TIM MALONEY

© 2026 Tim Maloney

All Rights Reserved

Thinking Upstream in Tech Risk

Applying lessons learned from Dan Heath's "Upstream"

In today’s fast-paced IT environment, too many organizations operate in “reaction mode,” fighting fires instead of preventing them. Drawing inspiration from Dan Heath’s Upstream, this article explores how technology leaders can shift their mindset from downstream firefighting to upstream problem-solving. By identifying root causes early, clarifying ownership of risks, and freeing teams from constant crisis management, organizations can strengthen governance, enhance resilience, and create sustainable risk management practices. The key takeaway: investing time and structure in prevention pays dividends in performance, compliance, and confidence.

I recently finished reading Upstream: The Quest to Solve Problems Before They Happen by Dan Heath, and it was a great reminder of how much impact we can have by addressing issues at their source. Too often, IT organizations find themselves “downstream,” reacting to cybersecurity breaches, IT compliance findings, or operational inefficiencies—issues that could have been prevented with the right strategies and foresight.

Some of my key takeaways from the book:

  1. Problem Blindness: Many organizations don’t recognize systemic risks until it’s too late. Effective IT Governance and proactive IT risk management can help illuminate those blind spots.
  2. Ownership Gaps: When accountability is unclear, critical issues fall through the cracks. Collaboration across functions and clear ownership of IT risk is essential.
  3. Tunneling: The constant pressure of day-to-day crises makes it hard to think strategically. Organizations need to create the space and resources to plan ahead.

The message is clear: the best solutions are upstream. By shifting focus from reaction to prevention, organizations can reduce risk, drive efficiency, and build resilience in their technology environments.

At Protiviti, our Technology Risk, Governance, and Enablement team works with companies to move upstream—helping them build better IT risk management practices, develop sustainable governance structures, and address regulatory challenges before they become costly problems.

A question to consider: What are the fires you’re constantly putting out in your organization? And how could an upstream approach prevent them from happening in the first place?

If you’re ready to take a more proactive approach to technology risk and governance, I’d love to hear your thoughts—or start a conversation. Let’s connect!