"Best Practice" (You're Saying it Wrong)


Since this has come up a couple of times in the past week, I thought that I'd take a moment to elaborate on why I bristle at the phrase "best practice." It's quite simple, really, and often comes down to semantics (which, despite the frequent dismissal, can be quite important). To this end, I think there are a couple of key points we should all keep in mind when we encounter the phrase.

1) "Best Practice" or "Minimum Acceptable Practice"?
First off, I think most "to do" lists, like hardening guides, are incorrectly classified as "best practices." What these should really be called are "minimum acceptable practices." Much in our industry falls under this heading. The old SANS "How To" guides, or the CIS security benchmarks, or even the PCI DSS fall under this category. It's not so much that a practice is "best," but that it's the very least you should be doing (from a security perspective).

2) "Best" is Subjective
One of our fatal flaws in this industry is running around telling people what they should or shouldn't be doing. Typically "best practice" is the catch-all justification for our arguments. Unfortunately, this phrasing undermines our credibility and ignores context. What is best for you may not be best for me. My favorite is the dime store security scan that produces a stock report that tells us what needs to be done based on "best practices." Yeah, well, maybe. Ignoring all the false positives, a purely external, non-contextualized list of practices needs to be properly split between "minimum acceptable practice" and "general recommendations that may or may not fit your particular organization." To quote Anton Aylward: "Context is everything."

Along with that sentiment is the fact that "best" is constantly evolving. Despite the seeming failure of the industry to really evolve beyond firewalls, signature-based solutions, and SSL, the fact is that our faithful opposition definitely has. And, really, if you think about it, "best" has definitely evolved over the years. 15 years ago I would not have looked at Web 2.0 issues because, well, Web 2.0 didn't exist (but CGI certainly did ;). Obviously the mark moves over time.

1 Comment

How about an alternative like, "Crap that's worked in other places/times/dimensions". That's what "Best Practice" really means, IMO.

About this Entry

This page contains a single entry by Ben Tomhave published on June 1, 2010 1:20 PM.