I think last night it clicked what my main issue is with massively "bottom up" cultures in organisations.
I am sure it works fine for creative / building orgs where you want people to unleash their maximum creative / engineering / building genius and both find the right problems to solve, and then solve them in amazing ways.
For #Risk / #infosec etc, it's not that simple. Sometimes (actually, many times) you need to be more prescriptive about which problems we solve.
If we only solved the cool problems, then we'd end up with a whole host of companies / organisations running around with cool bespoke AI-powered tools, flashy automated pipelines that start nowhere and end nowhere...
No one would be wanting to solve the simple things like asset management, or vuln scanning, or writing standards and guidelines etc ...
Heyyy... wait a minute ...
Aaannyhow... what I was saying is that if I am looking at something as a system, in which all the objects in that system work together to solve a common purpose... then letting people just build and do whatever from the bottom up doesn't deliver a system at all. It delivers a collection of random cool stuff, solving random cool problems.
And yes, often the system is just a collection of systems, each with their own purpose, but they still need to align with solving for the mission etc.
So I think it's much more effective if we can help define the purpose / mission, let groups be creative with what collection of objects (systems or not) combine to solve that, and then let others be yet again bottom up and creative with defining the next level down, and the "how" for many of these areas / items.
It all still has to combine together to solve the purpose though. Not sure many companies devote budget to infosec with the purpose of "go do random cool stuff". It's generally aligned with solving digital business risks (aka what I call cybersecurity).