Wednesday, April 23, 2014

Best Practices - The Only Thing Worse Than Compliance

There's only one thing worse than hearing a CISO talk about their organization's culture of compliance. There is only one thing which makes compliance sound like a worthy goal. There is only one thing that makes my skin crawl when someone in an enterprise security role brings it up.

That one thing is hearing a CISO proudly announce his organization's adherence to "best practice". What does that even mean?! Let's ask Wikipedia-
"A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark."
That definition makes sense. Except ... in security every organization is just different enough so that what works great for one enterprise, will likely fail miserably for another. I know everyone believes their enterprise is a special snowflake, and that ultimately none of them are that different - but there are enough differences such that the term best practice is almost meaningless in my humble opinion.

What makes this whole matter worse is that while the security community laments the notion that enterprises are largely made up of static defenses, their adversaries are highly dynamic. Make no mistake - your adversaries don't follow "best practice" when it comes to penetrating your weak defenses. They scout you, identify a weakness, and exploit it. Done.

Here's why this all makes me so nuts-

Rather than understanding their own organization and developing a dynamic security strategy which is both implementable and effective, many CISOs hide behind "best practice". It's a mindless thing to do, and you're essentially saying "Well it [supposedly] works elsewhere, so why think for myself?" You're probably wrong. What works at company A may not even be applicable at company B. What's worse is that "best practice" has been largely taken over by marketing departments and made into a buzz-term. This fact virtually guarantees that any value the term best practice had left is now gone.

Here's a fantastic example- One CISO told me that her organization follows best practices when it comes to patch management. When I asked what that meant, she answered that they apply critical patches within 7 days, and other criticality levels accordingly. This puts considerable strain on her large infrastructure, not to mention the relationships with her peers who manage systems and servers for the organization. Full compliance with a 7-day window isn't a trivial task. It gets even more interesting when you consider the industry they operate in. Her enterprise IT resources are significantly more "disconnected" than others out there, and they are much more static and averse to change. A 7-day window is, I would argue, not desirable in her line of business ... but hey, it's best practice, right?

What really makes me nuts about the use of "best practice" is that you're essentially trying to hide behind someone else's work. When it succeeds, it's brilliance, and you get to pat yourself on the back. When it fails, you blame someone else, or the failure of a best practice, and move on.

My advice? Think for yourself, and do your own analysis. Maybe one of the best practices someone is trying to convince you of will work for you - maybe not. Odds are, though, that you have to think for yourself and be held accountable for your analyses. Don't aspire to what allegedly works elsewhere... there is no safety in groupthink.