Structural Correction
Central functions that mandate adoption produce compliance without substance. The board’s role is to verify annually that central capabilities are genuinely good, affordable, and funded through unit demand rather than top-down allocation.
Richard's first quarterly review after the transitional fund renewal included a new item: the CISO's report on security posture across the four operational autonomous units. The report showed 94% compliance with the mandated container scanning policy.
Richard asked a question the compliance metric could not answer: “What does 94% compliance mean for our actual security risk?”
The CISO explained that the scanning tool had been integrated into every unit's deployment pipeline and that the remaining 6% was a configuration issue being resolved. Richard asked a different question: “Are the units using the tool because they need it, or because we told them to?”
The answer took two weeks to produce. Two of the four units had configured the tool to auto-approve all findings below critical severity, because the default thresholds generated hundreds of false positives and the units had no mechanism to work with the security team on tuning them. The compliance dashboard showed adoption. The security risk was unchanged.
Richard's observation was concise: “We are measuring whether the units consume what we push, not whether they are managing the risk they own.”
The central security team had two responses available. The first was to retool: work with each unit to understand its specific risk profile, tune the scanning thresholds to each unit's context, and offer the tool as a service the units would choose to consume. The second was to reframe: present the 94% compliance figure to the board as evidence of successful adoption, add a remediation plan for the remaining 6%, and continue pushing the unchanged tool.
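The gap Richard points at, between an adoption metric and the risk the units actually own, can be made concrete. The following is an added example, not text or code from the book: it scores constructed per-unit pipeline settings and scan results (hypothetical field names) two ways, as the compliance dashboard would report them and as the findings the deploy gate lets through.

```python
from dataclasses import dataclass

# Severity order assumed for the scanner's findings; higher rank = more severe.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class UnitPipeline:
    unit: str
    scanner_enabled: bool   # what the compliance dashboard counts
    block_at: str           # lowest severity that fails a deploy; "critical" waves everything else through
    open_findings: dict     # severity -> unresolved findings in the latest scan (constructed)


def is_compliant(p: UnitPipeline) -> bool:
    """The adoption metric: the mandated scanner runs in this pipeline."""
    return p.scanner_enabled


def unblocked_findings(p: UnitPipeline, at_least: str = "high") -> int:
    """Findings of severity >= at_least that the gate auto-approves instead of blocking."""
    if not p.scanner_enabled:
        gate = len(SEVERITY_RANK)          # nothing is blocked when the scanner is absent
    else:
        gate = SEVERITY_RANK[p.block_at]
    floor = SEVERITY_RANK[at_least]
    return sum(n for sev, n in p.open_findings.items()
               if floor <= SEVERITY_RANK[sev] < gate)


def posture_report(pipelines: list) -> dict:
    """Compliance as the dashboard shows it, beside the risk the gate lets through."""
    compliant = sum(is_compliant(p) for p in pipelines)
    return {
        "compliance_pct": round(100 * compliant / len(pipelines)),
        "unblocked_high_or_above": sum(unblocked_findings(p) for p in pipelines),
        "unblocked_by_unit": {p.unit: unblocked_findings(p) for p in pipelines},
        # Units whose "tuning" was to raise the blocking threshold to critical only.
        "gates_blocking_critical_only": sorted(
            p.unit for p in pipelines if p.scanner_enabled and p.block_at == "critical"),
    }


# Constructed sample: four units, all with the scanner enabled, two gated at critical only.
UNITS = [
    UnitPipeline("Alpha", True, "high", {"high": 2, "medium": 5, "low": 30}),
    UnitPipeline("Beta", True, "medium", {"critical": 1, "high": 1, "medium": 3}),
    UnitPipeline("Gamma", True, "critical", {"high": 7, "medium": 40, "low": 200}),
    UnitPipeline("Delta", True, "critical", {"critical": 0, "high": 4, "medium": 12}),
]

if __name__ == "__main__":
    for key, value in posture_report(UNITS).items():
        print(f"{key}: {value}")
```

On this sample the dashboard reports 100% compliance while eleven high-severity findings are waved through, all of them in the two units that set their gate to critical only.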
...