Tweet Cybersecurity

“Best Practices” Improve Cybersecurity by Producing Results for Users, Not Policymakers

Government officials, industry leaders, and advocates often appeal to “best practices” to guide policy or set requirements. But, too often, they use the term “best practices” imprecisely to cover a variety of meanings. That hurts effective policy, because “best practice” has a definition – and it is one that isn’t aligned with how policymakers frequently misuse it. Read More >>

Government officials, industry leaders, and advocates often appeal to “best practices” to guide policy or set requirements. But, too often, they use the term “best practices” imprecisely to cover a variety of meanings. That hurts effective policy, because “best practice” has a definition – and it is one that isn’t aligned with how policymakers frequently misuse it.

Sometimes policymakers use the term to avoid the hard but valuable work of identifying what “best practices” are. Other times, policymakers misuse the term as shorthand for “requirements” or “what the government thinks an enterprise ought to do.” In its least helpful use case, the term is used to avoid debate or cut off discussion. After all, who can argue with doing what is “best?”

Helpfully, in a report to the FCC, a group of experts appointed to the Communications Security and Interoperability Council (CSRIC) defined “best practice” as “a method or technique that users generally accept as superior because it produces results that are superior to those achieved by other methods or techniques.”

In short, proper use of the term “best practices” requires an understanding of how users of the practices understand their effectiveness. Put another way, no organization – government agency or otherwise – can simply create or develop a best practice; rather, organizations can use methods or techniques and if they produce superior results to other methods or techniques, then they are best practices.

There are instances when policymakers use the term best practices appropriately and to great effect. For example, the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence directs the Secretary of the Treasury to “issue a public report on best practices for financial institutions to manage AI-specific cybersecurity risks.” Properly understood, this statement directs the Secretary to work with financial institutions to identify the most effective ways those institutions manage AI-specific cybersecurity risk.

In contrast, the same Executive Order directs the Secretary of Health and Human Services to analyze data and “develop” best practices, as if analysis could create a method or technique that users accept as producing superior results to other methods and techniques. If it were only so simple.

As a community, it’s incumbent upon us to use our terms of art precisely and hold policymakers to the same standard. Next time you consider using the term “best practice” or hear policymakers using the same phrase, consider if it is being used accurately.

Author:

Henry Young is Senior Director, Policy for BSA | The Software Alliance. Prior to joining BSA, Young was Senior Counsel and Senior Policy Advisor first to Secretary of Commerce Ross and then Secretary of Commerce Raimondo. In that role he was trusted to develop and oversee high-level policy and strategy for the U.S. Department of Commerce and its bureaus and collaborate with senior White House and interagency officials, to design, advocate, and implement critical policies and strategies that shape national and foreign policy related to technology including cybersecurity, 5G, and standards.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen + 1 =