Insights

The Governance Problem Hidden Inside Modern Hiring

There is a growing problem in how applicant tracking systems are being used in hiring, and it is one that deserves more honest scrutiny. Too often, ATS platforms are treated as decision engines rather than what they actually are: administrative tools designed to support process, not replace judgment.

Taking Uncertainty Seriously: Part 2

In the first essay in this series, I argued that the real difference between qualitative and quantitative risk is how uncertainty is treated. This essay looks at one small distinction that matters once we stop collapsing uncertainty into a single answer.

Internal Audit as the Organization’s Institutional Memory

Organizations are very good at moving on. Leadership changes. Systems are replaced. Vendors rotate in and out. Strategic priorities shift with the market. What organizations are far less good at is remembering why things exist the way they do.

Designing Controls Where Compliance Is an Afterthought

In this latest article, Ayoub Fandi dissects a familiar but rarely challenged flaw in many GRC programs: controls designed to satisfy auditors first and protect the business second. Drawing on real-world examples from access management, vulnerability management, and application security, Fandi argues that compliance-driven control design too often results in security theater, with controls that generate clean audit evidence while leaving real risks untouched. He makes the case for flipping that priority, showing how controls built around actual threats and business risk naturally produce compliance as an outcome, not an objective.

Why Real Governance Starts With Mission-Critical Objectives

As noted in my most recent LinkedIn post, 2025 turned out to be an unexpectedly big year for these conversations, with more than one million views and over 200,000 reactions. That level of engagement doesn’t happen by accident. It suggests there’s a deep and growing frustration across the risk, audit, and governance community that something fundamental still isn’t clicking inside corporate boardrooms.

When Data Becomes a Product: Privacy, Cybersecurity, & the Economics of Information

Data is a constant subject of discussion in the context of security. Custody of personal data is heavily regulated, and systems are designed to protect anonymity, even though it can never be fully guaranteed. Security breaches are costly, not only because of the breach itself, but because of the scrutiny and liability that follow. As a result, privacy has increasingly become a value proposition for products and services that collect and retain personal information.

Why Governance Tools Miss What Hackers Exploit

SAP systems store sensitive business data, run mission-critical processes, and ensure that operations continue uninterrupted. However, having the SAP GRC product suite or similar governance, risk, and compliance tools does not cover all aspects of system security. Relying on them to keep you safe is a recipe for infiltration.