Linda Stutsman, formerly of Bank of America and now with I-4 / Getronics, weighs in on the notion of best practices in security (among other things):
I don't believe in best practices.
"Best" is contextual. What is a best practice for one organization may not be a best practice for another. In one industry it might be a best practice but for another type of company it might not work or it might be overkill. Members consider what their colleague organizations have done that's new or different compared to what their own approach to related situations has been and apply the thinking within their business risk tolerances. I believe each company has to take the best of each solution and customize it. There may be a best practice within an industry but it's tough to go across industries.
When I first read the headline of this article, my initial reaction was one of agreement. I have been railing about best practices actually being best theories for years now - that is, that the activities that people (e.g. auditors) suggest are best practices are not actually applied anywhere, they simply sound like the strongest control possible in a given situation.
But there is a larger problem here. On a different level, there must be a way to define something that is a best practice, else this really implies that the entire security profession is essentially winging it. Now, that might not be far from the truth, but surely we must have a better handle on this than "no such thing" implies... right?
In one regard, we see best practices all the time - in the compliance audit. If auditors don't have a sense for what is "best practice" how could they audit to any particular standard? It happens that I don't necessarily believe that the things folks suggest are anything more than old wives' tales, but certainly there are standard practices that are repeated over and over again...
Perhaps folks are starting to consider the "scientific" aspect of security management and want to define best practices based on optimized risk - the minimization of risk given a certain set of resources. I doubt it, but I can hope, can't I?
The notion of best practices takes on a different meaning when you control for risk tolerance and resource availability, as was the case in a recent Chicago CISO roundtable I participated in. While there, some folks suggested that they needed 2-3 years just to get "their" security program implemented. Again, I was struck with the notion that there really shouldn't be much need for variability, particularly in situations where nothing else changed (risk, budget).
So I am stuck agreeing with the idea that there is no such thing as best practices, but I also believe there really should be such a thing. Who doesn't want to have a program where they are doing the "right" things? And how can auditors perform an audit without best practices?
They must exist, we just need to identify them.