If you were in charge of a nuclear power plant, would you want it to have well-defined plans and procedures, well documented, with built-in monitoring and checks, explained and accessible to your employees? Or would you prefer to cross your fingers and travel light, without a manual for your power plant, and hope all your workers can and will figure out and do the right thing at the right time?
Yoda Spock Indiana Sherlock Bond gets everything right without a plan.
No doubt everyone you’ve hired flawlessly combines the best of MacGyver’s ingenuity, Bond’s steely sangfroid, Spock’s logic, Yoda’s wisdom, Sherlock Holmes’ knack for problem solving, Buckaroo Banzai’s diversity of skills, and Indiana Jones’ resilience. If so, the odds are stacked in your favor… but Murphy is everywhere, accidents still happen, and malevolence is more resourceful, ingenious, and persistent than it deserves to be.
Those ill-regarded plans and procedures are due diligence. When they are present and done right, no one can reasonably find fault.
Security plans such as FISMA packages are to IT systems what plans and procedural manuals are to nuke plants. The question shouldn’t really be “Do we need them?”; the question should be “How can we assemble them more cost-effectively, and ensure they are complete, accurate, and up to date?” I know I’d want solid plans if I lived next to a nuke plant.