With your excellent corp/software/net breakdown, this feels like it isn't actually aimed at a company-wide level. This feels like it's aimed at a product engineering leader who has no real power over the real corpsec concerns - like if the company uses SSO - but real power over the product itself.
I suppose it makes sense in a context where someone else is handling corpsec adequately, but if that's the idea then it's not very well explained.