In Cybersecurity, Best Practices Are The Worst
POST WRITTEN BY
Itzik Kotler
Co-Founder & CTO at SafeBreach. I'm a father, husband, hacker, open source enthusiast and
entrepreneur.
One of my least favorite clichés is the term “best practices.” What does
that even mean? In my experience, it can be translated as, “I have no idea
what to do in this situation, so I’ll say ‘best practices’ and pray someone
else does — and that things work out.”
I like what retired U.S. Army Colonel Gregory Fontenot said on the
matter: “When you hear ‘best practices,’ run for your lives. The Titanic
was built with best practices. It was faithfully operated in accordance with
best practices.”
It sounds good, but whether you are at the helm of a transatlantic ocean
liner or leading an enterprise security operations team, best practices
don’t cut it and will eventually lead to a disaster. Instead, when you are
designing a security program for a specific company, threat or network
configuration, you need specific practices that address whatever situation
your enterprise faces and that will remedy your specific vulnerabilities.
There will always be a best course of action to take, but it may be different
tomorrow than it is today.
Why? Because your organization’s cyber risk posture is not static. The
configuration of your enterprise IT infrastructure is always changing, as
are the circumstances affecting the employees.
Consider your sales staff. Best practices say that “security is everyone’s
job,” but if that were really the case, we wouldn’t need risk managers or
CISOs. Your salespeople are out trying to build your company’s revenue.
They might be in your main office in Topeka meeting with the sales
manager today and working from a cafe near their home in Burlingame
tomorrow — all while getting ready to pitch a prospect in Vancouver
before flying to Wenzhou to meet with a major customer. Those four
locations present very different risks for your organization.
If that sounds like applying best practices, it is. The difference is doing the
hard work it takes to know exactly what is needed within the context of
your organization’s situation and putting that knowledge into practice
versus doing things that worked yesterday and hoping they work again
tomorrow. Because if you aren’t intimately familiar with your
organization’s IT infrastructure, the types of attacks you are likely to face,
the most up-to-date threat intelligence and adversarial strategies, and
whether your organization is vulnerable to likely attacks, you don’t stand
a chance against a determined foe and can’t direct your team in a
meaningful way. And it means you can’t possibly be clear when conveying
directions to those tasked with keeping the enterprise safe.
When you track cybersecurity news, you notice that a lot of well-known
and respected companies get hit by data breaches. It’s probable that most
of them were following best practices when they discovered the breach.
The problem is that when you do only what is required, you aren’t doing
enough. And when you manage by cliché, it is just a matter of time before
you become a cliché.