You're focused on the wrong thing
Poor security controls are a massive tax on organizational performance that many businesses don’t even realize they’re paying for. They slow productivity, lower morale and worse, they often do it without addressing the underlying issue.
Vulnerability management policies often require teams to rapidly fix everything that pops up in the scanner without context. This drops engineering output, annoys engineers and can cost companies millions of dollars in lost productivity without anyone even noticing.
Risk registers with 143 items at a company with a 3-person security team take days to build and nurture, all in order to be neatly filed away until they can serve their true purpose: drawing a knowing nod from the duly impressed auditor during their annual wellness visit.
We know that the likelihood of a company being breached through a non-exploitable vulnerability in a 3rd-party library is somewhere near the odds of being eaten by a giraffe.
We also know that of the 143 risks on that register, 47 are just cleverly reworded ways of saying we could be breached if someone makes a mistake.
Not terribly useful controls in either case.
How do you counter having controls that generate work without delivering value?
Make sure your team has a deeply ingrained culture of asking “Why?”
Just because a rule exists doesn’t mean it makes sense.
Smart team members look at controls critically to ensure they’re addressing the right outcomes you want to deliver. They look at the risk assessment as an opportunity to understand the situation and address the root cause of issues to drive positive outcomes.
What teams shouldn’t do is roll out a control without understanding why it exists. “It’s in Vanta/Drata as a default for your SOC 2” isn’t a great reason.
Your goal isn’t to vanquish every single vulnerability in your app, it’s to effectively manage the risk that someone breaches your system.
The objective of a risk assessment isn’t to build an expansive catalog of every single thing that could go wrong so that someone else can “accept the risk”. It should be to identify the biggest risks to the organization so you can do something about them.
Focus on outcomes, not outputs.