Defense in Depth: Bad Best Practices

All professionals like to glom onto “best practices.” But in security, “best” practices may be bad out of the gate, become useless over time, or they’re not necessarily appropriate for all situations. Stay tuned, we’re about to expose some of the worst “best” practices.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yaron Levi (@0xL3v1), CISO, Blue Cross and Blue Shield of Kansas City.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Endgame

Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit

On this episode of Defense in Depth, you’ll learn:

  • The response of “This is how we’ve always done it”, is not a reason to continue a “best” practice.
  • One of the most universally bad “best” practices is counting the number of people who fall for a phishing test. Both Allan and Yaron told stories of phishing test reports that could swing wildly based on the type of email sent.
  • CISOs argue that a better metric to track is the number of people who report the phishing email.
  • Let employees know that you’re going to test them. If you don’t it can be seen as a means to discipline them, which you’re not.
  • Cybersecurity best practices don’t stand the test of time. If a best practice seems off, challenge it by simply asking, “Why?”
  • Awareness training should be measured by testing afterwards, not by the number of people who actually took it.

Defense in Depth