I hate the term “best practice”. There I’ve said it….. It feels good to get that off my chest. But why do I hate it?
The term “best practice” is thrown around by IT professionals to justify their recommendations. However, the use of the word “best” is a very bold statement. To state that something is “best practice” implies that nothing else is equal to or better than the practice being presented. It also suggests that it has been independently evaluated using a published and repeatable research method against competing practices and determined to be best.
In my opinion if you use the term “best practice” you better be able and willing to provide evidence that your assertion is true. Whilst many IT management frameworks claim to be best practice there is very little independent research published to support their claims.
I think one of reason IT professionals use the term so frequently is that managers and clients want to know that they are doing is the best thing possible. However, the fact remains that the use of the word “Best” has a specific connotation which is usually not backed up with evidence.
The issue is compounded by some ICT management frameworks that insist on claiming to be “best practice”. Typically these claims have not been empirically tested by an independent party so cannot be substantiated. However, businesses change, threat landscapes change, tolerance for risk changes over time. Even if a practice were to be validated as the best possible practice today, it does not necessarily remain so in future.
To be fair most people mean “good” or “industry accepted” practice when they use the term “best practice”. However, I think it is time that IT professionals actually used the appropriate terminology to support their recommendations. I stopped using “best practice” over two years ago and it hasn’t stopped clients adopting my recommendations. I use either “good practice” or “generally accepted practice” depending on the context, and where appropriate I provide evidence to support my assertions.