The other day while having a discussion with another security professional regarding why something was implemented in a particular way, he brought out the sledgehammer known to all of us in IT. He said, “Well, it’s a best-practice.” I remember how annoyed I felt, because I realized I had to make a political choice: continue the discussion, which could become a pointless, tangential exploration of the “best practice” he was referring to, or walk away, resolving to save the battle for another day. I felt discouraged and frustrated, because ultimately nothing was resolved.
This experience was a good lesson for me, but also a bitter pill to swallow. I have to admit that I’ve been just as guilty of overusing this expression as anyone, often as a technique to end a conversation when I’m feeling irritated and want to win an argument. Since I think we would all agree that it’s become a stale and misunderstood platitude, my question is: when is a “best practice”, not?
While there are plenty of standards organizations in IT, there is no single, official, god-like regulating body that determines the universal “best practices” for all. And maybe this isn’t a bad thing. A “best practice” isn’t supposed to be written in stone like the Ten Commandments. Ideally, a “best practice” should be determined by industry guidelines or recommendations for implementation while considering the context. Unfortunately, that’s not the way it usually plays out in an organization or in discussions between professionals. Some meetings become angry battlefields of egos fighting over various standards, more like conflict in a third-world country than a technical dialogue. “Best practice” is often used like a weapon of intimidation in a discourse that degenerates into an adversarial war of words and personalities.
I’d like to offer a challenge in 2012 to all the Packetpushers subscribers. What if we make a commitment to consider our intention before using the expression “best practice” in the next conversation we have? Instead of jumping to use the phrase in an attempt to disempower the other professional and win an argument, maybe we could put aside ego and patiently investigate the assumptions on both sides. The results could be surprising. We might find we’ve missed some key information in our own analysis. Or even if we find we are correct in our assertion, we’ll allow the other person to feel heard, maybe a little better educated and we’ll avoid creating enmity with a colleague. And if someone says, “It’s a best practice” to one of us, maybe the best response is Greg Ferro’s trademarked response, “Well, doesn’t it depend?”