Analyze this. Vince Lombardi is coaching the Packers in the Super Bowl. There are 2 seconds left in the game, with the Packers behind, 30-27, on the opposing team's 40-yard line. With time for one play, should the Packers attempt a tie with a field goal or go for a touchdown?
Lombardi could do one of two things: consult a statistician to determine what other football coaches have done in similar situations, then choose the option the other coaches chose most often; or make his own decision, based on his understanding of his players, the opposing team's strengths and weaknesses, input from his coaches, and myriad other details.
Lombardi, clearly, would have made his own decision. When it comes to information security, though, many CIOs and chief information security officers would follow the first scenario, known in the industry as information security best practices.
Best practices, however, are inherently problematic. They often don't work consistently for all organizations. Companies may justifiably deploy systems differently to conform to their cultures and their needs. Force-fitting one company's practices onto another doesn't work.
Best practices are often little more than a feel-good exercise, an attempt to show senior management that an IT manager is keeping up with the Joneses.
Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandate a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight.