Linda Stutsman, formerly of Bank of America and now with I-4 / Getronics, weighs in on the notion of best practices in security (among other things):
I don’t believe in best practices. "Best" is contextual. What is a best practice for one organization may not be a best practice for another. In one industry it might be a best practice but for another type of company it might not work or it might be overkill. Members consider what their colleague organizations have done that’s new or different compared to what their own approach to related situations has been and apply the thinking within their business risk tolerances. I believe each company has to take the best of each solution and customize it. There may be a best practice within an industry but it’s tough to go across industries.
When I first read the headline of this article, my initial reaction was one of agreement. I have been railing about best practices actually being best theories for years now – that is, that the activities that people (e.g. auditors) suggest are best practices are not actually applied anywhere, they simply sound like the strongest control possible in a given situation.
But there is a larger problem here. On a different level, there must be a way to define something that is a best practice, else this really implies that the entire security profession is essentially winging it. Now, that might not be far from the truth, but surely we must have a better handle on this than "no such thing" implies… right?
In one regard, we see best practices all the time – in the compliance audit. If auditors don’t have a sense for what is "best practice" how could they audit to any particular standard? It happens that I don’t necessarily believe that the things folks suggest are anything more than old wives’ tales, but certainly there are standard practices that are repeated over and over again…
Perhaps folks are starting to consider the "scientific" aspect of security management and want to define best practices based on optimized risk – the minimization of risk given a certain set of resources. I doubt it, but I can hope, can’t I?
The notion of best practices takes on a different meaning when you control for risk tolerance and resource availability, as was the case in a recent Chicago CISO roundtable I participated in. While there, some folks suggested that they needed 2-3 years just to get "their" security program implemented. Again, I was struck with the notion that there really shouldn’t be much need for variability, particularly in situations where nothing else changed (risk, budget).
So I am stuck agreeing with the idea that there is no such thing as best practices, but I also believe there really should be such a thing. Who doesn’t want to have a program where they are doing the "right" things? And how can auditors perform an audit without best practices?
They must exist, we just need to identify them.
Pete,
The problem is that we try to tie best practices to technology and not concepts. Even saying “you need a firewall” is a technology best practice, in a conceptual sort of way. What we need to do is say “You need to ensure that your internal systems are protected from the external world.” How is that done? Usually a firewall, but that may not be the best answer in every case. Just like PCI gets fairly specific on each step, they at least leave some leeway with the “compensating controls” statements. Yes, auditors need something to compare you to, but if you can prove that what you have works, then why should you spend extra effort on something else that is considered “best practice”?
I think you could make the case that there are “common” practices or even “lazy” practices, but for the same reasons above I challenge the assertion that they are “best” or even just “good”.