Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is particularly important for controls or other risk mitigation. When new leaders come into an organization, they sometimes look at the array of controls and want to streamline them. So they start whittling away at things that apparently don't make sense or have no obvious purpose, and then a few months later (maybe less, maybe more) you start seeing issues, incidents or o| Risk and Cyber
We’re getting it wrong on the messaging for incentives to do security - and people are pretending it’s landing when it isn’t. There are 5 main categories of security incentives: 1. Loss avoidance. The problem is many losses don’t outweigh the potential accumulated actual or opportunity costs of the mitigations that would have been needed to avoid the loss. 2. Reputational risk / brand protection. The problem is most people forget these issues, and are acclimated to it (e.g. identity ...| Risk and Cyber
Unless you’re doing continuous or quarterly budgeting, which some organizations do, you’ll no doubt be getting ready for the long haul of the annual budget process to seek the resources you need for your 2024 goals and, perhaps more importantly, to ensure that all the teams around your organization have the planned resources (people and budget) to do all that they need to do. This is one of the core disciplines of security leaders at all levels from sub-team to the whole organization...| Risk and Cyber