You buy flexibility by hiring really good people, especially for privacy and security. Really, really good people can think through situations and weigh tradeoffs well and quickly. That's less overhead for known situations but it's even more important when facing novelty.

People who aren't as good need a lot more structure to achieve an acceptably low rate of known errors. But that has two costs: 1) a heck of a lot of overhead in the normal case and 2) everything new triggers full-on exception-handling.

If you're working off checklists normally, then you haven't practiced thinking things through from first principles and, frankly, probably don't have the expertise locally. That means both missing issues more often and taking a heck of a lot more time to do it.

The other form of flexibility you buy yourself with good people is long-term lower cost. Good people will see a pattern and move to correct it long-term. You'll have fewer surprises -- and privacy/security surprises are *expensive*.

So why not hire top-flight people for everything? Well, they're not right for all jobs.
1. They crave novelty. If you don't have enough, they'll get bored and wander off.
2. There are not many of them.
3. Unsurprisingly given #2, they're $$$.

But if you can get 'em, get 'em.

So effectively there are two major ways of building a security/privacy team:
* get a relatively small number of really great people. This is how you prioritize flexibility.
* get a larger number of people (who don't have to be as good) and build a bunch of structure around them.

Because they're so rare, if you have great people, you should focus on making them effective and flexible: reduce the decisions they need to make to the hard ones, and make sure they have the right information in the right place at the right time to make those decisions.

Note that compliance is 100% built around the "lots of people, lots of structure" strategy. In a world where we can't count on everyone to make consistently great decisions, there isn't a lot of choice.