Ever wish there was a simple game to explain how complex organizations make decisions? You’re in luck! Roshambo, also known as rock-paper-scissors, explains it all. There are a few productive hours in each day, and three conflicting ways to spend them. The game explains how they will be prioritized.
- Operations: making and shipping things, developing and releasing software, buying and selling value, or otherwise completing the mission for which this complex organization was initiated.
- Compliance: following policy and proving that policy has been followed. That includes internal procedures, industry standards, and governmental regulations. In other words, it’s not just “keeping ready for the audit”. Compliance also includes your normal procedures for getting things done: approvals, documentation, decision reviews, and more.
- Security: ensuring the confidentiality, integrity, and availability of your people, systems, and data. Proving a negative, under a budget.
Default rules: in enterprise roshambo, Compliance beats Security, and in most organizations Operations beats Compliance. So the default ordering is Operations beats Compliance beats Security.
- Should we deploy a new patch? Security says yes, Compliance says not necessary yet, Operations says it’s risky: patch isn’t deployed.
- Should we deploy an old patch? Security says yes, Compliance says yes, Operations says it’s risky: patch is deployed in a carefully scheduled maintenance window.
- Should we alter the scope of a Compliance audit if Operations asks? Yes.
- Should we disable or uninstall a Security tool if Operations asks? Yes.
The exceptions are highly regulated environments, such as government agencies, food and pharmaceuticals, and some areas of commercial finance. There, Compliance beats Operations beats Security, because failure to follow the law stops (via government intervention) or slows (via budget-disrupting fines) the complex organization’s mission.
- Should we interrupt Operations to ensure the medicine meets the needs of Compliance? Yes.
- Should we interrupt Operations to deploy a patch for Security? Not unless Compliance says so.
An emergency can temporarily change the rules of the game. How they change depends on the emergency. For instance, Operations change freezes and Compliance change control boards are put on hold during a Security zero-day response. Security beats Operations beats Compliance, until the emergency is resolved.
If the emergency is in Compliance, such as the threat of a crippling fine or the loss of a major customer, then the lightly regulated organization can temporarily act like a highly regulated one. Compliance beats Operations beats Security.