South Park’s infamous Underpants Gnomes might have been on to something: In The Checklist Manifesto: How to Get Things Right, Dr. Atul Gawande shows how even very smart professionals can trip up on the details of their complex procedures, but that the presence of a clear, step-by-step guide can dramatically improve success rates:
Ok, so the Gnomes were missing step two, but the question was recently raised on a security mailing list about whether the same methodology could be applied to information security practices. The response was positive but Benjamin Tomhave noted some caveats in his e-mailed response:
Of course, the flip side is that checklists in an area like IT can be detrimental, too. PCI is a great example, where it never made a claim of being comprehensive, yet is treated as such (and codified in State laws for crying out loud), and then orgs still get hacked, leaving them to wonder why the checklist didn’t protect them.
Perhaps the key, then, is knowing that you need experience+procedures. Procedures allow you to not screw up the mundane and routine, while experience allows you to dynamically respond to issues that don’t fit the precise steps of the procedure. Part and parcel to this, then, is needing to empower experienced professionals to be flexible and dynamic in the vast of challenges rather than requiring them to rigidly adhere to procedure in all instances.
Have you found checklists a helpful addition to an IT workflow? I’d love to hear your stories (or better yet, see your checklists!) at Michael@ITKnowledgeExchange.com. I’ve heard a lot of justified grumbling over the years about PCI security-by-checklist, but I’d love to hear some success stories, too.
There might even be from free swag in it for any good responses!