Could following best practices religiously actually expose you to risk?

Anonymous Author
In some cases, best practices aid the attacker because of the way in which they're defined. For example, I like the MITRE ATT&CK (https://attack.mitre.org/) framework, but it doesn't address some attack factors because they haven't yet been seen. I've submitted some, and worked with people who've submitted others before, that are highly probable or have actually occurred, but because they're not in the news they don't have the evidence in that sense. MITRE doesn't want to expand the framework because their customer base wants it to stay relatively static—it's easier for them if it evolves slowly versus the speed at which threats are evolving. What I've seen with some organizations that just want to focus on best practices—including ones that I've run—is that they dumb themselves down and stop contemplating the risk as well as the temporal and dynamic nature of controls. And then, as a liability deflection for the fact that they weren't properly running risk and controls, they fall back on the fact that they were following best practices. So for me, best practices are a minimum standard. And if you're just a mid-sized company, doing some of the core best practices would negate the vast majority of the issues you'd face.
1 upvote
Anonymous Author
You never know what will happen tomorrow, but where we're doing the best work is around front user readiness and user awareness. We have the blocking-and-tackling system fundamentals in place for security, identification, and alerting. We have seen minor breaches, but just in the areas we weren't thinking about. Once these come to mind, we can address them.
1 upvote