Best Practice. What does it mean?

As a software solutions architect I often find myself communicating and clarifying ideas between different teams, backend, mobile apps, micro-servcies and across various departments, engineering, legal, marketing.

I have learned to be wary of words that are ambiguous and easily misunderstood– or differently understood between teams and departments. “Best practice” is one such term.

This can be a buzzword in some circles and I often encounter this term in documents and presentations. Most listeners seem to understand it perfectly and you can easily get the audience to nod when you say it, yet each listener interprets the term very differently. The interpretation often depending on the team or department that they are in.

So what does “best practice” mean?

Christopher Bellman, Paul C. van Oorschot in their paper titled “Best Practices for IoT Security: What Does That Even Mean?”1Best Practices for IoT Security: What Does That Even Mean? Christopher Bellman, Paul C. van Oorschot, April 2020, arXiv:2004.12179 explore in impressive detail the meaning of this term in the first two parts of their paper. They also attempt to position it against other similar terms like good practice, recommendation and standard practice.

This article is inspired by their paper and extensively quotes and summarises ideas from it, so feel free to head over and read their original paper when you are done and specially if you are looking at IoT security practices.

Casually speaking

In their paper, Christopher and Paul point out that the term “best practice” is often used causally and means different things in different contexts,

  • In Engineering or Technology, best practice often means the best known way, suggested by experts, to achieve an outcome
  • For Security a best practice is often a practice that has been widely proven effective and is readily available
  • For Legal teams a best practice is often interpreted as being not worse than the competition, attempting to limit liability
  • For Social situations best practice often refers to the most common practice (which may or may not necessarily be the best thing to do)

Formal definition

To arrive at a formal definition of the elusive term we have to consider that to be called a best practice, something should,

Be Actionable

A practice should be actionable, ie. should be something you can do. It should not be just theoretical or an aspiration to a goal (or outcome) you wish to achieve. For example, “Store passwords securely”, is a goal while “Use a salt and secure hash to store passwords” is a practice. Following this practice will lead to the goal being achieved.

A well-formed best practice should be include both the action to take and the intended outcome. One without the other gives the reader an incomplete picture.

Be among the Best

Because it is impossible to know all practices, measure every one and do so in every context, we cannot hope to find a single Best Practice, superior to all others that works in all cases. It is safe to say that calling something a best practice is therefore a subjective assessment, agreed by consensus, often by experts in a field and within the bounds of known practices. Furthermore there may be many practices that achieve the same outcome. “Best” therefore cannot mean to be above all others but rather a more modest to be one among the best

With that in mind “best practice” can be defined more formally as,

For a given desired outcome, a ‘best practice’ is a means intended to achieve that outcome, and that is considered to be at least as ‘good’ as the best of other broadly-considered means to achieve that same outcome.

Best Practices for IoT Security: What Does That Even Mean?
Christopher Bellman, Paul C. van Oorschot, August 2020

Other Practices

The story however does not end here, because there are other terms that sound similar to best practice, like good practice, recommendation, common practice. How should we interpret these?

Once again Christopher and Paul do this in a novel way considering three dimensions of practices and placing these other terms relative to what we have defined now as a best practice.

Quality

Practices that are concerned with quality of the output fall on the quality continuum of Uber — Best — Good. These practices together with their synonyms are shown in Figure 1.

Figure 1

Commonality

Practices that are widely used or required for compliance fall on the commonality continuum of Requirement — Common Practices, are shown in Figure 2. These practices do not necessarily imply a quality goal. Rather they have wide social acceptance– like writing down passwords, or they are mandated such that they are enough to pass a formal inspection or to limit liability.

Figure 2

Endorsement

Practices that have received formal recognition fall on the Endorsement continuum of Formal Standard — Recommendation — Guidance. Again these do not necessarily imply quality goals but may have a different goal, like interoperability. These are shown in Figure 3.

Note that the term “guidance” is often also used as a synonym for a recommendation but a guidance does not imply endorsement by an entity, while a recommendation does.

Figure 3

It can be confusing to think of practices exclusively along these three dimensions because practices do not lie exclusive on a single dimension. It is entirely possible for a best practice (quality) to be widely used (commonality) and be made part of a formal standard (endorsement). So a single practice can lie on all three or any two dimensions simultaneously.

Conclusion

Hopefully we now have an arsenal of ways to think about a practice. Before we label something as a best practice it helps to pin down the context in which we are speaking. Is it really quality we care about or compliance? Or is it just a common social practice we are referring to? Are we attempting to do the best we can or attempting to do just enough? Are we doing something necessitated by requirements or just trying to help by offering some guidance? Is our practice actionable or is it an outcome we hope to achieve? Are what we suggesting widely known or a well kept secret?

I believe clarity in thought leads to clarity in communication and in action. I hope this article helps you the reader the next time you encounter a best practice.

References

References
1 Best Practices for IoT Security: What Does That Even Mean? Christopher Bellman, Paul C. van Oorschot, April 2020, arXiv:2004.12179