So many organizations struggle with policy exceptions. While exceptions are a reality, their prevalence suggests that risk management is not quite working.
While organizations try to pivot from risk to compliance focal points to enforce adherence to security / privacy best practices, the reality is that most entities are not agile, and they also lack the resources to migrate from legacy workflows to secure processes and systems.
While the cloud and ITO / BPO of the past have promised more agility, many orgs leverage traditional internal models due to cost constraints.
GRC, risk management, and IT audit professionals have a legit argument to focus on policies, standards, and guidelines; however, for orgs to be and remain secure these days, an offensive, proactive model is more of a necessity.