WEEK 24 · GOVERNANCE

The Part Nobody Sells You

Security teams are trained to find gaps. No one trains them to see what's already working.

You can hold a certification or a third-party attestation and still be exposed. In the same way, you can own every security tool on the market and still be completely exposed. Here's the part of security nobody sells you.

A team recently found themselves locked in a debate over an endpoint control. The core issue? Whether a specific tool in their current stack supported a handful of niche, yet beneficial, features. They pored over the data. They audited the technical specs. They were incredibly thorough, and they were asking entirely the wrong question.

The real question wasn't whether the product could do the thing. It was whether meaningful risk reduction was already within reach given what was already in play. Multiple existing controls, working together, had already narrowed the exposure. The new tool wasn't required. It was just the loudest option in the room.

Stopping at a product boundary instead of reasoning across the full control set is one of the most expensive habits in security. Individual controls don't exist independently. Their necessity, design, and priority are shaped by everything around them. A control that's critical in one environment is redundant in another. Skipping that context check means constantly adding tools to problems that already have solutions.

Security isn't a stack. It's a fabric. What makes it strong isn't any single thread. It's how every thread is woven against the others intentionally, with the full picture in view.

Most security teams are trained to see risk points. Find the vulnerability, evaluate the control, close the gap. It feels rigorous. The problem is that risk points don't exist in isolation. They exist in a fabric. How you close one gap changes the shape of every gap around it.

When a team can only see individual nodes, they'll keep proposing individual solutions. That's not a skills problem. It's a visibility problem. The goal isn't just finding the right tool for the right risk. It's developing the ability to read the room, the full control environment, and understand what's actually needed given everything already in motion.

So, here's the MondayMove

This week's move: Before your team evaluates any new control or tool, require them to answer one question first: "What is already operating in this environment that addresses this risk, and how effective is it?"

That single question shifts the frame from "what can we add" to "what do we already have working." It forces visibility into the fabric before anyone proposes a new thread. What's one question you wish your security team asked before reaching for a new tool?

The threat sees your whole environment. Your team should too.

Friday Follow-Up

Did You Ask the Question?

Monday gave your team one question to run before reaching for a new tool. Friday is when we find out what happened.

MondayMove gives you one concrete action every Monday. FridayFollowUp closes the loop.

Each Friday, a short dispatch on what practitioners actually found when they ran the week's move: where they got stuck, what surprised them, and what to do next. Not sanitized case studies. Field notes. Practitioner to practitioner.

This week's move: before your team evaluates any new control or tool, answer one question first — "What is already operating in this environment that addresses this risk, and how effective is it?"

The most common report: the question was easy to ask and hard to answer. Not because teams were unprepared, but because the answer didn't live anywhere. It lived in people. Whoever ran the last evaluation. Whoever was in the room when that tool got purchased three years ago. When someone tried to actually document it, they found out fast that nobody agreed on what "effective" meant. Implemented? Running? Actually catching things? Those turned out to be very different answers.

A few practitioners reported friction from a different direction. The question got read as resistance to the evaluation rather than rigor inside it. "Why are we slowing this down?" That reaction is worth paying attention to. It tells you something about how the team has been trained to move. When speed is the signal of competence, stopping to ask what you already have feels like a delay. It is not a delay. It is the evaluation.

If the question exposed a gap in what your team actually knows about your own environment, that is the more important finding. The next step is not to fill it perfectly. It is to schedule one hour, put the relevant controls on a whiteboard, and give each one an honest effectiveness rating before the next evaluation opens. Not a formal audit. A working session. That one hour will change how the next conversation goes.

That session is the real move. Monday's question was just how you found out you needed it.

No correct answers here. This is practitioner-to-practitioner. The more honest the responses, the more useful this gets for everyone reading on Monday morning.

See you then.
