by Sam Curry – July 6, 2010

That government is best which governs least
–Thomas Jefferson or Thomas Paine, uncertain attribution

If people behaved like governments, you'd call the cops.
– Kelvin Throop

Unbiddable, ungovernable – like a riot in the heart, and nothing to be done, come ruin or rapture
– Viola de Lesseps in Shakespeare in Love

I alluded to this a few weeks ago in Xanadu, but I got to thinking about the subject and realized it deserves a little more exploration and discussion. I mentioned an almost mythical "hunter-gatherer" society and the potential to build a more modern civilization (for good or ill) when social constructs emerged to let us live in groups of more than 100 to 200 people. This bears some more thinking and some comment because it highlights for me what is so hard about modern Governance: making a large number of people work together is hard and it's not an extension of what a small number of people do!

As I mentioned earlier, we as people tend to organize ourselves even today in groups of between 100 and 200 people. This was first highlighted for me by Malcolm Gladwell in the Tipping Point when he wrote about the Gore corporation and how they self-organize. In a weird coincidence, it was driven home to me by presentations I saw from Guy Kawasaki and Gary Hamel in the same week. We organize ourselves in groups that have a social dynamic and ability to understand one another at somewhere around 150 people: this is true for optimizing a business unit, for military companies and even for some religious congregrations. There's something special about the way our brains work and that size of community.

As I've moved around and changed jobs over the years, I've seen my personal network of active colleagues and associates stay constant at around this number, although the passive number is much, much larger. This magic number rang true for me – it’s been very hard to keep deep contacts with a large number of people, and the “inner circle” of friends we all have changes if we move or change careers, locations or just mature over time. Basically, the number made it personal for me.

Then I read the God Delusion by Richard Dawkins, and regardless of your personal feelings with respect to Dr. Dawkins or his work, bear with me a moment. He postulated that it's entirely possible that we evolved a brain capable of subjecting itself to larger social structures and to what is basically religion, and that this might mean that we evolved a capacity for religion so that we can exist in larger groups than 100 to 200 people. Many scientists, incidentally, loathe the notion of social evolution (and for good reason incidentally), many are leery of the chasm that yawns between science and religion as a no-person's land and many on the religious side despise the reversal this implies; but there are some great points I'd like to summarize from Gladwell and from Dawkin's points:

1. We as Human beings seem to self-organize and work well in groups of about 150 people ― this is our "sweet spot"
2. What is potentially one of the most significant advances in our species was overcoming the ability to work in groups greater than 150 outside the "sweet spot"

And now…we need to combine this with "Governance." Governance is really the ability to direct, manage and determine how a large group of people (and their technology, applications, services and so on) behave. We do this to manage risk and pursue reward, but the magnitude of the task becomes evident very quickly: the heart of the problem around Governance is not a tech problem…it's a Human problem. Solving this one is solving the big one in many ways.

What we want to do is take the personal management techniques that we have evolved for within the "sweet spot" and create a structure for managing companies and countries to the same degree that are measured in the thousands and millions of people. That's hard!

The good news is that we don't have to do it all. We don't have to boil the ocean, we just have to do it well enough to have an impact on risk and on reward. That's good enough and that should be our goal.

In to the Heart of the Matter (and in Will the Real GRC Please Stand Up), I spoke to RSA buying Archer and came to the following conclusions that we need to…

1. Create policy and have IT carry it out
2. Know what is happening, especially with respect to the policies we've created

Perhaps the most significant thing that we can do is minimize the difficulty of managing large groups of people and technology and creating cultures that form in organizations the size of a "sweet spot" to follow corporate principles. If we can't manage a company of 50,000 people as we would one of 50 people, then work on making the tools easier to use, easier to find, faster to respond and empowering to the natural, smaller groupings to follow the policy determined at the top. This is about empowering business to better self-govern and become more powerful.

Fundamentally, GRC and Governance are Human problems and while not completely solvable, they are imminently addressable!

PS ― Next week is the 6 month anniversary of RSA (the Security Division of EMC) acquiring Archer, and I am incredibly proud of how we have and are integrating the two companies to be greater than the sum of the parts!

PPS ― I will be presenting a “Compliance in the Clouds” webinar next week for any who are interested; details are here.