The Best Practice Trap: Why You’re Auditing Mediocrity
You’ve heard it in every boardroom, read it in every “State of the Industry” report, and seen it plastered across LinkedIn by people who haven’t managed a real incident in a decade.
“It’s industry best practice.”
It sounds safe. It sounds authoritative. It sounds like a shortcut to security. In reality, it’s usually just a fancy way of saying: “We’re doing exactly what everyone else is doing, so if we get breached, we can tell the board it wasn’t our fault.”
Here is the no-bullshit truth: Best practice is the floor, not the ceiling. And in this industry, the floor is rotting.
1. The Blind Leading the Blind
Most “best practices” aren’t born from rigorous risk management or defensive success. They are born from mimicry.
Regulator A writes a checklist based on a 10-year-old threat model. Auditor B enforces it because it’s easy to check a box. Company C implements it just to get the auditor out of the building. By the time it reaches you, it’s a hollowed-out ritual.
If you’re following the herd, you’re also following them right into the next major breach. You can’t secure a network by chasing a consensus of people who are also getting hacked.
2. The Compliance Theater Killer
Best practice assumes a “standard” environment. But your risk isn’t standard.
- The “Best Practice”: Spending millions on a shiny new AI-driven tool because a magic quadrant said so.
- The Reality: Your “Best Practice” tool is sitting on top of a network where nobody knows where the sensitive data actually lives and “Admin” is still the password for the HVAC system.
- The Fix: Stop buying tools to solve “best practice” problems and start solving your problems.
By adhering to the “standard” checklist, you aren’t managing risk; you’re managing an audit. Those are not the same thing.
3. Plausible Deniability is a Slow Death
People love best practices because they provide cover. If you follow the manual and the ship sinks, you can blame the manual. If you try something radical—like actually holding people accountable—and it fails, you’re the outlier.
The reality we have to face: Compliance is not Security. You can be 100% compliant and 0% secure. Best practices are for people who want to stay 2% better than the guy next to them. If you want to actually fix the industry, you have to realize that “what everyone else is doing” is exactly why the industry is broken in the first place.
How to Actually Lead:
- Question the Pedigree: When someone says “best practice,” ask: According to whom? And what was their success rate?
- Mission Before Money: Don’t buy a solution just because it’s the “industry standard” if it doesn’t actually reduce your specific risk.
- Audit for Truth, Not Checkboxes: If a control isn’t actually making you harder to kill, it’s a waste of breath and budget.
Bottom Line: Best practice is a consensus on how to be average. If you want results that actually protect your company, your employees, and your mission, stop asking for the manual and start using your brain.
The “best” way is usually the one that requires the most courage to implement. Stop auditing mediocrity.