[Cryptography] best practices considered bad term

Henry Baker hbaker1 at pipeline.com
Sun Feb 1 18:34:03 EST 2015


At 04:04 PM 1/31/2015, Jerry Leichter wrote:
>On Jan 31, 2015, at 6:27 AM, ianG <iang at iang.org> wrote:
>> As a wider philosophical question, is it even appropriate to promote or accept 'best practices' in the security world?  Its presence is almost a complete proof that we're not doing security, we're instead participating in a rain dance or voodoo for purposes of avoiding security.
>
>Yes and no.
>
>The specific term "best practices", as far as I can tell, was used by SAP sales guys - back in SAP's heyday - as a way to get people to turn their business operations inside out to work with the way SAP designed its software.  SAP took the point of view that they wouldn't customize their software - customers had to adapt to their *right* way of doing things.  Their answer to the complaint from a customer who organized things differently was "Oh ... you mean you don't follow industry best practices?"
>
>Whether they invented the term or picked up on something that was already around, I don't know.  It became, and remains, a way for consultants and sales guys of all stripes to try to force people to abandon their "legacy" approaches and move on to whatever the consultant or sales guy is trying to move them to (for an appropriate fee, of course).

Best practice = minimum CYA effort = plausible deniability in case of lawsuit = what a jury would consider non-negligent = only regular damages, rather than punitive damages.
