"While there have been terrific advances in the state of technology around heuristics, behavior blocking, and things like that, technology is only a part of the approach to solving the problem with the more important aspect involving putting the right process in place"
About this Quote
Tech evangelism gets punctured here with a CEO's pragmatist pin. John W. Thompson is speaking from the boardroom scar tissue of cybersecurity and enterprise risk: yes, the tools are better - heuristics that infer malicious behavior, behavior blocking that stops threats midstream - but the real failure mode is almost never a missing product. It's governance. It's discipline. It's the boring machinery of who owns what, who approves changes, who responds at 2 a.m., and who gets held accountable when the alert was ignored.
The intent is managerial, but the subtext is a quiet indictment of modern tech culture's favorite alibi: we bought the platform, so we did security. Thompson's phrasing ("terrific advances") concedes the industry's progress while refusing to let it off the hook. By demoting technology to "only a part", he reframes the problem as sociotechnical: breaches happen in the seams between teams, in poorly defined escalation paths, in unpatched systems because patching is inconvenient, in exceptions that quietly become policy.
Context matters: Thompson's career spans IBM to Microsoft to security leadership, an era where security products multiplied while breaches kept pace. He is translating a veteran's lesson for executives who want a capex solution to an opex problem. "The right process" is doing the unsexy work: threat modeling before launch, incident runbooks, least-privilege access, audits with teeth, and a culture where speed isn't purchased by ignoring controls. The line is less a tech critique than a power critique: you can't outsource responsibility to software.
Quote Details
| Topic | Privacy & Cybersecurity |
|---|---|




