Can you share any tips for new security leaders to identify blind spots in their organization? How have you approached this when starting a new role in the past?
For new security leaders, the most important tip is to never assume that what’s written in policies or diagrams reflects reality. Blind spots often sit at the seams — where responsibilities overlap, where assumptions about coverage go untested, or where governance is unclear.
When I start a new role, I focus on three things: listening to teams across business and IT to compare perception vs. reality, validating with data from logs, incidents, and scans, and mapping responsibilities using a three-lines-of-defense model to see where accountability is weak. Small tests — like checking backup integrity or access revocation — often reveal much bigger systemic issues.
My advice: ask “who owns this risk, and how do we know it’s controlled?” If you can answer that confidently across people, processes, and technology, you’ll uncover blind spots before they turn into incidents.
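The "small tests" mentioned in the answer above (access revocation and backup integrity) can be run as repeatable checks rather than one-off spot checks. The following is an added example, not code from the answerer or from any product; the HR leaver list, identity-provider export and backup manifest are all constructed sample data, and the one-day grace period is an assumption you would replace with your own policy value.

```python
"""Two lightweight reconciliation checks that tend to expose systemic gaps:
leavers whose accounts were never disabled, and backups that do not match
their recorded checksums. All data below is constructed for illustration."""
import hashlib
from datetime import date, timedelta

# Constructed HR export: (username, last working day)
LEAVERS = [
    ("jdoe", date(2024, 3, 1)),
    ("asmith", date(2024, 3, 15)),
    ("bwong", date(2024, 4, 2)),
]

# Constructed identity-provider export of account state
ACCOUNTS = [
    {"user": "jdoe", "enabled": False, "last_login": date(2024, 2, 28)},
    {"user": "asmith", "enabled": True, "last_login": date(2024, 3, 20)},
    {"user": "bwong", "enabled": True, "last_login": date(2024, 4, 1)},
    {"user": "cnew", "enabled": True, "last_login": date(2024, 4, 3)},
]


def revocation_gaps(leavers, accounts, as_of, grace_days=1):
    """Return leavers whose account is still enabled past the grace period.

    grace_days is an assumed policy value (how long after the last working
    day an account may remain enabled). A login after the last working day
    is flagged separately because it turns a process gap into a potential
    incident that needs investigation."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for user, last_day in leavers:
        acct = by_user.get(user)
        if acct is None or not acct["enabled"]:
            continue  # revoked as expected (or never provisioned here)
        deadline = last_day + timedelta(days=grace_days)
        if as_of > deadline:
            findings.append({
                "user": user,
                "days_overdue": (as_of - deadline).days,
                "used_after_leaving": acct["last_login"] > last_day,
            })
    return findings


def verify_backup(manifest, restored):
    """Compare restored backup objects against the checksums recorded at
    backup time. Returns (name, problem) pairs; an empty list means every
    object listed in the manifest is present and intact."""
    problems = []
    for name, expected in manifest.items():
        data = restored.get(name)
        if data is None:
            problems.append((name, "missing"))
            continue
        if hashlib.sha256(data).hexdigest() != expected:
            problems.append((name, "checksum mismatch"))
    return problems


# Constructed backup set: manifest recorded at backup time, then a restore
# in which one object was corrupted and one never made it to storage.
ORIGINAL = {
    "db-2024-04-01.dump": b"constructed database dump contents",
    "files-2024-04-01.tar": b"constructed file archive contents",
    "config-2024-04-01.tgz": b"constructed config bundle contents",
}
MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in ORIGINAL.items()}
RESTORED = dict(ORIGINAL)
RESTORED["files-2024-04-01.tar"] = ORIGINAL["files-2024-04-01.tar"][:-1] + b"X"
del RESTORED["config-2024-04-01.tgz"]


def run_checks(as_of=date(2024, 4, 3)):
    """Run both checks on the constructed data and return the findings."""
    return {
        "revocation": revocation_gaps(LEAVERS, ACCOUNTS, as_of),
        "backup": verify_backup(MANIFEST, RESTORED),
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(area, findings if findings else "no findings")
```

Each finding here points beyond itself: an enabled leaver account that was logged into after the last working day is a question about the joiner/mover/leaver process and its owner, not just one stale account, and a backup object that fails its checksum or is absent is a question about whether restores are ever tested. That is the kind of small result that reveals a larger seam.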
When stepping into a new security leadership role, I start by zooming out to gain a full picture of the environment. I typically benchmark the organization against recognized standards such as ISO 27001 or SOC 2, comparing what’s documented versus what’s actually in place, and verifying that declared controls are operational and regularly reviewed.
Once I have this high-level view, I move into a risk-based approach. I conduct a risk assessment focused on the business’s most critical risks and facilitate brainstorming sessions with the clear guidance that no answer is wrong. This not only surfaces potential blind spots but also helps identify the organization’s true “crown jewels.”
In parallel, I look at the technical side using frameworks such as MITRE ATT&CK to evaluate whether we have the right controls against common attack vectors and vulnerabilities.
Finally, I strongly echo Mohamed’s point: never assume, always validate. A questioning mindset—“trust but verify”—is key to uncovering blind spots before they turn into issues.