“Best Practices” Improve Cybersecurity by Producing Results for Users, Not Policymakers

Government officials, industry leaders, and advocates often appeal to “best practices” to guide policy or set requirements. But, too often, they use the term “best practices” imprecisely to cover a variety of meanings. That hurts effective policy, because “best practice” has a definition – and it is one that isn’t aligned with how policymakers frequently misuse it.

Sometimes policymakers use the term to avoid the hard but valuable work of identifying what “best practices” are. Other times, policymakers misuse the term as shorthand for “requirements” or “what the government thinks an enterprise ought to do.” In its least helpful use case, the term is used to avoid debate or cut off discussion. After all, who can argue with doing what is “best?”

Helpfully, in a report to the FCC, a group of experts appointed to the Communications Security, Reliability, and Interoperability Council (CSRIC) defined “best practice” as “a method or technique that users generally accept as superior because it produces results that are superior to those achieved by other methods or techniques.”

In short, proper use of the term “best practices” requires an understanding of how the users of those practices judge their effectiveness. Put another way, no organization – government agency or otherwise – can simply create or develop a best practice. Organizations can only use methods or techniques; if those methods or techniques produce superior results to the alternatives, then they are best practices.

There are instances when policymakers use the term best practices appropriately and to great effect. For example, the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence directs the Secretary of the Treasury to “issue a public report on best practices for financial institutions to manage AI-specific cybersecurity risks.” Properly understood, this statement directs the Secretary to work with financial institutions to identify the most effective ways those institutions manage AI-specific cybersecurity risk.

In contrast, the same Executive Order directs the Secretary of Health and Human Services to analyze data and “develop” best practices, as if analysis could create a method or technique that users accept as producing superior results to other methods and techniques. If it were only so simple.

As a community, it’s incumbent upon us to use our terms of art precisely and hold policymakers to the same standard. Next time you consider using the term “best practice” or hear policymakers using the same phrase, consider if it is being used accurately.

Author:

Henry Young is Senior Director, Policy for BSA | The Software Alliance. Prior to joining BSA, Young was Senior Counsel and Senior Policy Advisor, first to Secretary of Commerce Ross and then to Secretary of Commerce Raimondo. In that role he was trusted to develop and oversee high-level policy and strategy for the U.S. Department of Commerce and its bureaus, and to collaborate with senior White House and interagency officials to design, advocate, and implement critical policies and strategies that shape national and foreign policy related to technology, including cybersecurity, 5G, and standards.
