Answers

 

Andrew M

Keshet Technologies Inc. Founder and CEO [Charter Member TiE-Ottawa; TopLinked.com; MyLink500.com]


How should best practices be developed, who should be involved, and how are they shared in a manner that will make them most credible?

The results of my previous question show that most respondents are relying on their personal networks of IT experts for guidance, yet also identify a lack of current best practices as one of the single largest challenges their organizations face. Given this finding, is it possible that the reliance on informal personal networks is adversely impacting the sector's ability to establish widely accepted best practices? If so, how should best practices be developed, who should be involved, and how are they shared in a manner that will make them most credible?

Special Note:

Our current survey examining the effect of IT Security on today's IT professionals closes this Friday, and I encourage all IT professionals currently working in the area of IT Security who have not yet participated to do so before this deadline.

The survey has been helping us to identify what IT Security issues are most relevant and pressing to both those on the front lines and in the boardroom, so please take the 3-5 minutes needed to add your own views.

As an added incentive, by completing the survey, you will be eligible to win one of two Microsoft Xbox 360 consoles and will receive a complimentary copy of the results overview report generated from this initiative.

The survey is available online at:
http://www.e-penso.com/survey/s?s=CATAITSecurity07

posted November 14, 2007 in Information Security, Quality Management and Standards | Closed


Good Answers (19)

 

Fadilla D

IT/Telecom- Consultant (PM & Business Development)


This was selected as Best Answer

Hi Andrew,
From an IT/Operations Professional Services experience at my end, Best Practice is conceptualized/structured through the list below, in the event that the Company is fully supportive and commits to it for its life cycle, from conception to ongoing maintenance. Furthermore, Best Practice is a Work of Art and Framework to obtain the end result ("ROI") with cost efficiency and quality deliveries in an Iterative Company profile, making Projects & Operations into a Cookie Cutter format to meet Standards and avoid additional costs on repeated structures. It is formulated by Capex + Project Time Lines + Project Costs turning into handovers to Operations SLAs + Operations SOIs, derived from Score Cards, Metrics, ongoing Process Documentation, ongoing Procedure Communications & Training, and Opex:

Development:
1. Gather internal SMEs for insights on current business activities in alignment to the Company's Statements/Visions/Objectives

2. Procure all current and available documents on documentation protocols, such as Waterfall or Interactive methods from an IT practice methodology of ITIL or eTOM, with respect to Documentation Maintenance methods of RUP or DAR/FSD/JAD etc.

3. Correlate the Business Processes with the Systems Processes for compatibility from the current evaluation and analysis

4. Set Key Milestones for New Objectives in Key Areas in each Department, with a Governing Department working with each Owner of each Key Milestone, e.g. the Engineering Department to document & report Switch Capacity & Performance on a Quarterly basis

5. Evaluate, from an IT development to implementation perspective, whether Post Implementation variances pop up and where they came from... Suppress the Gaps if needed for improvements and, as I mentioned in my previous feedback, have the Public test a New Product Development if the Product is meant to be Public-facing, to get the truth as the end result and for better delivery quality on the official launch of the Product

6. Develop a solid Employee Performance tracking tool for balance

Who to involve in:
1. Internal SMEs from each department of the Company

2. External SMEs to support Internal SMEs in realizing each Key Milestone handshake, for less tension and easier negotiation and problem solving on matters that Internal SMEs would most likely avoid doing, especially changing the current work activities for both Business & Systems

3. Company's Executives should be frequently involved in the development to understand the past, current and future positive & negative impacts for their synchronized sign offs

4. In the event that the SMEs are Non-Management Members, then Management Members should be working in conjunction with their respective SMEs and Executives for ongoing knowledge accumulation and practicing

Sharing Best Practice as a Standard:
1. Create a Governing Department with the fishbone/key milestones blue print/framework structure to govern each Department for its Key Milestone compliance

2. Operations & IT to govern their Business & Systems Processes documentation at all times, including Maintenance Releases to Emergency Fixes up to Vendors' Agreements renewal & product expiration/version updates...

3. Project Management Department to insert each major key milestone in their WBS for consistency on Project Deliverables

4. IT Support & Network Ops Key Milestones documentation and communications maintenance aside of SLAs on their PSDs

I can add more and more... But let's keep it to this degree for now... It is imperative for Companies to support Best Practice Globally, not within pockets of departments only... People come and go, and without Best Practice maintenance all of the key knowledge would most likely be gone without a trace. It becomes more difficult to realize daily activities... It becomes more costly and chaotic...

Thank you for reading my long input. Fadilla

posted November 16, 2007

 

TEX M

CEO of AllCity Technology; Chief Engineer of the TECHMERGENCY Quick-Response IT Team


Interesting question!

I don't think relying on peers is the problem. I think the problem is documentation. Best practices are derived from refined SOPs. SOPs are derived from documented implementation policies that have been discussed and revised over time. I think we have a problem in our field with technicians and engineers not taking the time to properly document their systems.

We are a managed IT services firm in Austin, Texas, and the first thing we have to retrain our employees to do is to carefully notate the work done and why. Without this information, it is difficult to progressively layer new technologies on top of the existing infrastructure while taking proper consideration of all other existing system dependencies.

While this may not present itself as a problem if you are a single administrator of a small network system, it is if you are part of a management team responsible for a large number of disparate systems. It is from this careful documentation that we have grown our current *documented* best practices that we use as a framework to guide the management of all our clients.

IMHO, this emphasis on strong documentation has been critical to our success and the success of our clients.

- Tex

posted November 14, 2007

 

Bill S

Advanced online system design where people and technology intersect & interact.


I think the issue lies in the definition of best practices vs. industry vs. customer segment being served.

While there are standard industry practices ("thou shalt not unplug a live system"), there are also practices that speak to servicing a customer niche, taking many variables into account such as quality of service, data integrity, security, timeliness of service, uptime, accessibility, reliability, availability, localization, internationalization, user experience, field support, replacement policies, development methodologies, product lifecycle et al. ad nauseam.

The purpose of best practices is to ensure repeatability of results at the highest level of quality and service value to your customer, internal or external.

Take an SLA for example - the boiler plate tends to be quite similar from vendor to vendor, yet there is great variance in how companies service their customers and why customers choose different companies to support their business activities.

And from a different angle, in the typical book dealing with the "10 Simple Rules for a Successful <mumble>", the approach taken is to distill the essence of practices into principles of success in a specific area. Is that a best practice? Not IMO, as practice implies "skill in the art", and while abstract principles may be useful to those already skilled, they are not very helpful to the rest who are not.

This is why it is difficult to establish industry-wide best practices and why it is relevant to rely on your network to tap people with experience in specific customer niches, who understand specific customer process, and understand what it takes to provide a high level of service to them - someone who has done it before, understands the customer niche, understands the products/services, understands the timeliness and quality involved, etc. to produce the best practices to serve a customer niche.

If a company expects to differentiate and become a leader in the field, the company will have to go beyond what has been established and therefore will have to come up with their own best practices. So no, I don't believe it is adversely affecting the outcome, although at the risk that whoever is tapped as an expert will have a significant influence in the final outcome.

Who is involved in establishing them? Company leaders in their respective areas of competency setting the bar for servicing the customer, experts in delivering the product/service, product managers determining the feature sets, and experts in customer process who understand what the customer does and needs.

Credibility comes from success - it is the best way to make people believe and subsequently adopt.

posted November 14, 2007

 

George M

Information Security & Enterprise Architect ● Seeking Opportunities CISO/CSO, VP/Director ● Contact Me ►http://


Andrew,

Best practices evolve from networking with other companies in diverse industries and with IT security peers/experts/associations. In essence, this sharing is vital to establishing a common body of knowledge of what would be the fundamental practices for securing information. Yet if I understand your point, others see the term "best practices" as contextual, meaning what is a best practice for one organization may not be a best practice for another. So in essence there are no best practices to follow. Strange as it seems, yet true in fact: in one industry it might be a best practice, but for another type of company it might not work or it might be overkill. Oh, I have seen that in a few companies I worked for!

What I see as a huge problem is the abuse of those security controls and of IT governance in general facing corporations. What I mean by that, for example, is not that a control has been breached, gaining unauthorized access; it is the abuse of that unauthorized access. It is thinking about new ways to abuse the controls, nothing new. Think of it: in the old days we never had to worry about employees taking pictures with their cell phones, USB drives, Internet access, etc. Corporate electronic espionage looms big, getting far more complex with each passing day. These threats can be employees, customers, business partners or outsourcing partners who have authorized access.

