Best Practice
Throughout my career in InfoSec, I must have heard the term “Information Security best practice” thousands of times. I didn’t think too much about it until recently, waving it off as a heuristic way to describe how something is “appropriately secured”, or “secured in line an industry’s expectations”.
But the term bothered me and I knew some colleagues who had a distaste for it, but I didn’t fully understand the issue. I’ve since learned some things which I think are worth sharing.
This short post will outline the ways in which this term impairs critical thinking and hampers inclusivity in our industry.
Losses in Critical Thinking
“Best practice” infers a single, most correct way of doing a particular thing. But this doesn’t make a lot of sense in information security.
There is no “best”.
All identified information or cyber security risks will be specific to each organisation, based on their assets, their asset configurations, the data being processed by those assets, and their organisational use cases.
This means that the resulting treatment or remediation plan for any given risk should consider these contextual elements. Many remediation plans might look the same (e.g., deploy the vendor’s patch to address the vulnerability), but their implementation will look very different in each organisation, due to that organisation’s unique environment.
I used the term “appropriately secured” earlier on purpose, as it infers that context-specific risks are addressed through the implementation of commensurate security controls, which are fit for their purpose.
Each security problem will have its own organisation-specific and contextually aware “appropriate” control, but these controls cannot be collated and aggregated into the book of “best” security, for all to digest and implement in the exact same way.
“Best Practice” infers that security practitioners can just look at a textbook and recommend bland and potentially useless solutions to identified risks and issues.
You can try that if you want, and to be honest if you do, you’ll probably still perform well in your infosec career, and no one will call you out for regurgitating textbook answers to problems. But you won’t create much value.
A belief that there is such thing as “Information Security best practice”, removes an information security practitioner’s need to think critically about the challenges or problems their organisation is facing.
Non-Inclusive Language & Ideas
In linguistic anthropology there is a well-regarded hypothesis called the Sapir–Whorf hypothesis. It proffers that the structure and content of a language determines a native speaker’s perception and categorization of their experience. In other words, the language that we use on a daily basis, and its underlying meaning and etymology, can and will have an influence on how we view and frame the world around us.
The point above on the lack of critical thinking in relation to this term was included as a standalone point, but also to frame the idea that the belief in “best practice”, and the use of this term promotes a potentially harmful way of thinking about the world around us. It promotes that there is only one right way to do something and a million wrong ways.
“Best practice” infers a singular correct approach each problem.
This approach leaves no space for differing perspectives, approaches, and insights.
In a middle-aged, white, and cis-male dominated industry, we risk excluding innovative and novel ways to address common and challenging security problems, through the exclusion of the approaches and people who will deliver that innovation.
We shouldn’t be promoting only one means to be secure. Instead, we should be inclusively looking for interesting and diverse new ways to improve upon existing practices.
Improving equality, diversity, and inclusion is not just the ethically justified thing to do (although that should be enough of a reason to do anything), it will also improve our industry’s approach to problem-solving, innovation, and the delivery of secure processes and technology.
What to do
To conclude, the term “information security best practice”, while invasive in our industry, can be dangerous.
We should kill it with fire.
Long live “good practices”.