Friday, January 19, 2007

Practicing "Best Practices" vs Doing Good Work?

So, is this true? - "One of the major trends I have seen with some dismay is the notion that security professionals have become increasingly concerned with being able to demonstrate that they went through the steps of securing their systems from attack and less concerned with actually protecting the systems from attack."

I kinda see the same trend, but I am not sure it is entirely a bad thing. Folks who are switching to "going thru the steps" are switching from "NOT going thru the steps" and not from "actually protecting the systems." A checklist approach is good for those who didn't have any approach at all :-)

Further, he says that "Best Practices alone are the equivalent of a night watchman." Hmmm, I always thought that "best practices" is what the BEST organizations follow, not what the [dumb] majority follows. Thus, I am not sure I agree with the above "anti-best practices" stance. At the same time, I totally agree that "real security is a creative act", at least nowadays.

So, what's the overall point? Look at available "best practices", choose the right ones, follow them, but still be creative. No checklist will ever guarantee you that you will not suffer a loss ...

Dr Anton Chuvakin