Phase 2 - Setting a governance baseline

If you’d rather watch a 3-minute video instead of reading another email, click here to see me blabber while wearing a sick gray flannel blazer from the tragically short Nick Wooster tenure at JC Penney

In the last few emails we talked about the first phase of tackling Governance, Risk, and Compliance, which was entirely focused on empathy: understanding your culture, how to measure your culture, that sort of thing. Those previous posts are all available at the bottom of this email if you want to refer back at any time.

Today I want to switch over and start talking about the second set of concerns. The second phase is establishing baseline governance.

Can we even find practices that make sense to mandate for everyone?

The question that immediately comes to my mind is: can we even do this? Are there rules we can make, a set of practices we can insist on for a business, that we feel comfortable having as a mandate?

Saying you must do these things, regardless of what industry you are in, regardless of the size of your company, regardless of the details of the security threats that you face?

Is it possible to come up with a set of security practices that you absolutely require?

I think the answer is yes.

Hygiene, Negligence, and Triage

It’s useful to examine how we as a society have looked at the idea of hygiene. In later posts I’ll also get into negligence and triage. Hygiene, negligence, and triage are the three words that help unpack this idea (which can feel a little strict at first) of mandating a set of baseline governance or controls.

If you think about how things are at a restaurant, as a society we’ve worked out that there are practices that are so unreasonably effective that we’re ok with making them a rule. We’re also ok with making a very broad, blanket value judgement on both people and businesses who don’t implement these simple practices.

It sounds so obvious when you say it this way.

We are totally ok with knowing that hand-washing isn’t perfect. It doesn’t stop all contagious diseases; some people still get sick from food at a restaurant. But we feel pretty good about the balance of saying: you know what? At a restaurant, preparing food for people, you must have a certain set of sinks for handwashing, you must require that your employees wash their hands, you must follow through with firing people who don’t wash their hands, and you must train people, remind them, and have notices posted. If you don’t do that, we will shut you down as a business or impose fines and judgements.

no ridiculous debate allowed

Thinking about hygiene at this level, you aren’t tolerating any arguments from people along the lines of “this isn’t going to stop all people from getting this disease, it’s only going to protect most of them, so why should we have to wash our hands?” That’s completely silly.

Likewise with security there are some practices that are so unreasonably effective that you can require them as a baseline without being controversial at all.

Next time we’ll talk a little bit about negligence and how that might come into play.

I like my jacket

If you read this far, maybe you didn’t watch the video. It’s not related to anything else, but I truly love this inexpensive JC Penney flannel jacket. Nick Wooster worked at JC Penney for a single season, and this jacket was one of the items that managed to make it to market.
