In Cybersecurity, Best Practices Are The Worst

May 29, 2020, 07:20am EDT | 484 views
Itzik Kotler, Forbes Councils Member
Forbes Technology Council COUNCIL POST | Membership (fee-based)
Innovation

POST WRITTEN BY

Itzik Kotler
Co-Founder & CTO at SafeBreach. I'm a father, husband, hacker, open source enthusiast and entrepreneur.


Clichés are overused, and they tend to be broad generalizations that contain kernels of truth. They are convenient, often colorful phrases offered as unoriginal descriptions of things or nonspecific responses to situations. We’re all familiar with clichés, and we all use them often (that’s how they become clichés). For example, we might say, “It’s not rocket science,” when we mean that something is not difficult or, “It’s like herding cats,” when something is.

In casual conversation, clichés are mostly harmless verbal shorthand. But in business, where clear and precise communication is necessary to lead teams and achieve goals, clichés can be confusing, counterproductive and even dangerous. This is especially true when used by people who want to sound informed but who have no idea what they are talking about. Such individuals will brandish a cliché with smug bluster, leaving subordinates confused and intimidated. After all, if everyone is expected to know what the cliché means, who wants to be the one to ask for clarification and reveal themselves as being uninformed?

One of my least favorite clichés is the term “best practices.” What does that even mean? In my experience, it can be translated as, “I have no idea what to do in this situation, so I’ll say ‘best practices’ and pray someone else does — and that things work out.”

I like what retired U.S. Army Colonel Gregory Fontenot said on the matter: “When you hear ‘best practices,’ run for your lives. The Titanic was built with best practices. It was faithfully operated in accordance with best practices.”

Just as Colonel Fontenot observed with the Titanic, every organization that ever fell victim to a hacker or suffered a data breach due to human error was likely following best practices. Data security laws, such as Europe’s omnibus General Data Protection Regulation (GDPR), require best practices as a minimum standard for compliance. And with the increase of malicious activity related to the COVID-19 pandemic, a lot of well-meaning people are recommending that organizations pay attention to best practices to avoid falling victim to a cyberattack or scam.

It sounds good, but whether you are at the helm of a transatlantic ocean liner or leading an enterprise security operations team, best practices don’t cut it and will eventually lead to a disaster. Instead, when you are designing a security program for a specific company, threat or network configuration, you need specific practices that address whatever situation your enterprise faces and that will remedy your specific vulnerabilities. There will always be a best course of action to take, but it may be different tomorrow than it is today.

Why? Because your organization’s cyber risk posture is not static. The configuration of your enterprise IT infrastructure is always changing, as are the circumstances affecting the employees.

Consider your sales staff. Best practices say that “security is everyone’s job,” but if that were really the case, we wouldn’t need risk managers or CISOs. Your salespeople are out trying to build your company’s revenue. They might be in your main office in Topeka meeting with the sales manager today and working from a cafe near their home in Burlingame tomorrow — all while getting ready to pitch a prospect in Vancouver before flying to Wenzhou to meet with a major customer. Those four locations present very different risks for your organization.

So while that salesperson is hustling to land new business, even if they know not to connect to the internet through an unknown Wi-Fi access point, they can’t reasonably be expected to understand the nuances of the threat landscape in each location — or why the public infrastructure in a place like China is inherently more risky than it is in Canada or the U.S.

Protecting that salesperson — and every aspect of your enterprise — means keeping track of how each change affects security. It requires knowing the weaknesses in your systems and infrastructure, understanding the tricks of the adversary and closing the gaps before they are exploited. That means planning, testing and applying what works, and then reverse engineering attacks to understand how they might succeed against your defenses and taking actions designed to meet your specific needs — and repeating the process constantly.

If that sounds like applying best practices, it is. The difference is doing the hard work it takes to know exactly what is needed within the context of your organization’s situation and putting that knowledge into practice versus doing things that worked yesterday and hoping they work again tomorrow. Because if you aren’t intimately familiar with your organization’s IT infrastructure, the types of attacks you are likely to face, the most up-to-date threat intelligence and adversarial strategies, and whether your organization is vulnerable to likely attacks, you don’t stand a chance against a determined foe and can’t direct your team in a meaningful way. And it means you can’t possibly be clear when conveying directions to those tasked with keeping the enterprise safe.

When you track cybersecurity news, you notice that a lot of well-known and respected companies get hit by data breaches. It’s probable that most of them were following best practices when they discovered the breach. The problem is that when you do only what is required, you aren’t doing enough. And when you manage by cliché, it is just a matter of time before you become a cliché.
