What was your reaction to Allen Gwinn’s article on industry best practices? (https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?rl=1)

CIO in Manufacturing, 4 years ago

Gwinn’s article refers to the idea of best practice, but if you unpack that, does it mean all best practices or certain best practices? Because I don’t know that it’s helpful to have all best practices in place. For many small or mid-size organizations, having all best practices in place is logistically almost impossible. Where we do have best practices in place, they definitely work. It's a matter of integrating things that we're not thinking about or doing, things which generally catch us off guard.

Member Board of Directors in Finance (non-banking), 4 years ago

Gwinn’s article talks about best practices without defining them—I wouldn't call what he describes in the article best practices. His experience is one-sided, and he paints everything with a broad brush. I’ve worked in organizations that invested a lot in automation and technology that helped quite a bit with protection and investigation, so I couldn't understand why he thinks that everyone has these outdated business processes and systems. I'm sure there are plenty who do, but that isn’t best practice. I just don't think that Gwinn’s article can be broadly and practically applied in our technology environments. He could have talked about how to create more effective oversight instead of saying all best practices are bad.

Board Member, Advisor, Executive Coach in Software, 4 years ago

If robustly followed, I see best practices as a way to mitigate the common issues that trip us all up. It's like a pilot going through the checklist before they take off. The Checklist Manifesto was written by a doctor when he stepped back to look at why people died in operating rooms, etc., and he saw that people weren't following “best practices”. The book argues that the power of checklists is that they allow you to go into an autonomic mode so you don't miss the steps we all tend to overlook when we're running fast. So I believe in the power of best practices and standards. The term best practices was loosely defined in the article, but I define it as the CIS top 18 controls, the cybersecurity framework, some of those new standards. If you anchor “best practices” to standards like that, it can clear the clutter of issues that surround the substantially bad incidents.
