Over time, I started to describe these two states as the “paper company” and the “actual company.” The paper company is defined by controls. It is the version of the organisation that appears in frameworks, policies, architecture diagrams and maturity assessments, with named owners, mapped processes and reassuring traffic-light reports.
The actual company is defined by behaviour. It is the version that appears in telemetry, threat intelligence, red team findings and post-incident reviews. It is shaped by how people really work, by shortcuts embedded in processes, by legacy systems no one wants to touch and by integrations that were never fully documented.
The paradox is that management conversations usually assume only the paper company exists. When a board asks, “Are we secure?”, the answer typically references policies, certifications and tool coverage, all attributes of the paper company, whereas attackers interact only with the actual one. Until leaders can see the actual company clearly and regularly, they are effectively managing a cat-in-a-box: they must act as if they are both secure and compromised, without knowing which state is currently true.