Sunday, August 25, 2013

Best Practices: Built-In Security Failure

Years ago, Intel hired me to do hardware-related work in semiconductor fabrication, as part of a group called 'Improvement Engineering' in what was a hole in the New Mexico desert. So, yeah, it needed a lot of improvement in order to become the cleanest clean-room on earth.

We didn't use the term Best Practices, which is so prevalent in the compliance (I did not say Security, as they are emphatically not the same thing) industry of 2013, and you shouldn't either. Best Practices implies received wisdom, and slow responses to rapidly changing threats. We spoke of BKMs, or Best Known Methods. The 'Known' cannot be emphasized enough. It implies a seeking, driving, dynamic approach that is often lacking today; it implies currently Unknown Methods, waiting to be discovered by motivated, data-driven people.

Examples of where it has been proven that there can be no better way (from hardware, software, or procedural perspectives) are rare. This is fertile ground. More specifically, it drives Continuous Improvement, and various other all-too-corporate buzz phrases, past and present, into corporate culture.

The Best Practices approach demonstrably is, and has been, failing, by every available metric. Emphasize that, take a data-driven approach, and reward those who demonstrably improve the state of the Best Known Method.


Thanks for your comment; communities are not built without you.

But note that comments on older posts usually go into a moderation queue. It keeps out a lot of blog spam. Weird links to Web sites hosting malware, marketing nonsense, etc.

I really want to be quick about approving comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.

If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.