Shostack + Friends Blog Archive


Wretched Term of the Week: Best Practice


This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why:

  1. Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are known for asking probing questions like “What’s your threat model?” or “What goal do you wish to achieve?” Different goals yield different practices.

    Shortly after 9/11, some physical security people I know put some physical security plans in place that many people, including me, sneered at. Harumph, harumph, it doesn’t actually improve security. It’s there just to look like you’re doing something. Some time later, one of them took me quietly aside and told me that the reason they did it was to lower insurance costs. If you’re faced with your insurance bills going up by a million bucks and you can avert that with fifty grand of security theatre, out comes the greasepaint and tap shoes followed shortly by an amateur production of songs from Chicago.

  2. Something that is best doesn’t actually have to be good. If you’re faced with having to choose between a number of bad alternatives, you still look for the best. But best implies good. Admittedly, using best allows you to weasel out of the fact that the decision sucks. In such a dilemma, least bad is better than best because it’s honest.
  3. A superlative implies that it cannot be surpassed. That makes it hard to replace a best practice with one even better. Smart people know that best is always within context, and often the time it remains superlative is shorter than the implementation time. But that word works in favor of the nincompoop with the budget. Why set yourself up to be on the defensive?

What do you say, then? Parker recommended “Good Practices,” but noted that many best practices need improvement before they can get to good. This is the problem — we’re always having to do things that may not be quite so good. Grading on the curve is an old technique, and the same budget holder who will question improving a best practice may not appreciate honesty. Some organizations use “Best Current Practices,” which manages to keep from tacitly chiseling them in stone, but still keeps the superlative, and I believe that the superlative is a problem. I think I can count the practices that are truly best on one hand once they get more complex than “look both ways before crossing the street” or “cook the popcorn for only two minutes.”

I recently heard Stephen R. Katz, another pioneer of computer security and the world’s first CISO, mention the same peeve and suggest the term “Standard Acceptable Practice.” The great thing about a term like “Standard Acceptable Practice” is that no one is going to disagree with either “We have to get this organization to follow Standard Acceptable Practices” or “We need to improve our Standard Acceptable Practices.”
Photo by andai.

9 comments on "Wretched Term of the Week: Best Practice"

  • yoshi says:

    I agree that the term “best practice” should not be used, but I don’t agree with “standard acceptable practices” either. The simple fact is that the practice chosen depends on what is most relevant for your organization.
    Or in the words of a CIO that I once worked for “Don’t care about best practices – care about what is best for this company”. (you can put this comment down but this came from a CIO who was more supportive of proper security policies and practices than anyone I’ve ever worked for.)

  • Matt says:

    I agree with your breakdown of “best practices”. But, as a security marketer, I use it a lot. When I offer a webcast or white paper with “best practices”, the expectation by the viewer appears to be that they will hear real examples of how people are doing something, not just a theoretical discussion. I don’t believe they think it will actually be the “best” – they just expect it to be somewhat more valid as it has actually been implemented somewhere, as opposed to something from a vendors white board.
    I’ve debated using “case study”, but typically a best practices discussion will involve more than one example, and not necessarily follow only one example in a lot of detail, as a case study usually does.
    “Good practices” or “standard acceptable practices” don’t mean the same thing that I mean by best practices and would not be as effective.
    I’m open to a better term – but I have not found it yet.

  • Roland Dobbins says:

    The term ‘best current practice’, or BCP has been in use for years by the IETF and the Internet operational community, and is both well-accepted and semantically inclusive of the concept of evolving practices. It serves the purpose well, and I strongly suggest adopting this construction.

  • Name says:

    I use “improved practices” or “advanced practices”, those do not sound überperfect or like recipes for braindead. Works for me.;)

  • David Brodbeck says:

    Language is a tool for communication. If “best practices” is the term everyone understands and agrees on, it’s the proper term for the job. Lots of terms are literally inaccurate but still understood. “Carbon copies” don’t actually involve carbon anymore, and people “dial” phones that don’t actually have dials on them.

  • Mordaxus says:

    Yoshi — I think you and I are in violent agreement. The CIO who wants the best for himself understands. I want to get rid of the word “best” but don’t have an um, well, standard acceptable (snerk) replacement for it.
    Roland, as an IETF person, I admire the BCP term, but again, I have a peeve about “best.”

  • In my paper on Silver Bullets, I reach a few surprising conclusions: Best practices is a standardised list that is not best, by our definitions at least, and is reached by a process that has little to do with security.
    What it means is (a) the user has not the capability to do security themselves, (b) they therefore have to pick up a list from someone else, and (c) they have to achieve protection from threats, but (d) the major threat is the threat of external fallout for breaches, not for breaches themselves, so eventually (e) they need a list that reduces fallout. Hence, (f) the ‘best practices’ arises because if everyone does it, nobody can then be “wrong” and therefore fallout is reduced to a level of comfortable non-blame.
    To sum, best practices is mostly to do with reducing fallout and only nominally to do with security. This in itself is a good goal (“preserves shareholder value”) and curiously it doesn’t stop an organisation from doing security. But, see (a) above. Best practices are the best they can do, not the best that can be done.

  • guy says:

    I discovered the following definition of best practice from WikiPractice
    Best Practice is an idea which asserts that there is a technique, method, process, activity, incentive or reward that is more effective at delivering a particular outcome than any other technique, method, process, etc. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications.
    I agree with it, but under the condition that they are dynamic: it means that Best Practices are continuously evolving to reach perfection.

Comments are closed.