Well, businesses are designed to make money first. So its now your job to develop and present the business case to make controls implementation (and assessment) a priority.
Agreed with above, the main focus SHOULD be on how to build the business. If it were me, I would look at it and frame it in a risk perspective or where are there potential vulnerabilities, and how these would impact their focus on building the business.
Risk with things like not following SOPs may be more efficient and should also consider the operational or reputational risk that errors are not caught and mess up client goals.
Current events help things too. Did Garmin appropriately allocate enough resources in business continuity to risk having to pay $10m ransomware? If so, then their strategy probably paid off, but you also can't account for every potential scenario. Hindsight is 20/20, but that is why there is such a push for companies to always be reevaluating their strategies.
Well, businesses are designed to make money first. So its now your job to develop and present the business case to make controls implementation (and assessment) a priority.
Seconding The Phoenix Project. So many of the issues discussed are one I see at most of my clients.
Agreed with above, the main focus SHOULD be on how to build the business. If it were me, I would look at it and frame it in a risk perspective or where are there potential vulnerabilities, and how these would impact their focus on building the business.
Risk with things like not following SOPs may be more efficient and should also consider the operational or reputational risk that errors are not caught and mess up client goals.
Current events help things too. Did Garmin appropriately allocate enough resources in business continuity to risk having to pay $10m ransomware? If so, then their strategy probably paid off, but you also can't account for every potential scenario. Hindsight is 20/20, but that is why there is such a push for companies to always be reevaluating their strategies.