I’ve been working across different organisations as a security advisor, and I keep seeing patterns that don’t quite match what the frameworks and standards suggest should happen. This document captures some initial questions I’m exploring.
The Puzzle
Security governance frameworks are well-documented. ISO 27001, NIST, COBIT - they all describe what organisations should do. Most boards and executives genuinely want effective security. Practitioners work hard within their organisations.
Yet I keep observing the same patterns across different companies, different industries, different countries. Patterns that don’t align with what the theory suggests should happen.
I’m starting to wonder if there’s something more fundamental going on - something about how organisations actually work versus how we think they should work.
Questions I’m Exploring
On Measurement
Why do qualitative security assessments persist despite their limitations?
I’ve sat in governance committees where everyone receives security reports that don’t really tell them much - “medium risk here, high risk there” - with limited ability to compare year-over-year or understand what’s actually changing. When someone proposes more objective metrics, there’s often resistance or the initiative quietly stalls.
This seems odd. Better measurement should lead to better decisions. But maybe there’s something about having more objective data that creates problems I’m not seeing?
On Authority and Accountability
How do security leaders operate without authority to enforce their recommendations?
In most organisations I work with, the security function identifies vulnerabilities but can’t mandate that IT operations patch them. They recommend controls but can’t enforce implementation. They assess risks but don’t own the budget to remediate them.
Yet they’re held accountable when things go wrong.
This seems like a fundamental design problem, but it’s so consistent across organisations that I wonder if it serves some purpose I don’t fully understand.
On Compliance vs. Capability
Does compliance certification correlate with actual security effectiveness?
I’ve noticed that organisations investing heavily in ISO 27001 certification, audit programs, and compliance frameworks don’t always seem more secure than those focused on building technical capability. Sometimes it seems like the opposite might be true.
This might just be observation bias on my part, but if it’s a real pattern, what does it mean for how we advise organisations to allocate resources?
What I’m Trying to Understand
These observations might just reflect organisational dysfunction - things not working as they should. But the patterns are too consistent for that to be the full explanation.
I suspect there are rational reasons - incentive structures, organisational dynamics, real costs and benefits - that make these patterns stable. If I can understand what organisational needs these apparently dysfunctional patterns actually serve, maybe there are better approaches that meet those needs whilst delivering better security outcomes.
Next Steps
I’m planning to:
- Read more deeply into organisational theory and governance research
- Discuss with other security practitioners on social media to see if they observe similar patterns
- Identify what makes some security leaders more successful at navigating these dynamics than others
This might become nothing, or it might become something more structured. For now, I’m just documenting questions.