Now let's add the 800 pound gorilla into the complexity. The landscape of regulatory requirements is an immense challenge. It's difficult for businesses to keep up with the changing requirements. You have the federal-level Sarbanes-Oxley and then multiple state-level privacy laws and regulations. Then add in the industry regulations such as HIPAA [Health Insurance Portability and Accountability Act], and top it all off with the global regulations such as the European Union Data Directive and Basel, an institution created by the central bank governors of the G-10 countries.
Several mid-cap companies that were traded on the stock exchanges publicly have opted to go private to escape to a certain extent these mandated regulations.

Now I hope you can understand what my term abuse means. If there is a way around a security control, it will be found and abused. Human nature and physics: as water flows down through a trough of least resistance, so does information going through a corporation's network.

--
George Moraetes, CISM
Director of Information Security and Architecture
http://www.moraetes.com
Linkedin: http://www.linkedin.com/in/moraetes
AIM and Yahoo: infosguru

posted November 14, 2007

 

Rohit A

Founder, CHICAGO MENTORS - Information technology advisory for startups, business top-line, and bottom-line


Best practices come through experience - yours and others.

1. Knowledge sharing - Within an enterprise, resources need motivation, process, and culture to share knowledge.

2. Accountability - Someone needs to "own" best practices - collect, develop, enforce.

3. Process and Role of Sr Management - Benefit vs Effort of Best Practices. If best practices can be circumvented often, there will be little motivation to develop or maintain them.

posted November 14, 2007

 

Greg L

Founding Partner at Questus5: Employees for 1/2 the Cost | Hire Sooner | Grow Faster


First, I want to tip my hat to Robert's comment regarding the "incentive." It's cheesy, and an XBox is about the last thing I could possibly use.

I worked at Andersen when Thomas B. Kelly, Charles Ketteman, Robert Hiebeler published the book. My beliefs about so-called "Best Practices" haven't changed much over the years, and admittedly it's a little baffling to me how this concept has lasted so long.

Let's start with how a given business practice somehow elevates to becoming a "Best Practice." Somebody simply says it is. That's all it takes. One person calling it a "Best Practice" and a few others thinking it's a good idea. Experts love to get close to "Best Practices" because it makes them feel good and look good. Andersen sold a lot of consulting projects because of the book, and I still can't tell you why "Best Practices" are any more than "Potentially Good Ideas for Your Business."

The reality is that every business is different from any other. What may be a "Best Practice" in one is often impractical in another, simply because of organizational, infrastructure, or capital constraints - to name a very few.

There is no third party or impartial judge as to whether a business employs a best practice or not. When it comes to "Best Practices," the world simply relies on word of mouth and press in the media. The most publicized Best Practices are promoted, while the BEST Best Practices quietly operate in businesses everyday, without a lot of fuss and hyperbole.

It doesn't matter how many best practices a company has - what really matters is whether or not Customers are LOYAL (not satisfied.) I wish I could count all of the Best Practices I've seen that have little or nothing to do with building Customer Loyalty. I think that might be a great chapter in my book....

Just to balance this a little - of course there are practices out there that are innovative and better than others in some way. And, finding a hammer when you need a hammer is great. Best Practices, by whatever name, are simply tools in the toolbox. Tools are just tools. Business success relies on Employees using the RIGHT tools to Deliver what the Customer needs.

Cheers,

Greg Lins
President, TLG Innovation

posted November 14, 2007

 

Diane K

Executive Candidate - Quality Improvement at Los Angeles and Ventura Counties


Hello Andrew,

You've intrigued me with this question.

Let me start off by admitting that I am not an IT Security professional. What I AM, however, is a quality assurance professional and feel I have some insight of possible value to contribute with regard to "best" practices.

I have worked in many industries (data storage and transfer products for broadband bit-streaming applications, the toy industry, writing instruments, surface mount technology chip manufacturing, cosmetics, toiletries, rocket engines, aerospace explosives, the filtration industry, biomedical devices, pharmaceuticals, nutraceuticals, dental devices, commercial airline landing gear, etc.).

