When the Last Mile in infosec is convincing the Board to stick to ‘their’ own rules and not think themselves above it, how do we’d want to pull this off ..?
Where, so often, they complain that sticking to the rules is too complex or cumbersome for them — for no extra credit, reflect on their capacities to be in there position to Lead and Show — whilst forgetting their underlings have to deal with it anyway, possibly being more capable yes but not as claimed dealing with less sensitive information …
Where the reaction for themselves is they Have to carry on, counter to sane advice and rules, with unsafe behaviour often in particular when dealing with the most sensitive stuff; either not recognising that as such or hardball playing down the sensitivity and/or their attractiveness as targets — out of some form of cognitive dissonance and often contrary to their lightly-to-grossy inflated self-worth estimates respectively.
Where, also, we see con-zultands playing up their self-importance and -assigned capabilities, as per this. Recognisable, all too recognisable [been there, done that, didn’t even got the T-shirt; ed.].
And realising that this all, seems to work… reminds me of what Thomas Paine can still bring to bear on this, which is not good. Not at all. Though the advisortypes may co-opt and exploit the courtiers’ methods (hey, how hard have you studied these ..?) without being caught in the courtiers’ ‘regulatory capture’ error and maintain a bedrock of sanity until My Precious is had; is that the only viable road?
Or would you have something else? No, not plain forward address that is so sure to fail, to fall flat on your face before it’s out of the starting block; if you don’t see that, you may very well be too inexperienced to have a clue…
But seriously, folks, what have ..?