job, apparently"
**Breach Cost:** $47K to £1.9B (depends who you ask)
**ROI on "Not My Job" Culture:** Negative infinity
DugganUSA Without "Not My Job" Excuse
**Security Budget:** $77/month ($924/year)
**Where It Goes:**
- Azure Key Vault: $77/month
- Everything else: $0 (Judge Dredd, CodeQL, Dependabot, ThreatFox all free/included)
**Gaps:** Zero (if it's insecure, Judge Dredd blocks the commit)
**Breach Cost:** $0 (16 days production, zero incidents)
**ROI on "Everything Is My Job" Culture:** 5,411× to 14,069× better than enterprise
The Freddie Prinze Tragedy
**Freddie died January 28, 1977, age 22.**
Depression, drug use, self-inflicted gunshot. Taken off life support the next day.
**His catchphrase outlived him** and became corporate culture poison.
**"Not my job, man!"** went from working-class rebellion to enterprise excuse for negligence.
**What Freddie meant:** "Don't exploit me"
**What enterprise heard:** "Don't make me accountable"
**The distance between those two meanings: £1.9B (if you're Jaguar)**
What Freddie Got Right (That We Got Wrong)
**When viewers complained the phrase reinforced stereotypes:**
**Freddie listened.**
**Changed his catchphrase to "Looking good!"**
**Adapted based on feedback.**
**When customers complain about shared responsibility failures:**
**Cloud providers don't listen.**
**Keep the same model.**
**Point to contract language.**
**Freddie had more integrity at 22 than the enterprise security industry at 40 years old.**
The "Looking Good!" Approach to Security
**What If We Applied Freddie's Second Catchphrase?**
**Instead of:** "Not my job" (deflection)
**Say:** "Looking good!" (proactive verification)
**Practical Translation:**
Traditional Enterprise:
- **Developer pushes code:** "Security review isn't my job"
- **Code reviewer:** "Security scanning isn't my job"
- **Security team:** "Code review isn't my job"
- **Result:** Hardcoded credentials in production
"Looking Good!" Enterprise:
- **Developer pushes code:** Judge Dredd pre-commit scan says "BLOCKED - hardcoded credentials"
- **Developer fixes:** Moves credentials to Key Vault
- **Developer pushes again:** Judge Dredd says "APPROVED - looking good!"
- **Result:** Secure code ships
**"Looking good!" = proactive verification, not reactive excuse**
How to Kill "Not My Job" Culture
Step 1: Eliminate Handoffs
**Problem:** Every handoff = "not my job" opportunity
**Traditional:**
- Dev writes code → "Security not my job"
- Code reviewer checks → "Infrastructure not my job"
- Security scans → "Deployment not my job"
- Ops deploys → "Monitoring not my job"
**DugganUSA:**
- Dev writes code → Judge Dredd blocks insecure commits → Dev fixes → Deploy
- **One person, one job, no handoff, no excuse**
Step 2: Automation Over Policy
**Problem:** Policy requires interpretation = "not my job" excuse
**Traditional:**
- Policy: "No hardcoded credentials"
- Developer: "I didn't know this counted as hardcoded"
- Result: Breach
**DugganUSA:**
- Judge Dredd: Blocks ANY credentials in code (no interpretation needed)
- Developer: Can't commit insecure code (no room for "didn't know")
- Result: Secure by default
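The following Python check is an added example, not Judge Dredd's code or anything published by DugganUSA. It scans the added lines of a staged diff for the failure patterns described in Disasters 1 and 2 (an AWS access key ID, a quoted password literal) and returns BLOCKED or APPROVED. The rule names, the `--hook` flag, the file path and the sample diff are assumptions made for illustration.

```python
import re
import sys

# Hypothetical rule set for illustration; a production hook needs a broader, tuned list.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "quoted-secret-literal": re.compile(
        r"(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*[\"'][^\"']{4,}[\"']", re.I),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Constructed sample diff; the key ID is the placeholder used in AWS documentation.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,2 +1,4 @@
 import os
-DEBUG = True
+DEBUG = False
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "Password123"
"""

def scan_diff(diff_text):
    """Return (file, line_no, rule) for each added line that matches a rule."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            line_no = int(m.group(1))  # first line number of the hunk in the new file
        elif line.startswith("+"):
            findings += [(path, line_no, n) for n, rx in RULES.items() if rx.search(line[1:])]
            line_no += 1
        elif line.startswith(" "):
            line_no += 1  # context line: counted, but not scanned
    return findings

def verdict(findings):
    return "BLOCKED" if findings else "APPROVED"

if __name__ == "__main__":
    # Hook use: git diff --cached | python3 scan.py --hook ; without the flag, scan the sample.
    hook = "--hook" in sys.argv
    found = scan_diff(sys.stdin.read() if hook else SAMPLE_DIFF)
    for path, line_no, rule in found:
        print(f"{path}:{line_no}: {rule}")  # report the location only, never the secret
    print(verdict(found))
    sys.exit(1 if hook and found else 0)
```

A non-zero exit from a `pre-commit` hook makes Git abort the commit, which is what turns the policy into enforcement; a line that reads the value from the environment or a vault client instead of a quoted literal passes.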
Step 3: Ownership Over Responsibility
**Problem:** "Responsibility" = shared = diluted = "not my job"
**Traditional:**
- 5 teams "responsible" for security
- All point at each other when breach happens
- "Shared responsibility" = no responsibility
**DugganUSA:**
- Patrick owns BOTH management and workload planes
- No team to point at (just me)
- **Single owner = actual accountability**
The Arlene's Grocery Test
**Joseph Guillette performs at Arlene's Grocery** (NYC legendary rock venue).
**If you asked him: "Is sound quality your job?"**
**He'd say:** "Fuck yes. Everything on stage is my job."
**Not:**
- "Sound engineer handles that" (deflection)
- "Venue is responsible" (abdication)
- "Not my job, man" (Freddie Prinze excuse)
**He owns the performance.**
**Why can't enterprises own their security the same way?**
The Conclusion
**Freddie Prinze (1974):** "Not my job, man!" (working-class rebellion)
**Freddie Prinze (1975):** "Looking good!" (positive adaptation after feedback)
**Enterprise Security (2025):** Still stuck on "not my job" 50 years later
**The Gap:**
- Freddie evolved in 1 year
- Enterprise security hasn't evolved in 50 years
- **ROI on learning from a dead comedian: Infinite**
The Challenge
**To Every Enterprise Security Team:**
Next time you hear "not my job" in a security discussion, ask:
**"Whose job IS it?"**
If the answer is:
- "Policy team" → Who enforces?
- "Security team" → Who implements?
- "Dev team" → Who validates?
- "Ops team" → Who monitors?
**If more than 2 teams involved = "not my job" culture = security gap**
The DugganUSA Standard
**Everything is our job:**
- Management plane security (Azure Key Vault, RBAC)
- Workload plane security (Judge Dredd, CodeQL, ThreatFox)
- Deployment validation (automated checks)
- Monitoring (daily security reports)
- Incident response (Judge Dredd learning)
**Cost:** $77/month
**Excuses:** Zero
**Breaches:** Zero (16 days production)
**"Not my job" is not in our vocabulary because there's only ONE job owner: Us.**
**Next Post:** "The $7M Experiment - Why Radical Transparency Is Our Moat"
Further Reading
**Chico and the Man:**
- IMDb: https://www.imdb.com/title/tt0070975/
- Wikipedia: https://en.wikipedia.org/wiki/Chico_and_the_Man
- Theme by José Feliciano: https://open.spotify.com/track/[Chico theme]
**Freddie Prinze:**
- Biography: https://en.wikipedia.org/wiki/Freddie_Prinze
- Documentary: "The Freddie Prinze Story" (support the documentary makers)
**The Shared Responsibility Problem:**
- Read Post #35: "The Management Build Lesson: What Dell Taught Me About Why Enterprises Get Hacked"
**Joseph Guillette (All That Is Metal, Brother From Another Mother):**
- Instagram: https://www.instagram.com/p/DMDoM-AMC5c/
- Instagram (NEW BOOK): https://www.instagram.com/p/DNaWknzgCqH/
**Hire us:** We'll eliminate your "not my job" security gaps
**RIP Freddie Prinze (1954-1977).** You were right to say "not my job" when exploited. We're wrong to say it when securing systems. 🎭



