Best Practices for Defeating the term “Best Practices”

by adam on February 12, 2010

I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security “Best Practices” Unethical?

But people keep using it. Worse, my co-workers are now using it just to watch get me spun up. My continued snark is clearly a Best Practice because I keep doing it despite evidence that it doesn’t work.

I’d love to hear your experiences. What are proven or effective practices for getting people to stop using the term?

15 comments

Sounds like you’re looking for a Best Practice in behavioral modification… LOL

“There is empirical evidence that CBT is effective for the treatment of a variety of problems, including … psychotic disorders.”

by Ray on February 12, 2010 at 5:20 pm. Reply #

As much as I whole heartedly agree, I’m afraid it may be an excercise in futility. It’s like trying to stop all facial tissue from being called “kleenex”. Or perhaps more like trying to prevent people from referring to all fields of cryptography as “encryption”.

That being said, there may be hope, but not in trying to correct the term one usage at a time… perhaps if there were an alternative. If we had some other methodology to follow (other than prescriptive control statements), we may refer to that seperate approach by a new name. In other words, the problem isn’t that we call prescriptive controls or common techniques as “best practices” it’s that this is the “best” (safest) thing for vendors/practitioners to follow. It’d be easier to create a new approach and name it correctly from the start rather than trying to nudge over a moving frieght train.

by Jay Jacobs on February 12, 2010 at 6:53 pm. Reply #

I have an idea. How about “good practices”? Failing that, maybe “practices that are a little better than the ones we currently have because they pretty much suck”?

by Peter Schawacker on February 12, 2010 at 7:11 pm. Reply #

Use of the word “best” implies some sort of comparative process between three or more alternatives.

I am pretty sure that such comparative processes do not exist.

So, my vote is for “good practice” – it’s the term I use when I talk about these kinds of things – assuming that the given practice seems to me, and/or to others, to be “good” in the first place.

by Patrick Florer on February 12, 2010 at 9:17 pm. Reply #

Start saying “best guesses” instead.

by Mikel Gore on February 12, 2010 at 11:42 pm. Reply #

I recall that your discussion of the term in your book was very good (mentioned it in my review actually). Some posted comments almost cast the term as a misnomer since best implies good. If a best practice is really just the least sucky option, it may be the best choice available but it may actually be not very good at all. To keep the term is just to reinforce denial about how bad something really is, in the extreme case.

If you go the opposite direction with something like “best stop gap measure in lieu of something that actually works”, people may have more realistic expectations when something fails, but they might not be too excited about buying in.

You might just be stuck with the term for the collective group think of the “herd”. Right now it translates into “no one can blame me if I do what everyone else does and something goes wrong”. There may be a point when improvements to the security model and new technologies really will make practices “best”, and you won’t have to change the term back again. 🙂

by Rob Lewis on February 13, 2010 at 2:24 am. Reply #

A “Best Practice” is a measured accomplishment. Past results are not necessarily indicative of future results as what worked for X may not work for Y

Insert: __

But if you have a collection information such as http://www.owasp.org its a good start for unique business situations (they are all unique btw or everyone would be a CEO)

So perhaps best practice is a starting point and if there was a place for reviews like http://www.securityscoreboard.com then you could help the community with a short list. For many execs I know.. I have already written more then they will ever read (i passed my 3 bullets already)

Brennan

by Tom Brennan on February 13, 2010 at 3:01 pm. Reply #

What then of the term “Best of breed,” for which users should be flogged with a bullwhip?

by Nick Selby on February 14, 2010 at 12:37 pm. Reply #

I have a “best practice” for washing dishes, so does my girl friend and ex-wife – all approaches are mutually exclusive !! Go figure.

by Derek Miers on February 14, 2010 at 2:00 pm. Reply #

Unfortunately, nothing short of a conceptual “neutron bomb” is going to get rid of “best practices” meme. The “best practices” meme is deeply entrenched in the MBA curriculum and in the professional societies associated with industrial engineering, quality, and management.

Nothing short of a Harvard Business Review article by a Wise Man of management will reveal that the Best Practices Emperor Has No Clothes.

Within Information Security, it may be possible to attack the meme more tactically, by aligning major institutions: SANS, ISACA, ISC2, NIST, CSO, CERT, the Industry Coordinating Committees, and the major consulting firms. Once all (or most) of those institutions reverse course on “best practices”, then the rest of the industry might follow, especially if the meme is replaced with something more attractive:

“Evidence-based Security”, anyone?

by Russell on February 15, 2010 at 7:19 pm. Reply #

I’ve often said that the term “best practices” implies a one-size-fits-all approach to security. Best practice for whom?? I’ll railed against it in the past, especially when it comes down from upper management.I do believe being aware of the general consensus is always warranted but that should not be the only driver in decision making. Organizations should make security decisions due to their own evaluated risks and requirements not just because NIST or Gartner says so.

by William McBorrough on February 15, 2010 at 11:52 pm. Reply #

Great comments, maybe “Common Practices” is more accurate. I also like Mikel’s “Best Guesses” and Nick’s “Best of Breed” bullwhip comment. Yes Russel I’ll give a nod of approval for “Evidence-based Security”…how about “Defensible Risk Analysis”

Jay makes a good point – “It’d be easier to create a new approach and name it correctly from the start rather than trying to nudge over a moving frieght train.”
OK how about “FAIR Practices”

~jK

by Jody Keyser on February 16, 2010 at 11:01 pm. Reply #

I fully take the points made, although I think nobody will change anything as it is too deeply embedded in the language and attitude of the business world. Indeed, because of that, I have found the phrase useful – If I describe a proposal as being in line with ‘Best Practice’ it is more likely to be accepted by management than ‘I think this is a good idea’……

by Neil Wheelwright on February 17, 2010 at 5:35 pm. Reply #

Good commentary on the term and practice in this Cyber Secure Institute white paper by Thomas McMillen.

http://cybersecureinstitute.org/docs/whitepapers/McMillen_02_17_10.pdf

by Rob Lewis on February 19, 2010 at 4:53 pm. Reply #

I use ‘compliance’ in as much as its not security.

by Jeremy Wilde on February 22, 2010 at 4:31 pm. Reply #

Leave your comment

Not published.

If you have one.