The Visibility Trap
Breaking through the visibility trap with systematic governance rollouts.

Edition #2: The Visibility Trap
This week I spoke with a VP of Engineering at a bank who said: "We know exactly what's broken. We just can't get anyone to fix it."
This is what I call The Visibility Trap.
Organizations are spending millions on monitoring tools that are great at finding problems, but they have no organizational capability to turn that visibility into action. Teams have comprehensive dashboards, detailed security reports, and cost optimization recommendations, yet month after month the same problems persist.
There is a fundamental gap between seeing problems and solving them.
The organizations breaking through this visibility trap share one thing: they've moved from alerting to systematic Governance Rollouts.
Instead of hoping teams will act on alerts, they implement structured rollouts that guide changes through predictable phases:
→ DRAFT: Test and validate controls internally before sharing them with teams
→ PREVIEW: Show teams what will be evaluated before enforcement
→ CHECK: Monitor compliance and provide self-service remediation tools
→ ENFORCE: Automate where appropriate, with clear exceptions
This bridges the gap from visibility to action, turning alerts into results.
- Keep on Herding, Bob
PARTNER SPOTLIGHT
Turbot: Complete Cloud Governance
Transform visibility into action with automated policy enforcement and remediation at enterprise scale.
What's Happening in Cloud Governance 📡
AWS re:Inforce 2025 Talks: Explore more than 175 sessions covering topics like DevSecOps, Security Culture, Enterprise Security, and beyond. All videos are collected in a YouTube playlist. Check out Cybr's compiled summaries and transcripts for most talks on GitHub.
fwd:cloudsec North America 2025 Talks: Watch 45+ presentations focused on AI/ML security, IAM, threat detection, attack techniques, and more. The full set of recordings is available on YouTube. You can also find curated transcripts from Cybr on GitHub.
GRC Engineering for AWS: AJ Yawn gave a presentation at fwd:cloudsec about turning your governance, risk, and compliance processes into an engineering discipline rather than a checklist exercise. AJ also published a book on GRC Engineering, focused on automating compliance, building security into your architecture, and creating governance frameworks that scale with your business.
Behind the Scenes: Redpanda Cloud’s Response to the GCP Outage: Great write-up on the investment Redpanda made to avoid major impacts from last month's global GCP outage. This level of multi-cloud architecture is a significant investment, but there are key takeaways anyone can apply to their workloads: architect for failure (full multi-cloud may be out of reach, but multi-region is achievable); make sure monitoring is highly available so you are not flying blind during an outage; and communicate proactively with customers.
Get Involved 👋
Join the conversation on LinkedIn about this newsletter edition.