The first decade of this century was dominated by risk and compliance considerations. Security was seen mostly as a "balancing act" among compliance, risk and costs. The second decade of this century was dominated by threat and incident considerations. Security became a fire-fighting practice against constant attacks that were brought on by technological change.

From my perspective, none of those are positive drivers. The first one, taken to some extreme, is restrictive and has led to some security practices becoming mere box-checking or window-dressing practices; the second one is short-termist and technology-focused. More importantly, both isolate cybersecurity from business cycles and business levers.

To me, that's the heart of the matter and the main reason why maturity levels have remained low in spite of all investments: security has been seen as external to the business. In my experience, it's often been locked in a compliance or technology niche where it was also alien. After all, compliance and risk people focus on business aspects, while technologists have always been incentivized to deliver on features and performance, not on controls. This is the cultural cycle that has engineered a chronic problem of talent alienation and adverse prioritization, leading to execution failure around security programs, the historic reluctance of senior executives to commit to large-scale investments and the continuing avalanche of breaches.