Shostack + Friends Blog Archive


New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list.


Thank you.

8 comments on "New Best Practice: Think"

  • alex says:


  • nickerson says:

    how about

    All these people in security (consultants and practitioners alike) talk, talk, talk… but rarely ever do. Screw best practice… get out and DO something.

  • GenesysWave says:

    My fav:
    IT is always best practice to use best practices

    Yes, let’s use what everyone else is doing because everyone else is doing it. Best practice: find what is required for your environment and follow nickerson’s advice. DO!

  • Russell says:

    “Think”, indeed!

    When I was at a Big 4 consulting firm, I learned to cringe when I heard “best practices” from either my co-workers or when it was requested by clients. I came to realize that there was no vetting process whatsoever for any “best practices” and that it was nearly always sought as a substitute for thinking, as if to say “Why should we think about this when we can just borrow/steal the thoughts of other people?”

    Plus, “best practices” give everyone involved a giant fig leaf to cover up their lack of insight, originality, or systematic understanding. It is especially attractive to upper management to cover up their lack of understanding of technical issues.

  • Saso says:


    Practice what you preach and advertise this best practice any chance you get:

    Yours wearing his red on black THINK t-shirt right now (casual Thursday for some reason),

  • Andrew Yeomans says:

    My best practice:
    Use “effective practices” rather than so-called “best practices”.

    Of course, you will need proof to declare one “effective”.

  • Adrian Lane says:

    What? I am too busy implementing best practices to take on any more requirements like ‘Think’. Unless there is a compensating control for that, you’ll just have to come back later.
