Governance - Less is more

In a recent Microsoft Visual Studio Magazine article, "The Sociology of Application Security: Less Can Be More", Microsoft highlights that the key to security isn't just the technicalities of your security system or the code, but the people themselves, and that by extension, if you make the system more secure (and therefore more burdensome to use) you probably reduce compliance and therefore reduce security.

All very interesting, but the reason I liked this article wasn't so much the development side of things as the general point that it makes.

Having worked across various private and public sector organisations, I've seen a variety of practices, from the downright convoluted and bureaucratic to those completely devoid of process or documentation.

I always argue that the key to effective governance is pragmatism, and I think this article paints that picture rather nicely.

If you've got a 50-page process document, it's going to take some time to read, if anyone reads it at all; and if they do, how long will it take them to comprehend it and put it into practice? What if you need to go back and check something: how easy is that going to be?

As the article points out, human nature means that, no matter how loudly we bang the drum, if we make the process complicated and "costly" to the organisation and the individual, we will ultimately have a compliance issue. If you have compliance issues, you have risk.

The article rounds off nicely with:

"In fact, the only real solution to getting people to follow security procedures is to lower the costs of following those procedures to the point where the resulting cost/benefit analysis makes sense to your users."
So in essence:

"Costly" procedures = Non-compliance = Risk.
Simple / pragmatic procedures = Compliance = Lower risk.

Useful links and references