So... where am I going with all of this blathering? Well.... as I've moved through all of these industries, I've always been a quality assurance practitioner. When people think of quality, they sometimes associate it with something being "best".... or "great" ... or (at least) "better". Ask ten people what that means and you'll get ten different answers.

I define "quality" simply as "that which makes something what it is supposed to be according to the customer". Using this simple definition of quality.... if a practice is best at being what it is supposed to be in the opinions of those who use, rely upon or work with it..... why not call it a "best practice"?

Any person or cohesive group of people can identify a "best practice"... at anytime. They get to decide what to expect of a practice, compare practices about which they are aware... and pick the one that is the best at being what they expect.

So, when it comes to IT security practices.... you'll have a different set of "best" practices for each cohesive group of IT practitioners that collaborates on defining a set of expectations, no matter how large, how small or how often. If some IT security practitioners should decide to align themselves with specific IT applications, you would have "best" practices for THOSE applications ... as identified by THOSE practitioners. If some IT security practitioners were to decide to align themselves with specific industries or regulations, you would have "best" practices for THOSE specific industries or regulations as identified by THOSE practitioners.

There is value in organizations that align themselves to support members with diverse expectations. The American Society for Quality is an example of this type of organization. The Society has geographic, industry-specific and interest-specific memberships and membership groups. Each type of member "unit" defines unique "expectations" with regard to a specific quality-related "body of knowledge" of particular interest to them... and becomes the organization's custodian for that "body of knowledge".

I've been alerted (by LinkedIn) that I've used up all of the allotted space for a public answer... so please contact me for more information about this concept, if you like. I can be reached at dkulisek@capatrak.com or via my website at www.capatrak.com. I've put links to the American Society Website and my own for you, below.

All the best,

Diane Kulisek
email: dkulisek@capatrak.com
www.capatrak.com

Clarification added November 14, 2007:

I meant... links to the American Society for QUALITY website.... (www.asq.org)... and my own (www.capatrak.com).

posted November 14, 2007

 

Alaka Y

Trainer; Writing and Editing Professional


Best practices are usually not developed with the specific intent of 'creating a best practice.' They evolve from improvements in the approach, method or tools used to solve a problem. It follows that it would largely be the operational-level guys who create them.

How to share them?

Offline:
- Have best practice meets, with prizes and certificates. This can be done more often in a no-fuss manner, or on a grand scale once in a while.

- Training is a good option, but might smack of imposition at times.

Online:
- Create a database of best practices which anybody can add to and view.
- Create an egroup to share best practices

regards,
Alaka

posted November 15, 2007

 

Organizational best practices need sincere effort in the form of time and quality resources to develop.
A few rules that I have found with respect to Best Practices:
1. Best Practices always evolve
2. Best Practices affect every area in every organization
3. Best Practices are as precious as Intellectual Property

There are potentially one of three ways by which best practices are pulled in within any organization.
a) Introverted Best Practice building -
i) Defining the problem that needs a solution
ii) Implementation
iii) Execution
iv) Evolution of the practice
b) Extroverted Best Practice building -
i) Hiring domain experts from the market
ii) Training staff to adhere to these best practices and evolve them

The domain of Knowledge Management is very interesting for any company. Intranets and associated tools, databases, information sharing systems like wikis, etc. all form very important aspects of knowledge sharing.
The ability to search and mine relevant information in this domain is another interesting problem to solve.

posted November 15, 2007

 

David P

Internet Visionary & Entrepreneur


In my experience, the most important item is a link between the measurements and management. The fact that management is interested and takes action in this process is critical.

The core of this process is a set of procedures and viable metrics to reach specific goals. You must be able to measure the results in a timeframe that provides viable feedback and differentiation in key processes. Key processes need to be few and important, not numerous and too similar.

The best sources of information for measuring performance are the people actually performing the process and the client. They can give you clear data on what, when, how, why, results, etc.

Finally, there needs to be time to review the results against the goals with the team and find out what can be changed and why. If a goal is too high or low, then you need to understand why. It may be unrealistic and need to be changed. This is an iterative process and needs to be performed on an ongoing basis against relative metrics. Management must have the discipline and patience to let the process work.

