There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these things then all shall be well. If the ceremonies don’t produce the required results then we are deemed to have not performed them well enough - as opposed to it just being the wrong approach. The non-believers who point this out can even be subject to an inquisition for their heresy (it might even be unexpected). Much has been written about security theater ...| Risk and Cyber
One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have fewer and fewer incidents, then some time later, someone somewhere might ask: “Why are we spending so much on security when we don’t have any issues?” If this becomes an accepted view then cuts happen, upgrades and maintenance don’t get incrementally funded, or investments to mitigate new risks are not made. You know what comes next, slowly but surely crack...| Risk and Cyber