Is your IT/security team largely firefighting? If not, I’d love to know!
This rumination was prompted by a blog comment I read, and I was kinda dumbfounded. Are there IT shops that are *not* firefighting? Pray tell, where are they?
I conjecture that, top-down and outside-in, we have this tendency to think IT/security is better than it really is.
I also conjecture that the only shops that are not firefighting are the ones so large that all those things that would be “firefighted” in small shops end up falling into the black holes of processes and separated teams. “Oh, I know that’s a problem, but that’s for the virtualization team,” or “That’s not something my manager wants me to touch, that’s a code issue for dev team 83,” or “I’m just the consultant/security advisor, it’s up to the desktop team to figure out how to properly implement that DLP.” It’s not that they’re getting done so much as being buried in a field full of freshly dug holes.