Governance - Less is more
Published : Wednesday 13 August 2014
In a world fueled by bureaucracy, sometimes doing less can lead to better results ...
Please note: this content is 10 years old. It may be of lower quality or no longer accurate.
In a recent MicrosoftΒ VisualStudio Magazine article about “The Sociology of Application Security: Less Can Be More”, Microsoft highlights that the key to security isn’t just the technicalities of your security system or the code, but the people themselves and by virtue if you make the system more secure you probably reduce compliance and therefore reduce security.
All very interesting, but the reason I liked this article wasn’t so much the development aspect, but the general point that it makes.
Having worked across various private and public sector organisations I’ve seen a variety of practices from the damn right convoluted and bureaucratic to those completely devoid of process / documentation.
I always argue that the key to effective governance is pragmatism and I think this article paints that picture rather nicely.
If you’ve got a 50 page process document it’s going to take some time to read it, that’s if anyone does at all, and if they do how long will it take them to comprehend it and put it in to practice. What if you need to go back and check, how easy is it going to be?
As the article points out human nature will mean that ultimately no matter how loud we bang the drum if we make the process complicated and “costly” to the organisation and individual ultimately you will have a compliance issues. If you have compliance issues you have risk.
The article rounds of nicely with :
“In fact, the only real solution to getting people to follow security procedures is to lower the costs of following those procedures to the point where the resulting cost/benefit analysis makes sense to your users.”
In esseance what we’re saying is that
- costly procedures equals no compliance which inherits risk.
- pragmatic procedures resutlts in compliance and lower risk.
The best quality doesn’t come from the bleeding edge, it comes from consistency, and get the basics right each and every time.
Useful links and references
- The Sociology of Application Security: Less Can Be More
https://visualstudiomagazine.com/articles/2014/09/01/application-security.aspx
Dan's Blog
Information Technology, programming, health, fitness and photography enthusiast.
- Not a writer.
- All views are my own.
- Offence is optional.
- Do your own research.