Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers.
He brings up a favorite subject of mine, best practices:
Essentially best practices is a bunch of smart (hopefully) guys sitting around in Gartner, Forester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place.
I hate to dash his hopes, but it turns out that’s not really how things work.
I break best practices into three categories:
- Analyst best practices: What us white coat dudes who don’t work for a living come up with as best practices. These are the more aggressive, forward-looking best practices that probably don’t reflect your operational realities. Basically, it’s what a bunch of industry experts think everyone should do, not that they (we) actually have to do it. Analyst best practices will make you really fracking secure, but probably cost more than a CEO’s parachute and aren’t always politically correct. Maybe 2% of enterprises (and probably far fewer) adopt comprehensive analyst best practices, but a lot of you pick and choose and implement at least a few.
- Industry best practices: These are the more formal best practices that more closely align to operational realities. ISO standards, the NERC/FERC CIP standards, PCI, etc. More measurable, more auditable, and while hard, more operationally realistic for most organizations. Let’s guess and call it 20% of enterprises, mostly large, that really hit the full spectrum of industry best practices. Thanks to compliance I expect this to rise significantly over the next 2 years. Some industries, like financial services, are better than others. Industry practices never represent the cutting edge, but they are the foundation stones of a good security program.
- Common practices: what everyone is really doing: When most people ask about best practices, they really just want to know what everyone else is doing. It’s a dumb approach, but they figure as long as they don’t fall too far behind they won’t get in too much trouble when it hits the fan. Being a follower in security isn’t always the best idea; most crimes are crimes of opportunity. It’s the virtual equivalent of walking around a parking lot and seeing who left their car door unlocked, rather than picking that hot Beemer and figuring out how to bypass all the extra security. But the entire Internet is that big parking lot, and the bad guys can scan anonymously, at will, without anyone noticing them lurking around.
Just because someone else is doing something doesn’t make it right. Especially when everyone faces equal threats, never mind some of the industry specific threats.
Best practices are not best practices. It’s another term we tend to overuse without really delving into the meaning.
2 Replies to “The Three Types of Best Practices”
I have to agree with Pepper on the selections process, and with you on the breakdown of “tiers” to the establishment of industry-wide acceptance. Unfortunately, in my experience, the approach Pepper mentions, an ad hoc survey of peers, doesn’t go deep or wide enough. I wanted to comment on this article last week, but decided to wait and see what the folks at TechTarget did with some info on a project my company sponsored to solve this very problem. Since we haven’t gotten skewered too badly (yet?), here you go.
Quite simply, relying on vendors, auditors, IT, the courts, etc. is a bad way to do it, so we are establishing a place where practitioners can meet to swap controls and ideas about them with their colleagues across industries and geographic boundaries. Hopefully, we can tear down some of the walls between organizations and put a little more sanity back into the selections process.
With a little luck, we’ll all have a way to gauge where we are on the leader/laggard curve and decide for ourselves how much is enough based on our risk appetites.
Rich,
These are all pretty formal. We often discuss best practices here in an informal way. The rough translation is one of the following, depending on the specifics of the situation:
1) What do your friends in the neighborhood do? Oh, everybody keeps a hot spare per shelf? That sounds good, let’s do that.
2) What do your peers at relevant consortia do in similar situations? Oh, everybody at EDUCAUSE is trying to figure out single sign-on based on LDAP this year? So we’re going in the right direction.
3) What is the ‘industry standard’? How does the vendor suggest we secure this? What does the consultant think is the minimum requirement for this application?