Excellent post... so much of the advice I'm seeing really feels like we're telling the industry "just do better"... when everyone is already doing the best they can. That said, the reason for this is there are no shortcuts, and you ultimately need to do the work of security, and often that involves trying to do so with competing incentives, constraints and more.
It’s worse than this, I think. It doesn’t matter how good a job the security team does if IT and the business ignore their advice. What security recommends is often expensive and difficult, and the business often says “no” or “maybe next budget cycle”.