Jeffrey Wheatman here. About a decade ago a client told me a story…

Mary, who will hopefully forgive me for telling her story, was, and in fact, still is, an experienced, wise, successful CISO. She said this actually happened and I have no reason to doubt her. After all, if you can’t trust a CISO, who can you trust?

It was a sunny Easter morning, and many members of the family were preparing for their annual multigenerational feast. Mary oversaw the main course, the Easter ham. As she had done for 20 years, she cut the ends off the beautiful, gigantic, soon to be sweet and juicy, heritage ham and placed it in the roasting dish. Mary’s daughter saw this and asked her mom why she cut the ends off the ham; Mary thought for a moment and said, “gram always did so, let’s go ask her.” And they did. Gram pursed her lips, paused, and responded, “I learned all my cooking from noogie (this is apparently what great grandma was called – don’t ask me, I just work here), let’s go ask her.”


The three generations strolled over to 98-year-old noogie, who was sitting in an easy chair, sipping her glass of cheap gin and vermouth, looking proudly at the family over which she was reigning matriarch. Mary knelt beside noogie and asked her — rather loudly, as noogie’s hearing wasn’t what it used to be and no matter how many times they asked her, she refused to get ‘those pesky hearing aids’ — “noogie, why did you always cut the ends off the Easter ham?” Noogie sipped some of her very, very, very dry martini and said in her creaky old voice … “we were very poor … we only had one roasting dish … and that big ol’ ham didn’t fit in the dratted thing,” and looked at her daughter, granddaughter, and great-granddaughter like they had two heads, and debated whether it had been a good idea to have kids in the first place.

Tl;dr Mary was cutting off the ends of the ham for no reason other than the simple ‘it’s always been done that way.’

Why, you may ask, did I tell you this story?

Best practice is a common concept in the field of cybersecurity (and other disciplines), referring to a set of actions and activities that have historically been thought effective at fending off attacks, and at responding to those attacks that do succeed.

There are several reasons why using best practice is often not terribly useful:

  • Times change, problems change, and technology changes. Is it wise to continue to depend on the same answers?
  • Just because ‘everybody does it’ doesn’t mean that it works well, or at all.
  • Even if it works for some organizations, it may not be best for your organization.
  • The concept that adhering to best practice gives you defensibility is slowly but surely going away.
  • Best practices are often overly simplistic and prescriptive and aren’t always practical or achievable.
  • And finally, best practices are rarely, if ever, aligned with risk-based decision making.

Back to the parable of noogie. How many of you are spending time, human capital and money on cutting off the ends of the ham decades after you were able to fill your cupboards with more pots and pans than you know what to do with?

Say NO to best practices.

Say YES to risk management.

Stay safe, stay healthy, stay secure.
Wheatman, out!