Can you share any tips for new security leaders to identify blind spots in their organization? How have you approached this when starting a new role in the past?

Information Security Leader, a day ago

Listen First, Act Later
Spend time with stakeholders across the business—IT, legal, HR, operations, and even front-line employees. Ask open-ended questions about their pain points, past incidents, and what keeps them up at night. Often, blind spots live in the gaps between departments.

Review the Last Mile
Policies and controls may look great on paper, but how they’re implemented at the operational level is where gaps often emerge. Shadow processes, observe how teams actually work, and compare that to what’s documented.

Leverage External Perspectives
Bring in third-party assessments or red teams early on. They can provide an unbiased view and often uncover issues that internal teams may overlook due to familiarity or organizational blinders.

Map Risk to Business Objectives
Understand what the business is trying to achieve and where security could be a blocker—or worse, absent. This helps uncover strategic blind spots, like unprotected revenue streams or compliance gaps in new markets.

Establish a Culture of Psychological Safety
Encourage teams to speak up about what’s not working. If people feel safe admitting mistakes or raising concerns, you’ll surface issues much faster.

Use Data, But Don’t Rely Solely on It
Metrics like patching cadence or phishing click rates are helpful, but they don’t always tell the full story. Combine quantitative data with qualitative insights to get a more complete picture.

Director of Operations in Banking, 2 months ago

When stepping into a new security leadership role, I start by zooming out to gain a full picture of the environment. I typically benchmark the organization against recognized standards such as ISO 27001 or SOC 2, comparing what’s documented versus what’s actually in place, and verifying that declared controls are operational and regularly reviewed.

Once I have this high-level view, I move into a risk-based approach. I conduct a risk assessment focused on the business’s most critical risks and facilitate brainstorming sessions with the clear guidance that no answer is wrong. This not only surfaces potential blind spots but also helps identify the organization’s true “crown jewels.”

In parallel, I look at the technical side using frameworks such as MITRE ATT&CK to evaluate whether we have the right controls against common attack vectors and vulnerabilities.

Finally, I strongly echo Mohamed’s point: never assume, always validate. A questioning mindset—“trust but verify”—is key to uncovering blind spots before they turn into issues.

Chief Information Security Officer in Finance (non-banking), 2 months ago

For new security leaders, the most important tip is to never assume that what’s written in policies or diagrams reflects reality. Blind spots often sit at the seams — where responsibilities overlap, where assumptions about coverage go untested, or where governance is unclear.

When I start a new role, I focus on three things: listening to teams across business and IT to compare perception vs. reality, validating with data from logs, incidents, and scans, and mapping responsibilities using a three-lines-of-defense model to see where accountability is weak. Small tests — like checking backup integrity or access revocation — often reveal much bigger systemic issues.

My advice: ask “who owns this risk, and how do we know it’s controlled?” If you can answer that confidently across people, processes, and technology, you’ll uncover blind spots before they turn into incidents.

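As an added illustration of the "small tests" the comment above mentions (checking backup integrity and access revocation), here is a short Python script that is not part of any commenter's post. It assumes two constructed inputs: a manifest of SHA-256 hashes written at backup time together with the bytes returned by a test restore, and a set of HR termination dates alongside an export of accounts that are still enabled. Both data sets are made up for the example; the file names, user names and dates are placeholders.

```python
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, used for both manifest and restore checks."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not from any real system): the manifest a backup job
# wrote at backup time, and the bytes that a test restore actually returned.
_GOOD_CONFIG = b"db_host=10.0.0.5\nretention_days=30\n"
_GOOD_LEDGER = b"2024-05-01,INV-1001,1200.00\n"

BACKUP_MANIFEST = {
    "config.ini": sha256_hex(_GOOD_CONFIG),
    "ledger.csv": sha256_hex(_GOOD_LEDGER),
    "keys.pem": sha256_hex(b"-----BEGIN PRIVATE KEY-----\n(placeholder)\n"),
}

RESTORED_FILES = {
    "config.ini": _GOOD_CONFIG,                        # intact
    "ledger.csv": b"2024-05-01,INV-1001,1200.00\x00",  # corrupted: hash will differ
    # "keys.pem" never made it into the restore set at all
}


def verify_backup(manifest, restored):
    """Compare a test restore against the manifest written at backup time.

    Returns a sorted list of (file, problem) tuples; an empty list means the
    restore matches the manifest exactly.
    """
    problems = []
    for name, expected in manifest.items():
        if name not in restored:
            problems.append((name, "missing from restore"))
        elif sha256_hex(restored[name]) != expected:
            problems.append((name, "hash mismatch"))
    for name in restored:
        if name not in manifest:
            problems.append((name, "not in manifest"))
    return sorted(problems)


# Access revocation: HR termination dates (constructed) vs. an export of
# accounts that are still enabled in the directory (also constructed).
TERMINATIONS = {
    "jdoe": date(2024, 4, 30),
    "asmith": date(2024, 5, 10),
    "rlee": date(2024, 5, 14),
}
ENABLED_ACCOUNTS = {"jdoe", "rlee", "mchen", "svc_backup"}


def stale_accounts(terminations, enabled, as_of, grace_days=1):
    """Return users whose termination date plus the grace period has passed
    but whose account is still enabled. Accounts with no HR record are not
    reported here; they are a separate ownership question."""
    stale = set()
    for user, term_date in terminations.items():
        if user in enabled and as_of > term_date + timedelta(days=grace_days):
            stale.add(user)
    return stale


if __name__ == "__main__":
    for name, problem in verify_backup(BACKUP_MANIFEST, RESTORED_FILES):
        print(f"backup: {name}: {problem}")
    for user in sorted(stale_accounts(TERMINATIONS, ENABLED_ACCOUNTS, date(2024, 5, 15))):
        print(f"access: {user} still enabled after termination")
```

Each finding from a check like this points at a process, not just a file or an account: a missing file in a restore means the backup scope or the restore runbook is wrong, and an account still enabled past the grace period means the HR-to-IT offboarding hand-off is not working, which is the kind of systemic issue the comment describes.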