New Best Practice: Think
Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list.
Think.
Thank you.
Shostack + Friends Blog Archive
8 comments on "New Best Practice: Think"
Comments are closed.
Feel?
Preach on.
how about
DO!
All these people in security (consultants and practitioners alike) talk,talk,talk…. but rarely ever do. Screw best practice… got out and DO something.
My fav:
IT is always best practice to use best practices
Yes, let’s use what everyone else is doing because everyone else is doing it. Best practice find what is required for your environment and follow nickerson’s advice DO!
“Think”, indeed!
When I was at a Big 4 consulting firm, I learned to cringe when I heard “best practices” from either my co-workers or when it was requested by clients. I came to realize that there was no vetting process what so ever for any “best practices” and that it was nearly always sought as a substitute for thinking, as if to say “Why should we think about this when we can just borrow/steal the thoughts of other people.”
Plus, “best practices” give everyone involved a giant fig leaf to cover up their lack of insight, originality, or systematic understanding. It is especially attractive to upper management to cover up their lack of understanding of technical issues.
Amen.
Practice what you preach and advertise this best practice any chance you get:
http://remogeneralstore.com/pages/popupSS.cfm?plu=1290&start_image=1
Yours wearing his red on black THINK t-shirt right now (casual Thursday for some reason),
Saso
My best practice:
Use “effective practices” rather than so-called “best practices”.
Of course, you will need proof to declare one “effective”.
What? I am too busy implementing best practices to take on any more requirements like ‘Think’. Unless there is a compensating control for that, you’ll just have to come back later.