How should best practices be developed, who should be involved, and how are they shared in a manner that will make them most credible?

My answer to the question was long and rambling.

Your question assumes that these decisions are best made using a top down organization where certain select few experts decide what should and shouldn't be. I am not going to debate that point; I just want to highlight a hidden assumption and offer a different way.
Humans as a species work from a bottom-up thought process. We, as social animals, watch and emulate others. We form opinions of others based on our past experiences with them or through a network of trusted opinions of others that we call someone's reputation. When someone whose reputation you respect offers an opinion about a way of doing something, you will at least consider it. The idea itself has a certain fitness depending on its ability to solve the problem at hand. The ideas that are the fittest tend to get passed on and those that aren't - don't. The fitness of the ideas that people recommend operates in a feedback loop affecting the reputations of those that pass them on; individuals who consistently pass on fit ideas gain a reputation as an expert in their field, and so on. Since human society is a scale-free network, certain ideas hit a tipping point of acceptance where the aggregate reputation of the individuals passing on the idea outweighs any fitness of the idea itself. For example, the increase to my reputation when I pass on a fit idea is 1 to 1, while the potential decrease to my reputation from passing on an unfit idea is 1 to n, because the loss in reputation is diluted among everyone passing on the idea. This effect could be seen in the saying "No one ever got in trouble recommending IBM," which became "No one ever got in trouble recommending Microsoft."
So what are best practices? They are nothing more than the collection of ideas that have exceeded some threshold of saturation in the scale-free network of human society. Does that make them good? Sure, at a minimum they survived and outcompeted the competitor ideas that died off. The whole survival-of-the-fittest thing. Are they the best solution to your specific problems? I wouldn't bet on it.
The answer isn't to decide who should create best practices. The goal is not to base your security program on them at all. Your program should be based on a sound risk management framework that objectively measures the risk that business decisions carry and selects the fittest controls to reduce that risk to acceptable levels.
I am a convert to the Factor Analysis of Information Risk (FAIR) framework. Measuring and selecting solutions based on actual needs is always better than playing the keeping-up-with-the-neighbors game.
The fundamental point I keep making is that this computer stuff isn't new. All we are doing is continuing the same old human nature with new tools.