New Best Practice: Think

by adam on October 14, 2009

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list.

Thank you.

by alex on October 14, 2009 at 4:31 pm.

Preach on.

by Kyle Maxwell on October 14, 2009 at 4:44 pm.

how about

All these people in security (consultants and practitioners alike) talk, talk, talk… but rarely ever do. Screw best practice… get out and DO something.

by nickerson on October 14, 2009 at 5:01 pm.

My fav:
IT is always best practice to use best practices

Yes, let’s use what everyone else is doing because everyone else is doing it. Best practice: find what is required for your environment and follow nickerson’s advice: DO!

by GenesysWave on October 14, 2009 at 5:14 pm.

“Think”, indeed!

When I was at a Big 4 consulting firm, I learned to cringe when I heard “best practices” from either my co-workers or when it was requested by clients. I came to realize that there was no vetting process whatsoever for any “best practices” and that it was nearly always sought as a substitute for thinking, as if to say, “Why should we think about this when we can just borrow/steal the thoughts of other people?”

Plus, “best practices” give everyone involved a giant fig leaf to cover up their lack of insight, originality, or systematic understanding. It is especially attractive to upper management to cover up their lack of understanding of technical issues.

by Russell on October 14, 2009 at 5:46 pm.

Practice what you preach and advertise this best practice any chance you get:

Yours, wearing his red-on-black THINK t-shirt right now (casual Thursday for some reason),

by Saso on October 14, 2009 at 10:22 pm.

My best practice:
Use “effective practices” rather than so-called “best practices”.

Of course, you will need proof to declare one “effective”.

by Andrew Yeomans on October 15, 2009 at 9:36 am.

What? I am too busy implementing best practices to take on any more requirements like ‘Think’. Unless there is a compensating control for that, you’ll just have to come back later.

by Adrian Lane on December 3, 2009 at 4:30 pm.