Process is a good thing.

Some corporate citizens might disagree with that basic statement based on conversations like the following: “You mean I have to go to some website to enter a request for paper clips, and then someone in another office can just reject it because they want to?” Sometimes it doesn’t work.  When you are in situations like this, remember this little saying from a very wise man: “Don’t confuse logic with the process.”

by mikebaird

Process in other examples can be a really good thing.  Consider the actions you might take to promote code from a test or Q/A environment into production.  The steps you take to do this should be the same every time, and any deviation from those pre-determined steps should be noted by the developers.  You don’t want to screw this up, so following the checklist of steps is an easy way to make sure you keep the train on the tracks.

Pilots use process (we call them checklists) all the time.  I’ve seen panic in first-time small aircraft passengers when the Pilot In Command (PIC) takes out the Pre-Engine Start checklist and starts to read mundane items such as “Passenger safety briefing,” “Fasten seatbelts,” and “Set the Fuel Selector to ‘Both’.”  Those passengers should take solace when the PIC takes out that checklist because he is making sure that every step is completed in the order it was designed, and nothing is missing.  While doing a passenger safety briefing may not be one of those things that seem necessary, checking that all the circuit breakers are in could end up making the difference between a fun first flight and one that makes you never want to fly again.

Now what happens when you put TOO MUCH process into a particular job?  Process is designed to document and create consistency.  If followed, process can ensure that every code promotion happens as planned.  Of course, too much process can slow cognitive problem-solving skills, thus ending in the unfortunate argument/defense mechanism, “But I was just following YOUR process!”

Too much process removes the brains from corporate citizens.  And if the problem is too far gone, questioning the process only lands you in a circular, death-spiral discussion from which even Sully couldn’t pull out (Are you tired of the pilot stuff yet?).  So where is this magical balance where you can achieve documented, predictable results, yet still give people the freedom to think for themselves?

That is the million-dollar question for sure.  In the security world, we need procedures to ensure we don’t end up opening up security holes by making changes to support the business.

The trick is to make sure that people working with the policy understand WHY it is there, WHAT it is doing, and HOW and WHEN to get exceptions to the process.

This post originally appeared on
