After much research and consultation (ok, an hour of tweets), it has been agreed that the next time you hear/read about a “best practice” you have to think/respond “Why? And in relation to What?” Sound good to you?
“Who gives a damn!” I hear you shriek. Well, best practice is big business (isn’t it, itSMF?). On twitter there’s a constant stream of best practice tweets. We get best practice shoved down our throats all the time (ITIL anyone?). I would bet a rare Yorkshire quid that few of the people touting best practices can articulate both Why and In Relation to What.
If a best practice is defined as “superior to other practices”, then what are those other practices? And why is one superior to the others? It just might be that in my situation another practice might be best. What’s best for you might not be best for me, right? But you can’t know that, so we are still friends.
I’ll be honest: best practices appeal to my lazy self. If someone else has done all the heavy lifting, then why not leverage their hard work? Aren’t best practices a form of altruism? Well, that’s a bit of a trusting approach in an untrusting world. What if the author is lazy too? What if that author just lifted their best practice from someone else, ad infinitum? Now nobody knows why it’s a best practice, the reason is lost in time, and we all go baa.
FWIW, I give a damn because my lazy self really wants to use best practices, but because of my irksome sense of self-preservation I have to do a bit more homework before I reuse any existing best practices… and in fact, this attitude means I can’t take someone else’s short cuts and makes me into an ever more cynical person.
So, here are three things I’m going to do from now on, and I encourage you, Dear Reader, to do the same:
- If you feel the words “best practice” bubbling from your brain to your mouth, make sure you can answer the Why and In Relation To What questions.
- If you are writing a best practice, then you must include text that answers the Why and In Relation To What questions. Otherwise, you are just recommending a practice (i.e. not best).
- If your ears ever hear the words “best practice” from someone’s mouth, or you see them in print, make sure you think Why and In Relation To What, and unless you have at least one counterpoint, just downgrade it to a practice (i.e. remove the “best”). Ask the author: Why? And in relation to what? They might have a superb answer that we can all learn from.
Up for it? Let’s start now. Personally, I never recommend best practices; I only recommend suitable practices to match the requirements, but that’s another story…


Most of the time when people say “best practice” what they really mean is “cover your ass”.
“We installed the VMware software using best practices” means “We followed the VMware best practice documentation; if it breaks, it’s not my fault”.
Following the best practice documentation is good, but as you say people need to be able to understand the reasoning behind the choices in the documentation, so they can understand and update it when it’s not right for their own environment.
OMG. Finally. Someone who agrees with me.
My statement: Practice? Well, that’s not perfect then…
You are right on the money, Ewan! Thanks for your comment!
I’m happy to hear someone else question best practices. I’ve been looking at it from a security point of view for small businesses. An example of best practices for security might be the 20 Critical Controls from SANS. But is it cost effective or necessary for every mom and pop business to pay someone to perform continuous vulnerability assessments when simply patching might be enough?
Without context, best practices really don’t have any meaning. Thanks for asking us to question this notion.
What a great example! Now, if someone had some concrete practices (i.e. actually implemented and worked well) for a “mom ’n’ pop shop”, then I reckon that would be worth something to other mom ’n’ pop shops… but even then, the effort to assess and report on the success, to package them up… and then the effort to understand that package of practices and whether it applies… it’s all a bit of an effort. I honestly think that, like Ewan said, best practices are really CYA practices. I see this every week, and often “designs” are nothing of the sort; they are simply a mash-up of best practice one-liners from various internet docs (e.g. VMware PDFs or, worse and punishable by a stint in the stocks, from product management pages on the net!).
I think we, those of us who don’t believe in your average best practice nor their use, are in the majority.
@Steve Chambers – I am on the Small Business Administration Information Security Task Force, and we have been tasked with doing exactly that: develop Information Security “Best Practices” for small business. For the record: I work in the SMB security market; I do not work for the SBA.
You make some very valid points here that I would like to include in my report. Incidentally, I found your blog while researching VMware VDI for an unrelated topic.
Hey Joel, thanks for popping by.
For the record, I _do_ believe that good practices exist, but I’m not being pedantic about disliking the use of the word ‘best’. If there was an imaginary line with “no practice” at one end and “best practice” at the other end, there is also an inverse amount of effort on that line – i.e. best practice suggests “no effort required” and no practice suggests “a lot of effort required”. What I’d like to see is a happy medium (good practice?) where _some_ effort is required on the part of the consumer/actor, but they are not starting with a blank sheet.
I feel the same way about “reference architecture.” Perhaps your “best practices” are “space suitable practices” as designed by astronaut architects.