In the 1980's movie Top Gun, the protagonist utters the phrase, “I feel the need, the need for speed!” Peter “Maverick” Mitchell was an F-14 Tomcat pilot, an interceptor jet capable of flying more than twice the speed of sound. Fighter pilots love speed. Speed can be the key factor in winning aerial engagements. Speed is often a key factor in any competitive landscape, whether we are talking about fighters in the air, sports or business. Speaking of business, innovation is all about helping an organization develop processes and products that make it more competitive. As a result, innovation must be fast; the faster the better.
For security professionals and auditors, that means maintaining a balance between speed and protection. If we allow our organization to move too fast, beyond the capability of our controls, we incur risk that could be more costly than losing a product race to a competitor. On the other hand, if our processes cause enough delay where we are constantly behind our competitors, we are putting the long-term health of the organization in jeopardy.
If you remember the movie, we saw both examples play out. At first, Maverick performed risky, unauthorized maneuvers that broke the rules of engagement. He and his Radar Intercept Officer (RIO), Nick “Goose” Bradshaw were penalized as a result. What Maverick did threatened the safety of those flying with him. Later, after Goose’s death, Maverick could not regain his flying form. He flew too slowly, too carefully and unlike a fighter pilot. He was trying to avoid the circumstances that led to Goose’s death. Neither situation was acceptable. Like most movies, though, Maverick has an unlikely breakthrough in actual combat and becomes the balanced pilot he needed to be, leading to a happy ending.
However, our enterprise environments do not have the benefit of a pre-written Hollywood script leading to the ending we want. Instead, we have to help guide our organizations to that desirable end state. That means balancing speed and protection, and that likely means we have to manage teams and people in ways we do not normally do for regular projects and efforts.
The good news is that we do this sort of thing in this compressed time frame in special cases. For instance, we have to operate in this manner in incidence response. We also to have to do the same thing when a new regulatory change comes, especially one with a short onboarding period. With innovation, we have to switch into this faster mode. After all, our organizations also "feel the need, the need for speed.”
Read K. Brian Kelley's recent Journal article:
"Innovation Governance: The Balance of Speed and Protection in Innovation," ISACA Journal, volume 4, 2019.