Discussion about this post

CISO Tradecraft

I think this is a good post overall, but it fails to take into account the three lines of defense responsibilities seen in larger organizations.

https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf

For example, the CIO and their department of developers own cyber risk for the applications that they build. Not cyber. Cyber owns governance to drive accountability of developers to follow policies and organizational best interests.

If organizations don’t hold developers accountable for their own security, it will never get done.

David Hoenisch

Well said.
