Explaining why security is not, in fact, a department of “No” (never has been, and never will be), what it is instead, and what the future is likely to hold
Well said
I think this is a good post overall, but it fails to take in the three lines of defense responsibilities seen in larger organizations.
https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf
For example, the CIO and their department of developers own cyber risk for the applications that they build. Not cyber. Cyber owns governance to drive accountability of developers to follow policies and organizational best interests.
If organizations don't hold developers accountable for their own security, it will never get done.