By Josiah Dykstra

We continuously aim to question assumptions and challenge conventional wisdom, even our own. Today, we are pleased to announce that we are dropping our use of the problematic phrase “best practices” in all our communications. Going forward, you’ll see us use “recommended practices” instead, and we hope you do, too.

Think about how often you hear or see people use the phrase “best practices.” It’s everywhere! The phrase is widely accepted both inside and outside of cybersecurity. It’s how experts describe the advice they believe broadly suits a general situation based on the research or data available.

However, this prevalence is precisely why we must avoid it. When presented with a “best practice,” casual readers fail to think carefully about whether they should trust the author and, more importantly, whether the guidance is best for them and their situation. “Recommended practices” is more contextualized: it conveys that certain standards apply only to specific projects, industries, and risk profiles.

Why “best” isn’t best

There are at least three downsides for readers when they encounter “best practices”:

  1. Best practices imply groupthink about why we’re doing something and blind adherence to it regardless of whether it’s right for you. Given the diversity of users, businesses, and environments, one-size-fits-all is very uncommon. What’s right for one might be impractical for another.
  2. Best practices seem static. In his book Think Again, organizational psychologist Adam Grant writes of advice that “best practices imply it has reached an endpoint.” Shouldn’t we always be looking for better and better solutions? We all need to use MFA today but should keep searching for even better, innovative options.
  3. Best practices lead to a false sense of security. Following them might make readers believe they’ve done enough, potentially preventing them from exploring further improvements or staying aware of new risks, leading to complacency.

During our internal discussions about this change, Emilio López, a Trail of Bits engineer in Argentina, pointed out that the Spanish equivalent of “best practices” is actually “buenas prácticas,” literally “good practices.” We think that “recommended practices” is the best English choice.

How we’re making the change

Here are a few examples of what this change will look like for us in practice.

In our reports:
Original:
“In general, it is considered a best practice to have a mechanism for automatically rotating keys to recover more quickly from a key compromise event.”

New:
“In general, experts recommend having a mechanism for automatically rotating keys to recover more quickly from a key compromise event.”

In our blog posts:
Original:
“We observed that the client follows best practices, such as using robust primitives that are well accepted in the industry.”

New:
“We observed that the client follows recommended practices, such as using robust primitives that are well accepted in the industry.”

In our training:
Original:
“Follow best practices for integrating untrusted code when sourcing AI models.”

New:
“Follow recommended practices for integrating untrusted code when sourcing AI models.”

A more thoughtful approach

Trail of Bits has always been careful to avoid overgeneralizations in our writing, but this change aims to communicate more clearly to our readers that one size does not fit all. We’re not diluting our advice; we’re encouraging engagement and thoughtful consideration of how advice can be best applied in various contexts. It’s not permission to ignore advice you don’t like; it’s an invitation to think before jumping unquestioningly to action.

We invite you to join us in adopting a more thoughtful, flexible approach to advice and guidelines. Your active participation is crucial in fostering an environment where innovation and customization lead the way. Together, we can nudge the ecosystem in a better direction. Contact us to share your thoughts, experiences, and how you’re implementing recommended practices in your work.