Jeff Atwood has a post up titled Don't Reinvent The Wheel, Unless You Plan on Learning More About Wheels.
Go read it first. The comments too. Go on, I'll wait.
.
.
.
.
.
Welcome back! Good post, huh?
First, I agree with Jeff that there are times when it is more important to figure something out for yourself. Second, I also think there are times when re-use is the right way to go. That brings us to Information Security.
We have all these "best practices" and standards flying around that people are always pointing to and saying you should do THAT.
There are instances where this is completely true. If you are subject to PCI DSS requirements then you really ought to adhere to the requirements. Unless you want to pay fines and such.
However, if you aren't, does it really make sense to apply those requirements to your networks and systems? It might, but then again, it might not. The exact same thing can be said for ISO:27002.
This is where re-inventing the wheel comes in.
We must examine our businesses and make sure that we are not just plugging in the accepted standards and "best practices" without understanding whether they matter in our environment.
Our job as information security professionals is to maintain the Confidentiality, Availability and Integrity of the data under our care. As such, we must make sure we do so with a full understanding of what that data is and how the business uses it. Implementing policies, processes and technologies exactly the same way everybody else is doing it is not the way to effectively use our resources.
I fully support the use of standards and "best practices" and believe that PCI DSS, ISO:27002 and other standards and requirements are good things. We just need to be careful that we are paying attention when we use them.
What say you?
-Kevin
Kevin — Great post. Our value as professionals DOES NOT come from following best practice checklists. It comes from our ability to effectively evaluate the challenges we face and correctly determine whether a checklist (or which checklist) is the right approach for that problem, or whether we need to vary from the checklist. It also comes from our ability to explain why a certain approach is the right one.
Something else we sometimes seem to forget is that advancement comes from questioning/challenging status quo and “conventional wisdom”. A snippet from T.S. Eliot woke me up to this:
“…and the end of our exploring will be to arrive where we started and know the place for the first time.”
Thanks,
Jack
Thanks Jack.
Nice post. Applicable even for us non-programmers.
You bring out the justification for a risk-based approach to security. The important activity is to make decisions on best practices, not to follow them without thought. I like to quote Rush (the rock group), “If you choose not to decide, you still have made a choice.”
Cheers,
Ron W
P.S. Your 2nd to last paragraph should start with “Our” not “Out”
Ron,
A) Thanks for the comment and B) thanks for catching the typo, hate it when I do that
It’s fixed now.
Agree with your quote completely. I have made similar statements many times.
Kevin
Kevin,
I concur! “Best Practices” are seldom scientifically validated and thus why they are not called proven practices. They usually fall apart at “well it seems logical”.
Building a relevant system of internal controls based on the goals of the company may be reinventing the wheel, but it is the ONLY way to make sure you can actually meet those goals (by using the controls to instrument your success or failure) AND comply with the regulation du jour.
High performers actually use fewer controls in many cases... they just do the hard work of defining their own wheel (read company goals) and building the right system of internal controls to manage the wheel (read brakes, steering wheels etc.).
my .02
Kevin Behr
Richard Feynman – one to be emulated, I might add – thought everything should be done yourself for the very sake of learning it thoroughly. This approach (coupled with his creativity and genius of course) caused him to glean things others never did, and to derive certain duplicate results, which were considered monumental when first discovered.
When tutoring his sister in astronomy, he taught her to go through every single page of her material. The minute she started not understanding, he instructed her to go back and start from the beginning.
All of that may sound inefficient (and in some cases it’s impossible), but just think of how well you will have learned what it is you were studying when you _do_ get through the material.
Kevin,
Thanks for the comment. I particularly like this part “..they just do the hard work of defining their own wheel.” Very true words.
Dennis,
Thanks for the comment. Richard Feynman was an incredible person. He excelled at everything he tried from physics to playing the bongos. Time reading his writings and the writings about him is time well spent.
Kevin
I’ve got trouble viewing your blog properly with the most recent release of Opera. Looks fine in IE6 and Firefox though.
@Stephen,
Thank you for the information about Opera. I apologize for any issues you may be having. I will look into it when I get a chance.
Kevin