Hi folks,
My daughter’s school recently hosted an “80s day” when all the kids dressed like little Cyndi Laupers, Princes, and Billy Idols. Cute, but the 80s have been the throwback decade of choice for a while now – you’d think the 90s would have their turn, right? Wrong. Because “nostalgia for 90s fashion” is a phrase uttered by nobody. Ever.
But the 90s were good to us in some ways. The fall of communism in Europe, a growing internet, maturing hip hop, and… Adam Sandler movies.
Yeah, I know – not exactly Oscar material. But hear me out. The 1996 movie Happy Gilmore actually left us with an important lesson.
Happy Gilmore, played by Adam Sandler, is a wanna-be hockey star who discovers he can drive a golf ball better than any pro by using his club like taking a slapshot in hockey. Hilarity ensues and Happy wins the day using his unconventional approach.
What could we possibly learn from this? The lesson is that there’s a time to prioritize the process and there’s a time to prioritize the outcome.
Had Happy’s golf mentors tried to make him conform to a traditional golf swing, he’d undoubtedly have lost his advantage. By instead focusing on outcome – using that amazing, weird drive – Billy was able be the hero of the movie.
You may be saying “Rex, that’s just the ends justifying the means!” Not quite.
I think ol’ Leon was close to getting it right, but for our purposes – for the sake of organizational efficiency and focus – the means must be justified by the end. And not just in that they led us to a desirable outcome, but that they are a reasonable approximation of the best route of achieving that outcome.
That’s where many of us fall into a trap by prioritizing the process over the outcome. Especially when dealing with activities that the regulators will examine – as if pointing to a considered, refined process excuses a poor outcome.
Because the weight of a man’s opinion is directly proportional to the amount of lace in his collar, I’m invoking Sir Francis Bacon:
As if you would call a physician, that is thought good for the cure of the disease you complain of but is unacquainted with your body, and therefore may put you in the way for a present cure but overthroweth your health in some other kind; and so cure the disease and kill the patient.
As Sir Bacon implores, it’s not about the process – the ultimate goals of the organization must be the priority. Is it okay to kill the patient as long as you cure the disease? Most patients would say no.
Further, a process that doesn’t materially improve our rate of success is less than worthless. At a minimum, it diverts valuable resources for no perceptible benefit. Worse yet, it could point us in the wrong direction entirely. The means are not justified by the end, even if the process is well-intentioned and even if we happen to achieve our goals with no thanks to the process.
Some who work with me may think I loathe NIST and their guidance. Far from it. What I loathe is the elevation of NIST and related regulatory efforts above the goals of the agency – the fetishization of the process over the outcome (I stole that term from here). NIST, FISMA, A-123, audits, etc are critical components for encouraging the pursuit of security across the Federal sector – but they should never become the primary goal.
Our goal is security, not the process of becoming secure. Performance, not compliance.
Rex