Have you ever sat in a meeting with auditors or other third-party professionals who include the phrase “best practices” in their argument or report? I have no idea how many times security practitioners have tossed this phrase about to bolster their position. I’ve read that phrase countless times in articles published by reputable publications. Have you ever stopped to think about what it actually means? Best practices according to what authority? What is the source of power behind “best practices,” I wonder? My observation thus far has been that this catchphrase is used by those “professionals” who are insecure in their position. To validate my point, I would encourage you to challenge, or “question authority,” the next time you are participating in some meeting and the designated expert tosses that phrase out. Ask that person to articulate the source or foundation of their statement. I suspect that you will discover, as I have, that the freshly minted MBA or certified professional snake oil salesperson will suddenly stammer and stumble. The explanation will turn into an exercise in which they attempt to lull you into a comfortable “moving right along” dialog while trying to hang onto the authority you have given them. My advice to you is to keep a mental red flag handy for that particular phrase and to challenge the person who drops it; you will find it beneficial. When you have a reputation for fact checking and demanding credibility from your professionals, you will get better explanations that are meaningful and worth the price you paid.