The Bedel Security Blog

What is "Best Practice"?

Written by Brian Petzold | Mar 5, 2021

Over the years, I have become wary of the term “best practice” when it is applied to technology and cybersecurity. The term “best practice” is supposed to mean that what is being described aligns with the actions of the best in the industry. The problem is that in many cases I can find examples of top practitioners in an industry doing things differently.

An example I saw recently pertained to how users are named on a network. A provider told an organization that it was “best practice” to name all administrator accounts a certain way so that it was clear they were administrators, making it easier for those reviewing access reports to be able to easily pick out the administrators.

While naming users in a way that designates who is an administrator is fairly common, there are those in the industry who would state that this helps an attacker who has a user list identify the best targets and that names should never indicate administrative rights.

There are others who go as far as to say that best practice is to not even identify the user using any part of their name, but to instead assign a random identifier.

Another example was an organization that was criticized for how their risk assessment was performed. The assessment was asset-based, and for each asset the strength of authentication controls was assessed.

The reviewer stated that it was “best practice” to perform a stand-alone authentication risk assessment that looked at authentication across all assets at once. I work with many institutions and can tell you that either approach can work. Neither is the “best” approach.

In both of these cases, and in almost every other case where I hear the term “best practice”, the term is misused. If there are multiple views of how to do something among the best in the industry, these are simply opinions.

One is not right and the other wrong. The term “best practice” is usually being used to avoid having a real discussion regarding the best approach.

If you find yourself in a situation where the term “best practice” is being used and it makes you feel uneasy, ask whether they have documentation that this is the agreed upon best approach in the industry, or whether it is simply the approach that they prefer.

This might open up the conversation into other approaches to the problem.

As for myself, I did a review and did find a few places where I have described something as “best practice”. I apologize, and it will never happen again. That is my new practice. Maybe it will catch on and become the “best practice”!

If you need help finding the best approach, solution, or option for your institution's information security program, shoot us an email at support@bedelsecurity.com!

 

Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success 

Understanding Your Information Security Layers
https://www.bedelsecurity.com/blog/understanding-your-information-security-layers