Are the IT "industry best practices" part of the problem or the solution to cybersecurity? https://thehill-com.cdn.ampproject.org/c/s/thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?amp

Anonymous Author
I must say that I was struck by the approach outlined in Gwinn’s article. I found the opinion rather ill-advised and hope that security professionals reading the piece can look past what appears to be some form of bias. The foundational question Gwinn asks, “what is wrong with information security best practices,” is a reasonable and timely question. However, the credentials of security professionals are not at issue when security best practices break down. The implementation of any best practice can be the determinant of how effective that best practice is. It is rather surprising that Gwinn does not make that point. Gwinn proceeds to attack technological best practices without any consideration of the specific context in which those best practices are applied in an organization. Gwinn’s base premise of the need for a “holistic view of systems” by security professionals is reasonable. However, a holistic view of systems means different things to different organizations. I do not agree with Gwinn’s assertion that the hacker is the only one with a holistic view of an organization’s systems. But I think the most egregious assertion Gwinn makes is his point to never hire an information security employee who has ever worked for a firm that has had a security incident. This is a rather short-sighted assertion. Security incidents happen at all organizations, and to fault the security professional is unreasonable.
3 upvotes
Anonymous Author
There's really no good way to answer the question. As to the referenced article, it misses all of the important nuances of the asymmetrical nature of cyber security and the immense breadth of the issue, focusing on a very narrow "industry best practices", which IMHO is a misnomer. provided some good arguments and I can probably add a few more pages, it's just wrong on so many levels.
0 upvotes