Having been part of and coached numerous businesses, I have seen this work well and work poorly. It works well when there is clear dedication to the process from management and the team. It works poorly when this does not exist or when the metrics are not clearly defined.

I know this is a bit general, but I hope it helps answer your questions.

Cheers,

posted November 15, 2007

 

Michael S

Information security survivor


Your question assumes that these decisions are best made using a top-down organization where a select few experts decide what should and shouldn't be. I am not going to debate that point; I just want to highlight a hidden assumption and offer a different way.

Humans as a species work from a bottom-up thought process. We, as social animals, watch and emulate others. We form opinions of others based on our past experiences with them or through a network of trusted opinions of others that we call someone's reputation. When someone whose reputation you respect offers an opinion about a way of doing something, you will at least consider it. The idea itself has a certain fitness depending on its ability to solve the problem at hand. The ideas that are the fittest tend to get passed on, and those that aren't don't. The fitness of ideas that people recommend operates in a feedback loop affecting the reputations of those that pass them on; those individuals that consistently pass on fit ideas gain a reputation as an expert in their field, etc. Since human society is a scale-free network, certain ideas hit a tipping point of acceptance where the aggregate reputation of the individuals passing on the idea outweighs any fitness of the idea itself. E.g. the increase to my reputation when I pass on a fit idea is 1 to 1, while the potential decrease to my reputation by passing on an unfit idea is 1 to n, where the loss in reputation is diluted among everyone passing on the idea. This effect could be seen in the saying "No one ever got in trouble recommending IBM" that became "No one ever got in trouble recommending Microsoft."

So what are best practices? They are nothing more than the collection of ideas that have exceeded some threshold of saturation in the scale-free network of human society. Does that make them good? Sure, at a minimum they survived and outcompeted the competitor ideas that died off. The whole survival of the fittest thing. Are they the best solution to your specific problems? I wouldn't bet on it.

The answer isn't to decide who should create best practices. The goal is not to base your security program on them. Your program should be based on a sound risk management framework that objectively measures the risk that business decisions carry and selects the fittest controls to reduce the risk to acceptable levels.

I am a convert to the Factor Analysis of Information Risk (FAIR) framework. Measuring and selecting solutions based on actual needs is always better than playing the keeping-up-with-the-neighbors game.

posted November 15, 2007

 

Jim B

Director of Information Technology, CNA


"Best practices" are starting to gel in the IT security world. Emphasize "starting" to gel, because there's still a long way to go. The main driving factors appear to be regulatory compliance and auditing. Even organizations that aren't under direct regulatory requirements for IT security are hearing from customers who are. Auditors appear to be expanding their scope beyond just checking the accounts, now looking for overall protection of the environment that protects the accounts.

One good way to sell security best practices within an organization is to show how it's good for business, not a necessary evil or an unnecessary obstacle.

Adopting a standard framework should help too, because a widely recognized framework can be a stronger sell than something a few IT people in the organization made up. If a particular framework isn't imposed on you by regulations or clients, it almost doesn't matter which one you pick, because they're all in more or less the same neighborhood.

Another good way to introduce security best practices is the same way you'd get buy-in on any new effort: Involve the stakeholders early and often in the effort, and don't just impose it on them with a "Shut up, it's good for you" attitude. I'm referring to stakeholders in the broad sense -- anyone who stands to benefit in any way if the organization does well.

posted November 15, 2007

 

Gregg G

Currently on Long Term Medical Leave


I think that you should be thinking of essential practices which involve your entire organization. I have several very nice and long best practice lists from major vendors. But I believe the one-size approach may overlook the unique needs of different groups. I suggest that you follow the money as a place to start. That is to say, what are the essential functions needed to support profit centers? IT, working with business leaders (if you are not an IT company), develops this list and how best to design, monitor, measure, tweak, and BCDR if necessary, and life cycle. SLAs and SOPs then are the foundation of essential practices. Finally, technology changes so fast that it's hard to create a static document that will be relevant over time. I can send the white papers if you are interested.

