I do Get It that IT needs to align with business. But that doesn’t mean I think everything is then rosy in the house and all the puppies are happy. It’s an easy thing to say, but a hard thing to adhere to (or easy, if you like statistics and can twist anything into a business value-add!).
My boss’ boss recently related a story about a VP who was tasked with turning around a company that had the right technology but the wrong business strategy. This included constantly evaluating whether the technology (and projects) is serving the strategy of the business.
That’s great, but to me that reinforces the idea that you only do enough in IT to accomplish the job, and that’s it. You let the rest languish and most likely don’t do any housekeeping. Housekeeping includes the things that make security work: logging, alerts, detections, testing to make sure the things you put up 6 months ago still work, audit settings, patches and updates (that don’t add any new features you care about), etc.
Yes, that is a way to go. For example, you don’t need absolutely spotless event logs on your Windows servers. But that also is a way to foster a completely reactive culture with regard to existing technology. I think that approach works better for new technologies and projects.
It just means that someone has to value security and housekeeping. And I’ll always go back to the idea that so few people value personal security, judging by the lack of security measures for their own home, let alone for the business they own, until they suffer for it. It’s like finding your God only when you’re deeply fearing your own mortality (or feeling excessively guilty about something and needing an explanation).