Rethinking Security Strategies: Beyond Blindly Following ‘Best Practices’

August 4, 2023

In recent weeks, I’ve been engaged in numerous conversations and attended presentations where the focus was on ‘Security Best Practices’ and the notion that everyone should adhere to them. However, it’s essential to recognize that ‘Best Practice’ often translates to merely doing what everyone else does. While it might seem reasonable to follow the majority, it’s crucial to question whether this approach is genuinely effective. Unfortunately, ‘Best Practice’ is seldom measured or scrutinized, primarily because it’s perceived as the universally accepted norm.

Now, I don’t entirely dismiss the value of these so-called best practices, as they do benefit many organizations. Yet, I believe that blindly adopting them without considering the unique needs of your specific business could lead to as many challenges as it solves. I liken ‘best practice’ to buying an off-the-rack suit; it may fit reasonably well for those of average size and shape, but it will never match the perfect fit of a tailored suit. Moreover, it fails to accommodate those who fall outside the predefined ‘normal’ standards set by the retailers.

The underlying issue is that no two companies are identical; each possesses distinct characteristics and requirements. While best practices prove highly beneficial for small to medium-sized enterprises (SMEs) lacking the resources for a dedicated security team, large enterprises with sufficient funds should demand more from their security leadership. Merely adopting formulaic toolsets followed by everyone else is not enough for large enterprises. They have the luxury of in-house security teams and should strive for tailored security solutions that align with their specific needs and strategic goals.

So, why do large enterprises still embrace best practices without much thought? There are two main reasons: ignorance and job protection. First, some organizations may simply not be aware of better alternatives. Second, adhering to best practices serves as a defense during audits and as a form of job security. For instance, regulatory bodies may not penalize a company that was following best practices when it suffered a data breach, whereas a company that employs unconventional methods must defend and justify its approach. However, when a company has thoroughly evaluated its unique needs and crafted a logical, strategic security solution, defending its choices becomes easier and more robust.

I propose a shift in perspective: technology should be the last consideration when formulating a security strategy. Instead, companies must first identify their control objectives, which can only be done by fully understanding their specific business context and strategic objectives. The next step is to assess potential threat scenarios and balance the risks accordingly. Blindly following the crowd is not the answer; rather, I encourage businesses to strive for the best solution tailored to their needs, not to embrace best practices for the sake of conformity. By doing so, security can be transformed from a hindrance into a business enabler, ensuring a more effective and proactive security posture for the future.