Good Luck

Gregg

posted November 15, 2007

 

Sameer P

Multisourcing


Development of Best Practice:
There is nothing like an ultimate best practice. It is ever evolving. One needs to look at major parameters such as cost benefits for the business, culture of the work force, and ease of implementation to define the best practice in security. If possible, integrate or inherit some of the successful (& relevant) SOPs of other management frameworks like QMS etc. to avoid duplication. Let the development process be influenced by Security Gap analysis and Business process flow.
Stakeholders:
Top mgmt, Business owners, HR, Admin, Operations, Maintenance and all touched upon to implement the policy need to be involved, with a proper project plan indicating to them the resources and time line required to accomplish this.
Communication:
It should be shared in a manner that the work force following them gets the impression of a personal touch in the way it is communicated. The only way to be successful, as per my experience, is to take them into confidence and convince them about the ease of following the practice and their benefits out of it. You may use posters, mails, web site (intranet), and do remember to appreciate users' efforts to follow this. Send mail company-wide or offer small gifts.
This is my 2 cents.
Thanks
Sameer Paradia

posted November 15, 2007

 

Joseph P

MBA, CGEIT, CISM, CISA, CISSP, Governance, Risk & Compliance (GRC) Professional


In my opinion, best practices are nothing but collective wisdom. Best practices are documented practices that are debated for their relevance, completeness and applicability to a particular situation, organization, industry or environment. Best practices could be elevated to a framework level and then to a standards level and some of them later could become legally enforceable through legislation.

Take COBIT for example. It started with IS Auditors requiring guidance on what to audit and where in environments where business processes are automated. They needed to break down IT processes, collate them and group them, and then determine control objectives for each of the identified processes. Business Leaders, IT professionals and audit professionals across various industries all over the world provided their insights and input, and the framework or standard has evolved over a period of time to the current COBIT 4.1 version. It provides best practices / a framework or standard not only for IS auditors but for anyone concerned with governing IT, optimizing value from IT investments and managing IT-related risks.
Similar is the case with BS 7799: Part I and II, which has now become ISO 17799:2005 renamed as ISO 27001 and 27002.
You can mention any other standards that have evolved from best practices: ITIL for IT service management, PMBOK for Project Management along with PRINCE2, CMMI for IT capability maturity model.

Current best practices or frameworks may have to be customized for a particular organization. That flexibility may not be available in the case of standards or applicable legislation.

To develop best practices, current best practices or frameworks may provide guidance and direction. But consulting all stakeholders and compiling practical experience, challenges and problem-solving techniques to meet practical challenges would all form part of the best practice development process. Expert guidance and guidance from SMEs (subject matter experts) would be indispensable for the development of best practices. The draft document may undergo various revisions once inputs and suggestions are invited and received from all stakeholders. Even current best practices would need revision from time to time based on practical problems faced in implementation.

posted November 17, 2007

 

Too much family fun and too little weekend –

Assume that best practices brainstorming sessions are facilitated by an experienced InfoSec practitioner, with broad enough skills to drive and direct competing objectives.

These steps are continual, a process of knowledge/implementation refinement.

INTERNALLY (Top-down)
Ideally, you initially involve the highest level blend of affected organizational authorities, business and technical, to create policy. This provides Senior Management support. Policy is interpreted by seasoned mid-level functional area practitioners, both business and technical SMEs, with modifications looped up for approval. Once Policy is set, the mid-level team will craft guidelines, specific to their area of functional accountability, which may include general procedures.

INTERNALLY (Bottom-up)
Break guidelines into manageable bite-sizes (unit criteria) to allow multidisciplinary subject matter experts (SMEs) to apply their skills and, in turn, own the solution(s). These experts create the procedures, which are reviewed by mid-management. Therefore, those assigned to create, execute and monitor are all jointly connected for performance.

INTERNALLY (Cross-functional, interlaced/integrated)
Involve internal professionals from many disciplines, such as HR, Legal, Compliance, SBUs, Accounting, Audit, Partners, Customer advocates, etc. Cross-pollinate, remove silos and shore up gaps, like training of end-users or indirect aspects of the InfoSec solution, e.g., PR and incident management.

EXTERNALLY (Cross-section of consultive experts)
Since the number one threat originates internally, there must be third-party involvement, to provide broader/deeper and independent insights and techniques. Checkpoints on the internal processes and people are crucial to successful outcomes. These inputs will augment the framework created and/or carried out by the internal staff. Naturally, this will involve formal and unadvertised audits of implemented plans.

