On Best Practices

In the wake of every major hack or data breach, executives at the peer firms of the victim-of-the-week all wonder if what happened across town could happen to them. The answer, of course, is “yes”, because everyone is following the same cyber security best practices.

But if everyone is following “best practices” and coming up short, does it stand to reason that there might be better practices?

Roughly 15 years ago the world’s most powerful fighting force went to war in Afghanistan and later Iraq.

It didn’t exactly go as planned.

How does a force designed, trained and equipped to defeat the forces of the world’s other great armies come up so short against a bunch of terrorists and insurgents? Because it was designed, trained and equipped to fight great armies, not terrorists or insurgents. There was nothing wrong with the U.S. military except that they were waiting for the People’s Liberation Army to show up and instead they got the Taliban, al Qaeda, and militias.

Likewise companies buy and deploy technologies, and train and employ security practitioners, with specific threat models in mind, and in anticipation of specific threats and attack methodologies. They are told ‘this is how you stop X’ where X is whatever technique or vector you like. There may be other ways to stop X, but because those ways aren’t doctrine, no one does it.

If X is a best practice, and everyone is doing X and coming up short, do you think maybe it is time you tried Y to see if that’s not a more effective way of dealing with that particular problem? A better practice in other words?

For a brief time the military got to exercise their skills in maneuver warfare in Iraq, but once they won those battles they spent a long time losing. Pick your cyber security parallel: anti-virus, intrusion detection, network monitoring; they addressed a serious problem, and then the serious problems moved or changed, rendering the defense less useful. If you’re a fan of the movie The Patriot you know what I’m talking about. Cyber security best practices are like the British Army wondering why in the world these colonials and their allies don’t stand in a neat and orderly line and fight like civilized people.

I don’t know the risks that concern you, or the threats you face. What I do know is that your adherence to de facto cyber security doctrine is not going to provide optimal protection for your enterprise (or your job). If you are taking security seriously, you owe it to all parties involved to explore your options beyond doctrine in order to effectively fight the fight you are in, not the one you wish you were in. Your enemies are winning because they know your doctrine and its shortcomings. By identifying better practices you stand a chance of being George Washington, not Charles Cornwallis.