From Stanford comes "Corporate Governance According to Charles T. Munger," which is characterized by avoiding "best practices" and instead going in the direction of "trust-based governance." A lot of this will resonate with infosec people weary of the compliance checkbox Olympics.
Here are some highlights:
“One solution fits all” is not the way to go. All these cultures are different. The right culture for the Mayo Clinic is different from the right culture at a Hollywood movie studio. You can’t run all these places with a cookie-cutter solution.
In infosec, context matters more than any single factor. Context results from technical factors, but also from business drivers, usability, and incentives. What makes infosec a challenge is that there is no one-size-fits-all solution. If there were, Microsoft and IBM would package it up and ship it out of the box. The good news here is that human judgement matters in infosec, so analysts won't be replaced by automated machines.
A lot of people think if you just had more process and more compliance—checks and double-checks and so forth—you could create a better result in the world. Well, Berkshire has had practically no process. We had hardly any internal auditing until they forced it on us. We just try to operate in a seamless web of deserved trust and be careful whom we trust.
Anyone who has been through a compliance regime knows the critical difference between slavishly following the compliance checkbox and using reason. In another speech, Munger summarized the difference: "if you have analysts, due diligence, and no horse sense, you've just described hell."
The Stanford paper pulls together an alternative framework that builds a responsible culture through basic controls, accountability, conservative accounting ("Ninety-nine percent of the troubles that threaten our civilization come from too optimistic accounting"), and modest executive compensation.
The final quote is the most thought-provoking one for infosec pros, and it should make all of us consider how much of the checkbox Olympics is worth perpetuating.
"The last idea that I want to give to you as you go out in a profession that frequently puts a lot of procedures and a lot of precautions and a lot of mumbo jumbo into what it does: this is not the highest form which civilization can reach. The highest form that civilization can reach is a seamless web of deserved trust—not much procedure, just totally reliable people correctly trusting one another. That’s the way an operating room works at the Mayo Clinic. If a bunch of lawyers were to introduce a lot of process, the patients would all die. So never forget when you are a lawyer that you may be rewarded for selling this stuff but you don’t have to buy it. In your own life what you want is a seamless web of deserved trust. And if your proposed marriage contract has forty-seven pages, I suggest you not enter."
I'll close by saying that all is not lost. Compliance is not going away any time soon, but there are ways to use the leverage of compliance to your advantage. I will show some examples of this in upcoming posts.