One does not have to be around information security professionals very long before hearing the term “best practices.” In theory, “best practices” means the set of security practices that the best or elite information security programs adopt. BS7799 (the content of which has been incorporated into ISO/IEC 27001) is, according to a large proportion of information security professionals, a “best practices” standard in that it prescribes exemplary measures used by the most effective security programs.

Although the term “best practices” is widely used, my enthusiasm for this term is not commensurate with its popularity for a number of reasons. The first is that the term is extremely misleading from a statistical perspective. Although “best practices” may be determined by analyzing the nature and components of leading information security programs, if a large proportion of security programs were to follow “best practices” (as many have), these practices would (and to a large degree actually have) become “normal practices,” not “best practices.” A statistical value that is originally well above the mean of a statistical distribution cannot remain in its original relative standing if numerous other values that are the same or similar are added to the distribution.

Second, I am nervous about how “best practices” were originally identified, namely by inviting “leading security professionals” to working sessions. Although these professionals deserve a huge amount of credit for their accomplishments, it appears to me that their results represent consensus among a certain circle of professionals rather than the output of empirically grounded and methodologically sound work. A good analogy would be a situation in which people who were considered very intelligent in certain circles got together and defined “high intelligence.” Intelligence tests, which have been developed empirically, provide a far more suitable way to define and measure intelligence.

I worry, too, that the term “best practices” raises red flags in the minds of senior management because of cost connotations. In business, whatever measures are “best” usually cost the most. With the US (and the entire world, for that matter) on the brink of recession, cost cutting is foremost in senior managers’ minds. For this reason, when security professionals mention “best practices” in making their case for more resources for their security programs, I suspect that they have already lost.

Additionally, although the concept of “best practices” is potentially useful, the set of measures that effectively counter security-related risk will to some degree (and sometimes to a very large degree) vary from one organization to another. For example, firewalls placed in external gateways may not be as suitable for an organization that needs a more open and collaborative computing environment as for one that needs to minimize risk due to externally initiated break-ins and denial of service attacks. To universally prescribe external firewalls as “best practice” measures would not make much sense in the former organization because the security control measures in question would not have the same cost-to-benefit yield as in the latter organization.

Considering all the problems in connection with the use of the term “best practices,” I propose that alternative terms be used instead. As a start, “sound practices” or “widely accepted practices” both seem far less misleading than “best practices.”