COLLECTIVELY (Steering committee)
All the aforementioned groups will have regular involvement by participating in the success of the InfoSec program. Information exchange between data owners and data protectors is communicated often, risk management is adjusted, and incidents or their potential are openly discussed. Broad standards like COBIT, ITIL or ISO are tailored to the firm's needs.

Best practices are all the above, including getting back to family matters.

posted November 17, 2007

 

Sukumar D

Head - People Stream of the IT Transformation Project at Tesco


To me,

The very need for best practices is to achieve something. From the many answers I browsed, many people are talking about what and how... but really the key to the whole thing is WHY?

If we consider this question, and leave behind all the jargon, we see that using best practices is a simple way of making organisational change happen in a way that moves us towards success that others have experienced.

In the dicey world of organisational change (whatever area or spectrum it may be), best practices provide some kind of ground where we can stand.

I have had a lot of success in using Action Research, where an individual playing the role of action researcher observes the system under improvement using both quantitative and qualitative techniques, identifies interventions that can move the organisation towards the desired end state, uses best practices to design these interventions in the four dimensions of People, Processes, Tools and Partnerships, and uses an iterative approach like that identified by Kotter (given below).

Establish a sense of urgency
Create the guiding coalition
Develop a Vision and Strategy
Communicate the Change Vision
Empower employees for broad-based action
Generate short-term wins
Consolidate gains and produce more change
Anchor new approaches in the culture

Believe me, this really works...

posted November 18, 2007

 

Lakshman P

Founder, CEO & Chief Architect


Andrew:

1. How should best practices be developed?

- The result of collective observation, experience, feelings and success stories
- Innovative best practices are normally developed through intuition, creativity and special intelligence triggered through experiences. In this case, you can try out a proof-of-concept.

2. Who should be involved?

- Everyone (at all levels) who can contribute or comment, selected smart people who need to practice this best practice, and some of those who benefit. You must have a scalable model to capture the thoughts of people; otherwise scalability and effectiveness could be an issue.

3. How are they shared in a manner that will make them most credible?

As much as possible, the best practices must be embedded in the systems and tools. This will facilitate change and help people embrace them naturally. In some cases they must be documented and communicated to the right people. In the latter case, the understanding level of the people must be assessed and the outcome must be measured.

For example, best practices on how to behave in a meeting should be in the minds of people and best practices on how to plan for learning effectively must be embedded in innovative learning systems.

Note: Refer to more Q&As (in Linkedin) on motivation and change management to learn more.

We approach best practices on knowledge management mostly through systematic approaches and some through people awareness creation (documented and managed learning).

posted November 19, 2007

 

John G

Small Company Turnaround Consultant (LION)


I’d like to have a nickel for every organization I’ve seen that espouses the virtues of best practices, has gone through the trouble of formalizing them, and then proceeds to ignore them. The reasons for doing so are many and usually pretty weak. Too often the words are simply taken from existing boilerplate, hopefully, at least, from a closely related enterprise. Quite often the person assigned the responsibility for development of the standards slaves away in some isolated section of the organization, and works in a vacuum. Or it may simply be a case of people not being willing or able to invest the considerable time to develop them. Therefore, many best practices that are adopted ultimately only serve to give the illusion of sound standards implementation.

In my experience with successful implementation of best practices, although the emphasis must come from the top of the organization, the true starting point was the bottom of the organizational chart – where the “rubber meets the road”. Not only do the folks who live and work there understand what needs to be done, but they also fully appreciate the impact of imposed standards. Their technical input and their buy-in are crucial to successful implementation. Obviously many points will have to be negotiated in order to make adherence practical and achievable.

So a successful flow for development of best practices would be for management to research applicable business best practices, prepare and present a statement of needs detailing suggested best practices to all affected departments, obtain input from all levels, reconcile practices to real-world requirements, present it in final form, and have all sign off. Not only does this method obtain everyone’s formal approval (commitment), but it ensures to the extent practical that all contingencies have been considered.

