
"Best Practice" (You're Saying it Wrong)

Since this has come up a couple times in the past week, I thought that I'd take a moment to elaborate on why I bristle at the phrase "best practice." It's quite simple, really, and often comes down to semantics (which, despite the frequent dismissal, can be quite important). To this end, I think there are a couple key points we should all keep in mind when we encounter the phrase.

1) "Best Practice" or "Minimum Acceptable Practice"?
First off, I think most "to do" lists, like hardening guides, are incorrectly classified as "best practices." What these should really be called are "minimum acceptable practices." Much in our industry falls under this heading. The old SANS "How To" guides, or the CIS security benchmarks, or even the PCI DSS fall under this category. It's not so much that a practice is "best," but that it's the very least you should be doing (from a security perspective).

2) "Best" is Subjective
One of our fatal flaws in this industry is running around telling people what they should or shouldn't be doing. Typically "best practice" is the catch-all justification for our arguments. Unfortunately, this phrasing undermines our credibility and ignores context. What is best for you may not be best for me. My favorite is the dime store security scan that produces a stock report that tells us what needs to be done based on "best practices." Yeah, well, maybe. Ignoring all the false positives, a purely external, non-contextualized list of practices needs to be properly split between "minimum acceptable practice" and "general recommendations that may or may not fit your particular organization." To quote Anton Aylward: "Context is everything."

Along with this sentiment is the fact that "best" is constantly evolving. Despite the seeming failure of the industry to really evolve beyond firewalls, signature-based solutions, and SSL, the fact is that our faithful opposition definitely has. And, really, if you think about it, "best" has definitely evolved over the years. 15 years ago I would not have looked at Web 2.0 issues because, well, Web 2.0 didn't exist (but CGI certainly did ;). Obviously the mark moves over time.

Comments (1)

How about an alternative like, "Crap that's worked in other places/times/dimensions". That's what "Best Practice" really means, IMO.

This page contains a single entry from the blog posted on June 1, 2010 1:20 PM.
This weblog is licensed under a Creative Commons License.