Innovation Governance: Governance for Better Innovation

Author: K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, SECURITY+
Date Published: 30 June 2020

Leadership expert and former US Navy SEAL Jocko Willink wrote the following, “And most important, discipline will put you on the path to FREEDOM.”¹ What does this have to do with innovation? Everything, as it turns out. Discipline, by Willink’s definition, is regularly doing the things you are supposed to be doing. From a military preparedness level, being disciplined gives you a better chance for survival and helps you deal with unexpected situations. It means you exercise when you can, you ensure your gear is ready to go, and you study up and know what you are supposed to be doing when you are supposed to be doing it. By being disciplined, you free yourself to think, to seize new opportunities, to confront the critical. That is what we are doing in innovation.

The key point for anything related to innovation is to help the organization better compete. Innovation should therefore not set the organization back in the long term; that would defeat the purpose of the innovation effort. As a result, innovation should embrace governance throughout the process. This ensures that what comes out of the innovation efforts is useful to the organization rather than costly. If we were to stop there, we would already have a good enough reason to include governance as part of innovation. However, there is more that governance provides for us.

Governance: An Organization’s Safety Net

The reason we have controls and governance is to protect the organization. We are trying to reduce the risk of a bad process or person. Over time, governance evolves. As technology, people and processes change, so, too, does the governance. It must be adapted to fit the changing conditions. If proper review and revision occur, governance helps protect the organization.

On the other hand, when governance is not properly kept up with, the organization is put at risk. It may even be a greater risk than no governance at all. A tangible analogy here comes from the world of sports. Imagine a piece of gear, such as a helmet, with the requisite rules and standards that define what minimum specifications the gear must meet. In order to make things easier, some professional sports organizations will even mandate a list of approved models.

Now, imagine the case where an old model is still approved even though the right testing will show it does not meet what is needed in today’s game. Even worse, the minimum specifications have not been updated. As a result, one helmet on the list of approved gear meets the current standards but does not properly address the current risk to the player. It is likely players wearing such gear will suffer injuries that could have been prevented had the standards and the list of approved helmet models been properly updated. It might even be possible to argue that by not limiting the models of helmets, teams and players would have chosen better gear. In this case, we have an example where an outdated set of governance controls could potentially result in greater risk.

The reason I make a point about outdated governance is that governance itself is not what impairs innovation. Rather, it is outdated governance that gets in the way of innovation. However, outdated governance is not just a problem for innovation. Rather, it is a risk to the overall organization. Therefore, it should be addressed in that context.

Governance: The Freedom to Hyper Focus

By having proper governance, we know what the rules are in critical areas with respect to the operating environment. We do not have to think about what the rules should be as we are working on something to move the organization forward. The time we do not have to spend thinking about what the rules should be frees us up to be able to innovate. This is the core message behind Willink’s quote that “discipline equals freedom.” Having proper, updated governance means we can focus more on the innovation effort itself.

When writing an article or preparing a talk, it is not unusual to have too much material. Writers and speakers must spend time trying to pare down the material to meet the requirements of the work. The general rule is the shorter the article or talk, the more time will have to be spent to do the cutting. The reason to do the cutting is to ensure that the core message shines through. Everything that could distract from that core message must be cut.

The nature of governance is that it should tell us what is off limits. It tells us what is not core. If there is an area of the market we are not supposed to get into or that is so tightly controlled with regard to particular processes and even specific systems, we know those are areas not to waste time with on the innovation side, as there are likely to be bigger payoffs elsewhere. Therefore, governance helps define our focus, which increases the likelihood that the innovation efforts will pay off.

Governance: Innovation for Other Areas of the Organization

What I have found in years of experience in IT and audit/security is that oftentimes we define a control and, as long as it keeps on working for us, we do not spend time/effort trying to improve it. This is logical, as we would rather spend our resources on moving the needle forward. Only when there is pain around a control do we tend to revisit it.

The great thing about innovation is we are often building new things or implementing things in a new way. In that effort, we get the opportunity to revisit controls. Perhaps a way we are building something in the innovation is applicable to an existing control. For instance, we want to better parse web server log traffic to spot problems before an outage results. In the effort to build this better web server log parser, we also build something that might be applicable to controls around web server monitoring for the organization.

We could also realize something we build to meet governance requirements is applicable somewhere else. For instance, if I need to build a better rights tracking system for a particular application that is considered critical, in the process of building that system I may reveal information that could be used to improve employee on-boarding processes, which can be tossed over to innovation to flesh out.

Governance: The Value of Intent

There is an old maxim in chess, “Better to have a bad plan than no plan at all.” The meaning behind the maxim is that it is better to have an understanding of what you are trying to accomplish than be totally lost and just pushing pieces to complete moves. The difference is intent.

Governance, when we understand the intent, gives us business value. It tells us what most needs protecting. It reveals to us where the weak points are located. It lets us know on what we could be working. That is valuable information to an innovation effort.

Not only can governance tell us where we should not waste our time, it can tell us where we should be spending time. If we are looking to maximize the return on investment (ROI) of an innovation effort, that is exactly what we need.

Embracing Governance

Not only can governance keep us from making huge missteps that cost the organization, but it can help innovation efforts. The first thing governance can do is pare down what we can focus on by telling us what should be avoided. Knowing what to cut out of the picture helps tremendously. Second, efforts from innovation can assist governance, but governance efforts themselves can lead to insights on expanding technology and processes outside of the realm of meeting a control to bring more efficiency elsewhere. Finally, by taking the time to understand the governance, the whys behind the controls, we can often better understand what is truly important to the organization and where there are gaps that need filling. That gives us a better idea of where innovation can be put to use.

Endnotes

1 Willink, J.; Discipline Equals Freedom Field Manual, St. Martin’s Press, USA, 2017

K. Brian Kelley, CISA, CSPO, MCSE, Security+, is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server and Windows Server. He has served in a myriad of other positions including senior database administrator, data warehouse architect, web developer, incident response team lead and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.