The Truth About Best Practices

An article on LinkedIn entitled “The Truth about Practices” started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation" ("If you must have a policy manual, reprint the Ten Commandments"), or "Catch-22" (about the nice "tidy bomb pattern" that unfortunately failed to hit the target), in support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to confuse a speedometer and a motor.

However, not everyone in the group agreed with our skepticism or with the observations of the article's author.
One asked:

And Anton, aren’t the controls you advocate so passionately best practices?

NOT. Make that *N*O*T*!*!*!  Even allowing for the lowercase!

“Best practices” is an advertising line of self-aggrandizement invented by the Big Name Accounting Firms when operating in Consulting Mode.

Their economic model is to come up with one ‘analysis’ and one set of recommendations, then use a mail-merge-like customization of the report for each customer, converting ‘consulting’ into a mass-production product rather than one that needs individual attention and individual, and therefore more expensive, work. Yes, it makes economic sense for them. No doubt for some clients any advice is better than none, so a ‘one size fits all’ approach won’t actually cause harm.

However, as Alan says, the “tidy bomb pattern” that unfortunately failed to hit the target is an apt description.

The flawed assumption is that ‘one size fits all’. Well yes, Lycra swimming suits and panty hose will fit women of many sizes because Lycra is both stretchy and supportive, but ‘best practices’ are not Lycra. What is good for one company may be irrelevant for another and destructive for a third. Much of what Peter Drucker wrote pre-dates the use of this phrase, but from his earliest writings he makes the point that consultants have to look at what is, and not try to fit companies onto the Bed of Procrustes.

I’ve long said that there are no such things as Best Practices; there are only good (please note the lower case ‘g’) practices, and what is good for you may not be good for me. We recognize and accept this in other aspects of our lives.

The “Best” fits in with marketing in true Madison Avenue style; why should anyone want anything other than *The* *Best*?

Controls are about business, and controls should only ever reflect risk analysis and be part of risk management.

I came into audit from IT operations. Luckily I had enough business knowledge to accept without argument the idea that as an auditor it was not my job to fix things, but to report to management on the threats, vulnerabilities and risks; it was up to management to decide which risks they would accept and which they would remediate by implementing controls.

Read that again: it wasn’t my business, either as an auditor or in IT operations, to make that decision. Management makes the decision where to allocate budget, what risks to accept and what risks to manage. In operations I might make detailed operating decisions within those instructions — that’s what a management hierarchy is about. Different businesses may be subject to the same market forces, but that doesn’t mean they should all respond in the same way. Each one will want to, and need to, address its ‘competitive advantage’ in a different way. That expression of difference is what the market is about.

I’m known to many practitioners for the line

Context is Everything

and that is what applies here. The controls that need to be applied, for example in an ISO-27000 framework context, may be described in broad-brush terms in the Annex to ISO-27001, but the detailed Statement of Applicability for any particular scope at any particular firm (and any point in time) may pick and choose from them and, further, may decide to implement the controls in different ways.

Yes, you may call “making use of ISO-27000”, or COBIT, NIST, FAIR or FMEA, a “Best Practice” in the sense that it's better to make use of them than not; but the idea that ISO-27K is the best, that it is better than NIST or FAIR or FMEA or COBIT — or ranking them in any order — completely misses the point.

The root idea is that the Big Name Accounting and Consulting firms know what is best for you. Personally, I think that kind of paternalist arrogance is unfounded.

You might want to read “Dangerous Company” — there’s a review at

There are, however, Baseline Practices. These are, basically:

  1. Comply with the law
  2. Do a risk analysis
  3. Base your controls on the risk analysis

Donn Parker expounds on using these principles in practice. From them he derives a set of controls that you should use as a baseline. This is no more outrageous than recommending wearing an overcoat in the rain or warm clothes in cold weather. It's better described as ‘prudence’. If you’re connecting to the Internet you need a firewall. Don’t download that executable just because you got mail saying that you’ve won a lottery you didn’t even know about. Prudence.

If you want to call widespread prudence “Best Practices” to inflate the idea and impress less critical minds than this august (yes, it's still August) body, then go ahead; I can’t stop you. But don’t attribute the idea to me.


About the author

Security Evangelist