Monday, February 15, 2010

Introduction to Governance, First of a Series

Governance is the foundation that effective security is built on. It’s a big word for a common-sense idea: things work better if you know what you’re trying to do and how you’re willing to do it than if life is an endless flailing reaction of whatever the latest situation drops in your lap. Boy Scouts have been telling people to “be prepared” for a long time.

If it’s such an easy idea, why do so many people get it wrong, in their personal lives and in business? I’m not sure – maybe the root word “govern” is intimidating. Maybe people don’t like admitting that bad things may happen to them. Maybe there’s always a short-term priority – getting the latest update to market, watching the latest TV show, catching up on my infosec blog… OK, maybe not the last. But you get the idea: setting aside some time to plan ahead just doesn’t seem like a lot of fun if you’re not into this stuff, especially when there’s something else you could be doing that’s bright and shiny and pays off visibly right now.

Nothing new there: people don’t write wills and don’t back up data files for the same reasons. People probably also don’t realize that they already do governance; all that would be different is writing down what you already think, and might even already say out loud.

In the governance-related posts that follow, I’ll discuss the several things we collectively call governance in a bit more detail. In the meantime, ask yourself which of these things you already think about, talk about, and write down in your personal and professional life:

  • Mission/Vision/Charter – An overall statement of what you’re trying to accomplish.
  • Policy – A broad statement of how you intend to accomplish your mission/vision.
  • Standard – A specific statement of how you intend to make your policy a reality.
  • Guideline – A specific statement of advice on how to adhere to your standard.
  • Procedure – A specific list of steps to perform in order to accomplish a task in a way that fulfills your policies, standards, and guidelines.


Star Straf said...

I took the 7 steps coventry class and, as part of that, did a personal mission statement. It is written on the inside cover of my moleskin, and I revise it a touch each year when I change over moleskins. I try to read through it monthly.

Matthew Baya said...

Dan - At my workplace I'm just a SysAdmin for a single department, so all the IT governance happens not only higher up but in another department. However, as happens with many IT folks who are suckers for volunteering for other organizations, I'm finding myself in the unpaid CIO-type role for the local Community Radio station I'm on the board of.

So this post is topical for me, but I find myself frustrated at its brevity. Can you provide any links to examples or places for further reading on this?

Dan Holzman-Tweed said...

Star: Good for you!

Matt: Google Thomas Peltier. Charles Cresson Wood is probably overkill right now. But fear not, I'll be doing the rest of this series soon -- especially since it's topical.

Don't let the fact that you're a "lowly" SysAdmin stop you! Personal visions, policies, standards, and procedures are just as important as departmental and corporate ones. Just be sure that yours comply with the ones further up.

Here's an example: When I was working for an international electronics manufacturer, there were global policies, regional policies, operating unit policies, division policies, and even team policies -- and then my own policies. It's important to know what lines you won't cross before you're asked to cross them.
