Edge: What have you changed your mind about?

The thinktank/website Edge.org has been asking annual questions for a few years now. Here is the latest:

The Edge Annual Question — 2008

When thinking changes your mind, that’s philosophy.
When God changes your mind, that’s faith.
When facts change your mind, that’s science.

WHAT HAVE YOU CHANGED YOUR MIND ABOUT? WHY?

Science is based on evidence. What happens when the data change? How have scientific findings or arguments changed your mind?

So, folks out there in the security world, what have you changed your mind about and why?

I have changed my mind on a number of things – perhaps most significantly, I no longer believe that security is more about "process than product" – by my interpretation, that means that I no longer believe that the quality of administrative processes is more important than inline security mechanisms that directly influence online activities.

The latest question in my mind revolves around the notion of "best practices." It is unnerving to me that our profession can lean so strongly (?) in favor of security being an art and not a science. It seems like this disposition is strong enough that security professionals may be okay with, say, a dozen different security pros coming up with a dozen different protection profiles given the exact same scenario.

I used to make fun of best practices simply because I thought of them as "best theories" in the vein that they weren’t actually implemented anywhere. My new notion of best practices are those security activities that optimize risk – as described and validated through data collection. I think it can be done. I hope you do, too.

Happy New Year.
