When Is a Best Practice, Not?

The other day while having a discussion with another security professional regarding why something was implemented in a particular way, he brought out the sledgehammer known to all of us in IT. He said, “Well, it’s a best-practice.” I remember how annoyed I felt, because I realized I had to make a political choice. Continue the discussion, which could become a pointless, tangential exploration of the “best practice” he was referring to or walk away, resolving to save the battle for another day. I felt discouraged and frustrated, because ultimately nothing was resolved.

This experience was a good lesson for me, but also a bitter pill to swallow. I have to admit that I’ve been just as guilty of overusing this expression as anyone; often as a technique to end a conversation when I’m feeling irritated and want to win an argument. Since I think we would all agree that it’s become a stale and misunderstood platitude, my question is:  when is a “best practice”, not?

While there are plenty of standards organizations in IT, there is no single, official, god-like regulating body, which determines the universal “best practices” for all. And maybe this isn’t a bad thing. A “best practice” isn’t supposed to be written in stone like the Ten Commandments. Ideally, a “best practice” should be determined by industry guidelines or recommendations for implementation while considering the context. Unfortunately, that’s not the way it usually plays out in an organization or in discussions between professionals. Some meetings become angry battlefields of egos fighting over various standards, more like conflict in a third-world country than a technical dialogue. “Best practice” is often used like a weapon of intimidation in a discourse that degenerates into an adversarial war of words and personalities.

I’d like to offer a challenge in 2012 to all the Packetpushers subscribers. What if we make a commitment to consider our intention before using the expression “best practice” in the next conversation we have? Instead of jumping to use the phrase in an attempt to disempower the other professional and win an argument, maybe we could put aside ego and patiently investigate the assumptions on both sides. The results could be surprising. We might find we’ve missed some key information in our own analysis. Or even if we find we are correct in our assertion, we’ll allow the other person to feel heard, maybe a little better educated and we’ll avoid creating enmity with a colleague. And if someone says, “It’s a best practice” to one of us, maybe the best response is Greg Ferro’s trademarked response, “Well, doesn’t it depend?”


  1. says

    I try to avoid that phrase whenever possible.  To me, it sounds like saying, “That’s how someone else told me to do it.”  I’d rather evaluate what the so-called “best practice” is and find my way to do it.  After all, if I’m being hired only to implement a by-the-book method of doing things, what good am I?

    On the other hand, if you’d like to eradicate the “best practice” methodology, just start telling your male coworkers instead “That’s how the directions say to do it.”  After all, don’t we all hate reading (and following) the directions?

    • Anonymous says

      I prefer to use the reply ‘God told me to.’ That usually ends the conversation. Also end every phrase with ‘in accordance to the prophecy.’ That works too.

    • Adam Melong says

      Even Simpler. “Provide me the documentation and white papers describing the best practices”. IF they find it, have them evaluate how “best practice” everything really is. Self ratification is worth more than being right, and weeds out the people who talk more than walk. :)

  2. says

    I’ve been guilty of this before. You see, all of my opinions are “global best practice” and everyone else’s opinions must be proven. That’s the best part of being a consultant, you can say these things and get away with it :)

  3. says

    I treat best practice as a baseline to start from and hopefullly end up with something that is more ‘best fit’. These days especially, there are just too many technologies, vendors, “standards” and configurations working side by side to be able to define what is best practice for each playing field.

    In summary, best practices are a good place to start but are not necessarily the best place to end up at.

  4. says

    Yeah, definitely been there as well.  It’s a lot like learning the basic rules of English in order to be able to break them whenever you fell like it. ( ee cummings and Bukowski come to mind)

  5. Kevin Durbin says

    I recently started working for an org. where my manager has complete disdain for the mere mention of “Best Practices” whether it refers to server, network, or any other IT related area.  I have questioned his upside down smile on this, and pretty much, I think he has been inundated with the ideals of, if a certain company wanted to better market their product(s), they only had to say “Best Practices” and a wave of vertical head-nodding had people giving the thumbs up.  However, at its worst, you can have business leaders looking at “best practices” as just a way of pumping  their own products/services.  Prior to joining this company, I thought best practices were just a way of describing best common sense ways of doing things, but I realize there are many interpretations………….  it is definitely too much of a catch phrase now

  6. Anonymous says

    I agree with your post, and it was very well said. BUT, I do believe best practices have their place. For example, take a new and upcoming IT professional who is just building the foundation, what does s/he have to go on? 

    I think best practices are great to learn when you are just learning a new technology. They give guidance and as you learn the technology more in-depth, then you have the knowledge to question said “Best Practices”. Prior to the ability to think through the tech deep enough, at least you have a “safe” place to go off of. 


  7. Mike Kantowski says

    Security is a realm where “Best Practice” is especially dangerous.  In other areas, like routing, it’s pretty easy to see why it’s “The Best”.  For example, if one only expects to receive 20 prefixes on a BGP session, then putting a prefix limit of like 100 or something is easily accepted as a best practice..  But with Security, best practices should be very high level, such as “We should have two factor authentication for people that access this sensitive customer data, and these people should also have a background check done.”  From there, you have a baseline for implementation, but you aren’t stifled or limited in how to accomplish it.

  8. ElEuteador says

    Excellent post. The network management system at my organization auto generates a ‘best-practice deviation’ report, and we’re not all convinced of the logic behind these guidelines. For example, Does CDP really need to be disabled on all access ports? Does it cause that much trouble for the CPUs of attached hosts? When active, it’s certainly a handy way to see where IP phones are connected.

    • Kevin Dorrell says

      Quite so. CDP is also useful when you are connecting a VMware server, because it allows you to see which vmnic is which.

      Isn’t CDP recommended, if not mandatory, when connecting a Cisco phone?

  9. Kevin Dorrell says

    Thank you for this post – I feel vindicated. “Best practice” is not always best. If there is a good techincal reason for deviating from “best practice”, then do it. (Unless anyone can convince me why I should, I refuse to put bpdufilter on access ports.)

  10. says

    Before the words ‘Best Practice’ ever leave your mouth, you first better know why it is a best practice – like in many of the comments, there will always be somebody who will ask you why. Me if I am there :) for one.

    E.G.  Microsoft Best Practice is to not enable terminal serivces (yes, old name I know) on a domain controller.

    Just by knowing that Microsoft says so is in no way even close enough to an answer to WHY.

        Something like it is to do with security is a start
        Knowing that the root case for this is by having to grant the logon locally right, is better
        Knowing what other access is given by log on locally right and understanding the
    implications is a correct answer.

    However as an IT professional I think the best practice of IT professionals is to not use the phrase Best Practice but to provide a correct and educational answer to the original question.  Unless the person asking will not understand, then maybe a answer for the above example could be ‘Microsoft states it as a best practice due to security reasons”.

Leave a Reply

Your email address will not be published. Required fields are marked *