Avoiding the Best Practices Trap
By Joe Knape
“Best Practice is, however, often a misused term. It is frequently used to support politically correct ideals which, in reality take no account of individual need or circumstances. In this sense the ensuing practice is far from ‘best’ when the resulting effects are contrary to the real ideal situation. It is also used to prevent challenges to rules and systems that are, in reality, not best practice.”
As the Wikipedia entry suggests, “best practices” often fall short of being best. Worse, blind adoption of such practices in a rapidly evolving field leads to stagnation in thinking and innovation. Best practices can even make things worse, by increasing risk, while leaving no way out for those who are actually trying to make a difference for the better.
Take, for example, anti-virus software. Multiple studies have shown that the effectiveness of anti-virus software has been decreasing in recent years. One such study is described here: http://www.heise-online.co.uk/security/Antivirus-protection-worse-than-a-year-ago–/news/100900.
Additionally, because anti-virus software is so pervasive, whenever a new device or access mechanism (say, cellular phones or other portable “smart” devices) is being considered, one of the first questions raised is whether such software is available for that device, regardless of whether any real threat exists and regardless of whether the software would actually mitigate any risk. Now, am I saying that anti-virus software shouldn’t be installed? No, I can’t and won’t answer that question for you or your company.
What I am saying, however, is that installing anti-virus software tends to give people a false sense of security. The inability or unwillingness to look past anti-virus software at other viable solutions, even when confronted with evidence of its ineffectiveness, leads companies to unknowingly accept higher risk. It also makes it nearly impossible at times for security professionals who understand the risks and rewards involved to suggest, let alone implement, other, more innovative, and possibly more effective methods.
As we welcome a new year, we welcome new opportunity. One such opportunity is for security professionals to work together to rely less on ‘best practices’ and focus more on…
When you hear the term ‘industry-best practice’ ask yourself these questions and then try to stem the tide before the flood begins and it is too late:
1. What is the definition of “best” and do you agree with it?
2. What is the basis to determine if the authors of the ‘best practice’ are competent, complete and suited to your situation?
3. What initial conditions or assumptions are necessary for the ‘best practice’ to be useful, and does your current situation meet them?
If the answer to any of these questions leaves you doubting the veracity or effectiveness of the “best practice”, then perhaps that particular practice shouldn’t be implemented. Most likely it is simply a process or procedure that originated from some failed or failing initiative, one that will eventually go sour and make things worse in the long run.
Of course, that’s easier said than done. Since the Security Catalyst Community is here to help, we will be offering some follow-up blog posts to address questions such as how to use the rejected practices to discover and document possible alternatives, how to use what you discover to push back properly, and what to do in the all too common case where the practice is implemented regardless of the forces mustered against it.
I have one practice, I don’t know if it’s “best”: I don’t BUY security.
I prefer to talk about “effective practice” rather than “best practice”, with the implication that you measure the effectiveness.
See Dan Geer’s article https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/deployment/577-BSI.html on the ITPI Controls Study http://www.itpi.org/home/performance_study.php. Out of the 63 controls studied, two really mattered:
“Those controls are (1) Do you monitor systems for unauthorized changes? and (2) Are there defined consequences for intentional unauthorized changes?” Many other controls made little difference.
housetier, if you’re serious how do you address risk, steal it, build it? If you’re joking…hahahehehohoheh
Andrew, “effective practice” is an interesting term, and while I agree with the points Dan is trying to make, the point I was trying to make was less related to “xyz practices” and more about it being past time we come up with more realistic and effective methods. Consider: commercial antivirus is circa 1987, firewalls are circa 1988. 20 years might as well be 100 years.