Governance, risk, and compliance analysis that favors operational substance over ceremonial controls.
15 articles/26 briefs/41 total posts
Start here
Read this beat in order
Start with the pieces that explain how governance theater forms, then move into the essays that show where evidence, ownership, and control design actually break.
The cleanest entry point into the site’s anti-ceremony stance on compliance and control programs.
SOC 2 compliance has become a cargo cult ritual in enterprise security. Organizations implement the ceremonial controls, follow the prescribed procedures, and wait for …
A sharper view of where control programs reveal the truth once the green boxes stop flattering anyone.
Organizations love to report passed controls because passed controls are flattering.
They suggest order. They suggest repeatability. They suggest that the environment …
The risk register that comes out of a mature GRC program should tell the board something true about the organization’s exposure. Too often it tells them something comfortable instead. …
It’s Data Privacy Week. Or is it Data Privacy Day? The confusion isn’t accidental.
What started as a legitimate European observance on January 28 has expanded into a week-long …
Model risk management has a well-documented history in financial services. SR 11-7, the Federal Reserve’s 2011 guidance on model risk management, established a framework that …