Avoiding CRA Pitfalls: Don’t Wait to Fix What’s Broken
Dario Lobozzo, GM of EMEA at Finite State, calls out a common but costly mistake in CRA compliance planning: treating assessments and remediation as separate, sequential efforts. He explains why this approach is too slow to meet regulatory deadlines—and how teams can move faster by remediating in parallel.
Transcript
I would say one of the other common gaps or mistakes that I see in CRA preparedness is folks looking to do a very long-winded outside-in, inside-out controls assessment exclusively, waiting for the outcomes of those, building a remediation plan, and then starting to tackle those remediations.
It is just too slow. You won't accomplish the goals in the same time it will take for new problems to pop up by the time you finish phase three of that effort.
So I don't believe that you can do one whole path of assessments and then start fixing things. I think you need to do them in parallel, or else you're never gonna meet these reporting goals.
Or if you're really just responsible for one product at a time as your team, I also see that as another major challenge: people who are looking for point solutions because they only have X amount of euros to spend as their team, and so they solve their problem. Great. But they haven't solved the problem for the organization.
So as an organizational head, you should be looking at what your teams are doing. And in this case, it's not shadow IT. It's shadow product security. So are they buying some tool to get the problem solved on their side without really taking into account what the business needs?