I’m inspired by brownies

Hi folks,

We in information security hear a lot of feedback about when we should provide rules and when we should provide guidance.  Sometimes we have various parties battling it out over which we should provide, pulling us in either direction, trying to make their case.  It’s at times like that we all need a bit of inspiration.  That’s when we need to turn to:

That’s right.  Betty Crocker.

How, exactly, is a fictional dessert baker a great example of the distinction between guidance and rules?  Think brownies.  When you buy a box of Betty Crocker brownie mix, it has very clear and easy-to-follow instructions on the box for making brownies.  But they’re not rules.  In fact, our friend Betty encourages you to experiment.  On her website, she provides a dozen other recipes for which you can use her brownie mix.

Why does she do this?  Is Betty Crocker an anti-authoritarian revolutionary?  Is she baking anarchy brownies and handing them out at Occupy protests?

She does this because there’s no harm in messing with her recipe.  In fact, the home baker might have a better idea for what to do with the brownie mix.  And that’s the key distinction between rules and guidance.

  • If the purpose is to stop harm, it should be mandatory – a rule.
  • If the purpose is to help an implementer do their job, it should be optional – guidance.

There are all sorts of nuances therein (e.g. what constitutes harm), but as a general principle, that works.  Potential for harm?  Make a rule.  No potential for harm?  Provide some guidance.

And why not just make everything a rule?  Because it locks us into a way of doing things, reducing our agility and creativity.  So when our customers demand more rules from us (which is a phenomenon I’ll never understand), we need to be cautious about what we provide as a rule and what we provide as guidance.  Just think “what would Betty Crocker do?”


Rex