Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers.

He brings up a favorite subject of mine, best practices:

Essentially best practices are a bunch of smart (hopefully) guys sitting around in Gartner, Forrester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place.

I hate to dash his hopes, but it turns out that’s not really how things work.

I break best practices into three categories:

  1. Analyst best practices: What we white-coat dudes who don’t work for a living come up with as best practices. These are the more aggressive, forward-looking best practices that probably don’t reflect your operational realities. Basically, it’s what a bunch of industry experts think everyone should do, not that they (we) actually have to do it. Analyst best practices will make you really fracking secure, but probably cost more than a CEO’s parachute and aren’t always politically correct. Maybe 2% of enterprises (and probably far fewer) adopt comprehensive analyst best practices, but a lot of you pick and choose and implement at least a few.
  2. Industry best practices: These are the more formal best practices that more closely align to operational realities: ISO standards, the NERC/FERC CIP standards, PCI, etc. More measurable, more auditable, and, while hard, more operationally realistic for most organizations. Let’s guess and call it 20% of enterprises, mostly large, that really hit the full spectrum of industry best practices. Thanks to compliance I expect this to rise significantly over the next 2 years. Some industries, like financial services, are better than others. Industry practices never represent the cutting edge, but they are the foundation stones of a good security program.
  3. Common practices (what everyone is really doing): When most people ask about best practices, they really just want to know what everyone else is doing. It’s a dumb approach, but they figure as long as they don’t fall too far behind they won’t get in too much trouble when it hits the fan. Being a follower in security isn’t always the best idea; most crimes are crimes of opportunity. It’s the virtual equivalent of walking around a parking lot and seeing who left their car door unlocked, rather than picking that hot Beemer and figuring out how to bypass all the extra security. But the entire Internet is that big parking lot, and the bad guys can scan anonymously, at will, without anyone noticing them lurking around.

Just because someone else is doing something doesn’t make it right. Especially when everyone faces equal threats, never mind some of the industry-specific threats.

Best practices are not best practices. It’s another term we tend to overuse without really delving into the meaning.