Funnily enough, just like with governance itself, there’s both good and bad guidance about governance. Now, “bad” may be in the eye of the beholder for sure, so on this Turkey-day in the US, I’m going to briefly go hunting some sacred cows instead of flightless birds.
When I was a kid, my parents used to watch a country music show called Hee Haw. Now, as you might imagine, there was a pretty severe hillbilly vibe running through the whole show, but it was pretty highly rated, and it also happened to feature many of the hottest Country & Western music stars of the time.
And, actually…I remember it was often quite funny too.
One of the segments they used to have was 4 guys sitting around in overalls on empty milk jugs holding those old porcelain “moonshine” jugs. They’d basically do this skit where the main lyrics of the song were the same, but the main joke of the week in the middle of the song was always different. And each one of them would get a line of the weekly joke, and take a sip of mash in turn to soften the blow of the situation they were describing.
The chorus goes like this, in typical Country music fashion:
Gloom, despair, and agony on me
Deep, dark depression, excessive misery.
If it weren’t for bad luck, I’d have no luck at all.
Gloom, despair, and agony on me!
And I have to admit, when I was revisiting the hallowed references and gold standards for “good governance” when it comes to IT – and, by extension, cybersecurity – COBIT5 and the Code of Good Practice…
…I couldn’t help but hear this song run through my head.
I’d be remiss in saying there’s nothing good in COBIT5. There’s good stuff there for sure. The problem is that while it has some great raw material, it’s based on a fundamentally flawed premise that there’s a fundamental difference between management and governance, leading to lots of Railway Act, collective bargaining influence in the governance structures they describe.
While you can have good governance in spite of the general tendencies of the structures they describe, it won’t happen easily—because when they try to make things clear and easy with their suggested governance processes and role and responsibility enablers, all they really do is introduce way too many people off the street, give them chef’s whites…
…and end up with far more cooks in the kitchen than is good for anybody.
Because the real governance relationships that are required for effective decisions are left as an exercise for the reader to untangle—not to mention the random flip-flops between the perspectives of the accountable and responsible parties with the naming conventions of the activities and outcomes.
Now on the show, they’d sing the chorus, then they’d have each of the 4 guys tell some terrible story as a verse in the middle, and then they’d finish with the chorus again. So, as the last email I’ll send about the upcoming deadline to get the December edition of the print, shipped-to-your-door Security Sanity™ newsletter that talks about a much more fundamental (and reliable) way to identify the real governance roles and responsibilities crucial to the success of your security program, I thought I’d bring the memory of my Dad along to the Thanksgiving party with my own take on the Hee Haw skit we used to watch long ago:
Governance is hard, and every day’s a struggle to survive,
But never fear, help is here, in the form of COBIT5,
Yet all I find are RACI charts with lots of C’s and R’s
So when someone asks, “Who does what?” I just run and hide!
Soooo…if you’d prefer to avoid the gloom, despair and agony of bloated, convoluted and committee-based governance models and make your own evaluation of a simpler alternative described in the pages of the December newsletter, then this is basically your last chance to make sure you subscribe using this link before the deadline:
You might not agree, or you might think I’m crazy, and all of the above are more than OK with me. But remember this: even if you don’t agree, the world needs far fewer security sheep, so sometimes even perspectives you don’t agree with will give you insight into something unique you can call your own.
Happy Thanksgiving to my friends in the US, and to all of you:
Andrew S. Townley
Archistry Chief Executive