Hacker News new | ask | show | jobs
by markwisde 1398 days ago
I’m a security engineer and nobody knows what’s best practice. Everyone is making it up at this point, and security is still a nascent field. Most companies don’t even have a security team.

I think it’s still not clear how you should build a security org, and if you should at all (should security be part of normal workstreams of your devs?)

Btw I wrote about my experience in https://securityhandbook.io/
1 comments
dd36 1398 days ago
Is there even best practice for non-cyber security at private businesses?
link
shagie 1398 days ago
There is a best practice... but the issue is that the "best practice" is something that gets abused for cargo culting and stopping at the discovery of the best practice.

Some time back, I got a copy of "A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving" so that I could properly quote back the use of best practices.

https://en.wikipedia.org/wiki/Best_practice

With most times people are looking at best practices, they skip to the decide step without defining the problem - that's even been done here. Is there a best practice for non-cybersecurity at private business? Well, yes - but first, what is the problem that is trying to be solved? There's no "get this book of everything to do and you're good". On the other hand a "we have customer data that includes PII data, we need to secure the data and prevent casual examination of it in house" is a problem that can be looked at and a best practice can be found.

The best practices involve a survey of looking at other organizations and seeing what they have done - what worked and what didn't.

> Part IV "Smart (Best) Practices" Research - Understanding and Making Use of Whatlook Like Good Ideas from Somewhere Else

> It is only sensible to see what kinds of solutions have been tried in other jurisdictions, agencies, or locales. You want to look for those that appear to have worked pretty well, try to understand exactly how and why they may have worked, and evaluate their applicability to your own situation. IN many circles, this is known as "best practices" research. Simple and commonsensical as this process sounds, it represents many methodological and practical pitfalls. The most important of these is relying on anecdotes and on very limited empirical observations for your ideas. To some extent, these are - one hopes - supplemented by smart theorizing. This method is never perfectly satisfactory, but in the real world the alternative is not usually more empiricism but, rather, no thoughtless theorizing.

> Develop Realistic Expectations

> Semantic Tip First, don't be mislead by the word best in so-called best practice research. Rarely will you have any confidence that some helpful-looking practice is actually the best among all those that address the same problem or opportunity. The extensive and careful research needed to document a claim of best will almost never have been done. Usually, you will be looking for what, more modestly, might be called "good practices."

---

A "here is a list of all the best practices, follow these" is the wrong way to try to use best practices but rather relabeled cargo cult security.

link