Wretched Term of the Week: Best Practice
This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate. misleading, and self-defeating. Here’s why:
- Best is a superlative. By using it, one implies that there a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are known for asking probing questions like “What’s your threat model?” or “What goal do you wish to achieve?” Different goals yield different practices.
Shortly after 9/11, some physical security people I know put some physical security plans in place that many people, including me, sneered at. Harumph, harumph, it doesn’t actually improve security. It’s there just to look like you’re doing something. Some time later, one of them took me quietly aside and told me that the reason they did it was to lower insurance costs. If you’re faced with your insurance bills going up by a million bucks and you can avert that with fifty grand of security theatre, out comes the greasepaint and tap shoes followed shortly by an amateur production of songs from Chicago.
- Something that is best doesn’t actually have to be good. If you’re faced with having to choose between a number of bad alternatives, you still look for the best. But best implies good. Admittedly, using best allows you to weasel out of the fact that the decision sucks. In such a dilemma, least bad is better than best because it’s honest.
- A superlative implies that it cannot be surpassed. That makes it hard to replace a best practice with one even better. Smart people know that best is always within context and often the life of it being superlative is shorter than the implementation time. But that word works in favor of the clichpoop with the budget. Why set yourself up be on the defensive?
What do you say, then? Parker recommended “Good Practices,” but noted that many best practices need improvement before they can get to good. This the problem — we’re always having to do things that may not be quite so good. Grading on the curve is an old technique, and the same budget holder who will question improving a best practice may not appreciate honesty. Some organizations use “Best Current Practices” which manages to keep from tacitly chiseling them in stone, but still keeps the superlative, and I believe that the superlative is a problem. I think I can count practices that are truly best on one hand once they get more complex than, “look both ways before crossing the street” or “cook the popcorn for only two minutes.”
I recently heard Stephen R. Katz, another pioneer of computer security — the world’s first CISO, mention the same peeve and suggest the term “Standard Acceptable Practice.” The great thing about a term like “Standard Acceptable Practice” is that no one is going to disagree with either, “We have to get this organization to follow Standard Acceptable Practices,” or “We need to improve our Standard Acceptable Practices.”
Photo by andai.