Sounds simple, doesn’t it?

posted November 20, 2007

More Answers (9)

 

Robert H

Business Manager


I assume you have developed the best practices to begin with.
What you need, then, is acolytes! Have the acolytes learn what works best and have them write it down, then go forth and conduct training sessions.
Here's a best practice for generating survey response: Offer something of value in trade for the time spent. And no, lottery tickets are not something of value, no matter how nice the prize.

posted November 14, 2007

 

Seb R

Principal Software Engineer at IBM


You say that your original respondents identified "a lack of current best practices as one of the single-largest challenges..."

I would suggest that, as other folk have pointed out, best practice is often sector specific at best, or subjective at worst.

The real problem, IMO, is arriving at consensus within any group as to which best practice should be adopted. It is a political minefield that too often descends to the personal level.

Cheers

Seb

posted November 15, 2007

 

Gard T

ICT Leader at Herøy Municipality


It doesn't matter where the practice comes from, as long as it is thought through: what is best practice in one situation might not be the correct way to do it in the new one. Whether the best practice comes from a friend or a book based on intensive research, it still needs to be adapted to the new situation.

One thing stands out to prevent this adaptation from happening: short deadlines set by sales people who didn't consult with development first. In order to meet these deadlines, shortcuts are made that take twice the amount of work to correct afterwards. Best practices are set aside in order to generate a short-term increase in the bottom line.

posted November 15, 2007

 

Rick L

Chief Information Security Officer, Published Author & Advisor


Best practices are nothing more than good ideas that have been implemented within an organization and are SHARED with the public. Security is one of those areas where disclosure of an idea may go against competitive advantage or tip the hand with a security control/process. Unfortunately, due to the way we operate today, most "best practices" are now behind the veil of an NDA or confidentiality agreement. A very high-level, sterilized version may emerge but will not provide enough basis to really provide a great amount of value.

posted November 15, 2007

 

Patricia H

Director, Debit Advisory Services at Mercator Advisory Group


Best Practices should, by definition, be credible since that's the point of establishing them in the first place. But I think BP are often confused with "standards". Standards are measurable, quantifiable, and controlled.

BP, on the other hand, should be fluid enough to adapt to various organization cultures. I believe the goal for BP would be to agree on them as a framework, of which one component may be operating standards, for example, but leave room for flexibility and change.

posted November 15, 2007

 

Jay P

Acting Chief Technology Officer at Employes' Retirement System - Milwaukee


I think you can use external artifacts (Gartner, Opensource, groups etc.) as a reference model, but ultimately, the best practices have to be "customized" to your environment.

As you may know, the real value is NOT in "having one", but making them "actionable" so they can be implemented, tracked and evaluated to ensure they're enabling the organization.

posted November 15, 2007

 

Mukesh G

Quality Manager at Wipro, PMP, ITIL, Six Sigma


Best practices still have a long way to go... An effective decision tracker can also lead to the identification of best practices. It is a matter of fact that under different circumstances the same exercise can be 'best' or 'worst' practice. Understanding each practice along with its operating environment can yield efficient results... simply adopting a so-called best practice from a successful reference can also lead to dissatisfaction of stakeholders.... now a last comment from an experienced quality professional :)

posted November 16, 2007

 

Nandamuri R

Research Associate at Scada Meter Solutions Pvt. Ltd.


"Best Practice" is never static - It "seeds" from the past, "changes" to coexist in present and "grows" to survive in future.

Today's "Best Practice" is correction of Yesterday's inadequacy.

The other way around: for tomorrow, today's "Best Practice" is "Inadequate".

Let us recollect the words of "Charles Robert Darwin" ...
"It is neither the strongest nor the most intelligent (species) that survives - but the one which continues to change to coexist and survive"

Hence I define the "Best Practice" as ...
The one which "Evolves" "Natural Way" of "Doing Things"

posted November 17, 2007

 

Rajesh N

Marketing Planning and Communication Strategy Consultant


It's funny. Those implementing a process that later becomes a Best Practice are often wondering where they are going right or wrong. And they get answers through pure experience!

Do a process. Take it to a B-School and it becomes a Case Study. Take it to the right B-School (read Harvard or equivalent), it becomes a Best Practice!!!

In my opinion, Andrew, just turn pages back to the worst failure you've ever had. And develop a Standard Operating Procedure around the points of inflexion. You will end up with a process that will evolve into a Best Practice.

The best way to share it is to interview the team and post a movie. A white paper can be sent to all those who feel a need for it.

posted November 18, 2007