When I studied Computer Science one of the more interesting classes I took was Algorithm Analysis. I learned all sorts of interesting ways to solve problems. One such lesson was on how to fit things into a box. The answer seems simple. Find a box, put the item in, close the box.
It turns out that there are many ways to fit things into boxes. Today we will discuss first fit, best fit, and worst fit. If you really want to nerd it up you can read about them here.
First a quick illustration: If I ask you to pick a box to pack a pair of shoes into, would you put them into the first one you find, the one closest to their size, or the biggest one?
Obviously the best practice is to find a shoe box and use it, right? However, the answer depends on context. If I am packing things to move to a new house I will grab the box right next to me, as I want items from similar spaces to be packed together (first fit). If I am giving the shoes as a present I am going to use the smallest box I can to avoid excessive wrapping paper (best fit). Finally, if I am packing for a trip I will want a suitcase with extra room for other things (worst fit).
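To make the three heuristics concrete, here is an added example (not from the original post) that packs a constructed list of item sizes into boxes of a fixed capacity using each rule in turn; the item sizes and capacity are made up for illustration.

```python
from typing import List

# Constructed sample input (not from the original post): item sizes and box capacity.
CAPACITY = 10
ITEMS = [5, 7, 3, 2, 3]


def free_space(box: List[int], capacity: int) -> int:
    """Remaining room in a box, given the items already placed in it."""
    return capacity - sum(box)


def pack(items: List[int], capacity: int, policy: str) -> List[List[int]]:
    """Pack items one at a time using the named heuristic.

    first: the first open box the item fits into
    best:  the open box it fits into that leaves the least room over
    worst: the open box it fits into that leaves the most room over
    A new box is opened whenever no open box can hold the item.
    """
    if policy not in ("first", "best", "worst"):
        raise ValueError(f"unknown policy: {policy}")
    boxes: List[List[int]] = []
    for item in items:
        if item > capacity:
            raise ValueError(f"item {item} exceeds capacity {capacity}")
        fits = [i for i, box in enumerate(boxes) if free_space(box, capacity) >= item]
        if not fits:
            boxes.append([item])  # nothing open can take it: open a new box
            continue
        if policy == "first":
            chosen = fits[0]
        elif policy == "best":
            chosen = min(fits, key=lambda i: free_space(boxes[i], capacity))
        else:
            chosen = max(fits, key=lambda i: free_space(boxes[i], capacity))
        boxes[chosen].append(item)
    return boxes


def compare(items: List[int], capacity: int) -> dict:
    """Run all three heuristics on the same input so the differences are visible."""
    return {p: pack(items, capacity, p) for p in ("first", "best", "worst")}


if __name__ == "__main__":
    for policy, boxes in compare(ITEMS, CAPACITY).items():
        print(f"{policy:5s} fit -> {len(boxes)} boxes: {boxes}")
```

On this input first fit and best fit each use two boxes with different contents, while worst fit keeps the most room open and ends up needing a third box.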
In technology these three methods map onto some very common questions.
"What are other people doing?"
This is the first fit solution. The reason I do not like this question is that it offloads the research portion. They just want to know what everyone else is doing and shoehorn it into place. My snarky response in the security arena is "Other people are getting hacked."
"What is the best practice?"
This is the best fit solution. If I hear this question I know I have a professional who is willing to research appropriate solutions. However, just because something is best practice does not mean it will work for your business.
"What do you think of this solution?"
Often this is the worst fit solution. However, I love this question because it is often followed by a good discussion. Following this question I have seen solutions that soon become best practice for the rest of the industry.
I worked for a company once that built a backup data center. I was brought in late on the project, asked my usual 'why' questions, and was met with "Because it is best practice."
In this situation they were committing millions of dollars towards a best practice without understanding what the right solution for the company was.
Another infamous company decided to move everything to the cloud because that is where all their content lived and their competitors were doing it, so they did it too. They did not identify the risk factors, and the company folded after the master account was compromised.
A final company had all their public facing servers running Linux. This was best practice, as Linux is difficult to hack. However, the company did not have a patch process in place, and the server containing client data was compromised, causing a PR nightmare and weeks of recovery time.
How do we choose?
We need to take a step back and discover what the situation calls for. If your company is a clone of another company then the first fit can often be best. However, even with a franchise there are differences that must be accounted for before moving forward.
In the end we need to be wary of the "best practices" approach. We need to do what is best for the situation we are in. Sometimes we need a quick solution, sometimes we need a standard solution, and sometimes we need something custom. In every situation we need to understand the risks and what we are trying to accomplish.
Business owners know their product and understand business processes. Map these to your technology needs and ensure your providers are informed. Once you have context you will be able to discover the best solution for your company.
There is another reason not to just choose the default best practice. You want your company to stand out; you want to be exceptional. By simply always choosing best practice you are setting yourself up to be average. Set yourself up to be exceptional.