You need champions, not checklists.


Victor Ronin


Photo by Ameer Basheer on Unsplash

Notes of shower thoughts.

I have been doing software security for a good couple of decades now. Mostly, I was on the R&D side. However, I interacted enough with people from the security departments.

The thing that I saw working, again and again, is when you have people who are genuinely interested in some topic (security practices, clean code, etc.). They will do the right thing on their own; they will research and implement best practices. They will automate, create a checklist, and generally move things forward. You do want to build a support system around them gradually, but the main idea is to let them do what they already want to do.

And what I saw not working is when a checklist is shoved by one group of people down the throat of another department. Surely, if the enforcing party has a stick, the other side will comply. However, it will be superficial. There are always myriad things you can do wrong while, on paper, everything looks good.

BTW, even though I mentioned this in the context of security, it is easily applicable to most complex areas that require deep thinking, a lot of decision-making, and some creativity.