How can compliance frameworks blind companies from understanding their own accepted risks?

1.8k views, 4 Comments

Board Member, Advisor, Executive Coach in Software, Self-employed
As much as I like the frameworks—and we do need them—I still wonder whether they will limit us in our thinking around risks. We do need them, but they create boundaries, and that framing can then make us blind to risks. I saw this at Intel and at Cylance a few times, when we would grab onto something, so I always tried to be the one arguing against the framework: "What is the framework not telling us? What is the standard making us blind to?"

While they give us efficiency and effectiveness, provide some level of liability protection, and give management some consistency for a structured discussion (which they understand once we train them on those boundaries), if we are not having the discussion around the bias they create and the things we may miss, then we're probably not doing our jobs.

Use them for their efficiency and effectiveness, but also question them periodically: set up a monthly or quarterly review to ask, what is this not telling us? What are we missing because we're so focused on using this set of parameters as the mitigation for that?

Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
The trap that a lot of folks fall into is not understanding that the framework is not the end. The framework is the means to an end; it provides the structure, level and process through which you get to the end. But there are a lot of companies that don't necessarily have the operational maturity to understand that. Therefore, they're executing in accordance with the framework, which protects them from compliance and audit.

But does it truly translate into understanding that you are accepting risks, and what those are, as opposed to being surprised when the bad thing happens even though it links back to this risk that we told you about in accordance with the framework—which you all nodded your heads about at the time? Now the bad thing that we said could happen has actually happened and everyone's shocked.

President and National Managing Principal in Software, 501 - 1,000 employees
I was on a call with a bunch of CPA firm risk officers who are worried about reputation risks, like the type of clients you can take on, conflicts of interest, whether you're doing consulting versus auditing, etc. But that's not even a real factor in the risk assessment methodologies or some of the other things that are standards-based. So you have to pick a model and use it for what it has, but also recognize that there may be other things that you're not thinking of, which are not included but are equally worrisome.
1 Reply
Board Member, Advisor, Executive Coach in Software, Self-employed

I'm a big believer in the MITRE ATT&CK framework, but it's also limiting in that it doesn't cover certain things. I do advisory work for a company that does stuff at the firmware security level, but MITRE won't recognize that in the ATT&CK framework because they don't believe there have been enough attacks and evidence for it to be expanded—which means even that framework is driving behind the risk curve. That's why you have to look at the frameworks and identify where they're limiting you.

As much as it's useful for focus, that focus means we're losing peripheral sight of some things and potentially foresight on other things further ahead. It's up to us whether or not the framework will do that; it's how we use it.

