Shostack + Friends Blog Archive


Best Practices for Defeating the term “Best Practices”

I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security ‘Best Practices’ Unethical?”

But people keep using it. Worse, my co-workers are now using it just to watch me get spun up. My continued snark is clearly a Best Practice because I keep doing it despite evidence that it doesn’t work.

I’d love to hear your experiences. What are proven or effective practices for getting people to stop using the term?

15 comments on "Best Practices for Defeating the term “Best Practices”"

  • Ray says:

    Sounds like you’re looking for a Best Practice in behavioral modification… LOL

    “There is empirical evidence that CBT is effective for the treatment of a variety of problems, including … psychotic disorders.”

  • Jay Jacobs says:

    As much as I wholeheartedly agree, I’m afraid it may be an exercise in futility. It’s like trying to stop all facial tissue from being called “kleenex”. Or perhaps more like trying to prevent people from referring to all fields of cryptography as “encryption”.

    That being said, there may be hope, but not in trying to correct the term one usage at a time… perhaps if there were an alternative. If we had some other methodology to follow (other than prescriptive control statements), we may refer to that separate approach by a new name. In other words, the problem isn’t that we call prescriptive controls or common techniques “best practices”, it’s that this is the “best” (safest) thing for vendors/practitioners to follow. It’d be easier to create a new approach and name it correctly from the start rather than trying to nudge over a moving freight train.

  • I have an idea. How about “good practices”? Failing that, maybe “practices that are a little better than the ones we currently have because they pretty much suck”?

  • Patrick Florer says:

    Use of the word “best” implies some sort of comparative process between three or more alternatives.

    I am pretty sure that such comparative processes do not exist.

    So, my vote is for “good practice” – it’s the term I use when I talk about these kinds of things – assuming that the given practice seems to me, and/or to others, to be “good” in the first place.

  • Mikel Gore says:

    Start saying “best guesses” instead.

  • Rob Lewis says:

    I recall that your discussion of the term in your book was very good (mentioned it in my review actually). Some posted comments almost cast the term as a misnomer since best implies good. If a best practice is really just the least sucky option, it may be the best choice available but it may actually be not very good at all. To keep the term is just to reinforce denial about how bad something really is, in the extreme case.

    If you go the opposite direction with something like “best stop gap measure in lieu of something that actually works”, people may have more realistic expectations when something fails, but they might not be too excited about buying in.

    You might just be stuck with the term for the collective group think of the “herd”. Right now it translates into “no one can blame me if I do what everyone else does and something goes wrong”. There may be a point when improvements to the security model and new technologies really will make practices “best”, and you won’t have to change the term back again. 🙂

  • Tom Brennan says:

    A “Best Practice” is a measured accomplishment. Past results are not necessarily indicative of future results, as what worked for X may not work for Y.

    Insert: __

    But if you have a collection of information such as this, it’s a good start for unique business situations (they are all unique btw or everyone would be a CEO).

    So perhaps best practice is a starting point, and if there were a place for reviews like this, then you could help the community with a short list. For many execs I know.. I have already written more than they will ever read (I passed my 3 bullets already).


  • Nick Selby says:

    What then of the term “Best of breed,” for which users should be flogged with a bullwhip?

  • Derek Miers says:

    I have a “best practice” for washing dishes, so does my girlfriend and ex-wife – all approaches are mutually exclusive!! Go figure.

  • Russell says:

    Unfortunately, nothing short of a conceptual “neutron bomb” is going to get rid of the “best practices” meme. The “best practices” meme is deeply entrenched in the MBA curriculum and in the professional societies associated with industrial engineering, quality, and management.

    Nothing short of a Harvard Business Review article by a Wise Man of management will reveal that the Best Practices Emperor Has No Clothes.

    Within Information Security, it may be possible to attack the meme more tactically, by aligning major institutions: SANS, ISACA, ISC2, NIST, CSO, CERT, the Industry Coordinating Committees, and the major consulting firms. Once all (or most) of those institutions reverse course on “best practices”, then the rest of the industry might follow, especially if the meme is replaced with something more attractive:

    “Evidence-based Security”, anyone?

  • I’ve often said that the term “best practices” implies a one-size-fits-all approach to security. Best practice for whom?? I’ve railed against it in the past, especially when it comes down from upper management. I do believe being aware of the general consensus is always warranted, but that should not be the only driver in decision making. Organizations should make security decisions due to their own evaluated risks and requirements, not just because NIST or Gartner says so.

  • Jody Keyser says:

    Great comments, maybe “Common Practices” is more accurate. I also like Mikel’s “Best Guesses” and Nick’s “Best of Breed” bullwhip comment. Yes Russell, I’ll give a nod of approval for “Evidence-based Security”… how about “Defensible Risk Analysis”?

    Jay makes a good point – “It’d be easier to create a new approach and name it correctly from the start rather than trying to nudge over a moving freight train.”
    OK, how about “FAIR Practices”?


  • Neil Wheelwright says:

    I fully take the points made, although I think nobody will change anything as it is too deeply embedded in the language and attitude of the business world. Indeed, because of that, I have found the phrase useful – If I describe a proposal as being in line with ‘Best Practice’ it is more likely to be accepted by management than ‘I think this is a good idea’……

  • Rob Lewis says:

    Good commentary on the term and practice in this Cyber Secure Institute white paper by Thomas McMillen.

  • Jeremy Wilde says:

    I use ‘compliance’ in as much as it’s not security.
