The most egregious type of CYA is the business leader who pulls together a cross-functional security team that includes security leadership, line of business leaders, human resources and so on. It makes every part of the organization feel involved in the process but it accomplishes nothing. Managing risk isnt as simple as putting up nice new drapes and adding a fresh coat of paint. Security is a journey and not a destination. And its for people who are serious about it.”]
Source: https://www.csoonline.com/article/2122202/well-covered.html