Is your threat model already behind?

Most organisations think they have a threat model. What they usually have is a historical artefact: a snapshot of how the environment looked on the day several people sat in a room with diagrams, coffee, and varying levels of optimism. The session happens. Assets are mapped. Threats are identified. Risks are scored. A document is produced. The document is reviewed, approved, uploaded somewhere nobody voluntarily visits, and occasionally resurrected during audits or post-incident archaeology. ...

May 2, 2026 · 5 min

The compliance email and defensive correspondence

The compliance email and the collective flinch

Ever received that little gem of an email from IT: “Compliance Reminder”? No greetings, no sugar-coating, just a tiny, accusatory phrase in your inbox like a foghorn in a library. And just like that, the office collectively holds its breath. Instantly, a strange ritual begins. Even the most relaxed of colleagues, those who haven’t touched the company VPN in months, start opening folders, scanning drives, and muttering about forgotten passwords like they’re uncovering ancient curses. Karen from marketing begins tearing through her emails as though the server itself might collapse if she doesn’t click the right links. Greg in finance panics at a spreadsheet he hasn’t touched since 2019, convinced it’s harbouring hidden sins. ...

October 15, 2025 · 4 min