This talk argues that security failures persist because organizations don’t clearly define what “good” actually looks like. Without a concrete target state, teams operate in ambiguity—making progress hard to measure and easy to misinterpret.
Key takeaways
- No clear definition of success
  - What does “secure enough” mean?
  - Most organizations can’t answer that concretely
  - Without a target, efforts drift
- Teams operate in ambiguity
  - Goals are vague or constantly shifting
  - Different stakeholders define success differently
  - This creates misalignment and confusion
- Progress is hard to measure
  - Without a defined end state, metrics become arbitrary
  - Teams track activity instead of outcomes
  - Leadership gets an unclear picture of risk
- Frameworks don’t solve this alone
  - Standards provide structure
  - But they don’t define what success looks like in your environment
  - Organizations still need to translate them into concrete goals
- Clarity enables prioritization
  - When you know what “good” looks like, decisions get easier
  - Trade-offs become explicit
  - Resources can be focused where they matter most
